Skip to content

Add a step to exhaustive tests for observabilitySRE accetpance testing #17623

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: 8.19
Choose a base branch
from
Open

Add a step to exhaustive tests for observabilitySRE accetpance testing #17623

wants to merge 5 commits into from

Conversation

donoghuc
Copy link
Member

@donoghuc donoghuc commented May 1, 2025

Release notes

[rn:skip]

What does this PR do?

This commit shows the proposed pattern for adding acceptance testing for the observability SRE image. This will run when exhaustive tests run. A new gradle task will hook in to rspec similar to how it is done for the smoke tests. The main difference is that instead of building a container, the latest is pulled from the container registry and run on a fips configured host VM.

Why is it important/What is the impact to the user?

NA

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files (and/or docker env variables)
  • I have added tests that prove my fix is effective or that my feature works

Related issues

@donoghuc
Add a step to exhaustive tests for observabilitySRE accetpance testing
1642211 
This commit shows the proposed pattern for adding acceptance testing for the
observability SRE image. This will run when exhaustive tests run. A new gradle
task will hook in to rspec similar to how it is done for the smoke tests. The
main difference is that instead of building a container, the latest is pulled
from the container registry and run on a fips configured host VM.
donoghuc
donoghuc commented May 1, 2025
View reviewed changes
.buildkite/scripts/exhaustive-tests/generate-steps.py
"instanceType": "m6i.xlarge",
"diskSizeGb": 60,
"instanceMaxAge": 1440,
"imagePrefix": "logstash-ubuntu-2204-fips"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is currently blocked on some failing CI. The PR to build the image has been merged https://github.com/elastic/ingest-dev/issues/5469 though.

donoghuc
donoghuc commented May 1, 2025
View reviewed changes
x-pack/build.gradle Outdated
description = "Run ObservabilitySRE acceptance tests"
// Need to have set up the ruby environment for rspec even through we are running in container
dependsOn(":bootstrap", ":logstash-core:assemble", ":installDevelopmentGems")
// TODO: hook in to rspec
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've proved out that on a fips host we can run these tasks. This will give us a consistent java/jruby env for which we can do the standard gradle/rake/rspec control flow.

For the next step in this PR i will be adding in some rspec that shows a pattern for doing container orchestration. At this point i'm thinking that will look like shelling out to docker-compose in rspec.

donoghuc
donoghuc commented May 2, 2025
View reviewed changes
x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/docker-compose.yml
ports:
- "9200:9200"
volumes:
- ./elasticsearch/config/${ELASTICSEARCH_CONFIG:-elasticsearch-fips.yml}:/usr/share/elasticsearch/config/elasticsearch.yml
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is how I will be swapping in different configurations of elasticsearch etc

donoghuc
donoghuc commented May 2, 2025
View reviewed changes
...s/internal/observabilitySRE/qa/acceptance/docker/elasticsearch/config/elasticsearch-fips.yml
@@ -0,0 +1,14 @@
# Elasticsearch settings
discovery.type: single-node
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will probably move toward file based ES config for smoke test as well, currently its done mainly in docker compose manifest

@donoghuc
Copy link
Member Author

donoghuc commented May 2, 2025

Still very much WIP. I have some cleanup and bugs to track down. Just wanted to get the structure out there breaking down responsibility between gradle/rspec etc and float the idea of changing configuration of components via interpolation in the docker compose file.

@donoghuc donoghuc force-pushed the fedramp-high-acceptance-tests branch 2 times, most recently from 569bedc to 94869d9 Compare May 5, 2025 22:28
@donoghuc
WIP: Idea for how to handle multipe container configs for acceptance …
6c53570 
…tests

This commit shows the rough structure for how I am planning on handling docker
compose networks for acceptance tests. The main idea is to use interpolation in
the docker compose file to point to different configuration files for
filebeat/logstash/elasticsearch. This is mainly due to the nature of these tests
showing behavior when the system is and is not configured properly for FIPS. The
breakdown in responsibility is:

1. Gradle handles cert generation (similar to smoke test, this avoids checking
in PKI)
2. Rspec handles stopping/starting docker compose and managing environment vars
for intperolation in docker compose manifests (different from smoke tests where
a single static docker compose is started in gradle)
3. Rspec handles deciding when containers are ready and querying state about
data flowing through the system
4. Gradle cleans up certs

THis is just a rough sketch, there are still bugs to be worked out but before i
get too far in to it I want to get the idea out there.
@donoghuc donoghuc force-pushed the fedramp-high-acceptance-tests branch from 94869d9 to 6c53570 Compare May 5, 2025 22:44
@donoghuc donoghuc marked this pull request as ready for review May 5, 2025 23:08
@donoghuc
Copy link
Member Author

donoghuc commented May 5, 2025

I've got this all working locally. Specifically the rspec tests will now test that data goes from LS to ES with gradle generating certs and rspec managing container startup/teardown.

We are still waiting on unblocking generation of a fips enabled test runner, but I'm happy with the patterns established here breaking down the responsibility between gradle/rspec and docker-compose.

donoghuc added 3 commits May 7, 2025 16:21
@donoghuc
Add tests describing behavior of LS -> ES with non-fips config
294307e 
This commit adds a test to show that data will not flow from LS to ES
when weak non fips config is used.
@donoghuc
Use latest ES image
255b047 
This will be handled separately in a separate PR, but taking this
commit for now on this branch.
@donoghuc
Remove custom entrypoint from new container
a257cad 
The latest ES images do not require this workaround.
@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@donoghuc @elasticmachine