adaptive_export: production AE — streaming export + write-integrity

Author: Entlein

.github/workflows/vizier_release.yaml

@@ -15,7 +15,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
   build-release:
     name: Build Release
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     needs: get-dev-image
     permissions:
       contents: read
@@ -140,7 +140,7 @@ jobs:
         git commit -s -m "Release Helm chart Vizier ${VERSION}"
         git push origin "gh-pages"
   update-gh-artifacts-manifest:
-    runs-on: oracle-8cpu-32gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     needs: [get-dev-image, create-github-release]
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}

.gitmodules

@@ -36,8 +36,8 @@ build:
     bazel:
       target: //src/vizier/services/cloud_connector:cloud_connector_server_image.tar
       args:
-        - --config=x86_64_sysroot
-        - --compilation_mode=opt
+      - --config=x86_64_sysroot
+      - --compilation_mode=opt
   - image: vizier-cert_provisioner_image
     context: .
     bazel:

skaffold/skaffold_vizier.yaml

@@ -82,3 +82,17 @@ func WithDirectCredsInsecure() ClientOption {
 		c.insecureDirect = true
 	}
 }
+
+// WithDirectTLSSkipVerify is the secure-by-default option for direct (standalone /
+// node-local PEM) connections: the transport IS TLS-encrypted, but the server cert
+// is not chain/hostname-verified. Use this instead of WithDirectCredsInsecure when
+// the direct endpoint serves TLS with a self-signed / service cert whose SAN does
+// not match the node IP (e.g. vizier-pem's direct-query port served with
+// service-tls-certs, dialed at HOST_IP). Unlike WithDisableTLSVerification it does
+// NOT require a "cluster.local" address, so it works for the node-IP direct dial.
+// Bearer creds (the minted JWT) therefore ride an encrypted channel, never plaintext.
+func WithDirectTLSSkipVerify() ClientOption {
+	return func(c *Client) {
+		c.disableTLSVerification = true
+	}
+}

src/api/go/pxapi/opts.go

@@ -24,29 +24,29 @@ package(default_visibility = [
 
 # Generate all Go container library permutations for supported Go versions.
 go_container_libraries(
-    container_type = "grpc_server",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "grpc_server",
     prebuilt_container_versions = pl_go_test_versions,
 )
 
 # Stirling test cases usually test server side tracing. Therefore
 # we only need to provide the bazel SDK versions for the client containers.
 go_container_libraries(
-    container_type = "grpc_client",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "grpc_client",
 )
 
 go_container_libraries(
-    container_type = "tls_server",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "tls_server",
     prebuilt_container_versions = pl_go_test_versions,
 )
 
 # Stirling test cases usually test server side tracing. Therefore
 # we only need to provide the bazel SDK versions for the client containers.
 go_container_libraries(
-    container_type = "tls_client",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "tls_client",
 )
 
 pl_cc_test_library(

src/stirling/source_connectors/socket_tracer/testing/container_images/BUILD.bazel

@@ -14,6 +14,8 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
+load("@io_bazel_rules_docker//container:container.bzl", "container_bundle")
+load("@io_bazel_rules_docker//contrib:push-all.bzl", "container_push")
 load("//bazel:pl_build_system.bzl", "pl_go_image")
 
 pl_go_image(
@@ -24,3 +26,27 @@ pl_go_image(
         "//src/vizier:__subpackages__",
     ],
 )
+
+# Single-image bundle + push targets — same shape as
+# //k8s/vizier:image_bundle / vizier_images_push, but scoped to ONLY
+# the adaptive_export image so the SBOB PoC can rebuild this one
+# component without rebuilding kelvin / pem / metadata. Consumed by
+# .github/workflows/adaptive_export_image.yaml via
+# `bazel run :adaptive_export_image_push` with the standard
+# --//k8s:image_repository / --//k8s:image_version overrides.
+container_bundle(
+    name = "adaptive_export_image_bundle",
+    images = {
+        "$(IMAGE_PREFIX)/vizier-adaptive_export_image:$(BUNDLE_VERSION)": ":adaptive_export_image",
+    },
+    toolchains = [
+        "//k8s:image_prefix",
+        "//k8s:bundle_version",
+    ],
+)
+
+container_push(
+    name = "adaptive_export_image_push",
+    bundle = ":adaptive_export_image_bundle",
+    format = "Docker",
+)

src/vizier/services/adaptive_export/BUILD.bazel

@@ -24,10 +24,18 @@ go_library(
     visibility = ["//visibility:private"],
     deps = [
         "//src/api/go/pxapi",
+        "//src/vizier/services/adaptive_export/internal/activeset",
+        "//src/vizier/services/adaptive_export/internal/clickhouse",
         "//src/vizier/services/adaptive_export/internal/config",
+        "//src/vizier/services/adaptive_export/internal/control",
+        "//src/vizier/services/adaptive_export/internal/controller",
         "//src/vizier/services/adaptive_export/internal/pixie",
+        "//src/vizier/services/adaptive_export/internal/pixieapi",
         "//src/vizier/services/adaptive_export/internal/pxl",
         "//src/vizier/services/adaptive_export/internal/script",
+        "//src/vizier/services/adaptive_export/internal/sink",
+        "//src/vizier/services/adaptive_export/internal/streaming",
+        "//src/vizier/services/adaptive_export/internal/trigger",
         "@com_github_sirupsen_logrus//:logrus",
     ],
 )