[Fleet] Support output and Fleet server proxies on serverless

[jillguyonnet]

Closes #165672

Summary

This PR adds support for custom output and Fleet server hosts with proxies in serverless mode:

• Proxies are re-enabled in serverless.
• It is possible to add custom Fleet server hosts in serverless, with the constraint that the host URL must match the Elasticsearch URL of the default host.
• New Elasticsearch outputs must also have the default host URL.

Testing

The below requirements should be tested in serverless mode for observability and security project types:

# elasticsearch
yarn es serverless --kill
# kibana: one of
yarn serverless-oblt
yarn serverless-security

⚠️ In addition, stateful mode should not be affected by any of these changes.

Config

In order to test this change, you will need the following configuration to mirror a serverless setup.

Create a serverless.dev.yml if you don't have one already and set a project id (this is required for Fleet's cloud.isServerlessEnabled to correctly be true):

xpack.cloud.serverless.project_id: test-123

In kibana.devl.yml, make sure the default Fleet server hosts and default output have the expected ids:

xpack.fleet.fleetServerHosts:
  - id: default-fleet-server
    name: Default Fleet server
    is_default: true
    host_urls: ['https://host.docker.internal:8220']
xpack.fleet.outputs:
  - id: es-default-output
    name: Default output
    type: elasticsearch
    is_default: true
    is_default_monitoring: true
    hosts: ['https://host.docker.internal:9200']

Requirements

• User can create proxy configurations in the Fleet UI and API.
• User can create new Fleet server host via the UI
  • The Fleet Server Hosts dropdown is disabled and set to the default host URL
• User can create new Fleet server host via the API
  • The request should succeed if the host URL is set the the default one
  • Otherwise the request should fail
• User can add a proxy config to the Fleet server host config
• User can select a custom Fleet Server host configuration from the Agent policy settings page
• User can create new Fleet Elasticsearch output via the UI
  • The Hosts dropdown is disabled and set to the default Elasticsearch URL
• User can create new Fleet Elasticsearch output via the API
  • The request should succeed if the host URL is set the the default one
  • Otherwise the request should fail
• User can add a proxy config to the Elasticsearch output
• User can select a custom Elasticsearch output configuration from the Agent policy settings page
• User can create a custom Logstash output with proxy
• User can create a custom Kafka output with proxy

Checklist

• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios

Screenshots

Fleet settings (proxies available):

Adding and editing a Fleet server host:

Adding and editing an Elasticsearch output:

[apmmachine]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
• /oblt-deploy-serverless : Deploy a serverless Kibana instance using the Observability test environments.
• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[juliaElastic]

Testing this locally, I started a security project. I am able to create proxy but can't assign it to the default fleet server host (API call fails), and I can't create another fleet server host.

Also when I try to create a new ES output with a proxy, can't save it as it says host url is required. The field looks populated and disabled, but fails the form validation.

[jillguyonnet]

Thank you for testing @juliaElastic!

I have made some changes locally following @nchaulet's indications, I will check this before committing.

Also thanks for pointing out the different project types, I have only been using observability type so far. Correct me if I'm wrong: we should test this for security and observability types, correct? (as well as testing that there were no changes affecting stateful mode)

[juliaElastic]

Also thanks for pointing out the different project types, I have only been using observability type so far. Correct me if I'm wrong: we should test this for security and observability types, correct? (as well as testing that there were no changes affecting stateful mode)

Yes, security and observability project type have fleet enabled, the elasticsearch project type has fleet disabled.

[jillguyonnet]

/ci

[juliaElastic]

I'm testing with the latest changes, and still seeing a missing host url when trying to add a new elasticsearch output:

For the fleet server hosts, I can see the button now to add a new one, though it comes with an empty host url. Shouldn't it be pre-populated with the default url and not be changeable? I see there is a validation to prevent adding a different url when clicking on Continue.
Also I'm wondering if instead of reusing the Add Fleet Server flyout, we could add a simplified version, something like the Edit Fleet server flyout in create mode. Currently, there is a lot of options on the flyout that are not relevant for serverless (quickstart/advanced, enroll fleet server) and adding a proxy to a new host entry can't be done in one step.

[jillguyonnet]

@juliaElastic Thanks again for testing!

Regarding creating an output: does the default output in your setup have id es-default-output? I set the following in my kibana.dev.yml to make it work per the fleet controller config:

xpack.fleet.outputs:
  - id: es-default-output
    name: Default output
    type: elasticsearch
    is_default: true
    is_default_monitoring: true
    hosts: ['https://host.docker.internal:9200']

I guess the same question applies to the default Fleet server host:

xpack.fleet.fleetServerHosts:
  - id: default-fleet-server
    name: Default Fleet server
    is_default: true
    host_urls: ['https://host.docker.internal:8220']
If the ids are correct, can you please share your config?

I really like your suggestion about simplifying the flyout for creating a Fleet server, that's a great point 👍 Let me check it out, I don't think it would be very complicated.

[juliaElastic]

Regarding creating an output: does the default output in your setup have id es-default-output?

My bad, I don't have these ids. I'll add to the preconfig locally and test again. Sorry for the false alarm.

[jillguyonnet]

My bad, I don't have these ids. I'll add to the preconfig locally and test again. Sorry for the false alarm.

No worries, I understand these ids are fixed in serverless but please correct me if that's not the case. I will update the testing steps to make that clearer.

[jillguyonnet]

Maybe it would make sense to extract this to a Fleet-specific config file?

[juliaElastic]

yes, perhaps Fleet related tests could move to test_suites/fleet?

[jillguyonnet]

After some thought, I added new config files for Fleet in the test_suites/observability/fleet and test_suites/security/fleet folders in order to preserve the existing structure by project type and avoid adding unnecessary config to other tests. I also added a paragraph in the README on how to run these. Let me know how that sounds.

[juliaElastic]

Oh okay, I didn't realise it means the project type. I'm good with these changes 👍

[jillguyonnet]

/ci

[nchaulet]

Just did some tests, and it seems to work well for output.

For the fleet server I think the idea of @juliaElastic to reuse the edit fleet server flyout to allow to add one will make sense (I think the flyout almost support it)

[nimarezainia]

@nimarezainia Could you please give feedback on the flyouts? The latest screenshots are in the PR description.

@jillguyonnet thank you. Could we add a description why the user can't create a new fleet server - I think being descriptive is better here. So if I may suggest:

"You may create another Fleet Server definition reachable via a proxy. In context of the serverless project, Fleet Service is managed by Elastic. Creation of a new one is therefore not permitted."

[jillguyonnet]

@elasticmachine merge upstream

[jillguyonnet]

@jillguyonnet thank you. Could we add a description why the user can't create a new fleet server - I think being descriptive is better here. So if I may suggest:

"You may create another Fleet Server definition reachable via a proxy. In context of the serverless project, Fleet Service is managed by Elastic. Creation of a new one is therefore not permitted."

Thank you! I've updated the text and corresponding screenshot.

[azasypkin]

Change in test/plugin_functional/test_suites/core_plugins/rendering.ts, LGTM.

[jillguyonnet]

@elasticmachine merge upstream

[nchaulet]

just tested the fleet server hosts flyout and it's working as expected. LGTM 🚀

[juliaElastic]

LGTM

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 2df7a75

Failed CI Steps

• x-pack/test/functional/apps/lens/open_in_lens/tsvb/config.ts
• FTR Configs #7
• FTR Configs #60
• FTR Configs #71

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
fleet	1.2MB	1.2MB	+1.3KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	151.7KB	151.8KB	+121.0B

History

• 💛 Build #191291 was flaky a3a5562
• 💚 Build #191127 succeeded 1d20fcc
• 💔 Build #191035 failed f12b764
• 💚 Build #190551 succeeded 034a198
• 💔 Build #190413 failed c2e769d

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @jillguyonnet