Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fleet] Add .fleet-secrets system index #95625

Merged
merged 22 commits into from
May 12, 2023
Merged

[Fleet] Add .fleet-secrets system index #95625

merged 22 commits into from
May 12, 2023

Conversation

hop-dev
Copy link
Contributor

@hop-dev hop-dev commented Apr 27, 2023
edited by juliaElastic
Loading

Part of elastic/kibana#154715

Closes #95143

The .fleet-secrets index will contain agent policy secrets. An example of a secret is a password or API key. Kibana has write access only to the index, and fleet server has read access.

I have kept it in the fleet area as it is managed by us.

@hop-dev hop-dev self-assigned this Apr 27, 2023
@elasticsearchmachine elasticsearchmachine added v8.9.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Apr 27, 2023
@hop-dev hop-dev marked this pull request as ready for review May 2, 2023 16:12
@hop-dev hop-dev added >feature Team:Core/Infra Meta label for core/infra team labels May 9, 2023
@elasticsearchmachine elasticsearchmachine removed the Team:Core/Infra Meta label for core/infra team label May 9, 2023
@hop-dev hop-dev added the Team:Core/Infra Meta label for core/infra team label May 9, 2023
@elasticsearchmachine elasticsearchmachine removed the Team:Core/Infra Meta label for core/infra team label May 9, 2023
@hop-dev hop-dev added :Core/Infra/Core Core issues without another label :Core/Infra/Plugins Plugin API and infrastructure and removed :Core/Infra/Core Core issues without another label labels May 9, 2023
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label May 9, 2023
@elasticsearchmachine
Copy link
Collaborator

Hi @hop-dev, I've created a changelog YAML for you.

@hop-dev hop-dev requested a review from andreidan May 9, 2023 14:05
@hop-dev hop-dev mentioned this pull request May 9, 2023
Closed
@hop-dev hop-dev removed the request for review from andreidan May 9, 2023 15:52
@rjernst rjernst requested a review from williamrandolph May 9, 2023 19:57
rjernst
rjernst reviewed May 9, 2023
View reviewed changes
Copy link
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've asked @williamrandolph to take a look, but in the meantime, I have one general thought. While I understand the note about the intention to use this index with enterprise search in the future, I think the name is too generic. It could easily be confused by developers as a general purpose index within Elasticsearch internals, such as .security. I think the name should be narrowed.

One idea is .external-secrets. Another (and my preferred) is to use .fleet-secrets here, and use another system index name for enterprise search. In any case, these are system indices, so the preferred approach is to wrap these indices with rest apis which have complete control over them. Then the particular index name matters even less.

@jimczi
Copy link
Contributor

jimczi commented May 10, 2023

One idea is .external-secrets. Another (and my preferred) is to use .fleet-secrets here, and use another system index name for enterprise search. In any case, these are system indices, so the preferred approach is to wrap these indices with rest apis which have complete control over them. Then the particular index name matters even less.

+1 for .fleet-secrets, the sharing is not mandatory and we might want different rest APIs for fleet and enterprise-search.

@hop-dev
Copy link
Contributor Author

hop-dev commented May 10, 2023

@rjernst @jimczi on reflection I think you are completely right, thanks for the feedback.

I will test the change now and get back to you 👍

@hop-dev
Copy link
Contributor Author

hop-dev commented May 10, 2023

@rjernst @jimczi I have moved to .fleet-secrets now

@hop-dev hop-dev changed the title [Fleet] Add .secrets system index [Fleet] Add .fleet-secrets system index May 10, 2023
@elasticsearchmachine
Copy link
Collaborator

Hi @hop-dev, I've updated the changelog YAML for you.

@hop-dev hop-dev requested a review from rjernst May 11, 2023 15:01
@juliaElastic
Copy link
Contributor

@rjernst @jimczi Are you ready to approve? We are waiting for this to go ahead with the Fleet feature.

@juliaElastic
Copy link
Contributor

@hop-dev updated a few remaining occurrences of .secrets.

@hop-dev
Copy link
Contributor Author

hop-dev commented May 12, 2023

@juliaElastic Thanks for that! I have re-posted in #es-core-infra to try and get a review

rjernst
rjernst approved these changes May 12, 2023
View reviewed changes
Copy link
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hop-dev hop-dev merged commit 4767f1e into elastic:main May 12, 2023
@hop-dev hop-dev deleted the fleet-secrets branch May 12, 2023 14:35
This was referenced May 13, 2023
Merged
Closed
This was referenced Jul 17, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rjernst rjernst rjernst approved these changes

@williamrandolph williamrandolph Awaiting requested review from williamrandolph

Assignees

@hop-dev hop-dev

Labels
:Core/Infra/Plugins Plugin API and infrastructure external-contributor Pull request authored by a developer outside the Elasticsearch team >feature Team:Core/Infra Meta label for core/infra team Team:Fleet v8.9.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Fleet] Create .fleet-secrets system index
5 participants
@hop-dev @elasticsearchmachine @jimczi @juliaElastic @rjernst