Allow routing for integrations that are not input packages

[gsantoro]

What does this PR do?

This PR add permissions to reroute logs to logs-*-* for integrations that are not input packages.

The full list of packages to edit is:

kubernetes.container_logs
system.syslog
activemq.log
auditd.log
aws.cloudwatch_logs
aws.ec2_logs
kafka.log
docker.container_logs

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Relates Allow routing for integrations that are not input packages #6255

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-06-13T12:11:58.706+0000

• Duration: 52 min 27 sec

Test stats 🧪

Test	Results
Failed	0
Passed	531
Skipped	4
Total	535

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (22/22)	💚
Files	95.833% (23/24)	👎 -4.167
Classes	95.833% (23/24)	👎 -4.167
Methods	84.645% (441/521)	👎 -4.244
Lines	90.563% (12466/13765)	👎 -9.437
Conditionals	100.0% (0/0)	💚

[tommyers-elastic]

CSP integration changes look good to me - only thing on my mind is the future - someone looking at this file without the context of routing rules etc, they might be able to look up what these settings do, but there is some implicit coupling to other parts of the system here that i think would be good to call out 'at the source'. can we comment what the settings are for?

[gsantoro]

about

CSP integration changes look good to me - only thing on my mind is the future - someone looking at this file without the context of routing rules etc, they might be able to look up what these settings do, but there is some implicit coupling to other parts of the system here that i think would be good to call out 'at the source'. can we comment what the settings are for?

I think that we could add a comment like

# Ensures agents have permissions to write data to `logs-nginx.*-*`

like the one you can see at here

[felixbarny]

I've updated the versions so that it increments the minor version, not the bug fix version now.

[felixbarny]

Can we bump the minor version of the integration rather than the bugfix, as this is adding features we want to follow the semantic versioning.

Done.

Please test any of the packages on an older version of the stack, while we can assume that fleet should ignore those settings, try to take a look at the oldest version of the stack any of these packages support (8.x, 7.x?), and see if that is still the case. If not, please bump the min kibana version of that package.

This will need to wait until Giuseppe is back. @joshdover, since you implemented the flags in fleet, how big do you think is the risk that packages with these flags cause issues when used in older stack versions?

I assume these settings are now documented?

These settings are documented in the package spec: https://github.com/elastic/package-spec/blob/e29dd918bc5a6e81cb0b36ae8a3c4b4738f1d68e/spec/integration/data_stream/manifest.spec.yml#L304-L309

I was a bit unsure why each package has to define the fact that they are allowed to have dynamic settings,

While dynamic dataset/namespace is enabled by default for input packages, regular integrations need to opt-in for each data stream. That's because not all integrations will want to open up the API key permissions. The regular API key permissions are very narrowly scoped to the exact dataset and namespace, for example logs-nginx.access.default. The dynamic_dataset flag results in the dataset part to be a wildcard in the API key permissions. So if a package sets both dynamic_dataset and dynamic_namespace, the API key permissions are expanded to logs-*-*.

will this then show dataset settings in the UI, or is it something else?

No, this will not show in any UI.

[gsantoro]

I have tested now the rerouting of logs for the following use cases:

• docker.container_logs in 8.9.0-SNAPSHOT Elastic stack
• docker.container_logs in 8.8.0 Elastic stack

[gsantoro]

/test

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 22eb873

History

• 💚 Build #21 succeeded 22eb873

cc @gsantoro

[elasticmachine]

Package activemq - 0.10.0 containing this change is available at https://epr.elastic.co/search?package=activemq

[elasticmachine]

Package auditd - 3.9.0 containing this change is available at https://epr.elastic.co/search?package=auditd

[elasticmachine]

Package aws - 1.44.0 containing this change is available at https://epr.elastic.co/search?package=aws

[elasticmachine]

Package docker - 2.6.0 containing this change is available at https://epr.elastic.co/search?package=docker

[elasticmachine]

Package kafka - 1.7.0 containing this change is available at https://epr.elastic.co/search?package=kafka

[elasticmachine]

Package kubernetes - 1.42.0 containing this change is available at https://epr.elastic.co/search?package=kubernetes

[elasticmachine]

Package system - 1.33.0 containing this change is available at https://epr.elastic.co/search?package=system

[ruflin]

@gsantoro With this change you accidentally release TSDB which was still in beta!

[ishleenk17]

@gsantoro Are we considering System Integration TSDB as GA now or are we planning to revert the change ?

[lalit-satapathy]

TSDB in system is now approved to be in GA. #6607