Update lib-injection docker image tags #7057
Hey @andrewlock 👋
Thanks for taking care of this.
As you could guess, our CI is somewhat messy but we will try to get it working.
I left a bunch of comments in your PRs and I still have a few quick questions for you though:
The docker image is built on GitHub using this action.
This means the tracer that is inside the docker image is not signed built by our GitLab CI, but rather a dev build for the system tests to run.
EDIT: We don't sign our build, but the artifact built in GitHub then shipped in the Docker image will still be different from the one in the Maven Central repository (and our GitHub release attachment).
Don't we want to have the right agent release binary (the one built on GitLab) to be distributed to our customers instead?
By the way, how do you expect the CIs to coordinate themselves (that GitHub will have built and published the docker image to GHCR before your publishing task is executed)?
I also wonder if we will end up duplicating the `build-lib-init.sh` script in every repository or if we should communalise it (and if it is not something that could be related to the existing script that builds the original image/tag).
Pinging @randomanderson if he has more context about it 🙏
# needs the version from the generate-tag-values job | ||
needs: | ||
- job: generate-lib-init-tag-values |
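Review bot: the comment on the first line says the version comes from the `generate-tag-values` job, but the `needs:` entry below it names `generate-lib-init-tag-values`. Align the comment with the actual job name so the dependency is easy to find with a search and survives a later rename.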
Why split `generate-lib-init-tag-values` and `deploy-lib-init-trigger` into two separate jobs?
Trigger jobs can't have any `script` blocks
Because I think we have to due to the way GitLab works with trigger jobs I think. I could be wrong though, I suck at gitlab 😅 FWIW, other languages are using this script, so it works even if it's not optimal
# We don't tag prerelease versions | ||
- if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/' |
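Review bot: the `if:` pattern on `$CI_COMMIT_TAG` accepts every `vX.Y.Z` tag, so it filters out prereleases as the comment says but cannot tell a hotfix on an older release line from the newest release. A second comment line here stating that the `vMAJOR` and `latest` decisions are made from repository state in the tag-generation job would make it clear that this rule is not what stops those tags from moving backwards.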
About RC, I don't know who is using them, and where they are getting them from?
@am312 Can you provide more info about them?
@PerfectSlayer Probably, yes, but to be clear, you're already shipping that build. All this PR does is add a couple of extra tags to it.
However it's currently doing it, I haven't changed anything about that, and they're already being shipped, this just changes the image tagging a bit 😄
Yep, it's currently copied around (like the other scripts that are also currently copied around for this stuff). I agree, we will likely consolidate all this once we have a central place for creating these artifacts, but right now we just need to get the extra tags added, and the original script doesn't handle that (nor should it IMO).
Thanks for the comments @andrewlock 🙏 I will approve the PR but in the meantime, I want to make sure we start addressing all the pipeline issues as we keep adding complexity and features without addressing the root issues. I hope it went better with the other languages 😅
Benchmarks

Startup: Found 0 performance improvements and 0 performance regressions! Performance is the same for 49 metrics, 14 unstable metrics.
[Charts omitted: startup time reports for insecure-bank and petclinic (global startup overhead and breakdown per module); candidate=1.35.0-SNAPSHOT~2f8aad75a5, baseline=1.35.0-SNAPSHOT~489de243b6]

Load: Found 0 performance improvements and 0 performance regressions! Performance is the same for 7 metrics, 21 unstable metrics.
[Charts omitted: request duration reports [CI 0.99] for insecure-bank and petclinic; same candidate and baseline]

Dacapo: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
[Charts omitted: execution time [CI 0.99] for biojava and tomcat; same candidate and baseline]
What Does This Do

Adds `vMAJOR` and `vMAJOR.MINOR` lib-injection images (in addition to `vMAJOR.MINOR.PATCH` and `latest`)

Motivation

We want to enable customers to be able to pin to a major version. We were also incorrectly tagging images as `latest` when they weren't (only would have happened on hotfixes, so hasn't actually occurred).

We are following (this doc's suggestions), but in summary:

- `vMajor.Minor.Patch` version tag
  - `2.5.0` gets `v2.5.0`
  - `2.2.3` gets `v2.2.3`
  - `1.2.1` gets `v1.2.1`
- `vMajor.Minor` version tag initially (which assumes we never "go back" in release values)
  - `2.5.0` gets `v2.5`
  - `2.2.3` gets `v2.2`
  - `1.2.1` gets `v1.2`
- `vMajor` version tag. Only releases for which this is the highest version in the major get the tag.
  - `2.5.0` gets `v2` (if there's no higher `2.x.x` release)
  - `1.2.1` gets `v1` (if there's no higher `1.x.x` release)
- `2.5.0` gets `latest` if it's the highest release so far
- `1.2.1` will not get `latest` if there's already `2.x.x` releases

The logic is now more complicated and requires knowing the state of the git repository. The script shown here mirrors the one added for .NET.

Additional Notes

The generation stage is quite verbose about printing out all the variables, but overall this is obviously very hard to test so I set up a dummy GitHub repository and GitLab YAML, which just echoes the values it receives, to confirm they're sent across to the child pipeline correctly.

If it is safe to do so, we can test this by reverting the `revert "TESTING"` commit

I don't know how backporting or the extra `-rc` commit tags work, so hopefully someone else could pick that up 😅
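
The tagging rules in the description above, worked through as an added example; this is not the project's `build-lib-init.sh`. The function names and the sample tag list are constructed for illustration, and the mutable tags (`vMAJOR`, `latest`) are emitted only when no higher release exists, so a hotfix on an older line cannot move them backwards.

```sh
#!/bin/sh
# Added example, not the project's build-lib-init.sh; names are hypothetical.

# Same pattern as the pipeline rule: plain vX.Y.Z only, so -rc tags are rejected.
is_release_tag() {
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# version_gt A B: succeeds when X.Y.Z version A is strictly higher than B.
version_gt() (
  a=$1 b=$2
  for i in 1 2 3; do
    x=${a%%.*} y=${b%%.*}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    a=${a#*.} b=${b#*.}
  done
  return 1
)

# lib_init_tags RELEASE_TAG [EXISTING_GIT_TAG...]
# Prints the image tags for RELEASE_TAG; returns 1 for a non-release tag.
lib_init_tags() (
  is_release_tag "$1" || return 1
  version=${1#v}
  major=${version%%.*}
  rest=${version#*.}
  minor=${rest%%.*}
  shift
  top_of_major=1 top_overall=1
  for tag in "$@"; do
    is_release_tag "$tag" || continue   # prereleases never block a tag
    other=${tag#v}
    version_gt "$other" "$version" || continue
    top_overall=0                       # a higher release exists: no "latest"
    if [ "${other%%.*}" -eq "$major" ]; then top_of_major=0; fi
  done
  # vMAJOR.MINOR is always emitted: assumes patch releases never go backwards.
  out="v$version v$major.$minor"
  if [ "$top_of_major" -eq 1 ]; then out="$out v$major"; fi
  if [ "$top_overall" -eq 1 ]; then out="$out latest"; fi
  echo "$out"
)

# Constructed sample tags; in CI this list would come from `git tag -l 'v*'`.
SAMPLE_TAGS="v1.2.0 v1.2.1 v2.2.3 v2.5.0 v2.6.0-rc1"
for t in v2.5.0 v2.2.3 v1.2.1; do echo "$t -> $(lib_init_tags "$t" $SAMPLE_TAGS)"; done
```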