agent-mode loads output from policy

[michel-laterman]

What is the problem this PR solves?

When running in agent-mode fleet-server can never connect to any additional Elasticsearch hosts.

From the discussions in the initial attempt to fix this issue in the elastic-agent (elastic/elastic-agent#4473) we have decided to treat the output config that the agent passes to the fleet-server more like a "bootstrap" block that the fleet-server can use to form an initial connection to ES and pull more output config from the associated policy.

This approach does not solve for the edge-case where the URL used in bootstrapping (specified when enrolling/installing) goes down and the fleet-server needs to be restarted.
In this case fleet-server will not be healthy as it can't gather output config from the bootstrap ES host.
Additionally we still expect that the bootstrap es host will never be removed as a valid output.

How does this PR solve the problem?

Allow the self-monitor that fleet-server starts when in agent mode to send a config.Config struct through the server's config channel. This struct only has the Output and (new) RevisionIdx attributes set from values retrieved from the policy output.
When fleet receives new config it will handle the output only config as a special case and merge it with the previous
output config in order to get an up to date complete config.
When merging config, non-default values from the policy are preferred.
For an output block to be used, at least one host must be reachable.

How to test this PR locally

1. Enroll an elastic-agent instance running fleet-server and add another host to the elasticsearch output in fleet (ui)

• the new host does not need to be a valid elasticsearch host

2. Gather a diagnostics bundle from the elastic-agent
3. The fleet-server.yml in the bundle should have multiple hosts in the output block, logs in the bundle should also indicate that the output block from the latest revision is being used

Design Checklist

• I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool

Related issues

• Closes Fleet Server configuration does not contain all the hosts available in the Elasticsearch cluster elastic-agent#2784

[michel-laterman]

buildkite test this

[michel-laterman]

buildkite test this

[michel-laterman]

I found that without this in the mocked calls list the test will panic because the cancel() call when the state updates to healthy interrupts something and returns the context cancelled error triggering a fail-state detection instead of a stopping call

[nchaulet]

@michel-laterman why do we need to merge the policy here? cannot use what come from the config? the proxy and tls settings should be configured there too no? otherwise there is no way for user to change proxy and tls from Fleet right?

[michel-laterman]

Currently the elastic-agent injection will not replace keys that are already present in local config:

https://github.com/elastic/elastic-agent/blob/2873f66e40fbbb490dc1367cb4cf2c9ccc937ae3/internal/pkg/agent/application/fleet_server_bootstrap.go#L67-L77

So the agent can set tls.CAs from policy if it was not an enrollment arg (i'm not sure if it serializes locally)
but the bigger issue is that the agent only ever sends a single host in the output block due to this behaviour

[juliaElastic]

Should we raise an ingest-docs issue to document this feature?

[michel-laterman]

yes, we should

[cmacknz]

This approach does not solve for the edge-case where the URL used in bootstrapping (specified when enrolling/installing) goes down and the fleet-server needs to be restarted.
In this case fleet-server will not be healthy as it can't gather output config from the bootstrap ES host.
Additionally we still expect that the bootstrap es host will never be removed as a valid output.

As long as agent has received a policy from Fleet server at least once, it will have persisted it locally on disk. This should mean that except for the very first time agent checks in, there is a cached set of fleet server outputs that are going to arrive via the control protocol.

Are the control protocol outputs also added to the set of Fleet server hosts when they are receive? They are the same as the ones Fleet Server could query itself, they just come in via a different path.

Removing the bootstrap broker is interesting, it might make sense to model the bootstrap broker as an explicit thing in Fleet if somebody asks us for this. Its purpose is to get the policy the very first time before there are policy outputs to read from. At the same time, once you have gotten the policy at least once, there shouldn't ever be a need to rely only on the bootstrap output again.

[cmacknz]

Modelling the bootstrap broker explicitly in diagnostics as something separate from the outputs in the policy might also be a way to account for it diagnostics.

[michel-laterman]

@cmacknz, just to be clear I have not adjusted any bootstrap behaviour in fleet-server or the elastic-agent.
I've just allowed the policy self-monitor to send updates to the config reload channel

We know that the (elastic-agent) component modifier adjusts the es hosts it sends to fleet-server to use only what is specified during enrollment when elastic-agent is not restarted if the desciption of agent persistency is correct:

As long as agent has received a policy from Fleet server at least once, it will have persisted it locally on disk. This should mean that except for the very first time agent checks in, there is a cached set of fleet server outputs that are going to arrive via the control protocol.

So we can have an edge case that occurs as follows:

• ES hosts are set to A, B
• fleet-server is enrolled with host A
  • policy monitor will send A, B to reload
• fleet-server policy is adjusted by user (i.e., max_agent has changed)
• elastic-agent will send updated policy with only host A (if the agent has not been restarted)
  • policy monitor will then sent A, B to reload again

I'm going to test what output is sent to a fleet-server after an agent restarts
My plan is to run elasticsearch + kibana locally, then enroll an agent running fleet-server and explicitly pass the es ca.
After it is healthy i'll adjust the output to have a different path to the (same) ca and an additional es host then restart the agent

[cmacknz]

We know that the (elastic-agent) component modifier adjusts the es hosts it sends to fleet-server to use only what is specified during enrollment when elastic-agent is not restarted if the description of agent persistency is correct:

Ugh right we are overriding the outputs in the policy. We'd need fleet server to cache the outputs list to get around this.

I don't want to blow up the scope of this change too much, but I wonder if all of this would be simpler if we defined Fleet server to always have two outputs, one is explicitly the bootstrap output and the other is the set of standard outputs in the policy (which may overlap with bootstrap). The bootstrap output only gets used if the standard outputs don't exist yet.

That way you'd benefit from the agent's cache of the most recent policy. Basically we'd want agent to keep injecting an output it would just be an additional output instead of overwriting the single output that exists today.

[michel-laterman]

I tried the following for a test:

Created 8.14-SNAPSHOT on qa
Built an agent using the main branch (did not include fleet-server from this pr)

• enrolled a new fleet-server/agent instance in fleet using a custom policy and default output with --es-certificate-authorities=/etc/ssl/certs/ca-certificates
• copied ca file to another location (/tmp)
• added ssl.certificate_authorities: ["/tmp/ca-certificates.crt"] to es output in kibana

the new ssl.certificate_authorities value did not appear in fleet-server.yml from any diagnostics i collected (before/after restarting the agent)

I also then tried uninstalling the agent, then re-installing without the --es-certificate-authorities flag and found that fleet-server's output includes

        tls:
            verification_mode: full
            certificate_authorities:
                - /tmp/ca-certificates.crt
            renegotiation: never

and the ca path appears in fleet-server's "initial server configuration" message.

The main finding is that the elastic-agent will never replace an attribute that was present during enrolment with a value from a policy when sending config to fleet-server.
As a result we still are going to have the existing edge cases around restarts

[michel-laterman]

buildkite test this

[michel-laterman]

@juliaElastic I've added this method so we use the use_output attribute of the fleet-server input to get the output name directly instead of scanning for the 1st elasticsearch type output

[elastic-sonarqube]

Quality Gate passed

The SonarQube Quality Gate passed, but some issues were introduced.

3 New issues
0 Security Hotspots
69.7% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[lucabelluccini]

Hello!

• Would it be possible to cover/describe the behavior of the ES hosts for Fleet Server integration in the documentation especially if there is some subtle consequence on first enrollment?
• Can we make sure the EA diagnostic reflect the real hosts being used?
• Possibly, describe the new behavior in the known issue https://support.elastic.dev/knowledge/view/f69b6e46

[michel-laterman]

@cmacknz I created #3464 to handle output bootstrap tracking separately to limit how large this pr grows. Should I make another issue in fleet server to discuss/track my findings above?

The main finding is that the elastic-agent will never replace an attribute that was present during enrolment with a value from a policy when sending config to fleet-server.
As a result we still are going to have the existing edge cases around restarts

@lucabelluccini I can confirm that the fleet-server.yml will be accurate in collected diagnostics.
I'll add a section that outlines expected behaviour for 8.14+ in our support docs
I'll also work with our docs team to get our public docs updated as well.

[greicefaustino]

Hey team, in which version we will have this fixed? There's a tentative release version? Are there other dependencies to be merged?

[cmacknz]

8.14.0 would be the first version with the fix.

[lucabelluccini]

PLEASE NOTE: THIS FIX HAS BEEN REVERTED IN #3496
KB updated to reflect the old behavior https://support.elastic.co/knowledge/f69b6e46