Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fleet] policy revision_idx source of truth #173538

Closed
michel-laterman opened this issue Dec 18, 2023 · 6 comments
Closed

[Fleet] policy revision_idx source of truth #173538

michel-laterman opened this issue Dec 18, 2023 · 6 comments
Assignees
@michel-laterman
Labels
Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@michel-laterman
Copy link

The PR elastic/fleet-server#3131 to remove the fleet-server coordinator changes some migration logic to increment the revision_idx instead of the removed coordinator_idx in a .fleet-policy document in order to force fleet-server to reload the policy and generate a new outputs block.

However, fleet's current source of truth for this attribute is part of the agent policy saved object so we may run into a conflict as they differ.
@michel-laterman michel-laterman added the Team:Fleet Team label for Observability Data Collection Fleet team label Dec 18, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

@michel-laterman michel-laterman mentioned this issue Dec 18, 2023
Merged
5 tasks
@nchaulet
Copy link
Member

I think it make sense to have kibana to be the source of truth for revision, I am wondering if we can have another mechanism in fleet server.

@nchaulet
Copy link
Member

@michel-laterman I do not think it should be possible for fleet-server to increment revision idx, we will not be able to know when a policy is out-of-date, and the new revision will not match our saved objects, I am wondering if it's better to include a new field? write to a new index fleet-server processed policies? (thinking loud here)

@michel-laterman
Copy link
Author

We increment the coordinator_idx/revision_idx in order to signal the policy monitor to generate new api keys as part of output migration for v8.5.0: https://github.com/elastic/fleet-server/blob/main/internal/pkg/dl/migration.go#L187-L205.
If we changed the migration that updates the idx number to alter another field it would need to be one that the policy monitor is aware of.

Or we may be able to try to change the checkin handler on fleet-server to detect a migrated agent; i think this would be a document with outputs.default.api_key="" and outputs.default.permission_hash=$VALUE and force it to process the policy and prepare outputs for the agent. Does that seem correct to you?

@AndersonQ if you remember any details of the issue (elastic/fleet-server#1672) we would welcome your input

@AndersonQ
Copy link
Member

@AndersonQ if you remember any details of the issue (elastic/fleet-server#1672) we would welcome your input

@michel-laterman, what I remember is pretty much what I commented in the code, the coordinator_idx is increased to force the api keys to be regenerated. As long as they are regenerated, it's fine.

@michel-laterman
Copy link
Author

elastic/fleet-server#3131 has been updated so that fleet-server will no longer increment the revision_idx and the above migration strategy will be used

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michel-laterman michel-laterman

Labels
Team:Fleet Team label for Observability Data Collection Fleet team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@AndersonQ @nchaulet @elasticmachine @michel-laterman