[ACIX-1309] Try internal registry first for base Docker images used for fakeintake

[Ishirui]

What does this PR do?

Updates test/fakeintake/Dockerfile to try registry.ddbuild.io as a source first instead of an upstream repo for base golang and alpine images

Also update the update-go invoke task and corresponding CI job.

Motivation

Avoiding rate limits and increasing CI reliability.

Describe how you validated your changes

• Passing CI
• Building the image locally
• Verifying fallback logic works properly by using a golang base image that does not exist in registry.ddbuild.io (1.25.4 to be precise)

Additional Notes

1. Pinned golang images are only available as non-alpine flavor from registry.ddbuild.io and we don't really care about the build image being heavy or not - as long as the final stage is light. Therefore we switch to an ubuntu base for the build stage
2. Since we are often quite quick to update the go versions in our images, it is possible that we try to update the golang version used in the base image faster than Renovate can update the upstream on DataDog/images. In that case we don't want to be unable to build the fakeintake in CI, so we fallback to docker.io in that case.

[pgimalac]

If it's an arg, could we just pass it from the build job ? (entirely removing the need to update this file on go updates)

[Ishirui]

Sure we could, but as a rule of thumb I prefer to keep versions inside the Dockerfile themselves, or in a centralized place like a bake file. Needing to pass them via CLI makes the docker build command very clunky in case you ever want to build the image locally (this was especially painful when I was working on buildimages, where the command had 20+ args 🥴)

[pgimalac]

Fair enough

[agent-platform-auto-pr]

Gitlab CI Configuration Changes

Modified Jobs

docker_build_fakeintake

  docker_build_fakeintake:
    image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:20.10-py3
    needs: []
    retry: 2
    rules:
    - if: $CI_COMMIT_BRANCH =~ /^mq-working-branch-/
      when: never
    - changes:
        compare_to: $COMPARE_TO_BRANCH
        paths:
        - test/fakeintake/**/*
        - .gitlab/build/binary_build/fakeintake.yml
        - .gitlab/deploy/container_build/fakeintake.yml
        - .gitlab/deploy/dev_container_deploy/fakeintake.yml
    - changes:
        paths:
        - test/fakeintake/**/*
        - .gitlab/build/binary_build/fakeintake.yml
        - .gitlab/deploy/container_build/fakeintake.yml
        - .gitlab/deploy/dev_container_deploy/fakeintake.yml
      if: $CI_COMMIT_BRANCH == "main"
    script:
+   - "GO_VERSION=$(grep -E '^ARG GO_VERSION=' ${DOCKERFILE} | cut -d= -f2)\nGOLANG_IMAGE=\"\
+     ${BASE_IMAGE_REGISTRY}/library/golang:${GO_VERSION}\"\nif docker buildx imagetools\
+     \ inspect \"${GOLANG_IMAGE}\" > /dev/null 2>&1; then\n  echo \"Base image ${GOLANG_IMAGE}\
+     \ found in internal registry, building...\"\n  docker buildx build --push --pull\
+     \ --platform ${PLATFORMS} --build-arg=CI --build-arg=BASE_IMAGE_REGISTRY=${BASE_IMAGE_REGISTRY}\
+     \ --file ${DOCKERFILE} --tag ${TARGET} $BUILD_CONTEXT\n  exit 0\nfi\n"
    - DOCKER_LOGIN=$($CI_PROJECT_DIR/tools/ci/fetch_secret.sh $DOCKER_REGISTRY_RO user)
      || exit $?
    - $CI_PROJECT_DIR/tools/ci/fetch_secret.sh $DOCKER_REGISTRY_RO token | docker login
      --username "$DOCKER_LOGIN" --password-stdin "$DOCKER_REGISTRY_URL"
    - EXIT="${PIPESTATUS[0]}"; if [ $EXIT -ne 0 ]; then echo "Unable to locate credentials
      needs gitlab runner restart"; exit $EXIT; fi
+   - 'echo "Base image ${GOLANG_IMAGE} not found in internal registry, falling back
+     to docker.io..."
+ 
-   - docker buildx build --push --pull --platform ${PLATFORMS} --build-arg=CI --file
?   ^                                                                            ^
+     docker buildx build --push --pull --platform ${PLATFORMS} --build-arg=CI --build-arg=BASE_IMAGE_REGISTRY=docker.io
?   ^                                                                            ^^  ++++++++++++++++++++++++++++++ ++++
-     ${DOCKERFILE} --tag ${TARGET} $BUILD_CONTEXT
+     --file ${DOCKERFILE} --tag ${TARGET} $BUILD_CONTEXT
?    +++++++
+ 
+     '
    stage: container_build
    tags:
    - arch:amd64
    - specific:true
    variables:
+     BASE_IMAGE_REGISTRY: registry.ddbuild.io/images/mirror
      BUILD_CONTEXT: .
      DOCKERFILE: test/fakeintake/Dockerfile
      PLATFORMS: linux/amd64,linux/arm64
      TARGET: registry.ddbuild.io/ci/datadog-agent/fakeintake:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}

Changes Summary

Removed	Modified	Added	Renamed
0	1	0	0

ℹ️ Diff available in the job log.

[Copilot]

Pull request overview

Updates the fakeintake container build to prefer pulling base images from the internal mirror registry first (with a fallback to Docker Hub), and aligns the Go version update automation with the new Dockerfile pattern to improve CI reliability.

Changes:

• Parameterize fakeintake base images via BASE_IMAGE_REGISTRY and GO_VERSION build args.
• Update update-go automation to bump the GO_VERSION= arg in the fakeintake Dockerfile.
• Add CI build retry/fallback logic to rebuild using docker.io if the internal mirror is missing the required base image.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
test/fakeintake/Dockerfile	Adds registry/version args and switches base images to use an internal registry prefix.
tasks/update_go.py	Updates the Go version reference matcher to target GO_VERSION= in the fakeintake Dockerfile.
.gitlab/deploy/container_build/fakeintake.yml	Tries internal mirror first and retries build with docker.io when base image resolution fails.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[agent-platform-auto-pr]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor cafb445
📊 Static Quality Gates Dashboard
🔗 SQG Job

31 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_deb_amd64	755.988 MiB
✅	agent_deb_amd64_fips	715.077 MiB
✅	agent_heroku_amd64	323.754 MiB
✅	agent_msi	622.073 MiB
✅	agent_rpm_amd64	755.971 MiB
✅	agent_rpm_amd64_fips	715.061 MiB
✅	agent_rpm_arm64	734.126 MiB
✅	agent_rpm_arm64_fips	696.201 MiB
✅	agent_suse_amd64	755.971 MiB
✅	agent_suse_amd64_fips	715.061 MiB
✅	agent_suse_arm64	734.126 MiB
✅	agent_suse_arm64_fips	696.201 MiB
✅	docker_agent_amd64	817.021 MiB
✅	docker_agent_arm64	819.911 MiB
✅	docker_agent_jmx_amd64	1007.933 MiB
✅	docker_agent_jmx_arm64	999.605 MiB
✅	docker_cluster_agent_amd64	192.342 MiB
✅	docker_cluster_agent_arm64	207.644 MiB
✅	docker_cws_instrumentation_amd64	7.135 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_amd64	38.500 MiB
✅	docker_dogstatsd_arm64	36.812 MiB
✅	dogstatsd_deb_amd64	29.720 MiB
✅	dogstatsd_deb_arm64	27.881 MiB
✅	dogstatsd_rpm_amd64	29.720 MiB
✅	dogstatsd_suse_amd64	29.720 MiB
✅	iot_agent_deb_amd64	42.617 MiB
✅	iot_agent_deb_arm64	39.723 MiB
✅	iot_agent_deb_armhf	40.447 MiB
✅	iot_agent_rpm_amd64	42.618 MiB
✅	iot_agent_suse_amd64	42.618 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	+37.46 KiB (0.02% increase)	185.438 → 185.474 → 186.090
✅	agent_deb_amd64_fips	+38.2 KiB (0.02% increase)	176.271 → 176.308 → 180.330
✅	agent_heroku_amd64	neutral	87.100 MiB → 88.440
✅	agent_msi	neutral	149.242 MiB → 154.470
✅	agent_rpm_amd64	-31.94 KiB (0.02% reduction)	187.314 → 187.283 → 189.170
✅	agent_rpm_amd64_fips	neutral	178.396 MiB → 181.060
✅	agent_rpm_arm64	+32.7 KiB (0.02% increase)	169.717 → 169.749 → 170.020
✅	agent_rpm_arm64_fips	+5.2 KiB (0.00% increase)	162.451 → 162.456 → 164.130
✅	agent_suse_amd64	-31.94 KiB (0.02% reduction)	187.314 → 187.283 → 189.170
✅	agent_suse_amd64_fips	neutral	178.396 MiB → 181.060
✅	agent_suse_arm64	+32.7 KiB (0.02% increase)	169.717 → 169.749 → 170.020
✅	agent_suse_arm64_fips	+5.2 KiB (0.00% increase)	162.451 → 162.456 → 164.130
✅	docker_agent_amd64	neutral	277.760 MiB → 279.410
✅	docker_agent_arm64	neutral	265.053 MiB → 267.960
✅	docker_agent_jmx_amd64	neutral	346.403 MiB → 348.040
✅	docker_agent_jmx_arm64	neutral	329.695 MiB → 332.560
✅	docker_cluster_agent_amd64	neutral	67.203 MiB → 68.000
✅	docker_cluster_agent_arm64	-2.77 KiB (0.00% reduction)	63.191 → 63.189 → 63.640
✅	docker_cws_instrumentation_amd64	neutral	2.995 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.726 MiB → 3.090
✅	docker_dogstatsd_amd64	neutral	14.900 MiB → 15.820
✅	docker_dogstatsd_arm64	neutral	14.239 MiB → 14.830
✅	dogstatsd_deb_amd64	neutral	7.853 MiB → 8.790
✅	dogstatsd_deb_arm64	neutral	6.741 MiB → 7.710
✅	dogstatsd_rpm_amd64	neutral	7.866 MiB → 8.800
✅	dogstatsd_suse_amd64	neutral	7.866 MiB → 8.800
✅	iot_agent_deb_amd64	+2.59 KiB (0.02% increase)	11.236 → 11.238 → 12.040
✅	iot_agent_deb_arm64	neutral	9.601 MiB → 10.450
✅	iot_agent_deb_armhf	-2.62 KiB (0.03% reduction)	9.806 → 9.803 → 10.620
✅	iot_agent_rpm_amd64	-2.07 KiB (0.02% reduction)	11.256 → 11.254 → 12.060
✅	iot_agent_suse_amd64	-2.07 KiB (0.02% reduction)	11.256 → 11.254 → 12.060

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: d31374ec-55e7-47f0-899d-e08e6b549285

Baseline: cafb445
Comparison: 4913116
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+0.44	[-2.68, +3.57]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_metrics_logs	memory utilization	+1.67	[+1.47, +1.87]	1	Logs bounds checks dashboard
➖	quality_gate_logs	% cpu utilization	+0.53	[-0.99, +2.05]	1	Logs bounds checks dashboard
➖	docker_containers_cpu	% cpu utilization	+0.44	[-2.68, +3.57]	1	Logs
➖	docker_containers_memory	memory utilization	+0.43	[+0.35, +0.51]	1	Logs
➖	otlp_ingest_metrics	memory utilization	+0.39	[+0.23, +0.54]	1	Logs
➖	file_tree	memory utilization	+0.27	[+0.22, +0.32]	1	Logs
➖	quality_gate_idle	memory utilization	+0.25	[+0.21, +0.29]	1	Logs bounds checks dashboard
➖	ddot_logs	memory utilization	+0.25	[+0.18, +0.32]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	+0.07	[-0.12, +0.26]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	+0.07	[-0.09, +0.23]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.07	[-0.31, +0.44]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.01	[-0.49, +0.50]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.00	[-0.13, +0.13]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.10, +0.09]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	-0.00	[-0.13, +0.12]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.03	[-0.45, +0.39]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.03	[-0.08, +0.02]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	-0.08	[-0.13, -0.03]	1	Logs
➖	ddot_metrics	memory utilization	-0.10	[-0.30, +0.11]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.17	[-0.21, -0.14]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	-0.38	[-0.45, -0.32]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	-0.46	[-0.69, -0.23]	1	Logs
➖	otlp_ingest_logs	memory utilization	-0.97	[-1.07, -0.88]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	docker_containers_cpu	simple_check_run	10/10
✅	docker_containers_memory	memory_usage	10/10
✅	docker_containers_memory	simple_check_run	10/10
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	lost_bytes	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.

[alopezz]

My comments here are not blocking.

[tbavelier]

Don't think cont-platform owns any file here but LGTM

[Ishirui]

Don't think cont-platform owns any file here but LGTM

Yeah not sure why GitHub considers you codeowner 😅