[Fleet] Support stack-aligned versioning scheme for bundled APM package #137759
Comments
kpollich
added
Team:Operations
|
Pinging @elastic/fleet (Team:Fleet) |
|
Pinging @elastic/apm-ui (Team:apm) |
|
There are buildkite APIs to access artifacts from specific builds, so if we knew the buildkite build id for the buildkite-agent artifact download "apm-server-build.tar.gz" . --build "$APM_SERVER_BUILD_ID"Alternatively, if you want to just upload the artifacts to a gcs bucket and then just download the most recent version of the artifact from a well-known object name, like: gsutil cp gs://elastic-apm-server-ci-builds/${branch}/latest.tar.gz apm-server-build.tar.gzWe can help setup the GCS buckets you'd like to use |
|
@kpollich I think that all sounds sensible. We'll need to sign the packages we store in build artifacts, which I think is something that @mtojek is looking into anyway. @spalger we are using Jenkins, so unfortunately we can't use buildkite build artifacts. For unified release builds, I would expect that Kibana would bundle the apm package from the the specific APM Server build for that unified release, rather than the latest branch build. Would it make sense to have Kibana build after APM Server in unified release, and fetch the artifacts that way? This is how binary artifacts are bundled in elastic-agent. |
Yes, I think so. So 8.5 would be the target. |
|
I spoke with @joshdover a bit offline, and I think we can avoid any involvement with CI or operations here by doing the following.
So, if APM opts in to this behavior, we'd have the following process:
I think this avoids the risk of shipping a prerelease versions in production (assuming the last prerelease == the production release) while affording us the ability to use prerelease versions of APM during the BC period. @axw - Does this satisfy the APM team's needs here without needing to involve more moving parts involving the operations folks, CI pipelines, etc? |
|
@kpollich I think it's reasonable. I'd say it's not perfect, as it's depending on something outside of the unified release process, which could break this assumption
... but I think this is better than what we have today, and addresses our immediate needs. I'd say we should go with this, and if we need to we could come back to the more complicated CI pipeline orchestration. |
Take into account that |
kpollich
changed the title
|
Hi folks, I've updated the description + title here based on #137759 (comment), and this should no longer involve the operations team so I've removed their label here. Thanks to the operations folks that responded above to provide some clarity, but we should be able to move forward with a more isolated implementation in Fleet's package bundling process. |
|
Just to clarify, based on what's been discussed there's no action for the APM UI team, am I right? |
This is correct based on the implementation we've discussed in this issue. The Fleet team would be driving the implementation of the prerelease version rewriting, support for an opt-in flag in @axw I've spent some time thinking about bundled packages and speaking with @ruflin about this in more details, and I'd be very interested to hear more about APM's specific pain points with the current processes around bundling packages + how they relate to package storage v2. Upon reviewing the email chain that prompted this issue, I came across this list of requirements you drafted:
Of these, numbers Numbers
I'm assuming this means that when we're shipping Kibana My main question here is whether this is a functional or aesthetic need. For example, would it be possible to push an emergency release to the APM integration and publish it to EPR as Overall, I'm concerned about baking too much logic into the package bundling process in Kibana. I am wondering if it's worth revisiting #124342 and considering storing bundled packages directly in Kibana's source code. Storing bundled packages directly in Kibana and updating via Git replaces the manual pre-release checklist of bundled package updates with a more automation-friendly process. e.g. A process like this removes the "build step" to resolve + download bundled packages every time a Kibana distributable is built, and makes it simpler to manage bundled packages via Git and GitHub instead of custom logic and tooling. Of course there are many bits of nuance and further thinking to do to support this, so I don't want to forego breaking down any immediate blockers the APM team is dealing with. Is the prerelease version rewriting logic captured here necessary to unblock the APM team in the coming releases where package storage v2 will be live? I know this is a conversation that has happened a few times now, but I'm curious if there are any new thoughts here. Does this issue run counter to a potentially more elegant solution involving Kibana's source code directly containing bundled packages? |
That's correct, I just included them for completeness.
That's correct.
APM Server is always released as part of the unified release. It would be possible to publish a patch to the integration package out of band, but we don't want to introduce version skew. There would be more variables, decreasing supportability. It also means the APM UI code cannot assume anything about the version that is installed, increasing its complexity (see #124342 (comment)). We have not yet needed to push an emergency fix for the integration package. Not to say that it can't or won't happen, but it's the wrong thing to optimise for. Issues with assets installed by the integration package are much more easily worked around compared to bugs in APM Server code.
Is it that the change to rewrite the version sigificant? Or is the concern about the implications of bundling at build time, and making the build non-reproducible? I assume the latter. I don't want to move the source of the APM integration package to Kibana in the foresseable future, as working across repos like that will introduce toil for APM Server developers and reduce our velocity.
I would be fine with having apm-server's CI push the package to elastic/kibana. Can we avoid having to go through PRs & additional code reviews? Integration package changes are reviewed in APM Server PRs, so I expect that should be sufficient.
It's not strictly necessary to do the version rewriting. If we push a timstamped package to package-storage v2 (because immutability) and a non-timestamped version to kibana (because stack version alignment), then I believe we'll be unblocked. |
I'd rather we poll the unified release API for the latest release during development/builds than store an archive in the Kibana repo. At ~25mb per archive the repo size will end up quite large. We can have APM CI trigger Kibana CI when a new build is published. We will have to make sure the released version is the exact same as the bundled version.
Maybe - I'm not sure how integrated APM server is. Elasticsearch changes break Kibana tests relatively frequently, so we don't allow automatic updates. We do package beats in our Cloud image without verification, but that's really just running a separate process with no integration. |
Another option, which is a kind of combination of all of the above: we could have APM Server's CI send a PR to Kibana which will update it to a specific pre-release/snapshot package version after it is published to package storage. That way we would have reproducible builds. We would still want to rewrite the version to match Kibana's. Something like this:
When Kibana is built off that commit, it wouldn't pull the latest package, but it would pull that specific package version from storage. It would rewrite the version of the package to match its own version (8.5.0-preview-123456 => 8.5.0).
@jbudz if we could create a PR which doesn't need review, but waits for tests to pass and then auto-merges - would that be OK? |
What about storing the non-archived packages and generating
This would definitely solve the issue with manually updating bundled package versions, but we'd still be doing the on-the-fly version rewriting specific to APM's (and maybe Endpoint's?) needs. What if, as part of the "bundled package contract", any package whose source is stored in |
|
I'm back from PTO and trying to keep up with this thread.
The Infra layer of the Package Storage v2 contains a set of jobs that can be triggered on different events. We could add a new job responsible for syncing bundled packages (or just the apm package?) with the Kibana repository. It can be started by the indexing job or on daily basis (schedule-daily job). It isn't anything new for the infra, as we have also a different job to refresh kubernetes templates. The job opens PRs against the agent (or beats?) repository. Let me know what do you think. |
Nit: I prefer we optimise for "continuously" instead of daily, just to get into the habit. |
Yes, if we want to explore the option with the sync job. Let's wait for @kpollich to chime in. |
It would be great to continuously update the APM package stored in Kibana's source via CI like this. The k8's template job is a pretty direct comparison, I think. To clarify, I've created two diagrams to capture the before/after workflows around bundled packages. Current bundled package workflow
Proposed bundled package workflow
So, the new process would essentially allow the APM team to publish any version of the APM package and a PR would automatically be filed against Kibana updating the package in Let me know if I've captured your thinking here, @mtojek. |
|
These are really fancy graphs :) Please share what you've used to prepare them @kpollich. Let me rephrase it into components we own.
Questions:
I'm concerned about increasing complexity around the solution, but hopefully, we're closer than further. cc @jlind23 |
|
https://excalidraw.com/ is the tool in question 🙂
Package sources aren't stored in Kibana today, only a reference to a package. Kibana fetches the built package archives from EPR at build time for a configurable list of bundled packages.
Yes this is just a typo - PR's only go one direction it turns out 😵
I think this is one of the big asks from @axw here: to forcibly align APM's version to the stack. See his responses above regarding this version alignment need: #137759 (comment). The plan would be to overwrite the version in
The packages we bundle today are captured here https://github.com/elastic/kibana/blob/main/fleet_packages.json
Yes I think we'd want these packages to skip the signing/verification process. Since their source code ships directly with Kibana it seems unnecessary to verify them in the same way we verify packages downloaded from EPR. This will probably allow us to skip over some corner cases related to verification. |
|
I'm not sure if I just circle back the discussion, but I will try this: If we stick with package references and During the build time, Kibana would pull referenced .zip files, unpack them, and alter package versions if needed (configurable for apm, not sure about others). Long story short, we would need:
|
|
I think what @mtojek wrote above sounds like a good approach. We would still need to verify the integrity of the package with this approach, since there's a download involved - but this would be done at bundling time rather than run-/installation time. Perhaps we could extend fleet_packages.json with:
|
|
Sounds like a plan. I will start preparing the sync job in the package-storage-infra. |
|
I'll take a pass at adding this new functionality to |
|
I put together a first pass at the "align package version to Kibana's" behavior here: #139567. @axw I think this satisfies the initial asks from this issue (prior to our discussions about higher level rethinking of how we work on bundled packages), but please let me know if there's anything else we can do in the immediate term to unblock APM in 8.5. |
|
@kpollich I'm removing the |
@kpollich thanks, looks good overall! We can always rework it later, but I think it would be better to have That would take us in the direction of #137759 (comment), where we would set a specific version in |
I understand that
👍 Let me know what you think as it impacts the work I've planned to do (implement the sync job). BTW Could we remove that comment block in |
@mtojek I only meant as an interim step, until the |
We can make the file
This makes sense, and I'd rather have every package in
If the sync packages CI task work isn't too far out, then I don't see a need to have support for |
👍
I'm working on this here. I'm if we should expand the file structure: [
{
"name": "apm",
"version": "8.4.0-preview-1234567",
"source": {
"repository_name": "package-storage-v2",
"download_url": "https://package-storage.elastic.co/artifacts/packages/apm-8.4.0-preview-1234567.zip",
"signature_url": "https://package-storage.elastic.co/artifacts/packages/apm-8.4.0-preview-1234567.zip.sig"
},
...
},This way we could get rid of the logic pointing to epr-snapshot from Kibana and start using signed artifacts (a concern raised by @axw). |
Updated #139567 with this behavior in mind. We require a version in |
|
The sync-bundled-packages job is waiting for reviews too (internal link above). |
|
Yep that sounds good to me. I think we can close this out. |
Replaces #136834
In the process of adapting various Elastic Agent packages to the new Package Storage v2 architecture, we've identified some needs specifically for the APM package to continue allowing the maintainers of the APM integration to work within their current processes:
8.4.0-dev1) to be presented as8.4.0to preserve APM's versioning needsTo meet these goals, we're proposing the following implementation:
usesStackAlignedExperimentalReleasesflag infleet_packages.jsonusesStackAlignedExperimentalReleasesis set for a bundled package, Kibana will fetch the latest compatible prerelease version from EPR when bundling, regardless of theversionvalue specified infleet_package.jsonSo, if APM opts in to this behavior, we'd have the following process:
?experimental=truequery stringapm-8.5.0-dev1version of APM, for exampleapm-8.5.0-dev1version using the returned archive + signature file from EPRapm-8.5.0-dev1package8.5.0so it's displayed as such in the UI, etcShow original description
The text was updated successfully, but these errors were encountered: