[Fleet] Add package rollback API#226754
Merged
jillguyonnet merged 24 commits intoelastic:mainfrom Jul 18, 2025
Merged
Conversation
jillguyonnet
added
release_note:enhancement
backport:skip
…t --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/streams --include-path /api/fleet --include-path /api/dashboards --include-path /api/saved_objects/_import --include-path /api/saved_objects/_export --include-path /api/maintenance_window --update'
Contributor
|
Pinging @elastic/fleet (Team:Fleet) |
juliaElastic
reviewed
Jul 8, 2025
juliaElastic
reviewed
Jul 8, 2025
juliaElastic
reviewed
Jul 8, 2025
juliaElastic
reviewed
Jul 8, 2025
juliaElastic
reviewed
Jul 8, 2025
juliaElastic
reviewed
Jul 8, 2025
juliaElastic
reviewed
Jul 8, 2025
Contributor
There was a problem hiding this comment.
It would be great to add integration tests for the new rollback API and do manual testing with agents using the package policies and ingesting data to data streams, to make sure the rollback doesn't disrupt data ingestion.
Member
There was a problem hiding this comment.
Adding to this, it would be good to test with input packages as well to make sure it doesn't break them.
juliaElastic
reviewed
Jul 8, 2025
juliaElastic
reviewed
Jul 8, 2025
juliaElastic
reviewed
Jul 8, 2025
criamico
reviewed
Jul 8, 2025
Member
There was a problem hiding this comment.
Adding to this, it would be good to test with input packages as well to make sure it doesn't break them.
Member
Author
|
@elasticmachine merge upstream |
…t --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/streams --include-path /api/fleet --include-path /api/dashboards --include-path /api/saved_objects/_import --include-path /api/saved_objects/_export --include-path /api/maintenance_window --update'
Member
Author
|
@juliaElastic @criamico thank you for your feedback. I'm still working on functional tests, but I pushed a bunch of improvements and updated the PR description with additional test cases. Please feel free to try and break this. 🙂 |
Member
Author
|
@elasticmachine merge upstream |
Contributor
Flaky Test Runner Stats🟠 Some tests failed. - kibana-flaky-test-suite-runner#8644[❌] x-pack/test/fleet_api_integration/config.epm.ts: 75/100 tests passed. |
Member
Author
|
@elasticmachine merge upstream |
jillguyonnet
commented
Jul 16, 2025
| timeout: 30_000, | ||
| retryCount: 25, | ||
| retryDelay: 10000, | ||
| timeout: 60_000, |
Member
Author
There was a problem hiding this comment.
Thanks for the review @juliaElastic - FYI I had to increase the retries and timeout in this test as the extra logic caused it to be too slow. It made me realise that we don't exclude rollback logic from managed policies, which should perhaps be addressed as a followup, WDYT?
Contributor
There was a problem hiding this comment.
Why is setup trying to run rollback?
I agree that we probably shouldn't allow rolling back managed policies.
Member
Author
There was a problem hiding this comment.
Why is setup trying to run rollback?
It isn't - it's the saving previous revisions logic here that adds extra time. Not sure why this didn't come up in the original PR.
Edit: I've kicked off a flaky test runner build to check if it's robust enough with these settings.
I agree that we probably shouldn't allow rolling back managed policies.
OK if I open a followup issue for this?
Contributor
There was a problem hiding this comment.
I see, it makes sense. A follow up issue sounds good.
Member
Author
|
@elastic/core-docs @elastic/experience-docs Could I please get your review on this? |
Contributor
Flaky Test Runner Stats🎉 All tests passed! - kibana-flaky-test-suite-runner#8669[✅] x-pack/platform/test/fleet_api_integration/config.epm.ts: 100/100 tests passed. |
Contributor
Flaky Test Runner Stats🎉 All tests passed! - kibana-flaky-test-suite-runner#8679[✅] x-pack/platform/test/fleet_api_integration/config.fleet.ts: 100/100 tests passed. |
Member
florent-leborgne
left a comment
florent-leborgne
left a comment
There was a problem hiding this comment.
Hi! Looks like the API docs output files are no longer part of this PR. In case you'll re-add them, I mainly have one comment about making sure that the API's version availability is correctly set so it appears clearly in the docs:
If there is a version requirement to use this API, it should be specified with an availability attribute like this I believe (see example):
options: {
availability: {
since: '9.1.0',
},
florent-leborgne
approved these changes
Jul 18, 2025
Member
florent-leborgne
left a comment
florent-leborgne
left a comment
There was a problem hiding this comment.
Thanks for specifying the availability options 🙏 LGTM for docs
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Public APIs missing comments
Public APIs missing exports
Page load bundle
History
|
Bluefinger
pushed a commit
to Bluefinger/kibana
that referenced
this pull request
Jul 22, 2025
## Summary Closes elastic/ingest-dev#5445 This PR adds a public API endpoint `POST kbn:/api/fleet/epm/packages/{packageName}/rollback` that rolls back an integration to the previous installed version, provided that previous version had been saved and that all integration policies (in all spaces) have corresponding saved previous revisions. This endpoint updates integration policies across all spaces. For example, given the following: * The `system` integration was installed on 2.2.0 with integration policies (also on 2.2.0) in multiple spaces. * The integration was upgraded to 2.3.2 and all integration policies were also upgraded. Then rolling back the integration will install 2.2.0 and update integration policies in all spaces to the latest revision they were on for 2.2.0. Rollback will fail if: * The integration has no `previous_version` property set (set on upgrade, see elastic#222779). * At least one integration policy (in any space) doesn't have a saved previous revision (SO with id `{id}:prev`). * At least one integration policy (in any space) has a saved previous revision with a different previous version. ### Implementation details 1. Package policies rollback step 1 1. Create temporary SO copies in order to reverse the rollback in case of failure. 2. Update SO with data from saved previous revisions. 2. Package rollback 3. Package policies rollback step 2 * If package rollback succeeded, delete temporary SO copies and previous revision SO + bump agent policy revisions. * If package rollback failed, restore SO to pre-rollback (using temporary SO copies) and delete these copies. ### Testing 1. Create a custom space with default accesses. 5. In the default space install a package on an older version and make sure to have a package policy (edit the version in the browser URL and add the package). Choose a version old enough to have a few more recent versions to test with. 6. In the custom space, add the package on the same older version in order to create a package policy. You should now have a package policy on this older version on both spaces. 7. Go to Dev Tools and issue a rollback request: it should fail with `No previous version found for package {pkgName}`. 8. Force upgrade the package to a newer (not the latest) version with ``` POST kbn:/api/fleet/epm/packages/{pkgName}/{pkgVersion} { "force": true } ``` This doesn't upgrade the package policies. 9. Issue a rollback request: it should fail with `No previous version found for package policies: [policyId1, policyId2]`. 10. Force upgrade the package again to a newer version. 11. In the UI, upgrade both package policies. 12. Go to Dev Tools and issue a rollback request: it should fail with `Wrong previous version for package policies: [policyId1, policyId2]`. This is because the package was upgraded from v1 to v2 to v3, but policies were directly upgraded from v1 to v3. 13. Force upgrade the package again to a newer version. 14. In the UI, upgrade both package policies. 15. Take note of the revisions the agent policies are on. 16. Go to Dev Tools and issue a rollback request: this time, it should succeed and roll back the package and its policies in both spaces to the previous version. 17. Check in the UI that the rollback looks correct (agent policy revisions should have been bumped). For completeness, you can check the saved objects of the package and the package policies: * the package SO should have the correct (older) version and `previous_version: null` * the package policy SO storing the revision with the previous version (with id ending in `:prev`) should have been deleted * the current package policy SO should have the correct (older) version, `latest_revision: true` and revision number bumped by 1 * there should be no temporary SO (with id ending in `:copy`) ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Risk of incorrect integration policy data after rolling back the integration to its previous version. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kertal
pushed a commit
to kertal/kibana
that referenced
this pull request
Jul 25, 2025
## Summary Closes elastic/ingest-dev#5445 This PR adds a public API endpoint `POST kbn:/api/fleet/epm/packages/{packageName}/rollback` that rolls back an integration to the previous installed version, provided that previous version had been saved and that all integration policies (in all spaces) have corresponding saved previous revisions. This endpoint updates integration policies across all spaces. For example, given the following: * The `system` integration was installed on 2.2.0 with integration policies (also on 2.2.0) in multiple spaces. * The integration was upgraded to 2.3.2 and all integration policies were also upgraded. Then rolling back the integration will install 2.2.0 and update integration policies in all spaces to the latest revision they were on for 2.2.0. Rollback will fail if: * The integration has no `previous_version` property set (set on upgrade, see elastic#222779). * At least one integration policy (in any space) doesn't have a saved previous revision (SO with id `{id}:prev`). * At least one integration policy (in any space) has a saved previous revision with a different previous version. ### Implementation details 1. Package policies rollback step 1 1. Create temporary SO copies in order to reverse the rollback in case of failure. 2. Update SO with data from saved previous revisions. 2. Package rollback 3. Package policies rollback step 2 * If package rollback succeeded, delete temporary SO copies and previous revision SO + bump agent policy revisions. * If package rollback failed, restore SO to pre-rollback (using temporary SO copies) and delete these copies. ### Testing 1. Create a custom space with default accesses. 5. In the default space install a package on an older version and make sure to have a package policy (edit the version in the browser URL and add the package). Choose a version old enough to have a few more recent versions to test with. 6. In the custom space, add the package on the same older version in order to create a package policy. You should now have a package policy on this older version on both spaces. 7. Go to Dev Tools and issue a rollback request: it should fail with `No previous version found for package {pkgName}`. 8. Force upgrade the package to a newer (not the latest) version with ``` POST kbn:/api/fleet/epm/packages/{pkgName}/{pkgVersion} { "force": true } ``` This doesn't upgrade the package policies. 9. Issue a rollback request: it should fail with `No previous version found for package policies: [policyId1, policyId2]`. 10. Force upgrade the package again to a newer version. 11. In the UI, upgrade both package policies. 12. Go to Dev Tools and issue a rollback request: it should fail with `Wrong previous version for package policies: [policyId1, policyId2]`. This is because the package was upgraded from v1 to v2 to v3, but policies were directly upgraded from v1 to v3. 13. Force upgrade the package again to a newer version. 14. In the UI, upgrade both package policies. 15. Take note of the revisions the agent policies are on. 16. Go to Dev Tools and issue a rollback request: this time, it should succeed and roll back the package and its policies in both spaces to the previous version. 17. Check in the UI that the rollback looks correct (agent policy revisions should have been bumped). For completeness, you can check the saved objects of the package and the package policies: * the package SO should have the correct (older) version and `previous_version: null` * the package policy SO storing the revision with the previous version (with id ending in `:prev`) should have been deleted * the current package policy SO should have the correct (older) version, `latest_revision: true` and revision number bumped by 1 * there should be no temporary SO (with id ending in `:copy`) ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Risk of incorrect integration policy data after rolling back the integration to its previous version. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes https://github.com/elastic/ingest-dev/issues/5445
This PR adds a public API endpoint
POST kbn:/api/fleet/epm/packages/{packageName}/rollbackthat rolls back an integration to the previous installed version, provided that previous version had been saved and that all integration policies (in all spaces) have corresponding saved previous revisions.This endpoint updates integration policies across all spaces. For example, given the following:
systemintegration was installed on 2.2.0 with integration policies (also on 2.2.0) in multiple spaces.Then rolling back the integration will install 2.2.0 and update integration policies in all spaces to the latest revision they were on for 2.2.0.
Rollback will fail if:
previous_versionproperty set (set on upgrade, see [Fleet] Save package policy previous revision on package upgrade #222779).{id}:prev).Implementation details
Testing
No previous version found for package {pkgName}.No previous version found for package policies: [policyId1, policyId2].Wrong previous version for package policies: [policyId1, policyId2]. This is because the package was upgraded from v1 to v2 to v3, but policies were directly upgraded from v1 to v3.previous_version: null:prev) should have been deletedlatest_revision: trueand revision number bumped by 1:copy)Checklist
release_note:*label is applied per the guidelinesbackport:*labels.Identify risks
Risk of incorrect integration policy data after rolling back the integration to its previous version.