chore(ssi): add e2e tests

[betterengineering]

What does this PR do?

This commit adds several e2e tests for SSI. These tests focus on configuration options for SSI and how they impact mutation.

Motivation

We have e2e test coverage through the Kubernetes tests that run on every platform:

datadog-agent/test/new-e2e/tests/containers/k8s_test.go

Lines 1196 to 1206 in 35e4f67

	func (suite *k8sSuite) TestAdmissionControllerWithoutAPMInjection() {
	suite.testAdmissionControllerPod("workload-mutated", "mutated", "", false)
	}
	func (suite *k8sSuite) TestAdmissionControllerWithLibraryAnnotation() {
	suite.testAdmissionControllerPod("workload-mutated-lib-injection", "mutated-with-lib-annotation", "python", false)
	}
	func (suite *k8sSuite) TestAdmissionControllerWithAutoDetectedLanguage() {
	suite.testAdmissionControllerPod("workload-mutated-lib-injection", "mutated-with-auto-detected-language", "python", true)
	}

However, these tests don't allow us to test more advanced configuration scenarios and more nuanced assertions. We want to add dedicated SSI end to end tests that focus on user configuration. For now, these new tests will be in addtion to the existing tests that focus on basic functionality on every platform we support.

See SSI Kubernetes | Platform Stability for how this change fits into a larger initiative.

Describe how you validated your changes

The attached build. Locally, these can be run like so:

inv new-e2e-tests.run --targets=./tests/ssi --run='^TestWorkloadSelectionSuite$'

inv new-e2e-tests.run --targets=./tests/ssi --run='^TestLocalSDKInjectionSuite$'

inv new-e2e-tests.run --targets=./tests/ssi --run='^TestNamespaceSelectionSuite$'

Additional Notes

Every version is pinned. The injector is pinned, the python tracer is pinned, and the test app is pinned. So nothing should change outside of a commit for these tests.

[agent-platform-auto-pr]

Gitlab CI Configuration Changes

Added Jobs

.on_ssi_or_e2e_changes

.on_ssi_or_e2e_changes:
- if: $RUN_E2E_TESTS == "off"
  when: never
- if: $CI_COMMIT_BRANCH =~ /^mq-working-branch-/
  when: never
- if: $RUN_E2E_TESTS == "on"
  when: on_success
- if: $CI_COMMIT_BRANCH == "main"
  when: on_success
- if: $CI_COMMIT_BRANCH =~ /^[0-9]+\.[0-9]+\.x$/
  when: on_success
- if: $CI_COMMIT_TAG =~ /^[0-9]+\.[0-9]+\.[0-9]+-rc\.[0-9]+$/
  when: on_success
- changes:
    compare_to: $COMPARE_TO_BRANCH
    paths:
    - .gitlab/e2e/e2e.yml
    - test/e2e-framework/**/*
    - test/new-e2e/go.mod
    - flakes.yaml
    - release.json
- changes:
    compare_to: $COMPARE_TO_BRANCH
    paths:
    - pkg/clusteragent/admission/mutate/autoinstrumentation/**/*
    - pkg/clusteragent/admission/mutate/common/**/*
    - pkg/clusteragent/admission/mutate/config/**/*
    - pkg/clusteragent/admission/mutate/tagsfromlabels/**/*
    - pkg/clusteragent/admission/common/**/*
    - pkg/clusteragent/admission/controllers/webhook/**/*
    - comp/core/workloadmeta/collectors/internal/kubeapiserver/**/*
    - comp/languagedetection/**/*
    - test/new-e2e/tests/ssi/**/*
  when: on_success

new-e2e-ssi

new-e2e-ssi:
  after_script:
  - CODECOV_TOKEN=$($CI_PROJECT_DIR/tools/ci/fetch_secret.sh $CODECOV token) || exit
    $?; export CODECOV_TOKEN
  - $CI_PROJECT_DIR/tools/ci/junit_upload.sh "junit-${CI_JOB_ID}.tgz" "$E2E_RESULT_JSON"
  - "if [ -d \"$E2E_COVERAGE_OUT_DIR\" ]; then\n  dda inv -- -e coverage.process-e2e-coverage-folders\
    \ $E2E_COVERAGE_OUT_DIR\n  pip install boto3==1.38.8 # TODO: Remove this before\
    \ merging, after dda is bumped in test-infra-definitions\n  dda inv -- -e dyntest.compute-and-upload-job-index\
    \ --bucket-uri $S3_PERMANENT_ARTIFACTS_URI --coverage-folder $E2E_COVERAGE_OUT_DIR\
    \ --commit-sha $CI_COMMIT_SHA --job-id $CI_JOB_ID\nfi\n"
  artifacts:
    expire_in: 2 weeks
    paths:
    - $E2E_OUTPUT_DIR
    - $E2E_RESULT_JSON
    - junit-*.tgz
    - $E2E_COVERAGE_OUT_DIR
    reports:
      annotations:
      - $EXTERNAL_LINKS_PATH
    when: always
  before_script:
  - mkdir -p $GOPATH/pkg/mod/cache && tar xJf modcache_e2e.tar.xz -C $GOPATH/pkg/mod/cache
  - rm -f modcache_e2e.tar.xz
  - mkdir -p ~/.pulumi && tar xJf pulumi_plugins.tar.xz -C ~/.pulumi
  - rm -f pulumi_plugins.tar.xz
  - mkdir -p $GOPATH/pkg/mod/cache && tar xJf modcache_tools.tar.xz -C $GOPATH/pkg/mod/cache
  - rm -f modcache_tools.tar.xz
  - dda inv -- -e install-tools
  - mkdir -p ~/.aws
  - "if [ -n \"$E2E_USE_AWS_PROFILE\" ]; then\n  echo Using agent-qa-ci aws profile\n\
    \  $CI_PROJECT_DIR/tools/ci/fetch_secret.sh $AGENT_QA_E2E profile >> ~/.aws/config\
    \ || exit $?\n  # Now all `aws` commands target the agent-qa profile\n  export\
    \ AWS_PROFILE=agent-qa-ci\nelse\n  # Assume role to fetch only once credentials\
    \ and avoid rate limits\n  echo Assuming ddbuild-agent-ci role\n  roleoutput=\"\
    $(aws sts assume-role --role-arn arn:aws:iam::669783387624:role/ddbuild-agent-ci\
    \ --external-id ddbuild-agent-ci --role-session-name RoleSession)\"\n  export\
    \ AWS_ACCESS_KEY_ID=\"$(echo \"$roleoutput\" | jq -r '.Credentials.AccessKeyId')\"\
    \n  export AWS_SECRET_ACCESS_KEY=\"$(echo \"$roleoutput\" | jq -r '.Credentials.SecretAccessKey')\"\
    \n  export AWS_SESSION_TOKEN=\"$(echo \"$roleoutput\" | jq -r '.Credentials.SessionToken')\"\
    \nfi\n"
  - $CI_PROJECT_DIR/tools/ci/fetch_secret.sh $AGENT_QA_E2E ssh_public_key_rsa > $E2E_AWS_PUBLIC_KEY_PATH
    || exit $?
  - touch $E2E_AWS_PRIVATE_KEY_PATH && chmod 600 $E2E_AWS_PRIVATE_KEY_PATH && $CI_PROJECT_DIR/tools/ci/fetch_secret.sh
    $AGENT_QA_E2E ssh_key_rsa > $E2E_AWS_PRIVATE_KEY_PATH || exit $?
  - $CI_PROJECT_DIR/tools/ci/fetch_secret.sh $AGENT_QA_E2E ssh_public_key_rsa > $E2E_AZURE_PUBLIC_KEY_PATH
    || exit $?
  - touch $E2E_AZURE_PRIVATE_KEY_PATH && chmod 600 $E2E_AZURE_PRIVATE_KEY_PATH &&
    $CI_PROJECT_DIR/tools/ci/fetch_secret.sh $AGENT_QA_E2E ssh_key_rsa > $E2E_AZURE_PRIVATE_KEY_PATH
    || exit $?
  - $CI_PROJECT_DIR/tools/ci/fetch_secret.sh $AGENT_QA_E2E ssh_public_key_rsa > $E2E_GCP_PUBLIC_KEY_PATH
    || exit $?
  - touch $E2E_GCP_PRIVATE_KEY_PATH && chmod 600 $E2E_GCP_PRIVATE_KEY_PATH && $CI_PROJECT_DIR/tools/ci/fetch_secret.sh
    $AGENT_QA_E2E ssh_key_rsa > $E2E_GCP_PRIVATE_KEY_PATH || exit $?
  - pulumi login "s3://dd-pulumi-state?region=us-east-1&awssdk=v2&profile=$AWS_PROFILE"
  - ARM_CLIENT_ID=$($CI_PROJECT_DIR/tools/ci/fetch_secret.sh $E2E_AZURE client_id)
    || exit $?; export ARM_CLIENT_ID
  - ARM_CLIENT_SECRET=$($CI_PROJECT_DIR/tools/ci/fetch_secret.sh $E2E_AZURE token)
    || exit $?; export ARM_CLIENT_SECRET
  - ARM_TENANT_ID=$($CI_PROJECT_DIR/tools/ci/fetch_secret.sh $E2E_AZURE tenant_id)
    || exit $?; export ARM_TENANT_ID
  - ARM_SUBSCRIPTION_ID=$($CI_PROJECT_DIR/tools/ci/fetch_secret.sh $E2E_AZURE subscription_id)
    || exit $?; export ARM_SUBSCRIPTION_ID
  - $CI_PROJECT_DIR/tools/ci/fetch_secret.sh $E2E_GCP credentials_json > ~/gcp-credentials.json
    || exit $?
  - export GOOGLE_APPLICATION_CREDENTIALS=~/gcp-credentials.json
  - dda inv -- -e gitlab.generate-ci-visibility-links --output=$EXTERNAL_LINKS_PATH
  - export DD_ENV=nativetest
  - export DD_CIVISIBILITY_AGENTLESS_ENABLED=true
  - DD_API_KEY=$($CI_PROJECT_DIR/tools/ci/fetch_secret.sh $AGENT_API_KEY_ORG2 token)
    || exit $?; export DD_API_KEY
  - export WINDOWS_DDNPM_DRIVER=${WINDOWS_DDNPM_DRIVER:-$(dda inv release.get-release-json-value
    "dependencies::WINDOWS_DDNPM_DRIVER" --no-worktree)}
  - export WINDOWS_DDPROCMON_DRIVER=${WINDOWS_DDPROCMON_DRIVER:-$(dda inv release.get-release-json-value
    "dependencies::WINDOWS_DDPROCMON_DRIVER" --no-worktree)}
  image: registry.ddbuild.io/ci/datadog-agent-buildimages/linux$CI_IMAGE_LINUX_SUFFIX:$CI_IMAGE_LINUX
  needs:
  - go_e2e_deps
  - go_e2e_test_binaries
  - go_tools_deps
  - job: new-e2e-base-coverage
    optional: true
  - qa_dca
  - qa_agent
  - qa_agent_full
  rules:
  - if: $RUN_E2E_TESTS == "off"
    when: never
  - if: $CI_COMMIT_BRANCH =~ /^mq-working-branch-/
    when: never
  - if: $RUN_E2E_TESTS == "on"
    when: on_success
  - if: $CI_COMMIT_BRANCH == "main"
    when: on_success
  - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\.[0-9]+\.x$/
    when: on_success
  - if: $CI_COMMIT_TAG =~ /^[0-9]+\.[0-9]+\.[0-9]+-rc\.[0-9]+$/
    when: on_success
  - changes:
      compare_to: $COMPARE_TO_BRANCH
      paths:
      - .gitlab/e2e/e2e.yml
      - test/e2e-framework/**/*
      - test/new-e2e/go.mod
      - flakes.yaml
      - release.json
  - changes:
      compare_to: $COMPARE_TO_BRANCH
      paths:
      - pkg/clusteragent/admission/mutate/autoinstrumentation/**/*
      - pkg/clusteragent/admission/mutate/common/**/*
      - pkg/clusteragent/admission/mutate/config/**/*
      - pkg/clusteragent/admission/mutate/tagsfromlabels/**/*
      - pkg/clusteragent/admission/common/**/*
      - pkg/clusteragent/admission/controllers/webhook/**/*
      - comp/core/workloadmeta/collectors/internal/kubeapiserver/**/*
      - comp/languagedetection/**/*
      - test/new-e2e/tests/ssi/**/*
    when: on_success
  - if: $CI_COMMIT_BRANCH =~ /^mq-working-branch-/
    when: never
  - allow_failure: true
    when: manual
  script:
  - export IS_DEV_BRANCH="$(dda inv -- -e pipeline.is-dev-branch)"
  - DYNAMIC_TESTS_BREAKGLASS=$($CI_PROJECT_DIR/tools/ci/fetch_secret.sh $DYNAMIC_TESTS_BREAKGLASS
    value) || exit $?; export DYNAMIC_TESTS_BREAKGLASS
  - "if [ \"$DYNAMIC_TESTS_BREAKGLASS\" == \"true\" ] || [ \"$IS_DEV_BRANCH\" == \"\
    false\" ] || [ \"$RUN_E2E_TESTS\" == \"on\" ]; then\n  export DYNAMIC_TESTS_FLAG=\"\
    \"\nfi\n"
  - dda inv -- -e new-e2e-tests.run $DYNAMIC_TESTS_FLAG $PRE_BUILT_BINARIES_FLAG $MAX_RETRIES_FLAG
    --local-package $CI_PROJECT_DIR/$OMNIBUS_BASE_DIR --result-json $E2E_RESULT_JSON
    --targets $TARGETS -c ddagent:imagePullRegistry=669783387624.dkr.ecr.us-east-1.amazonaws.com
    -c ddagent:imagePullUsername=AWS -c ddagent:imagePullPassword=$(aws ecr get-login-password)
    --junit-tar junit-${CI_JOB_ID}.tgz ${EXTRA_PARAMS} --test-washer --logs-folder=$E2E_OUTPUT_DIR/logs
    --logs-post-processing --logs-post-processing-test-depth=$E2E_LOGS_PROCESSING_TEST_DEPTH
  stage: e2e
  tags:
  - arch:amd64
  - specific:true
  variables:
    DYNAMIC_TESTS_FLAG: --impacted
    E2E_AWS_PRIVATE_KEY_PATH: /tmp/agent-qa-aws-ssh-key
    E2E_AWS_PUBLIC_KEY_PATH: /tmp/agent-qa-aws-ssh-key.pub
    E2E_AZURE_PRIVATE_KEY_PATH: /tmp/agent-qa-azure-ssh-key
    E2E_AZURE_PUBLIC_KEY_PATH: /tmp/agent-qa-azure-ssh-key.pub
    E2E_COMMIT_SHA: $CI_COMMIT_SHORT_SHA
    E2E_COVERAGE_OUT_DIR: $CI_PROJECT_DIR/coverage
    E2E_GCP_PRIVATE_KEY_PATH: /tmp/agent-qa-gcp-ssh-key
    E2E_GCP_PUBLIC_KEY_PATH: /tmp/agent-qa-gcp-ssh-key.pub
    E2E_KEY_PAIR_NAME: datadog-agent-ci-rsa
    E2E_LOGS_PROCESSING_TEST_DEPTH: 1
    E2E_OUTPUT_DIR: $CI_PROJECT_DIR/e2e-output
    E2E_PIPELINE_ID: $CI_PIPELINE_ID
    E2E_RESULT_JSON: $CI_PROJECT_DIR/e2e_test_output.json
    E2E_USE_AWS_PROFILE: 'true'
    EXTERNAL_LINKS_PATH: external_links_$CI_JOB_ID.json
    FLAKY_PATTERNS_CONFIG: $CI_PROJECT_DIR/flaky-patterns-runtime.yaml
    GIT_STRATEGY: clone
    KUBERNETES_CPU_REQUEST: 6
    KUBERNETES_MEMORY_LIMIT: 16Gi
    KUBERNETES_MEMORY_REQUEST: 12Gi
    MAX_RETRIES_FLAG: ''
    PRE_BUILT_BINARIES_FLAG: --use-prebuilt-binaries
    REMOTE_STACK_CLEANING: 'true'
    SHOULD_RUN_IN_FLAKES_FINDER: 'true'
    TARGETS: ./tests/ssi
    TEAM: injection-platform

Changes Summary

Removed	Modified	Added	Renamed
0	0	2	0

ℹ️ Diff available in the job log.

[agent-platform-auto-pr]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 118cd8c
📊 Static Quality Gates Dashboard

Successful checks

Info

	Quality gate	Delta	On disk size (MiB)	Delta	On wire size (MiB)
✅	agent_deb_amd64	$${0}$$	$${707.05}$$ < $${707.24}$$	$${-0.02}$$	$${173.43}$$ < $${174.02}$$
✅	agent_deb_amd64_fips	$${0}$$	$${702.34}$$ < $${702.86}$$	$${-0.03}$$	$${172.37}$$ < $${173.5}$$
✅	agent_heroku_amd64	$${0}$$	$${328.72}$$ < $${329.53}$$	$${-0.01}$$	$${87.42}$$ < $${88.43}$$
✅	agent_msi	$${0}$$	$${570.74}$$ < $${982.08}$$	$${+0.01}$$	$${142.73}$$ < $${143.02}$$
✅	agent_rpm_amd64	$${0}$$	$${707.03}$$ < $${707.23}$$	$${+0}$$	$${176.02}$$ < $${177.24}$$
✅	agent_rpm_amd64_fips	$${0}$$	$${702.33}$$ < $${702.85}$$	$${+0.02}$$	$${175.57}$$ < $${176.32}$$
✅	agent_rpm_arm64	$${0}$$	$${688.82}$$ < $${692.59}$$	$${+0}$$	$${159.52}$$ < $${160.9}$$
✅	agent_rpm_arm64_fips	$${0}$$	$${684.94}$$ < $${687.54}$$	$${-0.01}$$	$${159.02}$$ < $${160.11}$$
✅	agent_suse_amd64	$${0}$$	$${707.03}$$ < $${707.23}$$	$${+0}$$	$${176.02}$$ < $${177.24}$$
✅	agent_suse_amd64_fips	$${0}$$	$${702.33}$$ < $${702.85}$$	$${+0.02}$$	$${175.57}$$ < $${176.32}$$
✅	agent_suse_arm64	$${0}$$	$${688.82}$$ < $${692.59}$$	$${+0}$$	$${159.52}$$ < $${160.9}$$
✅	agent_suse_arm64_fips	$${0}$$	$${684.94}$$ < $${687.54}$$	$${-0.01}$$	$${159.02}$$ < $${160.11}$$
✅	docker_agent_amd64	$${-0}$$	$${768.84}$$ < $${769.58}$$	$${-0}$$	$${261.19}$$ < $${261.89}$$
✅	docker_agent_arm64	$${+0}$$	$${775.19}$$ < $${779.27}$$	$${-0}$$	$${250.24}$$ < $${252.08}$$
✅	docker_agent_jmx_amd64	$${-0}$$	$${959.72}$$ < $${960.46}$$	$${-0}$$	$${329.82}$$ < $${330.53}$$
✅	docker_agent_jmx_arm64	$${-0}$$	$${954.79}$$ < $${958.87}$$	$${-0}$$	$${314.86}$$ < $${316.71}$$
✅	docker_cluster_agent_amd64	$${-0}$$	$${180.42}$$ < $${181.08}$$	$${+0}$$	$${63.72}$$ < $${64.49}$$
✅	docker_cluster_agent_arm64	$${0}$$	$${196.3}$$ < $${198.49}$$	$${-0}$$	$${60.03}$$ < $${61.17}$$
✅	docker_cws_instrumentation_amd64	$${0}$$	$${7.13}$$ < $${7.18}$$	$${-0}$$	$${2.99}$$ < $${3.33}$$
✅	docker_cws_instrumentation_arm64	$${0}$$	$${6.69}$$ < $${6.92}$$	$${-0}$$	$${2.73}$$ < $${3.09}$$
✅	docker_dogstatsd_amd64	$${0}$$	$${38.77}$$ < $${39.38}$$	$${+0}$$	$${15.01}$$ < $${15.82}$$
✅	docker_dogstatsd_arm64	$${0}$$	$${37.07}$$ < $${37.94}$$	$${-0}$$	$${14.34}$$ < $${14.83}$$
✅	dogstatsd_deb_amd64	$${0}$$	$${30.0}$$ < $${30.61}$$	$${-0}$$	$${7.93}$$ < $${8.79}$$
✅	dogstatsd_deb_arm64	$${0}$$	$${28.15}$$ < $${29.11}$$	$${+0}$$	$${6.81}$$ < $${7.71}$$
✅	dogstatsd_rpm_amd64	$${0}$$	$${30.0}$$ < $${30.61}$$	$${+0}$$	$${7.94}$$ < $${8.8}$$
✅	dogstatsd_suse_amd64	$${0}$$	$${30.0}$$ < $${30.61}$$	$${+0}$$	$${7.94}$$ < $${8.8}$$
✅	iot_agent_deb_amd64	$${0}$$	$${42.94}$$ < $${43.29}$$	$${+0}$$	$${11.25}$$ < $${12.04}$$
✅	iot_agent_deb_arm64	$${0}$$	$${40.07}$$ < $${40.92}$$	$${-0}$$	$${9.61}$$ < $${10.45}$$
✅	iot_agent_deb_armhf	$${0}$$	$${40.65}$$ < $${41.03}$$	$${+0}$$	$${9.81}$$ < $${10.62}$$
✅	iot_agent_rpm_amd64	$${0}$$	$${42.94}$$ < $${43.29}$$	$${-0}$$	$${11.26}$$ < $${12.06}$$
✅	iot_agent_suse_amd64	$${0}$$	$${42.94}$$ < $${43.29}$$	$${-0}$$	$${11.26}$$ < $${12.06}$$

[cit-pr-commenter]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 3466fb72-f4e7-427a-b463-026330647e76

Baseline: 9114232
Comparison: 50d528b
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+2.80	[-0.18, +5.79]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+2.80	[-0.18, +5.79]	1	Logs
➖	file_tree	memory utilization	+2.75	[+2.71, +2.80]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	+1.60	[+1.56, +1.63]	1	Logs bounds checks dashboard
➖	quality_gate_idle	memory utilization	+0.86	[+0.82, +0.90]	1	Logs bounds checks dashboard
➖	ddot_metrics	memory utilization	+0.65	[+0.45, +0.86]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.59	[+0.54, +0.64]	1	Logs
➖	docker_containers_memory	memory utilization	+0.46	[+0.39, +0.54]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	+0.44	[+0.23, +0.64]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	+0.43	[+0.20, +0.66]	1	Logs
➖	otlp_ingest_logs	memory utilization	+0.42	[+0.30, +0.54]	1	Logs
➖	otlp_ingest_metrics	memory utilization	+0.26	[+0.10, +0.41]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	+0.16	[-0.00, +0.32]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.02	[-0.40, +0.43]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.01	[-0.11, +0.13]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	+0.01	[-0.10, +0.12]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.07, +0.07]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.01	[-0.06, +0.04]	1	Logs
➖	ddot_logs	memory utilization	-0.03	[-0.10, +0.04]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.05	[-0.42, +0.32]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.06	[-0.47, +0.34]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	-0.64	[-0.84, -0.43]	1	Logs bounds checks dashboard
➖	quality_gate_logs	% cpu utilization	-0.79	[-2.26, +0.68]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	-2.30	[-2.38, -2.22]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	docker_containers_cpu	simple_check_run	10/10
✅	docker_containers_memory	memory_usage	10/10
✅	docker_containers_memory	simple_check_run	10/10
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	lost_bytes	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.

[betterengineering]

This is something I added in #43874 but it wasn't correct.

[iamluc]

👌 Thanks!

[BaptisteFoy]

LGTM for Fleet-owned files

[betterengineering]

/merge

[dd-devflow-routing-codex]

View all feedbacks in Devflow UI.

2025-12-19 16:05:16 UTC ℹ️ Start processing command /merge

---

2025-12-19 16:05:24 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

---

2025-12-19 17:39:10 UTC ℹ️ MergeQueue: merge request added to the queue

The expected merge time in main is approximately 1h (p90).

---

2025-12-19 18:19:07 UTC ℹ️ MergeQueue: This merge request was merged