[Fleet] View & Edit Secret Variables #157176
Conversation
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
hop-dev
changed the title
hop-dev
force-pushed
the
secrets-ui
branch
2 times, most recently
from
6846323 to
bc7d2a2
Compare
hop-dev
added
release_note:skip
|
Pinging @elastic/fleet (Team:Fleet) |
|
|
||
| secretIds.forEach((secretId, idx) => { | ||
| const regex = new RegExp(`\\$co\\.elastic\\.secret\\{${secretId}\\}`, 'g'); | ||
| formattedText = formattedText.replace(regex, `\${SECRET_${idx}}`); |
There was a problem hiding this comment.
It is not possible to use the same secretId multiple times in one policy, right? Asking because replace only replaces the first match.
There was a problem hiding this comment.
This looks fine from what I can see: the ids are auto generated so they should at least be unique for a given package policy. This is stated in the proposal doc but can also be seen in the secrets service here.
| const yaml = fullAgentPolicyToYaml(agentPolicyWithSecrets, (policy) => JSON.stringify(policy)); | ||
|
|
||
| expect(yaml).toMatchInlineSnapshot( | ||
| `"{\\"id\\":\\"1234\\",\\"outputs\\":{\\"default\\":{\\"type\\":\\"elasticsearch\\",\\"hosts\\":[\\"http://localhost:9200\\"]}},\\"inputs\\":[{\\"id\\":\\"test_input-secrets-abcd1234\\",\\"revision\\":1,\\"name\\":\\"secrets-1\\",\\"type\\":\\"test_input\\",\\"data_stream\\":{\\"namespace\\":\\"default\\"},\\"use_output\\":\\"default\\",\\"package_policy_id\\":\\"abcd1234\\",\\"package_var_secret\\":\\"\${SECRET_0}\\",\\"input_var_secret\\":\\"\${SECRET_1}\\",\\"streams\\":[{\\"id\\":\\"test_input-secrets.log-abcd1234\\",\\"data_stream\\":{\\"type\\":\\"logs\\",\\"dataset\\":\\"secrets.log\\"},\\"package_var_secret\\":\\"\${SECRET_0}\\",\\"input_var_secret\\":\\"\${SECRET_1}\\",\\"stream_var_secret\\":\\"\${SECRET_2}\\"}],\\"meta\\":{\\"package\\":{\\"name\\":\\"secrets\\",\\"version\\":\\"1.0.0\\"}}}],\\"secret_references\\":[{\\"id\\":\\"secret-id-1\\"},{\\"id\\":\\"secret-id-2\\"},{\\"id\\":\\"secret-id-3\\"}],\\"revision\\":2,\\"agent\\":{},\\"signed\\":{},\\"output_permissions\\":{},\\"fleet\\":{}}"` |
There was a problem hiding this comment.
If this policy was used with envvars to provide SECRET_x values, it shouldn't cause any problems that the policy has secret_references. We should test to make sure.
| > | ||
| <FormattedMessage | ||
| id="xpack.fleet.policyDetails.secretsDescription" | ||
| defaultMessage="Kibana does not have access to secret values. You will need to set these values manually after deploying the agent policy. Look out for environment variables in the format {envVarPrefix} in the agent configuration." |
There was a problem hiding this comment.
@nimarezainia Could you confirm the copy of the callout?
There was a problem hiding this comment.
cc @zombieFox as well for input. Could we provide a screenshot here with context as well to help us confirm the copy?
There was a problem hiding this comment.
See the second recording in the description.
I think the goal here is to be able to easily use the policy in a standalone config by providing envvars for secrets e.g. SECRET_0.
There was a problem hiding this comment.
I don't have a screenshot of the Callout. I believe Julia is correct, it can be seen in the video demo.
There was a problem hiding this comment.
i think the copy is very descriptive.
|
Reviewed the code and looks good, added a few comments. |
|
Testing locally and noticed that the Edit integration policy page shows the secrets as hidden even when the feature flag is turned off (so secrets are still part of the policy doc). |
|
@elasticmachine merge upstream |
|
Also noticed a bug on enabling the feature flag:
|
|
Creating a new integration policy after the feature flag is enabled looks good, I can see the replaced values in the Agent policy: |
|
Good point about the desired behaviour when the feature flag is turned off. Also, I'm confused by something: when I edit the package policy and click |
|
Was the package policy created with feature flag off? If so, it is expected to see the previous value as the secrets were not stored separately. |
|
@nimarezainia Could we get your input on the expected behaviour when the feature flag is disabled per Julia's comment above? In the current implementation, if a package provides a secret value and the flag is disabled, when the user edits the package policy the UI will show a secret field type like in the screenshot below. Furthermore, editing the variable will result in the old value being visible (second screenshot). 
|
|
@elasticmachine merge upstream |
|
@jillguyonnet I would say:
Which means that all secrets created before this option will never be completely hidden. |
@jillguyonnet if I understand this correctly, I would say that when the feature flag is disabled, the edit policy page should behave as it does today without these changes. Feature flag is off be default. So a user who doesn't want this feature (or is unaware of it) shouldn't see a change in behavior. |
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Async chunks
Page load bundle
Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
|
@juliaElastic Here's a summary of the remaining questions: 👍 UI when with 👍 When a secret value was created with the flag disabled and the flag was then enabled at a later stage, in the current implementation the first time the user edits this input the old value will be shown, and in subsequent changes it will be hidden (@jlind23 's comment above). I'm not sure yet how this could be addressed, but we could leave that as a followup. WDYT? |
|
Thanks for the changes! I'm ok to merge and leave the bugfix to a follow up. |
|
Sounds good, I also looked up your question about the uniqueness of secret id per package policy and I think we're good. I'll merge and open a followup issue for the bugfix. |
|
Followup bugfix issue: #160537 |
…ets index (#163075) Closes #162915 ## Summary Replace direct calls to Fleet Secrets index with new API calls introduced with elastic/elasticsearch#97728 ### New ES secrets APIs: ``` POST /_fleet/secret/ { "value": "<secret value>" } // Returns the id of the created secret { "id": "<secret_id>" } DELETE /_fleet/secret/<secret_id> // returns { "deleted": true } ``` NOTE: I tried running the secrets integration tests in #162732 but there is some ES error that I'm not sure how to address. I think that the test can be worked on separately ### Testing Testing steps are the exact same as #157176: - Start EPR locally loading the `Secrets` test package from Kibana: ``` docker run -p 8080:8080 -v /Users/<YOUR_PATH>/kibana/x-pack/test/fleet_api_integration/apis/fixtures/test_packages:/packages/test-packages -v /Users/<YOUR_PATH>/kibana/x-pack/test/fleet_api_integration/apis/fixtures/package_registry_config.yml:/package-registry/config.yml docker.elastic.co/package-registry/package-registry:main ``` - Point `kibana.dev.yml` to local EPR: ``` xpack.fleet.registryUrl: http://localhost:8080 ``` - Enable the secrets feature flag `secretsStorage` - Start kibana and navigate to `integrations`, install `Secrets` package. - It should create and edit the package policy successfully <img width="1800" alt="Screenshot 2023-08-08 at 16 26 52" src="https://github.com/elastic/kibana/assets/16084106/5e2b77d9-71a9-4c5f-8b3b-5fc6546d562f"> - The yml policy should have the redacted secrets and secrets ids: <img width="771" alt="Screenshot 2023-08-08 at 15 43 22" src="https://github.com/elastic/kibana/assets/16084106/7db22c6b-b0db-4eb6-bc68-7174374c9c74"> --------- Co-authored-by: Kibana Machine <[email protected]>
…ets index (elastic#163075) Closes elastic#162915 ## Summary Replace direct calls to Fleet Secrets index with new API calls introduced with elastic/elasticsearch#97728 ### New ES secrets APIs: ``` POST /_fleet/secret/ { "value": "<secret value>" } // Returns the id of the created secret { "id": "<secret_id>" } DELETE /_fleet/secret/<secret_id> // returns { "deleted": true } ``` NOTE: I tried running the secrets integration tests in elastic#162732 but there is some ES error that I'm not sure how to address. I think that the test can be worked on separately ### Testing Testing steps are the exact same as elastic#157176: - Start EPR locally loading the `Secrets` test package from Kibana: ``` docker run -p 8080:8080 -v /Users/<YOUR_PATH>/kibana/x-pack/test/fleet_api_integration/apis/fixtures/test_packages:/packages/test-packages -v /Users/<YOUR_PATH>/kibana/x-pack/test/fleet_api_integration/apis/fixtures/package_registry_config.yml:/package-registry/config.yml docker.elastic.co/package-registry/package-registry:main ``` - Point `kibana.dev.yml` to local EPR: ``` xpack.fleet.registryUrl: http://localhost:8080 ``` - Enable the secrets feature flag `secretsStorage` - Start kibana and navigate to `integrations`, install `Secrets` package. - It should create and edit the package policy successfully <img width="1800" alt="Screenshot 2023-08-08 at 16 26 52" src="https://github.com/elastic/kibana/assets/16084106/5e2b77d9-71a9-4c5f-8b3b-5fc6546d562f"> - The yml policy should have the redacted secrets and secrets ids: <img width="771" alt="Screenshot 2023-08-08 at 15 43 22" src="https://github.com/elastic/kibana/assets/16084106/7db22c6b-b0db-4eb6-bc68-7174374c9c74"> --------- Co-authored-by: Kibana Machine <[email protected]>
Summary
Closes #154731
Related to #154715
Adds a new component for viewing and editing secret values in the policy editor. Secrets can be written on policy create, when editing a policy, if a secret is filled then we give the user the option to replace the value only.
Also when viewing the agent policy yaml, hide secret references and replace them with incremental env var names, and add a callout which tells the user they need to replace the vars.
I have kept the UI un-opinionated about which type of field can be a secret.
Secret variable in package policy editor:
secret_input_demo.mp4
Replaced secrets and new callout in policy yaml viewer:
policy_yaml_demo.mp4
Testing
secrets-1.0.0package to testChecklist
Delete any items that are not applicable to this PR.
Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.
When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:
For maintainers