Skip to content

[osquery] Setup E2E against Serverless ES, Kibana, Fleet server standalone and Elastic agents in Docker#165415

Merged
patrykkopycinski merged 107 commits intoelastic:mainfrom
patrykkopycinski:chore/serverless-fleet-cypress
Sep 29, 2023
Merged

[osquery] Setup E2E against Serverless ES, Kibana, Fleet server standalone and Elastic agents in Docker#165415
patrykkopycinski merged 107 commits intoelastic:mainfrom
patrykkopycinski:chore/serverless-fleet-cypress

Conversation

@patrykkopycinski
Copy link
Copy Markdown
Contributor

@patrykkopycinski patrykkopycinski commented Aug 31, 2023
edited
Loading

Summary

Let's automate E2E against Serverless

Changelog:

  • updated certs to include additional dns names we are using for testing locally, host.docker.internal, es01
  • updated certs generation README to include changes related to openssl@3
  • added new certs for Fleet server
  • added fleet-server service token
  • added support for ca_trusted_fingerprint in fleet preconfig

image

@patrykkopycinski patrykkopycinski force-pushed the chore/serverless-fleet-cypress branch from df547a1 to 8a2243e Compare August 31, 2023 22:22
kibanamachine and others added 28 commits August 31, 2023 22:55
@kibanamachine
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
801c71a 
…-fix'
@tomsonpl
tests
d089fc8
@tomsonpl
Merge branch 'main' into cypress-fleet
c6024d4
@tomsonpl
Merge branch 'main' into cypress-fleet
124c8a1
@tomsonpl
Merge branch 'main' into cypress-fleet
07752b8 
# Conflicts:
#	x-pack/plugins/security_solution/scripts/endpoint/common/stack_services.ts
@tomsonpl
fix misisng semicolon
7dad906
@tomsonpl
Merge branch 'main' into cypress-fleet
1e2485f
@tomsonpl
Merge branch 'main' into cypress-fleet
778ac2b
@tomsonpl
test
b5fc090
@tomsonpl
test
ee6fda6
@tomsonpl
working agents
f6761cb
@tomsonpl
Merge branch 'main' into cypress-fleet
798e034 
# Conflicts:
#	x-pack/plugins/security_solution/scripts/endpoint/common/fleet_services.ts
#	x-pack/plugins/security_solution/scripts/endpoint/common/stack_services.ts
@patrykkopycinski
fix
3740985
@tomsonpl
clean up
26ae0cb
@tomsonpl
rename cert files
36d27d4
@tomsonpl
clean up
e1b339b
@tomsonpl
add fleet-server.yml
5a8630b
@tomsonpl
add fleet-server.yml
c39a2f3
@tomsonpl
clean up
eb5dada
@tomsonpl
Merge branch 'main' into cypress-fleet
3864e2b
@tomsonpl
clean up
7e6896a
@tomsonpl
clean up
fd24d0e
@tomsonpl
clean up
cd4d0b5
@tomsonpl
localhost
e86f2e0
@tomsonpl
revert es and kibana certs
be6c000
@tomsonpl
fix test
ecdf28c
@tomsonpl
fix test
54012ac
@tomsonpl
Revert "revert es and kibana certs"
67b98bb 
This reverts commit be6c000.
paul-tavares
paul-tavares approved these changes Sep 25, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@paul-tavares paul-tavares left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this. 👍

Ikuni17
Ikuni17 approved these changes Sep 25, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@Ikuni17 Ikuni17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@tomsonpl
Merge branch 'main' into chore/serverless-fleet-cypress
714eb54 
# Conflicts:
#	x-pack/plugins/fleet/server/config.ts
MadameSheema
MadameSheema approved these changes Sep 26, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@MadameSheema MadameSheema left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please socialize before merging that docker is going to be needed as well for executing Cypress ESS in the local machine. Thanks.

MadameSheema
MadameSheema approved these changes Sep 26, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@MadameSheema MadameSheema left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please socialize before merging that docker is going to be needed as well for executing Cypress ESS in the local machine. Thanks.

@oatkiller
Copy link
Copy Markdown
Contributor

oatkiller commented Sep 26, 2023
edited
Loading

What this PR Does

  • Runs fleet server in standalone mode. Previously we ran a single agent in fleet mode. This doesn't accurately mimic the experience users will have in serverless. Non serverless tests will run still run in the old way: against a single agent in fleet mode.

Note: this isn't intended to cause any changes to how SAET tests run today.

Breaking changes

You'll need docker installed locally to run tests with these changes. @patrykkopycinski may be able to change this limitations.

Changes to kbn-dev-utils & kbn-crypto

  • The old certificates only supported localhost dns. In order to support networking with an ES running in docker, we needed to update the dns names accepted by the certs. See this PR for background info: Add support for Docker and Serverless to kbn/es #161927
  • Updated README to use openssl v3 commands

Changes to kbn-es

  • Added new service account that can be used to enroll fleet.

Changes to x-pack/plugins/fleet

  • Expose and add types for ca_trusted_fingerprint. This allows us to authenticate with fleet using the certs mentioned above.

Follow up ideas:

  • We could run ES in docker for ESS tests as well. This might have better test performance.
  • SAET Cypress serverless tests will not run using the serverless ES via Docker with the changes in this PR. Follow up PRs could implement this.

jeramysoucy
jeramysoucy approved these changes Sep 27, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I just had a question regarding one of the new openssl rsa command options.

packages/kbn-dev-utils/certs/README.md

# Extract the PEM-formatted PKCS #1 private key for Elasticsearch
openssl pkcs12 -in elasticsearch.p12 -nocerts -passin pass:"storepass" -passout pass:"keypass" | openssl rsa -passin pass:keypass -out elasticsearch.key
openssl pkcs12 -in elasticsearch.p12 -nocerts -passin pass:"storepass" -passout pass:"keypass" | openssl rsa -passin pass:keypass -out elasticsearch.key -traditional
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy Sep 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could not find documentation on the -traditional option. What does it do?

Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy Sep 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update: found it..."When writing a private key, use the traditional PKCS#1 format instead of the PKCS#8 format". All set.

@banderror
Copy link
Copy Markdown
Contributor

banderror commented Sep 28, 2023

@oatkiller Thanks a lot for writing up this summary: #165415 (comment). Could you please elaborate on this:

SAET Cypress serverless tests will not run using the serverless ES via Docker with the changes in this PR. Follow up PRs could implement this.

What SAET Cypress serverless tests will be affected by this PR, and what does it mean "will not run"?

@kevinlog
Copy link
Copy Markdown
Contributor

kevinlog commented Sep 28, 2023

@banderror

SAET Cypress serverless tests will not run using the serverless ES via Docker with the changes in this PR. Follow up PRs could implement this.

What SAET Cypress serverless tests will be affected by this PR, and what does it mean "will not run"?

I believe this is just stating that SAET tests are currently not going to run against the serverless ES in docker. Not that SAET tests are being broken by this PR. The follow up PRs could adjust the SAET tests to also run in this manner.

cc @oatkiller

@patrykkopycinski patrykkopycinski enabled auto-merge (squash) September 28, 2023 22:25
@kibana-ci
Copy link
Copy Markdown

kibana-ci commented Sep 29, 2023
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Investigations - Security Solution Cypress Tests #5 / Discover State "before each" hook for "should remember filters when navigating away and back to discover " "before each" hook for "should remember filters when navigating away and back to discover "

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
@kbn/dev-utils 25 32 +7
@kbn/es 30 33 +3
total +10
Unknown metric groups

API count

id before after diff
@kbn/dev-utils 29 36 +7
@kbn/es 43 48 +5
total +12

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @patrykkopycinski

@patrykkopycinski patrykkopycinski merged commit 5dedc99 into elastic:main Sep 29, 2023
@kibanamachine kibanamachine added v8.11.0 backport:skip This PR does not require backporting labels Sep 29, 2023
@patrykkopycinski patrykkopycinski deleted the chore/serverless-fleet-cypress branch September 30, 2023 13:23
@patrykkopycinski patrykkopycinski mentioned this pull request Oct 2, 2023
Merged
patrykkopycinski added a commit that referenced this pull request Oct 4, 2023
@patrykkopycinski @kibanamachine @MadameSheema
Setup E2E against Serverless ES, Kibana, Fleet server standalone and …
5fb9a38 
…Elastic endpoint agent in VM (#167720)

## Summary

Run Defend Workflows Cypress E2E against Serverless stack, similar to
#165415

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Gloria Hornero <gloria.hornero@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeramysoucy jeramysoucy jeramysoucy approved these changes

@banderror banderror banderror approved these changes

@jloleysens jloleysens jloleysens approved these changes

@Ikuni17 Ikuni17 Ikuni17 approved these changes

@tomsonpl tomsonpl tomsonpl approved these changes

@MadameSheema MadameSheema MadameSheema approved these changes

@paul-tavares paul-tavares paul-tavares approved these changes

@juliaElastic juliaElastic juliaElastic approved these changes

@oatkiller oatkiller Awaiting requested review from oatkiller

@maximpn maximpn Awaiting requested review from maximpn

@pzl pzl Awaiting requested review from pzl pzl was automatically assigned from elastic/security-defend-workflows

Assignees

@patrykkopycinski patrykkopycinski

Labels

backport:skip This PR does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v8.11.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.