Improve smoke tests for observability SRE image (#17486)

* Improve smoke tests for observability SRE image

This commit adds a new rspec test to run the observability SRE container in a
docker compose network with filebeat and elasticsearch. It uses some simple test
data through a pipeline with plugins we expect to be used in production. The
rspec tests will ensure the test data is flowing from filebeat to logstash to
elasticsearch by querying elasticsearch for expected transformed data.

* REVERT ME: debug whats goig on in CI :(

* Run filebeat container as root

* Work around strict file ownership perms for filebeat

We add the filebeat config in a volume, the permissions checks fail due test
runner not being a root user. This commit disables that check in filebeat as
seems to be the consensus solution online for example: https://event-driven.io/en/tricks_on_how_to_set_up_related_docker_images/

* Dynaimcally generate PKI instead of checking it in

Instead of checking in PKI, dynamically generate it with gradle task for
starting containers and running the tests. This improvement avoids github
warning of checked in keys and avoid expiration headaches. Generation is very
fast and does not add any significant overhead to test setup.

* Remove use of "should" in rspec docstrings

see https://github.com/rubocop/rspec-style-guide?tab=readme-ov-file#should-in-example-docstrings

* Ensure permissions readable for volume

Now that certs are dynamically generated, ensure they are able to be read in container

* Use elasticsearch-fips image for smoke testing

* Add git ignore for temp certs

Author: donoghuc

.buildkite/pull_request_pipeline.yml

@@ -157,9 +157,15 @@ steps:
       set -euo pipefail
       source .buildkite/scripts/common/vm-agent.sh
       QUALIFIED_VERSION="$(.buildkite/scripts/common/qualified-version.sh)"
+      # Build the image locally with the gradle task
       ./gradlew --stacktrace artifactDockerObservabilitySRE -PfedrampHighMode=true
+      # Ensure it can at least start logstash
       docker run docker.elastic.co/logstash/logstash-observability-sre:$${QUALIFIED_VERSION} \
         logstash -e 'input { generator { count => 3 } } output { stdout { codec => rubydebug } }'
+      # Run the smoke tests on the PR code
+      docker tag docker.elastic.co/logstash/logstash-observability-sre:$${QUALIFIED_VERSION} \
+        pr-built-observability-sre-image
+      ./gradlew observabilitySREsmokeTests --stacktrace
 
   - label: ":lab_coat: Integration Tests - FIPS mode / part 1-of-3"
     key: "integration-tests-fips-part-1-of-3"

x-pack/build.gradle

@@ -75,3 +75,42 @@ tasks.register("buildFipsValidationGem") {
     rake(rootProject.projectDir, rootProject.buildDir, 'plugin:build-fips-validation-plugin')
   }
 }
+tasks.register("observabilitySREsmokeTests", Test) {
+    description = "Run ObservabilitySRE smoke tests using docker-compose and RSpec"
+    // Need to have set up the ruby environment for rspec even through we are running in container
+    dependsOn(":bootstrap", ":logstash-core:assemble", ":installDevelopmentGems")
+    inputs.files fileTree("${projectDir}/distributions/internal/observabilitySRE/qa/smoke")
+    doFirst {
+        // Generate the certificates first
+        exec {
+            workingDir file("distributions/internal/observabilitySRE/qa/smoke/docker/certs")
+            commandLine 'bash', './generate.sh'
+            ignoreExitValue = false
+        }
+        def result = exec {
+            workingDir file("distributions/internal/observabilitySRE/qa/smoke/docker")
+            commandLine 'docker-compose', 'up', '-d'
+            ignoreExitValue = true
+        }
+        if (result.exitValue != 0) {
+            throw new GradleException("Docker compose failed to start")
+        }
+        // Give containers time to start and show logs
+        sleep(30000)
+        exec {
+            workingDir file("distributions/internal/observabilitySRE/qa/smoke/docker")
+            commandLine 'docker-compose', 'logs'
+        }
+    }
+    systemProperty 'logstash.root.dir', projectDir.parent
+    include '**/org/logstash/xpack/test/RSpecObservabilitySRETests.class'
+    doLast {
+        exec {
+            workingDir file("distributions/internal/observabilitySRE/qa/smoke/docker")
+            commandLine 'docker-compose', 'down', '-v'
+            ignoreExitValue = true
+        }
+        // Clean up the generated certificates
+        delete fileTree("distributions/internal/observabilitySRE/qa/smoke/docker/certs").include("*.key", "*.crt", "*.csr", "*.srl")
+    }
+}

x-pack/distributions/internal/observabilitySRE/qa/smoke/docker/certs/.gitignore

@@ -0,0 +1,3 @@
+*.crt
+*.csr
+*.key

x-pack/distributions/internal/observabilitySRE/qa/smoke/docker/certs/generate.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+echo "Generating CA certificate"
+openssl req -x509 -newkey rsa:3072 -days 365 -nodes -keyout ca.key -out ca.crt -subj "/CN=Elastic-CA" -sha256
+
+echo "Generating Elasticsearch certificate"
+openssl req -newkey rsa:3072 -nodes -keyout elasticsearch.key -out elasticsearch.csr -subj "/CN=elasticsearch" -sha256
+openssl x509 -req -in elasticsearch.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out elasticsearch.crt -days 365 -sha256
+
+echo "Generating Logstash certificate"
+openssl req -newkey rsa:3072 -nodes -keyout logstash.key -out logstash.csr -subj "/CN=logstash" -sha256
+openssl x509 -req -in logstash.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out logstash.crt -days 365 -sha256
+
+echo "Generating Filebeat certificate"
+openssl req -newkey rsa:3072 -nodes -keyout filebeat.key -out filebeat.csr -subj "/CN=filebeat" -sha256
+openssl x509 -req -in filebeat.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out filebeat.crt -days 365 -sha256
+
+chmod 644 *.crt *.key

x-pack/distributions/internal/observabilitySRE/qa/smoke/docker/docker-compose.yml

@@ -0,0 +1,57 @@
+version: '3'
+
+services:
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch-fips:8.19.0-SNAPSHOT
+    environment:
+      - discovery.type=single-node
+      - xpack.security.enabled=true
+      - ELASTIC_PASSWORD=changeme
+      - ES_JAVA_OPTS=-Xms512m -Xmx512m
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/elasticsearch.crt
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/elasticsearch.crt
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certs/ca.crt
+    ports:
+      - "9200:9200"
+    volumes:
+      - ./certs:/usr/share/elasticsearch/config/certs
+    networks:
+      - smoketest
+
+  logstash:
+    # We build the observability SRE image with the gradle task, but then tag it
+    # as this in CI to ensure we are getting the local one built from the PR and not from 
+    # the container registry
+    image: pr-built-observability-sre-image
+    volumes:
+      - ./logstash/pipeline:/usr/share/logstash/pipeline
+      - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml
+      - ./certs:/usr/share/logstash/config/certs
+    ports:
+      - "5044:5044"
+    depends_on:
+      - elasticsearch
+    networks:
+      - smoketest
+
+  filebeat:
+    image: docker.elastic.co/beats/filebeat:8.19.0-SNAPSHOT
+    # Test runner mounts volume with non root user, do not require this file be root
+    entrypoint: "filebeat -e --strict.perms=false"
+    volumes:
+      - ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
+      - ./certs:/usr/share/filebeat/certs
+      - ./test-logs:/test-logs:ro
+    depends_on:
+      - logstash
+    networks:
+      - smoketest
+
+networks:
+  smoketest:
+    driver: bridge

x-pack/distributions/internal/observabilitySRE/qa/smoke/docker/filebeat/filebeat.yml

@@ -0,0 +1,15 @@
+filebeat.inputs:
+- type: log
+  enabled: true
+  paths:
+    - /test-logs/*.log
+
+output.logstash:
+  hosts: ["logstash:5044"]
+  ssl:
+    enabled: true
+    certificate_authorities: ["/usr/share/filebeat/certs/ca.crt"]
+    certificate: "/usr/share/filebeat/certs/filebeat.crt"
+    key: "/usr/share/filebeat/certs/filebeat.key"
+    verification_mode: "full"
+    supported_protocols: ["TLSv1.2"]

x-pack/distributions/internal/observabilitySRE/qa/smoke/docker/logstash/config/logstash.yml

@@ -0,0 +1,6 @@
+api.http.host: "0.0.0.0"
+xpack.monitoring.enabled: false
+
+pipeline.ordered: false
+pipeline.workers: 2
+pipeline.buffer.type: heap

x-pack/distributions/internal/observabilitySRE/qa/smoke/docker/logstash/pipeline/logstash.conf

@@ -0,0 +1,71 @@
+input {
+  beats {
+    port => 5044
+    ssl_enabled => true
+    ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca.crt"]
+    ssl_certificate => "/usr/share/logstash/config/certs/logstash.crt"
+    ssl_key => "/usr/share/logstash/config/certs/logstash.key"
+    ssl_client_authentication => "required"
+    ssl_supported_protocols => ["TLSv1.2"]
+  }
+}
+
+filter {
+  grok {
+    match => { "message" => "TEST-LOG: %{GREEDYDATA:log_content}" }
+  }
+  
+  if [log_content] =~ /timestamp=/ {
+    grok {
+      match => { "log_content" => ".*timestamp=%{TIMESTAMP_ISO8601:timestamp}.*" }
+    }
+    date {
+      match => [ "timestamp", "ISO8601" ]
+      target => "@timestamp"
+    }
+  }
+
+  age {}
+  if [@metadata][age] > 86400 {
+    mutate {
+      add_tag => ["old_event"]
+    }
+  }
+  
+  if [log_content] =~ /DEBUG/ {
+    drop { }
+  }
+  
+  if [log_content] =~ /json=/ {
+    grok {
+      match => { "log_content" => ".*json=%{GREEDYDATA:json_string}.*" }
+    }
+    json {
+      source => "json_string"
+      target => "parsed_json"
+    }
+  }
+
+  fingerprint {
+    source => ["message"]
+    target => "fingerprint"
+    method => "MD5"
+  }
+  
+  mutate {
+    add_field => { "environment" => "test" }
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["https://elasticsearch:9200"]
+    user => "elastic"
+    password => "changeme"
+    ssl_enabled => true
+    ssl_verification_mode => "full"
+    ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca.crt"]
+    index => "logs-%{+YYYY.MM.dd}"
+    ssl_supported_protocols => ["TLSv1.2"]
+  }
+}

x-pack/distributions/internal/observabilitySRE/qa/smoke/docker/test-logs/test.log

@@ -0,0 +1,7 @@
+TEST-LOG: Simple example log entry
+TEST-LOG: Error message with status=500
+TEST-LOG: Log with json={"user":"testuser","action":"login","status":"success"}
+TEST-LOG: Log with json={"user":"admin","action":"update","items":5,"details":{"category":"config","changed":true}}
+TEST-LOG: Log with timestamp=2025-04-01T12:00:00Z for testing date filter
+TEST-LOG: Debug log message DEBUG should be dropped
+TEST-LOG: Log with timestamp=2024-04-01T12:00:00Z should be tagged as old_event