feat(agentless): add agentless release pipelines (#7701)

Author: olegsu

.buildkite/pipeline.agentless-app-release.yaml

@@ -0,0 +1,33 @@
+env:
+  VERSION: "${BUILDKITE_COMMIT:0:12}"
+steps:
+  - label: "Mirror Elastic-Agent Snapshot DRA to internal registry"
+    key: "mirror-elastic-agent"
+    command: "./build/ecp-internal-release.sh"
+    agents:
+      image: docker.elastic.co/ci-agent-images/serverless-helm-builder:0.0.2@sha256:d00e8a7a0ab3618cfaacb0a7b1e1b06ee29728eb2b44de602374bd8f6b9b92ac
+
+
+
+  # wait for metadata to be set
+  - wait: ~
+
+  - label: ":grey_question: Promote agentless app release if validation passes"
+    depends_on: "mirror-elastic-agent"
+    command: |
+      export COMMIT_HASH=$$(buildkite-agent meta-data get git-short-commit)
+      if [ $$(buildkite-agent step get "outcome" --step "mirror-elastic-agent") == "passed" ]; then
+          cat <<- YAML | buildkite-agent pipeline upload
+          steps:
+          - label: ":serverless::argo: Run synthetics tests and update agentless to $${COMMIT_HASH} in serverless-gitops"
+            async: true
+            branches: main
+            trigger: gpctl-promote-after-serverless-devenv-synthetics
+            build:
+              env:
+                SERVICE_COMMIT_HASH: $${COMMIT_HASH}
+                SERVICE: agentless
+      YAML
+      fi
+    agents:
+      image: docker.elastic.co/ci-agent-images/serverless-helm-builder:0.0.2@sha256:d00e8a7a0ab3618cfaacb0a7b1e1b06ee29728eb2b44de602374bd8f6b9b92ac

.buildkite/pipeline.agentless-tests.yaml

@@ -0,0 +1,27 @@
+# This pipeline serves as the entry point for your service's quality gates definitions. When
+# properly configured, it will be invoked automatically as part of the automated
+# promotion process once a new version was rolled out in one of the various cloud stages.
+#
+# The updated environment is provided via ENVIRONMENT variable. The seedling
+# step will branch and execute pipeline snippets at the following location:
+# .buildkite/pipeline.tests-qa.yaml
+# .buildkite/pipeline.tests-staging.yaml
+# .buildkite/pipeline.tests-production.yaml
+#
+# Docs: https://docs.elastic.dev/serverless/qualitygates
+
+env:
+  ENVIRONMENT: ${ENVIRONMENT?}
+  TEAM_CHANNEL: "#agentless-alerts"
+
+steps:
+  - label: ":pipeline::grey_question::seedling: Trigger service tests for ${ENVIRONMENT}"
+    command: ".buildkite/scripts/steps/run-agentless-tests.sh"
+    agents:
+      image: "docker.elastic.co/ci-agent-images/quality-gate-seedling:0.0.4@sha256:b15aa65183fd9ac4b3ad2b01287ee8c47382a74450485b012bade5331fefeae9"
+    env:
+      SERVICE_VERSION: "${BUILDKITE_COMMIT:0:12}"
+
+notify:
+  - slack: "${TEAM_CHANNEL}"
+    if: build.branch == "main" && build.state == "failed"

.buildkite/pipeline.tests-production.yaml

@@ -0,0 +1,40 @@
+# These pipeline steps constitute the quality gate for your service within the Production environment.
+# Incorporate any necessary additional logic to validate the service's integrity. A failure in
+# this pipeline build will prevent further progression to the subsequent stage.
+
+steps:
+  - command:
+      - echo "Waiting for 10m for indicative health metrics"
+      - sleep 600
+  - wait
+  - label: ":rocket: Run observability gates"
+    if: build.env("ENVIRONMENT") == "production-canary"
+    trigger: "serverless-quality-gates"
+    build:
+      branch: main
+      commit: HEAD
+      message: "${BUILDKITE_MESSAGE}"
+      env:
+        TARGET_ENV: production
+        SERVICE: agentless-controller
+        CONTAINER_NAME: agentless-controller
+        CHECK_ALERTS: true
+        CHECK_RECONCILE_ERROR_PERCENTAGE: true
+        CHECK_CONTAINER_RESTART_COUNT: true
+        CHECK_LOG_ERROR_RATE: true
+        CHECK_SLO: true
+        CHECK_SLO_TAG: agentless-controller
+        CHECK_SLO_BURN_RATE_THRESHOLD: 0.1
+        MAX_ERROR_PERCENT: 2
+        SERVICE_VERSION: ${SERVICE_VERSION:0:12}
+        CHECK_SYNTHETICS: true
+        CHECK_SYNTHETICS_TAG: agentless
+        CHECK_SYNTHETICS_MINIMUM_RUNS: 2
+        CHECK_SYNTHETICS_MAX_POLL: 70
+        CHECK_SYNTHETIC_POLL_INTERVAL: 180
+        MAX_FAILURES: 1
+        DEPLOYMENT_SLICES: ${DEPLOYMENT_SLICES:-""}
+
+  - label: ":cookie: 1h bake period before continuing promotion"
+    if: build.env("ENVIRONMENT") == "production-canary"
+    command: "sleep 3600"

.buildkite/pipeline.tests-qa.yaml

@@ -0,0 +1,33 @@
+# These pipeline steps constitute the quality gate for your service within the QA environment.
+# Incorporate any necessary additional logic to validate the service's integrity. A failure in
+# this pipeline build will prevent further progression to the subsequent stage.
+steps:
+  - command:
+      - echo "Waiting for 10m for indicative health metrics"
+      - sleep 600
+  - wait
+  - label: ":rocket: Run observability gates"
+    trigger: "serverless-quality-gates"
+    build:
+      branch: main
+      commit: HEAD
+      message: "${BUILDKITE_MESSAGE}"
+      env:
+        TARGET_ENV: qa
+        SERVICE: agentless-controller
+        CONTAINER_NAME: agentless-controller
+        CHECK_RECONCILE_ERROR_PERCENTAGE: true
+        CHECK_CONTAINER_RESTART_COUNT: true
+        CHECK_LOG_ERROR_RATE: true
+        CHECK_SLO: true
+        CHECK_SLO_TAG: agentless-controller
+        CHECK_SLO_BURN_RATE_THRESHOLD: 0.1
+        MAX_ERROR_PERCENT: 10
+        SERVICE_VERSION: ${SERVICE_VERSION:0:12}
+        CHECK_SYNTHETICS: true
+        CHECK_SYNTHETICS_TAG: agentless
+        CHECK_SYNTHETICS_MINIMUM_RUNS: 2
+        CHECK_SYNTHETICS_MAX_POLL: 70
+        CHECK_SYNTHETIC_POLL_INTERVAL: 180
+        MAX_FAILURES: 1
+        DEPLOYMENT_SLICES: ${DEPLOYMENT_SLICES:-""}

.buildkite/pipeline.tests-staging.yaml

@@ -0,0 +1,33 @@
+# These pipeline steps constitute the quality gate for your service within the Staging environment.
+# Incorporate any necessary additional logic to validate the service's integrity. A failure in
+# this pipeline build will prevent further progression to the subsequent stage.
+steps:
+  - command:
+      - echo "Waiting for 10m for indicative health metrics"
+      - sleep 600
+  - wait
+  - label: ":rocket: Run observability gates"
+    trigger: "serverless-quality-gates"
+    build:
+      branch: main
+      commit: HEAD
+      message: "${BUILDKITE_MESSAGE}"
+      env:
+        TARGET_ENV: staging
+        SERVICE: agentless-controller
+        CONTAINER_NAME: agentless-controller
+        CHECK_RECONCILE_ERROR_PERCENTAGE: true
+        CHECK_CONTAINER_RESTART_COUNT: true
+        CHECK_LOG_ERROR_RATE: true
+        CHECK_SLO: true
+        CHECK_SLO_TAG: agentless-controller
+        CHECK_SLO_BURN_RATE_THRESHOLD: 0.1
+        MAX_ERROR_PERCENT: 10
+        SERVICE_VERSION: ${SERVICE_VERSION:0:12}
+        CHECK_SYNTHETICS: true
+        CHECK_SYNTHETICS_TAG: agentless
+        CHECK_SYNTHETICS_MINIMUM_RUNS: 2
+        CHECK_SYNTHETICS_MAX_POLL: 70
+        CHECK_SYNTHETIC_POLL_INTERVAL: 180
+        MAX_FAILURES: 1
+        DEPLOYMENT_SLICES: ${DEPLOYMENT_SLICES:-""}

.buildkite/scripts/steps/ecp-internal-release.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+# ELASTICSEARCH CONFIDENTIAL
+# __________________
+#
+#  Copyright Elasticsearch B.V. All rights reserved.
+#
+# NOTICE:  All information contained herein is, and remains
+# the property of Elasticsearch B.V. and its suppliers, if any.
+# The intellectual and technical concepts contained herein
+# are proprietary to Elasticsearch B.V. and its suppliers and
+# may be covered by U.S. and Foreign Patents, patents in
+# process, and are protected by trade secret or copyright
+# law.  Dissemination of this information or reproduction of
+# this material is strictly forbidden unless prior written
+# permission is obtained from Elasticsearch B.V.
+
+set -eu
+
+_SELF=$(dirname $0)
+source "${_SELF}/../common.sh"
+
+
+# annotate create temp markdown file if not exists
+# this file will be later used to annotate the build
+# it appends to the file the message passed as argument
+BUILDKITE_ANNOTATE_FILE="buildkite-annotate.md"
+annotate() {
+    echo "$1" >>$BUILDKITE_ANNOTATE_FILE
+}
+
+write_annotation() {
+    cat $BUILDKITE_ANNOTATE_FILE | buildkite-agent annotate --style info
+}
+
+DOCKER_REGISTRY_SECRET_PATH="kv/ci-shared/platform-ingest/docker_registry_prod"
+DOCKER_REGISTRY="docker.elastic.co"
+PRIVATE_REPO="docker.elastic.co/observability-ci/ecp-elastic-agent-service"
+SNAPSHOT_DRA_URL=https://snapshots.elastic.co/latest/master.json
+
+DRA_RESULT=$(curl -s -X GET "$SNAPSHOT_DRA_URL")
+echo "$DRA_RESULT"
+BUILD_ID=$(echo "$DRA_RESULT" | jq '.build_id' | tr -d '"')
+BUILD_VERSION=$(echo "$DRA_RESULT" | jq '.version' | tr -d '"')
+
+MANIFEST_URL="https://snapshots.elastic.co/$BUILD_ID/agent-package/agent-artifacts-$BUILD_VERSION.json"
+GIT_COMMIT=$(curl -s -X GET "$MANIFEST_URL" | jq '.projects["elastic-agent-core"]["commit_hash"]' | tr -d '"')
+GIT_SHORT_COMMIT=$(echo "$GIT_COMMIT" | cut -c1-12)
+
+DOCKER_TAG="git-${GIT_SHORT_COMMIT}"
+PRIVATE_IMAGE="${PRIVATE_REPO}:${DOCKER_TAG}"
+
+DOCKER_USERNAME_SECRET=$(retry 5 vault kv get -field user "${DOCKER_REGISTRY_SECRET_PATH}")
+DOCKER_PASSWORD_SECRET=$(retry 5 vault kv get -field password "${DOCKER_REGISTRY_SECRET_PATH}")
+skopeo login --username "${DOCKER_USERNAME_SECRET}" --password "${DOCKER_PASSWORD_SECRET}" "${DOCKER_REGISTRY}"
+skopeo copy --all "docker://docker.elastic.co/cloud-release/elastic-agent-service:$BUILD_ID-SNAPSHOT" "docker://$PRIVATE_IMAGE"
+
+annotate "* Image: $PRIVATE_IMAGE"
+annotate "* Short commit: $GIT_SHORT_COMMIT"
+annotate "* Commit: https://github.com/elastic/elastic-agent/commit/$GIT_COMMIT"
+annotate "* Manifest: $MANIFEST_URL"
+
+buildkite-agent meta-data set "git-short-commit" "$GIT_SHORT_COMMIT"
+
+write_annotation

.buildkite/scripts/steps/run-agentless-tests.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+# ELASTICSEARCH CONFIDENTIAL
+# __________________
+#
+#  Copyright Elasticsearch B.V. All rights reserved.
+#
+# NOTICE:  All information contained herein is, and remains
+# the property of Elasticsearch B.V. and its suppliers, if any.
+# The intellectual and technical concepts contained herein
+# are proprietary to Elasticsearch B.V. and its suppliers and
+# may be covered by U.S. and Foreign Patents, patents in
+# process, and are protected by trade secret or copyright
+# law.  Dissemination of this information or reproduction of
+# this material is strictly forbidden unless prior written
+# permission is obtained from Elasticsearch B.V.
+
+set -eox pipefail
+
+_SELF=$(dirname $0)
+source "${_SELF}/../common.sh"
+
+extract_sha() {
+    local env=$1
+    local sha
+
+    # Ensure repo is available
+    git clone --depth 1 [email protected]:elastic/serverless-gitops.git || (
+        cd serverless-gitops
+        git pull
+    )
+
+    go install github.com/mikefarah/yq/[email protected]
+
+    # Extract first matching SHA for the environment pattern
+    sha=$(yq eval ".services.agentless-controller.versions | to_entries | .[] | select(.key | test(\"^${env}.*\")) | .value" serverless-gitops/services/agentless-controller/versions.yaml | head -1)
+
+    echo "$sha"
+}
+
+# Check environment variable
+if [ -z "${ENVIRONMENT:-}" ]; then
+    echo "ENVIRONMENT variable is not set"
+    exit 1
+fi
+
+# Extract agentless_controller_sha for the specified environment
+agentless_controller_sha=$(extract_sha "$ENVIRONMENT")
+
+if [ -z "$agentless_controller_sha" ]; then
+    echo "No SHA found for environment: $ENVIRONMENT"
+    exit 1
+fi
+
+echo "Running agentless tests for environment $ENVIRONMENT with Agentless-Controller version: $agentless_controller_sha"
+export SERVICE_VERSION="$agentless_controller_sha"
+make -C /agent run-environment-tests # part of docker.elastic.co/ci-agent-images/quality-gate-seedling image

catalog-info.yaml

@@ -412,4 +412,95 @@ spec:
         ELASTIC_SLACK_NOTIFICATIONS_ENABLED: "true"
         SLACK_NOTIFICATIONS_CHANNEL: "#ingest-notifications"
         SLACK_NOTIFICATIONS_ON_SUCCESS: "false"
-        SLACK_NOTIFICATIONS_ALL_BRANCHES: "false" # only notify for failures on `main` or \d+.\d+ (release) branches
+        SLACK_NOTIFICATIONS_ALL_BRANCHES: "false" # only notify for failures on `main` or \d+.\d+ (release) branches
+
+---
+# yaml-language-server: $schema=https://gist.githubusercontent.com/elasticmachine/988b80dae436cafea07d9a4a460a011d/raw/rre.schema.json
+apiVersion: backstage.io/v1alpha1
+kind: Resource
+metadata:
+  name: agentless-serverless-release
+  description: Initiate agentless serverless release
+  links:
+    - title: Pipeline
+      url: https://buildkite.com/elastic/agentless-serverless-release
+spec:
+  type: buildkite-pipeline
+  owner: group:ingest-fp
+  system: buildkite
+  implementation:
+    apiVersion: buildkite.elastic.dev/v1
+    kind: Pipeline
+    metadata:
+      name: agentless / serverless / release
+      description: Initiate Agentless serverless release
+    spec:
+      env:
+        SLACK_NOTIFICATIONS_CHANNEL: '#agentless-alerts'
+        ELASTIC_SLACK_NOTIFICATIONS_ENABLED: "true"
+        SLACK_NOTIFICATIONS_ON_SUCCESS: "false"
+        SLACK_NOTIFICATIONS_ALL_BRANCHES: "false" # only notify for failures on `main` or \d+.\d+ (release) branches
+      default_branch: main
+      allow_rebuilds: false
+      skip_intermediate_builds: false
+      repository: elastic/elastic-agent
+      pipeline_file: .buildkite/pipeline.agentless-app-release.yaml
+      provider_settings:
+        build_branches: false
+        build_pull_requests: false
+        publish_commit_status: false
+        trigger_mode: none
+        build_tags: false
+        prefix_pull_request_fork_branch_names: false
+        skip_pull_request_builds_for_existing_commits: false
+      teams:
+        agentless-team:
+          access_level: MANAGE_BUILD_AND_READ
+        cloud-tooling:
+          access_level: MANAGE_BUILD_AND_READ
+        everyone:
+          access_level: READ_ONLY
+        ingest-fp:
+          access_level: MANAGE_BUILD_AND_READ
+---
+
+# yaml-language-server: $schema=https://gist.githubusercontent.com/elasticmachine/988b80dae436cafea07d9a4a460a011d/raw/e57ee3bed7a6f73077a3f55a38e76e40ec87a7cf/rre.schema.json
+apiVersion: backstage.io/v1alpha1
+kind: Resource
+metadata:
+  name: agentless-tests
+  description: Tests the service ntegration in a specific environment
+  links:
+    - title: Pipeline
+      url: https://buildkite.com/elastic/agentless-tests
+spec:
+  type: buildkite-pipeline
+  owner: group:ingest-fp
+  system: buildkite
+  implementation:
+    apiVersion: buildkite.elastic.dev/v1
+    kind: Pipeline
+    metadata:
+      name: agentless-tests
+      description: agentless tests
+    spec:
+      env:
+        SLACK_NOTIFICATIONS_CHANNEL: '#agentless-alerts'
+        ELASTIC_SLACK_NOTIFICATIONS_ENABLED: "true"
+        SLACK_NOTIFICATIONS_ON_SUCCESS: "false"
+        SLACK_NOTIFICATIONS_ALL_BRANCHES: "false" # only notify for failures on `main` or \d+.\d+ (release) branches
+      repository: elastic/elastic-agent
+      pipeline_file: .buildkite/pipeline.agentless-tests.yaml
+      branch_configuration: "main"
+      provider_settings:
+        build_pull_requests: false
+        trigger_mode: none
+      teams:
+        agentless-team:
+          access_level: MANAGE_BUILD_AND_READ
+        cloud-tooling:
+          access_level: MANAGE_BUILD_AND_READ
+        ingest-fp:
+          access_level: MANAGE_BUILD_AND_READ
+        everyone:
+          access_level: READ_ONLY