[Fleet] Only enable output secrets if all Fleet servers are compatible #173398
Conversation
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
|
/ci |
jillguyonnet
force-pushed
the
fleet/173041-output-secrets-fleet-server-check
branch
from
ca07d48
to
2ff0875
Compare
jillguyonnet
added
Team:Fleet
|
/ci |
|
/ci |
… src/core/server/integration_tests/ci_checks'
|
/ci |
|
@elastic/fleet @juliaElastic Can I get some input about the expectation here? As is, a secret will not be set if the Fleet servers version check fails. This could have the effect that the output is not fully set. Is this sufficient, or should there be added logic to set a plain text value instead? The Cypress test failures are a reflection of this: for instance, this expectation fails as the secret is not set (this is because there is no Fleet server). |
If the Fleet server version check fails, the logic should fallback to storing plain text secrets (existing behaviour), this is also how it works for policy secrets. |
|
@jillguyonnet Do you think we can get this pr in before the last BC is built on Jan 4? Let me know if you need help. |
|
Hey @juliaElastic - yes tackling this now. |
|
@elasticmachine merge upstream |
|
/ci |
|
/ci |
|
/ci |
| updateData.type === outputType.RemoteElasticsearch | ||
| ) { | ||
| if (!data.service_token && data.secrets?.service_token) { | ||
| updateData.service_token = data.secrets?.service_token as string; |
There was a problem hiding this comment.
I wonder if this logic can be extracted, seems very similar to the create method. It could be done in a follow up pr.
Do we have test coverage over this logic?
Also, is it necessary for originalOutput to have the same type as the updated output? It can happen that the type changes, isn't it?
There was a problem hiding this comment.
I wonder if this logic can be extracted, seems very similar to the create method. It could be done in a follow up pr.
Agreed. These methods are very long and could use some extracting/refactoring. It's always a little dangerous to leave refactoring for followup, but it might be the right call in this case.
Do we have test coverage over this logic?
We do in the integration tests, I suppose, but absolutely happy to add some unit tests as well.
Also, is it necessary for originalOutput to have the same type as the updated output? It can happen that the type changes, isn't it?
Good point! I guess that is not required (and perhaps even a liability). Perhaps it would be good to add a test with an output type change.
There was a problem hiding this comment.
I think we have some tests on output type change in cypress tests.
|
buildkite, test this |
There was a problem hiding this comment.
Tested, and looks good.
There is one scenario which looks expected, though maybe something we should clarify in the docs. Namely how existing outputs can be recreated with secret storage.
Steps to reproduce:
- Create an output with a secret without fleet server, the output secret is stored as plain text (e.g. remote ES with secret token)
- Enroll a fleet server 8.12
- Go back to the existing output to edit
- Outcome: the service token shows up as a plain text, there is no way to update it to be saved as a secret from the UI, unless creating a new output.
|
Thanks for your review @juliaElastic 🙏 I will address your point regarding Regarding the UI, there is this followup issue that was considered a nice-to-have, although I definitely agree that the docs should reflect the current situation: #171418. WDYT? I'm also waiting for approval from @elastic/kibana-core. |
Thanks, I'm fine to leave the refactor as a follow up, to get this in before the next BC build.
Good to know that there is already a follow up for this. We could check if there is already any docs being added on output secrets. |
|
Pushed the fix with a couple of associated unit tests. I opened #174258 as a followup refactor issue. Also pinged the core team on Slack, hopefully will get this out now 🤞 |
|
@elasticmachine merge upstream |
|
Thanks for approving @jloleysens - it's a good point, I thought the implementation should mirror what was done for policy secrets in #163627. |
💚 Build Succeeded
Metrics [docs]
History
To update your PR or re-run it, just comment with: |
jillguyonnet
deleted the
fleet/173041-output-secrets-fleet-server-check
branch
elastic#173398) ## Summary Closes elastic#173041 Output secret storage requires that all Fleet servers are on version 8.12.0 or above. The implementation is similar to package policy secrets: elastic#163627: this PR adds the new `output_secret_storage_requirements_met` flag on the `ingest_manager_settings` saved object. ### Testing 1. Define a preconfigured output wit a secret value in your `kibana.dev.yml` file, e.g.: ```yml xpack.fleet.outputs: - id: my-logstash-output-with-a-secret name: preconfigured logstash output with a secret type: logstash hosts: ['localhost:9999'] ssl: certificate: xxxxxxxxxx secrets: ssl: key: secretLogstashKey ``` 3. Start ES and Kibana. Do not start a Fleet server. 4. Go to Fleet settings and inspect the preconfigured output: it should have been created and the secret value should not have been set (optionally, you can check in the Console with `GET .fleet-secrets/_search` that the secret was not created). However, a plain text equivalent should have been created (in the example above, `ssl.key` should be set to `secretLogstashKey`). 5. Start a Fleet server on version less than 8.12.0. Kibana should update the output. Again, check that the secret value was not set and that the plain text equivalent is set. 6. Stop the Fleet server and start another one on version 8.12.0 or higher. Kibana should update the output. This time, the secret value should have been set. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Julia Bardi <[email protected]> (cherry picked from commit 70508b9)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…mpatible (#173398) (#174433) # Backport This will backport the following commits from `main` to `8.12`: - [[Fleet] Only enable output secrets if all Fleet servers are compatible (#173398)](#173398) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Jill Guyonnet","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-01-08T09:20:20Z","message":"[Fleet] Only enable output secrets if all Fleet servers are compatible (#173398)\n\n## Summary\r\n\r\nCloses https://github.com/elastic/kibana/issues/173041\r\n\r\nOutput secret storage requires that all Fleet servers are on version\r\n8.12.0 or above.\r\n\r\nThe implementation is similar to package policy secrets:\r\nhttps://github.com//pull/163627: this PR adds the new\r\n`output_secret_storage_requirements_met` flag on the\r\n`ingest_manager_settings` saved object.\r\n\r\n### Testing\r\n\r\n1. Define a preconfigured output wit a secret value in your\r\n`kibana.dev.yml` file, e.g.:\r\n ```yml\r\n xpack.fleet.outputs:\r\n - id: my-logstash-output-with-a-secret\r\n name: preconfigured logstash output with a secret\r\n type: logstash\r\n hosts: ['localhost:9999']\r\n ssl:\r\n certificate: xxxxxxxxxx\r\n secrets:\r\n ssl:\r\n key: secretLogstashKey\r\n ```\r\n3. Start ES and Kibana. Do not start a Fleet server.\r\n4. Go to Fleet settings and inspect the preconfigured output: it should\r\nhave been created and the secret value should not have been set\r\n(optionally, you can check in the Console with `GET\r\n.fleet-secrets/_search` that the secret was not created). However, a\r\nplain text equivalent should have been created (in the example above,\r\n`ssl.key` should be set to `secretLogstashKey`).\r\n5. Start a Fleet server on version less than 8.12.0. Kibana should\r\nupdate the output. Again, check that the secret value was not set and\r\nthat the plain text equivalent is set.\r\n6. Stop the Fleet server and start another one on version 8.12.0 or\r\nhigher. Kibana should update the output. This time, the secret value\r\nshould have been set.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Julia Bardi <[email protected]>","sha":"70508b957a4860b12fd3a2bb9612cfb8a95092e9","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v8.12.0","v8.13.0"],"title":"[Fleet] Only enable output secrets if all Fleet servers are compatible","number":173398,"url":"https://github.com/elastic/kibana/pull/173398","mergeCommit":{"message":"[Fleet] Only enable output secrets if all Fleet servers are compatible (#173398)\n\n## Summary\r\n\r\nCloses https://github.com/elastic/kibana/issues/173041\r\n\r\nOutput secret storage requires that all Fleet servers are on version\r\n8.12.0 or above.\r\n\r\nThe implementation is similar to package policy secrets:\r\nhttps://github.com//pull/163627: this PR adds the new\r\n`output_secret_storage_requirements_met` flag on the\r\n`ingest_manager_settings` saved object.\r\n\r\n### Testing\r\n\r\n1. Define a preconfigured output wit a secret value in your\r\n`kibana.dev.yml` file, e.g.:\r\n ```yml\r\n xpack.fleet.outputs:\r\n - id: my-logstash-output-with-a-secret\r\n name: preconfigured logstash output with a secret\r\n type: logstash\r\n hosts: ['localhost:9999']\r\n ssl:\r\n certificate: xxxxxxxxxx\r\n secrets:\r\n ssl:\r\n key: secretLogstashKey\r\n ```\r\n3. Start ES and Kibana. Do not start a Fleet server.\r\n4. Go to Fleet settings and inspect the preconfigured output: it should\r\nhave been created and the secret value should not have been set\r\n(optionally, you can check in the Console with `GET\r\n.fleet-secrets/_search` that the secret was not created). However, a\r\nplain text equivalent should have been created (in the example above,\r\n`ssl.key` should be set to `secretLogstashKey`).\r\n5. Start a Fleet server on version less than 8.12.0. Kibana should\r\nupdate the output. Again, check that the secret value was not set and\r\nthat the plain text equivalent is set.\r\n6. Stop the Fleet server and start another one on version 8.12.0 or\r\nhigher. Kibana should update the output. This time, the secret value\r\nshould have been set.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Julia Bardi <[email protected]>","sha":"70508b957a4860b12fd3a2bb9612cfb8a95092e9"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","branchLabelMappingKey":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/173398","number":173398,"mergeCommit":{"message":"[Fleet] Only enable output secrets if all Fleet servers are compatible (#173398)\n\n## Summary\r\n\r\nCloses https://github.com/elastic/kibana/issues/173041\r\n\r\nOutput secret storage requires that all Fleet servers are on version\r\n8.12.0 or above.\r\n\r\nThe implementation is similar to package policy secrets:\r\nhttps://github.com//pull/163627: this PR adds the new\r\n`output_secret_storage_requirements_met` flag on the\r\n`ingest_manager_settings` saved object.\r\n\r\n### Testing\r\n\r\n1. Define a preconfigured output wit a secret value in your\r\n`kibana.dev.yml` file, e.g.:\r\n ```yml\r\n xpack.fleet.outputs:\r\n - id: my-logstash-output-with-a-secret\r\n name: preconfigured logstash output with a secret\r\n type: logstash\r\n hosts: ['localhost:9999']\r\n ssl:\r\n certificate: xxxxxxxxxx\r\n secrets:\r\n ssl:\r\n key: secretLogstashKey\r\n ```\r\n3. Start ES and Kibana. Do not start a Fleet server.\r\n4. Go to Fleet settings and inspect the preconfigured output: it should\r\nhave been created and the secret value should not have been set\r\n(optionally, you can check in the Console with `GET\r\n.fleet-secrets/_search` that the secret was not created). However, a\r\nplain text equivalent should have been created (in the example above,\r\n`ssl.key` should be set to `secretLogstashKey`).\r\n5. Start a Fleet server on version less than 8.12.0. Kibana should\r\nupdate the output. Again, check that the secret value was not set and\r\nthat the plain text equivalent is set.\r\n6. Stop the Fleet server and start another one on version 8.12.0 or\r\nhigher. Kibana should update the output. This time, the secret value\r\nshould have been set.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Julia Bardi <[email protected]>","sha":"70508b957a4860b12fd3a2bb9612cfb8a95092e9"}}]}] BACKPORT--> Co-authored-by: Jill Guyonnet <[email protected]>
elastic#173398) ## Summary Closes elastic#173041 Output secret storage requires that all Fleet servers are on version 8.12.0 or above. The implementation is similar to package policy secrets: elastic#163627: this PR adds the new `output_secret_storage_requirements_met` flag on the `ingest_manager_settings` saved object. ### Testing 1. Define a preconfigured output wit a secret value in your `kibana.dev.yml` file, e.g.: ```yml xpack.fleet.outputs: - id: my-logstash-output-with-a-secret name: preconfigured logstash output with a secret type: logstash hosts: ['localhost:9999'] ssl: certificate: xxxxxxxxxx secrets: ssl: key: secretLogstashKey ``` 3. Start ES and Kibana. Do not start a Fleet server. 4. Go to Fleet settings and inspect the preconfigured output: it should have been created and the secret value should not have been set (optionally, you can check in the Console with `GET .fleet-secrets/_search` that the secret was not created). However, a plain text equivalent should have been created (in the example above, `ssl.key` should be set to `secretLogstashKey`). 5. Start a Fleet server on version less than 8.12.0. Kibana should update the output. Again, check that the secret value was not set and that the plain text equivalent is set. 6. Stop the Fleet server and start another one on version 8.12.0 or higher. Kibana should update the output. This time, the secret value should have been set. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Julia Bardi <[email protected]>
elastic#173398) ## Summary Closes elastic#173041 Output secret storage requires that all Fleet servers are on version 8.12.0 or above. The implementation is similar to package policy secrets: elastic#163627: this PR adds the new `output_secret_storage_requirements_met` flag on the `ingest_manager_settings` saved object. ### Testing 1. Define a preconfigured output wit a secret value in your `kibana.dev.yml` file, e.g.: ```yml xpack.fleet.outputs: - id: my-logstash-output-with-a-secret name: preconfigured logstash output with a secret type: logstash hosts: ['localhost:9999'] ssl: certificate: xxxxxxxxxx secrets: ssl: key: secretLogstashKey ``` 3. Start ES and Kibana. Do not start a Fleet server. 4. Go to Fleet settings and inspect the preconfigured output: it should have been created and the secret value should not have been set (optionally, you can check in the Console with `GET .fleet-secrets/_search` that the secret was not created). However, a plain text equivalent should have been created (in the example above, `ssl.key` should be set to `secretLogstashKey`). 5. Start a Fleet server on version less than 8.12.0. Kibana should update the output. Again, check that the secret value was not set and that the plain text equivalent is set. 6. Stop the Fleet server and start another one on version 8.12.0 or higher. Kibana should update the output. This time, the secret value should have been set. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Julia Bardi <[email protected]>
Summary
Closes #173041
Output secret storage requires that all Fleet servers are on version 8.12.0 or above.
The implementation is similar to package policy secrets: #163627: this PR adds the new
output_secret_storage_requirements_metflag on theingest_manager_settingssaved object.Testing
kibana.dev.ymlfile, e.g.:GET .fleet-secrets/_searchthat the secret was not created). However, a plain text equivalent should have been created (in the example above,ssl.keyshould be set tosecretLogstashKey).Checklist