[Fleet] When removing a inputs type package policy, clean up assets#218582
[Fleet] When removing a inputs type package policy, clean up assets#218582criamico merged 46 commits intoelastic:mainfrom
Conversation
criamico
added
the
Team:Fleet
| return installingPackages; | ||
| } | ||
|
|
||
| export async function installAssetsForInputPackagePolicy(opts: { |
There was a problem hiding this comment.
I moved this function to a new file that groups the utilities needed for input-type packages
criamico
added
v9.0.1
release_note:skip
|
@elasticmachine merge upstream |
|
Pinging @elastic/fleet (Team:Fleet) |
x-pack/platform/plugins/shared/fleet/server/services/epm/packages/input_type_packages.ts
Outdated
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
| if (!installation) { | ||
| throw new FleetError(`${packageInfo.name} is not installed`); | ||
| } | ||
| await cleanupAssets(installation, esClient, soClient); |
There was a problem hiding this comment.
I think here we probably need a little more logic, it seems to me we only want to delete the assets for a the specific datastream defined by that package policy. An input integration could have been used for multiple package policy, also we should check there are no other package policy for that integration defining the same package policy. wdyt?
There was a problem hiding this comment.
we should check there are no other package policy for that integration defining the same package policy
Yes @jillguyonnet added a check in here: https://github.com/criamico/kibana/blob/1db6c23088f2f45fc5c9ed227fc369fe02b6ec4f/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts#L1686
There was a problem hiding this comment.
The current logic is removing all package assets if we are removing the last policy for this package, so assuming 2 package policies system-1 and system-2:
- remove
system-1-> assets are left untouched - remove
system-2(last policy) -> all assets are removed
Note that the package itself isn't uninstalled.
it seems to me we only want to delete the assets for a the specific datastream defined by that package policy
Is there a scenario where creating a package policy can create assets that are only relevant to this policy? e.g. with a custom dataset? If that's the case, then maybe we want additional logic to the above to clean up these specific assets, something like:
- remove
system-1-> only assets specific tosystem-1are removed - remove
system-2(last policy) -> all assets are removed
WDYT?
There was a problem hiding this comment.
Thanks @jillguyonnet, I checked and the second scenario you described seems correct.
I'll remove only the assets related to the package policy dataset name, according with @nchaulet comment:
it seems to me we only want to delete the assets for a the specific datastream defined by that package policy
There was a problem hiding this comment.
Is there a scenario where creating a package policy can create assets that are only relevant to this policy? e.g. with a custom dataset? If that's the case, then maybe we want additional logic to the above to clean up these specific assets, something like:
Yes this is the case with input package policies (they are a little confusing to understand), for those policies we create if they do not exists the index template, pipeline for the provided dataset.
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
| const dataStreamType = | ||
| packagePolicy.inputs[0].streams[0].vars?.[DATA_STREAM_TYPE_VAR_NAME]?.value || | ||
| packagePolicy.inputs[0].streams[0].data_stream?.type || | ||
| 'logs'; |
|
This might not be related to this change, but I'm trying with Custom UDP Logs and it looks it adds 2 asset references that don't actually exist and then are left hanging when the package policy is removed. Is that known? Before adding the integration: After adding it:
After deleting the package policy: |
| setAgentBasedPackageAndAgentPolicies(mappedPoliciesData); | ||
| }, [agentBasedData, mapPoliciesData]); | ||
|
|
||
| const isInputPackageDatasetUsedByMultiplePolicies = useCallback( |
There was a problem hiding this comment.
I think this will probably not work with space awareness enabled, as the dataset could be used in policies in a different space, I think here one solution could be to put the responsability on the user and ask him if he want to delete the related assets and explain if other policies use that template it will be problematic wdyt?
There was a problem hiding this comment.
otherwise we could do that check in the API and throw if there is pacakge policy using that dataset and the call is done without a force flag
There was a problem hiding this comment.
Probably having that check in the API is better, and we can handle this nicely in the UI, with a warning assets for that package policy has not been deleted as they are used by other package policy ...
There was a problem hiding this comment.
Is the plan to have space awareness enabled for all users in the long run, or will it remain an optional feature? Depending on this we might pick different options.
There was a problem hiding this comment.
Probably having that check in the API is better, and we can handle this nicely in the UI, with a warning assets for that package policy has not been deleted as they are used by other package policy ...
it looks like a sensible way to handle it. I'll check this solution and see if there are any caveats.
There was a problem hiding this comment.
I just did a test with two spaces where I added Custom UDP Logs both times with udp.generic dataset. When I removed the package policy in the second space, it deleted the assets. So I think you're right, the logic needs to be space aware. I agree with the solution of making the API space aware and warning the user that assets were not deleted because they are used by another package policy in another space (which mightn't be obvious).
There was a problem hiding this comment.
Is the plan to have space awareness enabled for all users in the long run, or will it remain an optional feature? Depending on this we might pick different options.
Yes space aware will be the default starting from 9.1
@jillguyonnet so the fact that the two assets are left there should be correct, as they don't match the dataset name; however I'm not sure why those two assets don't exist, I noticed it but forgot to open a ticket for it. |
|
@elasticmachine merge upstream |
| const { items: allPackagePolicies } = await packagePolicyService.list(allSpacesSoClient, { | ||
| kuery: `${PACKAGE_POLICY_SAVED_OBJECT_TYPE}.package.name:${pkgName}`, | ||
| spaceId: '*', | ||
| }); |
There was a problem hiding this comment.
@nchaulet I moved the logic to find if the dataset is used by other policies directly in the endpoint and I made it space aware; it will fail directly in the api response, so I removed almost all the logic from the UI.
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Public APIs missing comments
Async chunks
Page load bundle
History
|
…lastic#218582) Fixes elastic#209789 ## Summary For `inputs` type integrations ([docs](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/fleet/dev_docs/input_packages.md)), we install all the assets when creating the integration policy and not at integration install time (like for "regular": integrations). However the clean up of assets doesn't happen when removing the integration policy and this leaves around orphaned assets that are not working anymore. - This PR adds a new endpoint that removes the datastream assets ``` DELETE kbn:/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets?packagePolicyId={Id} ``` - The new endpoint is called by the UI when removing the integration policy; - Only the datastream assets that match exactly the dataset name are removed; assets that are common across the integration are kept and can only be deleted when the whole integration is uninstalled. Additional changes: - I did some light refactoring of the functions for inputs-type integrations to make the code more readable - Updated the dev_docs about input-type integrations that haven't been touched for long time ### Testing - Install an input-type package, for instance "custom logs" - Check the assets created under the tab `assets` - Check that the package has only this integration policy - Remove the integration policy for the package - a warning is shown: <img width="937" alt="Screenshot 2025-05-09 at 16 58 51" src="https://github.com/user-attachments/assets/0f86ab38-e0a9-47f5-91f5-71b83e17f2e3" /> - Verify that the assets related to the package are cleaned up as well - Try again but with several integration policies - In this case the clean up doesn't happen ### Delete assets when there are two integration policies with different dataset names Dataset names are`udp.generic` and `udp.test` - in the video I deleted policy `udp-2` having dataset name `udp.test` and the relative assets are no longer present: https://github.com/user-attachments/assets/23350051-1b26-4e52-914d-62f784809c80 ### Delete assets when there are two integration policies with same dataset names In this case there are two different policies having the same dataset name `udp.generic`, when deleting the policy there is no warning to remove the assets. In fact they can be deleted only when there is only one remaining policy using them: https://github.com/user-attachments/assets/f75668dd-a4ce-4f5a-ba5d-c99911278dfc ### Checklist - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: jillguyonnet <jill.guyonnet@gmail.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…lastic#218582) Fixes elastic#209789 ## Summary For `inputs` type integrations ([docs](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/fleet/dev_docs/input_packages.md)), we install all the assets when creating the integration policy and not at integration install time (like for "regular": integrations). However the clean up of assets doesn't happen when removing the integration policy and this leaves around orphaned assets that are not working anymore. - This PR adds a new endpoint that removes the datastream assets ``` DELETE kbn:/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets?packagePolicyId={Id} ``` - The new endpoint is called by the UI when removing the integration policy; - Only the datastream assets that match exactly the dataset name are removed; assets that are common across the integration are kept and can only be deleted when the whole integration is uninstalled. Additional changes: - I did some light refactoring of the functions for inputs-type integrations to make the code more readable - Updated the dev_docs about input-type integrations that haven't been touched for long time ### Testing - Install an input-type package, for instance "custom logs" - Check the assets created under the tab `assets` - Check that the package has only this integration policy - Remove the integration policy for the package - a warning is shown: <img width="937" alt="Screenshot 2025-05-09 at 16 58 51" src="https://github.com/user-attachments/assets/0f86ab38-e0a9-47f5-91f5-71b83e17f2e3" /> - Verify that the assets related to the package are cleaned up as well - Try again but with several integration policies - In this case the clean up doesn't happen ### Delete assets when there are two integration policies with different dataset names Dataset names are`udp.generic` and `udp.test` - in the video I deleted policy `udp-2` having dataset name `udp.test` and the relative assets are no longer present: https://github.com/user-attachments/assets/23350051-1b26-4e52-914d-62f784809c80 ### Delete assets when there are two integration policies with same dataset names In this case there are two different policies having the same dataset name `udp.generic`, when deleting the policy there is no warning to remove the assets. In fact they can be deleted only when there is only one remaining policy using them: https://github.com/user-attachments/assets/f75668dd-a4ce-4f5a-ba5d-c99911278dfc ### Checklist - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: jillguyonnet <jill.guyonnet@gmail.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
5 participants
Fixes #209789
Summary
For
inputstype integrations (docs), we install all the assets when creating the integration policy and not at integration install time (like for "regular": integrations).However the clean up of assets doesn't happen when removing the integration policy and this leaves around orphaned assets that are not working anymore.
Additional changes:
Testing
assetsDelete assets when there are two integration policies with different dataset names
Dataset names are
udp.genericandudp.test- in the video I deleted policyudp-2having dataset nameudp.testand the relative assets are no longer present:Screen.Recording.2025-05-14.at.16.29.26.mov
Delete assets when there are two integration policies with same dataset names
In this case there are two different policies having the same dataset name
udp.generic, when deleting the policy there is no warning to remove the assets. In fact they can be deleted only when there is only one remaining policy using them:Screen.Recording.2025-05-14.at.16.36.47.mov
Checklist