[Agent] Respect connector_id defined in agentless #2989
Conversation
| @@ -231,7 +237,6 @@ async def supported_connectors(self, native_service_types=None, connector_ids=No | |||
| custom_connectors_query = { | |||
| "bool": { | |||
| "filter": [ | |||
| {"term": {"is_native": False}}, | |||
There was a problem hiding this comment.
since we treat all connectors the same (discover by ID), remove this filter
| @@ -56,6 +56,7 @@ async def ensure_connector_records_exist(self, agent_config, connector_name=None | |||
| connector_id=connector_id, | |||
| service_type=service_type, | |||
| connector_name=connector_name, | |||
| is_native=True, | |||
There was a problem hiding this comment.
So we've settled on is_native flag reusage in the end?
There was a problem hiding this comment.
This is what I understood from the "mega-thread" we've had last week, will DM you the link
| @@ -384,7 +384,7 @@ class BaseDataSource: | |||
| advanced_rules_enabled = False | |||
| dls_enabled = False | |||
| incremental_sync_enabled = False | |||
| native_connector_api_keys_enabled = True | |||
| native_connector_api_keys_enabled = False | |||
There was a problem hiding this comment.
This is old setting to enable native connector secrets for native connectors. Since we no longer rely on secrets for elastic managed connectors I just set this flag to false without thinking worrying about proper cleanup, I've filed followup ticket:
#2990
There was a problem hiding this comment.
So it'll break connectors running in native mode in traditional setup in 9.x, but we don't care since it's something nobody's supposed to do, right?
There was a problem hiding this comment.
The native connectors would be broken anyway since only service account that manages the ent-search node has access to read the secrets https://github.com/elastic/elasticsearch/blob/8c20ac5884158b88fdd598e422db632e1734aabb/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.java#L48
After migration to 9.0 those secrets are useless because noone has permissions to read them
jedrazb
deleted the
jedrazb-agentless-respects-connector-id-from-fleet-policy
branch
💔 Failed to create backport PR(s)The backport operation could not be completed due to the following error: The backport PRs will be merged automatically after passing CI. To backport manually run: |
Closes https://github.com/elastic/search-team/issues/8669
Changes:
connector_idis provided in fleet policy, create a connector with such idis_nativeflagOther changes:
yqinstallation (I think in 9.0.0 "correct" yq was removed in agent image and apt-get was fetching different tool, confirmed it was coming from different repo)See example in action:
Checklists
Pre-Review Checklist
config.yml.example)v7.13.2,v7.14.0,v8.0.0)Followup work
I am aware that there is some more work to do, this PR is just what we need now, followup tickets are filed: