Allow agent to override fleet settings

internal/pkg/agent/application/application.go

@@ -209,7 +209,11 @@ func New(
 			log.Info("Parsed configuration and determined agent is in Fleet Server bootstrap mode")
 
 			compModifiers = append(compModifiers, FleetServerComponentModifier(cfg.Fleet.Server))
-			configMgr = coordinator.NewConfigPatchManager(newFleetServerBootstrapManager(log), PatchAPMConfig(log, rawConfig))
+			configMgr = coordinator.NewConfigPatchManager(
+				newFleetServerBootstrapManager(log),
+				PatchAPMConfig(log, rawConfig),
+				PatchFleetConfig(log, rawConfig, caps, isManaged),
+			)
 		} else {
 			log.Info("Parsed configuration and determined agent is managed by Fleet")
 
@@ -259,7 +263,12 @@ func New(
 			if err != nil {
 				return nil, nil, nil, err
 			}
-			configMgr = coordinator.NewConfigPatchManager(managed, injectOutputOverrides(log, rawConfig), PatchAPMConfig(log, rawConfig))
+			configMgr = coordinator.NewConfigPatchManager(
+				managed,
+				injectOutputOverrides(log, rawConfig),
+				PatchAPMConfig(log, rawConfig),
+				PatchFleetConfig(log, rawConfig, caps, isManaged),
+			)
 		}
 	}
 

internal/pkg/agent/application/coordinator/testdata/overrides.yml

@@ -0,0 +1,8 @@
+agent:
+  monitoring:
+    enabled: true
+    use_output: default
+    logs: false
+    metrics: true
+    http:
+      port: 6774

internal/pkg/agent/application/fleet_config_patcher.go

@@ -0,0 +1,32 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+package application
+
+import (
+	"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator"
+	"github.com/elastic/elastic-agent/internal/pkg/capabilities"
+	"github.com/elastic/elastic-agent/internal/pkg/config"
+	"github.com/elastic/elastic-agent/pkg/core/logger"
+)
+
+func PatchFleetConfig(log *logger.Logger,
+	rawConfig *config.Config, // original config from fleet, this one won't reload
+	caps capabilities.Capabilities,
+	isManaged bool,
+) func(change coordinator.ConfigChange) coordinator.ConfigChange {
+	if !isManaged || // no need to override fleet config when not managed
+		caps == nil || !caps.AllowFleetOverride() {
+		return noop
+	}
+
+	return func(change coordinator.ConfigChange) coordinator.ConfigChange {
+		newConfig := change.Config()
+		if err := newConfig.Merge(rawConfig); err != nil {
+			log.Errorf("error merging fleet config into config change: %v", err)
+		}
+
+		return change
+	}
+}

internal/pkg/agent/application/fleet_config_patcher_test.go

@@ -0,0 +1,91 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+package application
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+
+	"github.com/elastic/elastic-agent/internal/pkg/agent/configuration"
+	"github.com/elastic/elastic-agent/internal/pkg/config"
+	"github.com/elastic/elastic-agent/pkg/core/logger/loggertest"
+)
+
+func Test_FleetPatcher(t *testing.T) {
+	configFile := filepath.Join(".", "coordinator", "testdata", "overrides.yml")
+
+	testCases := []struct {
+		name          string
+		isManaged     bool
+		featureEnable bool
+		expectedLogs  bool
+	}{
+		{name: "managed - enabled", isManaged: true, featureEnable: true, expectedLogs: false},
+		{name: "managed - disabled", isManaged: true, featureEnable: false, expectedLogs: true},
+		{name: "not managed - enabled", isManaged: false, featureEnable: true, expectedLogs: true},
+		{name: "not managed - disabled", isManaged: false, featureEnable: false, expectedLogs: true},
+	}
+
+	overridesFile, err := os.OpenFile(configFile, os.O_RDONLY, 0)
+	require.NoError(t, err)
+	defer overridesFile.Close()
+
+	rawConfig, err := config.NewConfigFrom(overridesFile)
+	require.NoError(t, err)
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			caps := &mockCapabilities{}
+			caps.On("AllowFleetOverride").Return(tc.featureEnable)
+
+			log, _ := loggertest.New(t.Name())
+
+			cfg, err := config.LoadFile(filepath.Join(".", "coordinator", "testdata", "config.yaml"))
+			require.NoError(t, err)
+
+			configChange := &mockConfigChange{
+				c: cfg,
+			}
+
+			patcher := PatchFleetConfig(log, rawConfig, caps, tc.isManaged)
+			patcher(configChange)
+
+			c := &configuration.Configuration{}
+			require.NoError(t, cfg.Agent.Unpack(&c))
+			assert.Equal(t, tc.expectedLogs, c.Settings.MonitoringConfig.MonitorLogs)
+			require.True(t, c.Settings.MonitoringConfig.MonitorMetrics)
+			require.True(t, c.Settings.MonitoringConfig.Enabled)
+		})
+	}
+}
+
+type mockCapabilities struct {
+	mock.Mock
+}
+
+func (m *mockCapabilities) AllowUpgrade(version string, sourceURI string) bool {
+	args := m.Called(version, sourceURI)
+	return args.Bool(0)
+}
+
+func (m *mockCapabilities) AllowInput(name string) bool {
+	args := m.Called()
+	return args.Bool(0)
+}
+
+func (m *mockCapabilities) AllowOutput(name string) bool {
+	args := m.Called()
+	return args.Bool(0)
+}
+
+func (m *mockCapabilities) AllowFleetOverride() bool {
+	args := m.Called()
+	return args.Bool(0)
+}

internal/pkg/capabilities/capabilities.go

@@ -19,13 +19,15 @@ type Capabilities interface {
 	AllowUpgrade(version string, sourceURI string) bool
 	AllowInput(name string) bool
 	AllowOutput(name string) bool
+	AllowFleetOverride() bool
 }
 
 type capabilitiesManager struct {
-	log          *logger.Logger
-	inputChecks  []*stringMatcher
-	outputChecks []*stringMatcher
-	upgradeCaps  []*upgradeCapability
+	log               *logger.Logger
+	inputChecks       []*stringMatcher
+	outputChecks      []*stringMatcher
+	upgradeCaps       []*upgradeCapability
+	fleetOverrideCaps []*fleetOverrideCapability
 }
 
 func (cm *capabilitiesManager) AllowInput(inputType string) bool {
@@ -40,6 +42,10 @@ func (cm *capabilitiesManager) AllowUpgrade(version string, uri string) bool {
 	return allowUpgrade(cm.log, version, uri, cm.upgradeCaps)
 }
 
+func (cm *capabilitiesManager) AllowFleetOverride() bool {
+	return allowFleetOverride(cm.log, cm.fleetOverrideCaps)
+}
+
 func LoadFile(capsFile string, log *logger.Logger) (Capabilities, error) {
 	// load capabilities from file
 	fd, err := os.Open(capsFile)
@@ -68,8 +74,10 @@ func Load(capsReader io.Reader, log *logger.Logger) (Capabilities, error) {
 	caps := spec.Capabilities
 
 	return &capabilitiesManager{
-		inputChecks:  caps.inputChecks,
-		outputChecks: caps.outputChecks,
-		upgradeCaps:  caps.upgradeChecks,
+		log:               log,
+		inputChecks:       caps.inputChecks,
+		outputChecks:      caps.outputChecks,
+		upgradeCaps:       caps.upgradeChecks,
+		fleetOverrideCaps: caps.fleetOverrideChecks,
 	}, nil
 }

internal/pkg/capabilities/fleet_override.go

@@ -0,0 +1,42 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+package capabilities
+
+import "github.com/elastic/elastic-agent/pkg/core/logger"
+
+type fleetOverrideCapability struct {
+	// Whether a successful condition check lets an upgrade proceed or blocks it
+	rule allowOrDeny
+}
+
+func newFleetOverrideCapability(rule allowOrDeny) *fleetOverrideCapability {
+	return &fleetOverrideCapability{
+		rule: rule,
+	}
+}
+
+func allowFleetOverride(
+	log *logger.Logger,
+	fleetOverrideCaps []*fleetOverrideCapability,
+) bool {
+	// first match wins
+	for _, cap := range fleetOverrideCaps {
+		if cap == nil {
+			// being defensive here, should not happen
+			continue
+		}
+
+		switch cap.rule {
+		case ruleTypeAllow:
+			log.Debugf("Fleet override allowed by capability")
+			return true
+		case ruleTypeDeny:
+			log.Debugf("Fleet override denied by capability")
+			return false
+		}
+	}
+	// No matching capability found, disable by default
+	return false
+}

internal/pkg/capabilities/spec.go

@@ -13,9 +13,10 @@ import (
 // capabilitiesList deserializes a YAML list of capabilities into organized
 // arrays based on their type, for easy use by capabilitiesManager.
 type capabilitiesList struct {
-	inputChecks   []*stringMatcher
-	outputChecks  []*stringMatcher
-	upgradeChecks []*upgradeCapability
+	inputChecks         []*stringMatcher
+	outputChecks        []*stringMatcher
+	upgradeChecks       []*upgradeCapability
+	fleetOverrideChecks []*fleetOverrideCapability
 }
 
 // a type for capability values that must equal "allow" or "deny", enforced
@@ -81,6 +82,15 @@ func (r *capabilitiesList) UnmarshalYAML(unmarshal func(interface{}) error) erro
 				return err
 			}
 			r.upgradeChecks = append(r.upgradeChecks, cap)
+		} else if _, found = mm["fleet_override"]; found {
+			spec := struct {
+				Type allowOrDeny `yaml:"rule"`
+			}{}
+			if err := yaml.Unmarshal(partialYaml, &spec); err != nil {
+				return err
+			}
+			cap := newFleetOverrideCapability(spec.Type)
+			r.fleetOverrideChecks = append(r.fleetOverrideChecks, cap)
 		} else {
 			return fmt.Errorf("unexpected capability type for definition number '%d'", i)
 		}