Skip to content

Adding test for enrolling local FIPS agent into ECH FIPS Fleet Server #8197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Adding test for enrolling local FIPS agent into ECH FIPS Fleet Server #8197

wants to merge 2 commits into from

Conversation

ycombinator
Copy link
Contributor

⚠️ Currently blocked on https://github.com/elastic/ingest-dev/issues/5264 and #8035 for CI being able to actually run these tests on a FIPS-configured VM. ⚠️

What does this PR do?

This PR adds an integration test that a) enrolls a locally-built FIPS-capable Elastic Agent into a FIPS-capable Fleet Server running in ECH, b) adds the system integration to that Agent's policy, and c) ensures that data from the system integration shows up in Elasticsearch.

Why is it important?

This test proves that it's possible for a local (on-prem) FIPS-capable Elastic Agent to enroll into a FIPS-capable Fleet Server (aka Integrations Server) running in EC; while also exercising the connection between Fleet and the Elastic Package Registry (EPR) by installing the system integration; and also ensuring that the data path from Agent to Elasticsearch works as well.

Checklist

  • I have read and understood the pull request guidelines of this project.
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

Disruptive User Impact

None; this PR adds an integration test.

@mergify Mergify
Copy link
Contributor

mergify bot commented May 20, 2025

This pull request does not have a backport label. Could you fix it @ycombinator? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@ycombinator ycombinator added skip-changelog Testing backport-8.19 Automated backport to the 8.19 branch Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels May 20, 2025
@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

@elasticmachine
Copy link
Contributor

elasticmachine commented May 21, 2025
edited
Loading

💔 Build Failed

Failed CI Steps

History

cc @ycombinator

@ycombinator ycombinator marked this pull request as ready for review May 21, 2025 18:31
@ycombinator ycombinator requested a review from a team as a code owner May 21, 2025 18:31
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

simitt
simitt reviewed May 22, 2025
View reviewed changes
testing/integration/enroll_fips_test.go
ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
defer cancel()

policyResp, _, err := tools.InstallAgentWithPolicy(ctx, t, installOpts, fixture, info.KibanaClient, basePolicy)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is the part that defines this enrollment to happen to the Fleet Server as part of the Integrations Server on ECH? I checked the code and understand it is enrolling to the default Fleet Server, but I don't easily spot where the connection to Integrations Server is made.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simitt simitt simitt left review comments

@michel-laterman michel-laterman Awaiting requested review from michel-laterman michel-laterman is a code owner automatically assigned from elastic/elastic-agent-control-plane

@swiatekm swiatekm Awaiting requested review from swiatekm swiatekm is a code owner automatically assigned from elastic/elastic-agent-control-plane

At least 1 approving review is required to merge this pull request.

Assignees

@ycombinator ycombinator

Labels
backport-8.19 Automated backport to the 8.19 branch skip-changelog Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team Testing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ycombinator @elasticmachine @simitt