[Fleet] Missing policy filter in Fleet Server check to enable secrets (#187935)

## Summary

Closes https://github.com/elastic/kibana/issues/187933
Closes https://github.com/elastic/kibana/issues/186845

Fixed missing policy filter when checking if Fleet Servers met minimum
version to enable secrets storage.
The integration tests now cover a case where there are no fleet servers
but there are agents with minimum version, to verify that the query
filters them out.

Manual verification is hard because you can't enroll an agent without
enrolling FS with at least the same version.
It could be done by manually creating docs in `.fleet-agents`.

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Julia Bardi 2024-07-11 12:57:01 +02:00 committed by GitHub
parent 12bd8fe53a
commit 5761a382e1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 20 additions and 0 deletions


@ -115,6 +115,13 @@ describe('checkFleetServerVersionsForSecretsStorage', () => {
version
);
expect(result).toBe(true);
expect(mockedGetAgentsByKuery).toHaveBeenCalledWith(
esClientMock,
soClientMock,
expect.objectContaining({
kuery: 'policy_id:("1" or "2")',
})
);
});
});


@ -128,11 +128,19 @@ export async function checkFleetServerVersionsForSecretsStorage(
hasMore = false;
}
}
if (policyIds.size === 0) {
return false;
}
const kuery = `policy_id:(${Array.from(policyIds)
.map((id) => `"${id}"`)
.join(' or ')})`;
const managedAgentPolicies = await agentPolicyService.getAllManagedAgentPolicies(soClient);
const fleetServerAgents = await getAgentsByKuery(esClient, soClient, {
showInactive: true,
perPage: SO_SEARCH_LIMIT,
kuery,
});
if (fleetServerAgents.agents.length === 0) {
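Review bot: The policy ids are placed into the KQL filter as `"${id}"` with no escaping, so an id containing a double quote or backslash would yield a malformed filter or one that matches a different set of agents than intended. This check gates whether secrets storage is enabled, so the filter's scope should not depend on the content of an id. If agent policy ids can be supplied by the caller (not visible in this hunk), escape them before quoting, for example with `id.replace(/[\\"]/g, '\\$&')` inside the `map`, or with the project's existing KQL escaping helper if one is in scope. Separately, the lookup is capped at `perPage: SO_SEARCH_LIMIT`, so when more agents match than that limit the version check presumably runs on a partial set; a comment stating the assumption, or pagination, would make that explicit. The function body starts and ends outside this hunk.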


@ -847,6 +847,8 @@ export default function (providerContext: FtrProviderContext) {
it('should not store secrets if fleet server does not meet minimum version', async () => {
const { fleetServerAgentPolicy } = await createFleetServerAgentPolicy();
await createFleetServerAgent(fleetServerAgentPolicy.id, 'server_1', '7.0.0');
const { fleetServerAgentPolicy: fleetServerPolicy2 } = await createFleetServerAgentPolicy(); // extra policy to verify `or` condition
await createFleetServerAgent(fleetServerPolicy2.id, 'server_1', '8.12.0');
await callFleetSetup();
@ -865,7 +867,10 @@ export default function (providerContext: FtrProviderContext) {
});
it('should not store secrets if there are no fleet servers', async () => {
await createFleetServerAgentPolicy();
const agentPolicy = await createAgentPolicy();
// agent with new version shouldn't make storage secrets enabled
await createFleetServerAgent(agentPolicy.id, 'server_2', '8.12.0');
const packagePolicyWithSecrets = await createPackagePolicyWithSecrets(agentPolicy.id);
// secret should be in plain text i.e not a secret refrerence