From 324673c8d6e4a4513329a3ea7c29910212c5c6bf Mon Sep 17 00:00:00 2001 
From: Brad White Date: Thu, 20 Jun 2024 14:09:45 -0600 Subject: [PATCH] [ci / FIPS] Dynamic agent selection. Add FIPS agents (#183777) ## Summary - Closes https://github.com/elastic/kibana-operations/issues/100 - Utilizes FIPS agent from elastic/ci-agent-images#686 - Adds dynamic agent selection during PR pipeline upload - FIPS agents can be used with `FTR_ENABLE_FIPS_AGENT` env variable or `ci:enable-fips-agent` label - Removes agent image config from individual steps in favor of image config for the whole pipeline. - Steps can still override this config by adding `image`, `imageProject` etc - Adds a conditional assertion to `Check` CI step which validates that FIPS is working properly ### Testing - [Pipeline run using FIPS agents](https://buildkite.com/elastic/kibana-pull-request/builds/215332) - Failures are expected and this possibly ran with flaky tests --- .buildkite/pipeline-utils/agent_images.ts | 55 +++++++++++++++++++ .../ci-stats/pick_test_group_run_order.ts | 5 +- .buildkite/pipeline-utils/index.ts | 1 + .../pipelines/pull_request/apm_cypress.yml | 3 - .buildkite/pipelines/pull_request/base.yml | 30 ---------- .../pipelines/pull_request/build_project.yml | 3 - .../pull_request/check_next_docs.yml | 3 - .../pipelines/pull_request/deploy_cloud.yml | 3 - .../pipelines/pull_request/deploy_project.yml | 6 -- .../pull_request/exploratory_view_plugin.yml | 3 - .buildkite/pipelines/pull_request/fips.yml | 3 - .../pipelines/pull_request/fleet_cypress.yml | 3 - .../pipelines/pull_request/kbn_handlebars.yml | 3 - .../observability_onboarding_cypress.yml | 3 - .../pipelines/pull_request/post_build.yml | 3 - .../pull_request/profiling_cypress.yml | 3 - .../pipelines/pull_request/response_ops.yml | 3 - .../pull_request/response_ops_cases.yml | 3 - .../security_solution/ai_assistant.yml | 6 -- .../security_solution/cypress_burn.yml | 12 ---- .../security_solution/defend_workflows.yml | 10 ---- .../security_solution/detection_engine.yml | 12 ---- 
.../security_solution/entity_analytics.yml | 6 -- .../security_solution/explore.yml | 6 -- .../security_solution/investigations.yml | 6 -- .../security_solution/osquery_cypress.yml | 6 -- .../security_solution/rule_management.yml | 12 ---- .../security_solution/threat_intelligence.yml | 3 - .../pipelines/pull_request/slo_plugin_e2e.yml | 3 - .../pipelines/pull_request/storybooks.yml | 3 - .../pull_request/synthetics_plugin.yml | 3 - .../pipelines/pull_request/uptime_plugin.yml | 3 - .../pipelines/pull_request/ux_plugin_e2e.yml | 3 - .../pull_request/webpack_bundle_analyzer.yml | 3 - .buildkite/scripts/common/env.sh | 14 +++++ .buildkite/scripts/common/util.sh | 4 +- .../pipelines/pull_request/pipeline.ts | 3 +- .buildkite/scripts/steps/checks.sh | 3 + .../steps/checks/verify_fips_enabled.sh | 28 ++++++++++ .../roles/assert_fips_enabled/tasks/main.yml | 2 +- 40 files changed, 108 insertions(+), 179 deletions(-) create mode 100644 .buildkite/pipeline-utils/agent_images.ts create mode 100755 .buildkite/scripts/steps/checks/verify_fips_enabled.sh diff --git a/.buildkite/pipeline-utils/agent_images.ts b/.buildkite/pipeline-utils/agent_images.ts new file mode 100644 index 0000000000000..0d1c2f859b0a1 --- /dev/null +++ b/.buildkite/pipeline-utils/agent_images.ts 
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { dump } from 'js-yaml';
+import { BuildkiteClient, BuildkiteCommandStep } from './buildkite';
+
+type AgentImageConfig = BuildkiteCommandStep['agents'];
+
+const DEFAULT_AGENT_IMAGE_CONFIG: AgentImageConfig = {
+ provider: 'gcp',
+ image: 'family/kibana-ubuntu-2004',
+ imageProject: 'elastic-images-prod',
+};
+
+const FIPS_AGENT_IMAGE_CONFIG: AgentImageConfig = {
+ provider: 'gcp',
+ image: 'family/kibana-fips-ubuntu-2004',
+ imageProject: 'elastic-images-qa',
+};
+
+const GITHUB_PR_LABELS = process.env.GITHUB_PR_LABELS ?? '';
+const FTR_ENABLE_FIPS_AGENT = process.env.FTR_ENABLE_FIPS_AGENT?.toLowerCase() === 'true';
+
+// Narrow the return type with overloads
+function getAgentImageConfig(): AgentImageConfig;
+function getAgentImageConfig(options: { returnYaml: true }): string;
+function getAgentImageConfig({ returnYaml = false } = {}): string | AgentImageConfig {
+ const bk = new BuildkiteClient();
+ let config: AgentImageConfig;
+
+ if (FTR_ENABLE_FIPS_AGENT || GITHUB_PR_LABELS.includes('ci:enable-fips-agent')) {
+ config = FIPS_AGENT_IMAGE_CONFIG;
+
+ bk.setAnnotation(
+ 'agent image config',
+ 'info',
+ '#### FIPS Agents Enabled
\nFIPS mode can produce new test failures. If you did not intend this remove ```KBN_ENABLE_FIPS``` environment variable and/or the ```ci:enable-fips-agent``` Github label.' + ); + } else { + config = DEFAULT_AGENT_IMAGE_CONFIG; + } + + if (returnYaml) { + return dump({ agents: config }); + } + + return config; +} + +export { getAgentImageConfig }; diff --git a/.buildkite/pipeline-utils/ci-stats/pick_test_group_run_order.ts b/.buildkite/pipeline-utils/ci-stats/pick_test_group_run_order.ts index aa6e33f1116b4..20b2d366e6067 100644 --- a/.buildkite/pipeline-utils/ci-stats/pick_test_group_run_order.ts +++ b/.buildkite/pipeline-utils/ci-stats/pick_test_group_run_order.ts @@ -16,6 +16,7 @@ import { BuildkiteClient, BuildkiteStep } from '../buildkite'; import { CiStatsClient, TestGroupRunOrderResponse } from './client'; import DISABLED_JEST_CONFIGS from '../../disabled_jest_configs.json'; +import { getAgentImageConfig } from '#pipeline-utils'; type RunGroup = TestGroupRunOrderResponse['types'][0]; @@ -25,9 +26,7 @@ const getAgentRule = (queueName: string = 'n2-4-spot') => { if (process.env?.BUILDKITE_AGENT_META_DATA_QUEUE === 'gobld') { const [kind, cores, spot] = queueName.split('-'); return { - provider: 'gcp', - image: 'family/kibana-ubuntu-2004', - imageProject: 'elastic-images-prod', + ...getAgentImageConfig(), machineType: `${kind}-standard-${cores}`, preemptible: spot === 'spot', }; diff --git a/.buildkite/pipeline-utils/index.ts b/.buildkite/pipeline-utils/index.ts index b8da40de58f2e..b84c1e2d913d9 100644 --- a/.buildkite/pipeline-utils/index.ts +++ b/.buildkite/pipeline-utils/index.ts @@ -6,6 +6,7 @@ * Side Public License, v 1. */ +export * from './agent_images'; export * from './buildkite'; export * as CiStats from './ci-stats'; export * from './github'; diff --git a/.buildkite/pipelines/pull_request/apm_cypress.yml b/.buildkite/pipelines/pull_request/apm_cypress.yml index e0d8b5f4db021..05194bae83e79 100644 
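Review bot: The FIPS branch of `getAgentImageConfig` is selected by `GITHUB_PR_LABELS.includes('ci:enable-fips-agent')`, a substring test on the raw variable, so any label whose name merely contains that text also moves the pipeline-wide `agents` default from `elastic-images-prod` to `elastic-images-qa`. An exact match is safer, for example `GITHUB_PR_LABELS.split(',').includes('ci:enable-fips-agent')` if the variable is comma-separated (its format is not visible here). Because steps that deploy or handle credentials would then boot from the QA image project, it is worth confirming that project has the same publishing controls as prod. The annotation text also tells readers to remove `KBN_ENABLE_FIPS`, while this file reads `FTR_ENABLE_FIPS_AGENT`; naming both would avoid confusion.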
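Review bot: `import { getAgentImageConfig } from '#pipeline-utils'` pulls the package index into a module that itself lives inside pipeline-utils, while the neighbouring imports use relative paths such as `'../buildkite'`. The index re-exports `./ci-stats` (`export * as CiStats from './ci-stats'`), so if that barrel includes this file the import forms a cycle. It probably still resolves because the function is only called later, but `import { getAgentImageConfig } from '../agent_images';` avoids the question and matches the file's existing style.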
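Review bot: Spreading `...getAgentImageConfig()` inside `getAgentRule` runs the helper's side effects on every call: it constructs a `BuildkiteClient` and, in FIPS mode, calls `bk.setAnnotation` again for each agent rule that is built. Reading the config once into a constant outside the arrow function, `const agentImageConfig = getAgentImageConfig();`, and spreading `...agentImageConfig` keeps the rule builder free of repeated annotation calls. `getAgentRule` starts before and ends after this hunk, so how often it is called is inferred rather than visible.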
--- a/.buildkite/pipelines/pull_request/apm_cypress.yml +++ b/.buildkite/pipelines/pull_request/apm_cypress.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/apm_cypress.sh label: 'APM Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/base.yml b/.buildkite/pipelines/pull_request/base.yml index 0af21702aedd0..8b57562c7a329 100644 --- a/.buildkite/pipelines/pull_request/base.yml +++ b/.buildkite/pipelines/pull_request/base.yml @@ -3,9 +3,6 @@ steps: label: Pre-Build timeout_in_minutes: 10 agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-2 - wait @@ -13,9 +10,6 @@ steps: - command: .buildkite/scripts/steps/build_kibana.sh label: Build Kibana Distribution and Plugins agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-16 preemptible: true key: build @@ -29,9 +23,6 @@ steps: - command: .buildkite/scripts/steps/quick_checks.sh label: 'Quick Checks' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-2 preemptible: true key: quick_checks @@ -46,9 +37,6 @@ steps: - command: .buildkite/scripts/steps/ci_stats_ready.sh label: Mark CI Stats as ready agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-2 timeout_in_minutes: 10 depends_on: @@ -62,9 +50,6 @@ steps: - command: .buildkite/scripts/steps/test/pick_test_group_run_order.sh label: 'Pick Test Group Run Order' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-2 timeout_in_minutes: 10 env: 
@@ -79,9 +64,6 @@ steps: - command: .buildkite/scripts/steps/lint.sh label: 'Linting' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-8 preemptible: true key: linting @@ -94,9 +76,6 @@ steps: - command: .buildkite/scripts/steps/check_types.sh label: 'Check Types' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true key: check_types @@ -109,9 +88,6 @@ steps: - command: .buildkite/scripts/steps/lint_with_types.sh label: 'Linting (with types)' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-16 preemptible: true key: linting_with_types @@ -125,9 +101,6 @@ steps: label: 'Checks' key: checks agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-2 preemptible: true timeout_in_minutes: 60 @@ -139,9 +112,6 @@ steps: - command: .buildkite/scripts/steps/api_docs/build_api_docs.sh label: 'Build API Docs' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true key: build_api_docs diff --git a/.buildkite/pipelines/pull_request/build_project.yml b/.buildkite/pipelines/pull_request/build_project.yml index c6ae6479effd5..2f18ff4674557 100644 --- a/.buildkite/pipelines/pull_request/build_project.yml +++ b/.buildkite/pipelines/pull_request/build_project.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/artifacts/docker_image.sh label: 'Build Project Image' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-16 preemptible: true timeout_in_minutes: 60 diff --git a/.buildkite/pipelines/pull_request/check_next_docs.yml b/.buildkite/pipelines/pull_request/check_next_docs.yml index eafd8ca872392..d513de2f8fea3 100644 
--- a/.buildkite/pipelines/pull_request/check_next_docs.yml +++ b/.buildkite/pipelines/pull_request/check_next_docs.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/next_docs/build_and_validate_docs.sh label: 'Build and Validate Next Docs' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true timeout_in_minutes: 30 diff --git a/.buildkite/pipelines/pull_request/deploy_cloud.yml b/.buildkite/pipelines/pull_request/deploy_cloud.yml index ed174aa41facd..d520822e54f7b 100644 --- a/.buildkite/pipelines/pull_request/deploy_cloud.yml +++ b/.buildkite/pipelines/pull_request/deploy_cloud.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/cloud/build_and_deploy.sh label: 'Build and Deploy to Cloud' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-2 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/deploy_project.yml b/.buildkite/pipelines/pull_request/deploy_project.yml index 0698d9e1899e6..34333f411c80d 100644 --- a/.buildkite/pipelines/pull_request/deploy_project.yml +++ b/.buildkite/pipelines/pull_request/deploy_project.yml @@ -3,9 +3,6 @@ steps: label: 'Build Project Image' key: build_project_image agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-16 preemptible: true timeout_in_minutes: 60 @@ -16,9 +13,6 @@ steps: - command: .buildkite/scripts/steps/serverless/deploy.sh label: 'Deploy Project' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true timeout_in_minutes: 10 diff --git a/.buildkite/pipelines/pull_request/exploratory_view_plugin.yml b/.buildkite/pipelines/pull_request/exploratory_view_plugin.yml index 511e98321ecb7..72a2ae8ab785b 100644 
--- a/.buildkite/pipelines/pull_request/exploratory_view_plugin.yml +++ b/.buildkite/pipelines/pull_request/exploratory_view_plugin.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/exploratory_view_plugin.sh label: 'Exploratory View @elastic/synthetics Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/fips.yml b/.buildkite/pipelines/pull_request/fips.yml index 5118fae835718..a136b4f91a2c5 100644 --- a/.buildkite/pipelines/pull_request/fips.yml +++ b/.buildkite/pipelines/pull_request/fips.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/fips/build.sh label: 'Build FIPS Image' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-2 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/fleet_cypress.yml b/.buildkite/pipelines/pull_request/fleet_cypress.yml index b2bf1bc3d9412..2e0365793afc0 100644 --- a/.buildkite/pipelines/pull_request/fleet_cypress.yml +++ b/.buildkite/pipelines/pull_request/fleet_cypress.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/fleet_cypress.sh label: 'Fleet Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/kbn_handlebars.yml b/.buildkite/pipelines/pull_request/kbn_handlebars.yml index 9bee1bc29f372..5da18ce31919c 100644 --- a/.buildkite/pipelines/pull_request/kbn_handlebars.yml +++ b/.buildkite/pipelines/pull_request/kbn_handlebars.yml 
@@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/test/kbn_handlebars.sh label: 'Check @kbn/handlebars for upstream differences' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-2 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/observability_onboarding_cypress.yml b/.buildkite/pipelines/pull_request/observability_onboarding_cypress.yml index 06c61b703b1e2..300c148a09b3f 100644 --- a/.buildkite/pipelines/pull_request/observability_onboarding_cypress.yml +++ b/.buildkite/pipelines/pull_request/observability_onboarding_cypress.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/observability_onboarding_cypress.sh label: 'Observability onboarding Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/post_build.yml b/.buildkite/pipelines/pull_request/post_build.yml index 95764b537e5eb..f5c1a0bae19ea 100644 --- a/.buildkite/pipelines/pull_request/post_build.yml +++ b/.buildkite/pipelines/pull_request/post_build.yml @@ -5,7 +5,4 @@ steps: - command: .buildkite/scripts/lifecycle/post_build.sh label: Post-Build agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-2 diff --git a/.buildkite/pipelines/pull_request/profiling_cypress.yml b/.buildkite/pipelines/pull_request/profiling_cypress.yml index 7293db65cb704..d86fc5a167db6 100644 --- a/.buildkite/pipelines/pull_request/profiling_cypress.yml +++ b/.buildkite/pipelines/pull_request/profiling_cypress.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/profiling_cypress.sh label: 'Profiling Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: 
diff --git a/.buildkite/pipelines/pull_request/response_ops.yml b/.buildkite/pipelines/pull_request/response_ops.yml index bc9f22fc8194c..60e2dc32476d5 100644 --- a/.buildkite/pipelines/pull_request/response_ops.yml +++ b/.buildkite/pipelines/pull_request/response_ops.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/response_ops.sh label: 'Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/response_ops_cases.yml b/.buildkite/pipelines/pull_request/response_ops_cases.yml index 421e71285af4d..1e1510260436d 100644 --- a/.buildkite/pipelines/pull_request/response_ops_cases.yml +++ b/.buildkite/pipelines/pull_request/response_ops_cases.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/response_ops_cases.sh label: 'Cases Cypress Tests on Security Solution' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/security_solution/ai_assistant.yml b/.buildkite/pipelines/pull_request/security_solution/ai_assistant.yml index a0dbfdb62e98d..252365ee7e4da 100644 --- a/.buildkite/pipelines/pull_request/security_solution/ai_assistant.yml +++ b/.buildkite/pipelines/pull_request/security_solution/ai_assistant.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_serverless_ai_assistant.sh label: 'Serverless AI Assistant - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: 
@@ -20,9 +17,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_solution_ai_assistant.sh label: 'AI Assistant - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/security_solution/cypress_burn.yml b/.buildkite/pipelines/pull_request/security_solution/cypress_burn.yml index d3ee6fe63f641..6d69748c6d447 100644 --- a/.buildkite/pipelines/pull_request/security_solution/cypress_burn.yml +++ b/.buildkite/pipelines/pull_request/security_solution/cypress_burn.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/defend_workflows_burn.sh label: '[Soft fail] Defend Workflows Cypress Tests, burning changed specs' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp enableNestedVirtualization: true localSsds: 1 localSsdInterface: nvme @@ -21,9 +18,6 @@ steps: - command: .buildkite/scripts/steps/functional/defend_workflows_serverless_burn.sh label: '[Soft fail] Defend Workflows Cypress Tests on Serverless, burning changed specs' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp enableNestedVirtualization: true localSsds: 1 localSsdInterface: nvme @@ -40,9 +34,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_solution_burn.sh label: '[Soft fail] Security Solution Cypress tests, burning changed specs' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -57,9 +48,6 @@ steps: - command: .buildkite/scripts/steps/functional/osquery_cypress_burn.sh label: '[Soft fail] Osquery Cypress Tests, burning changed specs' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: 
diff --git a/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml b/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml index 2fab86d72afa2..47f0e672a8d5a 100644 --- a/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml +++ b/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/defend_workflows.sh label: 'Defend Workflows Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp enableNestedVirtualization: true localSsds: 1 localSsdInterface: nvme @@ -22,9 +19,6 @@ steps: - command: .buildkite/scripts/steps/functional/defend_workflows_serverless.sh label: 'Defend Workflows Cypress Tests on Serverless' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp enableNestedVirtualization: true localSsds: 1 localSsdInterface: nvme @@ -38,14 +32,10 @@ steps: automatic: - exit_status: '-1' limit: 1 - # status_exception: Native role management is not enabled in this Elasticsearch instance # - command: .buildkite/scripts/steps/functional/security_serverless_defend_workflows.sh # label: 'Serverless Security Defend Workflows Cypress Tests' # agents: -# image: family/kibana-ubuntu-2004 -# imageProject: elastic-images-prod -# provider: gcp # machineType: n2-standard-4 # preemptible: true # depends_on: build diff --git a/.buildkite/pipelines/pull_request/security_solution/detection_engine.yml b/.buildkite/pipelines/pull_request/security_solution/detection_engine.yml index b2294b33f82fe..65a9dc832e1e6 100644 --- a/.buildkite/pipelines/pull_request/security_solution/detection_engine.yml +++ b/.buildkite/pipelines/pull_request/security_solution/detection_engine.yml 
@@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_serverless_detection_engine.sh label: 'Serverless Detection Engine - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -20,9 +17,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_serverless_detection_engine_exceptions.sh label: 'Serverless Detection Engine - Exceptions - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -38,9 +32,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_solution_detection_engine.sh label: 'Detection Engine - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -56,9 +47,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_solution_detection_engine_exceptions.sh label: 'Detection Engine - Exceptions - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/security_solution/entity_analytics.yml b/.buildkite/pipelines/pull_request/security_solution/entity_analytics.yml index bd670b4fa9324..8883f1ab9c038 100644 --- a/.buildkite/pipelines/pull_request/security_solution/entity_analytics.yml +++ b/.buildkite/pipelines/pull_request/security_solution/entity_analytics.yml 
@@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_serverless_entity_analytics.sh label: 'Serverless Entity Analytics - Security Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -20,9 +17,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_solution_entity_analytics.sh label: 'Entity Analytics - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/security_solution/explore.yml b/.buildkite/pipelines/pull_request/security_solution/explore.yml index 4f4609aca42f1..239021affcf99 100644 --- a/.buildkite/pipelines/pull_request/security_solution/explore.yml +++ b/.buildkite/pipelines/pull_request/security_solution/explore.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_solution_explore.sh label: 'Explore - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -20,9 +17,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_serverless_explore.sh label: 'Serverless Explore - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/security_solution/investigations.yml b/.buildkite/pipelines/pull_request/security_solution/investigations.yml index 713b1b0bc45ab..ccd469aedbdbe 100644 --- a/.buildkite/pipelines/pull_request/security_solution/investigations.yml +++ b/.buildkite/pipelines/pull_request/security_solution/investigations.yml 
@@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_solution_investigations.sh label: 'Investigations - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -20,9 +17,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_serverless_investigations.sh label: 'Serverless Investigations - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/security_solution/osquery_cypress.yml b/.buildkite/pipelines/pull_request/security_solution/osquery_cypress.yml index 6e47721a6d671..26faa344371c9 100644 --- a/.buildkite/pipelines/pull_request/security_solution/osquery_cypress.yml +++ b/.buildkite/pipelines/pull_request/security_solution/osquery_cypress.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/osquery_cypress.sh label: 'Osquery Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -20,9 +17,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_serverless_osquery.sh label: 'Serverless Osquery Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/security_solution/rule_management.yml b/.buildkite/pipelines/pull_request/security_solution/rule_management.yml index 8c84a6566eca9..30bd1bd1ff649 100644 --- a/.buildkite/pipelines/pull_request/security_solution/rule_management.yml +++ b/.buildkite/pipelines/pull_request/security_solution/rule_management.yml 
@@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_serverless_rule_management.sh label: 'Serverless Rule Management - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -20,9 +17,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_serverless_rule_management_prebuilt_rules.sh label: 'Serverless Rule Management - Prebuilt Rules - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -38,9 +32,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_solution_rule_management.sh label: 'Rule Management - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: @@ -56,9 +47,6 @@ steps: - command: .buildkite/scripts/steps/functional/security_solution_rule_management_prebuilt_rules.sh label: 'Rule Management - Prebuilt Rules - Security Solution Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/security_solution/threat_intelligence.yml b/.buildkite/pipelines/pull_request/security_solution/threat_intelligence.yml index 5f79c21bd4938..3b4f0e6accc7f 100644 --- a/.buildkite/pipelines/pull_request/security_solution/threat_intelligence.yml +++ b/.buildkite/pipelines/pull_request/security_solution/threat_intelligence.yml 
@@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/threat_intelligence.sh label: 'Threat Intelligence Cypress Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/slo_plugin_e2e.yml b/.buildkite/pipelines/pull_request/slo_plugin_e2e.yml index 8dc048801c7c1..852ec2f9a0b16 100644 --- a/.buildkite/pipelines/pull_request/slo_plugin_e2e.yml +++ b/.buildkite/pipelines/pull_request/slo_plugin_e2e.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/slo_plugin_e2e.sh label: 'SLO Plugin @elastic/synthetics Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/storybooks.yml b/.buildkite/pipelines/pull_request/storybooks.yml index fe8b333f2d46f..4829f7fd91206 100644 --- a/.buildkite/pipelines/pull_request/storybooks.yml +++ b/.buildkite/pipelines/pull_request/storybooks.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/storybooks/build_and_upload.sh label: 'Build Storybooks' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-8 preemptible: true key: storybooks diff --git a/.buildkite/pipelines/pull_request/synthetics_plugin.yml b/.buildkite/pipelines/pull_request/synthetics_plugin.yml index 39467f473c08e..77f330b991ba8 100644 --- a/.buildkite/pipelines/pull_request/synthetics_plugin.yml +++ b/.buildkite/pipelines/pull_request/synthetics_plugin.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/synthetics_plugin.sh label: 'Synthetics @elastic/synthetics Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: 
diff --git a/.buildkite/pipelines/pull_request/uptime_plugin.yml b/.buildkite/pipelines/pull_request/uptime_plugin.yml index 2350767b92edf..286c760336132 100644 --- a/.buildkite/pipelines/pull_request/uptime_plugin.yml +++ b/.buildkite/pipelines/pull_request/uptime_plugin.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/uptime_plugin.sh label: 'Uptime @elastic/synthetics Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/ux_plugin_e2e.yml b/.buildkite/pipelines/pull_request/ux_plugin_e2e.yml index 747b7e813f752..a11309cffb2c2 100644 --- a/.buildkite/pipelines/pull_request/ux_plugin_e2e.yml +++ b/.buildkite/pipelines/pull_request/ux_plugin_e2e.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/functional/ux_synthetics_e2e.sh label: 'UX Plugin @elastic/synthetics Tests' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true depends_on: diff --git a/.buildkite/pipelines/pull_request/webpack_bundle_analyzer.yml b/.buildkite/pipelines/pull_request/webpack_bundle_analyzer.yml index 03ff2bd0da693..6b265c3146a63 100644 --- a/.buildkite/pipelines/pull_request/webpack_bundle_analyzer.yml +++ b/.buildkite/pipelines/pull_request/webpack_bundle_analyzer.yml @@ -2,9 +2,6 @@ steps: - command: .buildkite/scripts/steps/webpack_bundle_analyzer/build_and_upload.sh label: 'Build Webpack Bundle Analyzer reports' agents: - image: family/kibana-ubuntu-2004 - imageProject: elastic-images-prod - provider: gcp machineType: n2-standard-4 preemptible: true key: webpack_bundle_analyzer diff --git a/.buildkite/scripts/common/env.sh b/.buildkite/scripts/common/env.sh index be1101f4c2d96..a8fa9cae419d0 100755 --- a/.buildkite/scripts/common/env.sh +++ b/.buildkite/scripts/common/env.sh 
@@ -131,3 +131,17 @@ export TEST_GROUP_TYPE_FUNCTIONAL="Functional Tests"
 # tells the gh command what our default repo is
 export GH_REPO=github.com/elastic/kibana
+
+FTR_ENABLE_FIPS_AGENT=false
+# used by FIPS agents to link FIPS OpenSSL modules
+if [[ "${KBN_ENABLE_FIPS:-}" == "true" ]] || is_pr_with_label "ci:enable-fips-agent"; then
+ FTR_ENABLE_FIPS_AGENT=true
+ export OPENSSL_MODULES=$HOME/openssl/lib/ossl-modules
+
+ if [[ -f "$KIBANA_DIR/config/node.options" ]]; then
+ echo -e '\n--enable-fips' >>"$KIBANA_DIR/config/node.options"
+ echo "--openssl-config=$HOME/nodejs.cnf" >>"$KIBANA_DIR/config/node.options"
+ fi
+fi
+
+export FTR_ENABLE_FIPS_AGENT
diff --git a/.buildkite/scripts/common/util.sh b/.buildkite/scripts/common/util.sh
index 818d712fd2aa8..5630fed40bf93 100755
--- a/.buildkite/scripts/common/util.sh
+++ b/.buildkite/scripts/common/util.sh
@@ -33,7 +33,7 @@ check_for_changed_files() {
 SHOULD_AUTO_COMMIT_CHANGES="${2:-}"
 CUSTOM_FIX_MESSAGE="${3:-}"
- GIT_CHANGES="$(git status --porcelain -- . ':!:.bazelrc')"
+ GIT_CHANGES="$(git status --porcelain -- . ':!:.bazelrc' ':!:config/node.options')"
 if [ "$GIT_CHANGES" ]; then
 if ! is_auto_commit_disabled && [[ "$SHOULD_AUTO_COMMIT_CHANGES" == "true" && "${BUILDKITE_PULL_REQUEST:-}" ]]; then
@@ -56,7 +56,7 @@ check_for_changed_files() {
 git config --global user.name kibanamachine
 git config --global user.email '42973632+kibanamachine@users.noreply.github.com'
 gh pr checkout "${BUILDKITE_PULL_REQUEST}"
- git add -A -- . ':!.bazelrc'
+ git add -A -- . ':!.bazelrc' ':!config/node.options'
 git commit -m "$NEW_COMMIT_MESSAGE"
 git push
diff --git a/.buildkite/scripts/pipelines/pull_request/pipeline.ts b/.buildkite/scripts/pipelines/pull_request/pipeline.ts
index 38ae590f18e0b..035ab108a6b88 100644
--- a/.buildkite/scripts/pipelines/pull_request/pipeline.ts
+++ b/.buildkite/scripts/pipelines/pull_request/pipeline.ts
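Review bot: The `config/node.options` append in the env.sh hunk is neither idempotent nor checked: every time this block runs on a FIPS build it adds another `--enable-fips` / `--openssl-config` pair, and when the file is absent the flags are skipped silently while `FTR_ENABLE_FIPS_AGENT=true` is still exported. Guarding the append with a `grep` for the flag and printing a warning in the missing-file case keeps the file stable and makes a FIPS build that is not actually configured for FIPS visible in the log. The PR description also says `FTR_ENABLE_FIPS_AGENT` can be set to opt in, but this hunk resets it to `false` and reads `KBN_ENABLE_FIPS`; a one-line comment naming the real input would remove that ambiguity. Whether env.sh is sourced more than once per job is not visible in this hunk.

```shell
  # … unchanged: FTR_ENABLE_FIPS_AGENT=true, export OPENSSL_MODULES …
  if [[ -f "$KIBANA_DIR/config/node.options" ]]; then
    # append once, even if this file is sourced again in the same checkout
    if ! grep -qxF -- '--enable-fips' "$KIBANA_DIR/config/node.options"; then
      # … unchanged: the two echo … >>"$KIBANA_DIR/config/node.options" lines …
    fi
  else
    echo "FIPS requested but $KIBANA_DIR/config/node.options is missing; node flags not applied" >&2
  fi
```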
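Review bot: The new `':!:config/node.options'` exclusion in `check_for_changed_files` (util.sh, first hunk, and the matching `':!config/node.options'` on the `git add` line in the second hunk) applies to every build, not only FIPS ones, so a step that rewrites `config/node.options` is no longer reported or auto-committed. If the only expected writer is the FIPS block in env.sh, a comment such as `# config/node.options is appended to by env.sh on FIPS agents; ignore it here` would record why, and the exclusion could be added only when `FTR_ENABLE_FIPS_AGENT` is `true`. The function body starts and ends outside both hunks.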
@@ -9,7 +9,7 @@ import { execSync } from 'child_process'; import fs from 'fs'; import prConfigs from '../../../pull_requests.json'; -import { areChangesSkippable, doAnyChangesMatch } from '#pipeline-utils'; +import { areChangesSkippable, doAnyChangesMatch, getAgentImageConfig } from '#pipeline-utils'; const prConfig = prConfigs.jobs.find((job) => job.pipelineSlug === 'kibana-pull-request'); @@ -43,6 +43,7 @@ const getPipeline = (filename: string, removeSteps = true) => { const pipeline = []; + pipeline.push(getAgentImageConfig({ returnYaml: true })); pipeline.push(getPipeline('.buildkite/pipelines/pull_request/base.yml', false)); if (await doAnyChangesMatch([/^packages\/kbn-handlebars/])) { diff --git a/.buildkite/scripts/steps/checks.sh b/.buildkite/scripts/steps/checks.sh index 481c08f52758d..ef2b14c3e2f82 100755 --- a/.buildkite/scripts/steps/checks.sh +++ b/.buildkite/scripts/steps/checks.sh @@ -5,6 +5,9 @@ set -euo pipefail export DISABLE_BOOTSTRAP_VALIDATION=false .buildkite/scripts/bootstrap.sh +if [[ "${FIPS_ENABLED:-}" == "true" ]]; then + .buildkite/scripts/steps/checks/verify_fips_enabled.sh +fi .buildkite/scripts/steps/checks/saved_objects_compat_changes.sh .buildkite/scripts/steps/checks/saved_objects_definition_change.sh .buildkite/scripts/steps/capture_oas_snapshot.sh diff --git a/.buildkite/scripts/steps/checks/verify_fips_enabled.sh b/.buildkite/scripts/steps/checks/verify_fips_enabled.sh new file mode 100755 index 0000000000000..6a4a7e2ebd35c --- /dev/null +++ b/.buildkite/scripts/steps/checks/verify_fips_enabled.sh 
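Review bot: The guard added in checks.sh tests `FIPS_ENABLED`, which none of the visible hunks set; env.sh in this commit exports `FTR_ENABLE_FIPS_AGENT` and reads `KBN_ENABLE_FIPS`. If `FIPS_ENABLED` is meant to come from the FIPS agent image, a comment should say so; otherwise a build that asked for FIPS skips `verify_fips_enabled.sh` without any log line. Accepting either variable would close that gap: `if [[ "${FIPS_ENABLED:-}" == "true" || "${FTR_ENABLE_FIPS_AGENT:-}" == "true" ]]; then`.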
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common/util.sh
+
+.buildkite/scripts/download_build_artifacts.sh
+
+echo --- Verify FIPS enabled
+
+NODE_BINARY="$KIBANA_BUILD_LOCATION/node/glibc-217/bin/node"
+
+if [[ -x "$NODE_BINARY" ]]; then
+ # sed is used to remove invisible ANSI color codes from the output
+ FIPS_STATUS=$("$NODE_BINARY" --enable-fips --openssl-config="$HOME/nodejs.cnf" -p 'crypto.getFips()' | sed 's/\x1b\[[0-9;]*m//g' | tr -d \\n)
+ echo "$FIPS_STATUS" | od -c
+
+ if [[ "$FIPS_STATUS" == "1" ]]; then
+ echo "FIPS enabled successfully"
+ exit 0
+ else
+ echo "Failed to enable FIPS: $FIPS_STATUS"
+ exit 1
+ fi
+else
+ echo "Node binary not found at $NODE_BINARY"
+ exit 1
+fi
diff --git a/test/package/roles/assert_fips_enabled/tasks/main.yml b/test/package/roles/assert_fips_enabled/tasks/main.yml
index 74ebe283673cb..3f115314957b1 100644
--- a/test/package/roles/assert_fips_enabled/tasks/main.yml
+++ b/test/package/roles/assert_fips_enabled/tasks/main.yml
@@ -1,6 +1,6 @@
 - name: register kibana node getFips
 shell:
- cmd: "source /home/vagrant/.profile && {{ kibana_dist_path }}/node/bin/node --enable-fips --openssl-config={{ kibana_dist_path }}/config/nodejs.cnf -p 'crypto.getFips()'"
+ cmd: "source /home/vagrant/.profile && {{ kibana_dist_path }}/node/glibc-217/bin/node --enable-fips --openssl-config={{ kibana_dist_path }}/config/nodejs.cnf -p 'crypto.getFips()'"
 executable: /bin/bash
 register: kibana_node_fips
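Review bot: verify_fips_enabled.sh passes `--enable-fips` and `--openssl-config` on the command line, so it shows that the bundled Node can enter FIPS mode with `$HOME/nodejs.cnf`, but not that the flags env.sh appends to `config/node.options` are in effect. A header comment stating that scope would keep the step from being read as proof that Kibana itself starts in FIPS mode, for example `# Checks the bundled node binary only; this invocation does not read config/node.options`. Under `set -euo pipefail` a non-zero exit from node ends the script at the `FIPS_STATUS=` assignment, so the `Failed to enable FIPS` branch is reached only when node exits 0 and prints something other than `1`; that still fails closed. The final `else` message says the binary was not found, although the `-x` test also fails for a file that exists but is not executable.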