@teresaromero teresaromero commented Sep 26, 2025

What does this PR do?

Add validation for policy templates template_path.

Depending on the type of package, input or integration, the template_path for the policy_template can be found in different locations.

  • In the case of input type, the template_path field under policy_template is required, so if this is empty an error is thrown. If the value exists, it's looked up under /agents/input folder at the root of the package.

  • In the case of integration type, the template_path is under policy_template.inputs. This field is optional at the package manifest.

    • In the case of being not-empty, validation looks for the file under /agents/input folder at the root of the package.
    • In the case of being empty, the validation looks for the assigned stream of the input. Taking the input.type as key, validation looks at all the data streams manifest looking for the stream.input name that matches the input.type. Once there is a match, the template_path of the stream is also not required.
      • In case the template_field is not empty at the stream manifest, validation checks this file exists under /agents/stream folder at the root of the stream folder (data_stream//).
      • In case the template_field is empty, the default file name stream.yml.hbs is checked.

Why is it important?

When Fleet compiles the templates of the policies and the data streams, if the file does not exist or has not been declared at the manifest, it fails. This prevents this error by validating the package before it is installed.

Checklist

  • Added unit tests for the new validation functions.

  • Added spec tests with new testdata packages.

  • I have added test packages to test/packages that prove my change is effective.

  • I have added an entry in spec/changelog.yml.

Related issues

Resolves #703
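
The lookup rules for integration packages described above, sketched in Go as an added example (not code from this PR or from package-spec). The `Input` and `Stream` types, the `MissingTemplates` function and the sample package are constructed for illustration; folder names follow the description's wording.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"testing/fstest"
)

// Hypothetical, simplified manifest shapes (not the package-spec types).
type Input struct{ Type, TemplatePath string }
type Stream struct{ Dir, Input, TemplatePath string } // Dir: data stream folder

// MissingTemplates lists expected template files that do not exist (folder names as worded in the PR description).
func MissingTemplates(fsys fs.FS, inputs []Input, streams []Stream) []string {
	var out []string
	check := func(p string) {
		if _, err := fs.Stat(fsys, p); err != nil {
			out = append(out, p)
		}
	}
	for _, in := range inputs {
		if in.TemplatePath != "" { // explicit path: looked up at the package root
			check(path.Join("agents/input", in.TemplatePath))
			continue
		}
		for _, s := range streams { // empty: use streams whose input matches input.type
			if s.Input != in.Type {
				continue
			}
			name := s.TemplatePath
			if name == "" {
				name = "stream.yml.hbs" // default file name
			}
			check(path.Join(s.Dir, "agents/stream", name))
		}
	}
	return out
}

// Sample runs the check on a constructed package in which only "logfile" resolves.
func Sample() []string {
	fsys := fstest.MapFS{"data_stream/access/agents/stream/stream.yml.hbs": {}}
	inputs := []Input{{Type: "logfile"}, {Type: "httpjson"}, {Type: "tcp", TemplatePath: "tcp.yml.hbs"}}
	streams := []Stream{{Dir: "data_stream/access", Input: "logfile"}, {Dir: "data_stream/api", Input: "httpjson", TemplatePath: "api.yml.hbs"}}
	return MissingTemplates(fsys, inputs, streams)
}

func main() { fmt.Println(Sample()) }
```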

@teresaromero teresaromero requested a review from a team as a code owner September 26, 2025 09:50
@teresaromero
Author

test-integrations

@elastic-vault-github-plugin-prod

Created or updated PR in integrations repository to test this version. Check elastic/integrations#15480

@teresaromero teresaromero force-pushed the 703-stream-yml-hbs-exists branch from 04ef625 to 05904c0 Compare September 29, 2025 13:10
@teresaromero teresaromero force-pushed the 703-stream-yml-hbs-exists branch from 38ba51b to 526c665 Compare September 29, 2025 14:25
@teresaromero teresaromero force-pushed the 703-stream-yml-hbs-exists branch from 0e0ecdb to 364d708 Compare September 30, 2025 08:41

Comment on lines 53 to 55
if input.TemplatePath == "" {
continue // template_path is optional
}
Contributor

So, in this case, if there is no template_path defined, does Fleet look for any default input template?
I was wondering whether some other validation should be added here or not.

Author

From what I have investigated, when an integration has inputs within its policy_template, the template_paths that are not explicitly described there are taken from the data_streams.

https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/assets.ts#L12

There is some logic I don't fully understand, but my guess is that from the assetMap, it takes the data stream name from the package manifest inputs and looks for the data stream associated to it. Perhaps the validation to be done at package spec should be that these inputs need to have a data_stream associated to be able to "skip" describing the template?

@teresaromero teresaromero requested a review from nchaulet October 16, 2025 12:43
@teresaromero
Author

@mrodm @nchaulet I've updated the PR taking into account how Fleet handled the template_paths for integrations with inputs.

After some consideration I've realized the entry point is always the policy_template of a manifest, regardless of the type of the package. Then there is the difference between inputs and integrations.

I've added the train of thought on the PR description, and updated the code to validate like so.
The test data is failing as probably the packages are not aligned with this; before changing all the packages I would like to confirm this is the way.

I've unified the validation, as I was taking into account the streams were separated from the package manifest policy... but with this change there should be just one validation rule, as the data_streams templates should be a match with the manifest inputs ???

@teresaromero
Author

closing this in favour of #1000
follow up PR coming for integration packages

Development

Successfully merging this pull request may close these issues.

[Linter] Ensure stream.yml.hbs exists if it will be fallen back on

3 participants