Merged

catalog-info.yaml

@@ -114,7 +114,7 @@ apiVersion: backstage.io/v1alpha1
 kind: Resource
 metadata:
   name: buildkite-pipeline-elastic-agent-testing-bk
-  description: Buildkite pipeline for the Elastic Agent extended testing
+  description: Elastic Agent extended testing using buildkite agents
   links:
     - title: Pipeline
       url: https://buildkite.com/elastic/elastic-agent-extended-testing-bk

changelog/fragments/1727453779-inspect-command-will-redact-secret_paths-in-policy.yaml

@@ -0,0 +1,34 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: inspect command will redact secret_paths in policy
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: |
+  The elastic-agent inspect command will now redact any secret values when displaying output.
+  The keys that are redacted are expected to be defined in the "secret_paths" attribute.
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component:
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234

docs/elastic-agent-logging.md

@@ -77,5 +77,5 @@ receives.
 
 ## Total footprint
 Given the two log outputs and their default log rotation policies, the
-Elastic-Agent needs about 210Mb (20Mb x 7 + 10Mb + 7 = 210Mb) of disk
+Elastic-Agent needs about 210Mb (20Mb x 7 + 10Mb x 7 = 210Mb) of disk
 for logging.

internal/pkg/agent/cmd/inspect.go

@@ -28,6 +28,7 @@ import (
 	"github.com/elastic/elastic-agent/internal/pkg/cli"
 	"github.com/elastic/elastic-agent/internal/pkg/config"
 	"github.com/elastic/elastic-agent/internal/pkg/config/operations"
+	"github.com/elastic/elastic-agent/internal/pkg/diagnostics"
 	"github.com/elastic/elastic-agent/pkg/component"
 	"github.com/elastic/elastic-agent/pkg/core/logger"
 	"github.com/elastic/elastic-agent/pkg/utils"
@@ -235,7 +236,7 @@ func inspectConfig(ctx context.Context, cfgPath string, opts inspectConfigOpts,
 }
 
 func printMapStringConfig(mapStr map[string]interface{}, streams *cli.IOStreams) error {
-	data, err := yaml.Marshal(mapStr)
+	data, err := yaml.Marshal(diagnostics.RedactSecretPaths(mapStr, streams.Err))
 	if err != nil {
 		return errors.New(err, "could not marshal to YAML")
 	}

internal/pkg/agent/cmd/run.go

@@ -627,7 +627,7 @@ func initTracer(agentName, version string, mcfg *monitoringCfg.MonitoringConfig)
 		defer os.Unsetenv(envCACert)
 	}
 	if cfg.SamplingRate != nil {
-		os.Setenv(envSampleRate, strconv.FormatFloat(float64(*cfg.SamplingRate), 'b', -1, 32))
+		os.Setenv(envSampleRate, strconv.FormatFloat(float64(*cfg.SamplingRate), 'f', -1, 32))
 		defer os.Unsetenv(envSampleRate)
 	}
 

internal/pkg/agent/cmd/run_test.go

@@ -0,0 +1,95 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+package cmd
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	monitoringCfg "github.com/elastic/elastic-agent/internal/pkg/core/monitoring/config"
+)
+
+func Test_initTracer(t *testing.T) {
+	tenPercentSamplingRate := float32(0.1)
+
+	type args struct {
+		agentName string
+		version   string
+		mcfg      *monitoringCfg.MonitoringConfig
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    assert.ValueAssertionFunc // value assertion for *apm.Tracer returned by initTracer
+		wantErr assert.ErrorAssertionFunc
+	}{
+		{
+			name: "monitoring config disabled",
+			args: args{
+				agentName: "testagent",
+				version:   "1.2.3",
+				mcfg: &monitoringCfg.MonitoringConfig{
+					Enabled: false,
+				},
+			},
+			want:    assert.Nil,
+			wantErr: assert.NoError,
+		},
+		{
+			name: "monitoring config enabled but traces disabled",
+			args: args{
+				agentName: "testagent",
+				version:   "1.2.3",
+				mcfg: &monitoringCfg.MonitoringConfig{
+					Enabled:       true,
+					MonitorTraces: false,
+				},
+			},
+			want:    assert.Nil,
+			wantErr: assert.NoError,
+		},
+		{
+			name: "traces enabled, no TLS",
+			args: args{
+				agentName: "testagent",
+				version:   "1.2.3",
+				mcfg: &monitoringCfg.MonitoringConfig{
+					Enabled:       true,
+					MonitorTraces: true,
+					APM: monitoringCfg.APMConfig{
+						Environment: "unit-test",
+						APIKey:      "api-key",
+						SecretToken: "secret-token",
+						Hosts:       []string{"localhost:8888"},
+						GlobalLabels: map[string]string{
+							"k1": "v1",
+							"k2": "v2",
+						},
+						TLS:          monitoringCfg.APMTLS{},
+						SamplingRate: &tenPercentSamplingRate,
+					},
+				},
+			},
+			want:    assert.NotNil,
+			wantErr: assert.NoError,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := initTracer(tt.args.agentName, tt.args.version, tt.args.mcfg)
+			if got != nil {
+				t.Cleanup(func() {
+					got.Close()
+				})
+			}
+			if !tt.wantErr(t, err, fmt.Sprintf("initTracer(%v, %v, %v)", tt.args.agentName, tt.args.version, tt.args.mcfg)) {
+				return
+			}
+			tt.want(t, got, "initTracer(%v, %v, %v)", tt.args.agentName, tt.args.version, tt.args.mcfg)
+		})
+	}
+}

internal/pkg/diagnostics/diagnostics.go

@@ -20,10 +20,12 @@ import (
 	"time"
 
 	"github.com/elastic/elastic-agent/pkg/control/v2/client"
+	"github.com/elastic/go-ucfg"
 
 	"gopkg.in/yaml.v3"
 
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/paths"
+	"github.com/elastic/elastic-agent/internal/pkg/config"
 	"github.com/elastic/elastic-agent/internal/pkg/release"
 	"github.com/elastic/elastic-agent/pkg/component"
 	"github.com/elastic/elastic-agent/version"
@@ -570,3 +572,39 @@ func saveLogs(name string, logPath string, zw *zip.Writer) error {
 
 	return nil
 }
+
+// RedactSecretPaths will check the passed mapStr input for a secret_paths attribute.
+// If found it will replace the value for every key in the paths list with <REDACTED> and return the resulting map.
+// Any issues or errors will be written to the errOut writer.
+func RedactSecretPaths(mapStr map[string]any, errOut io.Writer) map[string]any {
+	v, ok := mapStr["secret_paths"]
+	if !ok {
+		fmt.Fprintln(errOut, "No output redaction: secret_paths attribute not found.")
+		return mapStr
+	}
+	arr, ok := v.([]interface{})
+	if !ok {
+		fmt.Fprintln(errOut, "No output redaction: secret_paths attribute is not a list.")
+		return mapStr
+	}
+	cfg := ucfg.MustNewFrom(mapStr)
+	for _, v := range arr {
+		key, ok := v.(string)
+		if !ok {
+			fmt.Fprintf(errOut, "No output redaction for %q: expected type string, is type %T.\n", v, v)
+			continue
+		}
+
+		if ok, _ := cfg.Has(key, -1, ucfg.PathSep(".")); ok {
+			err := cfg.SetString(key, -1, REDACTED, ucfg.PathSep("."))
+			if err != nil {
+				fmt.Fprintf(errOut, "No output redaction for %q: %v.\n", key, err)
+			}
+		}
+	}
+	result, err := config.MustNewConfigFrom(cfg).ToMapStr()
+	if err != nil {
+		return mapStr
+	}
+	return result
+}