[Security Solution][Endpoint] Add serverless Security project users/roles to cypress e2e test setup

[paul-tavares]

Summary

Goal of this PR is to re-enable the serverless tests that require the login credentials for users that have the pre-defined roles from serverless assigned to them.

@kbn/test changes

• Added support for esServerlessOptions to FTR config. Currently allows for resources to be defined
  • resources overrides were introduced in this PR
  • new FTR option will allow for testing serverless with a set of users/roles that are specific to the project type

Security Solution Plugin

• Added esServerlessOptions to the Defend Workflows cypress configurations
• Un-skips all serverless specific tests (now that we have support for users/roles that are specific to the Security project)
• Changed the default username for cypress login() task to be endpoint_operations_analyst
  • Note that the previously used endpoint_operations_analyst role was also updated to match the definition used for serverless.
• Added new common fleet_server_services cli module with reusable methods for working with fleet server, including generic startFleetServer() method
• New CLI script: node x-pack/plugins/security_solution/scripts/endpoint/start_fleet_server.js
  • Starts a fleet server locally (via Docker) and connects it to the Kibana
  • Supports running fleet server locally for serverless as well

---

Serverless specific tests now passing

Options available with new start_fleet_server.js cli script:

node ./x-pack/plugins/security_solution/scripts/endpoint/start_fleet_server.js --help

  node x-pack/plugins/security_solution/scripts/endpoint/start_fleet_server.js

  Start fleet-server locally and connect it to Kibana/ES

  Options:
    --version           Optional. The Agent version to be used when installing fleet server.
                        Default: uses the same version as the stack (kibana). Version
                        can also be from 'SNAPSHOT'.
                        NOTE: this value will be specifically set to 'latest' when ran against
                        kibana in serverless mode.
                        Examples: 8.6.0, 8.7.0-SNAPSHOT
    --policy            Optional. The UUID of the agent policy that should be used to enroll
                        fleet-server with Kibana/ES (Default: uses existing (if found) or
                        creates a new one)
    --force             Optional. If true, then fleet-server will be started and connected to
                        kibana even if one seems to already be configured.
    --port              Optional. The port number where fleet-server will listen for requests.
                        (Default: 8220)
    --username          Optional. User name to be used for auth against elasticsearch and
                        kibana (Default: elastic).
    --password          Optional. Password associated with the username (Default: changeme)
    --kibanaUrl         Optional. The url to Kibana (Default: http://127.0.0.1:5601)
    --elasticUrl        Optional. The url to Elasticsearch (Default: http://127.0.0.1:9200)
    --verbose, -v      Log verbosely
    --debug            Log debug messages (less than verbose)
    --quiet            Only log errors
    --silent           Don't log anything
    --help             Show this message

Output of the start_fleet_server.js script

start_fleet_server.js
 info Starting Fleet Server and connecting it to Kibana
   │ info Verifying Docker is installed.
       │ info Docker version 20.10.22, build 3a2c30b
   │ info Starting a new fleet server using Docker (version: 8.11.0-SNAPSHOT)
       │ info Kibana running in serverless mode.
       │        - will install/run standalone Fleet Server
       │        - version adjusted to [latest] from [8.11.0-SNAPSHOT]
       │ info Checking status of elastic Docker network.
           │ info Using existing network.
       │ info Fleet server started
       │ info Updating Fleet with new fleet server host: https://192.168.1.87:8220
           │ info No update needed. Fleet server host URL already defined in fleet settings.
       │ info Checking if Fleet output for Elasticsearch needs to be updated
       │ info Waiting for server to register with Elasticsearch
   │ info Done. Fleet server up and running
 info 

      Container Name: dev-fleet-server.8220
      Container Id:   ba131b3dd3a2ceb7a95e40b54bde7b8498318136f6665aa076b6716760ef1906

      View running output:  docker attach ---sig-proxy=false dev-fleet-server.8220
      Shell access:         docker exec -it dev-fleet-server.8220 /bin/bash
      Kill container:       docker kill ba131b3dd3a2ceb7a95e40b54bde7b8498318136f6665aa076b6716760ef1906
        

[paul-tavares]

FYI: I will have a follow up PR to refactor the existing endpint_agent_runner utility to use this module (will also look for import's for private modules of endpoint_agent_runner). For now, most of the code here is a duplicate.

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[tomsonpl]

Hey, I've gone through the code, left a few suggestions and questions (just to help me understand, thanks in advance 👍 ).
All in all, great job as usual, thanks for doing this 👍

[tomsonpl]

Why do we need to cast this like that?

[paul-tavares]

username is not set as a string in .flags

ref:

kibana/packages/kbn-dev-cli-runner/src/flags.ts

Line 23 in 7f82102

[key: string]: undefined | boolean | string | string[];

[tomsonpl]

redundant?

[tomsonpl]

would it be worth to add a log.verbose after this? as with hostToEnroll below?

[paul-tavares]

There is nothing here to log. The one below logs the Agent record in log.verbose()

[tomsonpl]

maybe worth to specify this as string | undefined , passing an empty string may be confusing. what do you think?

[tomsonpl]

same with policyId I guess ?

[paul-tavares]

These can't be undefined for managed fleet server. I'll make them optional and will add runtime validation.

[tomsonpl]

Yes, what I meant is it's either a string for manager fs or really undefined right?
But what you just did is also great, so thanks!

[paul-tavares]

correct

[tomsonpl]

this policy, coming from cliConfig.flags.policy - is this supposed to be supported only if used as a CLI and not CI (eg. cypress?). Which means that if provided, we do not call getOrCreateFleetServerAgentPolicyId ?

[paul-tavares]

correct - if policy (Fleet agent policy UUID) is provided, then we don't create one automatically if one does not yet exist. It could be used from CI or CLI - it does not matter. It just provides the consumer the ability to define the specific agent policy ID to use in starting the server

[tomsonpl]

Is there any case where we need to additionally create the network (in serverless mode)? I understand that network is being already created with dockerized ES.

[paul-tavares]

Not sure 🤷 . I think there are some additional discussions in @patrykkopycinski 's PR about creating additional networks for Agent (hosts).

[patrykkopycinski]

I just wanted to make it consistent to make sure all docker containers are running on the same docker network

[tomsonpl]

Is this necessary?

[paul-tavares]

Yes. If we don't, the host name in fleet is duplicated when we run it multiple times locally. This ensure that the host name is unique. It was also causing an issue when calling waitForHostToEnroll()

[tomsonpl]

I think we can set policyId the same way as serviceToken below, it might get more readable, what do you think?

[tomsonpl]

I see you use API_VERSIONS.public.v1 is it possible to use it also here?

[paul-tavares]

That const never made sense to me and I think will lead to issues. I was never really sure why a const was used. Version number will diverge at the api level (is my understanding) not the release level across all APIs

[tomsonpl]

and here

[jbudz]

packages/kbn-test

[dasansol92]

LGTM! Thanks!

[dasansol92]

Should we use the API_VERSIONS.public.v1 from fleet plugin?

[paul-tavares]

See my prior comment to @tomsonpl 's (same comment). I never really understood why we are using const's for API version

[ashokaditya]

Thanks for the changes. 🔥 I've not tested this locally but will take it for a spin later.

[ashokaditya]

I believe these should be .lists-* and .items-*

[paul-tavares]

I'm going to leave it as is, since it matches whats defined in Project Controller (cc/ @dhurley14 )

[ashokaditya]

This should be .alerts-security.alerts-*

[paul-tavares]

same comment as above

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 5693c7c

Failed CI Steps

• FTR Configs #1
• Security Solution Cypress Tests #9

Test Failures

• [job] [logs] FTR Configs #1 / dashboard app - group 6 dashboard snapshots compare controls snapshot in dark mode
• [job] [logs] Security Solution Cypress Tests #9 / Ransomware Detection Alerts Ransomware in Timelines Renders ransomware entries in timelines table Renders ransomware entries in timelines table

Metrics [docs]

✅ unchanged

History

• 💔 Build #165361 failed ea37cb3
• 💔 Build #165342 failed ecacb30
• 💔 Build #165319 failed f61e534
• 💚 Build #165123 succeeded 4b21538
• 💔 Build #165072 failed 0010825
• 💔 Build #165036 failed 09c5dab

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @paul-tavares

[patrykkopycinski]

Thank you @paul-tavares 🙇

[dmlemeshko]

kbn-test changes LGTM