From e07a64af9e6986987374cd0dc481b06afbc74536 Mon Sep 17 00:00:00 2001
From: Blake Rouse
Date: Tue, 11 Jan 2022 15:57:13 -0500
Subject: [PATCH 1/2] Fix issue with ensureServiceToken.

---
 .../elastic-agent/pkg/agent/cmd/container.go | 30 +++++++++++--------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/x-pack/elastic-agent/pkg/agent/cmd/container.go b/x-pack/elastic-agent/pkg/agent/cmd/container.go
index 33f46728b65..00ff1b51cfa 100644
--- a/x-pack/elastic-agent/pkg/agent/cmd/container.go
+++ b/x-pack/elastic-agent/pkg/agent/cmd/container.go
@@ -199,11 +199,6 @@ func containerCmd(streams *cli.IOStreams, cmd *cobra.Command) error {
 }
 }
- err = ensureServiceToken(streams, &cfg)
- if err != nil {
- return err
- }
-
 // start apm-server legacy process when in cloud mode
 var wg sync.WaitGroup
 var apmProc *process.Info
@@ -287,6 +282,19 @@ func runContainerCmd(streams *cli.IOStreams, cmd *cobra.Command, cfg setupConfig
 }
 }
 if cfg.Fleet.Enroll {
+ if cfg.FleetServer.Enable {
+ if client == nil {
+ client, err = kibanaClient(cfg.Kibana, cfg.Kibana.Headers)
+ if err != nil {
+ return err
+ }
+ }
+ err = ensureServiceToken(streams, client, &cfg)
+ if err != nil {
+ return err
+ }
+ }
+
 var policy *kibanaPolicy
 token := cfg.Fleet.EnrollmentToken
 if token == "" && !cfg.FleetServer.Enable {
@@ -309,7 +317,10 @@ func runContainerCmd(streams *cli.IOStreams, cmd *cobra.Command, cfg setupConfig
 if policy != nil {
 policyID = policy.ID
 }
- logInfo(streams, "Policy selected for enrollment: ", policyID)
+ if policyID != "" {
+ logInfo(streams, "Policy selected for enrollment: ", policyID)
+ }
+
 cmdArgs, err := buildEnrollArgs(cfg, token, policyID)
 if err != nil {
 return err
@@ -339,7 +350,7 @@ type TokenResp struct {
 // ensureServiceToken will ensure that the cfg specified has the service_token attributes filled.
 //
 // If no token is specified it will use the elasticsearch username/password to request a new token from Kibana
-func ensureServiceToken(streams *cli.IOStreams, cfg *setupConfig) error {
+func ensureServiceToken(streams *cli.IOStreams, client *kibana.Client, cfg *setupConfig) error {
 // There's already a service token
 if cfg.Kibana.Fleet.ServiceToken != "" || cfg.FleetServer.Elasticsearch.ServiceToken != "" {
 return nil
@@ -349,11 +360,6 @@ func ensureServiceToken(streams *cli.IOStreams, cfg *setupConfig) error {
 }
 logInfo(streams, "Requesting service_token from Kibana.")
- client, err := kibanaClient(cfg.Kibana, cfg.Kibana.Headers)
- if err != nil {
- return err
- }
-
 code, r, err := client.Connection.Request("POST", "/api/fleet/service-tokens", nil, nil, nil)
 if err != nil {
 return fmt.Errorf("request to get security token from Kibana failed: %w", err)

From 3fc3ee38d8be8b78ebf02137cc0de4741a056fb1 Mon Sep 17 00:00:00 2001
From: Blake Rouse
Date: Wed, 12 Jan 2022 09:46:44 -0500
Subject: [PATCH 2/2] Move ensureServiceToken up to line 273.

---
 .../elastic-agent/pkg/agent/cmd/container.go | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/x-pack/elastic-agent/pkg/agent/cmd/container.go b/x-pack/elastic-agent/pkg/agent/cmd/container.go
index 00ff1b51cfa..25ff4c15ddc 100644
--- a/x-pack/elastic-agent/pkg/agent/cmd/container.go
+++ b/x-pack/elastic-agent/pkg/agent/cmd/container.go
@@ -269,6 +269,12 @@ func runContainerCmd(streams *cli.IOStreams, cmd *cobra.Command, cfg setupConfig
 return run(streams, logToStderr)
 }
+ if cfg.Kibana.Fleet.Setup || cfg.Fleet.Enroll {
+ err = ensureServiceToken(streams, &cfg)
+ if err != nil {
+ return err
+ }
+ }
 if cfg.Kibana.Fleet.Setup {
 client, err = kibanaClient(cfg.Kibana, cfg.Kibana.Headers)
 if err != nil {
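Review bot: In the `@@ -269,6 +269,12 @@` hunk of PATCH 2/2 the guard `if cfg.Kibana.Fleet.Setup || cfg.Fleet.Enroll {` is wider than the `cfg.FleetServer.Enable` guard PATCH 1/2 placed around the same call, so a container that enrolls as a plain agent now also reaches `POST /api/fleet/service-tokens` whenever no token is configured. Each such start would appear to mint another service credential in Kibana; part of ensureServiceToken's early-return logic lies between the visible hunks, so confirm whether that path is really reachable. If plain-agent enrollment does not need a token, narrow the Enroll arm, e.g. `if cfg.Kibana.Fleet.Setup || (cfg.Fleet.Enroll && cfg.FleetServer.Enable) {`; otherwise add a comment saying why every path needs one. runContainerCmd's body starts and ends outside the hunk.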
@@ -282,19 +288,6 @@ func runContainerCmd(streams *cli.IOStreams, cmd *cobra.Command, cfg setupConfig
 }
 }
 if cfg.Fleet.Enroll {
- if cfg.FleetServer.Enable {
- if client == nil {
- client, err = kibanaClient(cfg.Kibana, cfg.Kibana.Headers)
- if err != nil {
- return err
- }
- }
- err = ensureServiceToken(streams, client, &cfg)
- if err != nil {
- return err
- }
- }
-
 var policy *kibanaPolicy
 token := cfg.Fleet.EnrollmentToken
 if token == "" && !cfg.FleetServer.Enable {
@@ -350,7 +343,7 @@ type TokenResp struct {
 // ensureServiceToken will ensure that the cfg specified has the service_token attributes filled.
 //
 // If no token is specified it will use the elasticsearch username/password to request a new token from Kibana
-func ensureServiceToken(streams *cli.IOStreams, client *kibana.Client, cfg *setupConfig) error {
+func ensureServiceToken(streams *cli.IOStreams, cfg *setupConfig) error {
 // There's already a service token
 if cfg.Kibana.Fleet.ServiceToken != "" || cfg.FleetServer.Elasticsearch.ServiceToken != "" {
 return nil
@@ -360,6 +353,13 @@ func ensureServiceToken(streams *cli.IOStreams, client *kibana.Client, cfg *setu
 }
 logInfo(streams, "Requesting service_token from Kibana.")
+
+ // Client is not passed in to this function because this function will use username/password and then
+ // all the following clients will use the created service token.
+ client, err := kibanaClient(cfg.Kibana, cfg.Kibana.Headers)
+ if err != nil {
+ return err
+ }
 code, r, err := client.Connection.Request("POST", "/api/fleet/service-tokens", nil, nil, nil)
 if err != nil {
 return fmt.Errorf("request to get security token from Kibana failed: %w", err)
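Review bot: The comment added in the `@@ -360,6 +353,13 @@` hunk states an ordering requirement (this client authenticates with username/password, later clients are expected to use the minted token), but it sits inside the body, and nothing visible enforces that ensureServiceToken runs before the other `kibanaClient(...)` calls in runContainerCmd. I would put it in the function's doc comment, which still says "elasticsearch username/password" although the client is built from `cfg.Kibana`, e.g. `// It must run before any other Kibana client is created: it authenticates with the configured Kibana username/password, and clients created afterwards use the resulting service token.` The code that stores the returned token is outside the hunk, so it is worth checking there that the token value never reaches `logInfo`.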