-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Fleet] Secrets are disabled when an agent running < 8.10 is enrolled, regardless of whether it is a Fleet Server agent #186845
Comments
Pinging @elastic/fleet (Team:Fleet) |
At least in some tests I've performed, the banner was showing up even if there were Agents < 8.10 with no Fleet Server policy. I've unenrolled all Elastic Agents < 8.10 and the banner was finally removed. I wonder how we handle adding an old Fleet Server < 8.10 to a cluster running 8.14. How should the product behave?
TL;DR:
|
This issue will be fixed by #187935 Tested the scenarios manually with the pr changes:
|
…elastic#187935) ## Summary Closes elastic#187933 Closes elastic#186845 Fixed missing policy filter when checking if Fleet Servers met minimum version to enable secrets storage. The integration tests cover now a case where there are no fleet servers but there are agents with minimum version, to verify that the query filters them out. Manual verification is hard because you can't enroll an agent without enrolling FS with at least the same version. It could be done by manually creating docs in `.fleet-agents`. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 5761a38)
Thank you @juliaElastic !
Is there any consequence? Are Fleet Servers < 8.10 able to handle the secret fieds? |
…secrets (#187935) (#188089) # Backport This will backport the following commits from `main` to `8.15`: - [[Fleet] Missing policy filter in Fleet Server check to enable secrets (#187935)](#187935) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Julia Bardi","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-07-11T10:57:01Z","message":"[Fleet] Missing policy filter in Fleet Server check to enable secrets (#187935)\n\n## Summary\r\n\r\nCloses https://github.com/elastic/kibana/issues/187933\r\nCloses https://github.com/elastic/kibana/issues/186845\r\n\r\nFixed missing policy filter when checking if Fleet Servers met minimum\r\nversion to enable secrets storage.\r\nThe integration tests cover now a case where there are no fleet servers\r\nbut there are agents with minimum version, to verify that the query\r\nfilters them out.\r\n\r\nManual verification is hard because you can't enroll an agent without\r\nenrolling FS with at least the same version.\r\nIt could be done by manually creating docs in `.fleet-agents`.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"5761a382e144799b09e45fe5cd59e0c1a012c81e","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Fleet","backport:prev-minor","v8.16.0"],"title":"[Fleet] Missing policy filter in Fleet Server check to enable secrets","number":187935,"url":"https://github.com/elastic/kibana/pull/187935","mergeCommit":{"message":"[Fleet] Missing policy filter in Fleet Server check to enable secrets (#187935)\n\n## Summary\r\n\r\nCloses https://github.com/elastic/kibana/issues/187933\r\nCloses https://github.com/elastic/kibana/issues/186845\r\n\r\nFixed missing policy filter when checking if Fleet Servers met minimum\r\nversion to enable secrets storage.\r\nThe integration tests cover now a case where there are no fleet servers\r\nbut there are agents with minimum version, to verify that the query\r\nfilters them out.\r\n\r\nManual verification is hard because you can't enroll an agent without\r\nenrolling FS with at least the same version.\r\nIt could be done by manually creating docs in `.fleet-agents`.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"5761a382e144799b09e45fe5cd59e0c1a012c81e"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/187935","number":187935,"mergeCommit":{"message":"[Fleet] Missing policy filter in Fleet Server check to enable secrets (#187935)\n\n## Summary\r\n\r\nCloses https://github.com/elastic/kibana/issues/187933\r\nCloses https://github.com/elastic/kibana/issues/186845\r\n\r\nFixed missing policy filter when checking if Fleet Servers met minimum\r\nversion to enable secrets storage.\r\nThe integration tests cover now a case where there are no fleet servers\r\nbut there are agents with minimum version, to verify that the query\r\nfilters them out.\r\n\r\nManual verification is hard because you can't enroll an agent without\r\nenrolling FS with at least the same version.\r\nIt could be done by manually creating docs in `.fleet-agents`.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"5761a382e144799b09e45fe5cd59e0c1a012c81e"}}]}] BACKPORT--> Co-authored-by: Julia Bardi <[email protected]>
When an Elastic Agent running on a version older than 8.10 is detected, the "policy secrets are disabled" callout will be visible, and secrets storage will be disabled. This is unexpected, as this check should only be triggered for Fleet Server agents.
The text was updated successfully, but these errors were encountered: