Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
56 commits
Select commit Hold shift + click to select a range
c6515fd
adaptive_export: production AE — streaming export + write-integrity
Jun 8, 2026
390ee45
adaptive_export: ADAPTIVE_PASSTHROUGH firehose loop
entlein Jun 8, 2026
9535139
ci: dx-image workflow — build + publish dx-daemon to ghcr
entlein Jun 9, 2026
4ab9d07
Revert ci: dx-image workflow — wrong repo
entlein Jun 9, 2026
6139e3b
adaptive_export: unit-normalize trigger watermark cursor + load-test …
Jun 16, 2026
fd80e5f
e2e_test/adaptive_export_loadtest: AE fixture-isolation load-test har…
Jun 16, 2026
1001f6d
e2e_test/adaptive_export_loadtest: document AE implied contracts (C1-…
Jun 16, 2026
4e62453
adaptive_export_loadtest: C15 write-duration contract + DX-steering d…
Jun 16, 2026
746421f
adaptive_export/trigger: update test SQL substrings for multiIf norma…
entlein Jun 16, 2026
808a3ea
adaptive_export_loadtest: exp_control uses real now_s event_time (no …
Jun 16, 2026
9798a69
adaptive_export: ADAPTIVE_RECONCILE per-pull write-fidelity instrument
Jun 17, 2026
519bff5
harness: exp_pipeline_reconcile — skip empty-key rows (0 rows != LOSS 1)
Jun 17, 2026
3f6f409
harness: log4shell_fire.sh — reliably fire + restart the log4j-chain …
Jun 17, 2026
239e032
harness: log4shell_fire.sh — detection-signal framing (Cyber Verifica…
Jun 17, 2026
10ad397
adaptive_export(passthrough): precompiled + concurrent firehose, drop…
Jun 17, 2026
f4fe5c4
adaptive_export: bazel BUILD deps for internal/reconcile + pxl compil…
Jun 17, 2026
ee2dcfb
adaptive_export(pxl): raise Pixie 10k result cap via #px:set query flag
Jun 17, 2026
0fa7eb8
adaptive_export/sink: content_type silent-drop contract suite
entlein Jun 9, 2026
1102ce5
adaptive_export_loadtest: DX-steered-vs-ALL datavolume reduction harness
Jun 17, 2026
fed1c6e
adaptive_export_loadtest: deep AE NFR benchmark harness
Jun 18, 2026
7532c87
adaptive_export_loadtest: fix DX-reduction dead-arm (clear stale stee…
Jun 18, 2026
0094ec7
nfr harness: fix lag (dateDiff) + drop racy broker-pct completeness
Jun 18, 2026
e59180a
dx-reduction harness: report ROWS reduction (primary) + bytes (second…
Jun 18, 2026
84eac90
ae deployment: add memory limit (1Gi) + raise cpu limit to 1 core
Jun 18, 2026
00aeaf3
ae bootstrap: separate the secret from the re-applied infra bundle
Jun 18, 2026
d8192aa
dx-reduction harness: fire BOTH attack stages so DX steers the backend
Jun 18, 2026
61ef494
adaptive_export: rename whitelist→allowlist across streaming path + a…
Jun 18, 2026
9feda72
ae(clickhouse): create forensic_db.dx_attack_graph at boot
Jun 18, 2026
2c7cfcf
ae(clickhouse): dx_attack_graph numeric cols Int64/Float64 (px-readable)
Jun 18, 2026
48b100e
adaptive_export(streaming): add #px:set max_output_rows cap flag to s…
Jun 18, 2026
8e7f1c6
ae(clickhouse): create dx_attack_graph_malicious view at boot
Jun 19, 2026
39a2f12
ae(control): /dx/attack_graph ingest endpoint -> ClickHouse
Jun 19, 2026
3b1d484
adaptive_export: convention pass — consolidate CH HTTP, drop dead cod…
entlein Jun 20, 2026
e9c1331
adaptive_export: restore executable bits on harness scripts (post-hea…
entlein Jun 20, 2026
15ee7a3
adaptive_export: lint pass + restore @px load prefix in cmd/BUILD.bazel
entlein Jun 20, 2026
31febbe
adaptive_export: address user review #2 #4 #6 + 4 outstanding CodeRab…
entlein Jun 20, 2026
fdfb451
test(harness): consolidate to one run-picture + e2e CI workflow
Jun 21, 2026
dc644c3
revert(bazel): drop stray buildifier attribute-reorder in stirling co…
Jun 21, 2026
fcab916
ci: fix run-genfiles + run-container-lint on PR 53
entlein Jun 21, 2026
3094068
ci: apply gazelle's actual kwarg order to stirling container_images
entlein Jun 21, 2026
19e84ad
ci: fix container-lint Errors on e2e workflow + new harness scripts
entlein Jun 21, 2026
e0a19dd
ci: silence 6 SHELLCHECK Warnings to clear container-lint exit code
entlein Jun 21, 2026
e6a6237
feat(ae-control): bearer-JWT auth + input validation (CodeRabbit foll…
Jun 21, 2026
714c1fb
fix(ae): remaining CodeRabbit Majors (#53 followup)
Jun 21, 2026
dfdc465
fix(ae-trigger): escape a PollLimit-saturated watermark boundary (fro…
Jun 22, 2026
decf2ae
feat(ae-control): TLS on the control surface (CONTROL_TLS) (#71)
entlein Jun 23, 2026
0c65751
Merge remote-tracking branch 'origin/main' into ae-followup-auth
Jun 23, 2026
e187dc3
test(ae-trigger): differential oracle vs naive reference (incremental…
entlein Jun 24, 2026
0fd9c3f
ci: fix vizier-release Build Release runner label (oracle-16cpu → ora…
entlein Jun 24, 2026
cb81ecd
ci: fix merge-conflict regressions from main pickup (runner labels, u…
entlein Jun 24, 2026
c2642da
fix(ae): address 13 CodeRabbit Go-code findings on PR 68
entlein Jun 24, 2026
7f43c51
ci: carve out private/cockpit + terraform/credentials/cockpit from fi…
entlein Jun 24, 2026
c579e48
Revert "ci: carve out private/cockpit + terraform/credentials/cockpit…
entlein Jun 24, 2026
d94624a
ci: rename private/{cockpit,skaffold_cloud.yaml} so filename-linter a…
entlein Jun 24, 2026
ae41131
terraform: drop fork IaC from PR 68 — belongs on main, not this PR
Jun 28, 2026
6d10b07
fork-infra: drop cockpit, .sops.yaml, e2e workflow from PR 68
Jun 28, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .arclint
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
"(^private\/credentials\/.*\\.yaml)",
"(^src/operator/client/versioned/)",
"(^src/operator/apis/px.dev/v1alpha1/zz_generated.deepcopy.go)",
"(^src/e2e_test/adaptive_export_loadtest/tools/loadgen/)",
"(^src/stirling/bpf_tools/bcc_bpf/system-headers)",
"(^src/stirling/mysql/testing/.*\\.json$)",
"(^src/stirling/obj_tools/testdata/go/test_go_binary.go)",
Expand Down
4 changes: 4 additions & 0 deletions .bazelignore
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,7 @@ third_party/threadstacks
tools/chef/nodes
# To keep third party dependencies separate, privy is intentional setup as a separate bazel workspace
src/datagen/pii/privy

# adaptive_export_loadtest generator is a docker-built test tool (see its README);
# build-agent to replace with a bazel target. Until then, keep it out of gazelle.
src/e2e_test/adaptive_export_loadtest/tools/loadgen
4 changes: 2 additions & 2 deletions .github/workflows/cli_release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
image-base-name: "dev_image_with_extras"
build-release:
name: Build Release
runs-on: oracle-16cpu-64gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
needs: get-dev-image
permissions:
contents: read
Expand Down Expand Up @@ -209,7 +209,7 @@ jobs:
update-gh-artifacts-manifest:
if: |
always() && needs.create-github-release.result == 'success'
runs-on: oracle-8cpu-32gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
needs: [get-dev-image, create-github-release]
container:
image: ${{ needs.get-dev-image.outputs.image-with-tag }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/cloud_release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
image-base-name: "dev_image_with_extras"
build-release:
name: Build Release
runs-on: oracle-16cpu-64gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
needs: get-dev-image
permissions:
contents: read
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/mirror_demos.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ jobs:
permissions:
contents: read
packages: write
runs-on: oracle-16cpu-64gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Keep actionlint’s custom runner labels in sync.

This rename looks intentional, but Line 12 will keep failing workflow lint until the custom self-hosted label list is updated alongside it. The same oracle-vm-16cpu-64gb-x86-64 label is already referenced elsewhere, so the root cause is the shared actionlint config, not this job definition.

🧰 Tools
🪛 actionlint (1.7.12)

[error] 12-12: label "oracle-vm-16cpu-64gb-x86-64" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-intel", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/mirror_demos.yaml at line 12, The workflow job’s custom
runner label was renamed to oracle-vm-16cpu-64gb-x86-64, but actionlint will
still fail until the shared custom runner label list is updated to match. Update
the actionlint configuration that defines allowed self-hosted labels so it
includes the new label used by the workflow’s runs-on entry, keeping both
references in sync.

Source: Linters/SAST tools

steps:
- uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v2
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/mirror_deps.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ jobs:
permissions:
contents: read
packages: write
runs-on: oracle-16cpu-64gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
steps:
- uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v2
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/mirror_releases.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
permissions:
contents: read
packages: write
runs-on: oracle-16cpu-64gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
steps:
- uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v2
with:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/operator_release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
image-base-name: "dev_image_with_extras"
build-release:
name: Build Release
runs-on: oracle-16cpu-64gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
needs: get-dev-image
permissions:
contents: read
Expand Down Expand Up @@ -140,7 +140,7 @@ jobs:
git commit -s -m "Release Helm chart ${VERSION}"
git push origin "gh-pages"
update-gh-artifacts-manifest:
runs-on: oracle-8cpu-32gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
needs: [get-dev-image, create-github-release]
container:
image: ${{ needs.get-dev-image.outputs.image-with-tag }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/perf_common.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ jobs:
ref: ${{ inputs.ref }}
generate-perf-matrix:
needs: get-dev-image-with-extras
runs-on: oracle-16cpu-64gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
container:
image: ${{ needs.get-dev-image-with-extras.outputs.image-with-tag }}
outputs:
Expand All @@ -57,7 +57,7 @@ jobs:
echo "matrix=${matrix}" >> $GITHUB_OUTPUT
run-perf-eval:
needs: [get-dev-image-with-extras, generate-perf-matrix]
runs-on: oracle-16cpu-64gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
container:
image: ${{ needs.get-dev-image-with-extras.outputs.image-with-tag }}
strategy:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/vizier_release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
image-base-name: "dev_image_with_extras"
build-release:
name: Build Release
runs-on: oracle-16cpu-64gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
needs: get-dev-image
permissions:
contents: read
Expand Down Expand Up @@ -140,7 +140,7 @@ jobs:
git commit -s -m "Release Helm chart Vizier ${VERSION}"
git push origin "gh-pages"
update-gh-artifacts-manifest:
runs-on: oracle-8cpu-32gb-x86-64
runs-on: oracle-vm-16cpu-64gb-x86-64
needs: [get-dev-image, create-github-release]
container:
image: ${{ needs.get-dev-image.outputs.image-with-tag }}
Expand Down
13 changes: 9 additions & 4 deletions bazel/ui.bzl
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,11 @@
# This file contains rules for for our UI builds.

ui_shared_cmds_start = [
"set -x",
'export BASE_PATH="$(pwd)"',
"export PATH=/usr/local/bin:/opt/px_dev/tools/node/bin:$PATH",
'export HOME="$(mktemp -d)"', # This makes node-gyp happy.
"export PATH=/opt/px_dev/tools/node/bin:/usr/local/bin:$PATH",
"hash -r",
'export HOME="$(mktemp -d)"',
'export TMPPATH="$(mktemp -d)"',
]

Expand Down Expand Up @@ -49,6 +51,7 @@ def _pl_webpack_deps_impl(ctx):
execution_requirements = {tag: "" for tag in ctx.attr.tags},
outputs = [out],
command = " && ".join(cmd),
use_default_shell_env = True,
progress_message =
"Generating webpack deps %s" % out.short_path,
)
Expand All @@ -72,8 +75,8 @@ def _pl_webpack_library_impl(ctx):
# and apply it to the environment here. Hopefully,
# no special characters/spaces/quotes in the results ...
env_cmds = [
'$(sed -E "s/^([A-Za-z_]+)\\s*(.*)/export \\1=\\2/g" "{}")'.format(ctx.info_file.path),
'$(sed -E "s/^([A-Za-z_]+)\\s*(.*)/export \\1=\\2/g" "{}")'.format(ctx.version_file.path),
'$(sed -E -n "s/^(STABLE_BUILD_TAG|BUILD_TIMESTAMP)\\s+(.*)/export \\1=\\2/p" "{}")'.format(ctx.info_file.path),
'$(sed -E -n "s/^(STABLE_BUILD_TAG|BUILD_TIMESTAMP)\\s+(.*)/export \\1=\\2/p" "{}")'.format(ctx.version_file.path),
Comment on lines +78 to +79

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate the file and inspect the relevant section with line numbers.
git ls-files | rg '^bazel/ui\.bzl$'
wc -l bazel/ui.bzl
sed -n '1,170p' bazel/ui.bzl | cat -n

Repository: k8sstormcenter/pixie

Length of output: 7423


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Search for the exact sed snippets and any related command construction.
rg -n 'STABLE_BUILD_TAG|BUILD_TIMESTAMP|sed -E -n|yarn build_prod|&&' bazel/ui.bzl . -g '!**/node_modules/**'

Repository: k8sstormcenter/pixie

Length of output: 50377


Guard the stamp exports against missing keys
At bazel/ui.bzl:78-79, a missing key makes the leading $(sed ...) disappear and breaks the &&-joined shell script before yarn build_prod runs. Wrap each expansion in eval "$(sed ...)" or another no-op-safe form.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bazel/ui.bzl` around lines 78 - 79, Guard the stamp export logic in the shell
command built by the `ui` rule so missing `STABLE_BUILD_TAG` or
`BUILD_TIMESTAMP` entries do not remove the leading command and break the `&&`
chain before `yarn build_prod`. Update the two `sed` expansions that reference
`ctx.info_file.path` and `ctx.version_file.path` to a no-op-safe form, such as
wrapping each in `eval "$(sed ...)"`, so the command still succeeds when a key
is absent.

]
all_files.append(ctx.info_file)
all_files.append(ctx.version_file)
Expand All @@ -95,6 +98,7 @@ def _pl_webpack_library_impl(ctx):
execution_requirements = {tag: "" for tag in ctx.attr.tags},
outputs = [out],
command = " && ".join(cmd),
use_default_shell_env = True,
progress_message =
"Generating webpack bundle %s" % out.short_path,
)
Expand Down Expand Up @@ -170,6 +174,7 @@ def _pl_deps_licenses_impl(ctx):
execution_requirements = {tag: "" for tag in ctx.attr.tags},
outputs = [out],
command = " && ".join(cmd),
use_default_shell_env = True,
progress_message =
"Generating licenses %s" % out.short_path,
)
Expand Down
11 changes: 11 additions & 0 deletions k8s/vizier/bootstrap/adaptive_export_deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -88,13 +88,24 @@ spec:
# value: "changeme-ingest"
# - name: CLICKHOUSE_DATABASE
# value: "forensic_db"
# TLS for the control surface (CONTROL_TLS=true). server.crt/key from the
# same service-tls-certs secret the broker/PEM use; without this the dx
# bearer JWT crosses the CNI in cleartext. Harmless when control is off.
volumeMounts:
- name: certs
mountPath: /certs
readOnly: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumes:
- name: certs
secret:
secretName: service-tls-certs
securityContext:
runAsUser: 10100
runAsGroup: 10100
Expand Down
74 changes: 2 additions & 72 deletions skaffold/skaffold_cloud.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@
.common_bazel_args: &common_bazel_args
- --compilation_mode=opt
- --config=stamp
- --action_env=GOOGLE_APPLICATION_CREDENTIALS
- --config=x86_64_sysroot
apiVersion: skaffold/v4beta1
kind: Config
Expand Down Expand Up @@ -77,78 +76,9 @@ manifests:
paths:
- k8s/cloud/dev
profiles:
- name: minikube
activation:
- kubeContext: minikube
patches:
- op: replace
path: /build/local
value:
push: false
- name: dev
activation:
- command: dev
patches:
- op: add
path: /build/artifacts/context=./bazel/args
value:
- --compilation_mode=dbg
- name: ory_auth
patches:
- op: replace
path: /manifests/kustomize/paths
value:
- k8s/cloud/dev
- k8s/cloud/dev/ory_auth
- op: add
path: /build/artifacts/context=./bazel/args
value:
- --compilation_mode=dbg
- name: ory_auth_prod
patches:
- op: add
path: /manifests/kustomize/paths
value:
- k8s/cloud/base/ory_auth
- name: staging
activation:
- env: PL_BUILD_TYPE=staging
patches:
- op: add
path: /build/artifacts/context=./bazel/args
value:
*common_bazel_args
- op: replace
path: /manifests/kustomize/paths
value:
- k8s/cloud/staging
- name: testing
activation:
- env: PL_BUILD_TYPE=testing
patches:
- op: add
path: /build/artifacts/context=./bazel/args
value:
*common_bazel_args
- op: replace
path: /manifests/kustomize/paths
value:
- k8s/cloud/testing
- name: prod
activation:
- env: PL_BUILD_TYPE=prod
patches:
- op: add
path: /build/artifacts/context=./bazel/args
value:
*common_bazel_args
- op: replace
path: /manifests/kustomize/paths
value:
- k8s/cloud/prod
- name: public
- name: cockpit
patches:
- op: replace
path: /manifests/kustomize/paths
value:
- k8s/cloud/public/base
- cockpit
14 changes: 14 additions & 0 deletions src/api/go/pxapi/opts.go
Original file line number Diff line number Diff line change
Expand Up @@ -82,3 +82,17 @@ func WithDirectCredsInsecure() ClientOption {
c.insecureDirect = true
}
}

// WithDirectTLSSkipVerify is the secure-by-default option for direct (standalone /
// node-local PEM) connections: the transport IS TLS-encrypted, but the server cert
// is not chain/hostname-verified. Use this instead of WithDirectCredsInsecure when
// the direct endpoint serves TLS with a self-signed / service cert whose SAN does
// not match the node IP (e.g. vizier-pem's direct-query port served with
// service-tls-certs, dialed at HOST_IP). Unlike WithDisableTLSVerification it does
// NOT require a "cluster.local" address, so it works for the node-IP direct dial.
// Bearer creds (the minted JWT) therefore ride an encrypted channel, never plaintext.
func WithDirectTLSSkipVerify() ClientOption {
return func(c *Client) {
c.disableTLSVerification = true
}
}
Loading
Loading