Replace Terraform ESS provisioning with oblt-cli; add Windows ARM64 CI#13546
Draft
michel-laterman wants to merge 8 commits intoelastic:mainfrom
Draft
Replace Terraform ESS provisioning with oblt-cli; add Windows ARM64 CI#13546michel-laterman wants to merge 8 commits intoelastic:mainfrom
michel-laterman wants to merge 8 commits intoelastic:mainfrom
Conversation
Contributor
|
This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
|
michel-laterman
force-pushed
the
feature/oblt-cli-win-arm64
branch
from
46c3784 to
859eff5
Compare
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
…4 CI Replace the Terraform-based ESS deployment provisioning with oblt-cli for all integration test platforms. This removes the Terraform dependency from CI runners, enabling support for Windows ARM64 where Terraform has no native binary. Key changes: - ess.sh/ess.ps1: Use `oblt-cli cluster create custom --template ess-ea-it` instead of `terraform apply`. Credentials are now loaded from GCP Secret Manager via `oblt-cli cluster secrets env` rather than Terraform outputs. - Pipeline plugins: Replace `vault_ec_key_prod` (EC API key) with `google_oidc_observability_plugin` + `oblt_cli_plugin` + `vault_github_token` - Add "Stateful: Windows ARM64" test group targeting Azure agents with the full test matrix matching Windows x86_64 - Remove `test_infra/ess/` Terraform configs and Terraform from .tool-versions Based on the approach from elastic#8591 by @v1v. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
michel-laterman
force-pushed
the
feature/oblt-cli-win-arm64
branch
from
859eff5 to
a986aff
Compare
4 tasks
v1v
reviewed
Apr 14, 2026
| @@ -7,25 +7,20 @@ env: | |||
| IMAGE_UBUNTU_2404_X86_64: "platform-ingest-elastic-agent-ubuntu-2404-1772525581" | |||
Member
There was a problem hiding this comment.
AFAIK, we don't support FIPS in oblt-cli yet
v1v
reviewed
Apr 14, 2026
| # Source the secrets file | ||
| # shellcheck source=/dev/null | ||
| local src_rc=0 | ||
| source "${secrets_file}" || src_rc=$? |
Member
There was a problem hiding this comment.
for some reason the source is not loading the variables :/
I bet, we need to do some export of the file
v1v
reviewed
Apr 14, 2026
| $Env:KIBANA_HOST = & terraform output -raw kibana_endpoint | ||
| $Env:KIBANA_USERNAME = $Env:ELASTICSEARCH_USERNAME | ||
| $Env:KIBANA_PASSWORD = $Env:ELASTICSEARCH_PASSWORD | ||
| $Env:INTEGRATIONS_SERVER_HOST = & terraform output -raw integrations_server_endpoint |
Member
There was a problem hiding this comment.
What's this? Is fleet-server?
with oblt-cli there are different URLs:
- KIBANA_FLEET_HOST=https://bob.kb.us-west2.gcp.elastic-cloud.com:443
- ELASTICSEARCH_HOST=https://ea-hosted-it-ess-ea--hnejl.es.us-west2.gcp.elastic-cloud.com:443
- KIBANA_FLEET_HOST=https://ea-hosted-it-ess-ea--hnejl.kb.us-west2.gcp.elastic-cloud.com:443
- FLEET_URL=https://ea-hosted-it-ess-ea--hnejl.fleet.us-west2.gcp.elastic-cloud.com:443
- INGEST_URL=https://ea-hosted-it-ess-ea--hnejl.ingest.us-west2.gcp.elastic-cloud.com:443
- ELASTIC_APM_SERVER_URL=https://ea-hosted-it-ess-ea--hnejl.apm.us-west2.gcp.elastic-cloud.com:443
Need to find the correct URL so we can replace INTEGRATIONS_SERVER_HOST with the relevant env variable provided by oblt-cli
I think it's ELASTIC_APM_SERVER_URL
Contributor
🔍 Preview links for changed docs |
v1v
reviewed
Apr 14, 2026
| $Env:KIBANA_PASSWORD = $Env:ELASTICSEARCH_PASSWORD | ||
| $Env:INTEGRATIONS_SERVER_HOST = & terraform output -raw integrations_server_endpoint | ||
| Pop-Location | ||
| & oblt-cli cluster create custom ` |
Member
There was a problem hiding this comment.
Let's wait for elastic/oblt-cli-buildkite-plugin#41 so we can add support for Windows too
Member
There was a problem hiding this comment.
Wonder if we can split this PR into three steps:
- Linux support
- Windows support
- FIPS support
For Linux I think it should work as is, for Windows we need a few changes to support that platform in the existing BK plugin, and for FIPS, it will not be available in the near future.
Contributor
Author
There was a problem hiding this comment.
I think we can use the FIPS image in the non frh-staging environment
…l-laterman/elastic-agent into feature/oblt-cli-win-arm64 * 'feature/oblt-cli-win-arm64' of https://github.com/michel-laterman/elastic-agent: [main][Automation] Update elastic/beats to 323f731f84e5 (elastic#13622) Update OTel Collector components to v0.149.0/v1.55.0 (elastic#13599) build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (elastic#13593) Fix clean stopping of beats on windows (elastic#13581) Handle multiple values for fleet and kibana headers (elastic#13506) [otel/kube-stack] Update the OpenTelemetry Kube Stack Helm Chart to latest versions (elastic#13522) Automate updates to opentelemetry-collector-components (elastic#13578) [beatreceiver] Add integration testing for kafka output (elastic#13550) Bump the version on main to 9.5.0 (elastic#13532) [beatreceivers] Enable otel runtime by default for kafka and logstash output (elastic#13514) Add Elastic Agent 9.3.3+IAR release notes (elastic#13556) fix(flake): clean up prefix install data dirs in RPM test fixture (elastic#13552) [Automation] Bump Golang version to 1.25.9 (elastic#13559) feat(helm): add support for Fleet URL and token from Kubernetes Secret (elastic#13507)
Contributor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
oblt-clifor all integration test platforms, removing the Terraform dependency from CI runnersWhat does this PR do?
oblt-cli migration (all platforms)
Replaces
terraform apply/terraform destroywithoblt-cli cluster create custom --template ess-ea-itandoblt-cli cluster destroy. Credentials are now loaded from GCP Secret Manager viaoblt-cli cluster secrets envinstead of Terraform outputs or Buildkite metadata.Scripts changed:
ess.sh/ess.ps1— newess_up(),ess_down(),ess_load_secrets()using oblt-cliess_start.sh/ess_down.sh— simplified, no Terraform state managementintegration_tests_tf.sh/integration_tests_tf.ps1— useess_load_secretsinstead of Buildkite metadata readsPipeline plugins replaced:
vault_ec_key_prod(EC API key via Vault)google_oidc_observability_plugin+oblt_cli_plugin+vault_github_tokenRemoved:
test_infra/ess/directory (Terraform configs)terraformfrom.tool-versionsASDF_TERRAFORM_VERSIONfrom pipeline envWindows ARM64 integration tests (new)
Added "Stateful: Windows ARM64" group to
bk.integration.pipeline.yml:provider: azure,vmSize: Standard_D4ps_v6)Note: Local
mage integration:*commands are not affected — they use separate Go-based provisioners inpkg/testing/ess/.Prerequisites (separate PRs/repos)
elastic/ci-agent-images): Build Windows ARM64 image for elastic-agent — updateIMAGE_WIN_ARM64placeholder once readyelastic/oblt-infra): Verifyelastic-agentpipeline principal hasgoogle-oblt-cluster-secrets-accessroleTest plan
/test extendedto verify ESS stack provisions correctly via oblt-cli🤖 Generated with Claude Code