Implement k8s secrets provider for Agent

[ChrsMark]

This PR aims to add support for consuming k8s secrets through Agent's variables.

Note: This is still a draft but comments are needed so as to verify it's going to the right direction, so plz @blakerouse @exekias feel free to comment here.

How to test this:

0. Create the k8s secret:

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: somesecret
type: Opaque
data:
  value: $(echo -n "passpass" | base64)
EOF

1. Use the following config:

providers.kubernetes_secrets:
  kube_config: /Users/chrismark/.kube/config

inputs:
  - type: logfile
    streams:
      - paths: ${env.logpath}/${kubernetes_secrets.default.somesecret.value}/another.log

2. Run inspect command to check what is the compiled configuration (use proper path for the elastic-agent.yml config file :
   logpath=/var/log ./elastic-agent -c /Users/ubuntu/Desktop/elastic-agent.yml inspect output -o default

Verify that the following is produced:

[default] filebeat:
filebeat:
  inputs:
  - index: logs-generic-default
    paths: /var/log/passpass/another.log

Unit testing:

1. go test -v ./pkg/agent/transpiler/... -run TestVars_ReplaceWithFetchContextProvider
2. go test -v ./pkg/composable/providers/kubernetessecrets...

Closes #24143

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #24789 updated

• Start Time: 2021-04-01T11:39:01.501+0000

• Duration: 69 min 51 sec

• Commit: e47bb5a

Test stats 🧪

Test	Results
Failed	0
Passed	6612
Skipped	16
Total	6628

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	6612
Skipped	16
Total	6628

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[blakerouse]

This is looking really good and took the path I was wanting to see. Just some cleanups that need to be done first.

[ChrsMark]

Thanks for reviewing @blakerouse! I applied changes based on your comments so please have another look. As far as adding tests is concerned I plan to add them, in this PR, once we verify that implementation is settled so as to avoid changing them along the review rounds. Let me know what you think, thanks!

[blakerouse]

Is it possible that getting a value from a fetch context provider returns something other than a string?

Below you can see that it will replace full objects if its a varString. I worry based on placing this before the switch val.(type) we are missing that as a possibility with a fetch context provider.

[ChrsMark]

I see, however no strong opinion here since I'm not super familiar with the combinations that could occur. Do you think that removing continue and being able to get to the switch block after the Fetch() action would be sth that we want?

[blakerouse]

Now that I took a closer look at this file. This is definitely in the wrong place. At its current location it would try to find a constant string in a fetch context provider, we do not want that.

Looking at it, this needs to be removed from here and moved into the:

func (v *Vars) Lookup(name string) (interface{}, bool) {
	return v.tree.Lookup(name)
}

Leaving this function untouched.

[ChrsMark]

@blakerouse I tried to move (see f023688) the code inside func (v *Vars) Lookup(name string) (interface{}, bool) method of the same file but it does not seem to work (using same configuration so far) and I'm not sure that I can follow the flow here. I see that the method is called at

beats/x-pack/elastic-agent/pkg/eql/visitor.go

Line 281 in 01eb297

val, ok := v.vars.Lookup(name)

and when debugging the flow with additional debug messages I cannot find anything useful so far. Could you please provide more content here?

[blakerouse]

I think I see the issue. You need to do the following:

Add the following function to Vars:

// lookupNode performs a lookup on the AST, but keeps the result as a `Node`.
//
// This is different from `Lookup` which returns the actual type, not the AST type.
func (v *Vars) lookupNode(name string) (Node, bool) {
	// check if the value can be retrieved from a FetchContextProvider
	for providerName, provider := range v.fetchContextProviders {
		if varPrefixMatched(name, providerName) {
			fetchProvider := provider.(composable.FetchContextProvider)
			fval, found := fetchProvider.Fetch(name)
			if found {
				return &StrVal{value: fval}, true
			} else {
				return &StrVal{value: ""}, false
			}
		}
	}
	// lookup in the AST tree
	return Lookup(v.tree, name)
}

Then change node, ok := Lookup(v.tree, val.Value()) to node, ok := v.lookupNode(val.Value()).

See if that works.

[ChrsMark]

👍🏼 This fixes the issue, thank you!

[blakerouse]

Being that a context provider is only considered a fetch context provider if it implements the FetchContextProvider interface and if it stops implementing the interface it will just stop working without any warning.

It would be good to add a compile check to ensure that it implements that interface in this file.

var _ FetchContextProvider = (*contextProviderK8sSecrets)(nil)

[ChrsMark]

The addition of the new lookupNode solves the latest issue. @blakerouse do you think we are ok now with the changes? shall I proceed with adding some tests?

[ChrsMark]

@blakerouse I proceeded with adding some tests too. Let me know what you think.

[blakerouse]

Code looks good, tests looks good. Ready to merge!