From 9f7c282a489803754f22b181daa29bd8e926b8f8 Mon Sep 17 00:00:00 2001
From: Toby Brain
Date: Fri, 18 Jul 2025 20:38:50 +1000
Subject: [PATCH 1/5] Install go, tools, and dependencies for Copilot
---
.github/workflows/copilot-setup-steps.yml | 33 +++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 .github/workflows/copilot-setup-steps.yml
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
new file mode 100644
index 000000000..663a089de
--- /dev/null
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -0,0 +1,33 @@
+name: "Copilot Setup Steps"
+
+# Automatically run the setup steps when they are changed to allow for easy validation, and
+# allow manual testing through the repository's "Actions" tab
+on:
+ workflow_dispatch:
+ push:
+ paths:
+ - .github/workflows/copilot-setup-steps.yml
+ pull_request:
+ paths:
+ - .github/workflows/copilot-setup-steps.yml
+
+jobs:
+ # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
+ copilot-setup-steps:
+ runs-on: ubuntu-latest
+
+ # Set the permissions to the lowest permissions possible needed for your steps.
+ # Copilot will be given its own token for its operations.
+ permissions:
+ # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete.
+ contents: read
+
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+ with:
+ go-version-file: 'go.mod'
+ cache: true
+
+ - name: Get dependencies
+ run: make setup
From 3faae660bc177ee58ddb0a6cd3e736dcaedd9593 Mon Sep 17 00:00:00 2001
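Review bot: The `actions/checkout` step keeps its default of persisting the job token in the checked-out repository's git configuration, and everything that runs afterwards in this job (`make setup`, then the Copilot session these steps prepare) can read that workspace. Nothing visible in this hunk fetches or pushes after the checkout, so the step could take `with:` / `persist-credentials: false`; the file's own comment says Copilot is given its own token, but confirm it does not rely on the persisted one. The `contents: read` scope and the SHA-pinned actions already limit what the token can do, so this is hardening rather than a fix.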
From: Toby Brain
Date: Mon, 21 Jul 2025 11:55:45 +1000
Subject: [PATCH 2/5] Setup Terraform and ES Stack
---
.github/workflows/copilot-setup-steps.yml | 82 +++++++++++++++++++++++
1 file changed, 82 insertions(+)
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 663a089de..82b9f45e6 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -21,6 +21,63 @@ jobs: permissions: # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete. contents: read + env: + ELASTICSEARCH_ENDPOINTS: "http://localhost:9200" + ELASTICSEARCH_USERNAME: "elastic" + ELASTICSEARCH_PASSWORD: password + KIBANA_ENDPOINT: "http://localhost:5601" + KIBANA_USERNAME: "elastic" + KIBANA_PASSWORD: password + KIBANA_SYSTEM_USERNAME: kibana_system + KIBANA_SYSTEM_PASSWORD: password + TF_ACC: "1" + STACK_VERSION: 9.0.3 + services: + elasticsearch: + image: docker.elastic.co/elasticsearch/elasticsearch:${{ env.STACK_VERSION }} + env: + discovery.type: single-node + xpack.security.enabled: true + xpack.security.authc.api_key.enabled: true + xpack.security.authc.token.enabled: true + xpack.watcher.enabled: true + xpack.license.self_generated.type: trial + repositories.url.allowed_urls: https://example.com/* + path.repo: /tmp + ELASTIC_PASSWORD: ${{ env.ELASTICSEARCH_PASSWORD }} + ports: + - 9200:9200 + options: --health-cmd="curl http://localhost:9200/_cluster/health" --health-interval=10s --health-timeout=5s --health-retries=10 + kibana: + image: docker.elastic.co/kibana/kibana:${{ env.STACK_VERSION }} + env: + SERVER_NAME: kibana + ELASTICSEARCH_HOSTS: http://elasticsearch:9200 + ELASTICSEARCH_USERNAME: ${{ env.KIBANA_SYSTEM_USERNAME }} + ELASTICSEARCH_PASSWORD: ${{ env.KIBANA_SYSTEM_PASSWORD }} + XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY: a7a6311933d3503b89bc2dbc36572c33a6c10925682e591bffcab6911c06786d + # LOGGING_ROOT_LEVEL: debug + ports: + - 5601:5601 + options: --health-cmd="curl http://localhost:5601/api/status" --health-interval=10s --health-timeout=5s --health-retries=10 + fleet: + image: docker.elastic.co/beats/elastic-agent:${{ env.STACK_VERSION }} + env: + SERVER_NAME: fleet + FLEET_ENROLL: "1" + FLEET_URL: 
https://fleet:8220 + FLEET_INSECURE: "true" + FLEET_SERVER_ENABLE: "1" + FLEET_SERVER_POLICY_ID: fleet-server + FLEET_SERVER_ELASTICSEARCH_HOST: http://elasticsearch:9200 + FLEET_SERVER_ELASTICSEARCH_INSECURE: "true" + FLEET_SERVER_INSECURE_HTTP: "true" + KIBANA_HOST: http://kibana:5601 + KIBANA_FLEET_SETUP: "1" + KIBANA_FLEET_PASSWORD: ${{ env.ELASTICSEARCH_PASSWORD }} + ports: + - 8220:8220 + options: --restart="unless-stopped" steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -28,6 +85,31 @@ jobs: with: go-version-file: 'go.mod' cache: true + - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3 + with: + terraform_wrapper: false - name: Get dependencies run: make setup + + - name: Setup Kibana user + run: make set-kibana-password + env: + ELASTICSEARCH_PASSWORD: ${{ env.ELASTICSEARCH_PASSWORD }} + KIBANA_SYSTEM_USERNAME: ${{ env.KIBANA_SYSTEM_USERNAME }} + KIBANA_SYSTEM_PASSWORD: ${{ env.KIBANA_SYSTEM_PASSWORD }} + + - id: get-api-key + name: Get ES API key + run: |- + echo "apikey=$(make create-es-api-key | jq -r .encoded)" >> "$GITHUB_OUTPUT" + env: + ELASTICSEARCH_PASSWORD: ${{ env.ELASTICSEARCH_PASSWORD }} + + - id: setup-fleet + name: Setup Fleet + run: |- + make setup-kibana-fleet + env: + ELASTICSEARCH_PASSWORD: ${{ env.ELASTICSEARCH_PASSWORD }} + FLEET_NAME: "fleet" From 2b492aac0822a98df0603eab3474f8eb52eddfa3 Mon Sep 17 00:00:00 2001 From: Toby Brain Date: Mon, 21 Jul 2025 13:54:40 +1000 Subject: [PATCH 3/5] Top level? --- .github/workflows/copilot-setup-steps.yml | 24 +++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 82b9f45e6..b2d383da1 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml 
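Review bot: The elasticsearch `--health-cmd` runs `curl` without `--fail` and without credentials while `xpack.security.enabled: true` is set, so an HTTP 401 still exits 0 and the container is reported healthy as soon as the port answers, not when the cluster is usable. Something like `--health-cmd="curl -fsS -u elastic:password http://localhost:9200/_cluster/health"` would make the check meaningful; the kibana check also lacks `--fail`, though whether `/api/status` needs credentials is not visible here. Separately, a comment above the `env:` block such as `# Throwaway credentials for the job-local test stack; never reuse outside CI` would document why the literal `password` values and the fixed `XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY` are acceptable in a committed file.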
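Review bot: In the `get-api-key` step, `echo "apikey=$(make create-es-api-key | jq -r .encoded)"` swallows a failing `make` or a missing `.encoded` field inside the command substitution, so the step succeeds with an empty or `null` key. The key is also never registered as a secret, so a later step that prints the output would show it in the log. Suggested body: `key="$(make create-es-api-key | jq -er .encoded)"`, `echo "::add-mask::$key"`, `echo "apikey=$key" >> "$GITHUB_OUTPUT"`; with the plain assignment, jq's non-zero status stops the step under the runner's default `bash -e`. No consumer of `steps.get-api-key.outputs.apikey` is visible in this hunk, and the steps list starts outside it.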
@@ -11,27 +11,27 @@ on: paths: - .github/workflows/copilot-setup-steps.yml +env: + ELASTICSEARCH_ENDPOINTS: "http://localhost:9200" + ELASTICSEARCH_USERNAME: "elastic" + ELASTICSEARCH_PASSWORD: password + KIBANA_ENDPOINT: "http://localhost:5601" + KIBANA_USERNAME: "elastic" + KIBANA_PASSWORD: password + KIBANA_SYSTEM_USERNAME: kibana_system + KIBANA_SYSTEM_PASSWORD: password + TF_ACC: "1" + STACK_VERSION: 9.0.3 + jobs: # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot. copilot-setup-steps: runs-on: ubuntu-latest - # Set the permissions to the lowest permissions possible needed for your steps. # Copilot will be given its own token for its operations. permissions: # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete. contents: read - env: - ELASTICSEARCH_ENDPOINTS: "http://localhost:9200" - ELASTICSEARCH_USERNAME: "elastic" - ELASTICSEARCH_PASSWORD: password - KIBANA_ENDPOINT: "http://localhost:5601" - KIBANA_USERNAME: "elastic" - KIBANA_PASSWORD: password - KIBANA_SYSTEM_USERNAME: kibana_system - KIBANA_SYSTEM_PASSWORD: password - TF_ACC: "1" - STACK_VERSION: 9.0.3 services: elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch:${{ env.STACK_VERSION }} From 2d479f4e7de2b55abc8026ef5ccdddafc08c446b Mon Sep 17 00:00:00 2001 From: Toby Brain Date: Mon, 21 Jul 2025 14:07:06 +1000 Subject: [PATCH 4/5] Nope --- .github/workflows/copilot-setup-steps.yml | 29 +++++++++++------------ 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index b2d383da1..8cdf166ab 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml 
@@ -11,30 +11,29 @@ on: paths: - .github/workflows/copilot-setup-steps.yml -env: - ELASTICSEARCH_ENDPOINTS: "http://localhost:9200" - ELASTICSEARCH_USERNAME: "elastic" - ELASTICSEARCH_PASSWORD: password - KIBANA_ENDPOINT: "http://localhost:5601" - KIBANA_USERNAME: "elastic" - KIBANA_PASSWORD: password - KIBANA_SYSTEM_USERNAME: kibana_system - KIBANA_SYSTEM_PASSWORD: password - TF_ACC: "1" - STACK_VERSION: 9.0.3 - jobs: # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot. copilot-setup-steps: runs-on: ubuntu-latest + # Set the permissions to the lowest permissions possible needed for your steps. # Copilot will be given its own token for its operations. permissions: # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete. contents: read + env: + ELASTICSEARCH_ENDPOINTS: "http://localhost:9200" + ELASTICSEARCH_USERNAME: "elastic" + ELASTICSEARCH_PASSWORD: password + KIBANA_ENDPOINT: "http://localhost:5601" + KIBANA_USERNAME: "elastic" + KIBANA_PASSWORD: password + KIBANA_SYSTEM_USERNAME: kibana_system + KIBANA_SYSTEM_PASSWORD: password + TF_ACC: "1" services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:${{ env.STACK_VERSION }} + image: docker.elastic.co/elasticsearch/elasticsearch:9.0.3 env: discovery.type: single-node xpack.security.enabled: true @@ -49,7 +48,7 @@ jobs: - 9200:9200 options: --health-cmd="curl http://localhost:9200/_cluster/health" --health-interval=10s --health-timeout=5s --health-retries=10 kibana: - image: docker.elastic.co/kibana/kibana:${{ env.STACK_VERSION }} + image: docker.elastic.co/kibana/kibana:9.0.3 env: SERVER_NAME: kibana ELASTICSEARCH_HOSTS: http://elasticsearch:9200 
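Review bot: The service images are now fixed to the mutable tag `9.0.3` (the elasticsearch and kibana lines here, and the fleet line in the next hunk and in PATCH 5/5), while every `uses:` in the same file is pinned to a commit SHA. A tag can be re-pushed in the registry, so the containers that receive the `elastic` password and run beside the checkout are not held to the same integrity bar as the actions. Consider appending the digest and keeping the tag for readability, e.g. `image: docker.elastic.co/elasticsearch/elasticsearch:9.0.3@sha256:<digest>` (placeholder; take the value from the registry).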
@@ -61,7 +60,7 @@ jobs: - 5601:5601 options: --health-cmd="curl http://localhost:5601/api/status" --health-interval=10s --health-timeout=5s --health-retries=10 fleet: - image: docker.elastic.co/beats/elastic-agent:${{ env.STACK_VERSION }} + image: docker.elastic.co/beats/elastic-agent:9.0.3 env: SERVER_NAME: fleet FLEET_ENROLL: "1" From f9fa866de72dd214bb5a75b704d5ed2aa2ba2ec7 Mon Sep 17 00:00:00 2001 From: Toby Brain Date: Mon, 21 Jul 2025 14:13:10 +1000 Subject: [PATCH 5/5] Fixup elastic-agent docker image --- .github/workflows/copilot-setup-steps.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 8cdf166ab..d9b9ccac6 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -60,7 +60,7 @@ jobs: - 5601:5601 options: --health-cmd="curl http://localhost:5601/api/status" --health-interval=10s --health-timeout=5s --health-retries=10 fleet: - image: docker.elastic.co/beats/elastic-agent:9.0.3 + image: docker.elastic.co/elastic-agent/elastic-agent:9.0.3 env: SERVER_NAME: fleet FLEET_ENROLL: "1"