Add Pipeline to deploy custom agent image for FIPS testing

[michel-laterman]

What does this PR do?

Add a new buildkite pipeline to build a custom agent image and use it in an ECH deployment for testing.

Why is it important?

FIPS integration tests will require a custom agent running in the CFT region.

Checklist

• I have read and understood the pull request guidelines of this project.
• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• I have added an integration test or an E2E test

Disruptive User Impact

N/A

[michel-laterman]

buildkite test this

[michel-laterman]

@v1v @pazone, can you take a look at this, we need permissions in order to push a custom image to use in the CFT region

denied: requested access to the resource is denied
--
  | Error: Failed pushing docker image: running "docker image push docker.elastic.co/observability-ci/elastic-agent-fips:git-b84b80343415" failed with exit code 1

[v1v]

| Error: Failed pushing docker image: running "docker image push docker.elastic.co/observability-ci/elastic-agent-fips:git-b84b80343415" failed with exit code 1

Can you share the URL link to the error?

I'm not familiar with the current user and namespace, but as far as I see, those details are stored at https://github.com/elastic/elastic-agent/blob/aa224536eadf49f8b9b962df240c0caa4861970e/.buildkite/hooks/pre-command#l17.

However, I think you need to configure the pre-command hook to run for the new BK pipelines:

• elastic-agent/.buildkite/hooks/pre-command

  Lines 39 to 47 in aa22453

  	if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-package" ]]; then
  	if [[ "$BUILDKITE_STEP_KEY" == "package_elastic-agent" ]]; then
  	docker_login
  	fi
  	if [[ "$BUILDKITE_STEP_KEY" == "dra-publish" || "$BUILDKITE_STEP_KEY" == "bk-api-publish-independent-agent" ]]; then
  	release_manager_login
  	fi
  	fi

  is the settings for the elastic-agent-package BK pipeline.

I see you have enabled the pre-command for the new step

[ycombinator]

Left a few suggestions but overall this looks good.

[ycombinator]

CI, specifically the fips:Stateful:Ubuntu (only the x86_64 ones) and fips:Kubernetes steps are failing like so:

.buildkite/scripts/steps/integration_tests_tf.sh: line 10: asdf: command not found

Looks like the platform-ingest-fleet-server-ubuntu-2204-fips VM image is missing asdf. Here is the PR to add it: https://github.com/elastic/ci-agent-images/pull/1431.

[pazone]

/test

[pazone]

Is there a known reason why we use a fleet-server image here?

[michel-laterman]

I think that the images were created as a result of some experimentation that was being done with the fleet-server repo

[pazone]

Should I create FIPS-compliant images for elastic-agent to avoid possible problems?

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fips-ech upstream/fips-ech
git merge upstream/main
git push upstream fips-ech

[pazone]

Do I understand correctly that we run a set integration test groups in the same way and the only difference is in the VM image and the FIPS=true?

[michel-laterman]

VM image, and i think that FIPS=true results in -integration.fips=true being sent

[pazone]

cloud:image invokes the Package() function that packages the agent again. This step takes a considerable amount of time (~15 minutes). Can we download the artifacts produced by the packaging step and reuse them?

[michel-laterman]

We can try, but I'm not sure if the Image step will use artifacts that are already present, @pkoutsovasilis do you know if it will?

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 74c7e0f

Failed CI Steps

• arm:sudo: upgrade
• fips:x86_64:non-sudo:default
• fips:x86_64:non-sudo:default
• fips:x86_64:non-sudo:upgrade
• fips:x86_64:non-sudo:upgrade
• fips:x86_64:non-sudo:upgrade-flavor
• fips:x86_64:non-sudo:upgrade-flavor
• fips:x86_64:non-sudo:standalone-upgrade
• fips:x86_64:non-sudo:standalone-upgrade
• fips:x86_64:non-sudo:fleet
• fips:x86_64:non-sudo:fleet
• fips:x86_64:sudo:default
• fips:x86_64:sudo:default
• fips:x86_64:sudo:upgrade
• fips:x86_64:sudo:upgrade
• fips:x86_64:sudo:upgrade-flavor
• fips:x86_64:sudo:upgrade-flavor
• fips:x86_64:sudo:standalone-upgrade
• fips:x86_64:sudo:standalone-upgrade
• fips:x86_64:sudo:fleet
• fips:x86_64:sudo:fleet
• fips:arm64:non-sudo:default
• fips:arm64:non-sudo:default
• fips:arm64:non-sudo:upgrade
• fips:arm64:non-sudo:upgrade
• fips:arm64:non-sudo:upgrade-flavor
• fips:arm64:non-sudo:upgrade-flavor
• fips:arm64:non-sudo:standalone-upgrade
• fips:arm64:non-sudo:standalone-upgrade
• fips:arm64:non-sudo:fleet
• fips:arm64:non-sudo:fleet
• fips:arm64:sudo:default
• fips:arm64:sudo:default
• fips:arm64:sudo:upgrade
• fips:arm64:sudo:upgrade
• fips:arm64:sudo:upgrade-flavor
• fips:arm64:sudo:upgrade-flavor
• fips:arm64:sudo:standalone-upgrade
• fips:arm64:sudo:standalone-upgrade
• fips:arm64:sudo:fleet
• fips:arm64:sudo:fleet
• fips:v1.27.16:amd64
• fips:v1.27.16:amd64
• fips:v1.28.9:amd64
• fips:v1.28.9:amd64
• fips:v1.29.8:amd64
• fips:v1.29.8:amd64
• fips:v1.30.8:amd64
• fips:v1.30.8:amd64
• fips:v1.31.0:amd64
• fips:v1.31.0:amd64
• fips:v1.32.0:amd64
• fips:v1.32.0:amd64

History

• 💔 Build #21400 failed 68cc3cb
• 💔 Build #21397 failed 628f05d
• 💔 Build #21396 failed 878203f
• 💔 Build #21159 failed 6ee1fde

cc @michel-laterman

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube