[9.0] [Cloud Security] Add upgrade agentless deployment background task (#207143) (#218814)

# Backport

This will backport the following commits from `main` to `9.0`:
- [[Cloud Security] Add upgrade agentless deployment background task
(#207143)](#207143)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT
[{"author":{"name":"Lola","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-02-27T01:56:23Z","message":"[Cloud
Security] Add upgrade agentless deployment background task
(#207143)\n\n## Summary\n\nSummarize your PR. If it involves visual
changes include a screenshot or\ngif.\nThis PR add background task to
upgrade Agentless Deployments after\nKibana Stack has been upgrade in
ESS. Once the Kibana stack upgrades, the task will do following:\n1.
Fetch agentless policies with package policies that have agents\n2.
Check if agentless agents version is upgradeable by use
`semverLT`\nwhich see if current agent version less than latest
available upgrade\nversion and current kibana version\n3. If agent
version is upgradedable, then task will calls Agentless\nUpgrade
Endpoint to upgrade agentless deployment.\n4. Agent should be upgraded
to latest available upgraded
version\n\n\n![image](https://github.com/user-attachments/assets/e1ad05bf-469e-4eb8-bef0-b4e2edcbb0a0)\n\n\n**How
to test PR:**\n\nPrerequisite:\nInstall
[QAF\nTool](https://docs.elastic.dev/appex-qa/qaf/getting-started)\nCreate
EC cloud api key [QAF
Elastic\nCloud](https://docs.elastic.dev/appex-qa/qaf/features/ec-deployments)\n\n1.
Go to Elastic Cloud and Create ESS Deployment in
`8.17.0-SNAPSHOT`\n```qaf elastic-cloud deployments create --environment
production --region gcp-us-west2 --stack-version 8.17.0-SNAPSHOT
--version-validation --deployment-name <DEPLOYMENT_NAME> ```\n2. Create
an Agentless Integration\n3. Upgrade stack to `8.18.0-SNAPSHOT` >
`8.19.0-SNAPSHOT`\n4. Run the following QAF command \n```qaf
elastic-cloud deployments upgrade <DEPLOYMENT_NAME>\n9.1.0-SNAPSHOT
--kb-docker-image\ndocker.elastic.co/kibana-ci/kibana-cloud:9.1.0-SNAPSHOT-5e00106755e7084d1325e784eb27f91db9724c89```\n\n---------\n\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"f8e31e5fcbb28f485e309fbacf9a2aca9f8d3a2c","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","Team:Fleet","release_note:feature","Team:Cloud
Security","backport:prev-minor","ci:cloud-deploy","v9.1.0","v8.19.0","v8.18.1"],"title":"[Cloud
Security] Create upgrade agentless deployment background
task","number":207143,"url":"https://github.com/elastic/kibana/pull/207143","mergeCommit":{"message":"[Cloud
Security] Add upgrade agentless deployment background task
(#207143)\n\n## Summary\n\nSummarize your PR. If it involves visual
changes include a screenshot or\ngif.\nThis PR add background task to
upgrade Agentless Deployments after\nKibana Stack has been upgrade in
ESS. Once the Kibana stack upgrades, the task will do following:\n1.
Fetch agentless policies with package policies that have agents\n2.
Check if agentless agents version is upgradeable by use
`semverLT`\nwhich see if current agent version less than latest
available upgrade\nversion and current kibana version\n3. If agent
version is upgradedable, then task will calls Agentless\nUpgrade
Endpoint to upgrade agentless deployment.\n4. Agent should be upgraded
to latest available upgraded
version\n\n\n![image](https://github.com/user-attachments/assets/e1ad05bf-469e-4eb8-bef0-b4e2edcbb0a0)\n\n\n**How
to test PR:**\n\nPrerequisite:\nInstall
[QAF\nTool](https://docs.elastic.dev/appex-qa/qaf/getting-started)\nCreate
EC cloud api key [QAF
Elastic\nCloud](https://docs.elastic.dev/appex-qa/qaf/features/ec-deployments)\n\n1.
Go to Elastic Cloud and Create ESS Deployment in
`8.17.0-SNAPSHOT`\n```qaf elastic-cloud deployments create --environment
production --region gcp-us-west2 --stack-version 8.17.0-SNAPSHOT
--version-validation --deployment-name <DEPLOYMENT_NAME> ```\n2. Create
an Agentless Integration\n3. Upgrade stack to `8.18.0-SNAPSHOT` >
`8.19.0-SNAPSHOT`\n4. Run the following QAF command \n```qaf
elastic-cloud deployments upgrade <DEPLOYMENT_NAME>\n9.1.0-SNAPSHOT
--kb-docker-image\ndocker.elastic.co/kibana-ci/kibana-cloud:9.1.0-SNAPSHOT-5e00106755e7084d1325e784eb27f91db9724c89```\n\n---------\n\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"f8e31e5fcbb28f485e309fbacf9a2aca9f8d3a2c"}},"sourceBranch":"main","suggestedTargetBranches":["8.18"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/207143","number":207143,"mergeCommit":{"message":"[Cloud
Security] Add upgrade agentless deployment background task
(#207143)\n\n## Summary\n\nSummarize your PR. If it involves visual
changes include a screenshot or\ngif.\nThis PR add background task to
upgrade Agentless Deployments after\nKibana Stack has been upgrade in
ESS. Once the Kibana stack upgrades, the task will do following:\n1.
Fetch agentless policies with package policies that have agents\n2.
Check if agentless agents version is upgradeable by use
`semverLT`\nwhich see if current agent version less than latest
available upgrade\nversion and current kibana version\n3. If agent
version is upgradedable, then task will calls Agentless\nUpgrade
Endpoint to upgrade agentless deployment.\n4. Agent should be upgraded
to latest available upgraded
version\n\n\n![image](https://github.com/user-attachments/assets/e1ad05bf-469e-4eb8-bef0-b4e2edcbb0a0)\n\n\n**How
to test PR:**\n\nPrerequisite:\nInstall
[QAF\nTool](https://docs.elastic.dev/appex-qa/qaf/getting-started)\nCreate
EC cloud api key [QAF
Elastic\nCloud](https://docs.elastic.dev/appex-qa/qaf/features/ec-deployments)\n\n1.
Go to Elastic Cloud and Create ESS Deployment in
`8.17.0-SNAPSHOT`\n```qaf elastic-cloud deployments create --environment
production --region gcp-us-west2 --stack-version 8.17.0-SNAPSHOT
--version-validation --deployment-name <DEPLOYMENT_NAME> ```\n2. Create
an Agentless Integration\n3. Upgrade stack to `8.18.0-SNAPSHOT` >
`8.19.0-SNAPSHOT`\n4. Run the following QAF command \n```qaf
elastic-cloud deployments upgrade <DEPLOYMENT_NAME>\n9.1.0-SNAPSHOT
--kb-docker-image\ndocker.elastic.co/kibana-ci/kibana-cloud:9.1.0-SNAPSHOT-5e00106755e7084d1325e784eb27f91db9724c89```\n\n---------\n\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"f8e31e5fcbb28f485e309fbacf9a2aca9f8d3a2c"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/213134","number":213134,"state":"MERGED","mergeCommit":{"sha":"5b98df8f790c2f9212790c1973b54f19c0d18799","message":"[8.x]
[Cloud Security] Add upgrade agentless deployment background task
(#207143) (#213134)\n\n# Backport\n\nThis will backport the following
commits from `main` to `8.x`:\n- [[Cloud Security] Add upgrade agentless
deployment background
task\n(#207143)](https://github.com/elastic/kibana/pull/207143)\n\n\n\n###
Questions ?\nPlease refer to the [Backport
tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\n---------\n\nCo-authored-by:
kibanamachine
<[email protected]>"}},{"branch":"8.18","label":"v8.18.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

---------

Co-authored-by: Lola <[email protected]>

Author: seanrathier

x-pack/platform/plugins/shared/fleet/common/constants/agentless.ts

@@ -15,6 +15,23 @@ export const AGENTLESS_GLOBAL_TAG_NAME_ORGANIZATION = 'organization';
 export const AGENTLESS_GLOBAL_TAG_NAME_DIVISION = 'division';
 export const AGENTLESS_GLOBAL_TAG_NAME_TEAM = 'team';
 
+export const MAXIMUM_RETRIES = 3;
+
+const HTTP_500_INTERNAL_SERVER_ERROR = 500;
+const HTTP_502_BAD_GATEWAY = 502;
+const HTTP_503_SERVICE_UNAVAILABLE = 503;
+const HTTP_504_GATEWAY_TIMEOUT = 504;
+
+const ECONNREFUSED_CODE = 'ECONNREFUSED';
+
+export const RETRYABLE_HTTP_STATUSES = [
+  HTTP_500_INTERNAL_SERVER_ERROR,
+  HTTP_502_BAD_GATEWAY,
+  HTTP_503_SERVICE_UNAVAILABLE,
+  HTTP_504_GATEWAY_TIMEOUT,
+];
+
+export const RETRYABLE_SERVER_CODES = [ECONNREFUSED_CODE];
 // Allowed output types for agentless integrations
 export const AGENTLESS_ALLOWED_OUTPUT_TYPES = [outputType.Elasticsearch];
 

x-pack/platform/plugins/shared/fleet/common/experimental_features.ts

@@ -11,6 +11,7 @@ const _allowedExperimentalValues = {
   showExperimentalShipperOptions: false,
   useSpaceAwareness: false,
   enableAutomaticAgentUpgrades: false,
+  enabledUpgradeAgentlessDeploymentsTask: false,
 };
 
 /**

x-pack/platform/plugins/shared/fleet/server/errors/index.ts

@@ -65,6 +65,12 @@ export class AgentlessAgentDeleteError extends FleetError {
     super(`Error deleting agentless agent in Fleet, ${message}`);
   }
 }
+
+export class AgentlessAgentUpgradeError extends FleetError {
+  constructor(message: string) {
+    super(`Error upgrading agentless agent in Fleet, ${message}`);
+  }
+}
 export class AgentlessAgentConfigError extends FleetError {
   constructor(message: string) {
     super(`Error validating Agentless API configuration in Fleet, ${message}`);

x-pack/platform/plugins/shared/fleet/server/mocks/index.ts

@@ -140,6 +140,7 @@ export const createAppContextStartContractMock = (
       : {}),
     unenrollInactiveAgentsTask: {} as any,
     deleteUnenrolledAgentsTask: {} as any,
+    updateAgentlessDeploymentsTask: {} as any,
   };
 };
 

x-pack/platform/plugins/shared/fleet/server/plugin.ts

@@ -147,6 +147,7 @@ import { registerUpgradeManagedPackagePoliciesTask } from './services/setup/mana
 import { registerDeployAgentPoliciesTask } from './services/agent_policies/deploy_agent_policies_task';
 import { DeleteUnenrolledAgentsTask } from './tasks/delete_unenrolled_agents_task';
 import { registerBumpAgentPoliciesTask } from './services/agent_policies/bump_agent_policies_task';
+import { UpgradeAgentlessDeploymentsTask } from './tasks/upgrade_agentless_deployment';
 
 export interface FleetSetupDeps {
   security: SecurityPluginSetup;
@@ -198,6 +199,7 @@ export interface FleetAppContext {
   uninstallTokenService: UninstallTokenServiceInterface;
   unenrollInactiveAgentsTask: UnenrollInactiveAgentsTask;
   deleteUnenrolledAgentsTask: DeleteUnenrolledAgentsTask;
+  updateAgentlessDeploymentsTask: UpgradeAgentlessDeploymentsTask;
   taskManagerStart?: TaskManagerStartContract;
   fetchUsage?: (abortController: AbortController) => Promise<FleetUsage | undefined>;
 }
@@ -301,6 +303,7 @@ export class FleetPlugin
   private fleetMetricsTask?: FleetMetricsTask;
   private unenrollInactiveAgentsTask?: UnenrollInactiveAgentsTask;
   private deleteUnenrolledAgentsTask?: DeleteUnenrolledAgentsTask;
+  private updateAgentlessDeploymentsTask?: UpgradeAgentlessDeploymentsTask;
 
   private agentService?: AgentService;
   private packageService?: PackageService;
@@ -648,6 +651,11 @@ export class FleetPlugin
       logFactory: this.initializerContext.logger,
     });
 
+    this.updateAgentlessDeploymentsTask = new UpgradeAgentlessDeploymentsTask({
+      core,
+      taskManager: deps.taskManager,
+      logFactory: this.initializerContext.logger,
+    });
     // Register fields metadata extractors
     registerFieldsMetadataExtractors({ core, fieldsMetadata: deps.fieldsMetadata });
   }
@@ -694,6 +702,7 @@ export class FleetPlugin
       uninstallTokenService,
       unenrollInactiveAgentsTask: this.unenrollInactiveAgentsTask!,
       deleteUnenrolledAgentsTask: this.deleteUnenrolledAgentsTask!,
+      updateAgentlessDeploymentsTask: this.updateAgentlessDeploymentsTask!,
       taskManagerStart: plugins.taskManager,
       fetchUsage: this.fetchUsage,
     });
@@ -704,6 +713,11 @@ export class FleetPlugin
     this.checkDeletedFilesTask?.start({ taskManager: plugins.taskManager }).catch(() => {});
     this.unenrollInactiveAgentsTask?.start({ taskManager: plugins.taskManager }).catch(() => {});
     this.deleteUnenrolledAgentsTask?.start({ taskManager: plugins.taskManager }).catch(() => {});
+
+    this.updateAgentlessDeploymentsTask
+      ?.start({ taskManager: plugins.taskManager })
+      .catch(() => {});
+
     startFleetUsageLogger(plugins.taskManager).catch(() => {});
     this.fleetMetricsTask
       ?.start(plugins.taskManager, core.elasticsearch.client.asInternalUser)

x-pack/platform/plugins/shared/fleet/server/services/agents/agentless_agent.test.ts

@@ -512,6 +512,47 @@ describe('Agentless Agent service', () => {
     );
   });
 
+  it('should upgraded agentless agent for ESS', async () => {
+    const returnValue = {
+      id: 'mocked',
+      regional_id: 'mocked',
+    };
+    (axios as jest.MockedFunction<typeof axios>).mockResolvedValueOnce(returnValue);
+    jest.spyOn(appContextService, 'getConfig').mockReturnValue({
+      agentless: {
+        enabled: true,
+        api: {
+          url: 'http://api.agentless.com',
+          tls: {
+            certificate: '/path/to/cert',
+            key: '/path/to/key',
+            ca: '/path/to/ca',
+          },
+        },
+      },
+    } as any);
+    jest.spyOn(appContextService, 'getCloud').mockReturnValue({ isCloudEnabled: true } as any);
+
+    await agentlessAgentService.upgradeAgentlessDeployment(
+      'mocked-agentless-agent-policy-id',
+      '8.17.0'
+    );
+
+    expect(axios).toHaveBeenCalledTimes(1);
+
+    expect(axios).toHaveBeenCalledWith(
+      expect.objectContaining({
+        headers: expect.anything(),
+        httpsAgent: expect.anything(),
+        method: 'PUT',
+        data: {
+          stack_version: '8.17.0',
+        },
+        url: 'http://api.agentless.com/api/v1/ess/deployments/mocked-agentless-agent-policy-id',
+      })
+    );
+  });
+
   it('should delete agentless agent for serverless', async () => {
     const returnValue = {
       id: 'mocked',