elastic
diff --git a/‎.buildkite/bk.integration.pipeline.yml‎
Lines changed: 117 additions & 0 deletions b/‎.buildkite/bk.integration.pipeline.yml‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎.buildkite/integration.pipeline.yml‎
Lines changed: 3 additions & 25 deletions b/‎.buildkite/integration.pipeline.yml‎
Lines changed: 3 additions & 25 deletions
diff --git a/‎.buildkite/scripts/buildkite-k8s-integration-tests.sh‎
Lines changed: 5 additions & 1 deletion b/‎.buildkite/scripts/buildkite-k8s-integration-tests.sh‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎.buildkite/scripts/steps/k8s-extended-tests.sh‎
Lines changed: 1 addition & 1 deletion b/‎.buildkite/scripts/steps/k8s-extended-tests.sh‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/serverless-project.yml‎
Lines changed: 104 additions & 0 deletions b/‎.github/workflows/serverless-project.yml‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 1 addition & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 1 addition & 0 deletions
@@ -13,9 +13,37 @@ env:
   IMAGE_WIN_2022: "platform-ingest-elastic-agent-windows-2022-1749258065"
   IMAGE_WIN_2025: "platform-ingest-elastic-agent-windows-2025-1749258065"
 
+# This section is used to define the plugins that will be used in the pipeline.
+# See https://buildkite.com/docs/pipelines/integrations/plugins/using#using-yaml-anchors-with-plugins
+common:
+  - google_oidc_plugin: &google_oidc_plugin
+      # See https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/elastic-agent/01-gcp-oidc.tf
+      # This plugin authenticates to Google Cloud using the OIDC token.
+      elastic/oblt-google-auth#v1.3.0:
+        lifetime: 10800 # seconds
+        project-id: "elastic-observability-ci"
+        project-number: "911195782929"
+# see https://github.com/avaly/gcp-secret-manager-buildkite-plugin/pull/10
+# see https://github.com/avaly/gcp-secret-manager-buildkite-plugin/pull/11
+#  - gcp_serverless_secrets_plugin: &gcp_serverless_secrets_plugin
+      #avaly/gcp-secret-manager#v1.2.0:
+  - gcp_serverless_secrets_plugin: &gcp_serverless_secrets_plugin
+      elastic/gcp-secret-manager#v1.3.0-elastic:
+        env:
+          # These secrets are created in .github/workflows/serverless-project.yml
+          ELASTICSEARCH_HOST: ea-serverless-it-elasticsearch-hostname
+          ELASTICSEARCH_PASSWORD: ea-serverless-it-elasticsearch-password
+          ELASTICSEARCH_USERNAME: ea-serverless-it-elasticsearch-username
+          KIBANA_HOST: ea-serverless-it-kibana-hostname
+          KIBANA_USERNAME: ea-serverless-it-kibana-username
+          KIBANA_PASSWORD: ea-serverless-it-kibana-password
+
 steps:
   - label: Start ESS stack for integration tests
     key: integration-ess
+    notify:
+      - github_commit_status:
+          context: "buildkite/elastic-agent-extended-testing - ESS stack provision"
     env:
       ASDF_TERRAFORM_VERSION: 1.9.2
     command: |
@@ -31,6 +59,9 @@ steps:
 
   - group: "Extended runtime leak tests"
     key: extended-integration-tests
+    notify:
+      - github_commit_status:
+          context: "buildkite/elastic-agent-extended-testing - Runtime leak tests"
     depends_on:
       - integration-ess
     steps:
@@ -90,6 +121,9 @@ steps:
 
   - group: "Stateful: Windows"
     key: integration-tests-win
+    notify:
+      - github_commit_status:
+          context: "buildkite/elastic-agent-extended-testing - Windows"
     depends_on:
       - integration-ess
     steps:
@@ -184,6 +218,9 @@ steps:
 
   - group: "Stateful:Ubuntu"
     key: integration-tests-ubuntu
+    notify:
+      - github_commit_status:
+          context: "buildkite/elastic-agent-extended-testing - Ubuntu"
     depends_on:
       - integration-ess
     steps:
@@ -291,6 +328,9 @@ steps:
 
   - group: "Stateful:Debian"
     key: integration-tests-debian
+    notify:
+      - github_commit_status:
+          context: "buildkite/elastic-agent-extended-testing - Debian"
     depends_on:
       - integration-ess
     steps:
@@ -348,6 +388,9 @@ steps:
 
   - group: "Stateful(Sudo):RHEL8"
     key: integration-tests-rhel8
+    notify:
+      - github_commit_status:
+          context: "buildkite/elastic-agent-extended-testing - RHEL8"
     depends_on:
       - integration-ess
     steps:
@@ -370,6 +413,9 @@ steps:
 
   - group: "Kubernetes"
     key: integration-tests-kubernetes
+    notify:
+      - github_commit_status:
+          context: "buildkite/elastic-agent-extended-testing - Kubernetes"
     depends_on:
       - integration-ess
       - packaging-containers-x86-64
@@ -406,6 +452,76 @@ steps:
             - v1.30.8
             - v1.31.0
 
+  - group: "Serverless integration test"
+    key: integration-tests-serverless
+    notify:
+      - github_commit_status:
+          context: "buildkite/elastic-agent-extended-testing - Serverless integration test"
+    steps:
+      - label: "Windows:2022:amd64:sudo"
+        depends_on:
+          - packaging-windows
+        env:
+          TEST_PACKAGE: "github.com/elastic/elastic-agent/testing/integration/serverless"
+        command: |
+          buildkite-agent artifact download build/distributions/** . --step 'packaging-windows'
+          .buildkite/scripts/buildkite-integration-tests.ps1 fleet true
+        artifact_paths:
+          - build/**
+          - build/diagnostics/**
+        retry:
+          automatic:
+            limit: 1
+        agents:
+          provider: "gcp"
+          machineType: "n2-standard-8"
+          image: "${IMAGE_WIN_2022}"
+        plugins:
+          - *google_oidc_plugin
+          - *gcp_serverless_secrets_plugin
+
+      - label: "Windows:2025:amd64:sudo"
+        depends_on:
+          - packaging-windows
+        env:
+          TEST_PACKAGE: "github.com/elastic/elastic-agent/testing/integration/serverless"
+        command: |
+          buildkite-agent artifact download build/distributions/** . --step 'packaging-windows'
+          .buildkite/scripts/buildkite-integration-tests.ps1 fleet true
+        artifact_paths:
+          - build/**
+          - build/diagnostics/**
+        retry:
+          automatic:
+            limit: 1
+        agents:
+          provider: "gcp"
+          machineType: "n2-standard-8"
+          image: "${IMAGE_WIN_2025}"
+        plugins:
+          - *google_oidc_plugin
+          - *gcp_serverless_secrets_plugin
+      - label: "Ubuntu:2404:amd64:sudo"
+        depends_on: packaging-ubuntu-x86-64
+        env:
+          TEST_PACKAGE: "github.com/elastic/elastic-agent/testing/integration/serverless"
+        command: |
+          buildkite-agent artifact download build/distributions/** . --step 'packaging-ubuntu-x86-64'
+          sudo -E .buildkite/scripts/buildkite-integration-tests.sh fleet true
+        artifact_paths:
+          - build/**
+          - build/diagnostics/**
+        retry:
+          automatic:
+            limit: 1
+        agents:
+          provider: "gcp"
+          machineType: "n2-standard-8"
+          image: "${IMAGE_UBUNTU_2404_X86_64}"
+        plugins:
+          - *google_oidc_plugin
+          - *gcp_serverless_secrets_plugin
+
   - label: ESS stack cleanup
     depends_on:
       - integration-tests-ubuntu
@@ -430,6 +546,7 @@ steps:
       - integration-tests-win
       - integration-tests-rhel8
       - integration-tests-kubernetes
+      - integration-tests-serverless
     allow_dependency_failure: true
     command: |
       buildkite-agent artifact download "build/*.xml" .
 
@@ -6,6 +6,9 @@ env:
 steps:
   - group: "Integration tests: packaging"
     key: "int-packaging"
+    notify:
+      - github_commit_status:
+          context: "buildkite/elastic-agent - Packaging"
     steps:
       # Build matrix is not used for packaging in favor to unique step keys
       # Packaging linux/amd64
@@ -84,31 +87,6 @@ steps:
           imagePrefix: "core-ubuntu-2204-aarch64"
           diskSizeGb: 200
 
-  - label: "Serverless integration test"
-    key: "serverless-integration-tests"
-    depends_on:
-      - int-packaging
-    concurrency_group: elastic-agent-extended-testing/serverless-integration
-    concurrency: 8
-    env:
-      # we run each step in a different data center to spread the load
-      TEST_INTEG_AUTH_GCP_DATACENTER: "us-central1-a"
-    command: |
-      buildkite-agent artifact download "build/distributions/**" . $BUILDKITE_BUILD_ID
-      .buildkite/scripts/steps/integration_tests.sh serverless integration:testServerless
-    artifact_paths:
-      - "build/TEST-**"
-      - "build/diagnostics/*"
-    agents:
-      provider: "gcp"
-      machineType: "n2-standard-8"
-    retry:
-      automatic:
-        limit: 1
-    notify:
-      - github_commit_status:
-          context: "buildkite/elastic-agent-extended-testing - Serverless integration test"
-
   - label: "Triggering Integration tests"
     depends_on:
       - int-packaging
 
@@ -95,10 +95,14 @@ EOF
   pod_logs_base="${PWD}/build/${fully_qualified_group_name}.pod_logs_dump"
 
   set +e
-  K8S_TESTS_POD_LOGS_BASE="${pod_logs_base}" AGENT_IMAGE="${image}" DOCKER_VARIANT="${variant}" gotestsum --hide-summary=skipped --format testname --no-color -f standard-quiet --junitfile-hide-skipped-tests --junitfile "${outputXML}" --jsonfile "${outputJSON}" -- -tags kubernetes,integration -test.shuffle on -test.timeout 2h0m0s github.com/elastic/elastic-agent/testing/integration -v -args -integration.groups="${group_name}" -integration.sudo="false"
+  K8S_TESTS_POD_LOGS_BASE="${pod_logs_base}" AGENT_IMAGE="${image}" DOCKER_VARIANT="${variant}" gotestsum --hide-summary=skipped --format testname --no-color -f standard-quiet --junitfile-hide-skipped-tests --junitfile "${outputXML}" --jsonfile "${outputJSON}" -- -tags kubernetes,integration -test.shuffle on -test.timeout 2h0m0s github.com/elastic/elastic-agent/testing/integration/k8s -v -args -integration.groups="${group_name}" -integration.sudo="false"
   exit_status=$?
   set -e
 
+  if [[ $exit_status -ne 0 ]]; then
+     echo "^^^ +++"
+  fi
+
   if [[ $TESTS_EXIT_STATUS -eq 0 && $exit_status -ne 0 ]]; then
     TESTS_EXIT_STATUS=$exit_status
   fi
 
@@ -26,7 +26,7 @@ else
 fi
 
 SNAPSHOT=true EXTERNAL=true PACKAGES=docker mage -v package
-TEST_INTEG_CLEAN_ON_EXIT=true INSTANCE_PROVISIONER=kind STACK_PROVISIONER=stateful SNAPSHOT=true mage integration:kubernetesMatrix
+TEST_INTEG_CLEAN_ON_EXIT=true INSTANCE_PROVISIONER=kind STACK_PROVISIONER=stateful SNAPSHOT=true mage integration:testKubernetesMatrix
 TESTS_EXIT_STATUS=$?
 set -e
 
 
@@ -0,0 +1,104 @@
+---
+name: serverless-project
+
+on:
+  workflow_dispatch:
+  schedule:
+    # To run more often if needed, for now daily at 4:00 UTC
+    - cron: "0 4 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+  create-serverless:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    env:
+      PREFIX: "ea-serverless-it"
+    steps:
+      ####################################
+      # 1. Create the serverless project
+      ####################################
+      - name: Get token
+        id: get_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        with:
+          app_id: ${{ secrets.OBS_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.OBS_AUTOMATION_APP_PEM }}
+          permissions: >-
+            {
+              "checks": "read",
+              "contents": "write",
+              "pull_requests": "write"
+            }
+          repositories: >-
+            ["observability-test-environments"]
+
+      - uses: elastic/oblt-actions/git/setup@v1
+        with:
+          github-token: ${{ steps.get_token.outputs.token }}
+
+      - name: Get day of the week
+        id: get_day
+        run: echo "day=$(date +'%a' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+
+      - uses: elastic/oblt-actions/oblt-cli/cluster-create-custom@v1
+        id: create_serverless
+        with:
+          template: 'serverless-ea-it'
+          parameters: '{"Target":"production","ProjectType":"observability"}'
+          cluster-name-prefix: "${{ env.PREFIX }}-${{ steps.get_day.outputs.day }}"
+          github-token: ${{ steps.get_token.outputs.token }}
+          gitops: true
+          wait: '15'
+
+      # Authenticate to the elastic-observability to get the cluster credentials
+      - uses: elastic/oblt-actions/google/auth@v1
+
+      - uses: elastic/oblt-actions/oblt-cli/cluster-credentials@v1
+        with:
+          cluster-name: ${{ steps.create_serverless.outputs.cluster-name }}
+          github-token: ${{ steps.get_token.outputs.token }}
+
+      - name: Smoke test
+        run: curl -X GET ${ELASTICSEARCH_HOST}/_cat/indices?v -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}
+
+      ####################################
+      # 2. Copy the serverless secrets
+      ####################################
+      # Authenticate to the elastic-observability-ci to rotate the cluster credentials
+      - uses: elastic/oblt-actions/google/auth@v1
+        with:
+          project-number: "911195782929"
+          project-id: "elastic-observability-ci"
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a
+
+      # TODO: as soon as the oblt-framework supports elastic-observability-ci we can avoid this step.
+      # NOTE:
+      #   * While runnning this workflow, it might cause some hiccups if a PR runs when rotating the secrets
+      #   * Secrets need to be created firstly. gcloud secrets create otherwise gcloud secrets versions add will fail.
+      #     That's not an issue now, as we use the same secret name.
+      - name: Rotate GCSM secrets
+        env:
+          GCP_PROJECT: "elastic-observability-ci"
+        run: |
+          echo -n "${ELASTICSEARCH_HOST}" | gcloud secrets versions add "${PREFIX}-elasticsearch-hostname" --data-file=- --quiet --project "${GCP_PROJECT}"
+          echo -n "${ELASTICSEARCH_PASSWORD}" | gcloud secrets versions add "${PREFIX}-elasticsearch-password" --data-file=- --quiet --project "${GCP_PROJECT}"
+          echo -n "${ELASTICSEARCH_USERNAME}" | gcloud secrets versions add "${PREFIX}-elasticsearch-username" --data-file=- --quiet --project "${GCP_PROJECT}"
+          echo -n "${KIBANA_HOST}" | gcloud secrets versions add "${PREFIX}-kibana-hostname" --data-file=- --quiet --project "${GCP_PROJECT}"
+          echo -n "${KIBANA_USERNAME}" | gcloud secrets versions add "${PREFIX}-kibana-username" --data-file=- --quiet --project "${GCP_PROJECT}"
+          echo -n "${KIBANA_PASSWORD}" | gcloud secrets versions add "${PREFIX}-kibana-password" --data-file=- --quiet --project "${GCP_PROJECT}"
+
+      # TODO: if rotation fails then rollback to the previous cluster.
+      - if: ${{ failure()  }}
+        uses: elastic/oblt-actions/slack/send@v1
+        env:
+          JOB_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+        with:
+          bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          channel-id: "#ingest-notifications"
+          message: ":traffic_cone: serverless project creation failed for `${{ github.repository }}@${{ github.ref_name }}`, `@robots-ci` please look what's going on <${{ env.JOB_URL }}|here>"
@@ -8,3 +8,4 @@ repos:
         exclude: (.*/.*.(tmpl|tftpl)$)
     -   id: check-merge-conflict
         args: ['--assume-in-merge']
+        exclude: (^NOTICE.*\.txt$)