Merge branch 'main' into feat/case_templates

elastic · Jul 1, 2024 · daebf7f · daebf7f
2 parents 6319822 + 1767aa4
commit daebf7f
Show file tree

Hide file tree

Showing 41 changed files with 666 additions and 375 deletions.
diff --git a/packages/kbn-doc-links/src/get_doc_links.ts b/packages/kbn-doc-links/src/get_doc_links.ts
@@ -865,6 +865,7 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D
       scalingKubernetesResourcesAndLimits: `${FLEET_DOCS}scaling-on-kubernetes.html#_specifying_resources_and_limits_in_agent_manifests`,
       roleAndPrivileges: `${FLEET_DOCS}fleet-roles-and-privileges.html`,
       proxiesSettings: `${FLEET_DOCS}fleet-agent-proxy-support.html`,
+      unprivilegedMode: `${FLEET_DOCS}elastic-agent-unprivileged.html#unprivileged-change-mode`,
     },
     integrationDeveloper: {
       upload: `${INTEGRATIONS_DEV_DOCS}upload-a-new-integration.html`,

diff --git a/packages/kbn-doc-links/src/types.ts b/packages/kbn-doc-links/src/types.ts
@@ -554,6 +554,7 @@ export interface DocLinks {
     scalingKubernetesResourcesAndLimits: string;
     roleAndPrivileges: string;
     proxiesSettings: string;
+    unprivilegedMode: string;
   }>;
   readonly integrationDeveloper: {
     upload: string;

diff --git a/packages/kbn-es/src/cli_commands/serverless.ts b/packages/kbn-es/src/cli_commands/serverless.ts
@@ -6,10 +6,12 @@
  * Side Public License, v 1.
  */
 
+import chalk from 'chalk';
 import dedent from 'dedent';
 import getopts from 'getopts';
 import { ToolingLog } from '@kbn/tooling-log';
 import { getTimeReporter } from '@kbn/ci-stats-reporter';
+import { MOCK_IDP_REALM_NAME } from '@kbn/mock-idp-utils';
 
 import { basename } from 'path';
 import { SERVERLESS_RESOURCES_PATHS } from '../paths';
@@ -44,8 +46,8 @@ export const serverless: Command = {
       --kill              Kill running ES serverless nodes if detected on startup
       --host              Publish ES docker container on additional host IP
       --port              The port to bind to on 127.0.0.1 [default: ${DEFAULT_PORT}]
-      --ssl               Enable HTTP SSL on the ES cluster
-      --kibanaUrl         Fully qualified URL where Kibana is hosted (including base path). [default: https://localhost:5601/]
+      --ssl               Enable HTTP SSL on the ES cluster [default: true]
+      --kibanaUrl         Fully qualified URL where Kibana is hosted (including base path). [default: http://localhost:5601/]
       --skipTeardown      If this process exits, leave the ES cluster running in the background
       --waitForReady      Wait for the ES cluster to be ready to serve requests
       --resources         Overrides resources under ES 'config/' directory, which are by default
@@ -103,7 +105,12 @@ export const serverless: Command = {
       ],
       boolean: ['clean', 'ssl', 'kill', 'background', 'skipTeardown', 'waitForReady'],
 
-      default: { ...defaults, kibanaUrl: 'https://localhost:5601/', dataPath: 'stateless' },
+      default: {
+        ...defaults,
+        kibanaUrl: 'http://localhost:5601/',
+        dataPath: 'stateless',
+        ssl: true,
+      },
     }) as unknown as ServerlessOptions;
 
     if (!options.projectType) {
@@ -114,7 +121,16 @@ export const serverless: Command = {
 
     if (!isServerlessProjectType(options.projectType)) {
       throw createCliError(
-        `Invalid projectPype '${options.projectType}', supported values: ${supportedProjectTypesStr}`
+        `Invalid projectType '${options.projectType}', supported values: ${supportedProjectTypesStr}`
+      );
+    }
+
+    // In case `--no-ssl` CLI argument is provided.
+    if (!options.ssl) {
+      log.warning(
+        `Serverless ES cluster cannot configure ${chalk.bold.cyan(
+          MOCK_IDP_REALM_NAME
+        )} realm since TLS is disabled.`
       );
     }
 

diff --git a/packages/kbn-es/src/utils/docker.ts b/packages/kbn-es/src/utils/docker.ts
@@ -767,14 +767,9 @@ export async function runServerlessCluster(log: ToolingLog, options: ServerlessO
   Login with username ${chalk.bold.cyan(ELASTIC_SERVERLESS_SUPERUSER)} or ${chalk.bold.cyan(
     SYSTEM_INDICES_SUPERUSER
   )} and password ${chalk.bold.magenta(ELASTIC_SERVERLESS_SUPERUSER_PASSWORD)}
-  Stop the cluster:     ${chalk.bold(`docker container stop ${nodeNames.join(' ')}`)}
-    `);
-
-  if (options.ssl) {
-    log.warning(`SSL has been enabled for ES. Kibana should be started with the SSL flag so that it can authenticate with ES.
   See packages/kbn-es/src/serverless_resources/README.md for additional information on authentication.
+  Stop the cluster:     ${chalk.bold(`docker container stop ${nodeNames.join(' ')}`)}
     `);
-  }
 
   if (!options.skipTeardown) {
     // SIGINT will not trigger in FTR (see cluster.runServerless for FTR signal)

diff --git a/packages/kbn-mock-idp-plugin/public/login_page.tsx b/packages/kbn-mock-idp-plugin/public/login_page.tsx
@@ -145,7 +145,7 @@ export const LoginPage = () => {
                 >
                   Log in
                 </EuiButton>,
-                <EuiButtonEmpty size="xs" href="/">
+                <EuiButtonEmpty size="xs" href="/login">
                   More login options
                 </EuiButtonEmpty>,
               ]}

diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js
@@ -114,38 +114,11 @@ export function applyConfigOverrides(rawConfig, opts, extraCliOptions, keystoreC
   // only used to set cliArgs.envName, we don't want to inject that into the config
   delete extraCliOptions.env;
 
+  let isServerlessSamlSupported = false;
   if (opts.dev) {
     if (opts.serverless) {
       setServerlessKibanaDevServiceAccountIfPossible(get, set, opts);
-
-      // Configure realm if supported (ES only supports SAML when run with SSL)
-      if (opts.ssl && MOCK_IDP_PLUGIN_SUPPORTED) {
-        // Ensure the plugin is loaded in dynamically to exclude from production build
-        // eslint-disable-next-line import/no-dynamic-require
-        const { MOCK_IDP_REALM_NAME } = require(MOCK_IDP_PLUGIN_PATH);
-
-        if (has('server.basePath')) {
-          console.log(
-            `Custom base path is not supported when running in Serverless, it will be removed.`
-          );
-          _.unset(rawConfig, 'server.basePath');
-        }
-
-        set(`xpack.security.authc.providers.saml.${MOCK_IDP_REALM_NAME}`, {
-          order: Number.MAX_SAFE_INTEGER,
-          realm: MOCK_IDP_REALM_NAME,
-          icon: 'user',
-          description: 'Continue as Test User',
-          hint: 'Allows testing serverless user roles',
-        });
-        // Add basic realm since defaults won't be applied when a provider has been configured
-        if (!has('xpack.security.authc.providers.basic')) {
-          set('xpack.security.authc.providers.basic.basic', {
-            order: 0,
-            enabled: true,
-          });
-        }
-      }
+      isServerlessSamlSupported = tryConfigureServerlessSamlProvider(rawConfig, opts);
     }
 
     if (!has('elasticsearch.serviceAccountToken') && opts.devCredentials !== false) {
@@ -182,7 +155,7 @@ export function applyConfigOverrides(rawConfig, opts, extraCliOptions, keystoreC
   }
 
   // Kib/ES encryption
-  if (opts.ssl) {
+  if (opts.ssl || isServerlessSamlSupported) {
     // @kbn/dev-utils is part of devDependencies
     // eslint-disable-next-line import/no-extraneous-dependencies
     const { CA_CERT_PATH } = require('@kbn/dev-utils');
@@ -278,6 +251,7 @@ export default function (program) {
     command
       .option('--dev', 'Run the server with development mode defaults')
       .option('--ssl', 'Run the dev server using HTTPS')
+      .option('--no-ssl', 'Run the server without HTTPS')
       .option('--http2', 'Run the dev server using HTTP2 with TLS')
       .option('--dist', 'Use production assets from kbn/optimizer')
       .option(
@@ -303,13 +277,14 @@ export default function (program) {
       serverless: opts.serverless || unknownOptions.serverless,
     });
 
-    const configsEvaluted = getConfigFromFiles(configs);
+    const configsEvaluated = getConfigFromFiles(configs);
     const isServerlessMode = !!(
-      configsEvaluted.serverless ||
+      configsEvaluated.serverless ||
       opts.serverless ||
       unknownOptions.serverless
     );
 
+    const isServerlessSamlSupported = isServerlessMode && opts.ssl !== false;
     const cliArgs = {
       dev: !!opts.dev,
       envName: unknownOptions.env ? unknownOptions.env.name : undefined,
@@ -324,7 +299,7 @@ export default function (program) {
       // elastic.co links.
       // We also want to run without base path when running in serverless mode so that Elasticsearch can
       // connect to Kibana's mock identity provider.
-      basePath: opts.runExamples || isServerlessMode ? false : !!opts.basePath,
+      basePath: opts.runExamples || isServerlessSamlSupported ? false : !!opts.basePath,
       optimize: !!opts.optimize,
       disableOptimizer: !opts.optimizer,
       oss: !!opts.oss,
@@ -362,3 +337,76 @@ function mergeAndReplaceArrays(objValue, srcValue) {
     return undefined;
   }
 }
+
+/**
+ * Tries to configure SAML provider in serverless mode and applies the necessary configuration.
+ * @param rawConfig Full configuration object.
+ * @param opts CLI options.
+ * @returns {boolean} True if SAML provider was successfully configured.
+ */
+function tryConfigureServerlessSamlProvider(rawConfig, opts) {
+  if (!MOCK_IDP_PLUGIN_SUPPORTED || opts.ssl === false) {
+    return false;
+  }
+
+  // Ensure the plugin is loaded in dynamically to exclude from production build
+  // eslint-disable-next-line import/no-dynamic-require
+  const { MOCK_IDP_REALM_NAME } = require(MOCK_IDP_PLUGIN_PATH);
+
+  // Check if there are any custom authentication providers already configure with the order `0` reserved for the
+  // Serverless SAML provider.
+  let hasBasicOrTokenProviderConfigured = false;
+  const providersConfig = _.get(rawConfig, 'xpack.security.authc.providers', {});
+  for (const [providerType, providers] of Object.entries(providersConfig)) {
+    if (providerType === 'basic' || providerType === 'token') {
+      hasBasicOrTokenProviderConfigured = true;
+    }
+
+    for (const [providerName, provider] of Object.entries(providers)) {
+      if (provider.order === 0) {
+        console.warn(
+          `The serverless SAML authentication provider won't be configured because the order "0" is already used by the custom authentication provider "${providerType}/${providerName}".` +
+            `Please update the custom provider to use a different order or remove it to allow the serverless SAML provider to be configured.`
+        );
+        return false;
+      }
+    }
+  }
+
+  if (_.has(rawConfig, 'server.basePath')) {
+    console.warn(
+      `Custom base path is not supported when running in Serverless, it will be removed.`
+    );
+    _.unset(rawConfig, 'server.basePath');
+  }
+
+  if (opts.ssl) {
+    console.info(
+      'Kibana is being served over HTTPS. Make sure to adjust the `--kibanaUrl` parameter while running the local Serverless ES cluster.'
+    );
+  }
+
+  // Make SAML provider the first in the provider chain
+  lodashSet(rawConfig, `xpack.security.authc.providers.saml.${MOCK_IDP_REALM_NAME}`, {
+    order: 0,
+    realm: MOCK_IDP_REALM_NAME,
+    icon: 'user',
+    description: 'Continue as Test User',
+    hint: 'Allows testing serverless user roles',
+  });
+
+  // Disable login selector to automatically trigger SAML authentication, unless it's explicitly enabled.
+  if (!_.has(rawConfig, 'xpack.security.authc.selector.enabled')) {
+    lodashSet(rawConfig, 'xpack.security.authc.selector.enabled', false);
+  }
+
+  // Since we explicitly configured SAML authentication provider, default Basic provider won't be automatically
+  // configured, and we have to do it manually instead unless other Basic or Token provider was already configured.
+  if (!hasBasicOrTokenProviderConfigured) {
+    lodashSet(rawConfig, 'xpack.security.authc.providers.basic.basic', {
+      order: Number.MAX_SAFE_INTEGER,
+    });
+  }
+
+  return true;
+}
diff --git a/...leet/sections/agent_policy/create_package_policy_page/single_page_layout/root_callout.tsx b/...leet/sections/agent_policy/create_package_policy_page/single_page_layout/root_callout.tsx
@@ -5,15 +5,19 @@
  * 2.0.
  */
 
-import { EuiCallOut } from '@elastic/eui';
+import { EuiCallOut, EuiLink } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
 import React from 'react';
 
+import { useStartServices } from '../../../../hooks';
+
 interface Props {
   dataStreams: Array<{ name: string; title: string }>;
 }
 
 export const RootPrivilegesCallout: React.FC<Props> = ({ dataStreams }) => {
+  const { docLinks } = useStartServices();
+
   return (
     <EuiCallOut
       size="m"
@@ -35,7 +39,17 @@ export const RootPrivilegesCallout: React.FC<Props> = ({ dataStreams }) => {
         <>
           <FormattedMessage
             id="xpack.fleet.addIntegration.confirmModal.unprivilegedAgentsDataStreamsMessage"
-            defaultMessage="This integration has the following data streams that require Elastic Agents to have root privileges. To ensure that all data required by the integration can be collected, enroll agents using an account with root privileges."
+            defaultMessage="This integration has the following data streams that require Elastic Agents to have root privileges. To ensure that all data required by the integration can be collected, enroll agents using an account with root privileges.  For more information, see the {guideLink}"
+            values={{
+              guideLink: (
+                <EuiLink href={docLinks.links.fleet.unprivilegedMode} target="_blank" external>
+                  <FormattedMessage
+                    id="xpack.fleet.addIntegration.confirmModal.unprivilegedAgentsDataStreamsMessage.guideLink"
+                    defaultMessage="Fleet and Elastic Agent Guide"
+                  />
+                </EuiLink>
+              ),
+            }}
           />
           <ul>
             {dataStreams.map((item) => (

diff --git a/x-pack/plugins/fleet/public/applications/integrations/layouts/default.tsx b/x-pack/plugins/fleet/public/applications/integrations/layouts/default.tsx
@@ -81,7 +81,7 @@ export const DefaultLayout: React.FC<Props> = memo(
         rightColumn={
           CreateIntegrationCardButton ? (
             <EuiFlexItem grow={false}>
-              <CreateIntegrationCardButton href={getHref('integration_create')} />
+              <CreateIntegrationCardButton />
             </EuiFlexItem>
           ) : undefined
         }

diff --git a/...lugins/fleet/public/applications/integrations/sections/epm/components/side_bar_column.tsx b/...lugins/fleet/public/applications/integrations/sections/epm/components/side_bar_column.tsx
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import styled from 'styled-components';
+import { EuiFlexItem } from '@elastic/eui';
+
+export const SideBarColumn = styled(EuiFlexItem)`
+  max-width: 160px;
+`;
diff --git a/...gins/fleet/public/applications/integrations/sections/epm/screens/detail/assets/assets.tsx b/...gins/fleet/public/applications/integrations/sections/epm/screens/detail/assets/assets.tsx
@@ -34,6 +34,7 @@ import {
   useFleetStatus,
 } from '../../../../../hooks';
 import { sendGetBulkAssets } from '../../../../../hooks';
+import { SideBarColumn } from '../../../components/side_bar_column';
 
 import { DeferredAssetsSection } from './deferred_assets_accordion';
 import { AssetsAccordion } from './assets_accordion';
@@ -299,7 +300,7 @@ export const AssetsPage = ({ packageInfo, refetchPackageInfo }: AssetsPanelProps
 
   return (
     <EuiFlexGroup alignItems="flexStart">
-      <EuiFlexItem grow={1} />
+      <SideBarColumn grow={1} />
       <EuiFlexItem grow={7}>
         {fetchError && (
           <>

diff --git a/...gins/fleet/public/applications/integrations/sections/epm/screens/detail/configs/index.tsx b/...gins/fleet/public/applications/integrations/sections/epm/screens/detail/configs/index.tsx
@@ -26,6 +26,7 @@ import { useGetInputsTemplatesQuery, useStartServices } from '../../../../../hoo
 import { PrereleaseCallout } from '../overview/overview';
 
 import { isPackagePrerelease } from '../../../../../../../../common/services';
+import { SideBarColumn } from '../../../components/side_bar_column';
 
 interface ConfigsProps {
   packageInfo: PackageInfo;
@@ -56,7 +57,7 @@ export const Configs: React.FC<ConfigsProps> = ({ packageInfo }) => {
 
   return (
     <EuiFlexGroup data-test-subj="epm.Configs" alignItems="flexStart">
-      <EuiFlexItem grow={1} />
+      <SideBarColumn grow={1} />
       <EuiFlexItem grow={7}>
         {isLoading && !configs ? (
           <EuiSkeletonText lines={10} />

diff --git a/...gins/fleet/public/applications/integrations/sections/epm/screens/detail/custom/custom.tsx b/...gins/fleet/public/applications/integrations/sections/epm/screens/detail/custom/custom.tsx
@@ -12,6 +12,7 @@ import { useLink, useUIExtension } from '../../../../../hooks';
 import type { PackageInfo } from '../../../../../types';
 import { pkgKeyFromPackageInfo } from '../../../../../services';
 import { ExtensionWrapper } from '../../../../../components';
+import { SideBarColumn } from '../../../components/side_bar_column';
 
 interface Props {
   packageInfo: PackageInfo;
@@ -24,7 +25,7 @@ export const CustomViewPage: React.FC<Props> = memo(({ packageInfo }) => {
 
   return customViewExtension ? (
     <EuiFlexGroup alignItems="flexStart">
-      <EuiFlexItem grow={1} />
+      <SideBarColumn grow={1} />
       <EuiFlexItem grow={7}>
         <ExtensionWrapper>
           <customViewExtension.Component pkgkey={pkgkey} packageInfo={packageInfo} />

diff --git a/...leet/public/applications/integrations/sections/epm/screens/detail/documentation/index.tsx b/...leet/public/applications/integrations/sections/epm/screens/detail/documentation/index.tsx
@@ -29,6 +29,7 @@ import type {
 } from '../../../../../types';
 import { useStartServices } from '../../../../../../../hooks';
 import { getStreamsForInputType } from '../../../../../../../../common/services';
+import { SideBarColumn } from '../../../components/side_bar_column';
 
 interface Props {
   packageInfo: PackageInfo;
@@ -70,7 +71,7 @@ export const DocumentationPage: React.FunctionComponent<Props> = ({ packageInfo,
 
   return (
     <EuiFlexGroup alignItems="flexStart">
-      <EuiFlexItem grow={1} />
+      <SideBarColumn grow={1} />
       <EuiFlexItem grow={7}>
         <EuiText>
           <FormattedMessage