feat: Add package registry to eck

[tehbooom]

Elastic Package Registry (EPR) has been highly requested to be added to ECK.

EPR does not have any references since it does not require a license nor any other application.

The following was implemented for EPR

• defaults to TLS
• Sets the default container image to docker.elastic.co/package-registry/distribution
• Users can set their own images
• Users can update the config following the reference
• Kibana can reference the EPR like Elasticsearch and Enterprise Search
• If Kibana references EPR and TLS is enabled it will populate xpack.fleet.registryUrl and set the environment variable NODE_EXTRA_CA_CERTS to the path of EPR's CA which is mounted
• If a user provides their own NODE_EXTRA_CA_CERTS with a mount the controller will combine the certs appending the EPR's CA to the users specified CA

This was tested with and without setting NODE_EXTRA_CA_CERTS using the below manifest

apiVersion: epr.k8s.elastic.co/v1alpha1
kind: ElasticPackageRegistry
metadata:
  name: registry
spec:
  version: 9.1.2
  count: 1
  podTemplate:
    spec:
      containers:
      - name: package-registry
        image: docker.elastic.co/package-registry/distribution:lite-9.1.2
---
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch
spec:
  version: 9.1.2
  nodeSets:
  - name: default
    count: 1
---
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana
spec:
  version: 9.1.2
  count: 1
  elasticsearchRef:
    name: elasticsearch
  packageRegistryRef:
    name: registry
  config:
    telemetry.optIn: false
    xpack.fleet.isAirGapped: true
    xpack.fleet.agents.elasticsearch.hosts: ["https://elasticsearch-es-http.default.svc:9200"]
    xpack.fleet.agents.fleet_server.hosts: ["https://fleet-server-agent-http.default.svc:8220"]
    xpack.fleet.packages:
      - name: system
        version: latest
      - name: elastic_agent
        version: latest
      - name: fleet_server
        version: latest
    xpack.fleet.agentPolicies:
      - name: Fleet Server on ECK policy
        id: eck-fleet-server
        namespace: default
        monitoring_enabled:
          - logs
          - metrics
        unenroll_timeout: 900
        package_policies:
        - name: fleet_server-1
          id: fleet_server-1
          package:
            name: fleet_server
  podTemplate:
    spec:
      containers:
      - name: kibana
        env:
        - name: NODE_EXTRA_CA_CERTS
          value: /custom/user/ca-bundle.crt
        volumeMounts:
        - name: custom-ca
          mountPath: /custom/user
          readOnly: true
      volumes:
      - name: custom-ca
        secret:
          secretName: user-custom-ca-secret
---
apiVersion: v1
kind: Secret
metadata:
  name: user-custom-ca-secret
  namespace: default
type: Opaque
data:
  ca-bundle.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZtVENDQTRHZ0F3SUJBZ0lVYjVrK2d6V3A5YjljWTV4bkhUcWZNdHFHUXIwd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1hERUxNQWtHQTFVRUJoTUNXRmd4RlRBVEJnTlZCQWNNREVSbFptRjFiSFFnUTJsMGVURWNNQm9HQTFVRQpDZ3dUUkdWbVlYVnNkQ0JEYjIxd1lXNTVJRXgwWkRFWU1CWUdBMVVFQXd3UGRHVnpkQzVsYkdGemRHbGpMbU52Ck1CNFhEVEkxTURneU1ERTRNakl3T0ZvWERUTTFNRGd4T0RFNE1qSXdPRm93WERFTE1Ba0dBMVVFQmhNQ1dGZ3gKRlRBVEJnTlZCQWNNREVSbFptRjFiSFFnUTJsMGVURWNNQm9HQTFVRUNnd1RSR1ZtWVhWc2RDQkRiMjF3WVc1NQpJRXgwWkRFWU1CWUdBMVVFQXd3UGRHVnpkQzVsYkdGemRHbGpMbU52TUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBZzhBTUlJQ0NnS0NBZ0VBMHljTGVySWR3LzdpbGlKMzVBUEZ4bUx6TFRnNWRhUStWSUttS2lNbStlTTYKanJOY3lnbGphNVFEbHYvMStGUm5hamhrRTBobHoycXEzTjk0U1pYN3M2eHBnQUVzMGVQQ3VaZVBNU2VUYlYyRgp0YlIxNnFuM0JjenVxN3laOXZwdHR3MmJRdkJkY3JzZFU4T2RYUWhGNFd4QUFwODRKYWlMNmkzMlA2K2VPODBwCmh3Z1kwS0F1bzZoZC8zaFpNME14M2MwRmJmU0JHaTUyOHZKODYzUDRXZlEwMWdtUUxVbGl0UlhhTUhiaDRXSm0KOU45c0psUXpnbkNuQjZ6YkZjZ2gweWxrakd0UzBIZEo3eSs3dmE0Q1BqdkxlWGpwTnZuQzRjTmlocnp4Wmw5bQphM0ZVdVpiU0lRekE2ZFlkdkdrT2V3OTJEek1BaTdldU14UDdyYVhRejZmc1N6U1V4N1RjQWl5M2E5VU9Fdi9rCk5NV3VTbDlUMHRRSkhJSzJMc0t0MlVKWVVHWk4wOWU2SUVSTlJOL0FIUjVDbTlhcVQ1Q2ZyQW9JVVhNdUg2S1oKN1JCZFFockRxL2xEQk54bWs5dW44V2lic0NSVnkvVXRJQ3lOSytxbGpGUWZEd01hNkRkd3BjcnpnTWZnU3RTawpLek1LRUJla2N0Q0Q4dHNmTjZYem5USmNBYUJETzFlQWZyT0Z2NG1PTXJqVG90OEYvK3pxN0dXNTlqWTRvdFhMCkY3TnpadFl0eWsvbDRvb2hUZUFuM1ptd1BDMGJFQ1FkTmpTVkZ6ZXJCamE4ZjhacGpKRzNjUllyVmh6YUNsRWMKRU5wbFRHcldVaUVwRDdnTnNlNWNDSnZpQU12NHdwait2QTVVNlA3Z0MxUUtKV2hWS3BVYWcvTmtTSUFCRmtrQwpBd0VBQWFOVE1GRXdIUVlEVlIwT0JCWUVGTWdldEVJajZtRWdsZURGNkVNdUY4NXVnYzdZTUI4R0ExVWRJd1FZCk1CYUFGTWdldEVJajZtRWdsZURGNkVNdUY4NXVnYzdZTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3RFFZSktvWkkKaHZjTkFRRUxCUUFEZ2dJQkFEOFU3dm1yWmhHTUZiV2YzRDZlNy84TUwzWEhLRk5TNy9UeWF3U2tvdGVSTVdFbgp1RWhQK2dmbkdUT2ZITFlQeHl5eEJ4U041T29sZHRJclo5dnhBc2dlYWJzSkJaenhQVHpxU09VN3h3b09LcTlRCmdKRUYxL0ZmemFlR1V5dVE2S1ZaZ0QvZ1JPSW42Ri9OUGlzM1pvbUpPOStuVWdTTnNiUm9RYmdPUGdPV3Q3Z1gKVEhuOHJpdUp2OXRPNFBRN09Sa3pubDJYbERlcE9xNVpwSUtkcVl0Rm5MUjF3SllyREZESmt0Q3h6MzFob0FrZwpSVjlSU1BSMFFxZ1JQeFNpNGpXdkNGUk5XTUFJc0NadGJsWExRRUljWGI1YnlsWXV2a3psTTJ4dHlHK3FaRFhMCnFoZDVNeFZIUkpqTzE1VEdpZXFRcUpMVkZyVElhTHFoaXZpQ1pUbDJoVkYxVlpPVG05MU5aeE53M25RL3JyeDgKK2VQV2xTWlZKWXc3SDRkWkx5WTFjRUxLT0YrZDJybVNSZ2pWaHZycUZ3R1M3MUQzYkV4Y0dSakNrOHNQWEZyRwpsOFRzY05RMXBPSGVuNlJhOFhVdGtxU1doZllFb3owZjBEem4wYmt4c2VWaCttS1BHV3QxcHdlemVFTFVwaHE3CmwwSVRLeis1b1lqYWVHTDRia25kcWlpemwzWkc2N0lYL3VyR0dQVUxkLzU1NEtRMFFPMS92S3Y2dE1YMWc0dVMKWHdWc0pzQjlrTUIwRFFxbDhRYmg0UEJ2ZW9RRTZvL3BycXRtWjR1RWdDMCt1cm5paDlCY1FweFNKOUljR1kxTQpBQzRBcG5Pem1CYTFhUVBMcDRaRFIxQXpFK1hXWDd2WWNWYUxleUJxRzRja3dwbUtOUnhpcnJjS2NaMkYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
---
apiVersion: agent.k8s.elastic.co/v1alpha1
kind: Agent
metadata:
  name: fleet-server
spec:
  version: 9.1.2
  kibanaRef:
    name: kibana
  elasticsearchRefs:
  - name: elasticsearch
  mode: fleet
  fleetServerEnabled: true
  policyID: eck-fleet-server
  deployment:
    replicas: 1
    podTemplate:
      spec:
        serviceAccountName: fleet-server
        automountServiceAccountToken: true
        resources:
          requests:
            cpu: 200m
            memory: 1Gi
          limits:
            cpu: 1
            memory: 2Gi
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fleet-server
  namespace: default
rules:
- apiGroups: [""]
  resources:
  - pods
  - namespaces
  - nodes
  verbs:
  - get
  - watch
  - list
- apiGroups: ["apps"]
  resources:
    - replicasets
  verbs:
    - get
    - watch
    - list
- apiGroups: ["batch"]
  resources:
    - jobs
  verbs:
    - get
    - watch
    - list
- apiGroups: ["coordination.k8s.io"]
  resources:
  - leases
  verbs:
  - get
  - create
  - update
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fleet-server
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fleet-server
  namespace: default
subjects:
- kind: ServiceAccount
  name: fleet-server
  namespace: default
roleRef:
  kind: ClusterRole
  name: fleet-server
  apiGroup: rbac.authorization.k8s.io

[prodsecmachine]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Licenses	0	0	0	0	0 issues
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[github-actions]

🔍 Preview links for changed docs

• docs/reference/api-reference/main.md

[jsoriano]

Took a quick look from the side of the team maintaining Package Registry.

It looks great, thanks for adding support for package registry in ECK, this will help many users.

Added some comments, please let us know if you need a more in-depth review from our side.

[jsoriano]

Is there an image used by default, or setting the image is required?

[tehbooom]

Yes the default version is package-registry/distribution:<version> where the user specifies the version. Version is a required field so if they do not specify one it will fail. Something I thought about was adding a epr_type or something like that where the user could specify the different EPR versions we publish. Like 9.1.2, lite-9.1.2, production, and lite. However I think its just as easy to specify the image in the template if you want something other than package-registry/distribution:<version>

[barkbay]

While doing a first test I just realized that the default image is around ~5Gb 😅 (I was wondering why my container was not starting 🙃 ). I'm also wondering if it would not make sense to have short flag to select the image "type".

Edit: I just had a Pod that failed to start with the following error on GKE:

  Warning  Failed               90s    kubelet            Failed to pull image "docker.elastic.co/package-registry/distribution:9.1.0": failed to pull and unpack image "docker.elastic.co/package-registry/distribution:9.1.0": failed to extract layer sha256:0f0888ef6ac576c67e3a9acf8ec7216533b7f3144aeb14c9b93d0db9469830cd: write /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/889/fs/packages/package-storage/security_detection_engine-9.0.9-beta.1.zip: no space left on device: unknown

I also had disk pressure conditions. I think the image size should be highlighted in the documentation so that K8s nodes can handle it.

Edit 2: This maybe also means that we need to check the disk size on the nodes used for our e2e tests

[tehbooom]

@jsoriano do you think we should change the default image to be something smaller? I selected this image because it is what we recommend.

[jsoriano]

Yeah, the lite images were added as smaller images for this kind of use cases, but even this image is starting to be too big.

There are vanilla images that don't contain any package. They fail to start if no directory with packages is configured, but they can also be configured in proxy mode, to forward requests for example to the public EPR.

Latest of these images is docker.elastic.co/package-registry/package-registry:v1.31.1.

There is an open issue about allowing to start even if no package is available yet: elastic/package-registry#1351.

More about the proxy mode in https://github.com/elastic/package-registry/?tab=readme-ov-file#proxy-mode.

We also have a WIP to create custom distributions, and smaller images elastic/package-registry#1335.

[Copilot]

Pull Request Overview

This PR adds Elastic Package Registry (EPR) support to ECK, introducing a new CRD for deploying EPR instances and enabling Kibana to reference EPR instances for Fleet package management.

• Adds ElasticPackageRegistry CRD with controller to manage EPR deployments
• Enables Kibana to associate with EPR instances via packageRegistryRef field
• Implements TLS certificate handling and CA mounting for secure communication between Kibana and EPR

Reviewed Changes

Copilot reviewed 60 out of 61 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/apis/epr/v1alpha1/	New API definitions for ElasticPackageRegistry CRD
pkg/controller/packageregistry/	Controller implementation for managing EPR resources
pkg/controller/association/controller/kibana_epr.go	Association controller for Kibana-EPR relationships
pkg/apis/kibana/v1/kibana_types.go	Adds packageRegistryRef field and EPR association support
pkg/controller/kibana/	Updates Kibana controller to handle EPR associations and CA certificates
test/e2e/	E2E tests for EPR functionality and associations

Comments suppressed due to low confidence (1)

pkg/controller/kibana/pod_test.go:1

• The comment on line 67 says 'readinessProbe is the readiness probe for the maps container' but this function is in the packageregistry controller and should refer to the package registry container.

// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[tehbooom]

@tehbooom 👋 please let me know when you need another review, thanks!

@barkbay

Added EPR to ECK diagnostics here.

I still need to update our documentation. I know we changed how we do documentation so if you could please point me in the right direction where ECK docs live that would be great. This PR is ready for another review. Thanks!

[barkbay]

I still need to update our documentation. I know we changed how we do documentation so if you could please point me in the right direction where ECK docs live that would be great. This PR is ready for another review. Thanks!

Documentation has moved here: https://github.com/elastic/docs-content Please note that the main branch of that repo is immediately published, therefore do not merge the doc PR until the feature has been released.

I'll try to take another look to your PR this week, I'm struggling to keep up with the pace of PRs opened in this repo 😅

[barkbay]

buildkite test this -f p=gke,E2E_TAGS=epr

[barkbay]

buildkite test this -f p=gke,E2E_TAGS=epr

[barkbay]

E2E tests are still failing with:

  Warning  Failed               12m   kubelet            Failed to pull image "docker.elastic.co/package-registry/distribution:9.1.2": failed to pull and unpack image "docker.elastic.co/package-registry/distribution:9.1.2": failed to extract layer sha256:57bbe197467b8b19ba0705f05ee41860ff3bb44020ed5986df96bfed4614e630: write /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/396/fs/packages/package-storage/security_detection_engine-8.6.8.zip: no space left on device

We also have to find a solution for this. IIUC elastic/package-registry#1335 would be the way to go? I'll also try to check if we can increase the disk on GKE nodes, but it would still mean that we may have to skip other providers (AWS, Azure, Kind...).

IIUC the image currently requires ~14Gi:

docker.elastic.co/package-registry/distribution                                       9.1.2                                             d127b26dc3000       13.8GB

[barkbay]

Pods are being recreated in my dev env because of changes in packageregistry.k8s.elastic.co/config-hash while I do nothing:

Edit: Nevermind, it's because I used short lived certificates to test certificate rotation, and it seems it requires the Pod to be recreated. @tehbooom Could you confirm that certificates are not hot reloaded?

[barkbay]

Would it make things easier to implement and debug if we ask the users to not use NODE_EXTRA_CA_CERTS but instead allow them to add custom certificates using an alternate env. variable, for example KIBANA_EXTRA_CA_CERTS (I'm asking because the way we handle NODE_EXTRA_CA_CERTS feels a bit "hacky" to me tbh)

[pebrc]

I think one issue with that would be that there might be already users that we would break if we stopped supporting user defined NODE_EXTRA_CA_CERTS

[tehbooom]

I think one issue with that would be that there might be already users that we would break if we stopped supporting user defined NODE_EXTRA_CA_CERTS

Agreed. However, if we did use KIBANA_EXTRA_CA_CERTS what would it make it easier to debug and implement? You are still checking if the user provided extra CAs.

[naemono]

Initial look at this I failed to submit previously.

[pebrc]

Approach looks reasonable with one exception: I am also not a big fan of of the NODE_EXTRA_CA_CERTS init container hackery but don't see a good alternative right now if we want to be backwards compatible.

Main blocker to merge this imo is the lack of UBI images for the package registry.

I could not get the recommended default image to work, as the k8s nodes in my environment ran out of ephemeral storage while trying to pull the image. I wonder how viable this image is for any environment? I was successful with the lite image though.

[pebrc]

I think one issue with that would be that there might be already users that we would break if we stopped supporting user defined NODE_EXTRA_CA_CERTS

[tehbooom]

Ive update the test image to be the lite image since others have stated it works with that image

[tehbooom]

I don't remember the scenario as its been sometime. But putting this after the check to see if it was already initialized would give me x509 errors. I think it was if I added EPR after Kibana was already deployed it wouldnt pick up the new certificate.

[tehbooom]

I think one issue with that would be that there might be already users that we would break if we stopped supporting user defined NODE_EXTRA_CA_CERTS

Agreed. However, if we did use KIBANA_EXTRA_CA_CERTS what would it make it easier to debug and implement? You are still checking if the user provided extra CAs.

[pebrc]

buildkite test this -f p=gke,E2E_TAGS=epr

[tehbooom]

buildkite test this -f p=gke,E2E_TAGS=epr