Enable the Cloud Security Posture Kibana plugin (#767)

* add to kibana.yml

* remove newline

* add 80 config file

* fix license

* use symlinks

* Revert "use symlinks"

This reverts commit 1faa0bd.

* virtual files

* use semver

* fix static

* retrigger stuck CI

* add configuration variant map

* use old semver

* fix static check

Author: eyalkraft

internal/profile/_static/kibana_config_80.yml

@@ -0,0 +1,46 @@
+server.name: kibana
+server.host: "0.0.0.0"
+
+elasticsearch.hosts: [ "http://elasticsearch:9200" ]
+elasticsearch.serviceAccountToken: "AAEAAWVsYXN0aWMva2liYW5hL2VsYXN0aWMtcGFja2FnZS1raWJhbmEtdG9rZW46b2x4b051SWNRa0tYMHdXazdLWmFBdw"
+
+monitoring.ui.container.elasticsearch.enabled: true
+
+xpack.fleet.registryUrl: "http://package-registry:8080"
+xpack.fleet.agents.enabled: true
+xpack.fleet.agents.elasticsearch.hosts: ["http://elasticsearch:9200"]
+xpack.fleet.agents.fleet_server.hosts: ["http://fleet-server:8220"]
+
+xpack.encryptedSavedObjects.encryptionKey: "12345678901234567890123456789012"
+
+xpack.fleet.packages:
+  - name: system
+    version: latest
+  - name: elastic_agent
+    version: latest
+  - name: fleet_server
+    version: latest
+xpack.fleet.agentPolicies:
+  - name: Elastic-Agent (elastic-package)
+    id: elastic-agent-managed-ep
+    is_default: true
+    is_managed: false
+    namespace: default
+    monitoring_enabled:
+      - logs
+      - metrics
+    package_policies:
+      - name: system-1
+        id: default-system
+        package:
+          name: system
+  - name: Fleet Server (elastic-package)
+    id: fleet-server-policy
+    is_default_fleet_server: true
+    is_managed: false
+    namespace: default
+    package_policies:
+      - name: fleet_server-1
+        id: default-fleet-server
+        package:
+          name: fleet_server

internal/profile/_static/kibana_config_8x.yml

@@ -13,6 +13,8 @@ xpack.fleet.agents.fleet_server.hosts: ["http://fleet-server:8220"]
 
 xpack.encryptedSavedObjects.encryptionKey: "12345678901234567890123456789012"
 
+xpack.cloudSecurityPosture.enabled: true
+
 xpack.fleet.packages:
   - name: system
     version: latest

internal/profile/profile.go

@@ -38,10 +38,13 @@ type configFile string
 var managedProfileFiles = map[configFile]NewConfig{
 	ElasticAgentDefaultEnvFile:     newElasticAgentDefaultEnv,
 	ElasticAgent8xEnvFile:          newElasticAgent8xEnv,
+	ElasticAgent80EnvFile:          newElasticAgent80Env,
 	ElasticsearchConfigDefaultFile: newElasticsearchConfigDefault,
 	ElasticsearchConfig8xFile:      newElasticsearchConfig8x,
+	ElasticsearchConfig80File:      newElasticsearchConfig80,
 	KibanaConfigDefaultFile:        newKibanaConfigDefault,
 	KibanaConfig8xFile:             newKibanaConfig8x,
+	KibanaConfig80File:             newKibanaConfig80,
 	PackageRegistryDockerfileFile:  newPackageRegistryDockerfile,
 	PackageRegistryConfigFile:      newPackageRegistryConfig,
 	SnapshotFile:                   newSnapshotFile,

internal/profile/static.go

@@ -53,6 +53,20 @@ func newKibanaConfig8x(_ string, profilePath string) (*simpleFile, error) {
 	}, nil
 }
 
+// KibanaConfig80File is the Kibana config file for 8.0 stack family (8.0 to 8.1)
+const KibanaConfig80File configFile = "kibana.config.80.yml"
+
+//go:embed _static/kibana_config_80.yml
+var kibanaConfig80Yml string
+
+func newKibanaConfig80(_ string, profilePath string) (*simpleFile, error) {
+	return &simpleFile{
+		name: string(KibanaConfig80File),
+		path: filepath.Join(profilePath, profileStackPath, string(KibanaConfig80File)),
+		body: kibanaConfig80Yml,
+	}, nil
+}
+
 // ElasticsearchConfigDefaultFile is the default Elasticsearch config file
 const ElasticsearchConfigDefaultFile configFile = "elasticsearch.config.default.yml"
 
@@ -81,6 +95,18 @@ func newElasticsearchConfig8x(_ string, profilePath string) (*simpleFile, error)
 	}, nil
 }
 
+// ElasticsearchConfig80File is the Elasticsearch virtual config file name for 8.0 stack family (8.0 to 8.1)
+// This file does not exist in the source code, since it's identical to the 8x config file.
+const ElasticsearchConfig80File configFile = "elasticsearch.config.80.yml"
+
+func newElasticsearchConfig80(_ string, profilePath string) (*simpleFile, error) {
+	return &simpleFile{
+		name: string(ElasticsearchConfig80File),
+		path: filepath.Join(profilePath, profileStackPath, string(ElasticsearchConfig80File)),
+		body: elasticsearchConfig8xYml,
+	}, nil
+}
+
 // PackageRegistryConfigFile is the config file for the Elastic Package registry
 const PackageRegistryConfigFile configFile = "package-registry.config.yml"
 
@@ -117,6 +143,18 @@ func newPackageRegistryDockerfile(_ string, profilePath string) (*simpleFile, er
 	}, nil
 }
 
+// ElasticAgent80EnvFile is the .env for the 8.0 stack.
+// This file does not exist in the source code, since it's identical to the 8x env file.
+const ElasticAgent80EnvFile configFile = "elastic-agent.80.env"
+
+func newElasticAgent80Env(_ string, profilePath string) (*simpleFile, error) {
+	return &simpleFile{
+		name: string(ElasticAgent80EnvFile),
+		path: filepath.Join(profilePath, profileStackPath, string(ElasticAgent80EnvFile)),
+		body: elasticAgent8xEnv,
+	}, nil
+}
+
 // ElasticAgent8xEnvFile is the .env for the 8x stack.
 const ElasticAgent8xEnvFile configFile = "elastic-agent.8x.env"
 

internal/stack/variants.go

@@ -6,20 +6,40 @@ package stack
 
 import (
 	"fmt"
-	"strings"
+
+	"github.com/Masterminds/semver"
 )
 
+// configurationVariantMap is a map of version constraints and their matching configuration variant.
+// This map is used to deploy different versions of the Elastic stack with matching configurations.
+var configurationVariantMap = map[string]string{
+	"8.0-0 - 8.1.x-x": "80",
+	"^8.2-0":          "8x",
+}
+
 // stackVariantAsEnv function returns a stack variant based on the given stack version.
-// We identified two variants:
+// We identified three variants:
 // * default, covers all of 7.x branches
-// * 8x, supports different configuration options in Kibana
+// * 80, covers stack versions 8.0.0 to 8.1.x
+// * 8x, supports different configuration options in Kibana, covers stack versions 8.2.0+
 func stackVariantAsEnv(version string) string {
 	return fmt.Sprintf("STACK_VERSION_VARIANT=%s", selectStackVersion(version))
 }
 
 func selectStackVersion(version string) string {
-	if strings.HasPrefix(version, "8.") {
-		return "8x"
+	if v, err := semver.NewVersion(version); err == nil {
+		for constraint, variant := range configurationVariantMap {
+			if checkVersion(v, constraint) {
+				return variant
+			}
+		}
 	}
 	return "default"
 }
+
+func checkVersion(v *semver.Version, constraint string) bool {
+	if constraint, err := semver.NewConstraint(constraint); err == nil {
+		return constraint.Check(v)
+	}
+	return false
+}

internal/stack/variants_test.go

@@ -0,0 +1,53 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package stack
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var tests = []struct {
+	version string
+	variant string
+}{
+	{"", "default"},
+	{"7", "default"},
+	{"7.0.0", "default"},
+	{"7.14.99-SNAPSHOT", "default"},
+	{"8", "80"},
+	{"8-0", "80"},
+	{"8.0.0-alpha", "80"},
+	{"8.0.0", "80"},
+	{"8.0.33", "80"},
+	{"8.0.33-beta", "80"},
+	{"8.1-0", "80"},
+	{"8.1", "80"},
+	{"8.1-alpha", "80"},
+	{"8.1.0-alpha", "80"},
+	{"8.1.0", "80"},
+	{"8.1.58", "80"},
+	{"8.1.99-beta", "80"},
+	{"8.1.999-SNAPSHOT", "80"},
+	{"8.2-0", "8x"},
+	{"8.2", "8x"},
+	{"8.2.0-alpha", "8x"},
+	{"8.2.0", "8x"},
+	{"8.2.58", "8x"},
+	{"8.2.99-gamma", "8x"},
+	{"8.2.777-SNAPSHOT+arm64", "8x"},
+	{"8.5", "8x"},
+	{"9", "default"},
+}
+
+func TestSelectStackVersion(t *testing.T) {
+	for _, tt := range tests {
+		t.Run(tt.version, func(t *testing.T) {
+			selected := selectStackVersion(tt.version)
+			assert.Equal(t, tt.variant, selected)
+		})
+	}
+}