Skip to content

[9.3](backport #51921) update elastic-agent-libs to v0.46.1#51935

Open
mergify[bot] wants to merge 2 commits into
9.3from
mergify/bp/9.3/pr-51921
Open

[9.3](backport #51921) update elastic-agent-libs to v0.46.1#51935
mergify[bot] wants to merge 2 commits into
9.3from
mergify/bp/9.3/pr-51921

Conversation

@mergify

@mergify mergify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Proposed commit message

    update elastic-agent-libs to v0.46.1
    
    Improve logging when TLS certificates and keys fail to load preventing it from
    logging a malformed key when it fails to load.

Checklist

  • [ ] My code follows the style guidelines of this project
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

None

How to test this PR locally

Try to load a malformed certificate key. Check elastic/elastic-agent-libs#431 for details

Related issues

  • N/A

This is an automatic backport of pull request #51921 done by [Mergify](https://mergify.com).

Improve logging when TLS certificates and keys fail to load preventing it from
logging a malformed key when it fails to load.

full changelog: elastic/elastic-agent-libs@v0.45.0...v0.46.1=

(cherry picked from commit 8674b2f)

# Conflicts:
#	NOTICE.txt
#	go.mod
#	go.sum
@mergify mergify Bot added backport conflicts There is a conflict in the backported pull request labels Jul 14, 2026
@mergify mergify Bot requested review from a team as code owners July 14, 2026 15:41
@mergify mergify Bot added backport conflicts There is a conflict in the backported pull request labels Jul 14, 2026
@mergify

mergify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Cherry-pick of 8674b2f has failed:

On branch mergify/bp/9.3/pr-51921
Your branch is up to date with 'origin/9.3'.

You are currently cherry-picking commit 8674b2f08.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   changelog/fragments/1784030419-update-elastic-agent-libs-to-v0.46.1.yaml
	modified:   x-pack/filebeat/input/o365audit/auth/cert.go
	modified:   x-pack/filebeat/input/o365audit/config.go
	modified:   x-pack/filebeat/input/o365audit/input.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   NOTICE.txt
	both modified:   go.mod
	both modified:   go.sum

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 14, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /test : Run the Buildkite pipeline.

@github-actions github-actions Bot added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Jul 14, 2026
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic Bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 14, 2026
@mergify mergify Bot mentioned this pull request Jul 14, 2026
1 task
@github-actions

This comment has been minimized.

@github-actions

Copy link
Copy Markdown
Contributor

TL;DR

The Ubuntu golangci-lint job failed on five new findings in the O365 Audit changes; macOS and Windows were cancelled after the Ubuntu failure. Fix the reported errcheck, errorlint, and staticcheck findings, then rerun the workflow.

Remediation

  • Handle the unchecked type assertion/error path reported in x-pack/filebeat/input/o365audit/input.go:98 and check the return value from timed.Wait at input.go:141.
  • Replace the direct wrapped-error comparison at input.go:126 with an errors.Is check.
  • Remove the trailing periods from the two validation error strings in x-pack/filebeat/input/o365audit/config.go:143 and config.go:146.
  • Run the scoped O365 Audit tests and rerun golangci-lint (or the workflow) to confirm all five findings are resolved.
Investigation details

Root Cause

The changed O365 Audit files introduce five lint violations detected by golangci-lint v2.12.2. The failure is source-level, not an infrastructure or runner failure.

Evidence

  • Workflow: https://github.com/elastic/beats/actions/runs/29347068910
  • Job/step: lint (ubuntu-latest) / golangci-lint
  • Key log excerpt: input.go:98:14: Error return value is not checked (errcheck); input.go:141:14: Error return value of timed.Wait is not checked (errcheck); input.go:126:8: comparing with != will fail on wrapped errors (errorlint); config.go:143:10 and config.go:146:10: ST1005: error strings should not end with punctuation or newlines (staticcheck); 5 issues

Validation

No source tests were run by this read-only investigation.

Follow-up

After applying the fixes, rerun the failed workflow for PR #51935.


What is this? | From workflow: PR Actions Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@github-actions

Copy link
Copy Markdown
Contributor

TL;DR

The Ubuntu fips140=only unit-test failure is a source-level incompatibility in libbeat/esleg/eslegclient/TestConnectionTLS, not an infrastructure failure. The backport test expects tls: internal error, but the FIPS runtime now rejects the fixture certificate earlier and returns certificate uses RSA-1024 public key which is not allowed by FIPS 140-3.

Remediation

  • Update the 9.3 backport's TestConnectionTLS assertion at libbeat/esleg/eslegclient/connection_test.go:279 to assert the RSA-1024 rejection (or otherwise accept the concrete FIPS certificate-policy error), matching the behavior shown in the failing log.
  • Run GODEBUG=fips140=only go test ./libbeat/esleg/eslegclient -run TestConnectionTLS -count=1, then rerun mage goFIPSOnlyUnitTest.
Investigation details

Root Cause

The test server uses the embedded 1024-bit RSA key/certificate (connection_test.go:294-298). In FIPS-only mode, Go rejects that certificate because RSA keys below 2048 bits are prohibited. The test still checks for the older generic handshake error, so the test fails even though the TLS policy rejection is functioning correctly.

Evidence

  • Build: https://buildkite.com/elastic/beats/builds/49412
  • Job/step: Libbeat: Ubuntu x86_64 fips140=only Unit Tests (mage goFIPSOnlyUnitTest)
  • Key log excerpt: connection_test.go:279: Error "Get \"(127.0.0.1/redacted)\": tls: certificate uses RSA-1024 public key which is not allowed by FIPS 140-3" does not contain "tls: internal error"
  • The same log also records the server-side crypto/rsa: use of keys smaller than 2048 bits is not allowed in FIPS 140-only mode.

Verification

The scoped local FIPS test could not be executed because the environment attempted to download Go 1.26.4 and the download itself failed under GODEBUG=fips140=only (crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode).


What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport conflicts There is a conflict in the backported pull request Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant