migrate fleet integration_policy to framework, fix secret churn #797
Conversation
daemitus
force-pushed
the
newfeat
branch
2 times, most recently
from
26d5955 to
9310f58
Compare
|
@daemitus Thanks for the work you have put into this. if I understand correctly, this PR is based on #785. In order to make the diff in this PR only containing the changes necessary to fix the issue with the secret ref (#689), I suggest to use |
|
Oh sure
…On Fri, Sep 27, 2024, 2:05 AM Lucas Bremgartner ***@***.***> wrote:
@daemitus <https://github.com/daemitus> Thanks for the work you have put
into this.
if I understand correctly, this PR is based on #785
<#785>. In
order to make the diff in this PR only containing the changes necessary to
fix the issue with the secret ref (#689
<#689>),
I suggest to use daemitus:feat as merge target instead of main, at least
for the time until daemitus:feat is merged. What do you think?
—
Reply to this email directly, view it on GitHub
<#797 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAFMTBHWGTGU4MCCRXXWQSLZYTYSDAVCNFSM6AAAAABO52NGMWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNZYGQ3DOMZVHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
daemitus
force-pushed
the
newfeat
branch
2 times, most recently
from
8726779 to
1dd7646
Compare
| @@ -63,7 +63,6 @@ jobs: | |||
| xpack.security.enabled: true | |||
| xpack.security.authc.api_key.enabled: true | |||
| xpack.security.authc.token.enabled: true | |||
| xpack.security.http.ssl.enabled: false | |||
There was a problem hiding this comment.
defaults to false, not included in the makefile
| KIBANA_FLEET_PASSWORD: ${{ env.ELASTIC_PASSWORD }} | ||
| ports: | ||
| - 8220:8220 | ||
| options: --restart="unless-stopped" |
There was a problem hiding this comment.
To test for secret storage, an actual fleet server is necessary. It'll fail until the kibana password is set, so keep restarting it.
| @@ -123,8 +140,6 @@ jobs: | |||
| - name: Setup Kibana user | |||
| run: make set-kibana-password | |||
| env: | |||
| ELASTICSEARCH_ENDPOINTS: "http://localhost:9200" | |||
| ELASTICSEARCH_USERNAME: "elastic" | |||
There was a problem hiding this comment.
unused arguments in this makefile directive
| @@ -134,10 +149,17 @@ jobs: | |||
| run: |- | |||
| echo "apikey=$(make create-es-api-key | jq -r .encoded)" >> "$GITHUB_OUTPUT" | |||
| env: | |||
| ELASTICSEARCH_ENDPOINTS: "http://localhost:9200" | |||
| ELASTICSEARCH_USERNAME: "elastic" | |||
There was a problem hiding this comment.
unused arguments in this makefile directive
| SOURCE_LOCATION ?= $(shell pwd) | ||
| , := , |
There was a problem hiding this comment.
escaping JSON commas in the setup fleet payloads. This makes me sad, but not much of a better way to do it when wrapping in the retry func
| } | ||
| } | ||
|
|
||
| handleVars(utils.Deref(resp.Vars)) |
There was a problem hiding this comment.
fwiw, without using the x-go-remove-unnecessary-pointers flag, you have to sprinkle these deref methods everywhere. Being able to range a nil map is nice.
| Key string | ||
| Path path.Path | ||
| Diags diag.Diagnostics | ||
| } |
There was a problem hiding this comment.
The idea with using these, is to make the iter functions in each of these helpers a little less wordy. If you don't inline the function, you'll still have access to the parent metadata.
| // 'existing' will be placed at the end of the list. Inputs are identified by | ||
| // their ID ('input_id'). The 'incoming' slice will be sorted in-place. | ||
| func sortInputs(incoming []integrationPolicyInputModel, existing []integrationPolicyInputModel) { | ||
| if len(existing) == 0 { |
There was a problem hiding this comment.
This is a change from previous that I think addresses a bug that was not noticed before. When importing, existing will be empty/null. And if you have more than 1 import, the order will get randomized (thanks go-maps), so the import test will randomly fail.
generated/fleet/getschema.go
Outdated
There was a problem hiding this comment.
Can we just use a newer version of the spec?
There was a problem hiding this comment.
most of the fleet changes in getschema (including secret_references) are still missing on the main branch. i was playing around with it yesterday, seeing what would need doing.
There was a problem hiding this comment.
I can look into bumping the spec once this is done. I wanted to incorporate some of the transforms upstream anyways. Based on what I've seen, its likely going to require some extra work on getschema anyways.
daemitus
changed the title
* origin/main: fix package policy secrets (#821) chore(deps): update codecov/codecov-action digest to b9fd7d1 (#815) Bump release memory Switch to golang 1.23.2 in release Bump release memory Prepare release v0.11.8 (#810) Add key_id as an explicit attribute (#789) standalone-output resource (#811) Add URL support to data_view field_formats (#812) migrate fleet integration_policy to framework, fix secret churn (#797) Allow mappings to be unknown to support mappings defined in index templates (#803)
Dependent on #785 (will fix this up after merge to clean up the diff)
Solves #689
secretID -> actualin the private resource state.Actually testing the secrets required implementing an actual fleet server. So theres a bunch of changes in the makefile and github actions setting that up.
newin the original order ifoldwas not present, e.g. during import. Since only the TCP integration was ever tested, the go maps are unordered/randomized issue never cropped up. Nownewis sorted by inputID ifoldis not present. If both are present, existing functionality is preserved.