Add a feature toggle

michel-laterman · michel-laterman · commit b59e45c32eb8 · 2025-09-17T09:41:12.000-07:00
diff --git a/changelog/fragments/1757633911-Add-agent_policy_id-and-policy_revision_idx-to-checkin-requests.yaml b/changelog/fragments/1757633911-Add-agent_policy_id-and-policy_revision_idx-to-checkin-requests.yaml
@@ -22,7 +22,9 @@ description: |
   policy. These details will replace the need for an ack on
   policy_change actions, and will be used to determine when to send a
   policy change when there is a new revision available, or when the
-  agent is reassigned to a different policy.
+  agent is reassigned to a different policy. Add a server setting under
+  feature_flags.ignore_checkin_policy_id that disables this behavour and
+  restores the previous approach.
 
 # Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
 component: fleet-server
diff --git a/fleet-server.reference.yml b/fleet-server.reference.yml
@@ -270,6 +270,13 @@ fleet:
 #       upstream_url: "https://artifacts.elastic.co/GPG-KEY-elastic-agent"
 #       # By default dir is the directory containing the fleet-server executable (following symlinks) joined with elastic-agent-upgrade-keys
 #       dir: ./elastic-agent-upgrade-keys
+#
+#      # Toggles to enable new behaviour or restore old behaviour.
+#      feature_flags:
+#        // ignore agent_policy_id and policy_revision_idx attributes that may be present in the checkin request bodies.
+#        // POLICY_CHANGE actions need an explicit ack if this is set.
+#        ignore_checkin_policy_id: false
+#
 #    # monitor options are advanced configuration and should not be adjusted is most cases
 #    monitor:
 #      fetch_size: 1000 # The number of documents that each monitor may fetch at once
diff --git a/internal/pkg/api/handleCheckin.go b/internal/pkg/api/handleCheckin.go
@@ -1147,8 +1147,8 @@ func calcPollDuration(zlog zerolog.Logger, pollDuration, setupDuration, jitterDu
 // The API keys will be managed if the agent reports a new policy id from its last checkin, or if the revision is different than what the last checkin reported.
 // It returns the revision idx that should be used when subscribing for new POLICY_CHANGE actons and optional args to use when doing the non-tick checkin.
 func (ct *CheckinT) processPolicyDetails(ctx context.Context, zlog zerolog.Logger, agent *model.Agent, req *CheckinRequest) (int64, []checkin.Option, error) {
-	// no details specified
-	if req == nil || req.PolicyRevisionIdx == nil || req.AgentPolicyId == nil {
+	// no details specified or attributes are ignored by config
+	if ct.cfg.Features.IgnoreCheckinPolicyID || req == nil || req.PolicyRevisionIdx == nil || req.AgentPolicyId == nil {
 		return agent.PolicyRevisionIdx, nil, nil
 	}
 	policyID := *req.AgentPolicyId
diff --git a/internal/pkg/api/handleCheckin_test.go b/internal/pkg/api/handleCheckin_test.go
@@ -1319,4 +1319,28 @@ func TestProcessPolicyDetails(t *testing.T) {
 			pm.AssertExpectations(t)
 		})
 	}
+
+	t.Run("IgnoreCheckinPolicyID flag is set", func(t *testing.T) {
+		logger := testlog.SetLogger(t)
+		checkin := &CheckinT{
+			cfg: config.Server{
+				Features: config.FeatureFlags{
+					IgnoreCheckinPolicyID: true,
+				},
+			},
+		}
+		revIDX, opts, err := checkin.processPolicyDetails(t.Context(), logger,
+			&model.Agent{
+				PolicyID:          policyID,
+				PolicyRevisionIdx: 1,
+			},
+			&CheckinRequest{
+				AgentPolicyId:     &policyID,
+				PolicyRevisionIdx: &revIDX2,
+			},
+		)
+		assert.NoError(t, err)
+		assert.Equal(t, int64(1), revIDX)
+		assert.Empty(t, opts)
+	})
 }
diff --git a/internal/pkg/config/input.go b/internal/pkg/config/input.go
@@ -77,6 +77,7 @@ type (
 		StaticPolicyTokens StaticPolicyTokens      `config:"static_policy_tokens"`
 		PGP                PGP                     `config:"pgp"`
 		PDKDF2             PBKDF2                  `config:"pdkdf2"`
+		Features           FeatureFlags            `config:"feature_flags"`
 	}
 
 	StaticPolicyTokens struct {
@@ -91,6 +92,13 @@ type (
 		TokenKey string `config:"token_key"`
 		PolicyID string `config:"policy_id"`
 	}
+
+	// FeatureFlags contains toggles to enable new behaviour, or restore old behaviour.
+	FeatureFlags struct {
+		// IgnoreCheckinPolicyID when true will ignore the agent_policy_id and policy_revision_idx attributes in checkin request bodies.
+		// This setting restores previous behaviour where all POLICY_CHANGE actions need an explicit ack.
+		IgnoreCheckinPolicyID bool `config:"ignore_checkin_policy_id"`
+	}
 )
 
 // InitDefaults initializes the defaults for the configuration.

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,7 @@ type (`
`77`	`77`	StaticPolicyTokens StaticPolicyTokens `config:"static_policy_tokens"`
`78`	`78`	PGP PGP `config:"pgp"`
`79`	`79`	PDKDF2 PBKDF2 `config:"pdkdf2"`
	`80`	+ Features FeatureFlags `config:"feature_flags"`
`80`	`81`	`}`
`81`	`82`
`82`	`83`	`StaticPolicyTokens struct {`
`@@ -91,6 +92,13 @@ type (`
`91`	`92`	TokenKey string `config:"token_key"`
`92`	`93`	PolicyID string `config:"policy_id"`
`93`	`94`	`}`
	`95`	`+`
	`96`	`+ // FeatureFlags contains toggles to enable new behaviour, or restore old behaviour.`
	`97`	`+ FeatureFlags struct {`
	`98`	`+ // IgnoreCheckinPolicyID when true will ignore the agent_policy_id and policy_revision_idx attributes in checkin request bodies.`
	`99`	`+ // This setting restores previous behaviour where all POLICY_CHANGE actions need an explicit ack.`
	`100`	+ IgnoreCheckinPolicyID bool `config:"ignore_checkin_policy_id"`
	`101`	`+ }`
`94`	`102`	`)`
`95`	`103`
`96`	`104`	`// InitDefaults initializes the defaults for the configuration.`