
[Fleet] Secrets are disabled when an agent running < 8.10 is enrolled, regardless of whether it is a Fleet Server agent #186845

Closed
kpollich opened this issue Jun 24, 2024 · 4 comments · Fixed by #187935
Assignees
Labels
Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@kpollich
Member

kpollich commented Jun 24, 2024

When an Elastic Agent running on a version older than 8.10 is detected, the "policy secrets are disabled" callout will be visible, and secrets storage will be disabled. This is unexpected, as this check should only be triggered for Fleet Server agents.

@kpollich kpollich added the Team:Fleet Team label for Observability Data Collection Fleet team label Jun 24, 2024
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@lucabelluccini
Contributor

lucabelluccini commented Jun 24, 2024

At least in some tests I've performed, the banner was showing up even if there were Agents < 8.10 with no Fleet Server policy.
I cannot confirm those tests were 100% valid as the cluster I've tested on was full of very old Elastic Agents and some of them might have been Fleet Servers in the past.

I've unenrolled all Elastic Agents < 8.10 and the banner was finally removed.

I wonder how we handle adding an old Fleet Server < 8.10 to a cluster running 8.14. How should the product behave?
After the tests above (so the banner was gone)...

  • I tried to install an Elastic Agent 8.9.0 to ESS 8.14.1 and adding an integration policy with secrets didn't show the banner.
  • I tried to install a Fleet Server 8.9.0 to ESS 8.14.1 and adding an integration policy with secrets didn't show the banner.

TL;DR:

  • We must make sure we show the banner only if Fleet Servers are still active and they are < 8.10 (as it seems the only requirement to respect for Fleet-managed secrets)
  • We must review how the product behaves if a user re-enrolls a Fleet Server < 8.10. Should we prevent the addition? It behaves like an opt-in feature which cannot be rolled back.

@juliaElastic
Contributor

juliaElastic commented Jul 11, 2024

This issue will be fixed by #187935
The logic was incorrectly checking all agents (not just fleet servers) to disable secrets when there is one with an older version.
There is a flag that is set when requirements are met to enable secrets, so secrets are not turned off if an old version of Fleet Server is added later.

Tested the scenarios manually with the pr changes:

  • secrets should be disabled initially
  • enroll a fleet server 8.9.2
  • enroll an agent 8.9.2
  • upgrade fleet-server (or enroll another one) to at least 8.12.0, make sure the old one is unenrolled
  • secrets should be enabled now
  • enroll a fleet-server 8.9.2 again
  • the secrets stay enabled
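
The check described in the two comments above, as an added example that is not Kibana's own code: the pre-fix check that looked at every enrolled agent, the fixed check that only considers agents on a Fleet Server policy, and a persisted flag that keeps secrets enabled once the requirement has been met. The type names, `MIN_FLEET_SERVER_VERSION`, the settings field name and the sample agents are assumptions constructed for this example.

```typescript
// Added example modelling the Fleet Server minimum-version check from this issue.
// Type names, the settings field and the sample data are assumptions, not Kibana code.

type Agent = { id: string; policy_id: string; version: string; active: boolean };
type FleetSettings = { secret_storage_requirements_met: boolean };

// Assumed threshold, taken from the "< 8.10" wording in the issue.
const MIN_FLEET_SERVER_VERSION = '8.10.0';

// Numeric major.minor.patch parse; a pre-release suffix such as "-SNAPSHOT" is ignored.
function parseVersion(v: string): number[] {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10));
}

// True when a >= b, comparing each numeric component in turn.
function versionGte(a: string, b: string): boolean {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Pre-fix behaviour: every active agent is inspected, so a single old
// non-Fleet-Server agent is enough to disable secrets storage.
function allAgentsMeetMinVersionBuggy(agents: Agent[]): boolean {
  return agents.filter((a) => a.active).every((a) => versionGte(a.version, MIN_FLEET_SERVER_VERSION));
}

// Fixed behaviour: only active agents enrolled in a Fleet Server policy count,
// and at least one such agent must exist before secrets can be enabled.
function fleetServersMeetMinVersion(agents: Agent[], fleetServerPolicyIds: Set<string>): boolean {
  const fleetServers = agents.filter((a) => a.active && fleetServerPolicyIds.has(a.policy_id));
  return fleetServers.length > 0 && fleetServers.every((a) => versionGte(a.version, MIN_FLEET_SERVER_VERSION));
}

// Once the requirement has been met the flag is persisted, so re-enrolling an
// old Fleet Server afterwards does not turn secrets back off.
function secretsEnabled(settings: FleetSettings, agents: Agent[], fsPolicies: Set<string>): { enabled: boolean; settings: FleetSettings } {
  if (settings.secret_storage_requirements_met) return { enabled: true, settings };
  const met = fleetServersMeetMinVersion(agents, fsPolicies);
  return { enabled: met, settings: { secret_storage_requirements_met: met } };
}

// Constructed sample: one Fleet Server on 8.12.0 plus a lagging 8.9.2 agent.
const sampleAgents: Agent[] = [
  { id: 'fs-1', policy_id: 'fleet-server-policy', version: '8.12.0', active: true },
  { id: 'agent-1', policy_id: 'default-policy', version: '8.9.2', active: true },
];
const FS_POLICIES = new Set(['fleet-server-policy']);
```

With the sample data the pre-fix check disables secrets because of the 8.9.2 agent, while the fixed check enables them and the flag then survives a later 8.9.2 Fleet Server enrollment.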

kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Jul 11, 2024
…elastic#187935)

## Summary

Closes elastic#187933
Closes elastic#186845

Fixed missing policy filter when checking if Fleet Servers met minimum
version to enable secrets storage.
The integration tests now cover a case where there are no fleet servers
but there are agents with minimum version, to verify that the query
filters them out.

Manual verification is hard because you can't enroll an agent without
enrolling FS with at least the same version.
It could be done by manually creating docs in `.fleet-agents`.

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit 5761a38)
@lucabelluccini
Contributor

Thank you @juliaElastic !

> There is a flag that is set when requirements are met to enable secrets, so secrets are not turned off if an old version of Fleet Server is added later.

Is there any consequence? Are Fleet Servers < 8.10 able to handle the secret fields?

kibanamachine referenced this issue Jul 11, 2024
…secrets (#187935) (#188089)

# Backport

This will backport the following commits from `main` to `8.15`:
- [[Fleet] Missing policy filter in Fleet Server check to enable secrets
(#187935)](#187935)

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

Co-authored-by: Julia Bardi <[email protected]>