[Fleet] Only enable output secrets if all Fleet servers are compatible (

elastic#173398) ## Summary Closes elastic#173041 Output secret storage requires that all Fleet servers are on version 8.12.0 or above. The implementation is similar to package policy secrets: elastic#163627: this PR adds the new `output_secret_storage_requirements_met` flag on the `ingest_manager_settings` saved object. ### Testing 1. Define a preconfigured output wit a secret value in your `kibana.dev.yml` file, e.g.: ```yml xpack.fleet.outputs: - id: my-logstash-output-with-a-secret name: preconfigured logstash output with a secret type: logstash hosts: ['localhost:9999'] ssl: certificate: xxxxxxxxxx secrets: ssl: key: secretLogstashKey ``` 3. Start ES and Kibana. Do not start a Fleet server. 4. Go to Fleet settings and inspect the preconfigured output: it should have been created and the secret value should not have been set (optionally, you can check in the Console with `GET .fleet-secrets/_search` that the secret was not created). However, a plain text equivalent should have been created (in the example above, `ssl.key` should be set to `secretLogstashKey`). 5. Start a Fleet server on version less than 8.12.0. Kibana should update the output. Again, check that the secret value was not set and that the plain text equivalent is set. 6. Stop the Fleet server and start another one on version 8.12.0 or higher. Kibana should update the output. This time, the secret value should have been set. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Julia Bardi <[email protected]>
kibanamachine · Jan 8, 2024 · 70508b9 · 70508b9
1 parent 6a7166c
commit 70508b9
Show file tree

Hide file tree

Showing 15 changed files with 859 additions and 518 deletions.
diff --git a/packages/kbn-check-mappings-update-cli/current_fields.json b/packages/kbn-check-mappings-update-cli/current_fields.json
@@ -468,6 +468,7 @@
   "ingest_manager_settings": [
     "fleet_server_hosts",
     "has_seen_add_data_notice",
+    "output_secret_storage_requirements_met",
     "prerelease_integrations_enabled",
     "secret_storage_requirements_met"
   ],

diff --git a/packages/kbn-check-mappings-update-cli/current_mappings.json b/packages/kbn-check-mappings-update-cli/current_mappings.json
@@ -1564,6 +1564,9 @@
       "prerelease_integrations_enabled": {
         "type": "boolean"
       },
+      "output_secret_storage_requirements_met": {
+        "type": "boolean"
+      },
       "secret_storage_requirements_met": {
         "type": "boolean"
       }

diff --git a/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts b/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts
@@ -109,7 +109,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "ingest-download-sources": "279a68147e62e4d8858c09ad1cf03bd5551ce58d",
         "ingest-outputs": "e36a25e789f22b4494be728321f4304a040e286b",
         "ingest-package-policies": "f4c2767e852b700a8b82678925b86bac08958b43",
-        "ingest_manager_settings": "64955ef1b7a9ffa894d4bb9cf863b5602bfa6885",
+        "ingest_manager_settings": "91445219e7115ff0c45d1dabd5d614a80b421797",
         "inventory-view": "b8683c8e352a286b4aca1ab21003115a4800af83",
         "kql-telemetry": "93c1d16c1a0dfca9c8842062cf5ef8f62ae401ad",
         "legacy-url-alias": "9b8cca3fbb2da46fd12823d3cd38fdf1c9f24bc8",

diff --git a/x-pack/plugins/fleet/common/constants/secrets.ts b/x-pack/plugins/fleet/common/constants/secrets.ts
@@ -8,3 +8,4 @@
 export const SECRETS_ENDPOINT_PATH = '/_fleet/secret';
 
 export const SECRETS_MINIMUM_FLEET_SERVER_VERSION = '8.10.0';
+export const OUTPUT_SECRETS_MINIMUM_FLEET_SERVER_VERSION = '8.12.0';
diff --git a/x-pack/plugins/fleet/common/types/models/settings.ts b/x-pack/plugins/fleet/common/types/models/settings.ts
@@ -15,4 +15,5 @@ export interface Settings extends BaseSettings {
   id: string;
   preconfigured_fields?: Array<'fleet_server_hosts'>;
   secret_storage_requirements_met?: boolean;
+  output_secret_storage_requirements_met?: boolean;
 }
diff --git a/x-pack/plugins/fleet/cypress/e2e/fleet_settings_outputs.cy.ts b/x-pack/plugins/fleet/cypress/e2e/fleet_settings_outputs.cy.ts
@@ -174,8 +174,9 @@ describe('Outputs', () => {
         cy.wait('@saveOutput').then((interception) => {
           const responseBody = interception.response?.body;
           cy.visit(`/app/fleet/settings/outputs/${responseBody?.item?.id}`);
-          expect(responseBody?.item.service_token).to.equal(undefined);
-          expect(responseBody?.item.secrets.service_token.id).not.to.equal(undefined);
+          // There is no Fleet server, therefore the service token should have been saved in plain text.
+          expect(responseBody?.item.service_token).to.equal('service_token');
+          expect(responseBody?.item.secrets).to.equal(undefined);
         });
 
         cy.get('[placeholder="Specify host URL"').should('have.value', 'https://localhost:5000');

diff --git a/x-pack/plugins/fleet/server/constants/index.ts b/x-pack/plugins/fleet/server/constants/index.ts
@@ -81,6 +81,7 @@ export {
   // secrets
   SECRETS_ENDPOINT_PATH,
   SECRETS_MINIMUM_FLEET_SERVER_VERSION,
+  OUTPUT_SECRETS_MINIMUM_FLEET_SERVER_VERSION,
   // outputs
   OUTPUT_HEALTH_DATA_STREAM,
   type PrivilegeMapObject,

diff --git a/x-pack/plugins/fleet/server/saved_objects/index.ts b/x-pack/plugins/fleet/server/saved_objects/index.ts
@@ -81,6 +81,7 @@ import {
   migratePackagePolicyToV81102,
   migratePackagePolicyEvictionsFromV81102,
 } from './migrations/security_solution/to_v8_11_0_2';
+import { settingsV1 } from './model_versions/v1';
 
 /*
  * Saved object types and mappings
@@ -104,13 +105,17 @@ const getSavedObjectTypes = (): { [key: string]: SavedObjectsType } => ({
         has_seen_add_data_notice: { type: 'boolean', index: false },
         prerelease_integrations_enabled: { type: 'boolean' },
         secret_storage_requirements_met: { type: 'boolean' },
+        output_secret_storage_requirements_met: { type: 'boolean' },
       },
     },
     migrations: {
       '7.10.0': migrateSettingsToV7100,
       '7.13.0': migrateSettingsToV7130,
       '8.6.0': migrateSettingsToV860,
     },
+    modelVersions: {
+      1: settingsV1,
+    },
   },
   [AGENT_POLICY_SAVED_OBJECT_TYPE]: {
     name: AGENT_POLICY_SAVED_OBJECT_TYPE,

diff --git a/x-pack/plugins/fleet/server/saved_objects/model_versions/v1.ts b/x-pack/plugins/fleet/server/saved_objects/model_versions/v1.ts
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { SavedObjectsModelVersion } from '@kbn/core-saved-objects-server';
+
+export const settingsV1: SavedObjectsModelVersion = {
+  changes: [
+    {
+      type: 'mappings_addition',
+      addedMappings: {
+        output_secret_storage_requirements_met: { type: 'boolean' },
+      },
+    },
+  ],
+};