[Fleet] Only enable secrets storage if all Fleet Servers are at a minimum supported version #157456
Comments
juliaElastic
added
the
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
|
I believe this could be as simple as replacing the current feature flag check with the fleet server version check. We should prominently log that we are not storing secrets securely, but probably not every time as that could get quite noisy? @juliaElastic One area that may need scoping here, should we inform the user that their secrets are not being stored securely because of their fleet server version? We could have a dismissible banner on the agents page informing them. I guess it may not even have to mention secrets, just that keeping your fleet server up to date means you get the latest features. Maybe one for @nimarezainia |
|
I think it would be best to always log the result of the Fleet Server check in case we get SDHs and want to investigate whether the secrets logic has a bug or it was disabled because of old Fleet Servers, hopefully not going to happen often. I think for the UI we should add a banner that can be dismissed. I would let the exact wording to @nimarezainia, at least mentioning that using the latest Fleet Servers is recommended to get the latest security features. |
|
One thought I have had is that we could simplify this by saying that once secrets are "on" they can't be turned off. I.e once the user has met the fleet server requirement, secrets are enabled and even if they add an old fleet serve from that point we will still continue to use them. This way we don't have to deal with the scenario where a policy has secrets, but then they add an old fleet server, we would not be able to revert to not usng secrets in that scenario because we cannot read the values from the secrets index. We would need a place to store that secrets are enabled, maybe a new saved object (that is hidden and not exportable)? Then the check would be:
|
|
If a user does not have a fleet server I think secrets should be disabled. This is because if they proceed to add a fleet server of a lower version, their policy breaks. Whereas disabling secrets and then re-enabling them is a non breaking change. |
|
@juliaElastic @joshdover do you agree with this approach? Just checking no conversations have been had outisde of this issue.
|
|
Overall plan makes sense to me, a couple thoughts:
I wish we could avoid this, but I see your point. Another option could be to show a warning in the UI if an Agent < 8.10 w/ Fleet Server policy is enrolled, prompting the user to upgrade it. My assumption being that even if output secrets aren't working that the Fleet Server agent should still be able to receive upgrade actions. We also need to account for the Serverless case where there will be no Fleet Server agents. In this case secrets should always be enabled - I think we can probably drive this from one of the kibana.yml configs.
SO makes sense, but let's see if we have any existing settings SO we can use. I'd rather not have a specific SO type just for a single boolean flag. If we don't have one, let's just make the type name rather generic so we can use it for other things in the future. |
|
I agree with this (the condition with 8.10 if we make it), we could use the existing |
….10.0 (#163627) ## Summary Closes #157456 Secret storage requires that fleet servers are 8.10.0 or above. This PR adds a backend check that all fleet servers are above 8.10.0 before enabling secrets storage. Once all fleet servers are above that version, secrets are permanently enabled. the fleet server check checks all agents in policies that contain the fleet server package. A flag on the`ingest_manager_settings` saved. object `secret_storage_requirements_met` is used to make a note that the check has previously passed, meaning we don't have to keep querying the agents and policies. Test scenarios (all covered by integration tests) : - given a deployment with no fleet servers connected, on creating a package policy with secret variables, the values should be stored in plain text not as a secret reference - given a deployment with at least one fleet server that is below 8.10.0, on creating a package policy with secret variables, the values should be stored in plain text not as a secret reference - given a deployment where all fleet servers are 8.10.0 or above, secrets should be stored as secret references and in the secrets index - if a package policy was created before secrets were enabled, and since its creation the fleet server versions pass the check, when updating that policy, all secrets should move to being secret references. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Julia Bardi <julia.bardi@elastic.co> Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
….10.0 (elastic#163627) ## Summary Closes elastic#157456 Secret storage requires that fleet servers are 8.10.0 or above. This PR adds a backend check that all fleet servers are above 8.10.0 before enabling secrets storage. Once all fleet servers are above that version, secrets are permanently enabled. the fleet server check checks all agents in policies that contain the fleet server package. A flag on the`ingest_manager_settings` saved. object `secret_storage_requirements_met` is used to make a note that the check has previously passed, meaning we don't have to keep querying the agents and policies. Test scenarios (all covered by integration tests) : - given a deployment with no fleet servers connected, on creating a package policy with secret variables, the values should be stored in plain text not as a secret reference - given a deployment with at least one fleet server that is below 8.10.0, on creating a package policy with secret variables, the values should be stored in plain text not as a secret reference - given a deployment where all fleet servers are 8.10.0 or above, secrets should be stored as secret references and in the secrets index - if a package policy was created before secrets were enabled, and since its creation the fleet server versions pass the check, when updating that policy, all secrets should move to being secret references. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Julia Bardi <julia.bardi@elastic.co> Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
Part of #154715
For backwards compatibility, even after the secrets storage work is GA, we want to ensure that secrets storage is turned on when all the Fleet Servers are on a minimum supported version (e.g. 8.9 or 8.10).
The text was updated successfully, but these errors were encountered: