Allow dev stand-alone execution (#2212)

* Add SNAPSHOT only stand alone mode

Allow the fleet-server to run independantly of the elastic-agent when a
SNAPSHOT is built.
When in stand alone mode the fleet-server agent will create an agent
record for itself in the agents index with the ID specified in the
fleet.yml file. After regular startup the agent will also send checkins
to it's API handler in order to appear as a healthy agent in the UI.
All config is read from the fleet.yml file. Actions and policy changes
are ignored. action seq numbers are not persisted.

* Add license headers

* test fixes

* Change to DEV flag, add readme

* minor cleanup

* add old config for testing

* fix stand alone yml

* Fix data race in tests caused by logger contention

* Fix setup issue

* Add tls instructions

* return default load limits when passed a 0 value

* Update internal/pkg/server/standAlone_release.go

Co-authored-by: Anderson Queiroz <me@andersonq.me>

* Update internal/pkg/server/standAlone_release.go

Co-authored-by: Anderson Queiroz <me@andersonq.me>

* Update README.md

Co-authored-by: Anderson Queiroz <me@andersonq.me>

* Update internal/pkg/server/standAlone_dev.go

Co-authored-by: Anderson Queiroz <me@andersonq.me>

* Update internal/pkg/server/standAlone_dev.go

Co-authored-by: Anderson Queiroz <me@andersonq.me>

* removed commented code

* added changelog

* standalone:false for integration test

Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
Co-authored-by: Anderson Queiroz <me@andersonq.me>
Co-authored-by: Julia Bardi <julia.bardi@elastic.co>

Author: 3 people

CHANGELOG.next.asciidoc

@@ -35,3 +35,4 @@
 - Storing checkin message in last_checkin_message {pull}1932[1932]
 - Allow upgrade actions to signal that they will be retried. {pull}1887[1887]
 - Replaced upgrade expiration and minimum_execution_duration with rollout_duration_seconds. {pull}2243[2243]
+- Document how to run fleet server locally. {issue}1423[1423] {pull}2212[2212]

Makefile

@@ -54,7 +54,7 @@ list-platforms: ## - Show the possible PLATFORMS
 .PHONY: local
 local: ## - Build local binary for local environment (bin/fleet-server)
 	@printf "${CMD_COLOR_ON} Build binaries using local go installation\n${CMD_COLOR_OFF}"
-	go build -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" -o ./bin/fleet-server .
+	go build $(if $(DEV),-tags="dev",) -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" -o ./bin/fleet-server .
 	@printf "${CMD_COLOR_ON} Binaries in ./bin/\n${CMD_COLOR_OFF}"
 
 .PHONY: clean
@@ -147,7 +147,7 @@ $(PLATFORM_TARGETS): release-%:
 	$(eval $@_GO_ARCH := $(lastword $(subst /, ,$(lastword $(subst release-, ,$@)))))
 	$(eval $@_ARCH := $(TARGET_ARCH_$($@_GO_ARCH)))
 	$(eval $@_BUILDMODE:= $(BUILDMODE_$($@_OS)_$($@_GO_ARCH)))
-	GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) go build -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/binaries/fleet-server-$(VERSION)-$($@_OS)-$($@_ARCH)/fleet-server .
+	GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) go build $(if $(DEV),-tags="dev",) -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/binaries/fleet-server-$(VERSION)-$($@_OS)-$($@_ARCH)/fleet-server .
 	@$(MAKE) OS=$($@_OS) ARCH=$($@_ARCH) package-target
 
 .PHONY: package-target

README.md

@@ -1,166 +1,152 @@
 [![Build Status](https://fleet-ci.elastic.co/job/fleet-server/job/fleet-server-mbp/job/main/badge/icon)](https://fleet-ci.elastic.co/job/Ingest-manager/job/fleet-server/job/main/)
 
-# Fleet Server implementation
+# Fleet Server
 
-## Development
-
-fleet-server is under development. The following are notes to help developers onboarding to the project to quickly get running. These notes might change at any time.
+Fleet server is the control server to manage a fleet of [elastic-agents](https://github.com/elastic/elastic-agent).
 
-## Setup for fleet-server development
+For production deployments the fleet-server is supervised and bootstrapped by an elastic-agent.
 
-### ES and Kinaba from SNAPSHOTS API
+To assist with development the fleet-server may run in a stand-alone mode.
 
-Download them from the snapshots API:
-Edit the version and OS/arch to suit your system, or [check the API](https://artifacts-api.elastic.co/v1/search/8.4-SNAPSHOT) (change the version if needed) if the ones below does not suit you.
- - 8.4.0-SNAPSHOT-linux-x86_64.tar.gz
- - 8.4.0-SNAPSHOT-darwin-aarch64.tar.gz
- - 8.4.0-SNAPSHOT-windows-x86_64.zip
+## Compatibility and upgrades
 
-TODO: parse the JSON to get the URL
-```shell
-wget https://snapshots.elastic.co/8.4.0-64eb2b35/downloads/elasticsearch/elasticsearch-8.4.0-SNAPSHOT-linux-x86_64.tar.gz
-wget https://snapshots.elastic.co/8.4.0-64eb2b35/downloads/kibana/kibana-8.4.0-SNAPSHOT-linux-x86_64.tar.gz
+Fleet-server communicates with Elasticsearch. Elasticsearch must be on the same version or newer.
+Fleet server is always on the exact same version as the Elastic Agent running fleet-server.
+Any Elastic Agent enrolling into a fleet-server must be the same version or older.
+For Kibana it is assumed it is on the same version as Elasticsearch. With this the compatibility looks as following:
 ```
-
-Follow the instructions for [ElasticSearch](https://www.elastic.co/downloads/elasticsearch) and [Kibana](https://www.elastic.co/downloads/kibana)
-
-### fleet-server+agent on a Vagrant VM
-
-The Vagrant machine assumes the `elastic-agent`, `beats` and `fleet-server` repos are in the same folder.
-Thus, it mounts `../` to `/vagrant` on the Vagrant machine. The vagrant machine IP address is `192.168.56.43`.
-Use `https://192.168.56.43:8220` as fleet-server host.
-
-### Grab or build the Elastic-Agent
-
-For detailed instructions, check the [Elastic-Agent](https://github.com/elastic/elastic-agent) repo.
-```shell
-cd YOUR_ELASTIC_AGENT_FOLDER
-SNAPSHOT=true EXTERNAL=true PLATFORMS="linux/amd64" PACKAGES="tar.gz" mage -v dev:package # adjust PLATFORMS and PACKAGES to your system and needs.
+Elastic Agent <= Elastic Agent with fleet-server <= Elasticsearch / Kibana
 ```
 
-### Build and Package
+There might be differences on the bugfix version.
 
-Change `release-linux/amd64` to `release-YOUR_OS/platform`. Run `make list-platforms` to check
-out the possible values.
+For upgrades Elasticsearch/Kibana must be upgraded first, then the Elastic Agent with fleet-server followed by any other Elastic Agents.
 
-The `DEV=true` will allow the binary to be debugged ~~with a debugger~~.
+## MacOSX Version
 
-```shell
-DEV=true SNAPSHOT=true make release-linux/amd64
+The [golang-crossbuild](https://github.com/elastic/golang-crossbuild) produces images used for testing/building.
+The `golang-crossbuild:1.16.X-darwin-debian10` images expects the minimum MacOSX version to be 10.14+.
 
-vagrant up
-vagrant ssh
-```
+## Development
 
-For the Elastic-Agent to use your build of the fleet-server, unpack the elastic agent and add your fleet-server tar.gz and sha512 to
-`elastic-agent-8.Y.Z-SNAPSHOT-OS-ARCH/data/elastic-agent-*/downloads/`. 
+The following are notes to help developers onboarding to the project to quickly get running. These notes might change at any time.
 
-Then go to `Kibana > Managment > Fleet` and follow the instructions there.
+### Development build
 
-#### tl;dr/example:
+To compile the fleet-server in development mode set the env var `DEV=true`.
+When compiled in development mode the fleet-server will support debugging and stand-alone execution.
+i.e.:
 ```shell
-cp /vagrant/elastic-agent/build/distributions/elastic-agent-8.4.0-SNAPSHOT-linux-x86_64.tar.gz* ./
-tar xzvf elastic-agent-8.4.0-SNAPSHOT-linux-x86_64.tar.gz
-cd elastic-agent-8.4.0-SNAPSHOT-linux-x86_64
-cp /vagrant/fleet-server/build/distributions/fleet-server-8.4.0-SNAPSHOT-linux-x86_64.tar.gz* ./data/elastic-agent-494b79/downloads/
-./elastic-agent install ...
+SNAPSHOT=true DEV=true make release-darwin/amd64
+GOOS=darwin GOARCH=amd64 go build -tags="dev" -gcflags="all=-N -l" -ldflags="-X main.Version=8.7.0 -X main.Commit=31668e0 -X main.BuildTime=2022-12-23T20:06:20Z" -buildmode=pie -o build/binaries/fleet-server-8.7.0-darwin-x86_64/fleet-server .
 ```
 
-## Setup for Elastic-Agent development
+Change `release-darwin/amd64` to `release-YOUR_OS/platform`.
+Run `make list-platforms` to check out the possible values.
 
-### From source
-To run and test fleet-server, a recent version of Elastic Agent and Kibana are needed. In the following Elastic Agent and Kibana are built from source. The fleet-server itself is not built from source but pulled from the latest snapshot build. It would be possible to also pull Elastic Agent or Kibana from the latest snapshot but the assumption that is made here that whoever is testing this, is likely developing either Elastic Agent or on the Kibana side.
+The `SNAPSHOT` flag sets the snapshot version flag.
 
+### Running a development build
 
-### Kibana setup
+#### ES and Kibana from SNAPSHOTS API on host
 
-The source code of Kibana must be checked out. After checkout, the following command must be run:
+Download SNAPSHOT builds for Elasticsearch and Kibana from the snapshots API:
+Edit the version and OS/arch to suit your system, or [check the API](https://artifacts-api.elastic.co/v1/search/8.7-SNAPSHOT) (change the version if needed) if the ones below does not suit you.
+ - 8.7.0-SNAPSHOT-linux-x86_64.tar.gz
+ - 8.7.0-SNAPSHOT-darwin-aarch64.tar.gz
+ - 8.7.0-SNAPSHOT-windows-x86_64.zip
 
+TODO: parse the JSON to get the URL
+```shell
+wget https://snapshots.elastic.co/8.7.0-19f30181/downloads/elasticsearch/elasticsearch-8.7.0-SNAPSHOT-linux-x86_64.tar.gz
+wget https://snapshots.elastic.co/8.7.0-19f30181/downloads/kibana/kibana-8.7.0-SNAPSHOT-linux-x86_64.tar.gz
 ```
-yarn kbn bootstrap
-```
-
-This will take a while the first time it is run. An error might be return in case not a valid node version is installed. Use nvm to install the correct version.
 
-Now the following two commands must be run in parallel:
-
-```
-# Start ES
-yarn es snapshot -E xpack.security.authc.api_key.enabled=true
+Generally you will need to unarchive and run the binaries:
 
-# Start KB
-yarn start --no-base-path
+```shell
+tar -xzf elasticsearch-8.7.0-SNAPSHOT-linux-x86_64.tar.gz
+cd elasticsearch-8.7.0-SNAPSHOT
+./bin/elasticsearch
 ```
 
-As soon as all is running, go to `http://localhost:5601`, enter `elastic/changeme` as credential and navigate to Fleet. Trigger the Fleet setup. As soon as this is completed, copy the `policy id` and `enrollment token` for the fleet-server policy. The policy id can be copied from the URL, the enrollment token can be found in the Enrollment Token list.
-
-NOTE: This step can be skipped if the full command below for the Elastic Agent is used.
+The elasticsearch output will output the `elastic` user's password and a Kibana configuration string.
 
-Now Kibana is running and ready. The next step is to setup Elastic Agent.
+```shell
+tar -xzf kibana-8.7.0-SNAPSHOT-linux-x86_64.tar.gz
+cd kibana-8.7.0-SNAPSHOT
+./bin/kibana
+```
 
-## Elastic-Agent
+The kibana output will show a URL that will need to be visted in order to configure Kibana with the string elasticsearch provides.
 
-To build the Elastic Agent from source, check out the [elastic-agent repository](https://github.com/elastic/elastic-agent), then run the following command:
+More instructions for setup can be found in the [Elastic Stack Installation Guide](https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html).
 
-```
-SNAPSHOT=true DEV=true PLATFORMS=linux|darwin|windows mage package
-```
+#### fleet-server stand alone
 
-The above assumes you are running on OS X. Set `PLATFORMS` to the one in you are running on. This speeds up packaging as it only builds it for your platform. As soon as this is completed (it might take a while for the first time) navigate to `build/distributions` and unpackage the `.tar.gz`. Change working directory to the elastic-agent directory and start the Elastic Agent:
+Access the Fleet UI on Kibana and generate a fleet-server policy.
+Set the following env vars with the information from Kibana:
+- `ELASTICSEARCH_CA_TRUSTED_FINGERPRINT`
+- `ELASTICSEARCH_SERVICE_TOKEN`
+- `FLEET_SERVER_POLICY_ID`
 
-```
-KIBANA_HOST=http://localhost:5601 KIBANA_USERNAME=elastic KIBANA_PASSWORD=changeme ELASTICSEARCH_HOST=http://localhost:9200 ELASTICSEARCH_USERNAME=elastic ELASTICSEARCH_PASSWORD=changeme KIBANA_FLEET_SETUP=1 FLEET_SERVER_ENABLE=1 sudo ./elastic-agent container
+Create a self-signed TLS CA and cert+key for the fleet-server instance, you can use [elasticsearch-certutil](https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html) for this:
+```shell
+# Create a CA
+../elasticsearch/bin/elasticsearch-certutil ca --pem --out stack.zip
+unzip stack.zip
+# Create a cert+key
+../elasticsearch/bin/elasticsearch-certutil cert --pem --ca-cert ca/ca.crt --ca-key ca/ca.key --ip $HOST_IP_ADDR --out cert.zip
+unzip cert.zip
 ```
 
-This will start up Elastic Agent with fleet-server and directly enroll it. In addition, Fleet is set up inside Kibana. In case the setup is done already in Kibana manually, the following command can be used:
+Ensure that `server.ssl.enabled: true` is set as well as the `server.ssl.certificate` and `server.ssl.key` attributes in `fleet-server.yml`
 
+Then run the fleet-server:
+```shell
+./build/binaries/fleet-server-8.7.0-darwin-x86_64/fleet-server -c fleet-server.yml
 ```
-sudo ./elastic-agent enroll --fleet-server=http://elastic:changeme@localhost:9200 --fleet-server-policy={fleet-server-policy-id} --enrollment-token={policy-enrollment-token}
-```
-
-## Running Elastic Agent with fleet-server in container
+By default the fleet-server will attempt to connect to Elasticsearch on `https://localhost:9200`, if this needs to be changed set it with `ELASTICSEARCH_HOSTS`
+The fleet-server should appear as an agent with the ID `dev-fleet-server`.
 
-If you want to run Elastic Agent and fleet-server in a container but built Kibana from source, you have to add the following to your `config/kibana.dev.yml`:
-
-```
-server.host: 0.0.0.0
-```
+Any additional agents will need the `ca/ca.crt` file to enroll (or will need to use the `--insecure` flag).
 
-This makes sure, Kibana is accessible from the container. Start Kibana as before but for Elasticsearch, run the following command:
+#### fleet-server+agent on a Vagrant VM
 
-```
-yarn es snapshot -E xpack.security.authc.api_key.enabled=true -E http.host=0.0.0.0
+The development Vagrant machine assumes the `elastic-agent`, `beats`, and `fleet-server` repos are in the same folder.
+Thus, it mounts `../` to `/vagrant` on the Vagrant machine. The vagrant machine IP address is `192.168.56.43`.
+Use `https://192.168.56.43:8220` as fleet-server host.
+```shell
+vagrant up
+vagrant ssh
 ```
 
-This makes sure also Elasticsearch is accessible to the container.
+##### Build the elastic-agent
 
-Start the Elastic Agent with the following command:
-
-```
-docker run -e KIBANA_HOST=http://{YOUR-IP}:5601 -e KIBANA_USERNAME=elastic -e KIBANA_PASSWORD=changeme -e ELASTICSEARCH_HOST=http://{YOUR-IP}:9200 -e ELASTICSEARCH_USERNAME=elastic -e ELASTICSEARCH_PASSWORD=changeme -e KIBANA_FLEET_SETUP=1 -e FLEET_SERVER_ENABLE=1 -e FLEET_SERVER_INSECURE_HTTP=1 docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT
+Once in the Vagrant VM, and assuming that the repos are correctly mounted in `/vagrant`.
+Build the agent by running:
+```shell
+cd /vagrant/elastic-agent
+SNAPSHOT=true EXTERNAL=true PLATFORMS="linux/amd64" PACKAGES="tar.gz" mage -v dev:package # adjust PLATFORMS and PACKAGES to your system and needs.
 ```
 
-Replace {YOUR-IP} with the IP address of your machine.
+For detailed instructions, check the [Elastic-Agent](https://github.com/elastic/elastic-agent) repo.
 
-## fleet-server repo
+##### Run the elastic-agent+fleet-server in Vagrant
 
-By default the above will download the most recent snapshot build for fleet-server. To use your own development build, run `make release` in the fleet-server repository, go to `build/distributions` and copy the `.tar.gz` and `sha512` file to the `data/elastic-agent-{hash}/downloads` inside the elastic-agent directory. Now you run with your own build of fleet-server.
+Copy and unpack the elastic-agent `.tar.gz` file and replace the `fleet-server` binary in `elastic-agent-8.Y.Z-SNAPSHOT-OS-ARCH/data/elastic-agent-*/components/` with the snapshot from the fleet-server repo.
 
+Then go to `Kibana > Managment > Fleet` and follow the instructions there.
 
-## Compatibility and upgrades
+The vagrant machine IP address is `192.168.56.43`.
+Use `https://192.168.56.43:8220` as fleet-server host.
 
-Fleet server is always on the exact same version as Elastic Agent running fleet-server. Any Elastic Agent enrolling into a fleet-server must be the same version or older. Fleet-server communicates with Elasticsearch. Elasticsearch must be on the same version or newer. For Kibana it is assumed it is on the same version as Elasticsearch. With this the compatibility looks as following:
+##### tl;dr/example:
 
+```shell
+cp /vagrant/elastic-agent/build/distributions/elastic-agent-8.7.0-SNAPSHOT-linux-x86_64.tar.gz* ./
+tar -xzf elastic-agent-8.7.0-SNAPSHOT-linux-x86_64.tar.gz
+cd elastic-agent-8.7.0-SNAPSHOT-linux-x86_64
+cp build/binaries/fleet-server-8.7.0-SNAPSHOT-linux-x86_64/fleet-server ./data/elastic-agent-494b79/components/
+./elastic-agent install ...
 ```
-Elastic Agent <= Elastic Agent with fleet-server) <= Elasticsearch / Kibana
-```
-
-There might be differences on the bugfix version.
-
-If an upgrade is done, Elasticsearch / Kibana have to be upgraded first, then Elastic Agent with fleet-server and last the Elastic Agents.
-
-
-## MacOSX Version
-
-The [golang-crossbuild](https://github.com/elastic/golang-crossbuild) produces images used for testing/building.
-The `golang-crossbuild:1.16.X-darwin-debian10` images expects the minimum MacOSX version to be 10.14+.

cmd/fleet/main.go

@@ -112,7 +112,7 @@ func getRunCommand(bi build.Info) func(cmd *cobra.Command, args []string) error
 				return err
 			}
 
-			srv, err := server.NewFleet(bi, state.NewLog())
+			srv, err := server.NewFleet(bi, state.NewLog(), true)
 			if err != nil {
 				return err
 			}

fleet-server.yml

@@ -1,62 +1,31 @@
+# This config is intended to be used with a stand-alone fleet-server instance for development.
 output:
   elasticsearch:
-    hosts: '${ELASTICSEARCH_HOSTS:localhost:9200}'
+    hosts: '${ELASTICSEARCH_HOSTS:https://localhost:9200}'
     service_token: '${ELASTICSEARCH_SERVICE_TOKEN}'
+    ssl.ca_trusted_fingerprint: '${ELASTICSEARCH_CA_TRUSTED_FINGERPRINT}'
 
 fleet:
   agent:
-    id: 1e4954ce-af37-4731-9f4a-407b08e69e42
-    logging:
-      level: '${LOG_LEVEL:DEBUG}'
+    id: '${FLEET_SERVER_AGENT_ID:dev-fleet-server}'
 
-# Input config provided by the Elastic Agent for the server
-#inputs:
-#  - type: fleet-server
+inputs:
+  - type: fleet-server
+    policy.id: '${FLEET_SERVER_POLICY_ID:fleet-server-policy}'
 #    server:
-#      host: localhost
-#      port: 8220
-#      timeouts:
-#        checkin_long_poll: 300s # long poll timeout
-#      instrumentation:
-#        enabled: false
-#        hosts: ["localhost:8200"]
-#      profiler:
-#        enabled: true # enable profiler
-#      limits:
-#        policy_throttle: 100ms
-#        max_connetions: 150
-#          checkin_limit:
-#            interval: 100ms
-#            burst: 25
-#            max: 100
-#          artifact_limit:
-#            interval: 10ms
-#            burst: 5
-#            max: 10
-#          ack_limit:
-#            interval: 10ms
-#            burst: 20
-#            max: 10
-#          enroll_limit:
-#            interval: 50ms
-#            burst: 10
-#            max: 8
-#        ssl:
-#          enabled: true
-#          certificate: /creds/cert.pem
-#          key: /creds/key.pem
-#    cache:
-#      num_counters: 500000  # 10x times expected count
-#      max_cost: 50 * 1024 * 1024  # 50MiB cache size
+#      ssl:
+#        enabled: true
+#        certificate: /creds/cert.pem
+#        key: /creds/key.pem
+#        key_passphrase: /creds/key.pem
 
 logging:
   to_stderr: true # Force the logging output to stderr
-  #level: trace
+  pretty: true
+  level: '${LOG_LEVEL:DEBUG}'
 
 # Enables the stats endpoint under http://localhost:5601 by default.
 # Additional stats can be found under http://127.0.0.1:5066/stats and http://127.0.0.1:5066/state
 http.enabled: true
 #http.host: http://127.0.0.1
 #http.port: 5601
-#http.named_pipe.user:
-#http.named_pipe.security_descriptor:

internal/pkg/api/handleCheckin.go

@@ -135,10 +135,10 @@ func (ct *CheckinT) handleCheckin(zlog *zerolog.Logger, w http.ResponseWriter, r
 
 	// Safely check if the agent version is different, return empty string otherwise
 	newVer := agent.CheckDifferentVersion(ver)
-	return ct.processRequest(*zlog, w, r, start, agent, newVer)
+	return ct.ProcessRequest(*zlog, w, r, start, agent, newVer)
 }
 
-func (ct *CheckinT) processRequest(zlog zerolog.Logger, w http.ResponseWriter, r *http.Request, start time.Time, agent *model.Agent, ver string) error {
+func (ct *CheckinT) ProcessRequest(zlog zerolog.Logger, w http.ResponseWriter, r *http.Request, start time.Time, agent *model.Agent, ver string) error {
 
 	ctx := r.Context()