From d227832515860e21f76736a41f071635406e0108 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Thu, 19 Sep 2024 20:22:33 -0700 Subject: [PATCH 1/6] Update docker dependency (#5538) --- NOTICE.txt | 216 ++++++++++++++++++++++++++++++++++++++++++++++++++++- go.mod | 3 +- go.sum | 6 +- 3 files changed, 220 insertions(+), 5 deletions(-) diff --git a/NOTICE.txt b/NOTICE.txt index ca4b0ba88e7..5073f286758 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -206,11 +206,11 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- Dependency : github.com/docker/docker -Version: v27.0.3+incompatible +Version: v27.2.1+incompatible Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/docker/docker@v27.0.3+incompatible/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/docker/docker@v27.2.1+incompatible/LICENSE: Apache License 
@@ -43954,6 +43954,218 @@ Contents of probable licence file $GOMODCACHE/github.com/moby/sys/user@v0.1.0/LI limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/moby/sys/userns +Version: v0.1.0 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/moby/sys/userns@v0.1.0/LICENSE: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. 
+ + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + -------------------------------------------------------------------------------- Dependency : github.com/moby/term Version: v0.5.0 diff --git a/go.mod b/go.mod index 24dcc36dd32..b2b91c37418 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ require ( github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2 github.com/cavaliergopher/rpm v1.2.0 github.com/cenkalti/backoff/v4 v4.3.0 - github.com/docker/docker v27.0.3+incompatible + github.com/docker/docker v27.2.1+incompatible github.com/docker/go-units v0.5.0 github.com/dolmen-go/contextio v0.0.0-20200217195037-68fc5150bcd5 github.com/elastic/elastic-agent-autodiscover v0.8.2 @@ -289,6 +289,7 @@ require ( github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/locker v1.0.1 // indirect github.com/moby/spdystream v0.4.0 // indirect + github.com/moby/sys/userns v0.1.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect diff --git a/go.sum b/go.sum index 3f742b4b5db..ecbd3934989 100644 --- a/go.sum +++ b/go.sum 
@@ -220,8 +220,8 @@ github.com/docker/cli v25.0.1+incompatible h1:mFpqnrS6Hsm3v1k7Wa/BO23oz0k121MTbT github.com/docker/cli v25.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v27.0.3+incompatible h1:aBGI9TeQ4MPlhquTQKq9XbK79rKFVwXNUAYz9aXyEBE= -github.com/docker/docker v27.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v27.2.1+incompatible h1:fQdiLfW7VLscyoeYEBz7/J8soYFDZV1u6VW6gJEjNMI= +github.com/docker/docker v27.2.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= @@ -769,6 +769,8 @@ github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo= github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg= github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU= +github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= +github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= From 346e5be59eb3d32bf05652235f8d486eda9780a0 Mon Sep 17 00:00:00 2001 
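Review bot: the commit message for PATCH 1/6 says only "Update docker dependency" and gives no reason for moving github.com/docker/docker from v27.0.3+incompatible to v27.2.1+incompatible; please record the motivation (upstream fix, advisory, or an API the agent needs) in the message so the bump stays auditable. One check for whoever verifies the go.sum hunk: the `/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=` line is identical for both versions, which is expected for a `+incompatible` module that ships no go.mod of its own (the go command hashes a synthesized one-line go.mod), so only the zip hash `h1:fQdiLfW7VLscyoeYEBz7/J8soYFDZV1u6VW6gJEjNMI=` is new. The NOTICE.txt additions are consistent with the new indirect dependency github.com/moby/sys/userns v0.1.0 that go.mod and go.sum now list.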
From: Anderson Queiroz Date: Fri, 20 Sep 2024 05:37:11 +0200 Subject: [PATCH 2/6] add support for CLI flag for mTLS client certificate key passphrase (#5494) It adds support for an encrypted client certificate key during install/enroll, which is done by the CLI flag `--elastic-agent-cert-key-passphrase`. --- ...protected-mTLS-client-certificate-key.yaml | 35 +++ .../handler_action_policy_change_test.go | 40 ++++ internal/pkg/agent/cmd/enroll.go | 18 ++ internal/pkg/agent/cmd/enroll_cmd.go | 6 +- internal/pkg/agent/cmd/enroll_cmd_test.go | 218 +++++++++++++++++- 5 files changed, 308 insertions(+), 9 deletions(-) create mode 100644 changelog/fragments/1726040648-Add-support-for-passphrase-protected-mTLS-client-certificate-key.yaml diff --git a/changelog/fragments/1726040648-Add-support-for-passphrase-protected-mTLS-client-certificate-key.yaml b/changelog/fragments/1726040648-Add-support-for-passphrase-protected-mTLS-client-certificate-key.yaml new file mode 100644 index 00000000000..d9fcaad8db8 --- /dev/null +++ b/changelog/fragments/1726040648-Add-support-for-passphrase-protected-mTLS-client-certificate-key.yaml
@@ -0,0 +1,35 @@ +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user’s deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: feature + +# Change summary; a 80ish characters long description of the change. +summary: Add support for passphrase protected mTLS client certificate key during install/enroll + +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. +description: | + Adds `--elastic-agent-cert-key-passphrase` command line flag for the `install` + and `enroll` commands. The new flag accepts a absolute path for a file containing + a passphrase to be used to decrypt the mTLS client certificate key. + +# Affected component; a word indicating the component this changeset affects. +component: + +# PR URL; optional; the PR number that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +#pr: https://github.com/owner/repo/1234 + +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). 
+# If not present is automatically filled by the tooling with the issue linked to the PR number. +#issue: https://github.com/owner/repo/1234 diff --git a/internal/pkg/agent/application/actions/handlers/handler_action_policy_change_test.go b/internal/pkg/agent/application/actions/handlers/handler_action_policy_change_test.go index d68483d3ab6..4895959c17f 100644 --- a/internal/pkg/agent/application/actions/handlers/handler_action_policy_change_test.go +++ b/internal/pkg/agent/application/actions/handlers/handler_action_policy_change_test.go 
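Review bot: in the changelog fragment, the description reads "accepts a absolute path" (should be "an absolute path"), and `component:` is left empty; fill in the affected component so the release-notes tooling can place the entry. Since the flag deliberately takes a path to a passphrase file rather than the passphrase itself, it is worth one more sentence here telling operators that the file must be readable by the agent user only, because that file now protects the client key.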
@@ -741,6 +741,46 @@ func TestPolicyChangeHandler_handlePolicyChange_FleetClientSettings(t *testing.T "unexpected error when applying fleet.ssl.certificate and key") }, }, + { + name: "certificate and key without passphrase clear out previous passphrase", + originalCfg: &configuration.Configuration{ + Fleet: &configuration.FleetAgentConfig{ + Client: remote.Config{ + Host: fleetmTLSServer.URL, + Transport: httpcommon.HTTPTransportSettings{ + TLS: &tlscommon.Config{ + CAs: []string{string(fleetRootPair.Cert)}, + Certificate: tlscommon.CertificateConfig{ + Certificate: "some certificate", + Key: "some key", + Passphrase: "", + PassphrasePath: "/path/to/passphrase", + }, + }, + }, + }, + AccessAPIKey: "ignore", + }, + Settings: configuration.DefaultSettingsConfig(), + }, + newCfg: map[string]interface{}{ + "fleet.ssl.enabled": true, + "fleet.ssl.certificate": string(agentChildPair.Cert), + "fleet.ssl.key": string(agentChildPair.Key), + }, + setterCalledCount: 1, + wantCAs: []string{string(fleetRootPair.Cert)}, + wantCertificateConfig: tlscommon.CertificateConfig{ + Certificate: string(agentChildPair.Cert), + Key: string(agentChildPair.Key), + Passphrase: "", + PassphrasePath: "", + }, + assertErr: func(t *testing.T, err error) { + assert.NoError(t, err, + "unexpected error when applying fleet.ssl.certificate and key") + }, + }, { name: "certificate and key with passphrase_path is applied when present", originalCfg: &configuration.Configuration{ diff --git a/internal/pkg/agent/cmd/enroll.go b/internal/pkg/agent/cmd/enroll.go index 093bf9e7377..924ab373f8f 100644 --- a/internal/pkg/agent/cmd/enroll.go +++ b/internal/pkg/agent/cmd/enroll.go 
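Review bot: the new "certificate and key without passphrase clear out previous passphrase" case in handler_action_policy_change_test.go pins down that a policy change carrying `fleet.ssl.certificate` and `fleet.ssl.key` but no passphrase fields resets `PassphrasePath` from "/path/to/passphrase" to "". Please confirm that is the intended contract and document it on the handler: a policy that rotates the certificate and key but keeps using an encrypted key would then fail to load the key unless the policy also carries the passphrase path, and the test name should read "clears out" to match the assertion it makes.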
@@ -84,6 +84,7 @@ func addEnrollFlags(cmd *cobra.Command) { cmd.Flags().StringP("ca-sha256", "p", "", "Comma-separated list of certificate authority hash pins for server verification used by Elastic Agent and Fleet Server") cmd.Flags().StringP("elastic-agent-cert", "", "", "Elastic Agent client certificate to use with Fleet Server during mTLS authentication") cmd.Flags().StringP("elastic-agent-cert-key", "", "", "Elastic Agent client private key to use with Fleet Server during mTLS authentication") + cmd.Flags().StringP("elastic-agent-cert-key-passphrase", "", "", "Path for private key passphrase file used to decrypt Elastic Agent client certificate key") cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection made by the Elastic Agent. It's also required to use a Fleet Server on a HTTP endpoint") cmd.Flags().StringP("staging", "", "", "Configures Elastic Agent to download artifacts from a staging build") cmd.Flags().StringP("proxy-url", "", "", "Configures the proxy URL: when bootstrapping Fleet Server, it's the proxy used by Fleet Server to connect to Elasticsearch; when enrolling the Elastic Agent to Fleet Server, it's the proxy used by the Elastic Agent to connect to Fleet Server") 
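Review bot: the help text for `--elastic-agent-cert-key-passphrase` does not say that the value must be an absolute path, although validateEnrollFlags rejects relative paths with a TypeConfig error; add that to the description (the neighbouring `--elastic-agent-cert-key` has the same check and the same gap). Suggested wording: `Absolute path to a file containing the passphrase used to decrypt the Elastic Agent client certificate key`.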
@@ -111,6 +112,16 @@ func validateEnrollFlags(cmd *cobra.Command) error { if key != "" && !filepath.IsAbs(key) { return errors.New("--elastic-agent-cert-key must be provided as an absolute path", errors.M("path", key), errors.TypeConfig) } + keyPassphrase, _ := cmd.Flags().GetString("elastic-agent-cert-key-passphrase") + if keyPassphrase != "" { + if !filepath.IsAbs(keyPassphrase) { + return errors.New("--elastic-agent-cert-key-passphrase must be provided as an absolute path", errors.M("path", keyPassphrase), errors.TypeConfig) + } + + if cert == "" || key == "" { + return errors.New("--elastic-agent-cert and --elastic-agent-cert-key must be provided when using --elastic-agent-cert-key-passphrase", errors.M("path", keyPassphrase), errors.TypeConfig) + } + } esCa, _ := cmd.Flags().GetString("fleet-server-es-ca") if esCa != "" && !filepath.IsAbs(esCa) { return errors.New("--fleet-server-es-ca must be provided as an absolute path", errors.M("path", esCa), errors.TypeConfig) @@ -180,6 +191,7 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string ca, _ := cmd.Flags().GetString("certificate-authorities") cert, _ := cmd.Flags().GetString("elastic-agent-cert") key, _ := cmd.Flags().GetString("elastic-agent-cert-key") + keyPassphrase, _ := cmd.Flags().GetString("elastic-agent-cert-key-passphrase") sha256, _ := cmd.Flags().GetString("ca-sha256") insecure, _ := cmd.Flags().GetBool("insecure") staging, _ := cmd.Flags().GetString("staging") @@ -285,6 +297,10 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string args = append(args, "--elastic-agent-cert-key") args = append(args, key) } + if keyPassphrase != "" { + args = append(args, "--elastic-agent-cert-key-passphrase") + args = append(args, keyPassphrase) + } if sha256 != "" { args = append(args, "--ca-sha256") args = append(args, sha256) 
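Review bot: validateEnrollFlags only checks that the passphrase path is absolute; it does not check that the file exists and is readable, so a mistyped path surfaces later as a TLS key-load failure during enrollment instead of as a flag error next to the other TypeConfig errors. Consider an `os.Stat` (or reading the file) at validation time, and a warning when the file is group- or world-readable, since the passphrase file is now the secret that protects the client key. Passing a path rather than the passphrase itself is the right design: buildEnrollmentFlags forwards only the path into the re-executed enroll command, so the secret never appears in argv or the process list.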
@@ -422,6 +438,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error { caSHA256 := cli.StringToSlice(caSHA256str) cert, _ := cmd.Flags().GetString("elastic-agent-cert") key, _ := cmd.Flags().GetString("elastic-agent-cert-key") + keyPassphrase, _ := cmd.Flags().GetString("elastic-agent-cert-key-passphrase") ctx := handleSignal(context.Background()) @@ -449,6 +466,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error { CASha256: caSHA256, Certificate: cert, Key: key, + KeyPassphrasePath: keyPassphrase, Insecure: insecure, UserProvidedMetadata: make(map[string]interface{}), Staging: staging, diff --git a/internal/pkg/agent/cmd/enroll_cmd.go b/internal/pkg/agent/cmd/enroll_cmd.go index 68a1e018f3f..2bb07dde414 100644 --- a/internal/pkg/agent/cmd/enroll_cmd.go +++ b/internal/pkg/agent/cmd/enroll_cmd.go @@ -111,6 +111,7 @@ type enrollCmdOption struct { CASha256 []string `yaml:"ca_sha256,omitempty"` Certificate string `yaml:"certificate,omitempty"` Key string `yaml:"key,omitempty"` + KeyPassphrasePath string `yaml:"key_passphrase_path,omitempty"` Insecure bool `yaml:"insecure,omitempty"` EnrollAPIKey string `yaml:"enrollment_key,omitempty"` Staging string `yaml:"staging,omitempty"` @@ -149,8 +150,9 @@ func (e *enrollCmdOption) remoteConfig() (remote.Config, error) { } if e.Certificate != "" || e.Key != "" { tlsCfg.Certificate = tlscommon.CertificateConfig{ - Certificate: e.Certificate, - Key: e.Key, + Certificate: e.Certificate, + Key: e.Key, + PassphrasePath: e.KeyPassphrasePath, } } diff --git a/internal/pkg/agent/cmd/enroll_cmd_test.go b/internal/pkg/agent/cmd/enroll_cmd_test.go index d24794f6b0c..cc13b2ab252 100644 --- a/internal/pkg/agent/cmd/enroll_cmd_test.go +++ b/internal/pkg/agent/cmd/enroll_cmd_test.go @@ -7,12 +7,17 @@ package cmd import ( "bytes" "context" + "crypto/rand" "crypto/tls" + "crypto/x509" + "encoding/pem" + "fmt" "io" "net" "net/http" "net/http/httptest" "os" + "path/filepath" "runtime" "strconv" "sync/atomic" 
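Review bot: in remoteConfig in enroll_cmd.go, the condition `if e.Certificate != "" || e.Key != ""` does not consider KeyPassphrasePath, so an enrollCmdOption with only `key_passphrase_path` set (the field carries a yaml tag, so it can arrive from a config file where validateEnrollFlags never runs) silently drops the passphrase path instead of failing. Either return an error from remoteConfig when KeyPassphrasePath is set without Certificate and Key, or include the field in the condition so the mismatch is not discarded without trace.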
@@ -22,6 +27,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/elastic/elastic-agent-libs/testing/certutil" "github.com/elastic/elastic-agent/internal/pkg/agent/configuration" "github.com/elastic/elastic-agent/internal/pkg/agent/errors" "github.com/elastic/elastic-agent/internal/pkg/cli" 
@@ -113,6 +119,95 @@ func TestEnroll(t *testing.T) { }, )) + t.Run("successfully enroll with mTLS and save fleet config in the store", func(t *testing.T) { + agentCertPassphrase := "a really secure passphrase" + passphrasePath := filepath.Join(t.TempDir(), "passphrase") + err := os.WriteFile( + passphrasePath, + []byte(agentCertPassphrase), + 0666) + require.NoError(t, err, + "could not write agent child certificate key passphrase to temp directory") + + tlsCfg, _, agentCertPathPair, fleetRootPathPair, _ := + mTLSServer(t, agentCertPassphrase) + + mockHandlerCalled := false + mockHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + mockHandlerCalled = true + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte(` +{ + "action": "created", + "item": { + "id": "a9328860-ec54-11e9-93c4-d72ab8a69391", + "active": true, + "policy_id": "69f3f5a0-ec52-11e9-93c4-d72ab8a69391", + "type": "PERMANENT", + "enrolled_at": "2019-10-11T18:26:37.158Z", + "user_provided_metadata": { + "custom": "customize" + }, + "local_metadata": { + "platform": "linux", + "version": "8.0.0" + }, + "actions": [], + "access_api_key": "my-access-api-key" + } +}`)) + }) + + s := httptest.NewUnstartedServer(mockHandler) + s.TLS = tlsCfg + s.StartTLS() + defer s.Close() + + store := &mockStore{} + enrollOptions := enrollCmdOption{ + CAs: []string{string(fleetRootPathPair.Cert)}, + Certificate: string(agentCertPathPair.Cert), + Key: string(agentCertPathPair.Key), + KeyPassphrasePath: passphrasePath, + + URL: s.URL, + EnrollAPIKey: "my-enrollment-api-key", + UserProvidedMetadata: map[string]interface{}{"custom": "customize"}, + SkipCreateSecret: skipCreateSecret, + SkipDaemonRestart: true, + } + cmd, err := newEnrollCmd( + log, + &enrollOptions, + "", + store, + ) + require.NoError(t, err, "could not create enroll command") + + streams, _, _, _ := cli.NewTestingIOStreams() + ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute) + defer cancel() + + err = 
cmd.Execute(ctx, streams) + require.NoError(t, err, "enroll command returned and unexpected error") + + fleetCfg, err := readConfig(store.Content) + require.NoError(t, err, "could not read fleet config from store") + + assert.True(t, mockHandlerCalled, "mock handler should have been called") + fleetTLS := fleetCfg.Client.Transport.TLS + + require.NotNil(t, fleetTLS, `fleet client TLS config should have been set`) + assert.Equal(t, s.URL, fmt.Sprintf("%s://%s", + fleetCfg.Client.Protocol, fleetCfg.Client.Host)) + assert.Equal(t, enrollOptions.CAs, fleetTLS.CAs) + assert.Equal(t, + enrollOptions.Certificate, fleetTLS.Certificate.Certificate) + assert.Equal(t, enrollOptions.Key, fleetTLS.Certificate.Key) + assert.Equal(t, + enrollOptions.KeyPassphrasePath, fleetTLS.Certificate.PassphrasePath) + }) + t.Run("successfully enroll with TLS and save access api key in the store", withTLSServer( func(t *testing.T) *http.ServeMux { mux := http.NewServeMux() @@ -167,7 +262,7 @@ func TestEnroll(t *testing.T) { defer cancel() if err := cmd.Execute(ctx, streams); err != nil { - t.Fatalf("enrrol coms returned and unexpected error: %v", err) + t.Fatalf("enroll command returned and unexpected error: %v", err) } config, err := readConfig(store.Content) @@ -229,7 +324,7 @@ func TestEnroll(t *testing.T) { defer cancel() if err := cmd.Execute(ctx, streams); err != nil { - t.Fatalf("enrrol coms returned and unexpected error: %v", err) + t.Fatalf("enroll command returned and unexpected error: %v", err) } assert.True(t, store.Called) 
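Review bot: the passphrase file in the new mTLS enroll test is written with mode 0666, while savePair in the same file writes certificates and keys with 0o600; use 0o600 for the passphrase too, both for consistency and because the test should model the permissions a secret file is expected to have (a world-readable passphrase defeats encrypting the key). Separately, the message `enroll command returned and unexpected error` appears in the new `require.NoError` and in the two `t.Fatalf` lines this patch touches; all three should read "an unexpected error".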
@@ -522,21 +617,55 @@ func TestValidateEnrollFlags(t *testing.T) { t.Run("no flags", func(t *testing.T) { cmd := newEnrollCommandWithArgs([]string{}, streams) err := validateEnrollFlags(cmd) - require.NoError(t, err) + + assert.NoError(t, err) }) t.Run("service_token and a service_token_path are mutually exclusive", func(t *testing.T) { + absPath, err := filepath.Abs("/path/to/token") + require.NoError(t, err, "could not get absolute absPath") + cmd := newEnrollCommandWithArgs([]string{}, streams) - err := cmd.Flags().Set("fleet-server-service-token-path", "/path/to/token") + err = cmd.Flags().Set("fleet-server-service-token-path", absPath) require.NoError(t, err) err = cmd.Flags().Set("fleet-server-service-token", "token-value") require.NoError(t, err) + err = validateEnrollFlags(cmd) - require.Error(t, err) + assert.Error(t, err) var agentErr errors.Error - require.ErrorAs(t, err, &agentErr) - require.Equal(t, errors.TypeConfig, agentErr.Type()) + assert.ErrorAs(t, err, &agentErr) + assert.Equal(t, errors.TypeConfig, agentErr.Type()) + }) + + t.Run("elastic-agent-cert-key does not require key-passphrase", func(t *testing.T) { + absPath, err := filepath.Abs("/path/to/elastic-agent-cert-key") + require.NoError(t, err, "could not get absolute absPath") + + cmd := newEnrollCommandWithArgs([]string{}, streams) + err = cmd.Flags().Set("elastic-agent-cert-key", absPath) + require.NoError(t, err, "could not set flag 'elastic-agent-cert-key'") + + err = validateEnrollFlags(cmd) + + assert.NoError(t, err, "validateEnrollFlags should have succeeded") + }) + + t.Run("elastic-agent-cert-key-passphrase requires certificate and key", func(t *testing.T) { + absPath, err := filepath.Abs("/path/to/elastic-agent-cert-key-passphrase") + require.NoError(t, err, "could not get absolute absPath") + + cmd := newEnrollCommandWithArgs([]string{}, streams) + err = cmd.Flags().Set("elastic-agent-cert-key-passphrase", absPath) + require.NoError(t, err, "could not set flag 
'elastic-agent-cert-key-passphrase'") + + err = validateEnrollFlags(cmd) + + assert.Error(t, err, "validateEnrollFlags should not accept only --elastic-agent-cert-key-passphrase") + var agentErr errors.Error + assert.ErrorAs(t, err, &agentErr) + assert.Equal(t, errors.TypeConfig, agentErr.Type()) }) } 
@@ -645,6 +774,81 @@ func withTLSServer( } } +// mTLSServer generates the necessary certificates and tls.Config for a mTLS +// server. If agentPassphrase is given, it'll encrypt the agent's client +// certificate key. +// It returns the *tls.Config to be used with httptest.NewUnstartedServer, +// the agentRootPair, agentChildPair, fleetRootPathPair, fleetCertPathPair. +// Theirs Cert and Key values are the path to the respective certificate and +// certificate key in PEM format. +func mTLSServer(t *testing.T, agentPassphrase string) ( + *tls.Config, certutil.Pair, certutil.Pair, certutil.Pair, certutil.Pair) { + + dir := t.TempDir() + + // generate certificates + agentRootPair, agentCertPair, err := certutil.NewRootAndChildCerts() + require.NoError(t, err, "could not create agent's root CA and child certificate") + + // encrypt keys if needed + if agentPassphrase != "" { + agentChildDERKey, _ := pem.Decode(agentCertPair.Key) + require.NoError(t, err, "could not create tls.Certificates from child certificate") + + encPem, err := x509.EncryptPEMBlock( //nolint:staticcheck // we need to drop support for this, but while we don't, it needs to be tested. 
+ rand.Reader, + "EC PRIVATE KEY", + agentChildDERKey.Bytes, + []byte(agentPassphrase), + x509.PEMCipherAES128) + require.NoError(t, err, "failed encrypting agent child certificate key block") + + agentCertPair.Key = pem.EncodeToMemory(encPem) + } + + agentRootPathPair := savePair(t, dir, "agent_ca", agentRootPair) + agentCertPathPair := savePair(t, dir, "agent_cert", agentCertPair) + + fleetRootPair, fleetChildPair, err := certutil.NewRootAndChildCerts() + require.NoError(t, err, "could not create fleet-server's root CA and child certificate") + fleetRootPathPair := savePair(t, dir, "fleet_ca", fleetRootPair) + fleetCertPathPair := savePair(t, dir, "fleet_cert", fleetChildPair) + + // configure server's TLS + fleetRootCertPool := x509.NewCertPool() + fleetRootCertPool.AppendCertsFromPEM(fleetRootPair.Cert) + cert, err := tls.X509KeyPair(fleetRootPair.Cert, fleetRootPair.Key) + require.NoError(t, err, "could not create tls.Certificates from child certificate") + + agentRootCertPool := x509.NewCertPool() + agentRootCertPool.AppendCertsFromPEM(agentRootPair.Cert) + + cfg := &tls.Config{ //nolint:gosec // it's just a test + RootCAs: fleetRootCertPool, + Certificates: []tls.Certificate{cert}, + ClientCAs: agentRootCertPool, + ClientAuth: tls.RequireAndVerifyClientCert, + } + + return cfg, agentRootPathPair, agentCertPathPair, fleetRootPathPair, fleetCertPathPair +} + +// savePair saves the key pair on {dest}/{name}.pem and {dest}/{name}_key.pem +func savePair(t *testing.T, dest string, name string, pair certutil.Pair) certutil.Pair { + certPath := filepath.Join(dest, name+".pem") + err := os.WriteFile(certPath, pair.Cert, 0o600) + require.NoErrorf(t, err, "could not save %s certificate", name) + + keyPath := filepath.Join(dest, name+"_key.pem") + err = os.WriteFile(keyPath, pair.Key, 0o600) + require.NoErrorf(t, err, "could not save %s certificate key", name) + + return certutil.Pair{ + Cert: []byte(certPath), + Key: []byte(keyPath), + } +} + func bytesToTMPFile(b 
[]byte) (string, error) { f, err := os.CreateTemp("", "prefix") if err != nil { From 2feeb369af34a2f632f3d5860cb8faa15eb249d2 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Thu, 19 Sep 2024 21:14:07 -0700 Subject: [PATCH 3/6] Clarify purpose of `.agent-versions` file (#5522) * Clarify commit message * Convert file to YML and add header comment * Reintroducing rand/v2 import cleaned up by IDE * Use YAML v3 * Replace .agent-versions.json with .agent-versions.yml * Running mage fmt * Adding a newline in the header comment * Fix comment * Fix commit message * Look for changes in new file * Moving + renaming agent versions file * Updating code to refer to new file location + name * Running mage integration:updateVersions --- .agent-versions.json | 9 --------- .github/workflows/bump-agent-versions.sh | 6 +++--- magefile.go | 17 +++++++++++++---- .../testdata/.upgrade-test-agent-versions.yml | 12 ++++++++++++ testing/upgradetest/versions.go | 13 ++++++++----- 5 files changed, 36 insertions(+), 21 deletions(-) delete mode 100644 .agent-versions.json create mode 100644 testing/integration/testdata/.upgrade-test-agent-versions.yml diff --git a/.agent-versions.json b/.agent-versions.json deleted file mode 100644 index e49dc8f2d6d..00000000000 --- a/.agent-versions.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "testVersions": [ - "8.15.2-SNAPSHOT", - "8.15.1", - "8.14.3", - "7.17.24", - "7.17.24-SNAPSHOT" - ] -} diff --git a/.github/workflows/bump-agent-versions.sh b/.github/workflows/bump-agent-versions.sh index 95bd0c156ef..e82eeb8383e 100755 --- a/.github/workflows/bump-agent-versions.sh +++ b/.github/workflows/bump-agent-versions.sh 
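Review bot: in the `mTLSServer` hunk, the result of `pem.Decode(agentCertPair.Key)` is never checked: the second return value is discarded and the following `require.NoError(t, err, "could not create tls.Certificates from child certificate")` re-tests the stale `err` from `NewRootAndChildCerts` under a copy-pasted message, so a key that does not decode reaches `x509.EncryptPEMBlock` as a nil `agentChildDERKey` and panics. Replace that line with `require.NotNil(t, agentChildDERKey, "could not decode agent child key PEM")`. Two smaller points in the same hunk: the server certificate is built from the CA pair (`tls.X509KeyPair(fleetRootPair.Cert, fleetRootPair.Key)`) even though the message says "child certificate" and `fleetChildPair` is generated and saved right above it, so either use the child pair, which gives the test server a leaf signed by the CA as a real fleet-server would present, or fix the message; and `RootCAs` on a `tls.Config` that is only installed on the server is never consulted (the server verifies clients through `ClientCAs`), so it can be dropped unless the same config is reused client-side. `ClientAuth: tls.RequireAndVerifyClientCert` is the right setting for an mTLS server. In the doc comment, "Theirs Cert and Key values" should read "Their Cert and Key values".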
@@ -3,7 +3,7 @@ set -e package_version=$(mage integration:updatePackageVersion) version_requirements=$(mage integration:updateVersions) -changes=$(git status -s -uno .agent-versions.json .package-version) +changes=$(git status -s -uno testing/integration/testdata/.upgrade-test-agent-versions.yml .package-version) if [ -z "$changes" ] then echo "The version files didn't change, skipping..." @@ -19,10 +19,10 @@ else # the mage target above requires to be on a release branch # so, the new branch should not be created before the target is run git checkout -b update-agent-versions-$GITHUB_RUN_ID - git add .agent-versions.json .package-version + git add testing/integration/testdata/.upgrade-test-agent-versions.yml .package-version nl=$'\n' # otherwise the new line character is not recognized properly - commit_desc="These files are used for picking agent versions in integration tests.${nl}${nl}The content is based on responses from https://www.elastic.co/api/product_versions and https://snapshots.elastic.co${nl}${nl}The current update is generated based on the following requirements:${nl}${nl}Package version: ${package_version}${nl}${nl}\`\`\`json${nl}${version_requirements}${nl}\`\`\`" + commit_desc="These files are used for picking the starting (pre-upgrade) or ending (post-upgrade) agent versions in upgrade integration tests.${nl}${nl}The content is based on responses from https://www.elastic.co/api/product_versions and https://snapshots.elastic.co${nl}${nl}The current update is generated based on the following requirements:${nl}${nl}Package version: ${package_version}${nl}${nl}\`\`\`json${nl}${version_requirements}${nl}\`\`\`" git commit -m "[$GITHUB_REF_NAME][Automation] Update versions" -m "$commit_desc" git push --set-upstream origin "update-agent-versions-$GITHUB_RUN_ID" diff --git a/magefile.go b/magefile.go index b21e0382ffa..e236d07a6d2 100644 --- a/magefile.go +++ b/magefile.go 
@@ -14,6 +14,7 @@ import ( "errors" "fmt" "html/template" + "io" "io/fs" "log" "maps" @@ -1904,7 +1905,7 @@ func (Integration) Kubernetes(ctx context.Context) error { return integRunner(ctx, false, "") } -// UpdateVersions runs an update on the `.agent-versions.json` fetching +// UpdateVersions runs an update on the `.agent-versions.yml` fetching // the latest version list from the artifact API. func (Integration) UpdateVersions(ctx context.Context) error { maxSnapshots := 3 @@ -1950,11 +1951,19 @@ func (Integration) UpdateVersions(ctx context.Context) error { } defer file.Close() - encoder := json.NewEncoder(file) - encoder.SetIndent("", " ") + // Write header + header := "# This file is generated automatically. Please do not manually edit it.\n\n" + + "# The testVersions list in this file specifies Elastic Agent versions to be used as\n" + + "# the starting (pre-upgrade) or ending (post-upgrade) versions of Elastic Agent in\n" + + "# upgrade integration tests.\n\n" + + io.WriteString(file, header) + + encoder := yaml.NewEncoder(file) + encoder.SetIndent(2) err = encoder.Encode(versionFileData) if err != nil { - return fmt.Errorf("failed to encode JSON to file %s: %w", upgradetest.AgentVersionsFilename, err) + return fmt.Errorf("failed to encode YAML to file %s: %w", upgradetest.AgentVersionsFilename, err) } return nil } diff --git a/testing/integration/testdata/.upgrade-test-agent-versions.yml b/testing/integration/testdata/.upgrade-test-agent-versions.yml new file mode 100644 index 00000000000..f6e55d7e978 --- /dev/null +++ b/testing/integration/testdata/.upgrade-test-agent-versions.yml 
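Review bot: in the `magefile.go` `UpdateVersions` hunk, both return values of `io.WriteString(file, header)` are discarded, so a failed or short header write goes unnoticed and the generated file is silently wrong. Check it (`if _, err := io.WriteString(file, header); err != nil { return fmt.Errorf("failed to write header to %s: %w", upgradetest.AgentVersionsFilename, err) }`), and since this path writes the file, call `encoder.Close()` after `Encode` and check the `file.Close()` error instead of relying on `defer file.Close()`. The doc comment above still says the target runs an update on "`.agent-versions.yml`" while the file now lives at `testing/integration/testdata/.upgrade-test-agent-versions.yml`; referring to `upgradetest.AgentVersionsFilename` there avoids the comment going stale again.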
@@ -0,0 +1,12 @@ +# This file is generated automatically. Please do not manually edit it. + +# The testVersions list in this file specifies Elastic Agent versions to be used as +# the starting (pre-upgrade) or ending (post-upgrade) versions of Elastic Agent in +# upgrade integration tests. + +testVersions: + - 8.16.0-SNAPSHOT + - 8.15.2-SNAPSHOT + - 8.15.1 + - 8.15.0 + - 7.17.25-SNAPSHOT diff --git a/testing/upgradetest/versions.go b/testing/upgradetest/versions.go index 5e9c135c639..b2da0962c0b 100644 --- a/testing/upgradetest/versions.go +++ b/testing/upgradetest/versions.go @@ -6,7 +6,6 @@ package upgradetest import ( "context" - "encoding/json" "errors" "fmt" "os" @@ -15,6 +14,8 @@ import ( "sort" "strings" + "gopkg.in/yaml.v3" + "github.com/elastic/elastic-agent/pkg/testing/define" "github.com/elastic/elastic-agent/pkg/version" ) @@ -68,11 +69,11 @@ type VersionRequirements struct { SnapshotBranches []string } -const AgentVersionsFilename = ".agent-versions.json" +var AgentVersionsFilename string type AgentVersions struct { // TestVersions contains semver-compliant versions of the agent to run integration tests against. - TestVersions []string `json:"testVersions"` + TestVersions []string `yaml:"testVersions"` } var ( @@ -80,6 +81,8 @@ var ( ) func init() { + AgentVersionsFilename = filepath.Join("testing", "integration", "testdata", ".upgrade-test-agent-versions.yml") + v, err := getAgentVersions() if err != nil { panic(err) @@ -116,11 +119,11 @@ func getAgentVersions() (*AgentVersions, error) { } defer f.Close() - d := json.NewDecoder(f) + d := yaml.NewDecoder(f) var versionFile AgentVersions err = d.Decode(&versionFile) if err != nil { - return nil, fmt.Errorf("failed to decode JSON in %s: %w", filePath, err) + return nil, fmt.Errorf("failed to decode YAML in %s: %w", filePath, err) } return &versionFile, nil From aa56bc96223f780737ec194341c1270bb11ebbbc Mon Sep 17 00:00:00 2001 
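Review bot: in the `testing/upgradetest/versions.go` hunks, `AgentVersionsFilename` goes from an exported `const` to an exported `var` assigned inside `init()`, which turns a compile-time value other packages could rely on into run-time mutable state and ties its validity to init ordering. A package-level initializer (`var AgentVersionsFilename = filepath.Join("testing", "integration", "testdata", ".upgrade-test-agent-versions.yml")`) runs before any `init()` and keeps the `init()` body to the version lookup. In `getAgentVersions`, the `yaml.NewDecoder(f)` replacement ignores unknown keys by default, so a generator change that misspells `testVersions` would decode to an empty `TestVersions` rather than fail; calling `d.KnownFields(true)` before `d.Decode(&versionFile)` makes that an error at the point where it is cheapest to diagnose.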
From: Alexandros Sapranidis Date: Fri, 20 Sep 2024 10:13:31 +0300 Subject: [PATCH 4/6] Add pprofextension from the OTel-contrib (#5556) * Add pprofextension from the OTel-contrilib This commit adds the pprofextension to the OTel collector. Signed-off-by: Alexandros Sapranidis --- NOTICE.txt | 211 ++++++++++++++++++ .../1726739016-otel-pprof-extension.yaml | 32 +++ go.mod | 1 + go.sum | 2 + internal/pkg/otel/README.md | 1 + internal/pkg/otel/components.go | 2 + 6 files changed, 249 insertions(+) create mode 100644 changelog/fragments/1726739016-otel-pprof-extension.yaml diff --git a/NOTICE.txt b/NOTICE.txt index 5073f286758..436c2e3fd24 100644 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -5018,6 +5018,217 @@ Contents of probable licence file $GOMODCACHE/github.com/open-telemetry/opentele limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension +Version: v0.109.0 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension@v0.109.0/LICENSE: + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. 
+ + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." 
+ + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + -------------------------------------------------------------------------------- Dependency : github.com/open-telemetry/opentelemetry-collector-contrib/extension/storage/filestorage Version: v0.109.0 diff --git a/changelog/fragments/1726739016-otel-pprof-extension.yaml b/changelog/fragments/1726739016-otel-pprof-extension.yaml new file mode 100644 index 00000000000..418727a9322 --- /dev/null +++ b/changelog/fragments/1726739016-otel-pprof-extension.yaml 
@@ -0,0 +1,32 @@ +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user’s deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: enhancement + +# Change summary; a 80ish characters long description of the change. +summary: Add pprof extension to OTel dependencies + +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. +#description: + +# Affected component; a word indicating the component this changeset affects. +component: elastic-agent + +# PR URL; optional; the PR number that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +pr: https://github.com/elastic/elastic-agent/pull/5556 + +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). +# If not present is automatically filled by the tooling with the issue linked to the PR number. +#issue: https://github.com/owner/repo/1234 diff --git a/go.mod b/go.mod index b2b91c37418..f4b92220a16 100644 --- a/go.mod +++ b/go.mod 
@@ -40,6 +40,7 @@ require ( github.com/mitchellh/hashstructure v1.1.0 github.com/oklog/ulid/v2 v2.1.0 github.com/open-telemetry/opentelemetry-collector-contrib/extension/healthcheckextension v0.109.0 + github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension v0.109.0 github.com/open-telemetry/opentelemetry-collector-contrib/receiver/jaegerreceiver v0.109.0 github.com/open-telemetry/opentelemetry-collector-contrib/receiver/prometheusreceiver v0.109.0 github.com/open-telemetry/opentelemetry-collector-contrib/receiver/zipkinreceiver v0.109.0 diff --git a/go.sum b/go.sum index ecbd3934989..fae37a0fde7 100644 --- a/go.sum +++ b/go.sum @@ -823,6 +823,8 @@ github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding/otl github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding/otlpencodingextension v0.109.0/go.mod h1:UKEwVBxPn/wRMKelq+9pdYlnkVFQ8h8yh5c8k2tRjNU= github.com/open-telemetry/opentelemetry-collector-contrib/extension/healthcheckextension v0.109.0 h1:/DYYZTFiMLxmx2XKzCepDT/VDv3u9gIgdzUQvdL2gtM= github.com/open-telemetry/opentelemetry-collector-contrib/extension/healthcheckextension v0.109.0/go.mod h1:ydMgguz0dLWUQnIK3ogZQaoFKXGeLI37KqAtpsJAI6s= +github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension v0.109.0 h1:LEpo+3dMUJ7cAoX2xqQXmLuCGlA5OVSQl1c/Os3ZhYk= +github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension v0.109.0/go.mod h1:1gBYb3ohJNGVaMD2N5GPhpKU8W9jvPI3uHPIgmUGcyM= github.com/open-telemetry/opentelemetry-collector-contrib/extension/storage v0.109.0 h1:49eU82qM9YhubCPh4o9z+6t8sw9ytS3sfPi/1Yzf0UQ= github.com/open-telemetry/opentelemetry-collector-contrib/extension/storage v0.109.0/go.mod h1:t+2SQm0yPa+1GYpoOg7/lzZ4cHgk3os6uqALvnBA1aU= github.com/open-telemetry/opentelemetry-collector-contrib/extension/storage/filestorage v0.109.0 h1:g79FG4aNXwnpatYBoEfSm+ngQF6gJ7MHBL9z2uzqQa4= 
diff --git a/internal/pkg/otel/README.md b/internal/pkg/otel/README.md index 6cad3c29a16..1b95d1c4f7a 100644 --- a/internal/pkg/otel/README.md +++ b/internal/pkg/otel/README.md @@ -69,6 +69,7 @@ This section provides a summary of components included in the Elastic Distributi | Component | Version | |---|---| | [healthcheckextension](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/extension/healthcheckextension/v0.109.0/extension/healthcheckextension/README.md) | v0.109.0 | +| [pprofextension](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/extension/pprofextension/v0.109.0/extension/pprofextension/README.md) | v0.109.0 | | [filestorage](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/extension/storage/filestorage/v0.109.0/extension/storage/filestorage/README.md) | v0.109.0 | | [memorylimiterextension](https://github.com/open-telemetry/opentelemetry-collector/blob/extension/memorylimiterextension/v0.109.0/extension/memorylimiterextension/README.md) | v0.109.0 | diff --git a/internal/pkg/otel/components.go b/internal/pkg/otel/components.go index c213760271d..803fafb619f 100644 --- a/internal/pkg/otel/components.go +++ b/internal/pkg/otel/components.go @@ -47,6 +47,7 @@ import ( // Extensions "github.com/open-telemetry/opentelemetry-collector-contrib/extension/healthcheckextension" + pprofextension "github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension" filestorage "github.com/open-telemetry/opentelemetry-collector-contrib/extension/storage/filestorage" "go.opentelemetry.io/collector/extension/memorylimiterextension" // for putting backpressure when approach a memory limit @@ -114,6 +115,7 @@ func components() (otelcol.Factories, error) { memorylimiterextension.NewFactory(), filestorage.NewFactory(), healthcheckextension.NewFactory(), + pprofextension.NewFactory(), ) if err != nil { return otelcol.Factories{}, err 
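Review bot: in the `internal/pkg/otel/components.go` hunk, the alias on `pprofextension "github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension"` repeats the package's own name; matching the unaliased `healthcheckextension` import just above would be consistent. On substance, registering `pprofextension.NewFactory()` is inert until a collector configuration lists `pprof` under `extensions`, but once enabled the extension serves Go runtime profiles (heap, goroutine, CPU) over plain HTTP; its upstream default bind address is `localhost:1777`. The README row added here only links to the upstream README, so a sentence in `internal/pkg/otel/README.md` noting that the endpoint should stay on loopback and be left disabled in production configurations would help operators who enable it for troubleshooting.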
From 10038fcadb5ad4d4a7353562f32f119db37ab0c3 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 20 Sep 2024 10:02:41 +0200 Subject: [PATCH 5/6] chore: deps(updatecli/policy): bump "ghcr.io/updatecli/policies/autod... (#5576) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... iscovery/updatecli" Updatecli version policy Made with ❤️️ by updatecli Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- updatecli-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/updatecli-compose.yaml b/updatecli-compose.yaml index e2c76250129..ac2acac5786 100644 --- a/updatecli-compose.yaml +++ b/updatecli-compose.yaml @@ -7,7 +7,7 @@ policies: - .ci/updatecli/values.d/scm.yml - .ci/updatecli/values.d/ironbank.yml - name: Update Updatecli policies - policy: ghcr.io/updatecli/policies/autodiscovery/updatecli:0.5.0@sha256:df7fb3a9e3348a9749527edf867be1090f452f9ee0c2116aab6de39729850d53 + policy: ghcr.io/updatecli/policies/autodiscovery/updatecli:0.8.0@sha256:99e9e61b501575c2c176c39f2275998d198b590a3f6b1fe829f7315f8d457e7f values: - .ci/updatecli/values.d/scm.yml - .ci/updatecli/values.d/updatecli-compose.yml From fc6ed90211d6fef990e3251ff652e833b5225374 Mon Sep 17 00:00:00 2001 
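Review bot: in the `updatecli-compose.yaml` hunk, the `@sha256:` digest pin is retained on the new `0.8.0` policy reference, so the bump stays content-addressed rather than trusting a mutable tag; nothing further to raise.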
From: Mauri de Souza Meneguzzo Date: Fri, 20 Sep 2024 05:04:14 -0300 Subject: [PATCH 6/6] Change maintainer label to opencontainers in Dockerfile (#5527) * Change maintainer label to opencontainers in Dockerfile The old way of specifying maintainers in a Dockerfile was to use the MAINTAINER instruction. This is now deprecated and the maintainer label was used instead. Nowadays the recommended way to set a maintainer is through the `org.opencontainers.image.authors` label. See https://docs.docker.com/reference/build-checks/maintainer-deprecated/. * add changelog entry --- ...e-to-org.opencontainers.image.authors.yaml | 32 +++++++++++++++++++ .../docker/Dockerfile.elastic-agent.tmpl | 2 +- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 changelog/fragments/1726238750-change-deprecated-maintainer-label-in-Dockerfile-to-org.opencontainers.image.authors.yaml diff --git a/changelog/fragments/1726238750-change-deprecated-maintainer-label-in-Dockerfile-to-org.opencontainers.image.authors.yaml b/changelog/fragments/1726238750-change-deprecated-maintainer-label-in-Dockerfile-to-org.opencontainers.image.authors.yaml new file mode 100644 index 00000000000..c3f963082b1 --- /dev/null +++ b/changelog/fragments/1726238750-change-deprecated-maintainer-label-in-Dockerfile-to-org.opencontainers.image.authors.yaml 
@@ -0,0 +1,32 @@ +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user’s deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: other + +# Change summary; a 80ish characters long description of the change. +summary: change deprecated maintainer label in Dockerfile to org.opencontainers.image.authors + +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. +#description: + +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc. +component: elastic-agent + +# PR URL; optional; the PR number that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +pr: https://github.com/elastic/elastic-agent/pull/5527 + +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). +# If not present is automatically filled by the tooling with the issue linked to the PR number. +#issue: https://github.com/owner/repo/1234 
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl index 990ba461e9e..cd5906f5cf7 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl @@ -108,8 +108,8 @@ LABEL \ org.opencontainers.image.licenses="{{ .License }}" \ org.opencontainers.image.title="{{ .BeatName | title }}" \ org.opencontainers.image.vendor="{{ .BeatVendor }}" \ + org.opencontainers.image.authors="infra@elastic.co" \ name="{{ .BeatName }}" \ - maintainer="infra@elastic.co" \ vendor="{{ .BeatVendor }}" \ version="{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}" \ release="1" \
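Review bot: in the `Dockerfile.elastic-agent.tmpl` hunk, dropping `maintainer="infra@elastic.co"` removes a label from every published image, so tooling that reads `.Config.Labels.maintainer` (image scanners, inventory scripts, admission policies keyed on labels) will see it disappear; consider keeping the legacy label for one release alongside the new `org.opencontainers.image.authors` line, or at least stating the removal explicitly in the changelog fragment, whose summary currently reads as a rename. The fragment's summary also calls the `maintainer` label itself deprecated, whereas the commit message above says it was the `MAINTAINER` instruction that was deprecated and the label was its replacement; wording the summary as "replace maintainer label with org.opencontainers.image.authors" keeps the two consistent.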