Merge branch 'main' into k8sprovider-replicaset-onlymeta

elastic · Oct 7, 2024 · c794854 · c794854
2 parents 6fcd64f + 1eb5e12
commit c794854
Show file tree

Hide file tree

Showing 18 changed files with 16,402 additions and 36,171 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -112,13 +112,11 @@ linters-settings:
     # Forbid any `replace` directives that are intended temporarily only during
     # development. The modules listed below are intended to be replaced permanently.
     replace-allow-list:
-      - github.com/Microsoft/go-winio
       - github.com/Shopify/sarama
       - github.com/dop251/goja
       - github.com/dop251/goja_nodejs
       - github.com/fsnotify/fsnotify
       - github.com/openshift/api
-      - github.com/tonistiigi/fifo
 
   gosimple:
     # Select the Go version to target. The default is '1.13'.

diff --git a/NOTICE.txt b/NOTICE.txt
diff --git a/...727964717-Add-filebeat-otel-receiver.yaml → ...d-will-redact-secret_paths-in-policy.yaml b/...727964717-Add-filebeat-otel-receiver.yaml → ...d-will-redact-secret_paths-in-policy.yaml
@@ -11,21 +11,23 @@
 kind: enhancement
 
 # Change summary; a 80ish characters long description of the change.
-summary: Add filebeat otel receiver
+summary: inspect command will redact secret_paths in policy
 
 # Long description; in case the summary is not enough to describe the change
 # this field accommodate a description without length limits.
 # NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
-#description:
+description: |
+  The elastic-agent inspect command will now redact any secret values when displaying output.
+  The keys that are redacted are expected to be defined in the "secret_paths" attribute.
 
-# Affected component; a word indicating the component this changeset affects.
-component: elastic-agent
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component:
 
 # PR URL; optional; the PR number that added the changeset.
 # If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
 # NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
 # Please provide it if you are adding a fragment for a different PR.
-pr: https://github.com/elastic/elastic-agent/pull/5672
+#pr: https://github.com/owner/repo/1234
 
 # Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
 # If not present is automatically filled by the tooling with the issue linked to the PR number.

diff --git a/dev-tools/notice/overrides.json b/dev-tools/notice/overrides.json
@@ -18,4 +18,3 @@
 {"name": "github.com/pascaldekloe/goe", "licenceFile": "LICENSE", "licenceType": "CC0-1.0"}
 {"name": "github.com/dnaeon/go-vcr", "licenceFile": "LICENSE", "licenceType": "BSD-2-Clause"}
 {"name": "github.com/grpc-ecosystem/go-grpc-middleware/v2", "licenceFile": "LICENSE", "licenceType": "Apache-2.0"}
-{"name": "github.com/JohnCGriffin/overflow", "licenceFile": "README.md", "licenceType": "MIT"}
diff --git a/docs/elastic-agent-logging.md b/docs/elastic-agent-logging.md
@@ -77,5 +77,5 @@ receives.
 
 ## Total footprint
 Given the two log outputs and their default log rotation policies, the
-Elastic-Agent needs about 210Mb (20Mb x 7 + 10Mb + 7 = 210Mb) of disk
+Elastic-Agent needs about 210Mb (20Mb x 7 + 10Mb x 7 = 210Mb) of disk
 for logging.
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/internal/pkg/agent/cmd/inspect.go b/internal/pkg/agent/cmd/inspect.go
@@ -28,6 +28,7 @@ import (
 	"github.com/elastic/elastic-agent/internal/pkg/cli"
 	"github.com/elastic/elastic-agent/internal/pkg/config"
 	"github.com/elastic/elastic-agent/internal/pkg/config/operations"
+	"github.com/elastic/elastic-agent/internal/pkg/diagnostics"
 	"github.com/elastic/elastic-agent/pkg/component"
 	"github.com/elastic/elastic-agent/pkg/core/logger"
 	"github.com/elastic/elastic-agent/pkg/utils"
@@ -235,7 +236,7 @@ func inspectConfig(ctx context.Context, cfgPath string, opts inspectConfigOpts,
 }
 
 func printMapStringConfig(mapStr map[string]interface{}, streams *cli.IOStreams) error {
-	data, err := yaml.Marshal(mapStr)
+	data, err := yaml.Marshal(diagnostics.RedactSecretPaths(mapStr, streams.Err))
 	if err != nil {
 		return errors.New(err, "could not marshal to YAML")
 	}

diff --git a/internal/pkg/agent/cmd/run.go b/internal/pkg/agent/cmd/run.go
@@ -627,7 +627,7 @@ func initTracer(agentName, version string, mcfg *monitoringCfg.MonitoringConfig)
 		defer os.Unsetenv(envCACert)
 	}
 	if cfg.SamplingRate != nil {
-		os.Setenv(envSampleRate, strconv.FormatFloat(float64(*cfg.SamplingRate), 'b', -1, 32))
+		os.Setenv(envSampleRate, strconv.FormatFloat(float64(*cfg.SamplingRate), 'f', -1, 32))
 		defer os.Unsetenv(envSampleRate)
 	}
 

diff --git a/internal/pkg/agent/cmd/run_test.go b/internal/pkg/agent/cmd/run_test.go
@@ -0,0 +1,95 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+package cmd
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	monitoringCfg "github.com/elastic/elastic-agent/internal/pkg/core/monitoring/config"
+)
+
+func Test_initTracer(t *testing.T) {
+	tenPercentSamplingRate := float32(0.1)
+
+	type args struct {
+		agentName string
+		version   string
+		mcfg      *monitoringCfg.MonitoringConfig
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    assert.ValueAssertionFunc // value assertion for *apm.Tracer returned by initTracer
+		wantErr assert.ErrorAssertionFunc
+	}{
+		{
+			name: "monitoring config disabled",
+			args: args{
+				agentName: "testagent",
+				version:   "1.2.3",
+				mcfg: &monitoringCfg.MonitoringConfig{
+					Enabled: false,
+				},
+			},
+			want:    assert.Nil,
+			wantErr: assert.NoError,
+		},
+		{
+			name: "monitoring config enabled but traces disabled",
+			args: args{
+				agentName: "testagent",
+				version:   "1.2.3",
+				mcfg: &monitoringCfg.MonitoringConfig{
+					Enabled:       true,
+					MonitorTraces: false,
+				},
+			},
+			want:    assert.Nil,
+			wantErr: assert.NoError,
+		},
+		{
+			name: "traces enabled, no TLS",
+			args: args{
+				agentName: "testagent",
+				version:   "1.2.3",
+				mcfg: &monitoringCfg.MonitoringConfig{
+					Enabled:       true,
+					MonitorTraces: true,
+					APM: monitoringCfg.APMConfig{
+						Environment: "unit-test",
+						APIKey:      "api-key",
+						SecretToken: "secret-token",
+						Hosts:       []string{"localhost:8888"},
+						GlobalLabels: map[string]string{
+							"k1": "v1",
+							"k2": "v2",
+						},
+						TLS:          monitoringCfg.APMTLS{},
+						SamplingRate: &tenPercentSamplingRate,
+					},
+				},
+			},
+			want:    assert.NotNil,
+			wantErr: assert.NoError,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := initTracer(tt.args.agentName, tt.args.version, tt.args.mcfg)
+			if got != nil {
+				t.Cleanup(func() {
+					got.Close()
+				})
+			}
+			if !tt.wantErr(t, err, fmt.Sprintf("initTracer(%v, %v, %v)", tt.args.agentName, tt.args.version, tt.args.mcfg)) {
+				return
+			}
+			tt.want(t, got, "initTracer(%v, %v, %v)", tt.args.agentName, tt.args.version, tt.args.mcfg)
+		})
+	}
+}
diff --git a/internal/pkg/diagnostics/diagnostics.go b/internal/pkg/diagnostics/diagnostics.go
@@ -20,10 +20,12 @@ import (
 	"time"
 
 	"github.com/elastic/elastic-agent/pkg/control/v2/client"
+	"github.com/elastic/go-ucfg"
 
 	"gopkg.in/yaml.v3"
 
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/paths"
+	"github.com/elastic/elastic-agent/internal/pkg/config"
 	"github.com/elastic/elastic-agent/internal/pkg/release"
 	"github.com/elastic/elastic-agent/pkg/component"
 	"github.com/elastic/elastic-agent/version"
@@ -570,3 +572,39 @@ func saveLogs(name string, logPath string, zw *zip.Writer) error {
 
 	return nil
 }
+
+// RedactSecretPaths will check the passed mapStr input for a secret_paths attribute.
+// If found it will replace the value for every key in the paths list with <REDACTED> and return the resulting map.
+// Any issues or errors will be written to the errOut writer.
+func RedactSecretPaths(mapStr map[string]any, errOut io.Writer) map[string]any {
+	v, ok := mapStr["secret_paths"]
+	if !ok {
+		fmt.Fprintln(errOut, "No output redaction: secret_paths attribute not found.")
+		return mapStr
+	}
+	arr, ok := v.([]interface{})
+	if !ok {
+		fmt.Fprintln(errOut, "No output redaction: secret_paths attribute is not a list.")
+		return mapStr
+	}
+	cfg := ucfg.MustNewFrom(mapStr)
+	for _, v := range arr {
+		key, ok := v.(string)
+		if !ok {
+			fmt.Fprintf(errOut, "No output redaction for %q: expected type string, is type %T.\n", v, v)
+			continue
+		}
+
+		if ok, _ := cfg.Has(key, -1, ucfg.PathSep(".")); ok {
+			err := cfg.SetString(key, -1, REDACTED, ucfg.PathSep("."))
+			if err != nil {
+				fmt.Fprintf(errOut, "No output redaction for %q: %v.\n", key, err)
+			}
+		}
+	}
+	result, err := config.MustNewConfigFrom(cfg).ToMapStr()
+	if err != nil {
+		return mapStr
+	}
+	return result
+}