Enable Fleet Server

[mtojek]

This PR adjusts the Elastic stack created by the elastic-package to supports Fleet Server.

Issue: #278

[mtojek]

Right now I can't enroll the agent to any policy (using 7.13.0):

➜  elastic-package git:(278-support-fleet-server) ✗ docker logs 47b5c520a12f -f
Performing setup of Fleet in Kibana
The Elastic Agent is currently in BETA and should not be used in production

2021-03-08T14:53:43.418Z	INFO	application/enroll_cmd.go:287	Generating self-signed certificate for Fleet Server
2021-03-08T14:53:43.787Z	INFO	application/enroll_cmd.go:435	Spawning Elastic Agent daemon as a subprocess to complete bootstrap process.
2021-03-08T14:53:44.793Z	INFO	application/enroll_cmd.go:513	waiting for Elastic Agent to start Fleet Server
2021-03-08T14:53:45.795Z	INFO	application/enroll_cmd.go:531	Fleet Server - Starting
2021-03-08T14:53:47.428Z	WARN	application/enroll_cmd.go:331	Remote server is not ready to accept connections, will retry in a moment.
2021-03-08T14:54:47.360Z	INFO	application/enroll_cmd.go:338	Retrying to enroll...
2021-03-08T14:54:47.363Z	WARN	application/enroll_cmd.go:331	Remote server is not ready to accept connections, will retry in a moment.

Keep in mind that I'd like to support 7.12.0 if possible (I expect new environment variables to be ignored).

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #279 updated

• Start Time: 2021-04-07T08:24:17.760+0000

• Duration: 23 min 45 sec

• Commit: 0f53750

Test stats 🧪

Test	Results
Failed	0
Passed	316
Skipped	1
Total	317

Trends 🧪

[nchaulet]

@mtojek I was able to have it running on 8.0 by adding - "FLEET_SERVER_INSECURE_HTTP=1"

[mtojek]

@nchaulet I added the suggested env and now I'm getting this error from Agent:

2021-03-09T18:37:09.755Z	ERROR	application/fleet_gateway.go:185	failed to dispatch actions, error: fail to generate program configuration: expecting Dict and received *transpiler.Key for '0'
2021-03-09T18:37:09.755Z	WARN	status/reporter.go:233	Elastic Agent status changed to: 'degraded'
2021-03-09T18:37:09.755Z	INFO	status/reporter.go:233	Elastic Agent status changed to: 'online'

Package revision in the agent's structure is "null".

[mtojek]

@blakerouse @ruflin @nchaulet I watched the observability demo session and @blakerouse's presentation (good job!) about running the agent with fleet server in a container and I'm confused about available configuration options. Recently I've removed FLEET_URL and KIBANA_HOST from global envs, but I saw @blakerouse used them. Unfortunately with current blockers it's hard to determine the correct set.

Shall I ask you to review both kibana.config.yml and snapshot.yml and recommend the best configuration for 7.13?

[blakerouse]

@mtojek FLEET_URL should not be required, but at the moment there is an issue that requires it. I am working to solve this issue. As for the KIBANA_HOST that is required if you want the container to perform the setup of Kibana working with Fleet, which when running with FLEET_SERVER_ENABLED is required, unless you are running at some hook on the Kibana container instead.

[mtojek]

FLEET_URL should not be required, but at the moment there is an issue that requires it. I am working to solve this issue.

Would you mind linking this issue for tracking purposes?

As for the KIBANA_HOST that is required if you want the container to perform the setup of Kibana working with Fleet, which when running with FLEET_SERVER_ENABLED is required, unless you are running at some hook on the Kibana container instead.

In this setup we've a long running Elastic cluster (Elasticsearch, Kibana, Package Registry) and two agents (so far):

1. Separate agent's container which is used for system tests (reassigning policies).
2. Agent's container in the Kubernetes cluster.

which gives us two agent containers, each one with own FleetServer inside. Can Kibana handle it without any problems?

[ruflin]

Two fleet-server should just work. If not, please let us know.

[ruflin]

This will change as part of elastic/beats#24713 and elastic/kibana#94364

[mtojek]

Thank you for reviewing this. What is the recommendation though? Should I wait until these PRs are merged?

[ruflin]

I would like to switch over elastic-package to fleet-server as soon as possible to have early testing. At the same time I do not want to impact the integrations team with potential bugs / changes. The above changes can only land if a dependency from endpoint is also merged at the same time. I think an easy trick on our side will be to just ahve both config options in already so things will keep working. @nchaulet is this assumption correct?

[nchaulet]

Yes thats correct we can have both options as soon my PR for fleet server hosts is merged (hopefully soon :) ) elastic/kibana#94364

[mtojek]

Status update:

I had a 1-1 with @ruflin regarding the configuration. I learnt much about the Fleet Server package, which seems to be the missing part for the system test runner to handle. I will adjust its implementation.

I will also use environment variables specified in the: https://github.com/elastic/beats/blob/master/x-pack/elastic-agent/pkg/agent/cmd/container.go#L61

[ruflin]

I wonder how in this scenario the elastic-agent will get the right enrollment token. We might still have to read it from Kibana.

[blakerouse]

Would prefer the usage of https here as well. But you will still need the FLEET_INSECURE=1 so it sets ssl.verification_mode: none.

[mtojek]

/test

[mtojek]

Status update:

I increased the interval between healthchecks and it skips the problematic gap when the Fleet Server is not available, but the flakiness still persists.

It seems that you can't assign the custom policy to the agent. There is no error in logs, but the policy revision is null. We're using this call to verify if the policy revision has been assigned.

EDIT:

I spotted also that the Fleet Server reports errors (status offline) in kibana:

14:43:36.582
elastic_agent
[elastic_agent][error] Could not communicate with Checking API will retry, error: fail to checkin to fleet: Post "http://fleet-server:8220/api/fleet/agents/3853ba23-2f6d-4a5f-a7e3-cd9acebe7c9a/checkin?": net/http: request canceled (Client.Timeout exceeded while awaiting headers)
14:50:15.741
elastic_agent
[elastic_agent][error] Could not communicate with Checking API will retry, error: fail to checkin to fleet: Post "http://fleet-server:8220/api/fleet/agents/3853ba23-2f6d-4a5f-a7e3-cd9acebe7c9a/checkin?": net/http: request canceled (Client.Timeout exceeded while awaiting headers)

[mtojek]

/test

[mtojek]

/test

[mtojek]

jenkins run the tests please

[mtojek]

jenkins run the tests please

[mtojek]

Passed: https://beats-ci.elastic.co/blue/organizations/jenkins/Ingest-manager%2Felastic-package/detail/PR-279/32/pipeline
Failed: https://beats-ci.elastic.co/blue/organizations/jenkins/Ingest-manager%2Felastic-package/detail/PR-279/31/pipeline/

I suspect that there is some flakiness around, maybe related to healthchecks.

[mtojek]

It looks like the PR is ready for review, no issues spotted and the CI reported the green status. Would you mind looking at it one more time to see if I haven't missed anything?

[ruflin]

I did a quick test on 7.13 and all works as expected. I must confess the setup took a bit longer then I expected but this is much more to the setup on the fleet-server / Fleet end then this scripting and we need to make improvements there.

[blakerouse]

You should not need this anymore. By default Elastic Agent will start Fleet Server with it bound to 0.0.0.0.

[mtojek]

Fixed

[mtojek]

Something doesn't work (connectivity issue), I will try to revert this one. Seems to be correct.

Unfortunately this one is also required, otherwise the fleet server is not reachable anymore. Maybe something hasn't been backported here?

[blakerouse]

I would rather see you run it without this flag. Why run it insecurely?

[mtojek]

For debugging purposes we can sniff network traffic and see requests/responses. It's not a production setup.

[blakerouse]

Can add --insecure to the curl command and change to https if you remove the FLEET_SERVER_INSECURE_HTTP below.

[blakerouse]

Would prefer the usage of https here as well. But you will still need the FLEET_INSECURE=1 so it sets ssl.verification_mode: none.

[blakerouse]

The status command landed, so it would be better to run that instead of this type of check.

test: "./elastic-agent status"

Should be enough, as it returns exit code 0 when the agent is healthy.

[mtojek]

Fixed

Unfortunately it fails with:

bash-4.2$ ./elastic-agent status
Error: failed to communicate with Elastic Agent daemon: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial unix /usr/share/elastic-agent/data/tmp/elastic-agent-control.sock: connect: no such file or directory"

I opened issue for this: elastic/beats#24956

[ruflin]

@mtojek I would not block this PR on all the changes. We have a working version which can be used and we can always iterate on top of it. I think it is more important to start using fleet-server for all the testing instead of having all the perfect params.