Fix observability UIAM config and add CPS observability variant

packages/kbn-mock-idp-plugin/server/plugin.ts

@@ -22,7 +22,12 @@ import {
   STATEFUL_ROLES_ROOT_PATH,
 } from '@kbn/es';
 import type { ServerlessProductTier } from '@kbn/es/src/utils';
-import { createSAMLResponse, MOCK_IDP_LOGIN_PATH, MOCK_IDP_LOGOUT_PATH } from '@kbn/mock-idp-utils';
+import {
+  createSAMLResponse,
+  MOCK_IDP_LOGIN_PATH,
+  MOCK_IDP_LOGOUT_PATH,
+  projectTypeToAlias,
+} from '@kbn/mock-idp-utils';
 import { getSAMLRequestId } from '@kbn/mock-idp-utils/src/utils';
 
 import type { ConfigType } from './config';
@@ -39,14 +44,6 @@ const createSAMLResponseSchema = schema.object({
   url: schema.string(),
 });
 
-// BOOKMARK - List of Kibana project types
-const projectToAlias = new Map<string, string>([
-  ['observability', 'oblt'],
-  ['security', 'security'],
-  ['search', 'es'],
-  ['workplaceai', 'workplaceai'],
-]);
-
 const tierSpecificRolesFileExists = (filePath: string): boolean => {
   try {
     return existsSync(filePath);
@@ -56,8 +53,8 @@ const tierSpecificRolesFileExists = (filePath: string): boolean => {
 };
 
 const readServerlessRoles = (projectType: string, productTier?: ServerlessProductTier) => {
-  if (projectToAlias.has(projectType)) {
-    const alias = projectToAlias.get(projectType)!;
+  if (projectTypeToAlias.has(projectType)) {
+    const alias = projectTypeToAlias.get(projectType)!;
 
     const tierSpecificRolesResourcePath =
       productTier && resolve(SERVERLESS_ROLES_ROOT_PATH, alias, productTier, 'roles.yml');

src/platform/packages/private/kbn-mock-idp-utils/src/index.ts

@@ -47,4 +47,5 @@ export {
   getSAMLRequestId,
   createUiamSessionTokens,
   createUiamOAuthAccessToken,
+  projectTypeToAlias,
 } from './utils';

src/platform/packages/private/kbn-mock-idp-utils/src/utils.ts

@@ -292,10 +292,29 @@ export function generateCosmosDBApiRequestHeaders(
   };
 }
 
+// Kibana project type names mapped to CLI aliases used for role file paths.
+export const projectTypeToAlias = new Map<string, string>([
+  ['observability', 'oblt'],
+  ['security', 'security'],
+  ['search', 'es'],
+  ['workplaceai', 'workplaceai'],
+]);
+
+// Normalizes CLI aliases (e.g. 'oblt', 'es') to the canonical project type names
+// used in UIAM tokens and ES serverless configuration.
+// Note: 'es' maps to 'elasticsearch' for UIAM (not 'search' which is the Kibana solution name).
+const projectTypeAliases = new Map<string, string>([
+  ['oblt', 'observability'],
+  ['es', 'elasticsearch'],
+]);
+
+const normalizeProjectType = (projectType: string): string =>
+  projectTypeAliases.get(projectType) ?? projectType;
+
 export async function createUiamSessionTokens({
   username,
   organizationId,
-  projectType,
+  projectType: rawProjectType,
   roles,
   fullName,
   email,
@@ -313,6 +332,7 @@ export async function createUiamSessionTokens({
   accessTokenLifetimeSec?: number;
   refreshTokenLifetimeSec?: number;
 }) {
+  const projectType = normalizeProjectType(rawProjectType);
   const iat = Math.floor(Date.now() / 1000);
 
   const givenName = fullName ? fullName.split(' ')[0] : 'Test';

src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/cps_local/serverless/observability_complete.serverless.config.ts

@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import {
+  ELASTIC_SERVERLESS_SUPERUSER,
+  ELASTIC_SERVERLESS_SUPERUSER_PASSWORD,
+  LINKED_CLUSTER_PORT_OFFSET,
+} from '@kbn/es';
+import { servers as uiamConfig } from '../../uiam_local/serverless/observability_complete.serverless.config';
+import type { ScoutServerConfig } from '../../../../../types';
+
+export const servers: ScoutServerConfig = {
+  ...uiamConfig,
+  servers: {
+    ...uiamConfig.servers,
+    linkedElasticsearch: {
+      ...uiamConfig.servers.elasticsearch,
+      port: (uiamConfig.servers.elasticsearch.port as number) + LINKED_CLUSTER_PORT_OFFSET,
+      username: ELASTIC_SERVERLESS_SUPERUSER,
+      password: ELASTIC_SERVERLESS_SUPERUSER_PASSWORD,
+    },
+  },
+  esServerlessOptions: {
+    uiam: true,
+    cps: true,
+  },
+};

src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/uiam_local/serverless/observability_complete.serverless.config.ts

@@ -9,7 +9,7 @@
 
 import { MOCK_IDP_UIAM_SERVICE_URL, MOCK_IDP_UIAM_SHARED_SECRET } from '@kbn/mock-idp-utils';
 import { KBN_CERT_PATH, KBN_KEY_PATH } from '@kbn/dev-utils';
-import { servers as defaultConfig } from '../../default/serverless/security_complete.serverless.config';
+import { servers as defaultConfig } from '../../default/serverless/observability_complete.serverless.config';
 import type { ScoutServerConfig } from '../../../../../types';
 
 // Indicates whether the config is used on CI or locally.
@@ -29,6 +29,14 @@ export const servers: ScoutServerConfig = {
       `--xpack.security.uiam.ssl.certificate=${KBN_CERT_PATH}`,
       `--xpack.security.uiam.ssl.key=${KBN_KEY_PATH}`,
       '--xpack.security.uiam.ssl.verificationMode=none',
+      // cloud.id is decoded by the security plugin to obtain the ES endpoint for UIAM API key conversion.
+      // CI:    decodes to https://es01:9220 (ES listens on port 9220 inside the Docker network)
+      // Local: decodes to https://host.docker.internal:9220 (ES is on the host, reached via Docker bridge)
+      `--xpack.cloud.id=${
+        isRunOnCI
+          ? 'ci:ZXMwMTo5MjIwJDo5MjIwJGtpYmFuYTo5MjIw'
+          : 'local-dev:ZG9ja2VyLmludGVybmFsOjkyMjAkaG9zdDo5MjIwJGtpYmFuYTo5MjIw'
+      }`,
     ],
   },
 };