[Fleet] Mark Fleet-managed Saved Object tags with managed: true
#176924
Comments
kpollich
added
the
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
|
Any progress on this? The Kibana managed content changes can't take effect until we have the |
|
Hey @drewdaemon - no progress on this yet. It's scheduled for delivery in 8.15.0. Is that an acceptable timeline here? |
|
@kpollich no pressure from me 👍 . Just making sure it's clear that the changes Fleet requested from platform WRT managed content won't be effectual until this is complete. |
|
Hey @kpollich 👋 This draft PR contains the change to mark the tags with On current Vs. with the change, after installing I'm investigating routes for updating existing tags. The |
Definitely agree that the eventual consistency route would be the easiest lift in terms of development effort, but I'm not sure it's the right thing to do here. There's no guarantee that users will update all their integrations, and we'll have integrations that don't publish a new versions for many months that will prevent users from seeing these changes. So, I think pursuing a backfill is probably the right solution here. We have some prior art here with a backfill at the Fleet setup level, e.g. kibana/x-pack/plugins/fleet/server/services/setup.ts Lines 204 to 205 in e35800d kibana/x-pack/plugins/fleet/server/services/output.ts Lines 1061 to 1085 in e35800d There might also be an avenue to migrate the tags saved objects themselves through a saved object migration, but I'm not sure where the actual |
|
Looks like the tag saved object is defined in I don't think saved object migrations would be a fit here because you are making a conditional change, not something for all tag saved objects. But I will let the core team advise. cc @elastic/appex-sharedux , owners of the tag SO |
|
I've been trying to see if I can update Fleet-created tags from Fleet setup, similar to the backfill linked above. The PR's second commit shows a WIP effort, which not actually working yet... I suspect there is much more to it 🙂 I came across #154515 while investigating how this might be implemented, although I'm not clear whether updates are supported yet. Perhaps someone from @elastic/kibana-core could chime in. |
Yeah that's correct. Ideally "shared" types such as SOs shouldn't define migrations for "functional" migrations driven by a type consumer's need.
Just to make sure, we're talking about updating the In which case I think this is not something we're supporting right now, yeah, but ccing @TinaHeiligers as she's probably more up-to-date on that feature than I am. |
Yes. The goal here is that Fleet-managed tag SO have |
|
After discussion, I opened #185972 for review with the restricted scope of marking new Fleet-managed tags with I have provisionally opened #186191 as a followup issue for backfilling existing tags, which will be prioritised depending on whether updating the |
## Summary Closes #176924 This is part 1 of making all Fleet-managed tags with the `managed: true` property in the Saved Object. With this change, new tags are created with `managed: true`. As discussed in #176924, a followup effort will be required to backfill existing tags. ### Steps to reproduce 1. Boot up a fresh ES instance with no prior data and start Kibana on `main`. 2. Go to Stack Management -> Tags: there should be no pre-existing tags. 3. In Fleet, create an agent policy with the System integration. 4. Go back to Stack Management -> Tags: there should be 4 non-managed tags: <img width="1667" alt="Screenshot 2024-06-13 at 16 22 39" src="https://github.com/elastic/kibana/assets/23701614/8bd1c390-4709-4dce-8a82-b6ab05c06412"> 5. Check out this branch and restart Kibana. 6. Install another integration, e.g. Apache HTTP Server. 7. Go back to Stack Management -> Tags: a new tag should have been created for the new integration. This tag should be managed and not editable in the UI: <img width="1667" alt="Screenshot 2024-06-13 at 16 25 53" src="https://github.com/elastic/kibana/assets/23701614/11fe3c94-0847-45d8-91d5-3cdea1d1df6a"> 8. (Optional): you can also check that this works for a new stack by starting a fresh ES instance and Kibana on this branch. In step 4 above, the 4 tags created after creating the agent policy with System should all be managed and not editable: <img width="1667" alt="Screenshot 2024-06-13 at 16 29 22" src="https://github.com/elastic/kibana/assets/23701614/53dd7336-bda5-4e25-a0c3-8cc192ec35dd"> NB: the 4 tags created in the flow above reflect 3 different types of tag: - the `Managed` tag which all package assets are tagged with - package tags (`Elastic Agent` and `System` in this case) - tags defined in the integration's `tag.yml` ([in system's case](https://github.com/elastic/integrations/blob/main/packages/system/kibana/tags.yml), that's `Security Solution`) ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
When Fleet creates tags, we need to mark them as
managed: truein order to prevent users from editing them directly in the Stack Management UI.Relevant code
kibana/x-pack/plugins/fleet/server/services/epm/kibana/assets/tag_assets.ts
Lines 162 to 247 in c01ac61
These
tagobjects should havemanaged: trueprovided when created.We should also make sure we can update existing tags in users' deployments to have the
managed: trueproperty set. This can likely be done with an additional check when we discover an existing tag during theensurecalls above.The text was updated successfully, but these errors were encountered: