[Ai4Soc] Tier specific security serverless config files (#213577)

## Summary Allows hiding project specific features using tier specific config files. We need this to be able to gate certain features on a new serverless tier (`searchAiLake`) that is a subset of features from `essentials`/`complete`. The following illustration outlines the approach with tier specific serverless config files. ![Screenshot 2025-03-06 at 10 42 53 AM](https://github.com/user-attachments/assets/613dbeda-d075-46b0-948d-816ee901a141) ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ### Identify risks Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging. - [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) - [ ] ...
2025-04-18 23:21:39 -04:00 · 2025-03-12 17:21:25 +01:00 · 2025-03-12 17:21:25 +01:00 · 78647b01ee
commit 78647b01ee
parent f8a3051605
7 changed files with 103 additions and 0 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1856,6 +1856,9 @@ packages/kbn-monaco/src/esql @elastic/kibana-esql
 /config/serverless.es.yml @elastic/kibana-core @elastic/kibana-security
 /config/serverless.oblt.yml @elastic/kibana-core @elastic/kibana-security
 /config/serverless.security.yml @elastic/kibana-core @elastic/kibana-security
+/config/serverless.security.search_ai_lake.yml @elastic/security-solution @elastic/kibana-security
+/config/serverless.security.essentials.yml @elastic/security-solution @elastic/kibana-security
+/config/serverless.security.complete.yml @elastic/security-solution @elastic/kibana-security
 /typings/ @elastic/kibana-core
 /test/analytics @elastic/kibana-core
 /src/platform/packages/shared/kbn-test/src/jest/setup/mocks.kbn_i18n_react.js @elastic/kibana-core
--- a/.gitignore
+++ b/.gitignore
@ -65,6 +65,9 @@ webpackstats.json
 !/config/serverless.es.yml
 !/config/serverless.oblt.yml
 !/config/serverless.security.yml
+!/config/serverless.security.essentials.yml
+!/config/serverless.security.complete.yml
+!/config/serverless.security.search_ai_lake.yml
 !/config/node.options
 coverage
 !/test/common/fixtures/plugins/coverage
--- a/config/serverless.security.complete.yml
+++ b/config/serverless.security.complete.yml
@ -0,0 +1 @@
+# Security Complete tier config
--- a/config/serverless.security.essentials.yml
+++ b/config/serverless.security.essentials.yml
@ -0,0 +1,2 @@
+# Security Essentials tier config
+
--- a/config/serverless.security.search_ai_lake.yml
+++ b/config/serverless.security.search_ai_lake.yml
@ -0,0 +1 @@
+# Security Search AI Lake tier config
--- a/src/cli/serve/compile_config_stack.js
+++ b/src/cli/serve/compile_config_stack.js
@ -51,6 +51,19 @@ export function compileConfigStack({ configOverrides, devConfig, dev, serverless
    }
  }

+  if (serverlessMode === 'security') {
+    // Security specific tier configs
+    const serverlessSecurityTier = getSecurityTierFromCfg(configs);
+    if (serverlessSecurityTier) {
+      configs.push(resolveConfig(`serverless.${serverlessMode}.${serverlessSecurityTier}.yml`));
+      if (dev && devConfig !== false) {
+        configs.push(
+          resolveConfig(`serverless.${serverlessMode}.${serverlessSecurityTier}.dev.yml`)
+        );
+      }
+    }
+  }
+
  return configs.filter(isNotNull);
 }

@ -64,6 +77,18 @@ function getServerlessModeFromCfg(configs) {
  return config.serverless;
 }

+/** @typedef {'search_ai_lake' | 'essentials' | 'complete'} ServerlessSecurityTier */
+/**
+ * @param {string[]} configs List of configuration file paths
+ * @returns {ServerlessSecurityTier|undefined} The serverless security tier in the summed configs
+ */
+function getSecurityTierFromCfg(configs) {
+  const config = getConfigFromFiles(configs.filter(isNotNull));
+
+  const productType = _.get(config, 'xpack.securitySolutionServerless.productTypes', [])[0];
+  return productType?.product_tier;
+}
+
 /**
 * @param {string} fileName Name of the config within the config directory
 * @returns {string | null} The resolved path to the config, if it exists, null otherwise
--- a/src/cli/serve/compile_config_stack.test.js
+++ b/src/cli/serve/compile_config_stack.test.js
@ -74,6 +74,74 @@ describe('compileConfigStack', () => {
    ]);
  });

+  it.each(['search_ai_lake', 'essentials', 'complete'])(
+    'adds all `security` %s tier config to the stack',
+    async (productTier) => {
+      getConfigFromFiles.mockImplementationOnce(() => {
+        return {
+          serverless: 'es',
+          xpack: {
+            securitySolutionServerless: {
+              enabled: true,
+              productTypes: [
+                {
+                  product_line: 'security',
+                  product_tier: productTier,
+                },
+              ],
+            },
+          },
+        };
+      });
+      const configList = compileConfigStack({
+        serverless: 'security',
+        dev: true,
+      }).map(toFileNames);
+
+      expect(configList).toEqual([
+        'serverless.yml',
+        'serverless.security.yml',
+        'kibana.yml',
+        'kibana.dev.yml',
+        'serverless.dev.yml',
+        'serverless.security.dev.yml',
+        `serverless.security.${productTier}.yml`,
+        `serverless.security.${productTier}.dev.yml`,
+      ]);
+    }
+  );
+
+  it('adds no additional `security` tier config to the stack when no product tier', async () => {
+    getConfigFromFiles.mockImplementationOnce(() => {
+      return {
+        serverless: 'es',
+        xpack: {
+          securitySolutionServerless: {
+            enabled: true,
+            productTypes: [
+              {
+                product_line: 'security',
+              },
+            ],
+          },
+        },
+      };
+    });
+    const configList = compileConfigStack({
+      serverless: 'security',
+      dev: true,
+    }).map(toFileNames);
+
+    expect(configList).toEqual([
+      'serverless.yml',
+      'serverless.security.yml',
+      'kibana.yml',
+      'kibana.dev.yml',
+      'serverless.dev.yml',
+      'serverless.security.dev.yml',
+    ]);
+  });
+
  it('defaults to "es" if --serverless and --dev are there', async () => {
    getConfigFromFiles.mockImplementationOnce(() => {
      return {