[verifier_otel] Make policy_id, policy_name, package_policy_id multi:true#19965
[verifier_otel] Make policy_id, policy_name, package_policy_id multi:true#19965seanrathier wants to merge 12 commits into
Conversation
Make `policy_id`, `policy_name`, and `package_policy_id` `multi: true` in `manifest.yml`, positionally aligned with `policy_templates`, so a single verifier_otel package policy can carry per-target-integration values. Update `input.yml.hbs` to iterate the parallel arrays by index and emit one `policies[]` entry per target integration, each with exactly one `integrations[]` entry. `policy_id` may repeat across entries when target integrations share an agent policy. Bumps version 0.0.1 -> 0.0.2 and updates policy/system test fixtures to the new array-valued shape (the policy fixture now exercises two targets sharing a `policy_id` with distinct `package_policy_id`s). Refs elastic/security-team#17149 Parent epic elastic/security-team#16847 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…hange Per-target `package_policy_id` is delivered by Kibana creating one verifier_otel package policy per target integration, not by carrying parallel arrays in a single package policy. So `input.yml.hbs` and the test fixtures stay unchanged. Only `manifest.yml` flips `policy_id`, `policy_name`, and `package_policy_id` to `multi: true`. Changelog collapsed to a single one-sentence entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Net diff vs main is now: three `multi: false` -> `multi: true` flips on `policy_id`, `policy_name`, and `package_policy_id`, plus the 0.0.1 -> 0.0.2 version bump and one-line changelog entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`multi: false` -> `multi: true` is a value-set widening: every input the field previously accepted is still accepted, and Fleet auto-coerces saved scalar values to single-element arrays on upgrade. The template and fixtures are unchanged so rendered output is byte-identical for existing single-target deployments. No user action is required, which is the signature of `enhancement` rather than `breaking-change`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… var Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… receiver shape Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…t arrays Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
✅ Elastic Docs Style Checker (Vale)No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
TL;DRThe Remediation
Investigation detailsRoot CauseThis is a changelog-link configuration failure in the PR diff. The PR adds two The verifier package step is classified as inconclusive from available data: Evidence
Verification
Follow-up
What is this? | From workflow: PR Buildkite Detective Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. |
…olicy compiler output Bumping conditions.kibana.version to ^9.5.0 changed which Kibana version CI tests against (9.5.0-SNAPSHOT, resolved as the oldest version satisfying the constraint). That version's OTel agent-policy compiler assigns a component ID to the generic forward connector/pipeline too, shifting our receiver's pipeline from componentid-0 to componentid-1, and adds nil-guards to the transform processor's set() statements. The policies: payload itself is unchanged. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
The original PR (elastic#18786) was superseded by elastic#19965 after a rebase to resolve conflicts with main. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
|
✅ All changelog entries have the correct PR link. |
💚 Build Succeeded
History
cc @seanrathier |
Update
mainto resolve merge conflicts (main had already shippedverifier_otel0.1.0 for an unrelated change).verifier_otelto0.2.0and consolidates the changelog entries for this change under that version.policy_id,policy_name, andpackage_policy_idmulti: true, and requires Kibana^9.5.0.Supersedes #18786 due to a fork push permission issue — original author is @Omolola-Akinleye.
Summary
Implements elastic/security-team#17149 (parent epic #16847).
Each verification log emitted by the OTel verifier must carry the integration's
package_policy.idso Fleet background task can aggregate verifier logs by package-policy instance. Today,policy_id,policy_name, andpackage_policy_idaremulti: false, which prevents the package manifest from multiple package policy id values when needed. We need to associate multiple permissions by package policy id(integration).This PR flips those three fields to
multi: trueinmanifest.yml. Per-target distribution itself is delivered by Kibana, which creates oneverifier_otelpackage policy per target integration; soinput.yml.hbsand the test fixtures are intentionally unchanged.Changes
packages/verifier_otel/manifest.ymlpolicy_id,policy_name,package_policy_idflipped tomulti: true.policy_templates.0.1.0→0.2.0.multi: false:package_name,package_title,package_version,identity_federation_id,identity_federation_name,verification_id,verification_type,provider,account_type, allcredentials_*.packages/verifier_otel/changelog.yml—0.2.0entry added.Test plan
elastic-package lint— passes.elastic-package check— package builds (verifier_otel-0.1.0.zip).elastic-package test static— passes.elastic-package test policy— to be confirmed in CI.