pixie-io · ddelnano · Jul 2, 2025 · Jun 10, 2025 · Jun 10, 2025 · Jun 16, 2025
@@ -32,9 +32,6 @@ go_library(
     importpath = "px.dev/pixie/src/stirling/testing/demo_apps/go_grpc_tls_pl/server",
     deps = [
         "//src/stirling/testing/demo_apps/go_grpc_tls_pl/server/greetpb:service_pl_go_proto",
-        "@com_github_sirupsen_logrus//:logrus",
-        "@com_github_spf13_pflag//:pflag",
-        "@com_github_spf13_viper//:viper",
         "@org_golang_google_grpc//:grpc",
         "@org_golang_x_net//http2",
         "@org_golang_x_net//http2/h2c",

@@ -0,0 +1,70 @@
+# Copyright 2018- The Pixie Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+ARG GO_IMAGE_DIGEST
+FROM alpine:3.20@sha256:de4fe7064d8f98419ea6b49190df1abbf43450c1702eeb864fe9ced453c1cc5f AS certs
+
+RUN apk add --no-cache openssl
+
+WORKDIR /tmp/certs
+
+# Generate CA key and cert
+RUN openssl ecparam -genkey -name secp384r1 -out ca.key && \
+    openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
+        -subj "/C=US/ST=California/L=San Francisco/O=Pixie Labs Inc./CN=Pixie CA" \
+        -out ca.crt
+
+# Generate server key
+RUN openssl ecparam -genkey -name secp384r1 -out server.key
+
+# Generate server CSR
+RUN openssl req -new -key server.key \
+        -subj "/C=US/ST=California/L=San Francisco/O=Pixie Labs Inc./CN=127.0.0.1" \
+        -out server.csr
+
+# Create server cert config with SAN and extensions
+RUN echo "subjectAltName=IP:127.0.0.1" > server.ext && \
+    echo "basicConstraints=CA:FALSE" >> server.ext && \
+    echo "keyUsage = digitalSignature, keyEncipherment" >> server.ext && \
+    echo "extendedKeyUsage = serverAuth" >> server.ext
+
+# Sign server CSR with CA
+RUN openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
+        -out server.crt -days 365 -sha256 -extfile server.ext
+
+FROM golang:${GO_IMAGE_DIGEST} as build
+
+ARG GOOGLE_GOLANG_GRPC
+
+WORKDIR /app
+
+# Copy source and build
+COPY server.go .
+COPY greetpb greetpb
+RUN go mod init px.dev/pixie/src/stirling/testing/demo_apps/go_grpc_tls_pl/server && \
+    go get google.golang.org/grpc@${GOOGLE_GOLANG_GRPC} && \
+    go get github.com/gogo/protobuf/proto && \
+    go mod tidy
+RUN CGO_ENABLED=0 go build -o server .
+
+FROM scratch
+COPY --from=certs /tmp/certs/ca.crt /etc/ssl/ca.crt
+COPY --from=certs /tmp/certs/server.crt /etc/ssl/server.crt
+COPY --from=certs /tmp/certs/server.key /etc/ssl/server.key
+COPY --from=build /app/server /app/server
+
+ENTRYPOINT ["/app/server"]
+CMD ["--server_tls_cert", "/etc/ssl/server.crt", "--server_tls_key", "/etc/ssl/server.key", "--tls_ca_cert", "/etc/ssl/ca.crt"]
@@ -0,0 +1,9 @@
+# Go GRPC and HTTP2 server for testing HTTP2/GRPC traicing
+
+This directory contains a Go grpc and http2 server for testing Pixie's Go http2 and grpc tracing. This application is built through bazel and by the `update_ghcr.sh` script contained in this directory. The reason for this is that as Go versions fall out of support, maintaining these in our bazel build hinders our ability to upgrade our go deps and to upgrade Pixie's Go version.
+
+In addition to this, Pixie's upcoming opentelemetry-go-instrumentation offsetgen based tracing requires building binaries with Go's toolchain until https://github.com/bazel-contrib/rules_go/issues/3090 is resolved.
+
+As new Go versions are released, the out of support versions should be removed from bazel and added to the `update_ghcr.sh` script in this directory. This will allow our builds to maintain test coverage for older Go versions without complicating our ability to upgrade Pixie's Go version and dependencies.
+
+Run `update_ghcr.sh` in this directory to push the images for each Go version to the ghcr.io repo.
@@ -22,16 +22,15 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"flag"
+	"log"
 	"net"
 	"net/http"
 	"os"
 	"os/signal"
 	"syscall"
 	"time"
 
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/pflag"
-	"github.com/spf13/viper"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
 	"google.golang.org/grpc"
@@ -52,21 +51,20 @@ func (s *Server) SayHello(ctx context.Context, in *greetpb.HelloRequest) (*greet
 }
 
 func main() {
-	pflag.String("server_tls_cert", "", "Path to server.crt")
-	pflag.String("server_tls_key", "", "Path to server.key")
-	pflag.String("tls_ca_cert", "", "Path to ca.crt")
-	pflag.Parse()
-	viper.BindPFlags(pflag.CommandLine)
+	serverCert := flag.String("server_tls_cert", "", "Path to server.crt")
+	serverKey := flag.String("server_tls_key", "", "Path to server.key")
+	caCert := flag.String("tls_ca_cert", "", "Path to ca.crt")
+	flag.Parse()
 
-	pair, err := tls.LoadX509KeyPair(viper.GetString("server_tls_cert"), viper.GetString("server_tls_key"))
+	pair, err := tls.LoadX509KeyPair(*serverCert, *serverKey)
 	if err != nil {
-		log.WithError(err).Fatal("failed to load keys")
+		log.Fatalf("failed to load keys: %v", err)
 	}
 
 	certPool := x509.NewCertPool()
-	ca, err := os.ReadFile(viper.GetString("tls_ca_cert"))
+	ca, err := os.ReadFile(*caCert)
 	if err != nil {
-		log.WithError(err).Fatal("failed to read CA cert")
+		log.Fatalf("failed to read CA cert: %v", err)
 	}
 
 	if ok := certPool.AppendCertsFromPEM(ca); !ok {
@@ -114,6 +112,6 @@ func main() {
 	defer cancel()
 	err = httpServer.Shutdown(ctx)
 	if err != nil {
-		log.WithError(err).Error("http2 server Shutdown() failed")
+		log.Fatal("http2 server Shutdown() failed")
 	}
 }
@@ -0,0 +1,46 @@
+#!/bin/bash -e
+
+# Copyright 2018- The Pixie Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+declare -A GO_IMAGE_DIGEST_MAP=(
+  ["1.18-alpine@sha256:77f25981bd57e60a510165f3be89c901aec90453fd0f1c5a45691f6cb1528807"]="v1.57.2"
+  ["1.19-alpine@sha256:0ec0646e208ea58e5d29e558e39f2e59fccf39b7bda306cb53bbaff91919eca5"]="v1.58.3"
+  ["1.20-alpine@sha256:e47f121850f4e276b2b210c56df3fda9191278dd84a3a442bfe0b09934462a8f"]="v1.58.3"
+  ["1.21-alpine@sha256:2414035b086e3c42b99654c8b26e6f5b1b1598080d65fd03c7f499552ff4dc94"]="v1.58.3"
+  ["1.22-alpine@sha256:1699c10032ca2582ec89a24a1312d986a3f094aed3d5c1147b19880afe40e052"]="v1.58.3"
+)
+version=1.0
+
+IMAGES=()
+
+for go_image_digest in "${!GO_IMAGE_DIGEST_MAP[@]}"; do
+  tag="ghcr.io/pixie-io/golang_${go_image_digest//./_}_grpc_server_with_buildinfo:$version"
+  google_golang_grpc=${GO_IMAGE_DIGEST_MAP[$go_image_digest]}
+  echo "Building and pushing image: $tag"
+  docker build . --build-arg GO_IMAGE_DIGEST="${go_image_digest}" --build-arg GOOGLE_GOLANG_GRPC="${google_golang_grpc}" -t "${tag}"
+  docker push "${tag}"
+  sha=$(docker inspect --format='{{index .RepoDigests 0}}' "${tag}" | cut -f2 -d'@')
+  IMAGES+=("${tag}@${sha}")
+done
+
+echo ""
+echo "Images pushed!"
+echo "IMPORTANT: Now update //bazel/container_images.bzl with the following digest: $sha"
+echo "Images:"
+for image in "${IMAGES[@]}"; do
+  echo "  - $image"
+done
@@ -25,8 +25,7 @@ go_library(
     srcs = ["https_server.go"],
     importpath = "px.dev/pixie/src/stirling/testing/demo_apps/go_https/server",
     deps = [
-        "@com_github_spf13_pflag//:pflag",
-        "@com_github_spf13_viper//:viper",
+        "@org_golang_x_net//http2",
     ],
 )
 

@@ -0,0 +1,52 @@
+# Copyright 2018- The Pixie Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+ARG GO_IMAGE_DIGEST
+FROM alpine:3.20@sha256:de4fe7064d8f98419ea6b49190df1abbf43450c1702eeb864fe9ced453c1cc5f AS certs
+
+RUN apk add --no-cache openssl
+
+WORKDIR /tmp/certs
+
+# Generate private key
+RUN openssl ecparam -genkey -name secp384r1 -out server.key && \
+    openssl req -new -x509 -sha256 \
+        -key server.key \
+        -subj "/C=US/ST=California/L=San Francisco/O=Pixie Labs Inc./CN=127.0.0.1:50101" \
+        -out server.crt \
+        -days 365
+
+# Stage 2: Build Go app and include certs
+FROM golang:${GO_IMAGE_DIGEST} as build
+
+ARG GOLANG_X_NET
+
+WORKDIR /app
+
+# Copy source and build
+COPY https_server.go .
+RUN go mod init https_server && \
+    go get golang.org/x/net@${GOLANG_X_NET} && \
+    go mod tidy
+RUN CGO_ENABLED=0 go build -o https_server .
+
+FROM scratch
+COPY --from=build /app /app
+COPY --from=certs /tmp/certs/server.crt /etc/ssl/server.crt
+COPY --from=certs /tmp/certs/server.key /etc/ssl/server.key
+
+ENTRYPOINT ["/app/https_server"]
+CMD ["--cert", "/etc/ssl/server.crt", "--key", "/etc/ssl/server.key"]
@@ -0,0 +1,9 @@
+# Go HTTPS server for testing Go TLS tracing
+
+This directory contains a Go HTTPS server for testing Pixie's Go TLS tracing capabilities. This application is built through bazel and by the `update_ghcr.sh` script contained in this directory. The reason for this is that as Go versions fall out of support, maintaining these in our bazel build hinders our ability to upgrade our go deps and to upgrade Pixie's Go version.
+
+In addition to this, Pixie's upcoming opentelemetry-go-instrumentation offsetgen based tracing requires building binaries with Go's toolchain until https://github.com/bazel-contrib/rules_go/issues/3090 is resolved.
+
+As new Go versions are released, the out of support versions should be removed from bazel and added to the `update_ghcr.sh` script in this directory. This will allow our builds to maintain test coverage for older Go versions without complicating our ability to upgrade Pixie's Go version and dependencies.
+
+Run `update_ghcr.sh` in this directory to push the images for each Go version to the ghcr.io repo.
@@ -19,20 +19,24 @@
 package main
 
 import (
+	"flag"
 	"fmt"
 	"io"
 	"log"
 	"net/http"
 
-	"github.com/spf13/pflag"
-	"github.com/spf13/viper"
+	"golang.org/x/net/http2"
 )
 
 const (
 	httpPort  = 50100
 	httpsPort = 50101
 )
 
+// Import the http2 package to ensure golang.org/x/net exists within the binary's
+// buildinfo.
+var s http2.Server //nolint:unused
+
 func basicHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Add("Content-Type", "application/json")
 	_, err := io.WriteString(w, `{"status":"ok"}`)
@@ -58,14 +62,12 @@ func listenAndServe(port int) {
 }
 
 func main() {
-	pflag.String("cert", "", "Path to the .crt file.")
-	pflag.String("key", "", "Path to the .key file.")
-	pflag.Parse()
-
-	viper.BindPFlags(pflag.CommandLine)
+	certPath := flag.String("cert", "", "Path to the .crt file.")
+	keyPath := flag.String("key", "", "Path to the .key file.")
+	flag.Parse()
 
 	http.HandleFunc("/", basicHandler)
 
-	go listenAndServeTLS(httpsPort, viper.GetString("cert"), viper.GetString("key"))
+	go listenAndServeTLS(httpsPort, *certPath, *keyPath)
 	listenAndServe(httpPort)
 }
@@ -0,0 +1,46 @@
+#!/bin/bash -e
+
+# Copyright 2018- The Pixie Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+declare -A GO_IMAGE_DIGEST_MAP=(
+  ["1.18-alpine@sha256:77f25981bd57e60a510165f3be89c901aec90453fd0f1c5a45691f6cb1528807"]="v0.35.0"
+  ["1.19-alpine@sha256:0ec0646e208ea58e5d29e558e39f2e59fccf39b7bda306cb53bbaff91919eca5"]="v0.35.0"
+  ["1.20-alpine@sha256:e47f121850f4e276b2b210c56df3fda9191278dd84a3a442bfe0b09934462a8f"]="v0.35.0"
+  ["1.21-alpine@sha256:2414035b086e3c42b99654c8b26e6f5b1b1598080d65fd03c7f499552ff4dc94"]="v0.35.0"
+  ["1.22-alpine@sha256:1699c10032ca2582ec89a24a1312d986a3f094aed3d5c1147b19880afe40e052"]="v0.35.0"
+)
+version=1.0
+
+IMAGES=()
+
+for go_image_digest in "${!GO_IMAGE_DIGEST_MAP[@]}"; do
+  tag="ghcr.io/pixie-io/golang_${go_image_digest//./_}_https_server_with_buildinfo:$version"
+  x_net_version=${GO_IMAGE_DIGEST_MAP[$go_image_digest]}
+  echo "Building and pushing image: $tag"
+  docker build . --build-arg GO_IMAGE_DIGEST="${go_image_digest}" --build-arg GOLANG_X_NET="${x_net_version}" -t "${tag}"
+  docker push "${tag}"
+  sha=$(docker inspect --format='{{index .RepoDigests 0}}' "${tag}" | cut -f2 -d'@')
+  IMAGES+=("${tag}@${sha}")
+done
+
+echo ""
+echo "Images pushed!"
+echo "IMPORTANT: Now update //bazel/container_images.bzl with the following digest: $sha"
+echo "Images:"
+for image in "${IMAGES[@]}"; do
+  echo "  - $image"
+done