remove flags for policy defaulting #30256
Conversation
lykkin
added
enhancement
Team:Elastic-Agent-Control-Plane
botelastic
bot
added
needs_team
lykkin
changed the title
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
…in package policy separation
|
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane) |
Co-authored-by: Josh Dover <[email protected]>
…leet-policy-updates
There was a problem hiding this comment.
This looks good to me, I would like a second reviewer @blakerouse can you review this please.
@lykkin Thanks for the test and the clarify in the log statement.
| return &policy, nil | ||
| } | ||
| } else { | ||
| if policy.IsDefault { | ||
| if policy.Name == cfg.Fleet.DefaultTokenPolicyName { | ||
| logWarn(streams, "using default policy name:", policy.Name) | ||
| return &policy, nil | ||
| } | ||
| } |
There was a problem hiding this comment.
Thanks for the added logging and making it explicit this will helps us.
| if policyName == "" { | ||
| logWarn(streams, "No policy name set, please set the FLEET_TOKEN_POLICY_NAME environment variable to the agent policy name.") | ||
| } | ||
| } |
There was a problem hiding this comment.
@blakerouse I need to relearn the quirks of the enrollment process, but should we just error out?
| @@ -81,6 +81,7 @@ The following actions are possible and grouped based on the actions. | |||
| KIBANA_FLEET_HOST - kibana host to enable create enrollment token on [$KIBANA_HOST] | |||
| FLEET_TOKEN_NAME - token name to use for fetching token from Kibana. This requires Kibana configs to be set. | |||
| FLEET_TOKEN_POLICY_NAME - token policy name to use for fetching token from Kibana. This requires Kibana configs to be set. | |||
| DEFAULT_FLEET_TOKEN_POLICY_NAME - token policy name to use when [$FLEET_TOKEN_POLICY_NAME] is not set. Defaults to "Default policy". | |||
There was a problem hiding this comment.
Why is this extra needed? Can't the default just be there for FLEET_TOKEN_POLICY_NAME when one is not provided?
There was a problem hiding this comment.
this is in response to the above conversation saying the default should be configurable. maybe i misunderstood what was being said?
it does seem a bit redundant to me though, since someone could just set the policy id up front when they are configuring their instance.
i suppose it could be useful if someone wanted to set up different defaults assuming the policy an agent is looking for disappears. not too sure how much we want to worry about that situation.
| @@ -95,7 +96,8 @@ The following actions are possible and grouped based on the actions. | |||
| FLEET_SERVER_ELASTICSEARCH_CA_TRUSTED_FINGERPRINT - The sha-256 fingerprint value of the certificate authority to trust | |||
| FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch | |||
| FLEET_SERVER_SERVICE_TOKEN - service token to use for communication with elasticsearch | |||
| FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself ("Default Fleet Server policy" used when undefined) | |||
| FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself ([$DEFAULT_FLEET_SERVER_POLICY_ID] used when undefined) | |||
| DEFAULT_FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself when none is specified. (defaults to "fleet-server-policy") | |||
There was a problem hiding this comment.
Don't see the need for this option. Just make the default for FLEET_SERVER_POLICY_ID when one is not provided.
|
|
||
| if cfg.FleetServer.Enable { | ||
| if policyID == "" { | ||
| logWarn(streams, "No policy id set, please set the FLEET_SERVER_POLICY_ID environment variable to the fleet server policy id.") |
There was a problem hiding this comment.
Maybe I missed part of a conversation, but whats the point of this warning? I believe that Fleet Server will find the policy correctly without an ID. So is a warning here really needed?
There was a problem hiding this comment.
here's what i understand this code to mean:
this would be hit if the user didn't configure either a policy id or default when hosting a fleet server under the agent. this gives more specific information to the user assuming the agent fails to find a policy to get a token from.
this coincides with a path that halts start up of the agent.
i'll add comments for both of this situation, and the one below.
| } | ||
| } else { | ||
| if policyName == "" { | ||
| logWarn(streams, "No policy name set, please set the FLEET_TOKEN_POLICY_NAME environment variable to the agent policy name.") |
There was a problem hiding this comment.
Again can you give me more detail here? Maybe a code comment would be good to explain the flow here.
|
This pull request is now in conflicts. Could you fix it? 🙏 |
|
@lykkin can you apply the comments / changes from @blakerouse? |
|
@lykkin can we close this one as it's targeting the old elastic agent folder? |
|
This PR is not relevant anymore as agent was moved. |
What does this PR do?
Updates the agent policy selection logic to avoid using the
is_default*flags.Fixes #29774
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.How to test this PR locally
Unit tests are added for the new code.
Related issues
Closes #29774
Use cases
Screenshots
Logs