[Fleet] handle API key upgrade/renewal #85777
Comments
nchaulet
added
the
Team:Fleet
|
Pinging @elastic/ingest-management (Team:Ingest Management) |
|
@nchaulet can you remind me the consequences of this? it is like an existing Elastic Agent would not work with an APM integration from a newer release? |
|
@jalvz so the agent enrolled on a Kibana running a version < 7.11 and the user that used Fleet in kibana < 7.11 will not be able to use the APM integration as the api key will not have the |
|
got it, thanks. |
|
Just to make sure: this is still planned for 7.12, right? |
|
We did not any work on that for 7.12, There still a few discussions on how this should and I am wondering if we should do the work in Kibana or wait Fleet Server for that, and for 7.12 document that you need to re-enroll your agent to have the correct permissions. cc @ruflin |
|
Ok, that is a bit unfortunate. Thanks |
|
We are in talks to the ES team about this issue and I hope we find a solution where we don't require to regenerate all API Keys. If we have to regenerate, agree it needs to be done in fleet-server. |
|
I'm wondering if we implement elastic/fleet-server#101 and #94058 this issue might get resolved. |
This would move the problem away from Kibana and move the API key upgrade/renewal part to elastic/fleet-server#101 |
|
I think you are correct here, that would make it a single flow and really clear the responsibility:
|
|
There is an issue here we found: elastic/fleet-server#101 (comment) Currently Beats does not reload the output when a new API Key arrives. |
|
Going to close this issue as the solution here must happen in Beats / fleet-server and not Fleet. |
Description
it's possible we add new permission to Fleet API keys (Like here #85761)
In this case we want:
fleet_enrolluser, this need a user interaction:The text was updated successfully, but these errors were encountered: