-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SIEM] Executes security application cypress tests on every PR #73939
Conversation
Pinging @elastic/siem (Team:SIEM) |
} | ||
}, | ||
|
||
'xpack-securitySolutionCypress': kibanaPipeline.functionalTestProcess('xpack-securitySolutionCypress', './test/scripts/jenkins_security_solution_cypress.sh'), | ||
// 'xpack-visualRegression': kibanaPipeline.functionalTestProcess('xpack-visualRegression', './test/scripts/jenkins_xpack_visual_regression.sh'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would remove the commented out block below (I know it's not part of this PR but just saying) ... or put a comment above it about why it is commented out and important to keep around as a reminder.
Generally we just delete commented out things or remove them as we can use git history to find older information.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! I think as we depend on other teams we should run our tests on every PR.
I believe one of the reasons for only running these tests on security changes was due to the stability of the tests. Lately, it seems most of the failures are caused by other changes which would have been addressed if they were ran on those pull requests. @spalger @brianseeders, do either of you have issues running these on all PR's? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The problem I have with this is that the cypress tests don't have a standard debugging experience so everyone on the team needs to be educated on how to debug these tests if we start running them on every PR. This was part of the cost of doing something unique that we described.
I think we need to move these tests off of cypress and start using the unified functional testing approach so that people can debug these tests when they fail and so Operations can properly track them.
If we do decide to continue with Cypress for these tests:
|
I disagree that writing some documentation and fixing the reporting is sufficient here. I think adding a wildly different test environment that everyone could potentially have to debug and fix tests in is a too high a cost for the supposed benefits here. |
If SIEM is going to test parts of their application that integrate with the rest of Kibana and therefore require that the tests are run on every PR we should write them with the shared testing tools. @MadameSheema you don't need to rewrite all of the tests using the FTR today, just move over the tests that integrate with other parts of Kibana so we can start to get coverage of the SIEM app running on every PR. |
Out of curiosity, do you have an example of a change outside of security solution that broke your tests? We would love to get to a point where we don't need to run all test suites for all PRs, so it would be nice to see a concrete example of something that's keeping us from doing so, so we can think about what to do with it in the future. If developers are able to understand and take action on failures, I'm okay with enabling the tests for PRs. If every failure is going to lead to confusion and questions, we should make the experience a little better before turning it on. I don't know how the experience currently is, I'm just saying it should be at least on par with the experience of handling any other test failures |
💚 Build SucceededBuild metrics
To update your PR or re-run it, just comment with: |
I think I have found three of the more recent examples where our tests failed due to changes made outside of the security solution plugin. I'm sure there are more examples, but I feel these are enough to provide evidence in support of some amount / all of security solution cypress tests to be run outside of changes made directly in the security solution plugin:
|
Not saying it's sufficient, just another blocker to this effort. |
Once, I've experienced a hard time running APM Cypress functional tests locally, so gave up eventually and pinged the owner to help to debug the problem. Not sure the approach with custom tooling is scalable for the Kibana team size.
The Security solutions plugin has dependencies on other plugins + the Kibana platform. kibana/x-pack/plugins/security_solution/kibana.json Lines 7 to 31 in 85e5c27
Why not run these tests on any change in a dependency tree? Thanks to the Kibana plugin system, we have all the deps declared. We only need to write a script to traverse the deps tree for a plugin. Or we can even extend the platform API with this functionality. |
@spalger we don't want to be a blocker or make things harder for other teams, this is why I'm talking with my the team to see how to proceed with this, unfortunately right now we don't have the available bandwith to start with the migration. For now, it is possible to run the tests for all the PRs but allow other teams to merge the code although something from our side fails? Just block it for security. If you consider that we can generate too much noise, at least with for all the dependencies? That would be really helpful for us to start to investigate issues asap as soon as something fails and we will not block other people. What do you think? |
How about we setup an hourly job that runs the security suite until the security team can find the time to move their tests to the common structure and the FTR?
No, sorry, I don't think there isn't any way to only require a check for the security team that wouldn't cause a bunch of false negative reporting and decrease the usefulness/trustworthiness of CI or require a ton of changes to the reporting mechanisms we have in place. |
Sounds good :) Do you have any example we can use as a starting point? |
I'm working on creating the job now |
Thanks! :) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
We have faced some situations where our tests were failing because other teams introduced bugs in our application making our tests fails and blocking us or blocking other teams modifying/working on our source code.
Lately our failing tests have been for that reason, in order to avoid this, we want to execute or tests on every PR.