Wire kibana config from fleet #4670
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪Steps errors
Expand to view the steps failures
|
jalvz
force-pushed
the
fleet-central-config
branch
from
b9a8bba
to
6c00307
Compare
jalvz
force-pushed
the
fleet-central-config
branch
from
6c00307
to
392ea19
Compare
|
Still missing tests, but opening this already for review |
There was a problem hiding this comment.
I'm pretty confused about what this PR is meant to be doing.
We discussed that the API Key passed used by Fleet would not have sufficient privileges, i.e. would not have the APM space privileges required for querying central config. IIANM that's why you added apm-server.kibana section to the integration package.
So why is elastic/beats#23856 needed, and why is the server still looking at the Fleet config?
beater/beater.go
Outdated
| @@ -220,7 +223,7 @@ func (s *serverCreator) CheckConfig(cfg *common.Config) error { | |||
|
|
|||
| func (s *serverCreator) Create(p beat.PipelineConnector, rawConfig *common.Config) (cfgfile.Runner, error) { | |||
| integrationConfig, err := config.NewIntegrationConfig(rawConfig) | |||
| if err != nil { | |||
| if integrationConfig == nil || err != nil { | |||
There was a problem hiding this comment.
It doesn't make sense to return a nil cfgfile.Runner unless there's an error being returned, and integrationConfig will/should only be nil if config.NewIntegrationConfig returns an error -- so I don't think this is right.
beater/beater.go
Outdated
| cfg, err := config.NewConfig(args.RawConfig, args.KibanaConfig, elasticsearchOutputConfig(args.Beat)) | ||
| if err != nil { | ||
| return nil, err | ||
| } |
There was a problem hiding this comment.
| cfg, err := config.NewConfig(args.RawConfig, args.KibanaConfig, elasticsearchOutputConfig(args.Beat)) | |
| if err != nil { | |
| return nil, err | |
| } | |
| cfg, err := config.NewConfig(args.RawConfig, elasticsearchOutputConfig(args.Beat)) | |
| if err != nil { | |
| return nil, err | |
| } | |
| if args.KibanaConfig != nil { | |
| args.Kibana = *args.KibanaConfig | |
| } |
Seeing as this is the only place we pass in the arg, can we just replace the Kibana config afterwards and avoid forcing all other callers to pass in nil? Alternatively we could not unpack Fleet.Kibana in the integration config, and merge it into the config in serverCreator.Create.
| @@ -2,3 +2,6 @@ apm-server: | |||
| host: {{host}} | |||
| secret_token: {{secret_token}} | |||
| rum.enabled: {{enable_rum}} | |||
| kibana: | |||
| enabled: true | |||
There was a problem hiding this comment.
| enabled: true |
enabled: true is implied, it's not necessary to explicitly specify it.
There was a problem hiding this comment.
Sure, I just liked to be explicit.
And this doesn't take the The API Key comes from user input in the package, as we talked about. |
| @@ -41,6 +41,11 @@ policy_templates: | |||
| required: true | |||
| show_user: true | |||
| default: false | |||
| - name: kibana_api_key | |||
| type: string | |||
There was a problem hiding this comment.
should this be type: password?
There was a problem hiding this comment.
it appears there is no such a thing...
There was a problem hiding this comment.
Am I looking at the wrong place here https://github.com/elastic/package-spec/blob/a8fe73d82b25806f6b96582b99993a63b67ef130/versions/1/data_stream/manifest.spec.yml#L53?
Ahhhh sorry, I see. Thanks for the explanation. If elastic/beats#23856 does go ahead: is it not possible to have the spec extract "fleet.kibana" and merge it into "apm-server.kibana"? Is that the bit you said you couldn't get to work? I suppose this approach is fine though. Anyway, I see there's some contention on the Beats issue so let's wait until that's resolved? |
I tried a few things, I believe the problem with that one is that it is not possible to merge dicts on conflict; so we would lose either the api_key or the other fields. |
There was a problem hiding this comment.
LGTM. A couple of things I'd like to see:
- A test for the new APIKey behaviour in kibana.ConnectingClient. I think this should be done before merging.
- A system test for agent central config when running under Fleet, using the injected
fleet.kibanaconfig, as a followup.
…to fleet-central-config
…to fleet-central-config
* Adds kibana and sourcemap api keys to package # Conflicts: # apmpackage/apm/0.1.0/agent/input/template.yml.hbs # apmpackage/apm/0.1.0/manifest.yml # changelogs/head.asciidoc # kibana/connecting_client.go
* Adds kibana and sourcemap api keys to package # Conflicts: # apmpackage/apm/0.1.0/agent/input/template.yml.hbs # apmpackage/apm/0.1.0/manifest.yml # changelogs/head.asciidoc # kibana/connecting_client.go
* Adds kibana and sourcemap api keys to package # Conflicts: # apmpackage/apm/0.1.0/agent/input/template.yml.hbs # apmpackage/apm/0.1.0/manifest.yml # changelogs/head.asciidoc # kibana/connecting_client.go Co-authored-by: Juan Álvarez <[email protected]>
* Adds kibana and sourcemap api keys to package # Conflicts: # apmpackage/apm/0.1.0/agent/input/template.yml.hbs # apmpackage/apm/0.1.0/manifest.yml # changelogs/head.asciidoc # kibana/connecting_client.go Co-authored-by: Juan Álvarez <[email protected]>
|
I tested this with 7.12 BC2, and it doesn't seem to be working. I started the stack with apm-integration-testing (with elastic/apm-integration-testing#1069 applied):
Then looking at the APM Server logs in the Fleet UI, I see logs like:
|
|
sorry @axw , Beats backports not merged yet |
|
Tested again with BC3, works well! |
Motivation/summary
Adds support for central config and sourcemaps in managed mode.
Checklist
How to test these changes
In the Kibana UI create an APM integration without (or with a wrong API key), and check that
curl http://localhost:8200/config/v1/agents\?service.name=fooreturns "Unauthorized". Then create a valid api key and update the apm policy with it. Repeat the same curl command, and this time should respond with service-does-not-exist error.For sourcemaps: index a sourcemap, and check that APM Server can read it back when ingesting errors, provided the right API key has been configured in the policy editor.
Related issues
Requires elastic/beats#23856
Closes #4573