Skip to content

[9.4](backport #51921) update elastic-agent-libs to v0.46.1#51934

Open
mergify[bot] wants to merge 1 commit into
9.4from
mergify/bp/9.4/pr-51921
Open

[9.4](backport #51921) update elastic-agent-libs to v0.46.1#51934
mergify[bot] wants to merge 1 commit into
9.4from
mergify/bp/9.4/pr-51921

Conversation

@mergify

@mergify mergify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Proposed commit message

    update elastic-agent-libs to v0.46.1
    
    Improve logging when TLS certificates and keys fail to load preventing it from
    logging a malformed key when it fails to load.

Checklist

  • [ ] My code follows the style guidelines of this project
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

None

How to test this PR locally

Try to load a malformed certificate key. Check elastic/elastic-agent-libs#431 for details

Related issues

  • N/A

This is an automatic backport of pull request #51921 done by [Mergify](https://mergify.com).

@mergify mergify Bot added backport conflicts There is a conflict in the backported pull request labels Jul 14, 2026
@mergify mergify Bot requested review from a team as code owners July 14, 2026 15:41
@mergify mergify Bot added backport conflicts There is a conflict in the backported pull request labels Jul 14, 2026
@mergify

mergify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Cherry-pick of 8674b2f has failed:

On branch mergify/bp/9.4/pr-51921
Your branch is up to date with 'origin/9.4'.

You are currently cherry-picking commit 8674b2f08.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   changelog/fragments/1784030419-update-elastic-agent-libs-to-v0.46.1.yaml
	modified:   x-pack/filebeat/input/o365audit/auth/cert.go
	modified:   x-pack/filebeat/input/o365audit/config.go
	modified:   x-pack/filebeat/input/o365audit/input.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   NOTICE.txt
	both modified:   go.mod
	both modified:   go.sum

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 14, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /test : Run the Buildkite pipeline.

@github-actions github-actions Bot added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Jul 14, 2026
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic Bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 14, 2026
@mergify mergify Bot mentioned this pull request Jul 14, 2026
1 task
@github-actions

Copy link
Copy Markdown
Contributor

TL;DR

The beats-libbeat FIPS-140-only unit test failure is deterministic and caused by the 9.4 backport retaining an outdated TLS error assertion. TestConnectionTLS expects tls: internal error, but the FIPS-only handshake now fails earlier with the explicit RSA-1024 certificate policy error.

Remediation

  • Update libbeat/esleg/eslegclient/connection_test.go in the backport so the FIPS branch accepts/asserts RSA-1024 public key which is not allowed by FIPS 140-3 (and retain the non-FIPS success assertion).
  • Re-run go test for ./libbeat/esleg/eslegclient under the FIPS-only configuration; a retry without the test update is expected to fail again.
Investigation details

Root Cause

The backport PR updates elastic-agent-libs to v0.46.1 but does not include the corresponding TestConnectionTLS assertion update. The 9.4 test still checks for the old generic tls: internal error; the current test on the source branch checks the concrete FIPS policy error instead.

Evidence

  • Build: https://buildkite.com/elastic/beats/builds/49411
  • Job/step: Libbeat: Ubuntu x86_64 fips140=only Unit Tests (beats-libbeat build 31457)
  • Log: libbeat/esleg/eslegclient.TestConnectionTLS failed at connection_test.go:279; the server reported crypto/rsa: use of keys smaller than 2048 bits is not allowed in FIPS 140-only mode and the client returned certificate uses RSA-1024 public key which is not allowed by FIPS 140-3.
  • The failing assertion expected tls: internal error.
  • The test fixture is intentionally RSA-1024 (connection_test.go documents this at lines 247-252 and embeds fips_invalid.key at line 295).

Verification

  • The failure log shows 4,190 tests completed with exactly one failure; no local test was run because this workflow is read-only and the provided failure log is conclusive.

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@github-actions

Copy link
Copy Markdown
Contributor

TL;DR

The golangci-lint step fails in all three matrix jobs because the backport introduces five lint errors in x-pack/filebeat/input/o365audit. Fix the reported error handling and error strings, then rerun the workflow.

Remediation

  • In x-pack/filebeat/input/o365audit/input.go, handle the type assertion at line 98 and the return value from timed.Wait at line 141.
  • Replace the direct cancellation-error comparison at line 126 with errors.Is.
  • Remove the trailing periods from the two errors.New messages at x-pack/filebeat/input/o365audit/config.go:143 and :146.
  • Rerun the golangci-lint workflow across Linux, Windows, and macOS.
Investigation details

Root Cause

The merged pull-request revision is linted with golangci-lint v2.12.2 and reports two errcheck findings, one errorlint finding, and two staticcheck findings in the O365 audit input changes.

Evidence

  • Workflow: https://github.com/elastic/beats/actions/runs/29346882227
  • Jobs/step: lint (ubuntu-latest), lint (windows-latest), and lint (macos-latest) / golangci-lint
  • Key log excerpts: input.go:98:14: Error return value is not checked; input.go:141:14: Error return value of timed.Wait is not checked; input.go:126:8: comparing with != will fail on wrapped errors; and config.go:143:10 plus config.go:146:10: ST1005: error strings should not end with punctuation or newlines. Each job reports 5 issues.

Validation

  • No local tests were run; this read-only investigation is based on the workflow logs.

Follow-up

  • The existing detective comment on this PR is a separate Buildkite FIPS test report; no prior PR Actions Detective report was found, so this is a new failure diagnosis.

What is this? | From workflow: PR Actions Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

Improve logging when TLS certificates and keys fail to load preventing it from
logging a malformed key when it fails to load.

full changelog: elastic/elastic-agent-libs@v0.45.0...v0.46.1=

(cherry picked from commit 8674b2f)
@AndersonQ AndersonQ force-pushed the mergify/bp/9.4/pr-51921 branch from 614e537 to 0ca0af4 Compare July 15, 2026 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport conflicts There is a conflict in the backported pull request Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant