elastic · lykkin · Feb 8, 2022 · Feb 8, 2022 · Feb 8, 2022 · Feb 8, 2022
@@ -159,3 +159,4 @@
 - Discover changes in Kubernetes nodes metadata as soon as they happen. {pull}23139[23139]
 - Add results of inspect output command into archive produced by diagnostics collect. {pull}29902[29902]
 - Add support for loading input configuration from external configuration files in standalone mode. You can load inputs from YAML configuration files under the folder `{path.config}/inputs.d`. {pull}30087[30087]
+- Changed the default policy selection logic. When an agent is unmanaged and no policy id/name has been specified upon enroll, the agent will select a random unmanaged policy. {issue}29774[29774] {pull}30256[30256]
@@ -64,6 +64,10 @@ paths based on the operating system then starts the Elastic Agent service. The
 When the `container` command is executed it first copies the `data/downloads` directory
 into a state path (`STATE_PATH`) then it executes the `enroll` command.
 
+When using the `container` command, a policy ID for the agent should be supplied via the
+`FLEET_SERVER_POLICY` environment variable. If this value is omitted, the agent will attempt
+to use the default policy ID, which can be configured via `DEFAULT_FLEET_SERVER_POLICY`
+
 ==== Enroll Command
 
 This is where all the actual work of bootstrapping is performed.

@@ -81,6 +81,7 @@ The following actions are possible and grouped based on the actions.
   KIBANA_FLEET_HOST - kibana host to enable create enrollment token on [$KIBANA_HOST]
   FLEET_TOKEN_NAME - token name to use for fetching token from Kibana. This requires Kibana configs to be set.
   FLEET_TOKEN_POLICY_NAME - token policy name to use for fetching token from Kibana. This requires Kibana configs to be set.
+  DEFAULT_FLEET_TOKEN_POLICY_NAME - token policy name to use when [$FLEET_TOKEN_POLICY_NAME] is not set. Defaults to "Default policy".
 
 * Bootstrapping Fleet Server
   This bootstraps the Fleet Server to be run by this Elastic Agent. At least one Fleet Server is required in a Fleet
@@ -95,7 +96,8 @@ The following actions are possible and grouped based on the actions.
   FLEET_SERVER_ELASTICSEARCH_CA_TRUSTED_FINGERPRINT - The sha-256 fingerprint value of the certificate authority to trust
   FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch
   FLEET_SERVER_SERVICE_TOKEN - service token to use for communication with elasticsearch
-  FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself ("Default Fleet Server policy" used when undefined)
+  FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself ([$DEFAULT_FLEET_SERVER_POLICY_ID] used when undefined)
+  DEFAULT_FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself when none is specified. (defaults to "fleet-server-policy")
   FLEET_SERVER_HOST - binding host for Fleet Server HTTP (overrides the policy). By default this is 0.0.0.0.
   FLEET_SERVER_PORT - binding port for Fleet Server HTTP (overrides the policy)
   FLEET_SERVER_CERT - path to certificate to use for HTTPS endpoint
@@ -146,6 +148,10 @@ func logError(streams *cli.IOStreams, err error) {
 	fmt.Fprintf(streams.Err, "Error: %v\n%s\n", err, troubleshootMessage())
 }
 
+func logWarn(streams *cli.IOStreams, a ...interface{}) {
+	fmt.Fprintln(streams.Out, append([]interface{}{"WARN: "}, a...)...)
+}
+
 func logInfo(streams *cli.IOStreams, a ...interface{}) {
 	fmt.Fprintln(streams.Out, a...)
 }
@@ -498,7 +504,10 @@ func kibanaFetchPolicy(cfg setupConfig, client *kibana.Client, streams *cli.IOSt
 	if err != nil {
 		return nil, err
 	}
-	return findPolicy(cfg, policies.Items)
+	if err != nil {
+		return nil, err
+	}
+	return findPolicy(cfg, policies.Items, streams)
 }
 
 func kibanaFetchToken(cfg setupConfig, client *kibana.Client, policy *kibanaPolicy, streams *cli.IOStreams, tokenName string) (string, error) {
@@ -541,31 +550,46 @@ func kibanaClient(cfg kibanaConfig, headers map[string]string) (*kibana.Client,
 	}, 0, "Elastic-Agent")
 }
 
-func findPolicy(cfg setupConfig, policies []kibanaPolicy) (*kibanaPolicy, error) {
+func findPolicy(cfg setupConfig, policies []kibanaPolicy, streams *cli.IOStreams) (*kibanaPolicy, error) {
 	policyID := ""
 	policyName := cfg.Fleet.TokenPolicyName
 	if cfg.FleetServer.Enable {
 		policyID = cfg.FleetServer.PolicyID
 	}
+
 	for _, policy := range policies {
 		if policyID != "" {
 			if policyID == policy.ID {
+				logInfo(streams, "using policy with id", policyID)
 				return &policy, nil
 			}
 		} else if policyName != "" {
 			if policyName == policy.Name {
+				logInfo(streams, "using policy named", policyName)
 				return &policy, nil
 			}
 		} else if cfg.FleetServer.Enable {
-			if policy.IsDefaultFleetServer {
+			if policy.ID == cfg.FleetServer.DefaultPolicyID {
+				logWarn(streams, "using default fleet policy id:", policy.ID)
 				return &policy, nil
 			}
 		} else {
-			if policy.IsDefault {
+			if policy.Name == cfg.Fleet.DefaultTokenPolicyName {
+				logWarn(streams, "using default policy name:", policy.Name)
 				return &policy, nil
 			}
 		}
 	}
+
+	if cfg.FleetServer.Enable {
+		if policyID == "" {
+			logWarn(streams, "No policy id set, please set the FLEET_SERVER_POLICY_ID environment variable to the fleet server policy id.")
+		}
+	} else {
+		if policyName == "" {
+			logWarn(streams, "No policy name set, please set the FLEET_TOKEN_POLICY_NAME environment variable to the agent policy name.")
+		}
+	}
 	return nil, fmt.Errorf(`unable to find policy named "%s"`, policyName)
 }
 
@@ -899,11 +923,9 @@ func copyFile(destPath string, srcPath string, mode os.FileMode) error {
 }
 
 type kibanaPolicy struct {
-	ID                   string `json:"id"`
-	Name                 string `json:"name"`
-	Status               string `json:"status"`
-	IsDefault            bool   `json:"is_default"`
-	IsDefaultFleetServer bool   `json:"is_default_fleet_server"`
+	ID     string `json:"id"`
+	Name   string `json:"name"`
+	Status string `json:"status"`
 }
 
 type kibanaPolicies struct {

@@ -0,0 +1,199 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package cmd
+
+import (
+	"testing"
+
+	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli"
+
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	defaultFleetPolicy = kibanaPolicy{
+		ID:     "fleet-server-policy",
+		Name:   "Default Fleet Server policy",
+		Status: "active",
+	}
+	defaultAgentPolicy = kibanaPolicy{
+		ID:     "2016d7cc-135e-5583-9758-3ba01f5a06e5",
+		Name:   "Default policy",
+		Status: "active",
+	}
+	nondefaultAgentPolicy = kibanaPolicy{
+		ID:     "bc634ea6-8460-4925-babd-7540c3e7df24",
+		Name:   "Another free policy",
+		Status: "active",
+	}
+
+	nondefaultFleetPolicy = kibanaPolicy{
+		ID:     "7b0093d2-7eab-4862-86c8-63b3dd1db001",
+		Name:   "Some kinda dependent policy",
+		Status: "active",
+	}
+)
+
+var streams *cli.IOStreams = cli.NewIOStreams()
+
+var policies kibanaPolicies = kibanaPolicies{
+	Items: []kibanaPolicy{
+		defaultFleetPolicy,
+		defaultAgentPolicy,
+		nondefaultAgentPolicy,
+		nondefaultFleetPolicy,
+	},
+}
+
+// Finding policies
+
+func TestFindPolicyById(t *testing.T) {
+	cfg := setupConfig{
+		FleetServer: fleetServerConfig{
+			Enable:   true,
+			PolicyID: "7b0093d2-7eab-4862-86c8-63b3dd1db001",
+		},
+	}
+
+	policy, err := findPolicy(cfg, policies.Items, streams)
+	require.NoError(t, err)
+	require.Equal(t, &nondefaultFleetPolicy, policy)
+}
+
+func TestFindPolicyByName(t *testing.T) {
+	cfg := setupConfig{
+		Fleet: fleetConfig{
+			TokenPolicyName: "Default policy",
+		},
+	}
+
+	policy, err := findPolicy(cfg, policies.Items, streams)
+	require.NoError(t, err)
+	require.Equal(t, &defaultAgentPolicy, policy)
+}
+
+func TestFindPolicyByIdOverName(t *testing.T) {
+	cfg := setupConfig{
+		Fleet: fleetConfig{
+			TokenPolicyName: "Default policy",
+		},
+		FleetServer: fleetServerConfig{
+			Enable:   true,
+			PolicyID: "7b0093d2-7eab-4862-86c8-63b3dd1db001",
+		},
+	}
+
+	policy, err := findPolicy(cfg, policies.Items, streams)
+	require.NoError(t, err)
+	require.Equal(t, &nondefaultFleetPolicy, policy)
+}
+
+func TestFindPolicyByIdMiss(t *testing.T) {
+	cfg := setupConfig{
+		FleetServer: fleetServerConfig{
+			Enable:   true,
+			PolicyID: "invalid id",
+		},
+	}
+
+	policy, err := findPolicy(cfg, policies.Items, streams)
+	require.Error(t, err)
+	require.Nil(t, policy)
+}
+
+func TestFindPolicyByNameMiss(t *testing.T) {
+	cfg := setupConfig{
+		Fleet: fleetConfig{
+			TokenPolicyName: "invalid name",
+		},
+	}
+
+	policy, err := findPolicy(cfg, policies.Items, streams)
+	require.Error(t, err)
+	require.Nil(t, policy)
+}
+
+func TestFindPolicyDefaultFleet(t *testing.T) {
+	cfg := setupConfig{
+		FleetServer: fleetServerConfig{
+			Enable:          true,
+			DefaultPolicyID: "fleet-server-policy",
+		},
+	}
+
+	items := []kibanaPolicy{
+		defaultAgentPolicy,
+		nondefaultAgentPolicy,
+		nondefaultFleetPolicy,
+		defaultFleetPolicy,
+	}
+
+	policy, err := findPolicy(cfg, items, streams)
+	require.NoError(t, err)
+	require.Equal(t, &defaultFleetPolicy, policy)
+}
+
+func TestFindPolicyAmbiguousNoDefaultFleet(t *testing.T) {
+	cfg := setupConfig{
+		FleetServer: fleetServerConfig{
+			Enable: true,
+		},
+	}
+
+	items := []kibanaPolicy{
+		defaultAgentPolicy,
+		nondefaultAgentPolicy,
+		nondefaultFleetPolicy,
+		defaultFleetPolicy,
+	}
+
+	policy, err := findPolicy(cfg, items, streams)
+	require.Error(t, err)
+	require.Nil(t, policy)
+}
+
+func TestFindPolicyDefaultNonFleet(t *testing.T) {
+	cfg := setupConfig{
+		Fleet: fleetConfig{
+			DefaultTokenPolicyName: "Default policy",
+		},
+		FleetServer: fleetServerConfig{
+			Enable: false,
+		},
+	}
+
+	policy, err := findPolicy(cfg, policies.Items, streams)
+	require.NoError(t, err)
+	require.Equal(t, &defaultAgentPolicy, policy)
+}
+
+func TestFindPolicyNoMatchNonFleet(t *testing.T) {
+	cfg := setupConfig{
+		FleetServer: fleetServerConfig{
+			Enable: false,
+		},
+	}
+
+	policy, err := findPolicy(cfg, policies.Items, streams)
+	require.Error(t, err)
+	require.Nil(t, policy)
+}
+
+func TestFindPolicyNoMatchFleet(t *testing.T) {
+	cfg := setupConfig{
+		FleetServer: fleetServerConfig{
+			Enable: true,
+		},
+	}
+
+	items := []kibanaPolicy{
+		defaultAgentPolicy,
+		nondefaultAgentPolicy,
+		nondefaultFleetPolicy,
+	}
+	policy, err := findPolicy(cfg, items, streams)
+	require.Error(t, err)
+	require.Nil(t, policy)
+}