[Fleet] Fixes to preconfigure API #96094
Conversation
Zacqary
added
v8.0.0
release_note:skip
|
Pinging @elastic/fleet (Feature:Fleet) |
|
Pinging @elastic/fleet (Team:Fleet) |
| @@ -45,7 +45,7 @@ export async function ensurePreconfiguredPackagesAndPolicies( | |||
| // If there are multiple packages with duplicate versions, separate them with semicolons, e.g | |||
| // package-a:1.0.0, package-a:2.0.0; package-b:1.0.0, package-b:2.0.0 | |||
| const duplicateList = duplicatePackages | |||
| .map(([, versions]) => versions.map((v) => `${v.name}:${v.version}`).join(', ')) | |||
| .map(([, versions]) => versions.map((v) => `${v.name}-${v.version}`).join(', ')) | |||
There was a problem hiding this comment.
I'm starting to wonder if what you have with the : is actually better. I know I used the - in some of my tests but : looks pretty intuitive. What is the reason you changed it?
There was a problem hiding this comment.
- is used everywhere else in the codebase, such as this example in EPM's package registry: https://github.com/elastic/kibana/blob/master/x-pack/plugins/fleet/server/services/epm/registry/index.ts#L65
I like : better too but I think consistency is the most important.
There was a problem hiding this comment.
I wonder if we mix two things here. The part you linked is the name of the .zip file I think. The reason we have - there is because it is pretty uncomment to have : in a file name. So it is apache-1.2.3.zip instead of apache:1.2.3.zip as file name. We also copied here what is used for the other stack downloads. I would think for configuration we could use the :. But as packages are not allowed to have any - in the name it is also something we could change later on and adjust all the places where it is used. So good to move forward with your change 👍
| @@ -45,7 +45,7 @@ export async function ensurePreconfiguredPackagesAndPolicies( | |||
| // If there are multiple packages with duplicate versions, separate them with semicolons, e.g | |||
| // package-a:1.0.0, package-a:2.0.0; package-b:1.0.0, package-b:2.0.0 | |||
| const duplicateList = duplicatePackages | |||
| .map(([, versions]) => versions.map((v) => `${v.name}:${v.version}`).join(', ')) | |||
| .map(([, versions]) => versions.map((v) => `${v.name}-${v.version}`).join(', ')) | |||
There was a problem hiding this comment.
Can use pkgToPkgKey
to ensure the correct value and avoid the duplication| @@ -123,7 +137,7 @@ export async function ensurePreconfiguredPackagesAndPolicies( | |||
| id: p.policy.id, | |||
| updated_at: p.policy.updated_at, | |||
| })), | |||
| packages: preconfiguredPackages.map((pkg) => `${pkg.name}:${pkg.version}`), | |||
| packages: preconfiguredPackages.map((pkg) => `${pkg.name}-${pkg.version}`), | |||
There was a problem hiding this comment.
Same comment re: pkgToPkgKey
There was a problem hiding this comment.
I tested a few scenarios and it does what it should.
One thing I stumbled over this that I set is_managed but then was still able to delete the policy. Not sure if this is related to this PR or something still being worked on. @jfsiii probably knows.
|
@ruflin managed policies should not be able to be deleted Can you add more detail about the steps you took so Zacqary or I can confirm/fix? |
|
@jfsiii Tried to take it out of my copy / paste history and did not run it yet again. But I think that is the command I used: |
|
@ruflin thanks. That would create the policy. How did you delete it? Via the UI or another curl command? |
|
I used the UI. |
|
@ruflin Even though you were able to delete the policy, did it still prevent you from adding a new integration from the UI? I just want to make sure the |
💚 Build Succeeded
Metrics [docs]
History
To update your PR or re-run it, just comment with: cc @Zacqary |
|
@ruflin Just tested and I wasn't able to reproduce your issue. Deleting a managed preconfigured policy threw a |
|
@Zacqary Probably an error on my end. I'll try again on master. |
|
I tested again and indeed I get the error. What confused me was that the |
|
@ruflin I am working on that right now #96492 (comment) |
Summary
Closes #95788
is_managedflag when creating a new policyis_defaultandis_default_fleet_serverflagsforceflag to thepackagesschema instead of passing it by default; this restores the ability for the package registry to throw an error when trying to install and outdated package, unless the user passesforce: trueintentionally-instead of:Testing examples
Send a
PUTto/api/fleet/preconfigurationwith the following payloads to test different scenarios:forceflag{ "packages": [ { "name": "apache", "version": "0.3.4", "force": true } ] }Also remove
force: trueand ensure that this request fails.is_managed{ "agentPolicies": [ { "name": "Preconfigured Managed Policy", "id": 1, "namespace": "test", "is_managed": true, "package_policies": [ { "package": { "name": "system" }, "name": "System Integration" } ] } ] }After the policy is created, go to the policy in the Fleet UI and try to add an integration. Ensure that it throws an error related to being a managed policy.
is_default/is_default_fleet_serverBefore running this, restart
yarn es snapshotso that you're working with a fresh cluster. Then run this request BEFORE opening the Fleet app for the first time.{ "agentPolicies": [ { "name": "Preconfigured Default Policy", "id": 1, "namespace": "test", "is_default": true, "package_policies": [ { "package": { "name": "system" }, "name": "System Integration" } ] }, { "name": "Preconfigured Default Fleet Policy", "id": 1, "namespace": "test", "is_default_fleet_server": true, "package_policies": [ { "package": { "name": "system" }, "name": "System Integration" } ] } ] }After running this, open Fleet and ensure that these are the only two policies created, instead of Fleet creating new Default policies.
Confirm by running this test scenario with only one of the
DefaultorDefault Fleet Serverpolicies. When Fleet initializes, it should create a default policy for whichever one you did not preconfigure.Checklist