Merge branch 'main' into o11y-rbac-rule-feature-branch

.buildkite/pipelines/on_merge_unsupported_ftrs.yml

@@ -88,7 +88,7 @@ steps:
   - command: .buildkite/scripts/steps/functional/defend_workflows.sh
     label: 'Defend Workflows Cypress Tests'
     agents:
-      queue: n2-4-spot
+      queue: n2-4-virt
     depends_on: build
     timeout_in_minutes: 120
     parallelism: 6

.buildkite/pipelines/pull_request/defend_workflows.yml

@@ -14,7 +14,7 @@ steps:
   - command: .buildkite/scripts/steps/functional/defend_workflows_serverless.sh
     label: 'Defend Workflows Cypress Tests on Serverless'
     agents:
-      queue: n2-4-spot
+      queue: n2-4-virt
     depends_on: build
     timeout_in_minutes: 120
     parallelism: 2

packages/kbn-dev-utils/src/dev_service_account.ts

@@ -10,7 +10,7 @@ const env = process.env;
 
 /**
  * `kibana-dev` service account token for connecting to ESS
- * See packages/kbn-es/src/ess_resources/README.md
+ * See packages/kbn-es/src/serverless_resources/README.md
  */
 export const kibanaDevServiceAccount = {
   token:

packages/kbn-es/src/cli_commands/serverless.ts

@@ -28,19 +28,19 @@ export const serverless: Command = {
     return dedent`
     Options:
 
-      --tag               Image tag of ESS to run from ${SERVERLESS_REPO} [default: ${SERVERLESS_TAG}]
-      --image             Full path of ESS image to run, has precedence over tag. [default: ${SERVERLESS_IMG}]
+      --tag               Image tag of ES serverless to run from ${SERVERLESS_REPO} [default: ${SERVERLESS_TAG}]
+      --image             Full path of ES serverless image to run, has precedence over tag. [default: ${SERVERLESS_IMG}]
       
-      --background        Start ESS without attaching to the first node's logs
+      --background        Start ES serverless without attaching to the first node's logs
       --basePath          Path to the directory where the ES cluster will store data
       --clean             Remove existing file system object store before running
-      --kill              Kill running ESS nodes if detected on startup
+      --kill              Kill running ES serverless nodes if detected on startup
       --port              The port to bind to on 127.0.0.1 [default: ${DEFAULT_PORT}]
-      --ssl               Enable HTTP SSL on Elasticsearch
+      --ssl               Enable HTTP SSL on the ES cluster
       --skipTeardown      If this process exits, leave the ES cluster running in the background
       --waitForReady      Wait for the ES cluster to be ready to serve requests
       
-      -E                  Additional key=value settings to pass to Elasticsearch
+      -E                  Additional key=value settings to pass to ES
       -F                  Absolute paths for files to mount into containers
 
     Examples:

packages/kbn-es/src/paths.ts

@@ -24,31 +24,43 @@ export const ES_CONFIG = 'config/elasticsearch.yml';
 
 export const ES_KEYSTORE_BIN = maybeUseBat('./bin/elasticsearch-keystore');
 
-export const ESS_OPERATOR_USERS_PATH = resolve(__dirname, './ess_resources/operator_users.yml');
-export const ESS_SERVICE_TOKENS_PATH = resolve(__dirname, './ess_resources/service_tokens');
+export const SERVERLESS_OPERATOR_USERS_PATH = resolve(
+  __dirname,
+  './serverless_resources/operator_users.yml'
+);
+export const SERVERLESS_SERVICE_TOKENS_PATH = resolve(
+  __dirname,
+  './serverless_resources/service_tokens'
+);
 
-export const ESS_USERS_PATH = resolve(__dirname, './ess_resources/users');
-export const ESS_USERS_ROLES_PATH = resolve(__dirname, './ess_resources/users_roles');
+export const SERVERLESS_USERS_PATH = resolve(__dirname, './serverless_resources/users');
+export const SERVERLESS_USERS_ROLES_PATH = resolve(__dirname, './serverless_resources/users_roles');
 
-export const ESS_ROLES_PATH = resolve(__dirname, './ess_resources/roles.yml');
-export const ESS_ROLE_MAPPING_PATH = resolve(__dirname, './ess_resources/role_mapping.yml');
+export const SERVERLESS_ROLES_PATH = resolve(__dirname, './serverless_resources/roles.yml');
+export const SERVERLESS_ROLE_MAPPING_PATH = resolve(
+  __dirname,
+  './serverless_resources/role_mapping.yml'
+);
 
-export const ESS_SECRETS_PATH = resolve(__dirname, './ess_resources/secrets.json');
+export const SERVERLESS_SECRETS_PATH = resolve(__dirname, './serverless_resources/secrets.json');
 
-export const ESS_SECRETS_SSL_PATH = resolve(__dirname, './ess_resources/secrets_ssl.json');
+export const SERVERLESS_SECRETS_SSL_PATH = resolve(
+  __dirname,
+  './serverless_resources/secrets_ssl.json'
+);
 
-export const ESS_JWKS_PATH = resolve(__dirname, './ess_resources/jwks.json');
+export const SERVERLESS_JWKS_PATH = resolve(__dirname, './serverless_resources/jwks.json');
 
-export const ESS_RESOURCES_PATHS = [
-  ESS_OPERATOR_USERS_PATH,
-  ESS_ROLE_MAPPING_PATH,
-  ESS_ROLES_PATH,
-  ESS_SERVICE_TOKENS_PATH,
-  ESS_USERS_PATH,
-  ESS_USERS_ROLES_PATH,
+export const SERVERLESS_RESOURCES_PATHS = [
+  SERVERLESS_OPERATOR_USERS_PATH,
+  SERVERLESS_ROLE_MAPPING_PATH,
+  SERVERLESS_ROLES_PATH,
+  SERVERLESS_SERVICE_TOKENS_PATH,
+  SERVERLESS_USERS_PATH,
+  SERVERLESS_USERS_ROLES_PATH,
 ];
 
-export const ESS_CONFIG_PATH = '/usr/share/elasticsearch/config/';
+export const SERVERLESS_CONFIG_PATH = '/usr/share/elasticsearch/config/';
 
 // Files need to be inside config for permissions reasons inside the container
-export const ESS_FILES_PATH = `${ESS_CONFIG_PATH}files/`;
+export const SERVERLESS_FILES_PATH = `${SERVERLESS_CONFIG_PATH}files/`;

packages/kbn-es/src/ess_resources/README.md → packages/kbn-es/src/serverless_resources/README.md

@@ -1,5 +1,5 @@
 # Elasticsearch Serverless Resources
-The resources in this directory are used for seeding Elasticsearch Serverless (ESS) images with users, roles and tokens for SSL and authentication. ESS requires file realm authentication, so we will bind mount them into the containers at `/usr/share/elasticsearch/config/`.
+The resources in this directory are used for seeding Elasticsearch Serverless images with users, roles and tokens for SSL and authentication. Serverless requires file realm authentication, so we will bind mount them into the containers at `/usr/share/elasticsearch/config/`.
 
 ## Users
 
@@ -21,7 +21,7 @@ password: changeme
 
 ## Service Account and Tokens
 
-This section for Service Accounts was originally from the [ESS repository](https://github.com/elastic/elasticsearch-serverless/blob/main/serverless-build-tools/src/main/resources/README.service_tokens.md).
+This section for Service Accounts was originally from the [ES Serverless repository](https://github.com/elastic/elasticsearch-serverless/blob/main/serverless-build-tools/src/main/resources/README.service_tokens.md).
 
 The "service_tokens" file contains this line:
 ```
@@ -46,4 +46,4 @@ If a node is configured to use this `service_tokens` file, then you can authenti
 curl -H "Authorization: Bearer AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYS1kZXY6VVVVVVVVTEstKiBaNA" http://localhost:9200/_security/_authenticate
 ```
 
-The name of the token (`kibana-dev`) is important because the `operator_users.yml` file designates that token as an operator and allows us to seed an ESS cluster with this token.
+The name of the token (`kibana-dev`) is important because the `operator_users.yml` file designates that token as an operator and allows us to seed a serverless cluster with this token.

packages/kbn-es/src/utils/docker.test.ts

@@ -32,7 +32,12 @@ import {
 } from './docker';
 import { ToolingLog, ToolingLogCollectingWriter } from '@kbn/tooling-log';
 import { ES_P12_PATH } from '@kbn/dev-utils';
-import { ESS_CONFIG_PATH, ESS_RESOURCES_PATHS, ESS_SECRETS_PATH, ESS_JWKS_PATH } from '../paths';
+import {
+  SERVERLESS_CONFIG_PATH,
+  SERVERLESS_RESOURCES_PATHS,
+  SERVERLESS_SECRETS_PATH,
+  SERVERLESS_JWKS_PATH,
+} from '../paths';
 import * as waitClusterUtil from './wait_until_cluster_ready';
 
 jest.mock('execa');
@@ -77,8 +82,8 @@ afterEach(() => {
   jest.clearAllMocks();
 });
 
-const essResources = ESS_RESOURCES_PATHS.reduce<string[]>((acc, path) => {
-  acc.push(`${path}:${ESS_CONFIG_PATH}${basename(path)}`);
+const serverlessResources = SERVERLESS_RESOURCES_PATHS.reduce<string[]>((acc, path) => {
+  acc.push(`${path}:${SERVERLESS_CONFIG_PATH}${basename(path)}`);
 
   return acc;
 }, []);
@@ -88,10 +93,10 @@ const volumeCmdTest = async (volumeCmd: string[]) => {
   expect(volumeCmd).toEqual(
     expect.arrayContaining([
       ...getESp12Volume(),
-      ...essResources,
+      ...serverlessResources,
       `${baseEsPath}:/objectstore:z`,
-      `${ESS_SECRETS_PATH}:${ESS_CONFIG_PATH}secrets/secrets.json:z`,
-      `${ESS_JWKS_PATH}:${ESS_CONFIG_PATH}secrets/jwks.json:z`,
+      `${SERVERLESS_SECRETS_PATH}:${SERVERLESS_CONFIG_PATH}secrets/secrets.json:z`,
+      `${SERVERLESS_JWKS_PATH}:${SERVERLESS_CONFIG_PATH}secrets/jwks.json:z`,
     ])
   );
 
@@ -428,7 +433,11 @@ describe('setupServerlessVolumes()', () => {
 
     const volumeCmd = await setupServerlessVolumes(log, { basePath: baseEsPath, ssl: true });
 
-    const requiredPaths = [`${baseEsPath}:/objectstore:z`, ES_P12_PATH, ...ESS_RESOURCES_PATHS];
+    const requiredPaths = [
+      `${baseEsPath}:/objectstore:z`,
+      ES_P12_PATH,
+      ...SERVERLESS_RESOURCES_PATHS,
+    ];
     const pathsNotIncludedInCmd = requiredPaths.filter(
       (path) => !volumeCmd.some((cmd) => cmd.includes(path))
     );

packages/kbn-es/src/utils/docker.ts

@@ -24,17 +24,17 @@ import {
 import { createCliError } from '../errors';
 import { EsClusterExecOptions } from '../cluster_exec_options';
 import {
-  ESS_RESOURCES_PATHS,
-  ESS_SECRETS_PATH,
-  ESS_JWKS_PATH,
-  ESS_CONFIG_PATH,
-  ESS_FILES_PATH,
-  ESS_SECRETS_SSL_PATH,
+  SERVERLESS_RESOURCES_PATHS,
+  SERVERLESS_SECRETS_PATH,
+  SERVERLESS_JWKS_PATH,
+  SERVERLESS_CONFIG_PATH,
+  SERVERLESS_FILES_PATH,
+  SERVERLESS_SECRETS_SSL_PATH,
 } from '../paths';
 import {
   ELASTIC_SERVERLESS_SUPERUSER,
   ELASTIC_SERVERLESS_SUPERUSER_PASSWORD,
-} from './ess_file_realm';
+} from './serverless_file_realm';
 import { SYSTEM_INDICES_SUPERUSER } from './native_realm';
 import { waitUntilClusterReady } from './wait_until_cluster_ready';
 
@@ -167,21 +167,27 @@ const DEFAULT_SERVERLESS_ESARGS: Array<[string, string]> = [
 
   ['xpack.security.authc.realms.jwt.jwt1.order', '-98'],
 
-  ['xpack.security.authc.realms.jwt.jwt1.pkc_jwkset_path', `${ESS_CONFIG_PATH}secrets/jwks.json`],
+  [
+    'xpack.security.authc.realms.jwt.jwt1.pkc_jwkset_path',
+    `${SERVERLESS_CONFIG_PATH}secrets/jwks.json`,
+  ],
 
   ['xpack.security.operator_privileges.enabled', 'true'],
 
   ['xpack.security.transport.ssl.enabled', 'true'],
 
-  ['xpack.security.transport.ssl.keystore.path', `${ESS_CONFIG_PATH}certs/elasticsearch.p12`],
+  [
+    'xpack.security.transport.ssl.keystore.path',
+    `${SERVERLESS_CONFIG_PATH}certs/elasticsearch.p12`,
+  ],
 
   ['xpack.security.transport.ssl.verification_mode', 'certificate'],
 ];
 
 const DEFAULT_SSL_ESARGS: Array<[string, string]> = [
   ['xpack.security.http.ssl.enabled', 'true'],
 
-  ['xpack.security.http.ssl.keystore.path', `${ESS_CONFIG_PATH}certs/elasticsearch.p12`],
+  ['xpack.security.http.ssl.keystore.path', `${SERVERLESS_CONFIG_PATH}certs/elasticsearch.p12`],
 
   ['xpack.security.http.ssl.verification_mode', 'certificate'],
 ];
@@ -193,7 +199,10 @@ const DOCKER_SSL_ESARGS: Array<[string, string]> = [
 
   ['xpack.security.transport.ssl.enabled', 'true'],
 
-  ['xpack.security.transport.ssl.keystore.path', `${ESS_CONFIG_PATH}certs/elasticsearch.p12`],
+  [
+    'xpack.security.transport.ssl.keystore.path',
+    `${SERVERLESS_CONFIG_PATH}certs/elasticsearch.p12`,
+  ],
 
   ['xpack.security.transport.ssl.verification_mode', 'certificate'],
 
@@ -436,16 +445,16 @@ export function resolveEsArgs(
 }
 
 export function getESp12Volume() {
-  return ['--volume', `${ES_P12_PATH}:${ESS_CONFIG_PATH}certs/elasticsearch.p12`];
+  return ['--volume', `${ES_P12_PATH}:${SERVERLESS_CONFIG_PATH}certs/elasticsearch.p12`];
 }
 
 /**
  * Removes REPO_ROOT from hostPath. Keep the rest to avoid filename collisions.
- * Returns the path where a file will be mounted inside the ES or ESS container.
+ * Returns the path where a file will be mounted inside the ES or ES serverless container.
  * /root/kibana/package/foo/bar.json => /usr/share/elasticsearch/files/package/foo/bar.json
  */
 export function getDockerFileMountPath(hostPath: string) {
-  return join(ESS_FILES_PATH, hostPath.replace(REPO_ROOT, ''));
+  return join(SERVERLESS_FILES_PATH, hostPath.replace(REPO_ROOT, ''));
 }
 
 /**
@@ -491,21 +500,23 @@ export async function setupServerlessVolumes(log: ToolingLog, options: Serverles
     volumeCmds.push(...fileCmds);
   }
 
-  const essResources = ESS_RESOURCES_PATHS.reduce<string[]>((acc, path) => {
-    acc.push('--volume', `${path}:${ESS_CONFIG_PATH}${basename(path)}`);
+  const serverlessResources = SERVERLESS_RESOURCES_PATHS.reduce<string[]>((acc, path) => {
+    acc.push('--volume', `${path}:${SERVERLESS_CONFIG_PATH}${basename(path)}`);
 
     return acc;
   }, []);
 
   volumeCmds.push(
     ...getESp12Volume(),
-    ...essResources,
+    ...serverlessResources,
 
     '--volume',
-    `${ssl ? ESS_SECRETS_SSL_PATH : ESS_SECRETS_PATH}:${ESS_CONFIG_PATH}secrets/secrets.json:z`,
+    `${
+      ssl ? SERVERLESS_SECRETS_SSL_PATH : SERVERLESS_SECRETS_PATH
+    }:${SERVERLESS_CONFIG_PATH}secrets/secrets.json:z`,
 
     '--volume',
-    `${ESS_JWKS_PATH}:${ESS_CONFIG_PATH}secrets/jwks.json:z`
+    `${SERVERLESS_JWKS_PATH}:${SERVERLESS_CONFIG_PATH}secrets/jwks.json:z`
   );
 
   return volumeCmds;
@@ -592,7 +603,7 @@ export async function runServerlessCluster(log: ToolingLog, options: ServerlessO
 
   if (options.ssl) {
     log.warning(`SSL has been enabled for ES. Kibana should be started with the SSL flag so that it can authenticate with ES.
-  See packages/kbn-es/src/ess_resources/README.md for additional information on authentication.
+  See packages/kbn-es/src/serverless_resources/README.md for additional information on authentication.
     `);
   }
 
@@ -631,7 +642,7 @@ export async function runServerlessCluster(log: ToolingLog, options: ServerlessO
   }
 
   if (!options.background) {
-    // The ESS cluster has to be started detached, so we attach a logger afterwards for output
+    // The serverless cluster has to be started detached, so we attach a logger afterwards for output
     await execa('docker', ['logs', '-f', SERVERLESS_NODES[0].name], {
       // inherit is required to show Docker output and Java console output for pw, enrollment token, etc
       stdio: ['ignore', 'inherit', 'inherit'],

packages/kbn-es/src/utils/index.ts

@@ -17,4 +17,4 @@ export { buildSnapshot } from './build_snapshot';
 export { archiveForPlatform } from './build_snapshot';
 export * from './parse_timeout_to_ms';
 export * from './docker';
-export * from './ess_file_realm';
+export * from './serverless_file_realm';

x-pack/plugins/alerting/common/routes/maintenance_window/apis/archive/index.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { archiveBodySchema, archiveParamsSchema } from './schemas/latest';
+export type {
+  ArchiveMaintenanceWindowRequestBody,
+  ArchiveMaintenanceWindowRequestParams,
+  ArchiveMaintenanceWindowResponse,
+} from './types/latest';
+
+export {
+  archiveBodySchema as archiveBodySchemaV1,
+  archiveParamsSchema as archiveParamsSchemaV1,
+} from './schemas/v1';
+export type {
+  ArchiveMaintenanceWindowRequestBody as ArchiveMaintenanceWindowRequestBodyV1,
+  ArchiveMaintenanceWindowRequestParams as ArchiveMaintenanceWindowRequestParamsV1,
+  ArchiveMaintenanceWindowResponse as ArchiveMaintenanceWindowResponseV1,
+} from './types/latest';

x-pack/plugins/alerting/common/routes/maintenance_window/apis/archive/schemas/latest.ts

@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { archiveBodySchema, archiveParamsSchema } from './v1';

x-pack/plugins/alerting/common/routes/maintenance_window/apis/archive/schemas/v1.ts

@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { schema } from '@kbn/config-schema';
+
+export const archiveParamsSchema = schema.object({
+  id: schema.string(),
+});
+
+export const archiveBodySchema = schema.object({
+  archive: schema.boolean(),
+});

x-pack/plugins/alerting/common/routes/maintenance_window/apis/archive/types/latest.ts

@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export type {
+  ArchiveMaintenanceWindowRequestBody,
+  ArchiveMaintenanceWindowRequestParams,
+  ArchiveMaintenanceWindowResponse,
+} from './v1';