[Fleet] Only enable secret storage once all fleet servers are above 8.10.0 #163627
@@ -90,6 +90,7 @@ const getSavedObjectTypes = (): { [key: string]: SavedObjectsType } => ({ | |||
fleet_server_hosts: { type: 'keyword' }, | |||
has_seen_add_data_notice: { type: 'boolean', index: false }, | |||
prerelease_integrations_enabled: { type: 'boolean' }, | |||
secret_storage_requirements_met: { type: 'boolean' }, |
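Review bot: `secret_storage_requirements_met` is added as a searchable boolean, but it is only read back as a flag and never queried, so it should be declared `{ type: 'boolean', index: false }` like `has_seen_add_data_notice` two lines above it. Settle this before the mapping is first applied: Elasticsearch refuses to flip `index` on a field that already exists in the index (the CI log later in this thread shows exactly that, `Cannot update parameter [index] from [true] to [false]`), so changing it afterwards needs a fresh mappings check rather than an in-place edit of the saved-object type.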
nit: I do not think we want to search on that so we can probably add index: false
That's weird, getting an error in the CI build about this, even though the mapping was added in this PR:

info Checking if mappings are compatible
info [o.e.c.m.MetadataCreateIndexService] [node-01] [.kibana_mappings_check] creating index, cause [api], templates [], shards [1]/[1]
info [o.e.i.m.MapperService] [node-01] [.kibana_mappings_check] reloading search analyzers
ERROR There was an issue trying to apply the extracted mappings to the existing index.
ERROR ResponseError: illegal_argument_exception
  Root causes:
  illegal_argument_exception: Mapper for [ingest_manager_settings.secret_storage_requirements_met] conflicts with existing mapper:
  Cannot update parameter [index] from [true] to [false]
  at SniffingTransport.request (/var/lib/buildkite-agent/builds/kb-n2-2-spot-28a62e0974e60ad7/elastic/kibana-pull-request/kibana/node_modules/@elastic/transport/src/Transport.ts:535:17)
  at processTicksAndRejections (node:internal/process/task_queues:95:5)
  at Indices.putMapping (/var/lib/buildkite-agent/builds/kb-n2-2-spot-28a62e0974e60ad7/elastic/kibana-pull-request/kibana/node_modules/@elastic/elasticsearch/src/api/api/indices.ts:1338:12)
  at checkIncompatibleMappings (check_incompatible_mappings.ts:43:18)
  at run_check_mappings_update_cli.ts:66:9
  at tooling_log.ts:84:18
  at description (run_check_mappings_update_cli.ts:65:7)
  at run.ts:70:7
  at withProcRunner (with_proc_runner.ts:29:5)
  at run (run.ts:69:5)
LGTM 🚀
} | ||
|
||
// there must be at least one fleet server for this check to pass | ||
if (policyIds.size === 0) { |
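Review bot: the early return keys on `policyIds.size === 0`, the number of agent policies that contain the Fleet Server package, not on the number of enrolled Fleet Server agents. A deployment that has such a policy but no Fleet Server enrolled in it passes this guard even though no Fleet Server has been checked at all; the check should also return false when the set of Fleet Server agents (not just policies) turns out to be empty, and the comment above the guard should say which of the two it means.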
Shouldn't we do this check based on agents, not agent policies? Or are we supposing that if there is a policy with 8.10 fleet server, that should be enough?
Changed this to return false if there are no FS agents.
it('should convert plain text values to secrets once fleet server requirements are met', async () => { | ||
if (!fleetServerCheckPolicy) { | ||
throw new Error('fleetServerCheckPolicy not set, previous test must have failed'); |
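Review bot: the guard on `fleetServerCheckPolicy` makes this test depend on a preceding test having created the policy, and throws with "previous test must have failed" when it did not, so the test cannot be run on its own and a failure upstream masks this test's real result. Create (and tear down) the policy inside this test or in a shared setup step instead of sharing mutable state between tests.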
As a best practice, tests shouldn't rely on other tests; it makes it harder to debug them one by one.
….10.0 (elastic#163627)

## Summary

Closes elastic#157456

Secret storage requires that fleet servers are 8.10.0 or above.

This PR adds a backend check that all fleet servers are above 8.10.0 before enabling secrets storage. Once all fleet servers are above that version, secrets are permanently enabled.

The fleet server check checks all agents in policies that contain the fleet server package.

A flag on the `ingest_manager_settings` saved object, `secret_storage_requirements_met`, is used to make a note that the check has previously passed, meaning we don't have to keep querying the agents and policies.

Test scenarios (all covered by integration tests):

- given a deployment with no fleet servers connected, on creating a package policy with secret variables, the values should be stored in plain text not as a secret reference
- given a deployment with at least one fleet server that is below 8.10.0, on creating a package policy with secret variables, the values should be stored in plain text not as a secret reference
- given a deployment where all fleet servers are 8.10.0 or above, secrets should be stored as secret references and in the secrets index
- if a package policy was created before secrets were enabled, and since its creation the fleet server versions pass the check, when updating that policy, all secrets should move to being secret references

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Julia Bardi <[email protected]>
#173398)

## Summary

Closes #173041

Output secret storage requires that all Fleet servers are on version 8.12.0 or above.

The implementation is similar to package policy secrets (#163627): this PR adds the new `output_secret_storage_requirements_met` flag on the `ingest_manager_settings` saved object.

### Testing

1. Define a preconfigured output with a secret value in your `kibana.dev.yml` file, e.g.:

```yml
xpack.fleet.outputs:
  - id: my-logstash-output-with-a-secret
    name: preconfigured logstash output with a secret
    type: logstash
    hosts: ['localhost:9999']
    ssl:
      certificate: xxxxxxxxxx
    secrets:
      ssl:
        key: secretLogstashKey
```

2. Start ES and Kibana. Do not start a Fleet server.
3. Go to Fleet settings and inspect the preconfigured output: it should have been created and the secret value should not have been set (optionally, you can check in the Console with `GET .fleet-secrets/_search` that the secret was not created). However, a plain text equivalent should have been created (in the example above, `ssl.key` should be set to `secretLogstashKey`).
4. Start a Fleet server on version less than 8.12.0. Kibana should update the output. Again, check that the secret value was not set and that the plain text equivalent is set.
5. Stop the Fleet server and start another one on version 8.12.0 or higher. Kibana should update the output. This time, the secret value should have been set.

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Julia Bardi <[email protected]>
(cherry picked from commit 70508b9)
…mpatible (#173398) (#174433)

# Backport

This will backport the following commits from `main` to `8.12`:
- [[Fleet] Only enable output secrets if all Fleet servers are compatible (#173398)](#173398)

Source commit 70508b957a4860b12fd3a2bb9612cfb8a95092e9 (merged to `main` 2024-01-08 by Jill Guyonnet, labels release_note:skip, Team:Fleet, v8.12.0, v8.13.0); target branch 8.12.

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Jill Guyonnet <[email protected]>
Summary

Closes #157456

Secret storage requires that fleet servers are 8.10.0 or above.

This PR adds a backend check that all fleet servers are above 8.10.0 before enabling secrets storage. Once all fleet servers are above that version, secrets are permanently enabled.

The fleet server check checks all agents in policies that contain the fleet server package.

A flag on the `ingest_manager_settings` saved object, `secret_storage_requirements_met`, is used to make a note that the check has previously passed, meaning we don't have to keep querying the agents and policies.

Test scenarios (all covered by integration tests):

- given a deployment with no fleet servers connected, on creating a package policy with secret variables, the values should be stored in plain text not as a secret reference
- given a deployment with at least one fleet server that is below 8.10.0, on creating a package policy with secret variables, the values should be stored in plain text not as a secret reference
- given a deployment where all fleet servers are 8.10.0 or above, secrets should be stored as secret references and in the secrets index
- if a package policy was created before secrets were enabled, and since its creation the fleet server versions pass the check, when updating that policy, all secrets should move to being secret references
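The gate described in this PR (package policy secrets, all Fleet Servers at 8.10.0 or above) and the one in #173398 (output secrets, all Fleet Servers at 8.12.0 or above) share one shape: find the policies that contain the `fleet_server` package, take every agent enrolled in those policies, require at least one such agent and require all of them to meet the minimum version, then latch the result into a flag on the `ingest_manager_settings` saved object so later calls skip the queries. The following is an added example modelling both gates; it is not Kibana's code. The `FleetAgent`/`AgentPolicy` shapes, the `fleetServersMeet` and `refreshSecretStorageFlags` names, the hand-rolled version comparison (Kibana itself relies on the `semver` package) and the rule that a prerelease such as `8.10.0-SNAPSHOT` counts as below `8.10.0` are all assumptions made for this illustration; the sample agents and policies are constructed, not taken from a real deployment.

```typescript
// Added example (not Kibana's code): a model of Fleet's "all Fleet Servers are
// new enough" gate that decides whether secret storage may be enabled.
// Type names, field names and helper names are assumptions for this illustration;
// Kibana's real implementation uses its saved-object clients and `semver`.

interface PackagePolicy { package: { name: string } }
interface AgentPolicy { id: string; package_policies: PackagePolicy[] }
interface FleetAgent { policy_id: string; version: string } // version as reported by the agent

// Flags named as on the `ingest_manager_settings` saved object in the two PRs.
interface FleetSettings {
  secret_storage_requirements_met: boolean;        // package policy secrets, needs 8.10.0+
  output_secret_storage_requirements_met: boolean; // output secrets, needs 8.12.0+
}

type Triple = [number, number, number];

// Parse "8.10.0" or "8.10.0-SNAPSHOT" into [major, minor, patch]; reject anything else
// rather than silently treating an unparseable version as "new enough".
export function parseVersion(v: string): { core: Triple; prerelease: boolean } {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable agent version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// true when `v` is at least `min`. A prerelease of the minimum (8.10.0-SNAPSHOT)
// is treated as below it, as semver does (assumption; Kibana may differ).
export function atLeast(v: string, min: string): boolean {
  const a = parseVersion(v), b = parseVersion(min);
  for (let i = 0; i < 3; i++) {
    const x = a.core[i] ?? 0, y = b.core[i] ?? 0;
    if (x !== y) return x > y;
  }
  return !a.prerelease || b.prerelease;
}

// Policies that contain the fleet_server package, i.e. whose agents are Fleet Servers.
export function fleetServerPolicyIds(policies: AgentPolicy[]): Set<string> {
  return new Set(
    policies
      .filter((p) => p.package_policies.some((pp) => pp.package.name === 'fleet_server'))
      .map((p) => p.id)
  );
}

// The gate: there must be at least one Fleet Server agent (none enrolled means the
// requirement is NOT met, as settled in the review thread), and every one of them
// must be at least `minVersion`. Agents on other policies are ignored.
export function fleetServersMeet(agents: FleetAgent[], policies: AgentPolicy[], minVersion: string): boolean {
  const fsPolicies = fleetServerPolicyIds(policies);
  const fleetServers = agents.filter((a) => fsPolicies.has(a.policy_id));
  if (fleetServers.length === 0) return false;
  return fleetServers.every((a) => atLeast(a.version, minVersion));
}

// Latch semantics: a flag that is already true stays true and the agent/policy
// queries are skipped; a false flag is re-evaluated. Returns the updated settings.
export function refreshSecretStorageFlags(settings: FleetSettings, agents: FleetAgent[], policies: AgentPolicy[]): FleetSettings {
  return {
    secret_storage_requirements_met:
      settings.secret_storage_requirements_met || fleetServersMeet(agents, policies, '8.10.0'),
    output_secret_storage_requirements_met:
      settings.output_secret_storage_requirements_met || fleetServersMeet(agents, policies, '8.12.0'),
  };
}

// Constructed sample data (not from a real deployment).
export const samplePolicies: AgentPolicy[] = [
  { id: 'fs-policy', package_policies: [{ package: { name: 'fleet_server' } }] },
  { id: 'endpoint-policy', package_policies: [{ package: { name: 'system' } }] },
];
export const sampleAgents: FleetAgent[] = [
  { policy_id: 'fs-policy', version: '8.11.2' },
  { policy_id: 'fs-policy', version: '8.9.0' },        // one old Fleet Server blocks both gates
  { policy_id: 'endpoint-policy', version: '7.17.0' }, // not a Fleet Server; ignored
];

export const fresh: FleetSettings = {
  secret_storage_requirements_met: false,
  output_secret_storage_requirements_met: false,
};

// With the sample data both flags stay false because of the 8.9.0 Fleet Server.
console.log(refreshSecretStorageFlags(fresh, sampleAgents, samplePolicies));
```

The two properties worth keeping in mind when reading the real check are visible here: an empty Fleet Server list must fail closed (otherwise `every` over an empty array would report success with nothing verified), and the flag only ever moves from false to true, so a Fleet Server that is later downgraded does not switch secret storage back off.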