Merge branch 'main' into sharedux/cleanup-tomountpoint-deprecations-viii

elastic · Apr 27, 2024 · 9cfd3ee · 9cfd3ee
2 parents 90102e9 + 306bcf6
commit 9cfd3ee
Show file tree

Hide file tree

Showing 89 changed files with 747 additions and 519 deletions.
diff --git a/.buildkite/pipeline-resource-definitions/kibana-fips-daily.yml b/.buildkite/pipeline-resource-definitions/kibana-fips-daily.yml
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://gist.githubusercontent.com/elasticmachine/988b80dae436cafea07d9a4a460a011d/raw/rre.schema.json
+apiVersion: backstage.io/v1alpha1
+kind: Resource
+metadata:
+  name: bk-kibana-fips-daily
+  description: Run Kibana FIPS smoke tests
+  links:
+    - title: Pipeline link
+      url: https://buildkite.com/elastic/kibana-fips
+spec:
+  type: buildkite-pipeline
+  owner: group:kibana-operations
+  system: buildkite
+  implementation:
+    apiVersion: buildkite.elastic.dev/v1
+    kind: Pipeline
+    metadata:
+      name: kibana / fips
+      description: Run Kibana FIPS smoke tests
+    spec:
+      env:
+        SLACK_NOTIFICATIONS_CHANNEL: "#kibana-operations-alerts"
+        ELASTIC_SLACK_NOTIFICATIONS_ENABLED: "true"
+      repository: elastic/kibana
+      branch_configuration: main
+      default_branch: main
+      pipeline_file: ".buildkite/pipelines/fips.yml"
+      provider_settings:
+        trigger_mode: none
+      schedules:
+        daily:
+          branch: main
+          cronline: 0 9 * * * America/New_York
+      teams:
+        kibana-operations:
+          access_level: MANAGE_BUILD_AND_READ
+        everyone:
+          access_level: READ_ONLY
diff --git a/.buildkite/pipeline-resource-definitions/locations.yml b/.buildkite/pipeline-resource-definitions/locations.yml
@@ -12,6 +12,7 @@ spec:
     - https://github.com/elastic/kibana/blob/main/.buildkite/pipeline-resource-definitions/kibana-es-serverless-snapshots.yml
     - https://github.com/elastic/kibana/blob/main/.buildkite/pipeline-resource-definitions/kibana-es-snapshots.yml
     - https://github.com/elastic/kibana/blob/main/.buildkite/pipeline-resource-definitions/kibana-esql-grammar-sync.yml
+    - https://github.com/elastic/kibana/blob/main/.buildkite/pipeline-resource-definitions/kibana-fips-daily.yml
     - https://github.com/elastic/kibana/blob/main/.buildkite/pipeline-resource-definitions/kibana-flaky.yml
     - https://github.com/elastic/kibana/blob/main/.buildkite/pipeline-resource-definitions/kibana-fleet-packages-daily.yml
     - https://github.com/elastic/kibana/blob/main/.buildkite/pipeline-resource-definitions/kibana-migration-staging.yml

diff --git a/.buildkite/pipelines/fips.yml b/.buildkite/pipelines/fips.yml
@@ -0,0 +1,32 @@
+env:
+  DISABLE_CI_STATS_SHIPPING: "true"
+steps:
+  - command: .buildkite/scripts/steps/build_kibana.sh
+    label: Build Kibana Distribution and Plugins
+    agents:
+      image: family/kibana-ubuntu-2004
+      imageProject: elastic-images-qa
+      provider: gcp
+      machineType: n2-standard-16
+      preemptible: true
+    key: build
+    if: "build.env('KIBANA_BUILD_ID') == null || build.env('KIBANA_BUILD_ID') == ''"
+    timeout_in_minutes: 60
+    retry:
+      automatic:
+        - exit_status: "-1"
+          limit: 3
+
+  - wait
+
+  - command: TEST_PACKAGE=fips .buildkite/scripts/steps/package_testing/test.sh
+    label: "Smoke testing for FIPS"
+    agents:
+      image: family/kibana-ubuntu-2004
+      imageProject: elastic-images-qa
+      provider: gcp
+      enableNestedVirtualization: true
+      localSsds: 1
+      localSsdInterface: nvme
+      machineType: n2-standard-4
+    timeout_in_minutes: 600
diff --git a/.buildkite/scripts/steps/fips/build.sh b/.buildkite/scripts/steps/fips/build.sh
diff --git a/.buildkite/scripts/steps/fips/smoke_test.sh b/.buildkite/scripts/steps/fips/smoke_test.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+if [ -z "$KIBANA_BUILD_LOCATION" ]; then
+  export KIBANA_BUILD_LOCATION="/usr/share/kibana"
+fi
+
+# a FTR failure will result in the script returning an exit code of 10
+exitCode=0
+
+configs=(
+  "x-pack/test/reporting_functional/reporting_and_security.config.ts"
+  "x-pack/test/saved_object_api_integration/security_and_spaces/config_trial.ts"
+  "x-pack/test/alerting_api_integration/security_and_spaces/group1/config.ts"
+  "x-pack/test/alerting_api_integration/security_and_spaces/group2/config.ts"
+  "x-pack/test/alerting_api_integration/security_and_spaces/group3/config.ts"
+  "x-pack/test/alerting_api_integration/security_and_spaces/group4/config.ts"
+  "x-pack/test/functional/apps/saved_objects_management/config.ts"
+  "x-pack/test/functional/apps/user_profiles/config.ts"
+  "x-pack/test/functional/apps/security/config.ts"
+)
+
+cd /home/vagrant/kibana
+
+for config in "${configs[@]}"; do
+  set +e
+  node /home/vagrant/kibana/scripts/functional_tests \
+    --bail \
+    --kibana-install-dir "$KIBANA_BUILD_LOCATION" \
+    --config="$config"
+  lastCode=$?
+  set -e
+
+  if [ $lastCode -ne 0 ]; then
+    exitCode=10
+    echo "FTR exited with code $lastCode"
+    echo "^^^ +++"
+
+    if [[ "$failedConfigs" ]]; then
+      failedConfigs="${failedConfigs}"$'\n'"$config"
+    else
+      failedConfigs="$config"
+    fi
+  fi
+done
+
+if [[ "$failedConfigs" ]]; then
+  echo "$failedConfigs" >/home/vagrant/ftr_failed_configs
+fi
+
+echo "--- FIPS smoke test complete"
+
+exit $exitCode
diff --git a/.buildkite/scripts/steps/package_testing/test.sh b/.buildkite/scripts/steps/package_testing/test.sh
@@ -21,17 +21,25 @@ elif [[ "$TEST_PACKAGE" == "rpm" ]]; then
 elif [[ "$TEST_PACKAGE" == "docker" ]]; then
   download_artifact "kibana-$KIBANA_PKG_VERSION*-docker-image.tar.gz" . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
   KIBANA_IP_ADDRESS="192.168.56.7"
+elif [[ "$TEST_PACKAGE" == "fips" ]]; then
+  download_artifact kibana-default.tar.gz . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+  download_artifact kibana-default-plugins.tar.gz . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
 fi
 cd ..
 
 export VAGRANT_CWD=$PWD/test/package
-vagrant up "$TEST_PACKAGE" --no-provision
 
-node scripts/es snapshot \
-  -E network.bind_host=127.0.0.1,192.168.56.1 \
-  -E discovery.type=single-node \
-  --license=trial &
-while ! timeout 1 bash -c "echo > /dev/tcp/localhost/9200"; do sleep 30; done
+if [[ "$TEST_PACKAGE" == "fips" ]]; then
+  vagrant up "$TEST_PACKAGE"
+else
+  vagrant up "$TEST_PACKAGE" --no-provision
+
+  node scripts/es snapshot \
+    -E network.bind_host=127.0.0.1,192.168.56.1 \
+    -E discovery.type=single-node \
+    --license=trial &
+  while ! timeout 1 bash -c "echo > /dev/tcp/localhost/9200"; do sleep 30; done
+fi
 
 function echoKibanaLogs {
   if [[ "$TEST_PACKAGE" == "deb" ]] || [[ "$TEST_PACKAGE" == "rpm" ]]; then
@@ -47,13 +55,25 @@ function echoKibanaLogs {
 }
 trap "echoKibanaLogs" EXIT
 
-vagrant provision "$TEST_PACKAGE"
+if [[ "$TEST_PACKAGE" == "fips" ]]; then
+  set +e
+  vagrant ssh $TEST_PACKAGE -t -c "/home/vagrant/kibana/.buildkite/scripts/steps/fips/smoke_test.sh"
+  vagrant ssh $TEST_PACKAGE -t -c "cat /home/vagrant/ftr_failed_configs 2>/dev/null" >ftr_failed_configs
+  set -e
+
+  if [ -s ftr_failed_configs ]; then
+    buildkite-agent meta-data set "ftr-failed-configs" <./ftr_failed_configs
+  fi
+else
+  vagrant provision "$TEST_PACKAGE"
+
+  export TEST_BROWSER_HEADLESS=1
+  export TEST_KIBANA_URL="http://elastic:changeme@$KIBANA_IP_ADDRESS:5601"
+  export TEST_ES_URL="http://elastic:[email protected]:9200"
 
-export TEST_BROWSER_HEADLESS=1
-export TEST_KIBANA_URL="http://elastic:changeme@$KIBANA_IP_ADDRESS:5601"
-export TEST_ES_URL="http://elastic:[email protected]:9200"
+  echo "--- FTR - Reporting"
 
-cd x-pack
+  cd x-pack
 
-echo "--- FTR - Reporting"
-node scripts/functional_test_runner.js --config test/functional/apps/visualize/config.ts --include-tag=smoke --quiet
+  node scripts/functional_test_runner.js --config test/functional/apps/visualize/config.ts --include-tag=smoke --quiet
+fi
diff --git a/packages/kbn-test/src/es/test_es_cluster.ts b/packages/kbn-test/src/es/test_es_cluster.ts
@@ -182,6 +182,7 @@ export function createTestEsCluster<
   } = options;
 
   const clusterName = `${CI_PARALLEL_PROCESS_PREFIX}${customClusterName}`;
+  const isFIPSMode = process.env.FTR_FIPS_MODE === '1';
 
   const defaultEsArgs = [
     `cluster.name=${clusterName}`,
@@ -192,7 +193,12 @@ export function createTestEsCluster<
       : ['discovery.type=single-node']),
   ];
 
-  const esArgs = assignArgs(defaultEsArgs, customEsArgs);
+  const esArgs = assignArgs(
+    defaultEsArgs,
+    // ML has issues running in FIPS mode due to custom OpenSSL
+    // Remove after https://github.com/elastic/kibana-operations/issues/96
+    isFIPSMode ? [...customEsArgs, 'xpack.ml.enabled=false'] : customEsArgs
+  );
 
   const config = {
     version: esTestConfig.getVersion(),

diff --git a/test/functional/apps/discover/group1/_errors.ts b/test/functional/apps/discover/group1/_errors.ts
@@ -38,7 +38,8 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
       });
     });
 
-    describe('not found', () => {
+    // FLAKY: https://github.com/elastic/kibana/issues/166291
+    describe.skip('not found', () => {
       it('should redirect to main page when trying to access invalid route', async () => {
         await PageObjects.common.navigateToUrl('discover', '#/invalid-route', {
           useActualUrl: true,

diff --git a/test/package/Vagrantfile b/test/package/Vagrantfile
@@ -36,4 +36,23 @@ Vagrant.configure("2") do |config|
     end
     docker.vm.network "private_network", ip: "192.168.56.7"
   end
+
+  config.vm.define "fips" do |fips|
+    fips.vm.synced_folder '../../', '/home/vagrant/kibana', SharedFoldersEnableSymlinksCreate: false
+    fips.vm.provider :virtualbox do |vb|
+      vb.memory = 4096
+      vb.cpus = 2
+    end
+    fips.vm.box = 'generic/rhel9'
+    fips.vm.provision "shell", inline: <<-SHELL
+      echo "export OPENSSL_MODULES=/usr/local/lib64/ossl-modules" >> /etc/profile.d/kibana-fips-env.sh
+      echo "export TEST_BROWSER_HEADLESS=1" >> /etc/profile.d/kibana-fips-env.sh
+      echo "export ES_TMPDIR=/home/vagrant/kibana/.es/tmp" >> /etc/profile.d/kibana-fips-env.sh
+      # Remove after https://github.com/elastic/kibana-operations/issues/96
+      echo "export FTR_FIPS_MODE=1" >> /etc/profile.d/kibana-fips-env.sh
+    SHELL
+    fips.vm.provision "ansible" do |ansible|
+      ansible.playbook = "fips.yml"
+    end
+  end
 end
diff --git a/test/package/fips.yml b/test/package/fips.yml
@@ -0,0 +1,12 @@
+- name: test kibana fips docker package
+  hosts: fips
+  vars:
+    kibana_dist_path: "/usr/share/kibana"
+    kibana_src_path: "/home/vagrant/kibana"
+    nvm_ver: "0.39.7"
+    openssl_sha: "sha256:6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e"
+    openssl_ver: "3.0.8"
+  roles:
+    - upgrade_yum_packages
+    - install_kibana_fips
+    - assert_fips_enabled
diff --git a/test/package/roles/assert_fips_enabled/tasks/main.yml b/test/package/roles/assert_fips_enabled/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: register kibana node getFips
+  command: "{{ kibana_dist_path }}/node/bin/node --enable-fips --openssl-config={{ kibana_dist_path }}/config/nodejs.cnf -p 'crypto.getFips()'"
+  register: kibana_node_fips
+
+- debug:
+    msg: "{{ kibana_node_fips }}"
+
+- name: assert FIPS enabled
+  assert:
+    that:
+      - kibana_node_fips.stdout == "1"