[8.15] [Fleet] Missing policy filter in Fleet Server check to enable secrets (#187935) (#188089)

# Backport

This will backport the following commits from `main` to `8.15`:
- [[Fleet] Missing policy filter in Fleet Server check to enable secrets
(#187935)](https://github.com/elastic/kibana/pull/187935)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Julia
Bardi","email":"90178898+juliaElastic@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-07-11T10:57:01Z","message":"[Fleet]
Missing policy filter in Fleet Server check to enable secrets
(#187935)\n\n## Summary\r\n\r\nCloses
https://github.com/elastic/kibana/issues/187933\r\nCloses
https://github.com/elastic/kibana/issues/186845\r\n\r\nFixed missing
policy filter when checking if Fleet Servers met minimum\r\nversion to
enable secrets storage.\r\nThe integration tests cover now a case where
there are no fleet servers\r\nbut there are agents with minimum version,
to verify that the query\r\nfilters them out.\r\n\r\nManual verification
is hard because you can't enroll an agent without\r\nenrolling FS with
at least the same version.\r\nIt could be done by manually creating docs
in `.fleet-agents`.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"5761a382e144799b09e45fe5cd59e0c1a012c81e","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Fleet","backport:prev-minor","v8.16.0"],"title":"[Fleet]
Missing policy filter in Fleet Server check to enable
secrets","number":187935,"url":"https://github.com/elastic/kibana/pull/187935","mergeCommit":{"message":"[Fleet]
Missing policy filter in Fleet Server check to enable secrets
(#187935)\n\n## Summary\r\n\r\nCloses
https://github.com/elastic/kibana/issues/187933\r\nCloses
https://github.com/elastic/kibana/issues/186845\r\n\r\nFixed missing
policy filter when checking if Fleet Servers met minimum\r\nversion to
enable secrets storage.\r\nThe integration tests cover now a case where
there are no fleet servers\r\nbut there are agents with minimum version,
to verify that the query\r\nfilters them out.\r\n\r\nManual verification
is hard because you can't enroll an agent without\r\nenrolling FS with
at least the same version.\r\nIt could be done by manually creating docs
in `.fleet-agents`.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"5761a382e144799b09e45fe5cd59e0c1a012c81e"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/187935","number":187935,"mergeCommit":{"message":"[Fleet]
Missing policy filter in Fleet Server check to enable secrets
(#187935)\n\n## Summary\r\n\r\nCloses
https://github.com/elastic/kibana/issues/187933\r\nCloses
https://github.com/elastic/kibana/issues/186845\r\n\r\nFixed missing
policy filter when checking if Fleet Servers met minimum\r\nversion to
enable secrets storage.\r\nThe integration tests cover now a case where
there are no fleet servers\r\nbut there are agents with minimum version,
to verify that the query\r\nfilters them out.\r\n\r\nManual verification
is hard because you can't enroll an agent without\r\nenrolling FS with
at least the same version.\r\nIt could be done by manually creating docs
in `.fleet-agents`.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"5761a382e144799b09e45fe5cd59e0c1a012c81e"}}]}]
BACKPORT-->

Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
Kibana Machine 2024-07-11 14:34:28 +02:00 committed by GitHub
parent 4f933407df
commit d4eecfcba7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 20 additions and 0 deletions


@ -115,6 +115,13 @@ describe('checkFleetServerVersionsForSecretsStorage', () => {
version
);
expect(result).toBe(true);
expect(mockedGetAgentsByKuery).toHaveBeenCalledWith(
esClientMock,
soClientMock,
expect.objectContaining({
kuery: 'policy_id:("1" or "2")',
})
);
});
});


@ -128,11 +128,19 @@ export async function checkFleetServerVersionsForSecretsStorage(
hasMore = false;
}
}
if (policyIds.size === 0) {
return false;
}
const kuery = `policy_id:(${Array.from(policyIds)
.map((id) => `"${id}"`)
.join(' or ')})`;
const managedAgentPolicies = await agentPolicyService.getAllManagedAgentPolicies(soClient);
const fleetServerAgents = await getAgentsByKuery(esClient, soClient, {
showInactive: true,
perPage: SO_SEARCH_LIMIT,
kuery,
});
if (fleetServerAgents.agents.length === 0) {
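Review bot: The policy ids are interpolated into the KQL string without escaping, in the `.map(...)` callback that wraps each id in double quotes. An id containing a double quote or backslash would yield a malformed filter, or one that matches agents outside the intended Fleet Server policies, and this query decides whether secrets storage is enabled. Escape the value before quoting, e.g. `.map((id) => '"' + id.replace(/["\\]/g, '\\$&') + '"')`, or reuse a KQL escaping helper if the plugin already has one. Where `policyIds` is populated is outside the hunk, so whether ids can contain such characters is not visible here. The function body also starts before and continues past the lines shown.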


@ -847,6 +847,8 @@ export default function (providerContext: FtrProviderContext) {
it('should not store secrets if fleet server does not meet minimum version', async () => {
const { fleetServerAgentPolicy } = await createFleetServerAgentPolicy();
await createFleetServerAgent(fleetServerAgentPolicy.id, 'server_1', '7.0.0');
const { fleetServerAgentPolicy: fleetServerPolicy2 } = await createFleetServerAgentPolicy(); // extra policy to verify `or` condition
await createFleetServerAgent(fleetServerPolicy2.id, 'server_1', '8.12.0');
await callFleetSetup();
@ -865,7 +867,10 @@ export default function (providerContext: FtrProviderContext) {
});
it('should not store secrets if there are no fleet servers', async () => {
await createFleetServerAgentPolicy();
const agentPolicy = await createAgentPolicy();
// agent with new version shouldn't make storage secrets enabled
await createFleetServerAgent(agentPolicy.id, 'server_2', '8.12.0');
const packagePolicyWithSecrets = await createPackagePolicyWithSecrets(agentPolicy.id);
// secret should be in plain text i.e not a secret refrerence