client credential flow

charts/apps/staging-values.yaml

@@ -88,5 +88,6 @@ kueue:
 k6Operator:
   enabled: true
   targetRevision: HEAD
-  extraValueFiles: []
+  extraValueFiles:
+    - staging-values.yaml
   valuesObject: {}

charts/k6-operator/staging-values.yaml

@@ -8,3 +8,16 @@ k6-operator:
       limits:
         cpu: 1000m
         memory: 1Gi
+sessionspace:
+  enabled: true
+  name: ks10000-1
+  proposalCode: ks
+  proposalNumber: "10000"
+  visit: "1"
+  instrument: b01-1
+  gid: "36055"
+  startDate: "2026-04-30 9:00:00.0"
+  endDate: "2026-05-22 9:00:00.0"
+  members:
+    - https://identity-dev.diamond.ac.uk/realms/dls/k6Operator
+

charts/k6-operator/templates/k6-operator-configmap.yaml

@@ -5,4 +5,3 @@ metadata:
   namespace: {{ .Release.Namespace}}
 data:
 {{(.Files.Glob "tests/*.ts").AsConfig| indent 2}}
-

charts/k6-operator/templates/k6-testrun.yaml → charts/k6-operator/templates/k6-ping-graph-testrun.yaml

@@ -1,23 +1,29 @@
 # k6-resource.yml
-
 apiVersion: k6.io/v1alpha1
 kind: TestRun
 metadata:
   name: k6-ping-graph
   namespace: {{ .Release.Namespace}}
 spec:
-  parallelism: 4
+  parallelism: 1
   script:
     configMap:
       name: k6-configmap
       file: ping-graph.ts
   runner:
     env:
-      - name: GRAPH_PROXY_BEARER_TOKEN
+      - name: KEYCLOAK_CLIENT_ID
+        valueFrom: 
+          secretKeyRef: 
+            name: graph-proxy-k6-auth
+            key: KEYCLOAK_CLIENT_ID
+      - name: KEYCLOAK_CLIENT_SECRET
         valueFrom: 
           secretKeyRef: 
             name: graph-proxy-k6-auth
-            key: GRAPH_PROXY_BEARER_TOKEN
+            key: KEYCLOAK_CLIENT_SECRET
+      - name: KEYCLOAK_TOKEN_URL
+        value: https://identity-dev.diamond.ac.uk/realms/dls/protocol/openid-connect/token
       - name: GRAPH_URL
         value: http://graph-proxy.graph-proxy.svc.cluster.local:80/graphql
     resources:

charts/k6-operator/templates/k6-probe-configmap.yaml

@@ -0,0 +1,117 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: k6-ws-map
+  namespace: {{ .Release.Namespace}}
+data: 
+  k6-ws-subscription-testrun.yaml: |
+    apiVersion: k6.io/v1alpha1
+    kind: TestRun
+    metadata:
+      name: k6-ws-subscription-probe
+      namespace: {{ .Release.Namespace}}
+    spec:
+      parallelism: 1
+      script:
+        configMap:
+          name: k6-configmap
+          file: ws-subscription.ts
+      runner:
+        env:
+          - name: KEYCLOAK_CLIENT_ID
+            valueFrom: 
+              secretKeyRef: 
+                name: graph-proxy-k6-auth
+                key: KEYCLOAK_CLIENT_ID
+          - name: KEYCLOAK_CLIENT_SECRET
+            valueFrom: 
+              secretKeyRef: 
+                name: graph-proxy-k6-auth
+                key: KEYCLOAK_CLIENT_SECRET
+          - name: KEYCLOAK_TOKEN_URL
+            value: https://identity-dev.diamond.ac.uk/realms/dls/protocol/openid-connect/token
+          - name: GRAPH_URL
+            value: http://graph-proxy.graph-proxy.svc.cluster.local:80/graphql
+          - name: GRAPH_WS_URL
+            value: ws://graph-proxy.graph-proxy.svc.cluster.local:80/graphql/ws
+        resources:
+          limits:
+            cpu: 1000m
+            memory: 1Gi
+          requests:
+            cpu: 500m
+            memory: 500Mi
+      starter:
+        resources:
+          limits:
+            cpu: 1000m
+            memory: 1Gi
+          requests:
+            cpu: 500m
+            memory: 500Mi
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: k6-probe-runner
+rules:
+  - apiGroups:
+      - k6.io
+    resources:
+      - testruns
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: k6-probe-runner
+roleRef:
+  kind: Role
+  name: k6-probe-runner
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: k6-probe-runner
+    namespace: {{ .Release.Namespace}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k6-probe-runner
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: k6-ws-cron
+spec:
+  schedule: "*/30 * * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccount: k6-probe-runner
+          containers:
+            - name: kubectl
+              image: bitnami/kubectl
+              volumeMounts:
+                - name: k6-yaml
+                  mountPath: /tmp/
+              command:
+                - /bin/bash
+              args:
+                - -c
+                - 'kubectl delete -f /tmp/k6-ws-subscription-testrun.yaml; kubectl apply -f /tmp/k6-ws-subscription-testrun.yaml'
+          restartPolicy: OnFailure
+          volumes:
+            - name: k6-yaml
+              configMap:
+                name: k6-ws-map

charts/k6-operator/templates/k6-ws-subscription-testrun.yaml

@@ -0,0 +1,47 @@
+# k6-resource.yml
+
+apiVersion: k6.io/v1alpha1
+kind: TestRun
+metadata:
+  name: k6-ws-subscription
+  namespace: {{ .Release.Namespace}}
+spec:
+  parallelism: 1
+  script:
+    configMap:
+      name: k6-configmap
+      file: ws-subscription.ts
+  runner:
+    env:
+      - name: KEYCLOAK_CLIENT_ID
+        valueFrom: 
+          secretKeyRef: 
+            name: graph-proxy-k6-auth
+            key: KEYCLOAK_CLIENT_ID
+      - name: KEYCLOAK_CLIENT_SECRET
+        valueFrom: 
+          secretKeyRef: 
+            name: graph-proxy-k6-auth
+            key: KEYCLOAK_CLIENT_SECRET
+      - name: KEYCLOAK_TOKEN_URL
+        value: https://identity-dev.diamond.ac.uk/realms/dls/protocol/openid-connect/token
+      - name: GRAPH_URL
+        value: http://graph-proxy.graph-proxy.svc.cluster.local:80/graphql
+      - name: GRAPH_WS_URL
+        value: ws://graph-proxy.graph-proxy.svc.cluster.local:80/graphql/ws
+    resources:
+      limits:
+        cpu: 1000m
+        memory: 1Gi
+      requests:
+        cpu: 500m
+        memory: 500Mi
+  starter:
+    resources:
+      limits:
+        cpu: 1000m
+        memory: 1Gi
+      requests:
+        cpu: 500m
+        memory: 500Mi
+

charts/k6-operator/templates/rbac.yaml

@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-workflow
+  namespace: ks10000-1
+  ownerReferences:
+  - apiVersion: v1
+    kind: ServiceAccount
+    name: argo-workflow
+    uid: ks12345
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-workflow
+subjects:
+- kind: ServiceAccount
+  name: argo-workflow
+  namespace: ks10000-1
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: visit-member
+  namespace: ks10000-1
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: visit-member
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: oidc:https://identity-dev.diamond.ac.uk/realms/dls/k6Operator
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: oidc:umi13827

charts/k6-operator/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+    generate.kyverno.io/policy-name: workflows-sessionspace
+    generate.kyverno.io/policy-namespace: ""
+    generate.kyverno.io/rule-name: generate-argo-workflow-service-account
+    generate.kyverno.io/trigger-group: ""
+    generate.kyverno.io/trigger-kind: Namespace
+    generate.kyverno.io/trigger-namespace: ""
+    generate.kyverno.io/trigger-uid: 225e0bc5-1410-419d-880c-97fcc98d17bf
+    generate.kyverno.io/trigger-version: v1
+  name: argo-workflow
+  namespace: ks10000-1

charts/k6-operator/templates/sessionspace.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: sessionspaces
+  name: ks10000-1
+---
+apiVersion: v1
+kind: ConfigMap
+data:
+  end_date: "2026-05-22 9:00:00.0"
+  gid: "36055"
+  instrument: b01-1
+  members: '["https://identity-dev.diamond.ac.uk/realms/dls/k6Operator", "umi13827"]'
+  proposal_code: ks
+  proposal_number: "10000"
+  start_date: "2026-04-30 9:00:00.0"
+  visit: "1"
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: sessionspaces
+    #workflows.argoproj.io/configmap-type: Parameter
+  name: sessionspaces
+  namespace: ks10000-1
+
+  # rolebindings not created
+  # v kubectl get roles -n ks10000-1

charts/k6-operator/tests/common.ts

@@ -0,0 +1,38 @@
+import http from 'k6/http';
+import { check, fail } from 'k6';
+import exec from 'k6/execution';
+
+const graphUrl = __ENV.GRAPH_URL;
+const keycloakUrl = __ENV.KEYCLOAK_TOKEN_URL;
+const clientID = __ENV.KEYCLOAK_CLIENT_ID;
+const clientSecret = __ENV.KEYCLOAK_CLIENT_SECRET;
+
+export function setup(): { token: string } {
+  if (!clientSecret) fail('KEYCLOAK_CLIENT_SECRET required');
+  if (!clientID) fail('KEYCLOAK_CLIENT_ID required');
+  if (!keycloakUrl) fail('KEYCLOAK_TOKEN_URL required');
+  if (!graphUrl) fail('GRAPH_URL required');
+
+  const tokenRes = http.post(
+    keycloakUrl, {
+    grant_type: 'client_credentials',
+    client_id: clientID,
+    client_secret: clientSecret,
+  });
+
+  check(tokenRes, {
+    'keycloak token request succeeded': (r) => r.status === 200,
+  });
+
+  if (tokenRes.status !== 200) {
+    fail(`Token request failed: ${tokenRes.status} ${tokenRes.body}`);
+  }
+
+  const tokenBody = JSON.parse(tokenRes.body as string);
+  const token = tokenBody.access_token;
+  if (!token) {
+    exec.test.abort('No access_token in Keycloak response');
+  }
+
+  return { token };
+}