Add OTel collector properties to policy schema (#5169)

Support provisioning of OTel collector configuration for hybrid agents.

Add the OTel collector properties to the policy models and the OpenAPI
schema, so they can be received and forwarded to agents. Include logic
to clone the new fields in the model, and add a basic integration test.

Author: jsoriano

changelog/fragments/1756122604-Add-OTel-collector-properties-to-policy-schema.yaml

@@ -0,0 +1,34 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: Add OTel collector properties to policy schema
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: |
+  Add OTel collector properties to the policy schema. This way policies defined in Fleet that include
+  this data are forwarded to agents.
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: fleet-server
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/fleet-server/pull/5169
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/fleet-server/issues/5241

internal/pkg/api/openapi.gen.go

@@ -6,6 +6,7 @@ package model
 
 import (
 	"maps"
+	"slices"
 	"time"
 )
 
@@ -92,21 +93,46 @@ func ClonePolicyData(d *PolicyData) *PolicyData {
 		OutputPermissions: d.OutputPermissions,
 		Outputs:           cloneMap(d.Outputs),
 		Revision:          d.Revision,
-		SecretReferences:  make([]SecretReferencesItems, 0, len(d.SecretReferences)),
+		SecretReferences:  slices.Clone(d.SecretReferences),
+
+		// OTel config.
+		Connectors: maps.Clone(d.Connectors),
+		Exporters:  maps.Clone(d.Exporters),
+		Extensions: maps.Clone(d.Extensions),
+		Processors: maps.Clone(d.Processors),
+		Receivers:  maps.Clone(d.Receivers),
 	}
 	for _, m := range d.Inputs {
 		res.Inputs = append(res.Inputs, maps.Clone(m))
 	}
-	res.SecretReferences = append(res.SecretReferences, d.SecretReferences...)
 	if d.Signed != nil {
 		res.Signed = &Signed{
 			Data:      d.Signed.Data,
 			Signature: d.Signed.Signature,
 		}
 	}
+	if d.Service != nil {
+		res.Service = cloneOTelService(d.Service)
+	}
 	return res
 }
 
+func cloneOTelService(s *Service) *Service {
+	var clone Service
+	clone.Extensions = slices.Clone(s.Extensions)
+	if len(s.Pipelines) > 0 {
+		clone.Pipelines = make(map[string]*PipelinesItem)
+		for id, pipeline := range s.Pipelines {
+			clone.Pipelines[id] = &PipelinesItem{
+				Exporters:  slices.Clone(pipeline.Exporters),
+				Processors: slices.Clone(pipeline.Processors),
+				Receivers:  slices.Clone(pipeline.Receivers),
+			}
+		}
+	}
+	return &clone
+}
+
 // cloneMap does a deep copy on a map of objects
 // TODO generics?
 func cloneMap(m map[string]map[string]interface{}) map[string]map[string]interface{} {

internal/pkg/model/ext.go

@@ -97,6 +97,7 @@ func NewParsedPolicy(ctx context.Context, bulker bulk.Bulk, p model.Policy) (*Pa
 		Inputs:     policyInputs,
 		SecretKeys: secretKeys,
 	}
+
 	if trace := apm.TransactionFromContext(ctx); trace != nil {
 		// Pass current transaction link (should be a monitor transaction) to caller (likely a client request).
 		tCtx := trace.TraceContext()

internal/pkg/model/schema.go

@@ -1673,3 +1673,112 @@ func Test_SmokeTest_AuditUnenroll(t *testing.T) {
 	cancel()
 	srv.waitExit() //nolint:errcheck // test case
 }
+
+func TestCheckinOTelColPolicy(t *testing.T) {
+	ctx, cancel := context.WithCancel(t.Context())
+	defer cancel()
+
+	idSuffix := uuid.Must(uuid.NewV4()).String()
+	componentID := func(id string) string {
+		return fmt.Sprintf("%s/%s", id, idSuffix)
+	}
+	policyData := model.PolicyData{
+		Outputs: map[string]map[string]interface{}{
+			"default": {
+				"type": "elasticsearch",
+			},
+		},
+		OutputPermissions: json.RawMessage(`{"default": {}}`),
+		Inputs:            []map[string]any{},
+		Receivers: map[string]any{
+			componentID("somereceiver"): map[string]any{},
+		},
+		Processors: map[string]any{
+			componentID("someprocessor"): map[string]any{},
+		},
+		Connectors: map[string]any{
+			componentID("forward"): map[string]any{},
+		},
+		Exporters: map[string]any{
+			componentID("someexporter"): map[string]any{},
+		},
+		Service: &model.Service{
+			Pipelines: map[string]*model.PipelinesItem{
+				componentID("metrics"): &model.PipelinesItem{
+					Receivers:  []string{componentID("somereceiver")},
+					Processors: []string{componentID("someprocessor")},
+					Exporters:  []string{componentID("forward")},
+				},
+				"metrics": &model.PipelinesItem{
+					Receivers: []string{componentID("forward")},
+					Exporters: []string{componentID("someexporter")},
+				},
+			},
+		},
+	}
+
+	// Start test server
+	srv, err := startTestServer(t, ctx, policyData)
+	require.NoError(t, err)
+	ctx = testlog.SetLogger(t).WithContext(ctx)
+
+	cli := cleanhttp.DefaultClient()
+	// enroll an agent
+	t.Log("Enroll an agent")
+	req, err := http.NewRequestWithContext(ctx, "POST", srv.buildURL("", "enroll"), strings.NewReader(enrollBody))
+	require.NoError(t, err)
+	req.Header.Set("Authorization", "ApiKey "+srv.enrollKey)
+	req.Header.Set("User-Agent", "elastic agent "+serverVersion)
+	req.Header.Set("Content-Type", "application/json")
+	res, err := cli.Do(req)
+	require.NoError(t, err)
+
+	require.Equal(t, http.StatusOK, res.StatusCode)
+	t.Log("Agent enrollment successful")
+	p, _ := io.ReadAll(res.Body)
+	res.Body.Close()
+	var obj map[string]interface{}
+	err = json.Unmarshal(p, &obj)
+	require.NoError(t, err)
+
+	item := obj["item"]
+	mm, ok := item.(map[string]interface{})
+	require.True(t, ok, "expected attribute item to be an object")
+	agentID, ok := mm["id"].(string)
+	require.True(t, ok, "expected attribute id to be a string")
+
+	apiKey, ok := mm["access_api_key"].(string)
+	require.True(t, ok, "expected attribute apiKey to be a string")
+
+	// checkin
+	t.Logf("Fake a checkin for agent %s", agentID)
+	req, err = http.NewRequestWithContext(ctx, "POST", srv.buildURL(agentID, "checkin"), strings.NewReader(checkinBody))
+	require.NoError(t, err)
+	req.Header.Set("Authorization", "ApiKey "+apiKey)
+	req.Header.Set("User-Agent", "elastic agent "+serverVersion)
+	req.Header.Set("Content-Type", "application/json")
+	res, err = cli.Do(req)
+	require.NoError(t, err)
+	defer res.Body.Close()
+
+	require.Equal(t, http.StatusOK, res.StatusCode)
+	t.Log("Checkin successful, verify body")
+	p, err = io.ReadAll(res.Body)
+	require.NoError(t, err)
+
+	err = json.Unmarshal(p, &obj)
+	require.NoError(t, err)
+
+	actionsRaw, ok := obj["actions"]
+	require.True(t, ok, "expected actions is missing")
+	actions, ok := actionsRaw.([]interface{})
+	require.True(t, ok, "expected actions to be an array")
+	require.Greater(t, len(actions), 0, "expected at least 1 action")
+	action, ok := actions[0].(map[string]interface{})
+	require.True(t, ok, "expected action to be an object")
+	_, ok = action["id"].(string)
+	require.True(t, ok, "expected action id to be string")
+	aAgentID, ok := action["agent_id"].(string)
+	require.True(t, ok, "expected action agent_id to be string")
+	require.Equal(t, agentID, aAgentID)
+}