Merge branch '9.2' into renovate/9.2-ftr

Author: Ikuni17

.buildkite/pipeline-resource-definitions/kibana-fips-daily.yml

@@ -33,19 +33,37 @@ spec:
           branch: main
           cronline: 0 5 * * * America/New_York
           env:
-            KBN_FIPS_VERSION: '140-2'
+            TEST_ENABLE_FIPS_VERSION: '140-2'
         '140-2 Daily build (9.1)':
           message: 140-2 Daily build
           branch: '9.1'
           cronline: 0 5 * * * America/New_York
           env:
-            KBN_FIPS_VERSION: '140-2'
+            TEST_ENABLE_FIPS_VERSION: '140-2'
         '140-2 Daily build (8.19)':
           message: 140-2 Daily build
           branch: '8.19'
           cronline: 0 5 * * * America/New_York
           env:
-            KBN_FIPS_VERSION: '140-2'
+            TEST_ENABLE_FIPS_VERSION: '140-2'
+        '140-3 Daily build (main)':
+          message: 140-3 Daily build
+          branch: main
+          cronline: 0 5 * * * America/New_York
+          env:
+            TEST_ENABLE_FIPS_VERSION: '140-3'
+        '140-3 Daily build (9.1)':
+          message: 140-3 Daily build
+          branch: '9.1'
+          cronline: 0 5 * * * America/New_York
+          env:
+            TEST_ENABLE_FIPS_VERSION: '140-3'
+        '140-3 Daily build (8.19)':
+          message: 140-3 Daily build
+          branch: '8.19'
+          cronline: 0 5 * * * America/New_York
+          env:
+            TEST_ENABLE_FIPS_VERSION: '140-3'
       teams:
         kibana-operations:
           access_level: MANAGE_BUILD_AND_READ

.buildkite/pipeline-utils/agent_images.ts

@@ -10,6 +10,7 @@
 import { dump } from 'js-yaml';
 import type { BuildkiteAgentTargetingRule } from './buildkite';
 import { BuildkiteClient } from './buildkite';
+import { FIPS_VERSION, prHasFIPSLabel } from './pr_labels';
 
 const ELASTIC_IMAGES_QA_PROJECT = 'elastic-images-qa';
 const ELASTIC_IMAGES_PROD_PROJECT = 'elastic-images-prod';
@@ -19,32 +20,49 @@ const DEFAULT_AGENT_IMAGE_CONFIG: BuildkiteAgentTargetingRule = {
   provider: 'gcp',
   image: 'family/kibana-ubuntu-2404',
   imageProject: ELASTIC_IMAGES_PROD_PROJECT,
-};
-
-const FIPS_AGENT_IMAGE_CONFIG: BuildkiteAgentTargetingRule = {
-  provider: 'gcp',
-  image: 'family/kibana-fips-ubuntu-2404',
-  imageProject: ELASTIC_IMAGES_PROD_PROJECT,
+  diskSizeGb: 105,
 };
 
 const GITHUB_PR_LABELS = process.env.GITHUB_PR_LABELS ?? '';
-const FTR_ENABLE_FIPS_AGENT = process.env.FTR_ENABLE_FIPS_AGENT?.toLowerCase() === 'true';
+const USE_FIPS_IMAGE_FOR_PR = process.env.TEST_ENABLE_FIPS_VERSION?.match(
+  new RegExp(`^${FIPS_VERSION.TWO}|${FIPS_VERSION.THREE}$`)
+);
 const USE_QA_IMAGE_FOR_PR = process.env.USE_QA_IMAGE_FOR_PR?.match(/(1|true)/i);
 
+const getFIPSImage = () => {
+  let image: string;
+
+  if (
+    process.env.TEST_ENABLE_FIPS_VERSION === FIPS_VERSION.THREE ||
+    prHasFIPSLabel(FIPS_VERSION.THREE)
+  ) {
+    image = 'family/kibana-fips-140-3-ubuntu-2404';
+  } else {
+    image = 'family/kibana-fips-140-2-ubuntu-2404';
+  }
+
+  return {
+    provider: 'gcp',
+    image,
+    imageProject: ELASTIC_IMAGES_PROD_PROJECT,
+    diskSizeGb: 105,
+  };
+};
+
 // Narrow the return type with overloads
 function getAgentImageConfig(): BuildkiteAgentTargetingRule;
 function getAgentImageConfig(options: { returnYaml: true }): string;
 function getAgentImageConfig({ returnYaml = false } = {}): string | BuildkiteAgentTargetingRule {
   const bk = new BuildkiteClient();
   let config: BuildkiteAgentTargetingRule;
 
-  if (FTR_ENABLE_FIPS_AGENT || GITHUB_PR_LABELS.includes('ci:enable-fips-agent')) {
-    config = FIPS_AGENT_IMAGE_CONFIG;
+  if (USE_FIPS_IMAGE_FOR_PR || prHasFIPSLabel()) {
+    config = getFIPSImage();
 
     bk.setAnnotation(
       'agent image config',
       'info',
-      '#### FIPS Agents Enabled<br />\nFIPS mode can produce new test failures. If you did not intend this remove ```KBN_ENABLE_FIPS``` environment variable and/or the ```ci:enable-fips-agent``` Github label.'
+      '#### FIPS Agents Enabled<br />\nFIPS mode can produce new test failures. If you did not intend this remove ```TEST_ENABLE_FIPS_VERSION``` environment variable and/or the ```ci:enable-fips-<version>-agent``` Github label.'
     );
   } else {
     config = DEFAULT_AGENT_IMAGE_CONFIG;
@@ -61,7 +79,7 @@ function getAgentImageConfig({ returnYaml = false } = {}): string | BuildkiteAge
   return config;
 }
 
-const expandAgentQueue = (queueName: string = 'n2-4-spot') => {
+const expandAgentQueue = (queueName: string = 'n2-4-spot', diskSizeGb?: number) => {
   const [kind, cores, addition] = queueName.split('-');
   const additionalProps =
     {
@@ -72,6 +90,7 @@ const expandAgentQueue = (queueName: string = 'n2-4-spot') => {
   return {
     ...getAgentImageConfig(),
     machineType: `${kind}-standard-${cores}`,
+    ...(diskSizeGb ? { diskSizeGb } : {}),
     ...additionalProps,
   };
 };

.buildkite/pipeline-utils/buildkite/client.ts

@@ -51,6 +51,7 @@ export interface BuildkiteAgentTargetingRule {
   machineType?: string;
   minCpuPlatform?: string;
   preemptible?: boolean;
+  diskSizeGb?: number;
 }
 
 export interface BuildkiteCommandStep {

.buildkite/pipeline-utils/ci-stats/pick_test_group_run_order.ts

@@ -512,10 +512,7 @@ export async function pickTestGroupRunOrder() {
             parallelism: unit.count,
             timeout_in_minutes: 120,
             key: 'jest',
-            agents: {
-              ...expandAgentQueue('n2-4-spot'),
-              diskSizeGb: 115,
-            },
+            agents: expandAgentQueue('n2-4-spot', 110),
             env: {
               SCOUT_TARGET_TYPE: 'local',
             },
@@ -537,7 +534,7 @@ export async function pickTestGroupRunOrder() {
             parallelism: integration.count,
             timeout_in_minutes: 120,
             key: 'jest-integration',
-            agents: expandAgentQueue('n2-4-spot'),
+            agents: expandAgentQueue('n2-4-spot', 105),
             env: {
               SCOUT_TARGET_TYPE: 'local',
             },
@@ -575,7 +572,7 @@ export async function pickTestGroupRunOrder() {
                   label: title,
                   command: getRequiredEnv('FTR_CONFIGS_SCRIPT'),
                   timeout_in_minutes: 120,
-                  agents: expandAgentQueue(queue),
+                  agents: expandAgentQueue(queue, 105),
                   env: {
                     SCOUT_TARGET_TYPE: 'local',
                     FTR_CONFIG_GROUP_KEY: key,

.buildkite/pipeline-utils/pr_labels.ts

@@ -7,13 +7,46 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
+export enum FIPS_VERSION {
+  TWO = '140-2',
+  THREE = '140-3',
+}
+
+export const FIPS_GH_LABELS = {
+  [FIPS_VERSION.TWO]: 'ci:enable-fips-140-2-agent',
+  [FIPS_VERSION.THREE]: 'ci:enable-fips-140-3-agent',
+};
+
+/**
+ * Checks if the PR has a specific FIPS label or ANY FIPS label when no version is passed.
+ */
+export function prHasFIPSLabel(version?: FIPS_VERSION): boolean {
+  const labels = process.env.GITHUB_PR_LABELS ?? '';
+
+  if (!labels) {
+    return false;
+  }
+
+  if (version) {
+    return labels.includes(FIPS_GH_LABELS[version]);
+  }
+
+  return Object.values(FIPS_GH_LABELS).some((label) => labels.includes(label));
+}
+
 /**
  * Available auto-mapped label options, respected by 'collectEnvFromLabels' function.
  */
 export const LABEL_MAPPING: Record<string, Record<string, string>> = {
   'ci:use-chrome-beta': {
     USE_CHROME_BETA: 'true', // Use if you want to run tests with Chrome Beta
   },
+  [FIPS_GH_LABELS[FIPS_VERSION.TWO]]: {
+    TEST_ENABLE_FIPS_VERSION: FIPS_VERSION.TWO,
+  },
+  [FIPS_GH_LABELS[FIPS_VERSION.THREE]]: {
+    TEST_ENABLE_FIPS_VERSION: FIPS_VERSION.THREE,
+  },
 };
 
 /**

.buildkite/pipelines/fips.yml

@@ -1,6 +1,5 @@
 env:
   DISABLE_CI_STATS_SHIPPING: 'true'
-  KBN_ENABLE_FIPS: 'true'
   TEST_BROWSER_HEADLESS: 1
 agents:
   provider: 'gcp'
@@ -13,14 +12,27 @@ steps:
     timeout_in_minutes: 10
     agents:
       machineType: n2-standard-2
+      diskSizeGb: 115
 
   - wait
 
+  - command: .buildkite/scripts/steps/store_cache.sh
+    label: Store Cache for build
+    timeout_in_minutes: 10
+    id: store_cache
+    soft_fail: true
+    depends_on:
+      - terrazzo-initial-pipeline-upload
+    agents:
+      machineType: n2-standard-2
+      diskSizeGb: 95
+
   - command: .buildkite/scripts/steps/build_kibana.sh
     label: Build Kibana Distribution
     agents:
       machineType: n2-standard-8
       preemptible: true
+      diskSizeGb: 150
     key: build
     if: "build.env('KIBANA_BUILD_ID') == null || build.env('KIBANA_BUILD_ID') == ''"
     depends_on: pre-build
@@ -44,6 +56,9 @@ steps:
     label: 'Pick Test Group Run Order'
     depends_on: build
     timeout_in_minutes: 10
+    agents:
+      machineType: n2-standard-2
+      diskSizeGb: 115
     env:
       FTR_CONFIGS_SCRIPT: '.buildkite/scripts/steps/test/ftr_configs.sh'
       FTR_EXTRA_ARGS: '$FTR_EXTRA_ARGS'

.buildkite/pipelines/fips/fips_pipeline.ts

@@ -7,12 +7,13 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import { emitPipeline, getPipeline } from '#pipeline-utils';
+import { emitPipeline, getAgentImageConfig, getPipeline } from '#pipeline-utils';
 
 (async () => {
   const pipeline: string[] = [];
 
   try {
+    pipeline.push(getAgentImageConfig({ returnYaml: true }));
     pipeline.push(getPipeline('.buildkite/pipelines/fips.yml', false));
 
     emitPipeline(pipeline);

.buildkite/pipelines/fips/verify_fips_enabled.sh

@@ -3,8 +3,6 @@
 set -euo pipefail
 
 source .buildkite/scripts/common/util.sh
-export DISABLE_BOOTSTRAP_VALIDATION=false
-.buildkite/scripts/bootstrap.sh
 .buildkite/scripts/download_build_artifacts.sh
 
 echo --- Verify FIPS enabled

.buildkite/pipelines/on_merge.yml

@@ -10,7 +10,6 @@ steps:
       imageProject: elastic-images-prod
       provider: gcp
       machineType: n2-standard-2
-      diskSizeGb: 115
     retry:
       automatic:
         - exit_status: '*'
@@ -54,7 +53,7 @@ steps:
       provider: gcp
       machineType: n2-highcpu-8
       preemptible: true
-      diskSizeGb: 115
+      diskSizeGb: 105
     timeout_in_minutes: 60
     retry:
       automatic:
@@ -69,7 +68,7 @@ steps:
       provider: gcp
       machineType: n2-standard-2
       preemptible: true
-      diskSizeGb: 115
+      diskSizeGb: 105
     timeout_in_minutes: 60
     retry:
       automatic:
@@ -84,7 +83,7 @@ steps:
       provider: gcp
       machineType: n2-standard-16
       preemptible: true
-      diskSizeGb: 115
+      diskSizeGb: 105
     timeout_in_minutes: 60
     retry:
       automatic:
@@ -99,7 +98,7 @@ steps:
       provider: gcp
       machineType: n2-standard-32
       preemptible: true
-      diskSizeGb: 115
+      diskSizeGb: 105
     timeout_in_minutes: 60
     retry:
       automatic:
@@ -116,7 +115,7 @@ steps:
       diskType: 'hyperdisk-balanced'
       preemptible: true
       spotZones: us-central1-a,us-central1-b,us-central1-c
-      diskSizeGb: 115
+      diskSizeGb: 105
     timeout_in_minutes: 60
     retry:
       automatic:
@@ -148,7 +147,7 @@ steps:
       provider: gcp
       machineType: n2-highmem-4
       preemptible: true
-      diskSizeGb: 115
+      diskSizeGb: 105
     timeout_in_minutes: 80
     retry:
       automatic:
@@ -164,7 +163,7 @@ steps:
       imageProject: elastic-images-prod
       provider: gcp
       machineType: n2-standard-2
-      diskSizeGb: 115
+      diskSizeGb: 105
     timeout_in_minutes: 10
     depends_on:
       - build
@@ -181,7 +180,7 @@ steps:
       imageProject: elastic-images-prod
       provider: gcp
       machineType: n2-standard-2
-      diskSizeGb: 115
+      diskSizeGb: 105
     timeout_in_minutes: 10
     env:
       JEST_UNIT_SCRIPT: '.buildkite/scripts/steps/test/jest.sh'
@@ -199,7 +198,7 @@ steps:
       imageProject: elastic-images-prod
       provider: gcp
       machineType: n2-standard-4
-      diskSizeGb: 115
+      diskSizeGb: 105
     key: build_scout_tests
     timeout_in_minutes: 10
     depends_on: