x-pack/filebeat/input/http_endpoint: allow http_endpoint instances to share ports

[efd6]

What does this PR do?

This change adds a pool of http servers that share listening addresses and ports but respond to different mux endpoints.

Why is it important?

This reduces configuration complexity and port exposure in filebeat agents.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• I won't address the linter complaints.

How to test this PR locally

The tests can be run using the go test command in x-pack/filebeat/input/http_endpoint.

Related issues

• Closes [Filebeat] http_endpoint input instances should be able to "share" port #32578

Use cases

Screenshots

Logs

[efd6]

I'm not particularly proud of this, but I don't see another way to ensure that we have the servers up without doing nasty things inside pool.serve.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-10-27T00:54:19.477+0000

• Duration: 72 min 58 sec

Test stats 🧪

Test	Results
Failed	0
Passed	2299
Skipped	167
Total	2466

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

I had some questions relating to handling of conflicting listener config between input instances.

Once we are settled on the behavior, the documentation for http_endpoint should be updated to describe this feature.

[andrewkroh]

For the case where one input instance is running with TLS and another is not, I think we should detect and prevent this.

On a similar note, should we prevent two inputs that are configured with different/inconsistent TLS options too?

[efd6]

I will add this check, and yes, I think inconsistent configs should be disallowed.

[efd6]

Hang on. This may not be the right thing to do; we already prevent two bindings of a pattern to an address (IP:port) so it is not possible to get into the situation where we have a conflicting TLS config. The next level of binding, where we are looking at an address as IP-only doesn't really make sense to check this for since there may be cases where one port expects TLS and another doesn't — I would imagine that this is rare, but the case where they have different TLS configurations would be less so.

[andrewkroh]

Here's an example config that demonstrates the problem I am thinking of.

---

filebeat.inputs:

- type: http_endpoint
  id: http_endpoint-no-ssl
  listen_address: 127.0.0.1
  listen_port: 9001
  url: '/webhook-alpha/'
  preserve_original_event: true

# This one will start listening without TLS, but I would expect an error
# since we cannot have both an HTTP and HTTPS listener on 127.0.0.1:9001.
- type: http_endpoint
  id: http_endpoint-with-ssl
  listen_address: 127.0.0.1
  listen_port: 9001
  url: '/webhook-beta/'
  preserve_original_event: true
  ssl:
    verification_mode: none
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIBzjCCATGgAwIBAgIBATAKBggqhkjOPQQDBDASMRAwDgYDVQQKEwdBY21lIENv
      MB4XDTIyMTAyNTEyNDQ0OFoXDTIzMDQyMzEyNDQ0OFowEjEQMA4GA1UEChMHQWNt
      ZSBDbzCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEANdwExxtIgYhw8kN485JxdAX
      Y/XzbXA5w1G1ubO3sOpXIcQnuOZC/ea0xnbq9JLOxs9u1glr/K9awsXGlg5JQ3K6
      Aa6dBg5IQIGc6UBbetCaOx3QQkrrKJFrlF+6oiwn3Cs+V/qZMwsNgDdEeq2gFINj
      3ede5TUE+jmsqy+qcNTZ9ik6ozUwMzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAww
      CgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAKBggqhkjOPQQDBAOBigAwgYYCQQH2
      bwUzZWpwyvXoBGwWfGeKcmNSRFK+5Ur9k2C+PW+C+tVw0oqJvuEcJys78cB9TVwM
      OLBBY4Lip6CDGZ9Zu8MvAkETMcxFC2g3YIiHMFztfkMmU5XnVjjwjelmxNxREKUB
      pyD8tx7ptfI6hI8EUrqD1mQwnLLFU7Rq7IAbNuFXksYeWw==
      -----END CERTIFICATE-----

    # Not a secret.
    key: |
      -----BEGIN EC PRIVATE KEY-----
      MIHcAgEBBEIBtHeKAVWSypQo+PUDhUSMmh41Es6uCd+0OQhr3K9S3ntq7OjuMces
      CN2dG3WJBDo3TEfVJOhrNKE31zoM7+PE+kygBwYFK4EEACOhgYkDgYYABADXcBMc
      bSIGIcPJDePOScXQF2P1821wOcNRtbmzt7DqVyHEJ7jmQv3mtMZ26vSSzsbPbtYJ
      a/yvWsLFxpYOSUNyugGunQYOSECBnOlAW3rQmjsd0EJK6yiRa5RfuqIsJ9wrPlf6
      mTMLDYA3RHqtoBSDY93nXuU1BPo5rKsvqnDU2fYpOg==
      -----END EC PRIVATE KEY-----

output.console.enable: true

[efd6]

Done

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 32578-http_endpoint upstream/32578-http_endpoint
git merge upstream/main
git push upstream 32578-http_endpoint

[andrewkroh]

Can you please add a description of the new feature to the http_endpoint asciidocs.

[andrewkroh]

LGTM