elastic
diff --git a/‎beater/cloudbeat.go
+94-29 b/‎beater/cloudbeat.go
+94-29
diff --git a/‎beater/cloudbeat_test.go
+197 b/‎beater/cloudbeat_test.go
+197
@@ -37,6 +37,10 @@ import (
 	"github.com/gofrs/uuid"
 )
 
+const (
+	reconfigureWaitTimeout = 5 * time.Minute
+)
+
 // cloudbeat configuration.
 type cloudbeat struct {
 	ctx    context.Context
@@ -122,12 +126,25 @@ func (bt *cloudbeat) Run(b *beat.Beat) error {
 	bt.log.Info("cloudbeat is running! Hit CTRL-C to stop it.")
 
 	// Configure the beats Manager to start after all the reloadable hooks are initialized
-	// and shutdown when the function return.
+	// and shutdown when the function returns.
 	if err := b.Manager.Start(); err != nil {
 		return err
 	}
 	defer b.Manager.Stop()
 
+	// Wait for Fleet-side reconfiguration only if cloudbeat is running in Agent-managed mode.
+	if b.Manager.Enabled() {
+		bt.log.Infof("Waiting for initial reconfiguration from Fleet server...")
+		update, err := bt.reconfigureWait(reconfigureWaitTimeout)
+		if err != nil {
+			return err
+		}
+
+		if err := bt.configUpdate(update); err != nil {
+			return fmt.Errorf("failed to update with initial reconfiguration from Fleet server: %w", err)
+		}
+	}
+
 	if err := bt.data.Run(bt.ctx); err != nil {
 		return err
 	}
@@ -154,49 +171,97 @@ func (bt *cloudbeat) Run(b *beat.Beat) error {
 			return nil
 
 		case update := <-bt.configUpdates:
-			if err := bt.config.Update(update); err != nil {
-				bt.log.Errorf("Could not update cloudbeat config: %v", err)
-				break
+			if err := bt.configUpdate(update); err != nil {
+				bt.log.Errorf("Failed to update cloudbeat config: %v", err)
 			}
 
-			policies, err := csppolicies.CISKubernetes()
-			if err != nil {
-				bt.log.Errorf("Could not load CIS Kubernetes policies: %v", err)
-				break
-			}
+		case fetchedResources := <-output:
+			cycleId, _ := uuid.NewV4()
+			cycleStart := time.Now()
+			bt.log.Infof("Eval cycle %v has started", cycleId)
+
+			cycleMetadata := transformer.CycleMetadata{CycleId: cycleId}
+			// TODO: send events through a channel and publish them by a configured threshold & time
+			events := bt.transformer.ProcessAggregatedResources(fetchedResources, cycleMetadata)
+
+			bt.log.Infof("Publishing %d events to index", len(events))
+			bt.client.PublishAll(events)
+
+			bt.log.Infof("Eval cycle %v published %d events after %s", cycleId, len(events), time.Since(cycleStart))
+		}
+	}
+}
+
+// reconfigureWait will wait for and consume incoming reconfuration from the Fleet server, and keep
+// discarding them until the incoming config contains the necessary information to start cloudbeat
+// properly, thereafter returning the valid config.
+func (bt *cloudbeat) reconfigureWait(timeout time.Duration) (*common.Config, error) {
+	start := time.Now()
+	timer := time.After(timeout)
+
+	for {
+		select {
+		case <-bt.ctx.Done():
+			return nil, fmt.Errorf("cancelled via context")
 
-			if len(bt.config.Streams) == 0 {
-				bt.log.Infof("Did not receive any input stream, skipping.")
-				break
+		case <-timer:
+			return nil, fmt.Errorf("timed out waiting for reconfiguration")
+
+		case update, ok := <-bt.configUpdates:
+			if !ok {
+				return nil, fmt.Errorf("reconfiguration channel is closed")
 			}
 
-			y, err := bt.config.DataYaml()
+			c, err := config.New(update)
 			if err != nil {
-				bt.log.Errorf("Could not marshal to YAML: %v", err)
-				break
+				bt.log.Errorf("Could not parse reconfiguration %v, skipping with error: %v", update.FlattenedKeys(), err)
+				continue
 			}
 
-			if err := csppolicies.HostBundleWithDataYaml("bundle.tar.gz", policies, y); err != nil {
-				bt.log.Errorf("Could not update bundle with dataYaml: %v", err)
-				break
+			if len(c.Streams) == 0 {
+				bt.log.Infof("No streams received in reconfiguration %v", update.FlattenedKeys())
+				continue
 			}
 
-			bt.log.Infof("Bundle updated with dataYaml: %s", y)
+			if c.Streams[0].DataYaml == nil {
+				bt.log.Infof("data_yaml not present in reconfiguration %v", update.FlattenedKeys())
+				continue
+			}
 
-		case fetchedResources := <-output:
-			cycleId, _ := uuid.NewV4()
-			bt.log.Infof("Cycle %v has started", cycleId)
+			bt.log.Infof("Received valid reconfiguration after waiting for %s", time.Since(start))
+			return update, nil
+		}
+	}
+}
 
-			cycleMetadata := transformer.CycleMetadata{CycleId: cycleId}
-			// TODO: send events through a channel and publish them by a configured threshold & time
-			events := bt.transformer.ProcessAggregatedResources(fetchedResources, cycleMetadata)
+// configUpdate applies incoming reconfiguration from the Fleet server to the cloudbeat config,
+// and updates the hosted bundle with the new values.
+func (bt *cloudbeat) configUpdate(update *common.Config) error {
+	if err := bt.config.Update(bt.log, update); err != nil {
+		return err
+	}
 
-			bt.log.Infof("Publishing %d events to index", len(events))
-			bt.client.PublishAll(events)
+	policies, err := csppolicies.CISKubernetes()
+	if err != nil {
+		return fmt.Errorf("could not load CIS Kubernetes policies: %w", err)
+	}
 
-			bt.log.Infof("Cycle %v has ended", cycleId)
-		}
+	if len(bt.config.Streams) == 0 {
+		bt.log.Infof("Did not receive any input stream from incoming config, skipping.")
+		return nil
 	}
+
+	y, err := bt.config.DataYaml()
+	if err != nil {
+		return fmt.Errorf("could not marshal to YAML: %w", err)
+	}
+
+	if err := csppolicies.HostBundleWithDataYaml("bundle.tar.gz", policies, y); err != nil {
+		return fmt.Errorf("could not update bundle with dataYaml: %w", err)
+	}
+
+	bt.log.Infof("Bundle updated with dataYaml: %s", y)
+	return nil
 }
 
 func InitRegistry(log *logp.Logger, c config.Config) (manager.FetchersRegistry, error) {
 
@@ -0,0 +1,197 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package beater
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/elastic/beats/v7/libbeat/common"
+	"github.com/elastic/beats/v7/libbeat/logp"
+	"github.com/stretchr/testify/suite"
+)
+
+type BeaterTestSuite struct {
+	suite.Suite
+
+	log *logp.Logger
+}
+
+func TestBeaterTestSuite(t *testing.T) {
+	s := new(BeaterTestSuite)
+	s.log = logp.NewLogger("cloudbeat_beater_test_suite")
+
+	if err := logp.TestingSetup(); err != nil {
+		t.Error(err)
+	}
+
+	suite.Run(t, s)
+}
+
+func (s *BeaterTestSuite) SetupTest() {
+}
+
+func (s *BeaterTestSuite) TestReconfigureWait() {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	beat := &cloudbeat{
+		ctx:    ctx,
+		cancel: cancel,
+		log:    s.log,
+	}
+
+	configNoStreams, err := common.NewConfigFrom(`
+    not_streams:
+      - data_yaml:
+          activated_rules:
+            cis_k8s:
+              - a
+              - b
+              - c
+              - d
+              - e
+`)
+	s.NoError(err)
+
+	configNoDataYaml, err := common.NewConfigFrom(`
+    streams:
+      - not_data_yaml:
+          activated_rules:
+            cis_k8s:
+              - a
+              - b
+              - c
+              - d
+              - e
+`)
+	s.NoError(err)
+
+	configWithDataYaml, err := common.NewConfigFrom(`
+    streams:
+      - data_yaml:
+          activated_rules:
+            cis_k8s:
+              - a
+              - b
+              - c
+              - d
+              - e
+`)
+	s.NoError(err)
+
+	type incomingConfigs []struct {
+		after  time.Duration
+		config *common.Config
+	}
+
+	testcases := []struct {
+		timeout  time.Duration
+		configs  incomingConfigs
+		expected *common.Config
+	}{
+		{
+			5 * time.Millisecond,
+			incomingConfigs{},
+			nil,
+		},
+		{
+			40 * time.Millisecond,
+			incomingConfigs{
+				{1 * time.Millisecond, configWithDataYaml},
+			},
+			configWithDataYaml,
+		},
+		{
+			40 * time.Millisecond,
+			incomingConfigs{
+				{1 * time.Millisecond, configNoStreams},
+				{1 * time.Millisecond, configNoDataYaml},
+				{1 * time.Millisecond, configNoStreams},
+			},
+			nil,
+		},
+		{
+			40 * time.Millisecond,
+			incomingConfigs{
+				{1 * time.Millisecond, configNoStreams},
+				{1 * time.Millisecond, configNoDataYaml},
+				{1 * time.Millisecond, configNoStreams},
+				{1 * time.Millisecond, configWithDataYaml},
+			},
+			configWithDataYaml,
+		},
+		{
+			40 * time.Millisecond,
+			incomingConfigs{
+				{1 * time.Millisecond, configNoStreams},
+				{1 * time.Millisecond, configNoDataYaml},
+				{1 * time.Millisecond, configNoStreams},
+				{40 * time.Millisecond, configWithDataYaml},
+			},
+			nil,
+		},
+		{
+			40 * time.Millisecond,
+			incomingConfigs{
+				{1 * time.Millisecond, configNoStreams},
+				{40 * time.Millisecond, configNoDataYaml},
+				{1 * time.Millisecond, configNoStreams},
+			},
+			nil,
+		},
+		{
+			40 * time.Millisecond,
+			incomingConfigs{
+				{1 * time.Millisecond, configNoDataYaml},
+				{1 * time.Millisecond, configWithDataYaml},
+				{1 * time.Millisecond, configNoStreams},
+			},
+			configWithDataYaml,
+		},
+		{
+			40 * time.Millisecond,
+			incomingConfigs{
+				{1 * time.Millisecond, configWithDataYaml},
+				{1 * time.Millisecond, configNoStreams},
+			},
+			configWithDataYaml,
+		},
+	}
+
+	for _, tcase := range testcases {
+		cu := make(chan *common.Config)
+		beat.configUpdates = cu
+
+		go func(ic incomingConfigs) {
+			defer close(cu)
+
+			for _, c := range ic {
+				time.Sleep(c.after)
+				cu <- c.config
+			}
+		}(tcase.configs)
+
+		u, err := beat.reconfigureWait(tcase.timeout)
+		if tcase.expected == nil {
+			s.Error(err)
+		} else {
+			s.Equal(tcase.expected, u)
+		}
+	}
+}