Add upgrade test on an air-gapped environment

[AndersonQ]

What does this PR do?

Add an upgrade test for air-gaped environments. It creates an artifacts server and blocks artifacts.elastic.co using iptables.

Why is it important?

To ensure the upgrade works correctly on air-gaped environments.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• [ ] I have added tests that prove my fix is effective or that my feature works
• [ ] I have added an entry in ./changelog/fragments using the [changelog tool](https://github.com/elastic/elastic-agent#changelog)
• I have added an integration test or an E2E test

How to test this PR locally

Run the test with:

AGENT_VERSION=8.12.0-SNAPSHOT AGENT_KEEP_INSTALLED=true INSTANCE_PROVISIONER="multipass" SNAPSHOT=true TEST_PLATFORMS="linux/amd64" mage integration:single TestFleetManagedAirGapedUpgrade

Related issues

• Closes Add an integration test to emulate an air gapped agent upgrade #3403

Questions to ask yourself

• How are we going to support this in production?
• How are we going to measure its adoption?
• How are we going to debug this?
• What are the metrics I should take care of?
• ...

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 3403-airgapped-test upstream/3403-airgapped-test
git merge upstream/main
git push upstream 3403-airgapped-test

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-11-15T15:49:06.228+0000

• Duration: 67 min 41 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages.

• run integration tests : Run the Elastic Agent Integration tests.

• run end-to-end tests : Generate the packages and run the E2E Tests.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[AndersonQ]

[Blocker]
Merge elastic/elastic-agent-libs#159 and release elastic-agent-libs then update the elastic-agent-libs version here

[elasticmachine]

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

[AndersonQ]

buildkite test this

[AndersonQ]

buildkite test this

[blakerouse]

Looks good. Really like seeing this type of test!

[blakerouse]

Suggested change

	t.Logf("found %v IPs for %q, blockingn them...", ips, host)
	t.Logf("found %v IPs for %q, blocking them...", ips, host)

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 3403-airgapped-test upstream/3403-airgapped-test
git merge upstream/main
git push upstream 3403-airgapped-test

[AndersonQ]

buildkite test this

[michalpristas]

LGTM

[michalpristas]

this test not the flag

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 3403-airgapped-test upstream/3403-airgapped-test
git merge upstream/main
git push upstream 3403-airgapped-test

[cmacknz]

Suggested change

	func TestFleetAirGapedUpgrade(t *testing.T) {
	func TestFleetAirGappedUpgrade(t *testing.T) {

[cmacknz]

The route here should probably be a constant since it is also configured in the server.

[cmacknz]

I can see in the logs that the download is going to the file path and the remote GPG key download is failing as expected 👍

{"log.level":"info","@timestamp":"2023-11-23T14:05:26.049Z","log.origin":{"file.name":"upgrade/upgrade.go","file.line":131},"message":"Upgrading agent","log":{"source":"elastic-agent"},"version":"8.12.0-SNAPSHOT","source_uri":"","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:26.049Z","log.origin":{"file.name":"upgrade/cleanup.go","file.line":22},"message":"Cleaning up non-matching downloaded versions","log":{"source":"elastic-agent"},"version":"8.12.0","downloads.path":"/opt/Elastic/Agent/data/elastic-agent-11887c/downloads","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:26.049Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":500},"message":"updated upgrade details","log":{"source":"elastic-agent"},"upgrade_details":{"target_version":"8.12.0-SNAPSHOT","state":"UPG_DOWNLOADING","action_id":"4c8fb430-f991-4da8-ab22-feb74d65e786","metadata":{}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:26.049Z","log.origin":{"file.name":"upgrade/step_download.go","file.line":96},"message":"Downloading upgrade artifact","log":{"source":"elastic-agent"},"version":"8.12.0-SNAPSHOT","source_uri":"http://127.0.0.1:41181/downloads/beats/elastic-agent/","drop_path":"","target_path":"/opt/Elastic/Agent/data/elastic-agent-11887c/downloads","install_path":"/opt/Elastic/Agent/data/elastic-agent-11887c/install","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:26.049Z","log.origin":{"file.name":"upgrade/step_download.go","file.line":250},"message":"download attempt 1","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:26.060Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":500},"message":"updated upgrade details","log":{"source":"elastic-agent"},"upgrade_details":{"target_version":"8.12.0-SNAPSHOT","state":"UPG_DOWNLOADING","action_id":"4c8fb430-f991-4da8-ab22-feb74d65e786","metadata":{}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:27.444Z","log.origin":{"file.name":"http/progress_observer.go","file.line":71},"message":"download from http://127.0.0.1:41181/downloads/beats/elastic-agent/beats/elastic-agent/elastic-agent-8.12.0-SNAPSHOT-linux-x86_64.tar.gz completed in 1 second @ 698.9MBps","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:27.453Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":500},"message":"updated upgrade details","log":{"source":"elastic-agent"},"upgrade_details":{"target_version":"8.12.0-SNAPSHOT","state":"UPG_DOWNLOADING","action_id":"4c8fb430-f991-4da8-ab22-feb74d65e786","metadata":{"download_percent":1,"download_rate":"698.896443MBps"}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:27.455Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":500},"message":"updated upgrade details","log":{"source":"elastic-agent"},"upgrade_details":{"target_version":"8.12.0-SNAPSHOT","state":"UPG_DOWNLOADING","action_id":"4c8fb430-f991-4da8-ab22-feb74d65e786","metadata":{"download_percent":1,"download_rate":"698.896443MBps"}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:27.455Z","log.origin":{"file.name":"http/progress_observer.go","file.line":71},"message":"download from http://127.0.0.1:41181/downloads/beats/elastic-agent/beats/elastic-agent/elastic-agent-8.12.0-SNAPSHOT-linux-x86_64.tar.gz.sha512 completed in Less than a second @ +InfYBps","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:27.455Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":500},"message":"updated upgrade details","log":{"source":"elastic-agent"},"upgrade_details":{"target_version":"8.12.0-SNAPSHOT","state":"UPG_DOWNLOADING","action_id":"4c8fb430-f991-4da8-ab22-feb74d65e786","metadata":{"download_percent":1,"download_rate":"+Inf bps"}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:28.859Z","log.origin":{"file.name":"download/verifier.go","file.line":231},"message":"Default PGP appended","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:38.752Z","message":"Non-zero metrics in the last 30s","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"cpu":{"id":"elastic-agent.service"},"memory":{"id":"elastic-agent.service","mem":{"usage":{"bytes":886800384}}}},"cpu":{"system":{"ticks":60,"time":{"ms":60}},"total":{"ticks":430,"time":{"ms":430},"value":430},"user":{"ticks":370,"time":{"ms":370}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":19},"info":{"ephemeral_id":"9b7405df-87cf-4425-a74d-6d9fa07ca328","name":"filebeat","uptime":{"ms":30243},"version":"8.12.0"},"memstats":{"gc_next":42197592,"memory_alloc":23796280,"memory_sys":57799944,"memory_total":75058464,"rss":135041024},"runtime":{"goroutines":56}},"filebeat":{"events":{"active":0,"added":259,"done":259},"harvester":{"open_files":4,"running":4,"started":4}},"libbeat":{"config":{"module":{"running":1,"starts":1}},"output":{"events":{"acked":91,"active":0,"batches":2,"total":91},"read":{"bytes":2762,"errors":1},"type":"elasticsearch","write":{"bytes":21845}},"pipeline":{"clients":4,"events":{"active":0,"filtered":168,"published":91,"retry":75,"total":259},"queue":{"acked":91,"max_events":3200}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":1.08,"15":1.01,"5":1.78,"norm":{"1":0.54,"15":0.505,"5":0.89}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:39.279Z","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.origin":{"file.line":187,"file.name":"log/log.go"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"cpu":{"id":"elastic-agent.service"},"memory":{"id":"elastic-agent.service","mem":{"usage":{"bytes":886624256}}}},"cpu":{"system":{"ticks":60,"time":{"ms":60}},"total":{"ticks":330,"time":{"ms":330},"value":330},"user":{"ticks":270,"time":{"ms":270}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":12},"info":{"ephemeral_id":"bb3e47f5-32dd-417a-9f05-580f021440bb","name":"metricbeat","uptime":{"ms":30280},"version":"8.12.0"},"memstats":{"gc_next":54164408,"memory_alloc":35782312,"memory_sys":53343496,"memory_total":51128432,"rss":138149888},"runtime":{"goroutines":29}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"type":"elasticsearch"},"pipeline":{"clients":0,"events":{"active":0},"queue":{"max_events":3200}}},"system":{"cpu":{"cores":2},"load":{"1":1.08,"15":1.01,"5":1.78,"norm":{"1":0.54,"15":0.505,"5":0.89}}}}},"log.logger":"monitoring","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:39.593Z","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cgroup":{"cpu":{"id":"elastic-agent.service"},"memory":{"id":"elastic-agent.service","mem":{"usage":{"bytes":886886400}}}},"cpu":{"system":{"ticks":60,"time":{"ms":60}},"total":{"ticks":320,"time":{"ms":320},"value":320},"user":{"ticks":260,"time":{"ms":260}}},"handles":{"limit":{"hard":524288,"soft":524288},"open":13},"info":{"ephemeral_id":"7e5a6c0d-fc8f-4766-980e-b2e1f23abb41","name":"metricbeat","uptime":{"ms":30180},"version":"8.12.0"},"memstats":{"gc_next":51236408,"memory_alloc":40810832,"memory_sys":57799944,"memory_total":57194336,"rss":142475264},"runtime":{"goroutines":35}},"libbeat":{"config":{"module":{"running":1,"starts":1}},"output":{"events":{"acked":1,"active":0,"batches":1,"total":1},"read":{"bytes":2938,"errors":1},"type":"elasticsearch","write":{"bytes":3123}},"pipeline":{"clients":1,"events":{"active":0,"published":1,"retry":1,"total":1},"queue":{"acked":1,"max_events":3200}}},"metricbeat":{"http":{"json":{"events":1,"success":1}}},"system":{"cpu":{"cores":2},"load":{"1":1.08,"15":1.01,"5":1.78,"norm":{"1":0.54,"15":0.505,"5":0.89}}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go"},"ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-11-23T14:05:58.860Z","log.origin":{"file.name":"download/verifier.go","file.line":268},"message":"Skipped remote PGP located at \"https://artifacts.elastic.co/GPG-KEY-elastic-agent\" because it's unavailable: 2 errors occurred:\n\t* Get \"https://artifacts.elastic.co/GPG-KEY-elastic-agent\": context deadline exceeded\n\t* Remote PGP download failed\n\n","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-11-23T14:05:59.026Z","log.origin":{"file.name":"download/verifier.go","file.line":270},"message":"Failed to fetch remote PGP key from \"https://70314541ec04430aaedc661b1ffa7313.fleet.us-west2.gcp.elastic-cloud.com:443/api/agents/upgrades/8.12.0/pgp-public-key\": call to 'https://70314541ec04430aaedc661b1ffa7313.fleet.us-west2.gcp.elastic-cloud.com:443/api/agents/upgrades/8.12.0/pgp-public-key' returned unsuccessful status code: 400","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:05:59.027Z","log.origin":{"file.name":"download/verifier.go","file.line":256},"message":"Using 1 PGP keys","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-11-23T14:05:59.027Z","log.origin":{"file.name":"composed/verifier.go","file.line":53},"message":"Verifier failed!","log":{"source":"elastic-agent"},"verifier":"fs.verifier","error":{"message":"could not get .asc file: fetching asc file from '/opt/Elastic/Agent/data/elastic-agent-11887c/downloads/elastic-agent-8.12.0-SNAPSHOT-linux-x86_64.tar.gz.asc': open /opt/Elastic/Agent/data/elastic-agent-11887c/downloads/elastic-agent-8.12.0-SNAPSHOT-linux-x86_64.tar.gz.asc: no such file or directory"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-11-23T14:06:00.254Z","log.origin":{"file.name":"download/verifier.go","file.line":231},"message":"Default PGP appended","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}

[cmacknz]

Now we just need the test to pass reliably.

As an aside there are a lot of formatting changes in here that made it harder to review the changes that add the test. Formatting changes are a good improvement, but its easier to review a lot of them if they are separated out. Lots of formatting changes also make it harder to spot bugs in the "real" part of the change.

[AndersonQ]

Now we just need the test to pass reliably.

I'm wondering if after the last rebase something broke because they were passing :/
I'm investigating it now

[AndersonQ]

buildkite test this

[AndersonQ]

buildkite test this

[elastic-sonarqube]

SonarQube Quality Gate

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication