Add cloud-defend to agent container images

changelog/fragments/1764188813-add-cloud-defend-packaging.yaml

@@ -0,0 +1,45 @@
+# REQUIRED
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# REQUIRED for all kinds
+# Change summary; a 80ish characters long description of the change.
+summary: Add cloud-defend to container image agent packages
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# description:
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# impact:
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# action:
+
+# REQUIRED for all kinds
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# AUTOMATED
+# OPTIONAL to manually add other PR URLs
+# PR URL: A link the PR that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+# pr: https://github.com/owner/repo/1234
+
+# AUTOMATED
+# OPTIONAL to manually add other issue URLs
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+# issue: https://github.com/owner/repo/1234

dev-tools/packaging/packages.yml

@@ -95,6 +95,16 @@ components:
       - *linux-amd64
       - *linux-arm64
     packageTypes: *all-package-types
+  - &comp-cloud-defend
+    projectName: cloud-defend
+    packageName: cloud-defend-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: cloud-defend-{{.Version}}-{{.Platform}}
+    binaryName: cloud-defend
+    fips: false
+    platforms:
+      - *linux-amd64
+    packageTypes:
+      - *pkg-type-docker
   - &comp-connectors
     projectName: connectors
     packageName: connectors-{{.Version}}.zip
@@ -241,6 +251,20 @@ shared:
 
   # components included in elastic-agent package specs defined before components support in this YAML
   - &elastic_agent_components
+    components:
+      - *comp-agentbeat
+      - *comp-apm_server
+      - *comp-cloudbeat
+      - *comp-cloud-defend
+      - *comp-connectors
+      - *comp-endpoint
+      - *comp-fleet-server
+      - *comp-pf-elastic-collector
+      - *comp-pf-elastic-symbolizer
+      - *comp-pf-host-agent
+
+  # components for cloud/service variants (excludes cloud-defend)
+  - &elastic_agent_cloud_components
     components:
       - *comp-agentbeat
       - *comp-apm_server
@@ -436,6 +460,14 @@ shared:
       <<: *linux_otel_files
       <<: *agent_unpacked_components_files
 
+  - &agent_cloud_binary_spec
+    <<: *common
+    <<: *elastic_agent_cloud_components
+    files:
+      <<: *agent_binary_files
+      <<: *linux_otel_files
+      <<: *agent_unpacked_components_files
+
   - &agent_binary_fips_spec
     <<: *common_fips
     <<: *elastic_agent_fips_components
@@ -538,6 +570,31 @@ shared:
         source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d'
         mode: 0755
 
+  - &agent_cloud_docker_spec
+    <<: *agent_cloud_binary_spec
+    extra_vars:
+      dockerfile: 'Dockerfile.elastic-agent.tmpl'
+      docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl'
+      user: '{{ .BeatName }}'
+      linux_capabilities: ''
+      beats_install_path: "install"
+    files:
+      'elastic-agent.yml':
+        source: 'elastic-agent.docker.yml'
+        mode: 0600
+        config: true
+      'otel.yml':
+        source: 'otel.yml'
+        mode: 0600
+        config: true
+      '.elastic-agent.active.commit':
+        content: >
+          {{ commit }}
+        mode: 0644
+      'hints.inputs.d':
+        source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d'
+        mode: 0755
+
   - &agent_docker_fips_spec
     <<: *agent_binary_fips_spec
     extra_vars:
@@ -1458,7 +1515,7 @@ specs:
       arch: amd64
       types: [docker]
       spec:
-        <<: *agent_docker_spec
+        <<: *agent_cloud_docker_spec
         # The cloud image is always based on Wolfi
         <<: *docker_wolfi_spec
         <<: *docker_builder_spec
@@ -1471,7 +1528,7 @@ specs:
       arch: arm64
       types: [docker]
       spec:
-        <<: *agent_docker_spec
+        <<: *agent_cloud_docker_spec
         # The cloud image is always based on Wolfi
         <<: *docker_wolfi_arm_spec
         <<: *docker_builder_arm_spec
@@ -1485,7 +1542,7 @@ specs:
       arch: amd64
       types: [ docker ]
       spec:
-        <<: *agent_docker_spec
+        <<: *agent_cloud_docker_spec
         # The service image is always based on Wolfi
         <<: *docker_wolfi_spec
         <<: *docker_builder_spec
@@ -1499,7 +1556,7 @@ specs:
       arch: arm64
       types: [ docker ]
       spec:
-        <<: *agent_docker_spec
+        <<: *agent_cloud_docker_spec
         # The service image is always based on Wolfi
         <<: *docker_wolfi_arm_spec
         <<: *docker_builder_arm_spec

dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl

@@ -39,6 +39,7 @@ RUN true && \
     chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/*beat && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/osquery* || true) && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/apm-server || true) && \
+    (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/cloud-defend || true) && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/endpoint-security || true) && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/fleet-server || true) && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-collector || true) && \

dev-tools/packaging/templates/ironbank/Dockerfile.tmpl

@@ -74,13 +74,14 @@ RUN find / -xdev -perm -4000 -exec chmod u-s {} +
 # Provide a non-root user to run the process.
 RUN groupadd --gid 1000 ${ELASTIC_PRODUCT} && useradd --uid 1000 --gid 1000 --groups 0 --home-dir /usr/share/${ELASTIC_PRODUCT} --no-create-home ${ELASTIC_PRODUCT}
 
-# Elastic Agent permissions
+# Elastic Agent permissions
 RUN find /usr/share//elastic-agent/data -type d -exec chmod 0777 {} \; && \
     find /usr/share//elastic-agent/data -type f -exec chmod 0666 {} \; && \
     chmod 0755 /usr/share//elastic-agent/data/elastic-agent-*/elastic-agent && \
     chmod 0755 /usr/share//elastic-agent/data/elastic-agent-*/components/*beat && \
     (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/osquery* || true) && \
     (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/apm-server || true) && \
+    (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/cloud-defend || true) && \
     (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/endpoint-security || true) && \
     (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/fleet-server || true) && \
     (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/pf-elastic-collector || true) && \

magefile.go

@@ -643,6 +643,9 @@ func DownloadManifest(ctx context.Context) error {
 		return fmt.Errorf("failed extracting dependencies: %w", err)
 	}
 
+	// Only include components that support at least one of the selected package types
+	dependencies = packaging.FilterComponents(dependencies, supportsSelectedPackageTypesFilter(platforms, devtools.SelectedPackageTypes))
+
 	if e := manifest.DownloadComponents(ctx, dependencies, devtools.ManifestURL, platforms, dropPath); e != nil {
 		return fmt.Errorf("failed to download the manifest file, %w", e)
 	}
@@ -1404,6 +1407,10 @@ func collectPackageDependencies(platforms []string, packageVersion string, packa
 	} else {
 		archivePath = movePackagesToArchive(dropPath, platforms, packageVersion, dependencies)
 	}
+
+	// Only include components that support at least one of the selected package types
+	dependencies = packaging.FilterComponents(dependencies, supportsSelectedPackageTypesFilter(platforms, packageTypes))
+
 	return archivePath, dropPath, dependencies
 }
 
@@ -1424,6 +1431,21 @@ func supportsAtLeastOnePackageType(platform string, spec packaging.BinarySpec, p
 	return false
 }
 
+// supportsSelectedPackageTypesFilter returns a filter which will exclude components that do not support at least one of the selected package types
+func supportsSelectedPackageTypesFilter(platforms []string, packageTypes []devtools.PackageType) packaging.ComponentFilter {
+	return func(dep packaging.BinarySpec) bool {
+		for _, platform := range platforms {
+			if supportsAtLeastOnePackageType(platform, dep, packageTypes) {
+				return true
+			}
+		}
+		if mg.Verbose() {
+			log.Printf(">>> Filtering out component %s as it doesn't support any selected package types %v", dep.BinaryName, packageTypes)
+		}
+		return false
+	}
+}
+
 func removePythonWheels(matches []string, version string, dependencies []packaging.BinarySpec) []string {
 	if hasSnapshotEnv() {
 		version = fmt.Sprintf("%s-SNAPSHOT", version)