Introduce Kibana task to deploy agentless connectors for 9.0

[artem-shelkovnikov]

Closes https://github.com/elastic/search-team/issues/8508

Closes https://github.com/elastic/search-team/issues/8465

Summary

This PR adds a background task for search_connectors plugin. This task checks connector records and agentless package policies and sees if new connector was added/old was deleted, and then adds/deletes package policies for these connectors.

Scenario 1: a new connector was added by a user/API call

User creates an Elastic-managed connector:

Screen.Recording.2024-12-25.at.12.59.14.mov

When the user is done, a package policy is created by this background task:

Screen.Recording.2024-12-25.at.13.00.14.mov

Scenario 2: a connector was deleted by a user/API call

User deletes an Elastic-managed connector:

Screen.Recording.2024-12-25.at.13.21.13.mov

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
• Flaky Test Runner was used on any tests changed
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines

[artem-shelkovnikov]

This was done due to the fact that I needed a create method that depends on a lot of other private/internal methods.

I had to either make the methods public + add here; or I could pass the service itself. Potentially there might be other way, but I'm not familiar enough with Kibana development yet to know, please tell me if there's a better way :)

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[artem-shelkovnikov]

Side-effect of removing the usage of AgentPolicyServiceInterface: interface had getByIDs and implementation has getByIds. I chose the latter to stay, but it's easy to rename implementation to getByIDs. This was mostly done to avoid pinging other code owners that might have used the interface method name.

[artem-shelkovnikov]

For some reason this doesn't work - I never get a policy that has supports_agentless field.

[artem-shelkovnikov]

Using our regular NATIVE_CONNECTOR_DEFINITIONS as a source of truth for connectors that we support. I could theoretically instead list integrations that are branched off connectors-py instead, is it possible/better?

[artem-shelkovnikov]

@elastic/fleet - what's the minimal interval with which we could query fleet package policies (we narrow them with a kuery that only returns our package elastic_connectors?

Can we do 10 seconds? 30 seconds?

[juliaElastic]

If we only query for a certain package, there shouldn't be too many results, so it shouldn't be a problem with scale. I think using 30s sounds fine too, 10s might be too frequent.

[artem-shelkovnikov]

Do we even need to retry, since we run pretty often?

[juliaElastic]

Fleet changes LGTM

[jedrazb]

Great stuff! The changes in the search_connectors plugin LGTM. I have a couple of minor comments regarding naming and one question about hardcoding the package version in the task manager logic.

I’ll defer reviewing the changes in the fleet plugin to the fleet team. EDIT: I see they just approved 🚀

[jedrazb]

do we need this version hardcoded here? The current (latest) version in the integration registry should be def tracked somewhere by fleet, can we look it up in the package registry dynamically?

Context, 0.0.4 is already outdated

[jedrazb]

Maybe code edited in this PR will help? https://github.com/elastic/kibana/pull/192081/files here I was able to access package info and adjust permissions dynamically

[jedrazb]

potential followup: It would be cool if we could force schedule this when e.g. a user creates a new connector. This would limit the wait time for the infrastructure to get deployed.

[artem-shelkovnikov]

Yes! Should be easy, because I already actually schedule this task during plugin startup - doing it again is easy and will require really minor refactoring.

[jedrazb]

🚢

[mikecote]

Taking a quick look here from Response Ops. I was reading the PR description and was wondering if we need to have this task run every 30s indefinitely or if it would be possible to make it event based so it runs after a user creates or deletes a connector? Or perhaps a combo of the two but the schedule runs less frequently?

[pmuellr]

was thinking the same ...

[artem-shelkovnikov]

For now this seemed to us like the best way to move forward:

The task runs and checks if any agentless policies need to be created for our connector records. Connector records can be created in multiple ways:

1. User creates a connector via UI
2. Connector is created automatically by already running agentless connector deployment
3. User creates a connector via API/CLI

Scenario #1 can be done with an event triggered by Kibana UI easily. Scenario #2 does not need this logic. Scenario #3 really needs this task - our CLI doesn't have access to Task Manager + our API is hosted in Elasticsearch, and Elasticsearch also has no way to affect this task run time.

This way we've taken current approach with polling every 30 seconds (a minute should be fine too), plus the task itself queries reasonably small amount of data, I believe, for it hopefully not to be too problematic.

[pmuellr]

The GenAI connectors have a similar sort of constraint, where something in Kibana wants to know when connectors get created / updated / deleted. Added in #189027

That PR originally contained some connector logic for the new "hooks", but we extracted that and restructured into a stand-alone PR: #194081 , rather than ship the two pieces together.

So, in theory case 3 can be handled this way.

Looking at those PRs, I'm also wondering if you need to handle the case of connectors being updated / deleted ...

[artem-shelkovnikov]

I've skimmed through. the change but don't understand how it handles case 3 - we have customer calling Elasticsearch API directly, Kibana is not involved in this.

So we cannot have hooks attached to this call, all we can do is poll the content of a couple indices to see if changes were made. Am I missing some detail in the mentioned PR that works around this limitation?

Connector update is not important for us, but deletion is also handled in this PR

[pmuellr]

Oh, these aren't alerting connectors? These are "search" connectors? If so, you're correct, completely different "connector" framework I was talking about (I was talking about the alerting connectors).

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 75b22f7

Failed CI Steps

• FTR Configs #22
• Post-Build

Test Failures

• [job] [logs] FTR Configs #22 / Index Management app Index Management: index templates tab Index template tab "after each" hook for "can create an index template with data retention"
• [job] [logs] FTR Configs #22 / Index Management app Index Management: index templates tab Index template tab can create an index template with data retention

Metrics [docs]

‼️ ERROR: no builds found for mergeBase sha [69cb966]

History

• 💔 Build #264260 failed 0f4db80
• 💚 Build #263964 succeeded b96ec2e
• 💛 Build #263775 was flaky 898020b
• 💚 Build #263434 succeeded e6e96b8
• 💔 Build #263422 failed ee087ba

[pmuellr]

ResponseOps code LGTM, left a few comments

[pmuellr]

Setting this to the largest value you are willing to live with, will be helpful to Kibana's task throughput :-)

I believe a comment in the PR indicated it could be set to "1m" which would cut down the executions by 50% (useful!)

[pmuellr]

Note that if you want to have the cancel actually stop the task from running, you'll have to do a bit more. This function is invoked when TM decides the task needs to be cancelled (running longer than it's time limit). The basic idea is you set a local indicating you've been cancelled, and then can check that in the run() method. Example here:

kibana/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/task/field_retention_enrichment_task.ts

Lines 250 to 279 in 0e13d86

	const createTaskRunnerFactory =
	({
	logger,
	telemetry,
	executeEnrichPolicy,
	getStoreSize,
	}: {
	logger: Logger;
	telemetry: AnalyticsServiceSetup;
	executeEnrichPolicy: ExecuteEnrichPolicy;
	getStoreSize: GetStoreSize;
	}) =>
	({ taskInstance }: { taskInstance: ConcreteTaskInstance }) => {
	let cancelled = false;
	const isCancelled = () => cancelled;
	return {
	run: async () =>
	runTask({
	executeEnrichPolicy,
	getStoreSize,
	isCancelled,
	logger,
	taskInstance,
	telemetry,
	}),
	cancel: async () => {
	cancelled = true;
	},
	};
	};

- note that this code doesn't actually seem to use the isCancelled() local function they created - I think it did at one point, must have been removed in another PR ...