diff --git a/changelog/fragments/1707852625-Prefer-elastic-agent-client-APMConfig-in-agent-mode.yaml b/changelog/fragments/1707852625-Prefer-elastic-agent-client-APMConfig-in-agent-mode.yaml new file mode 100644 index 000000000..4324c072d --- /dev/null +++ b/changelog/fragments/1707852625-Prefer-elastic-agent-client-APMConfig-in-agent-mode.yaml @@ -0,0 +1,36 @@ +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user’s deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: enhancement + +# Change summary; a 80ish characters long description of the change. +summary: Prefer elastic-agent-client APMConfig in agent mode + +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. +description: | + While running in agent-mode fleet-server will use the APMConfig + settings of expected input if it's set over the settings in + inputs[0].server.instrumentation; this should make it easier for + managing agents to inject APM config data. + +# Affected component; a word indicating the component this changeset affects. +component: + +# PR URL; optional; the PR number that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +pr: 3277 + +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). +# If not present is automatically filled by the tooling with the issue linked to the PR number. +issue: 2868 diff --git a/internal/pkg/server/agent.go b/internal/pkg/server/agent.go index 9cd318642..075cfb85e 100644 --- a/internal/pkg/server/agent.go +++ b/internal/pkg/server/agent.go @@ -20,6 +20,7 @@ import ( "github.com/rs/zerolog" "github.com/elastic/elastic-agent-client/v7/pkg/client" + "github.com/elastic/elastic-agent-client/v7/pkg/proto" "github.com/elastic/go-ucfg" "gopkg.in/yaml.v3" ) @@ -285,7 +286,7 @@ func (a *Agent) start(ctx context.Context) error { return a.reconfigure(ctx) } - cfg, err := a.configFromUnits() + cfg, err := a.configFromUnits(ctx) if err != nil { return err } @@ -331,7 +332,7 @@ func (a *Agent) reconfigure(ctx context.Context) error { return a.start(ctx) } - cfg, err := a.configFromUnits() + cfg, err := a.configFromUnits(ctx) if err != nil { return err } @@ -373,7 +374,7 @@ func (a *Agent) stop() { // configFromUnits takes both inputUnit and outputUnit and creates a single configuration just like fleet server was // being started from a configuration file. -func (a *Agent) configFromUnits() (*config.Config, error) { +func (a *Agent) configFromUnits(ctx context.Context) (*config.Config, error) { agentID := "" agentVersion := "" agentInfo := a.agent.AgentInfo() @@ -420,6 +421,26 @@ func (a *Agent) configFromUnits() (*config.Config, error) { return nil, err } + if expAPMCFG := expInput.APMConfig; expAPMCFG != nil { + instrumentationCfg, err := apmConfigToInstrumentation(expAPMCFG) + if err != nil { + zerolog.Ctx(ctx).Warn().Err(err).Msg("Unable to parse expected APM config as instrumentation config") + } else { + obj := map[string]interface{}{ + "inputs": []interface{}{map[string]interface{}{ + "server": map[string]interface{}{ + "instrumentation": instrumentationCfg, + }, + }, + }} + err = cfgData.Merge(obj, config.DefaultOptions...) + if err != nil { + zerolog.Ctx(ctx).Warn().Err(err).Msg("Failed to merge APM config into cfgData") + } + } + + } + cliCfg := ucfg.MustNewFrom(a.cliCfg, config.DefaultOptions...) err = cliCfg.Merge(cfgData, config.DefaultOptions...) if err != nil { @@ -427,3 +448,27 @@ func (a *Agent) configFromUnits() (*config.Config, error) { } return config.FromConfig(cliCfg) } + +// apmConfigToInstrumentation transforms the passed APMConfig into the Instrumentation config that is used by fleet-server. +func apmConfigToInstrumentation(src *proto.APMConfig) (config.Instrumentation, error) { + if apmest := src.GetElastic(); apmest != nil { + apmTLS := apmest.GetTls() + iTLS := config.InstrumentationTLS{ + SkipVerify: apmTLS.GetSkipVerify(), + ServerCertificate: apmTLS.GetServerCert(), + ServerCA: apmTLS.GetServerCa(), + } + + cfg := config.Instrumentation{ + Enabled: true, + TLS: iTLS, + Environment: apmest.GetEnvironment(), + APIKey: apmest.GetApiKey(), + SecretToken: apmest.GetSecretToken(), + Hosts: apmest.GetHosts(), + GlobalLabels: apmest.GetGlobalLabels(), + } + return cfg, nil + } + return config.Instrumentation{}, fmt.Errorf("unable to transform APMConfig to instrumentation") +} diff --git a/internal/pkg/server/agent_test.go b/internal/pkg/server/agent_test.go index 412efc759..a92d9ba91 100644 --- a/internal/pkg/server/agent_test.go +++ b/internal/pkg/server/agent_test.go @@ -84,7 +84,7 @@ func TestCLIOverrides(t *testing.T) { agent: clientMock, } - generatedCfg, err := agent.configFromUnits() + generatedCfg, err := agent.configFromUnits(context.Background()) require.NoError(t, err) require.Equal(t, httpEnabledExpected, generatedCfg.HTTP.Enabled) require.Equal(t, httpHostExpected, generatedCfg.HTTP.Host) @@ -190,7 +190,7 @@ func Test_Agent_configFromUnits(t *testing.T) { outputUnit: mockOutClient, } - cfg, err := a.configFromUnits() + cfg, err := a.configFromUnits(context.Background()) require.NoError(t, err) require.Len(t, cfg.Inputs, 1) assert.Equal(t, "fleet-server", cfg.Inputs[0].Type) @@ -230,9 +230,310 @@ func Test_Agent_configFromUnits(t *testing.T) { outputUnit: mockOutClient, } - cfg, err := a.configFromUnits() + cfg, err := a.configFromUnits(context.Background()) require.NoError(t, err) assert.Equal(t, "fleet-server", cfg.Inputs[0].Type) require.Len(t, cfg.Output.Elasticsearch.Hosts, 2) }) + t.Run("APM config is specified", func(t *testing.T) { + outStruct, err := structpb.NewStruct(map[string]interface{}{ + "service_token": "test-token", + }) + require.NoError(t, err) + mockOutClient := &mockClientUnit{} + mockOutClient.On("Expected").Return( + client.Expected{ + State: client.UnitStateHealthy, + LogLevel: client.UnitLogLevelInfo, + Config: &proto.UnitExpectedConfig{Source: outStruct}, + }) + + inStruct, err := structpb.NewStruct(map[string]interface{}{ + "type": "fleet-server", + "server": map[string]interface{}{ + "host": "0.0.0.0", + }, + }) + require.NoError(t, err) + mockInClient := &mockClientUnit{} + mockInClient.On("Expected").Return( + client.Expected{ + State: client.UnitStateHealthy, + LogLevel: client.UnitLogLevelInfo, + Config: &proto.UnitExpectedConfig{Source: inStruct}, + APMConfig: &proto.APMConfig{ + Elastic: &proto.ElasticAPM{ + Tls: &proto.ElasticAPMTLS{ + SkipVerify: false, + ServerCa: "/path/to/ca.crt", + }, + Environment: "test", + ApiKey: "apiKey", + SecretToken: "secretToken", + Hosts: []string{"testhost:8080"}, + GlobalLabels: "test", + }, + }, + }) + + a := &Agent{ + cliCfg: ucfg.New(), + agent: mockAgent, + inputUnit: mockInClient, + outputUnit: mockOutClient, + } + + cfg, err := a.configFromUnits(context.Background()) + require.NoError(t, err) + require.Len(t, cfg.Inputs, 1) + assert.Equal(t, "fleet-server", cfg.Inputs[0].Type) + assert.Equal(t, "0.0.0.0", cfg.Inputs[0].Server.Host) + assert.True(t, cfg.Inputs[0].Server.Instrumentation.Enabled) + assert.False(t, cfg.Inputs[0].Server.Instrumentation.TLS.SkipVerify) + assert.Equal(t, "/path/to/ca.crt", cfg.Inputs[0].Server.Instrumentation.TLS.ServerCA) + assert.Equal(t, "test", cfg.Inputs[0].Server.Instrumentation.Environment) + assert.Equal(t, "apiKey", cfg.Inputs[0].Server.Instrumentation.APIKey) + assert.Equal(t, "secretToken", cfg.Inputs[0].Server.Instrumentation.SecretToken) + assert.Equal(t, []string{"testhost:8080"}, cfg.Inputs[0].Server.Instrumentation.Hosts) + assert.Equal(t, "test", cfg.Inputs[0].Server.Instrumentation.GlobalLabels) + assert.Equal(t, "test-token", cfg.Output.Elasticsearch.ServiceToken) + }) + t.Run("APM config no tls", func(t *testing.T) { + outStruct, err := structpb.NewStruct(map[string]interface{}{ + "service_token": "test-token", + }) + require.NoError(t, err) + mockOutClient := &mockClientUnit{} + mockOutClient.On("Expected").Return( + client.Expected{ + State: client.UnitStateHealthy, + LogLevel: client.UnitLogLevelInfo, + Config: &proto.UnitExpectedConfig{Source: outStruct}, + }) + + inStruct, err := structpb.NewStruct(map[string]interface{}{ + "type": "fleet-server", + "server": map[string]interface{}{ + "host": "0.0.0.0", + }, + }) + require.NoError(t, err) + mockInClient := &mockClientUnit{} + mockInClient.On("Expected").Return( + client.Expected{ + State: client.UnitStateHealthy, + LogLevel: client.UnitLogLevelInfo, + Config: &proto.UnitExpectedConfig{Source: inStruct}, + APMConfig: &proto.APMConfig{ + Elastic: &proto.ElasticAPM{ + Environment: "test", + ApiKey: "apiKey", + SecretToken: "secretToken", + Hosts: []string{"testhost:8080"}, + GlobalLabels: "test", + }, + }, + }) + + a := &Agent{ + cliCfg: ucfg.New(), + agent: mockAgent, + inputUnit: mockInClient, + outputUnit: mockOutClient, + } + + cfg, err := a.configFromUnits(context.Background()) + require.NoError(t, err) + require.Len(t, cfg.Inputs, 1) + assert.Equal(t, "fleet-server", cfg.Inputs[0].Type) + assert.Equal(t, "0.0.0.0", cfg.Inputs[0].Server.Host) + assert.True(t, cfg.Inputs[0].Server.Instrumentation.Enabled) + assert.False(t, cfg.Inputs[0].Server.Instrumentation.TLS.SkipVerify) + assert.Empty(t, cfg.Inputs[0].Server.Instrumentation.TLS.ServerCA) + assert.Equal(t, "test", cfg.Inputs[0].Server.Instrumentation.Environment) + assert.Equal(t, "apiKey", cfg.Inputs[0].Server.Instrumentation.APIKey) + assert.Equal(t, "secretToken", cfg.Inputs[0].Server.Instrumentation.SecretToken) + assert.Equal(t, []string{"testhost:8080"}, cfg.Inputs[0].Server.Instrumentation.Hosts) + assert.Equal(t, "test", cfg.Inputs[0].Server.Instrumentation.GlobalLabels) + assert.Equal(t, "test-token", cfg.Output.Elasticsearch.ServiceToken) + }) + t.Run("APM config and instrumentation is specified", func(t *testing.T) { + outStruct, err := structpb.NewStruct(map[string]interface{}{ + "service_token": "test-token", + }) + require.NoError(t, err) + mockOutClient := &mockClientUnit{} + mockOutClient.On("Expected").Return( + client.Expected{ + State: client.UnitStateHealthy, + LogLevel: client.UnitLogLevelInfo, + Config: &proto.UnitExpectedConfig{Source: outStruct}, + }) + + inStruct, err := structpb.NewStruct(map[string]interface{}{ + "type": "fleet-server", + "server": map[string]interface{}{ + "host": "0.0.0.0", + "instrumentation": map[string]interface{}{ + "enabled": false, + "tls": map[string]interface{}{ + "skip_verify": true, + "server_certificate": "/path/to/cert.crt", + }, + "environment": "replace", + "api_key": "replace", + "secret_token": "replace", + "hosts": []interface{}{"replace"}, + }, + }, + }) + require.NoError(t, err) + mockInClient := &mockClientUnit{} + mockInClient.On("Expected").Return( + client.Expected{ + State: client.UnitStateHealthy, + LogLevel: client.UnitLogLevelInfo, + Config: &proto.UnitExpectedConfig{Source: inStruct}, + APMConfig: &proto.APMConfig{ + Elastic: &proto.ElasticAPM{ + Tls: &proto.ElasticAPMTLS{ + SkipVerify: false, + ServerCa: "/path/to/ca.crt", + }, + Environment: "test", + ApiKey: "apiKey", + SecretToken: "secretToken", + Hosts: []string{"testhost:8080"}, + GlobalLabels: "test", + }, + }, + }) + + a := &Agent{ + cliCfg: ucfg.New(), + agent: mockAgent, + inputUnit: mockInClient, + outputUnit: mockOutClient, + } + + cfg, err := a.configFromUnits(context.Background()) + require.NoError(t, err) + require.Len(t, cfg.Inputs, 1) + assert.Equal(t, "fleet-server", cfg.Inputs[0].Type) + assert.Equal(t, "0.0.0.0", cfg.Inputs[0].Server.Host) + assert.True(t, cfg.Inputs[0].Server.Instrumentation.Enabled) + assert.False(t, cfg.Inputs[0].Server.Instrumentation.TLS.SkipVerify) + assert.Equal(t, "/path/to/ca.crt", cfg.Inputs[0].Server.Instrumentation.TLS.ServerCA) + assert.Empty(t, cfg.Inputs[0].Server.Instrumentation.TLS.ServerCertificate, "expected use only config from APMConfig") + assert.Equal(t, "test", cfg.Inputs[0].Server.Instrumentation.Environment) + assert.Equal(t, "apiKey", cfg.Inputs[0].Server.Instrumentation.APIKey) + assert.Equal(t, "secretToken", cfg.Inputs[0].Server.Instrumentation.SecretToken) + assert.Equal(t, []string{"testhost:8080"}, cfg.Inputs[0].Server.Instrumentation.Hosts) + assert.Equal(t, "test", cfg.Inputs[0].Server.Instrumentation.GlobalLabels) + assert.Equal(t, "test-token", cfg.Output.Elasticsearch.ServiceToken) + }) + t.Run("APM config error", func(t *testing.T) { + outStruct, err := structpb.NewStruct(map[string]interface{}{ + "service_token": "test-token", + }) + require.NoError(t, err) + mockOutClient := &mockClientUnit{} + mockOutClient.On("Expected").Return( + client.Expected{ + State: client.UnitStateHealthy, + LogLevel: client.UnitLogLevelInfo, + Config: &proto.UnitExpectedConfig{Source: outStruct}, + }) + + inStruct, err := structpb.NewStruct(map[string]interface{}{ + "type": "fleet-server", + "server": map[string]interface{}{ + "host": "0.0.0.0", + }, + }) + require.NoError(t, err) + mockInClient := &mockClientUnit{} + mockInClient.On("Expected").Return( + client.Expected{ + State: client.UnitStateHealthy, + LogLevel: client.UnitLogLevelInfo, + Config: &proto.UnitExpectedConfig{Source: inStruct}, + APMConfig: &proto.APMConfig{}, + }) + + a := &Agent{ + cliCfg: ucfg.New(), + agent: mockAgent, + inputUnit: mockInClient, + outputUnit: mockOutClient, + } + + cfg, err := a.configFromUnits(context.Background()) + require.NoError(t, err) + require.Len(t, cfg.Inputs, 1) + assert.Equal(t, "fleet-server", cfg.Inputs[0].Type) + assert.Equal(t, "0.0.0.0", cfg.Inputs[0].Server.Host) + assert.False(t, cfg.Inputs[0].Server.Instrumentation.Enabled) + assert.Equal(t, "test-token", cfg.Output.Elasticsearch.ServiceToken) + }) + t.Run("no APMConfig has instrumentation config", func(t *testing.T) { + outStruct, err := structpb.NewStruct(map[string]interface{}{ + "service_token": "test-token", + }) + require.NoError(t, err) + mockOutClient := &mockClientUnit{} + mockOutClient.On("Expected").Return( + client.Expected{ + State: client.UnitStateHealthy, + LogLevel: client.UnitLogLevelInfo, + Config: &proto.UnitExpectedConfig{Source: outStruct}, + }) + + inStruct, err := structpb.NewStruct(map[string]interface{}{ + "type": "fleet-server", + "server": map[string]interface{}{ + "host": "0.0.0.0", + "instrumentation": map[string]interface{}{ + "enabled": true, + "tls": map[string]interface{}{ + "skip_verify": false, + "server_certificate": "/path/to/cert.crt", + }, + "environment": "test", + "secret_token": "testToken", + "hosts": []interface{}{"localhost:8080"}, + }, + }, + }) + require.NoError(t, err) + mockInClient := &mockClientUnit{} + mockInClient.On("Expected").Return( + client.Expected{ + State: client.UnitStateHealthy, + LogLevel: client.UnitLogLevelInfo, + Config: &proto.UnitExpectedConfig{Source: inStruct}, + }) + + a := &Agent{ + cliCfg: ucfg.New(), + agent: mockAgent, + inputUnit: mockInClient, + outputUnit: mockOutClient, + } + + cfg, err := a.configFromUnits(context.Background()) + require.NoError(t, err) + require.Len(t, cfg.Inputs, 1) + assert.Equal(t, "fleet-server", cfg.Inputs[0].Type) + assert.Equal(t, "0.0.0.0", cfg.Inputs[0].Server.Host) + assert.True(t, cfg.Inputs[0].Server.Instrumentation.Enabled) + assert.False(t, cfg.Inputs[0].Server.Instrumentation.TLS.SkipVerify) + assert.Equal(t, "/path/to/cert.crt", cfg.Inputs[0].Server.Instrumentation.TLS.ServerCertificate) + assert.Equal(t, "test", cfg.Inputs[0].Server.Instrumentation.Environment) + assert.Empty(t, cfg.Inputs[0].Server.Instrumentation.APIKey) + assert.Equal(t, "testToken", cfg.Inputs[0].Server.Instrumentation.SecretToken) + assert.Equal(t, []string{"localhost:8080"}, cfg.Inputs[0].Server.Instrumentation.Hosts) + assert.Empty(t, cfg.Inputs[0].Server.Instrumentation.GlobalLabels) + assert.Equal(t, "test-token", cfg.Output.Elasticsearch.ServiceToken) + }) }