fleet-server blackbox e2e tests (#2538)

* Add blackbox e2e test suite

Add e2e test suite that treats the fleet-server binary as a black box
and tests the API.

* Add go build coverage flag support

* Add e2e tests to jenkinsfile

* reset integration/.env

* Add review changes

* remove username from local testing image

* echo docker-compose commands for debugging

* use env var for service token

* Add log message to test for debugging

* two pass linux extraction

* fix linux directory creation

* fixes

* merge macos and linux extraction

* Note extracted elastic-agent location

* add command work dir, add command to error statement

* Fix broken container test

* Use multipass for agent install test suite

* Disable agetnt install tests

* fix tag

* Add container log output for failed tests

* Use testcontainers for docker test

* alter lifecycle

* container lifecylce logs to testlog

* Alter secret file permissions in container

* Copy certs instead of bind-mount

* Fix typos

* Fix file permissions

* Seperate testing requirements from module requirements

* Restore original go.mod, fix test-unit target

* Use Dockerfile.build to create e2e binaries

* Fix target

Author: michel-laterman

.ci/Jenkinsfile

@@ -111,6 +111,20 @@ pipeline {
         }
       }
     }
+    stage('E2E Test') {
+      options { skipDefaultCheckout() }
+      steps {
+        withGithubNotify(context: "E2E Test", tab: 'tests') {
+          cleanup()
+          dir("${BASE_DIR}"){
+            withGoEnv(){
+              retryWithSleep(retries: 2, seconds: 5, backoff: true){ sh(label: "Install Docker", script: '.ci/scripts/install-docker-compose.sh') }
+              sh(label: 'test', script: 'make test-e2e')
+            }
+          }
+        }
+      }
+    }
     stage('Cloud e2e Test') {
       options { skipDefaultCheckout() }
       steps {

.gitignore

@@ -24,3 +24,4 @@ dev-tools/cloud/terraform/*.tfvars*
 *.swn
 
 .service_token
+.kibana_service_token

Dockerfile.build

@@ -4,9 +4,10 @@ FROM docker.elastic.co/beats-dev/golang-crossbuild:${GO_VERSION}-main-debian11
 RUN \
   apt-get update \
   && apt-get install -y zip \
-  && mkdir /.cache \
+  && mkdir -p /.cache \
   && chmod 777 /.cache
 
 WORKDIR /go/src/github.com/elastic/fleet-server
 
-ENTRYPOINT [ "make", "release" ]
+ENTRYPOINT [ "make" ]
+CMD [ "release" ]

Makefile

@@ -21,7 +21,7 @@ BENCHMARK_ARGS := -count=8
 BENCHMARK_PACKAGE ?= ./...
 BENCHMARK_FILTER ?= Bench
 
-GO_TEST_FLAG = ""
+GO_TEST_FLAG =
 ifdef TEST_COVERAGE
 GO_TEST_FLAG = -covermode=atomic -coverprofile=build/TEST-go-fleet-server-coverage.cov
 endif
@@ -44,6 +44,7 @@ DOCKER_IMAGE?=docker.elastic.co/fleet-server/fleet-server
 
 
 PLATFORM_TARGETS=$(addprefix release-, $(PLATFORMS))
+COVER_TARGETS=$(addprefix cover-, $(PLATFORMS))
 COMMIT=$(shell git rev-parse --short HEAD)
 NOW=$(shell date -u '+%Y-%m-%dT%H:%M:%SZ')
 CMD_COLOR_ON=\033[32m\xE2\x9c\x93
@@ -75,10 +76,23 @@ local: ## - Build local binary for local environment (bin/fleet-server)
 	go build $(if $(DEV),-tags="dev",) -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" -o ./bin/fleet-server .
 	@printf "${CMD_COLOR_ON} Binaries in ./bin/\n${CMD_COLOR_OFF}"
 
+.PHONY: cover-e2e-binaries
+cover-e2e-binaries: ## - Build binaries for the test-e2e target with the go 1.20+ cover flag
+	SNAPSHOT=true $(MAKE) $(COVER_TARGETS)
+
+.PHONY: $(COVER_TARGETS)
+$(COVER_TARGETS): cover-%: ## - Build a binary with the -cover flag for integration testing
+	@mkdir -p build/cover
+	$(eval $@_OS := $(firstword $(subst /, ,$(lastword $(subst cover-, ,$@)))))
+	$(eval $@_GO_ARCH := $(lastword $(subst /, ,$(lastword $(subst cover-, ,$@)))))
+	$(eval $@_ARCH := $(TARGET_ARCH_$($@_GO_ARCH)))
+	$(eval $@_BUILDMODE:= $(BUILDMODE_$($@_OS)_$($@_GO_ARCH)))
+	GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) go build $(if $(DEV),-tags="dev",) -cover -coverpkg=./... -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/cover/fleet-server-$(VERSION)-$($@_OS)-$($@_ARCH)/fleet-server$(if $(filter windows,$($@_OS)),.exe,) .
+
 .PHONY: clean
 clean: ## - Clean up build artifacts
 	@printf "${CMD_COLOR_ON} Clean up build artifacts\n${CMD_COLOR_OFF}"
-	rm -rf .service_token ./bin/ ./build/
+	rm -rf .service_token .kibana_service_token ./bin/ ./build/
 
 .PHONY: generate
 generate: ## - Generate schema models
@@ -221,7 +235,11 @@ build-releaser: ## - Build a Docker image to run make package including all buil
 
 .PHONY: docker-release
 docker-release: build-releaser ## - Builds a release for all platforms in a dockerised environment
-	docker run --rm -u $(shell id -u):$(shell id -g) --volume $(PWD):/go/src/github.com/elastic/fleet-server $(BUILDER_IMAGE)
+	docker run --rm -u $(shell id -u):$(shell id -g) --volume $(PWD):/go/src/github.com/elastic/fleet-server $(BUILDER_IMAGE) release
+
+.PHONY: docker-cover-e2e-binaries
+docker-cover-e2e-binaries: build-releaser
+	docker run --rm -u $(shell id -u):$(shell id -g) --volume $(PWD):/go/src/github.com/elastic/fleet-server $(BUILDER_IMAGE) cover-e2e-binaries
 
 .PHONY: release
 release: $(PLATFORM_TARGETS) ## - Builds a release. Specify exact platform with PLATFORMS env.
@@ -263,7 +281,7 @@ export $(shell sed 's/=.*//' ./dev-tools/integration/.env)
 # Start ES with docker without waiting
 .PHONY: int-docker-start-async
 int-docker-start-async:
-	@docker-compose -f ./dev-tools/integration/docker-compose.yml --env-file ./dev-tools/integration/.env up  -d --remove-orphans elasticsearch
+	@docker compose -f ./dev-tools/integration/docker-compose.yml --env-file ./dev-tools/integration/.env up  -d --remove-orphans elasticsearch
 
 # Wait for ES to be ready
 .PHONY: int-docker-wait
@@ -279,7 +297,8 @@ int-docker-start: ## - Start docker envronment for integration tests and wait un
 # Stop integration docker setup
 .PHONY: int-docker-stop
 int-docker-stop: ## - Stop docker environment for integration tests
-	@docker-compose -f ./dev-tools/integration/docker-compose.yml --env-file ./dev-tools/integration/.env down
+	@docker compose -f ./dev-tools/integration/docker-compose.yml --env-file ./dev-tools/integration/.env down
+	@rm -f .service_token
 
 # Run integration tests with starting/stopping docker
 .PHONY: test-int
@@ -300,6 +319,48 @@ test-int-set: ## - Run integration tests without setup
 	ELASTICSEARCH_HOSTS=${TEST_ELASTICSEARCH_HOSTS} ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME} ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD} \
 	go test -v -tags=integration -count=1 -race -p 1 ./...
 
+##################################################
+# e2e testing targets
+##################################################
+
+# based off build-and-push-cloud-image
+.PHONY: build-e2e-agent-image
+build-e2e-agent-image: docker-cover-e2e-binaries ## - Build a custom elastic-agent image with fleet-server binaries with coverage enabled injected
+	@printf "${CMD_COLOR_ON} Creating test e2e agent image\n${CMD_COLOR_OFF}"
+	GOARCH=amd64 ./dev-tools/e2e/build.sh
+
+.PHONY: e2e-certs
+e2e-certs: ## - Use openssl to create a CA, encrypted private key, and signed fleet-server cert testing purposes
+	@printf "${CMD_COLOR_ON} Creating test e2e certs\n${CMD_COLOR_OFF}"
+	@./dev-tools/e2e/certs.sh
+
+.PHONY: e2e-docker-start
+e2e-docker-start: int-docker-start ## - Start a testing instance of Elasticsearch and Kibana in docker containers
+	@KIBANA_TOKEN=$(shell ./dev-tools/e2e/get-kibana-servicetoken.sh ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}@${TEST_ELASTICSEARCH_HOSTS}) docker compose -f ./dev-tools/e2e/docker-compose.yml --env-file ./dev-tools/integration/.env up  -d --remove-orphans kibana
+	@./dev-tools/e2e/wait-for-kibana.sh ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}@localhost:5601
+
+.PHONY: e2e-docker-stop
+e2e-docker-stop: ## - Tear down testing Elasticsearch and Kibana instances
+	@KIBANA_TOKEN="supress-warning" docker compose -f ./dev-tools/e2e/docker-compose.yml --env-file ./dev-tools/integration/.env down
+	rm -f .kibana_service_token
+	@$(MAKE) int-docker-stop
+
+.PHONY: test-e2e
+test-e2e: docker-cover-e2e-binaries build-e2e-agent-image e2e-certs ## - Setup and run the blackbox end to end test suite
+	@mkdir -p build/e2e-cover
+	@$(MAKE) e2e-docker-start
+	@set -o pipefail; $(MAKE) test-e2e-set | tee build/test-e2e.out
+	@$(MAKE) e2e-docker-stop
+
+.PHONY: test-e2e-set
+test-e2e-set: ## - Run the blackbox end to end tests without setup.
+	cd testing; \
+	ELASTICSEARCH_SERVICE_TOKEN=$(shell ./dev-tools/integration/get-elasticsearch-servicetoken.sh ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}@${TEST_ELASTICSEARCH_HOSTS}) \
+	ELASTICSEARCH_HOSTS=${TEST_ELASTICSEARCH_HOSTS} ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME} ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD} \
+	AGENT_E2E_IMAGE=$(shell cat "build/e2e-image") \
+	CGO_ENABLED=1 \
+	go test -v -tags=e2e -count=1 -race -p 1 ./...
+
 ##################################################
 # Cloud testing targets
 ##################################################

dev-tools/cloud/docker/build.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # This script builds an image from the elastic-agent image
-# with a locally built apm-server binary injected. Additional
+# with a locally built fleet-server binary injected. Additional
 # flags (e.g. -t <name>) will be passed to `docker build`.
 
 set -eu
@@ -40,4 +40,4 @@ docker build \
 docker push ${CI_ELASTIC_AGENT_DOCKER_IMAGE}:${CUSTOM_IMAGE_TAG}
 
 echo "Image available at:"
-echo "${CI_ELASTIC_AGENT_DOCKER_IMAGE}:${CUSTOM_IMAGE_TAG}"
+echo "${CI_ELASTIC_AGENT_DOCKER_IMAGE}:${CUSTOM_IMAGE_TAG}"

dev-tools/e2e/Dockerfile

@@ -0,0 +1,15 @@
+ARG ELASTIC_AGENT_IMAGE # e.g. docker.elastic.co/cloud-release/elastic-agent-cloud:8.8.0-4671daa2-SNAPSHOT
+
+FROM --platform=linux/amd64 ${ELASTIC_AGENT_IMAGE} as elastic_agent_amd64
+ARG STACK_VERSION # e.g. 8.5.0-SNAPSHOT
+ARG VCS_REF_SHORT # e.g. abc123
+ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server-${STACK_VERSION}-linux-x86_64/fleet-server \
+             ./data/elastic-agent-${VCS_REF_SHORT}/components/fleet-server
+
+FROM --platform=linux/arm64 ${ELASTIC_AGENT_IMAGE} as elastic_agent_arm64
+ARG STACK_VERSION # e.g. 8.5.0-SNAPSHOT
+ARG VCS_REF_SHORT # e.g. abc123
+ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server-${STACK_VERSION}-linux-arm64/fleet-server \
+             ./data/elastic-agent-${VCS_REF_SHORT}/components/fleet-server
+
+FROM elastic_agent_${TARGETARCH}

dev-tools/e2e/build.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# This script builds an image from the elastic-agent image
+# with a locally built fleet-server binary injected. Additional
+# flags (e.g. -t <name>) will be passed to `docker build`.
+
+set -eu
+
+REPO_ROOT=$(cd $(dirname $(readlink -f "$0"))/../.. && pwd)
+
+source ${REPO_ROOT}/dev-tools/integration/.env
+
+COMMIT=$(git rev-parse --short HEAD)
+CI_ELASTIC_AGENT_DOCKER_IMAGE=docker.elastic.co/observability-ci/elastic-agent
+
+BASE_IMAGE="${BASE_IMAGE:-docker.elastic.co/cloud-release/elastic-agent-cloud:$ELASTICSEARCH_VERSION}"
+GOARCH="${GOARCH:-$(go env GOARCH)}"
+
+export DOCKER_BUILDKIT=1
+docker pull --platform linux/$GOARCH $BASE_IMAGE
+
+STACK_VERSION=$(docker inspect -f '{{index .Config.Labels "org.label-schema.version"}}' $BASE_IMAGE)
+VCS_REF=$(docker inspect -f '{{index .Config.Labels "org.label-schema.vcs-ref"}}' $BASE_IMAGE)
+
+CUSTOM_IMAGE_TAG=${STACK_VERSION}-e2e-${COMMIT}-$(date +%s)
+
+docker build \
+	-f $REPO_ROOT/dev-tools/e2e/Dockerfile \
+	--build-arg ELASTIC_AGENT_IMAGE=$BASE_IMAGE \
+	--build-arg STACK_VERSION=$STACK_VERSION \
+	--build-arg VCS_REF_SHORT=${VCS_REF:0:6} \
+	--platform linux/$GOARCH \
+	-t ${CI_ELASTIC_AGENT_DOCKER_IMAGE}:${CUSTOM_IMAGE_TAG} \
+	$* $REPO_ROOT/build
+
+echo "${CI_ELASTIC_AGENT_DOCKER_IMAGE}:${CUSTOM_IMAGE_TAG}" > ${REPO_ROOT}/build/e2e-image

dev-tools/e2e/certs.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+
+set -eu
+
+REPO_ROOT=$(cd $(dirname $(readlink -f "$0"))/../.. && pwd)
+CERT_DIR=${REPO_ROOT}/build/e2e-certs
+
+mkdir -p ${CERT_DIR}
+
+# Create CA
+openssl req -x509 \
+    -sha256 -days 356 \
+    -nodes \
+    -newkey rsa:2048 \
+    -subj "/CN=e2e-test-ca" \
+    -keyout ${CERT_DIR}/e2e-test-ca.key -out ${CERT_DIR}/e2e-test-ca.crt \
+    2>/dev/null
+
+# Make encrypted private key
+echo -n abcd1234 > ${CERT_DIR}/passphrase
+
+openssl genpkey -algorithm RSA \
+    -aes-128-cbc \
+    -pkeyopt rsa_keygen_bits:2048 \
+    -pass file:${CERT_DIR}/passphrase \
+    -out ${CERT_DIR}/fleet-server-key \
+    2>/dev/null
+
+openssl rsa -aes-128-cbc \
+    -in ${CERT_DIR}/fleet-server-key \
+    -out ${CERT_DIR}/fleet-server.key  \
+    -passin pass:abcd1234 \
+    -passout file:${CERT_DIR}/passphrase \
+    2>/dev/null
+
+# Make CSR
+openssl req -new \
+    -key ${CERT_DIR}/fleet-server.key \
+    -passin file:${CERT_DIR}/passphrase \
+    -subj "/CN=localhost" \
+    -addext "subjectAltName=IP:127.0.0.1,DNS:localhost" \
+    -out ${CERT_DIR}/fleet-server.csr \
+    2>/dev/null
+
+# Sign CSR with CA
+openssl x509 -req \
+    -in ${CERT_DIR}/fleet-server.csr \
+    -days 356 \
+    -extfile <(printf "subjectAltName=IP:127.0.0.1,DNS:localhost") \
+    -CA ${CERT_DIR}/e2e-test-ca.crt \
+    -CAkey ${CERT_DIR}/e2e-test-ca.key \
+    -CAcreateserial \
+    -out ${CERT_DIR}/fleet-server.crt \
+    2>/dev/null
+
+# Sanity checks
+openssl verify -verbose \
+    -CAfile ${CERT_DIR}/e2e-test-ca.crt \
+    ${CERT_DIR}/fleet-server.crt
+
+openssl rsa -check -noout \
+    -in ${CERT_DIR}/fleet-server.key \
+    -passin file:${CERT_DIR}/passphrase

dev-tools/e2e/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '2.3'
+services:
+  kibana:
+    image: "docker.elastic.co/kibana/kibana:${ELASTICSEARCH_VERSION}-amd64"
+    container_name: kibana
+    environment:
+      - KIBANA_TOKEN=${KIBANA_TOKEN}
+    volumes:
+      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
+    ports:
+      - 127.0.0.1:5601:5601
+    networks:
+      - integration
+# Attach to the integration test network
+networks:
+  integration:
+    name: integration_default
+    external: true

dev-tools/e2e/get-kibana-servicetoken.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+host="$1"
+
+jsonBody="$(curl -sSL -XPOST "$host/_security/service/elastic/kibana/credential/token/token1")"
+
+# use grep and sed to get the service token value as we may not have jq or a similar tool on the instance
+token=$(echo ${jsonBody} |  grep -Eo '"value"[^}]*' | grep -Eo ':.*' | sed -r "s/://" | sed -r 's/"//g')
+
+# cache or use cached token in order to be able to run repeative integration tests,
+# very useful during development, without recreating elasticsearch instance every time.
+if [ -z "$token" ]
+then
+    token=`cat .kibana_service_token`
+else
+    echo "$token" > .kibana_service_token
+fi
+
+echo "$token"

dev-tools/e2e/kibana.yml

@@ -0,0 +1,33 @@
+server.name: kibana
+server.host: "0.0.0.0"
+server.ssl.enabled: false
+elasticsearch.hosts: [ "http://elasticsearch:9200" ]
+elasticsearch.serviceAccountToken: "${KIBANA_TOKEN}"
+
+xpack.fleet.agents.enabled: true
+xpack.fleet.agents.fleet_server.hosts: ["http://fleet-server:8220"]
+xpack.fleet.agents.elasticsearch.hosts: ["http://elasticsearch:9200"]
+xpack.fleet.packages:
+  - name: elastic_agent
+    version: latest
+  - name: fleet_server
+    version: latest
+xpack.fleet.agentPolicies:
+  - name: fleet-server-policy
+    id: fleet-server-policy
+    monitoring_enabled: []
+    is_default_fleet_server: true
+    is_managed: false
+    namespace: default
+    package_policies:
+      - name: fleet_server-1
+        id: default-fleet-server
+        package:
+          name: fleet_server
+xpack.fleet.outputs:
+  - id: fleet-default-output
+    name: default
+    type: elasticsearch
+    hosts: [ http://elasticsearch:9200 ]
+    is_default: true
+    is_default_monitoring: true

dev-tools/e2e/wait-for-kibana.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+host="$1"
+shift
+cmd="$@"
+
+
+until $(curl --output /dev/null --silent --head --fail "${host}/api/status"); do
+    printf '.'
+    sleep 1
+done
+
+# First wait for ES to start...
+response=$(curl $host)
+
+until [ "$response" = "200" ]; do
+    response=$(curl --write-out %{http_code} --silent --output /dev/null "${host}/api/status")
+    echo '.'
+    sleep 1
+done
+
+>&2 echo "Kibana is up"
+exec $cmd