
[Fleet] Only enable secret storage once all fleet servers are above 8.10.0 #163627

Merged

Conversation

hop-dev
Contributor

@hop-dev hop-dev commented Aug 10, 2023

Summary

Closes #157456

Secret storage requires that fleet servers are 8.10.0 or above.

This PR adds a backend check that all fleet servers are above 8.10.0 before enabling secrets storage. Once all fleet servers are above that version, secrets are permanently enabled.

The fleet server check checks all agents in policies that contain the fleet server package.

A flag on the `ingest_manager_settings` saved object, `secret_storage_requirements_met`, is used to make a note that the check has previously passed, meaning we don't have to keep querying the agents and policies.

Test scenarios (all covered by integration tests) :

  • given a deployment with no fleet servers connected, on creating a package policy with secret variables, the values should be stored in plain text not as a secret reference
  • given a deployment with at least one fleet server that is below 8.10.0, on creating a package policy with secret variables, the values should be stored in plain text not as a secret reference
  • given a deployment where all fleet servers are 8.10.0 or above, secrets should be stored as secret references and in the secrets index
  • if a package policy was created before secrets were enabled, and since its creation the fleet server versions pass the check, when updating that policy, all secrets should move to being secret references.
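The version gate and one-way flag described above, as an added TypeScript example (not Kibana's own code). `versionAtLeast`, `fleetServersMeetVersion`, `isSecretStorageEnabled` and `storeSecretVars` are names chosen here; the agents, policies, settings object and secret store are constructed in-memory stand-ins for the saved objects and the `.fleet-secrets` index, and the minimum version is a parameter so the same gate also covers the later 8.12.0 output-secrets check.

```typescript
// Added example, not Kibana's own code: models the gate this PR describes.
// Agents, policies and the settings object are constructed inline.

const SECRETS_MINIMUM_FLEET_SERVER_VERSION = '8.10.0';

interface Agent {
  id: string;
  policy_id: string;
  version: string; // e.g. "8.9.2" or "8.11.0-SNAPSHOT"
}

interface AgentPolicy {
  id: string;
  packages: string[]; // names of the packages installed in the policy
}

interface Settings { secret_storage_requirements_met?: boolean; }

// Numeric dotted-version comparison. A prerelease suffix such as -SNAPSHOT is
// ignored (an assumption of this example: 8.10.0-SNAPSHOT counts as 8.10.0).
function versionAtLeast(version: string, minimum: string): boolean {
  const parse = (v: string): number[] =>
    v.split('-')[0].split('.').map((part) => Number(part) || 0);
  const have = parse(version);
  const need = parse(minimum);
  for (let i = 0; i < Math.max(have.length, need.length); i++) {
    const x = i < have.length ? have[i] : 0;
    const y = i < need.length ? need[i] : 0;
    if (x !== y) return x > y;
  }
  return true;
}

// The PR's check: every agent enrolled in a policy that contains the
// fleet_server package must be at or above the minimum. No such agents at all
// fails the check (the case raised in review), as nothing could read the secrets.
function fleetServersMeetVersion(agents: Agent[], policies: AgentPolicy[], minimum: string): boolean {
  const fleetServerPolicyIds = policies
    .filter((p) => p.packages.indexOf('fleet_server') !== -1)
    .map((p) => p.id);
  const fleetServers = agents.filter((a) => fleetServerPolicyIds.indexOf(a.policy_id) !== -1);
  if (fleetServers.length === 0) return false;
  return fleetServers.every((a) => versionAtLeast(a.version, minimum));
}

// The one-way flag: once the check passes it is persisted on the settings object
// and agents/policies are not queried again, so secrets stay enabled afterwards.
function isSecretStorageEnabled(
  settings: Settings, agents: Agent[], policies: AgentPolicy[],
  minimum: string = SECRETS_MINIMUM_FLEET_SERVER_VERSION
): boolean {
  if (settings.secret_storage_requirements_met) return true;
  const met = fleetServersMeetVersion(agents, policies, minimum);
  if (met) settings.secret_storage_requirements_met = true;
  return met;
}

type StoredVar = { value: string } | { id: string };

// How a package policy's secret-flagged variables are persisted: plain text while
// the gate is closed, otherwise a reference into a constructed in-memory store that
// stands in for .fleet-secrets. Running it again on update migrates plain values.
function storeSecretVars(
  vars: Record<string, string>, secretsEnabled: boolean, secretIndex: Record<string, string>
): Record<string, StoredVar> {
  const stored: Record<string, StoredVar> = {};
  for (const name of Object.keys(vars)) {
    if (!secretsEnabled) {
      stored[name] = { value: vars[name] };
      continue;
    }
    const id = 'secret-' + (Object.keys(secretIndex).length + 1); // constructed id
    secretIndex[id] = vars[name];
    stored[name] = { id };
  }
  return stored;
}
```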

@hop-dev hop-dev added Team:Fleet Team label for Observability Data Collection Fleet team release_note:feature Makes this part of the condensed release notes v8.10.0 labels Aug 10, 2023
@hop-dev hop-dev self-assigned this Aug 10, 2023
@hop-dev hop-dev requested a review from a team as a code owner August 10, 2023 15:37
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)


@kibanamachine kibanamachine requested a review from a team as a code owner August 10, 2023 16:02
@@ -90,6 +90,7 @@ const getSavedObjectTypes = (): { [key: string]: SavedObjectsType } => ({
fleet_server_hosts: { type: 'keyword' },
has_seen_add_data_notice: { type: 'boolean', index: false },
prerelease_integrations_enabled: { type: 'boolean' },
secret_storage_requirements_met: { type: 'boolean' },
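Review bot: `secret_storage_requirements_met: { type: 'boolean' }` should be declared with `index: false`, as `has_seen_add_data_notice` is two lines above, since Fleet only reads this flag back from the single settings document and never searches on it. Decide this before the mapping ships: Elasticsearch refuses to change `index` from true to false on an existing field (the mappings-compatibility CI check further down this thread fails with exactly that conflict), so a field once released as indexed has to stay indexed.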
Member


nit: I do not think we want to search on that so we can probably add index: false

Contributor


That's weird, getting an error in the CI build about this, even though the mapping was added in this PR:

```text
info Checking if mappings are compatible
info [o.e.c.m.MetadataCreateIndexService] [node-01] [.kibana_mappings_check] creating index, cause [api], templates [], shards [1]/[1]
info [o.e.i.m.MapperService] [node-01] [.kibana_mappings_check] reloading search analyzers
ERROR There was an issue trying to apply the extracted mappings to the existing index.
ERROR ResponseError: illegal_argument_exception
      	Root causes:
      		illegal_argument_exception: Mapper for [ingest_manager_settings.secret_storage_requirements_met] conflicts with existing mapper:
      	Cannot update parameter [index] from [true] to [false]
          at SniffingTransport.request (/var/lib/buildkite-agent/builds/kb-n2-2-spot-28a62e0974e60ad7/elastic/kibana-pull-request/kibana/node_modules/@elastic/transport/src/Transport.ts:535:17)
          at processTicksAndRejections (node:internal/process/task_queues:95:5)
          at Indices.putMapping (/var/lib/buildkite-agent/builds/kb-n2-2-spot-28a62e0974e60ad7/elastic/kibana-pull-request/kibana/node_modules/@elastic/elasticsearch/src/api/api/indices.ts:1338:12)
          at checkIncompatibleMappings (check_incompatible_mappings.ts:43:18)
          at run_check_mappings_update_cli.ts:66:9
          at tooling_log.ts:84:18
          at description (run_check_mappings_update_cli.ts:65:7)
          at run.ts:70:7
          at withProcRunner (with_proc_runner.ts:29:5)
          at run (run.ts:69:5)
```


Member

@nchaulet nchaulet left a comment


LGTM 🚀

@nchaulet nchaulet self-requested a review August 10, 2023 19:55
}

// there must be at least one fleet server for this check to pass
if (policyIds.size === 0) {
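Review bot: the comment says "at least one fleet server" but `policyIds.size === 0` only establishes that some agent policy contains the fleet_server package, not that any agent is enrolled in it and reporting a version. Returning false here is right, but the same empty guard has to be applied to the agents fetched for those policies; otherwise a deployment with a fleet server policy and no enrolled fleet server would pass the gate and store secrets that nothing can read. The description says the check walks all agents in policies that contain the fleet server package, so the agent query result is where the guard belongs.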
Contributor

@juliaElastic juliaElastic Aug 11, 2023


Shouldn't we do this check based on agents, not agent policies? Or are we supposing that if there is a policy with 8.10 fleet server, that should be enough?
Changed this to return false if there are no FS agents.


it('should convert plain text values to secrets once fleet server requirements are met', async () => {
if (!fleetServerCheckPolicy) {
throw new Error('fleetServerCheckPolicy not set, previous test must have failed');
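Review bot: `fleetServerCheckPolicy` is state left behind by an earlier `it` block, so this test throws "previous test must have failed" whenever it runs alone (`.only`, a retry of a single flaky case, or a reordered suite). Create the package policy in a `before` hook scoped to this test, or inline its creation at the top of the test, so each scenario sets up its own fleet server check state.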
Contributor


As a best practice, tests shouldn't rely on other tests, it makes it harder to debug one by one.

@kibana-ci
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Defend Workflows Cypress Tests #1 / Endpoint Policy Response from Fleet Agent Details page should display policy response with errors should display policy response with errors


@juliaElastic juliaElastic merged commit 56be6c6 into elastic:main Aug 14, 2023
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Aug 14, 2023
jughosta pushed a commit to jughosta/kibana that referenced this pull request Aug 14, 2023
….10.0 (elastic#163627)
benakansara pushed a commit to benakansara/kibana that referenced this pull request Aug 14, 2023
….10.0 (elastic#163627)
jillguyonnet added a commit that referenced this pull request Jan 8, 2024
#173398)

## Summary

Closes #173041

Output secret storage requires that all Fleet servers are on version
8.12.0 or above.

The implementation is similar to package policy secrets:
#163627: this PR adds the new
`output_secret_storage_requirements_met` flag on the
`ingest_manager_settings` saved object.

### Testing

1. Define a preconfigured output with a secret value in your
`kibana.dev.yml` file, e.g.:
   ```yml
   xpack.fleet.outputs:
     - id: my-logstash-output-with-a-secret
       name: preconfigured logstash output with a secret
       type: logstash
       hosts: ['localhost:9999']
       ssl:
         certificate: xxxxxxxxxx
       secrets:
         ssl:
           key: secretLogstashKey
   ```
3. Start ES and Kibana. Do not start a Fleet server.
4. Go to Fleet settings and inspect the preconfigured output: it should
have been created and the secret value should not have been set
(optionally, you can check in the Console with `GET
.fleet-secrets/_search` that the secret was not created). However, a
plain text equivalent should have been created (in the example above,
`ssl.key` should be set to `secretLogstashKey`).
5. Start a Fleet server on version less than 8.12.0. Kibana should
update the output. Again, check that the secret value was not set and
that the plain text equivalent is set.
6. Stop the Fleet server and start another one on version 8.12.0 or
higher. Kibana should update the output. This time, the secret value
should have been set.

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Julia Bardi <[email protected]>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Jan 8, 2024
(cherry picked from commit 70508b9)
kibanamachine added a commit that referenced this pull request Jan 8, 2024
…mpatible (#173398) (#174433)

# Backport

This will backport the following commits from `main` to `8.12`:
- [[Fleet] Only enable output secrets if all Fleet servers are
compatible (#173398)](#173398)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Jill Guyonnet <[email protected]>
delanni pushed a commit to delanni/kibana that referenced this pull request Jan 11, 2024
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this pull request Feb 15, 2024
Successfully merging this pull request may close these issues.

[Fleet] Only enable secrets storage if all Fleet Servers are at a minimum supported version