-
Notifications
You must be signed in to change notification settings - Fork 519
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wire kibana config from fleet #4670
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪Steps errorsExpand to view the steps failures
|
b9a8bba
to
6c00307
Compare
6c00307
to
392ea19
Compare
Still missing tests, but opening this already for review |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm pretty confused about what this PR is meant to be doing.
We discussed that the API Key passed used by Fleet would not have sufficient privileges, i.e. would not have the APM space privileges required for querying central config. IIANM that's why you added apm-server.kibana
section to the integration package.
So why is elastic/beats#23856 needed, and why is the server still looking at the Fleet config?
beater/beater.go
Outdated
@@ -220,7 +223,7 @@ func (s *serverCreator) CheckConfig(cfg *common.Config) error { | |||
|
|||
func (s *serverCreator) Create(p beat.PipelineConnector, rawConfig *common.Config) (cfgfile.Runner, error) { | |||
integrationConfig, err := config.NewIntegrationConfig(rawConfig) | |||
if err != nil { | |||
if integrationConfig == nil || err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't make sense to return a nil
cfgfile.Runner
unless there's an error being returned, and integrationConfig
will/should only be nil
if config.NewIntegrationConfig
returns an error -- so I don't think this is right.
beater/beater.go
Outdated
cfg, err := config.NewConfig(args.RawConfig, args.KibanaConfig, elasticsearchOutputConfig(args.Beat)) | ||
if err != nil { | ||
return nil, err | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cfg, err := config.NewConfig(args.RawConfig, args.KibanaConfig, elasticsearchOutputConfig(args.Beat)) | |
if err != nil { | |
return nil, err | |
} | |
cfg, err := config.NewConfig(args.RawConfig, elasticsearchOutputConfig(args.Beat)) | |
if err != nil { | |
return nil, err | |
} | |
if args.KibanaConfig != nil { | |
args.Kibana = *args.KibanaConfig | |
} |
Seeing as this is the only place we pass in the arg, can we just replace the Kibana config afterwards and avoid forcing all other callers to pass in nil
? Alternatively we could not unpack Fleet.Kibana
in the integration config, and merge it into the config in serverCreator.Create
.
@@ -2,3 +2,6 @@ apm-server: | |||
host: {{host}} | |||
secret_token: {{secret_token}} | |||
rum.enabled: {{enable_rum}} | |||
kibana: | |||
enabled: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
enabled: true |
enabled: true
is implied, it's not necessary to explicitly specify it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I just liked to be explicit.
And this doesn't take the The API Key comes from user input in the package, as we talked about. |
@@ -41,6 +41,11 @@ policy_templates: | |||
required: true | |||
show_user: true | |||
default: false | |||
- name: kibana_api_key | |||
type: string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should this be type: password
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it appears there is no such a thing...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Am I looking at the wrong place here https://github.com/elastic/package-spec/blob/a8fe73d82b25806f6b96582b99993a63b67ef130/versions/1/data_stream/manifest.spec.yml#L53?
Ahhhh sorry, I see. Thanks for the explanation. If elastic/beats#23856 does go ahead: is it not possible to have the spec extract "fleet.kibana" and merge it into "apm-server.kibana"? Is that the bit you said you couldn't get to work? I suppose this approach is fine though. Anyway, I see there's some contention on the Beats issue so let's wait until that's resolved? |
I tried a few things, I believe the problem with that one is that it is not possible to merge dicts on conflict; so we would lose either the api_key or the other fields. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. A couple of things I'd like to see:
- A test for the new APIKey behaviour in kibana.ConnectingClient. I think this should be done before merging.
- A system test for agent central config when running under Fleet, using the injected
fleet.kibana
config, as a followup.
…to fleet-central-config
…to fleet-central-config
* Adds kibana and sourcemap api keys to package # Conflicts: # apmpackage/apm/0.1.0/agent/input/template.yml.hbs # apmpackage/apm/0.1.0/manifest.yml # changelogs/head.asciidoc # kibana/connecting_client.go
* Adds kibana and sourcemap api keys to package # Conflicts: # apmpackage/apm/0.1.0/agent/input/template.yml.hbs # apmpackage/apm/0.1.0/manifest.yml # changelogs/head.asciidoc # kibana/connecting_client.go
* Adds kibana and sourcemap api keys to package # Conflicts: # apmpackage/apm/0.1.0/agent/input/template.yml.hbs # apmpackage/apm/0.1.0/manifest.yml # changelogs/head.asciidoc # kibana/connecting_client.go Co-authored-by: Juan Álvarez <[email protected]>
* Adds kibana and sourcemap api keys to package # Conflicts: # apmpackage/apm/0.1.0/agent/input/template.yml.hbs # apmpackage/apm/0.1.0/manifest.yml # changelogs/head.asciidoc # kibana/connecting_client.go Co-authored-by: Juan Álvarez <[email protected]>
I tested this with 7.12 BC2, and it doesn't seem to be working. I started the stack with apm-integration-testing (with elastic/apm-integration-testing#1069 applied):
Then looking at the APM Server logs in the Fleet UI, I see logs like:
|
sorry @axw , Beats backports not merged yet |
Tested again with BC3, works well! |
Motivation/summary
Adds support for central config and sourcemaps in managed mode.
Checklist
How to test these changes
In the Kibana UI create an APM integration without (or with a wrong API key), and check that
curl http://localhost:8200/config/v1/agents\?service.name=foo
returns "Unauthorized". Then create a valid api key and update the apm policy with it. Repeat the same curl command, and this time should respond with service-does-not-exist error.For sourcemaps: index a sourcemap, and check that APM Server can read it back when ingesting errors, provided the right API key has been configured in the policy editor.
Related issues
Requires elastic/beats#23856
Closes #4573