[Fleet] fix output ssl config order#230758
Merged
juliaElastic merged 2 commits intoelastic:mainfrom Aug 6, 2025
Merged
Conversation
juliaElastic
added
backport:prev-minor
backport:version
botelastic
bot
added
the
Team:Fleet
Contributor
|
Pinging @elastic/fleet (Team:Fleet) |
Contributor
|
Starting backport for target branches: 8.17, 8.18, 8.19, 9.0, 9.1 |
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
|
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Aug 6, 2025
## Summary
While testing, encountered another issue with ssl output config.
It seems that the preconfig comes with some defaults (`{ certificate:
'', certificate_authorities: [] }`) that override the config set in
advanced yaml on the UI.
Change the order so that the advanced yaml comes after preconfig.
To verify:
- Add an elasticsearch output with Advanced YAML config:
```
ssl:
certificate_authorities:
- /test/ca.crt
verification_mode: "none"
```
- Add output to an agent policy
- View full policy JSON and verify the ssl config is correct
<img width="818" height="1169" alt="image"
src="https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52"
/>
<img width="1512" height="1239" alt="image"
src="https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e"
/>
- Preconfiguration should still work
```
xpack.fleet.outputs:
- hosts:
- https://localhost:9200
id: eck-fleet-agent-output-elasticsearch
name: eck-elasticsearch
ssl:
certificate_authorities:
- /test/ca.crt
type: elasticsearch
xpack.fleet.agentPolicies:
- name: Test preconfigured
id: test-preconfigured
is_managed: false
namespace: default
monitoring_enabled: []
package_policies: []
data_output_id: eck-fleet-agent-output-elasticsearch
```
<img width="1527" height="1236" alt="image"
src="https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
(cherry picked from commit 8c99241)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Aug 6, 2025
## Summary
While testing, encountered another issue with ssl output config.
It seems that the preconfig comes with some defaults (`{ certificate:
'', certificate_authorities: [] }`) that override the config set in
advanced yaml on the UI.
Change the order so that the advanced yaml comes after preconfig.
To verify:
- Add an elasticsearch output with Advanced YAML config:
```
ssl:
certificate_authorities:
- /test/ca.crt
verification_mode: "none"
```
- Add output to an agent policy
- View full policy JSON and verify the ssl config is correct
<img width="818" height="1169" alt="image"
src="https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52"
/>
<img width="1512" height="1239" alt="image"
src="https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e"
/>
- Preconfiguration should still work
```
xpack.fleet.outputs:
- hosts:
- https://localhost:9200
id: eck-fleet-agent-output-elasticsearch
name: eck-elasticsearch
ssl:
certificate_authorities:
- /test/ca.crt
type: elasticsearch
xpack.fleet.agentPolicies:
- name: Test preconfigured
id: test-preconfigured
is_managed: false
namespace: default
monitoring_enabled: []
package_policies: []
data_output_id: eck-fleet-agent-output-elasticsearch
```
<img width="1527" height="1236" alt="image"
src="https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
(cherry picked from commit 8c99241)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Aug 6, 2025
## Summary
While testing, encountered another issue with ssl output config.
It seems that the preconfig comes with some defaults (`{ certificate:
'', certificate_authorities: [] }`) that override the config set in
advanced yaml on the UI.
Change the order so that the advanced yaml comes after preconfig.
To verify:
- Add an elasticsearch output with Advanced YAML config:
```
ssl:
certificate_authorities:
- /test/ca.crt
verification_mode: "none"
```
- Add output to an agent policy
- View full policy JSON and verify the ssl config is correct
<img width="818" height="1169" alt="image"
src="https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52"
/>
<img width="1512" height="1239" alt="image"
src="https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e"
/>
- Preconfiguration should still work
```
xpack.fleet.outputs:
- hosts:
- https://localhost:9200
id: eck-fleet-agent-output-elasticsearch
name: eck-elasticsearch
ssl:
certificate_authorities:
- /test/ca.crt
type: elasticsearch
xpack.fleet.agentPolicies:
- name: Test preconfigured
id: test-preconfigured
is_managed: false
namespace: default
monitoring_enabled: []
package_policies: []
data_output_id: eck-fleet-agent-output-elasticsearch
```
<img width="1527" height="1236" alt="image"
src="https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
(cherry picked from commit 8c99241)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Aug 6, 2025
## Summary
While testing, encountered another issue with ssl output config.
It seems that the preconfig comes with some defaults (`{ certificate:
'', certificate_authorities: [] }`) that override the config set in
advanced yaml on the UI.
Change the order so that the advanced yaml comes after preconfig.
To verify:
- Add an elasticsearch output with Advanced YAML config:
```
ssl:
certificate_authorities:
- /test/ca.crt
verification_mode: "none"
```
- Add output to an agent policy
- View full policy JSON and verify the ssl config is correct
<img width="818" height="1169" alt="image"
src="https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52"
/>
<img width="1512" height="1239" alt="image"
src="https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e"
/>
- Preconfiguration should still work
```
xpack.fleet.outputs:
- hosts:
- https://localhost:9200
id: eck-fleet-agent-output-elasticsearch
name: eck-elasticsearch
ssl:
certificate_authorities:
- /test/ca.crt
type: elasticsearch
xpack.fleet.agentPolicies:
- name: Test preconfigured
id: test-preconfigured
is_managed: false
namespace: default
monitoring_enabled: []
package_policies: []
data_output_id: eck-fleet-agent-output-elasticsearch
```
<img width="1527" height="1236" alt="image"
src="https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
(cherry picked from commit 8c99241)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Aug 6, 2025
## Summary
While testing, encountered another issue with ssl output config.
It seems that the preconfig comes with some defaults (`{ certificate:
'', certificate_authorities: [] }`) that override the config set in
advanced yaml on the UI.
Change the order so that the advanced yaml comes after preconfig.
To verify:
- Add an elasticsearch output with Advanced YAML config:
```
ssl:
certificate_authorities:
- /test/ca.crt
verification_mode: "none"
```
- Add output to an agent policy
- View full policy JSON and verify the ssl config is correct
<img width="818" height="1169" alt="image"
src="https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52"
/>
<img width="1512" height="1239" alt="image"
src="https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e"
/>
- Preconfiguration should still work
```
xpack.fleet.outputs:
- hosts:
- https://localhost:9200
id: eck-fleet-agent-output-elasticsearch
name: eck-elasticsearch
ssl:
certificate_authorities:
- /test/ca.crt
type: elasticsearch
xpack.fleet.agentPolicies:
- name: Test preconfigured
id: test-preconfigured
is_managed: false
namespace: default
monitoring_enabled: []
package_policies: []
data_output_id: eck-fleet-agent-output-elasticsearch
```
<img width="1527" height="1236" alt="image"
src="https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
(cherry picked from commit 8c99241)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Aug 6, 2025
# Backport This will backport the following commits from `main` to `9.1`: - [[Fleet] fix output ssl config order (#230758)](#230758) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Julia Bardi","email":"90178898+juliaElastic@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-08-06T14:13:11Z","message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Fleet","backport:prev-minor","backport:prev-major","backport:version","v9.2.0","v9.0.5"],"title":"[Fleet] fix output ssl config order","number":230758,"url":"https://github.com/elastic/kibana/pull/230758","mergeCommit":{"message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f"}},"sourceBranch":"main","suggestedTargetBranches":["9.0"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/230758","number":230758,"mergeCommit":{"message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f"}},{"branch":"9.0","label":"v9.0.5","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
kibanamachine
added a commit
that referenced
this pull request
Aug 6, 2025
# Backport This will backport the following commits from `main` to `8.19`: - [[Fleet] fix output ssl config order (#230758)](#230758) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Julia Bardi","email":"90178898+juliaElastic@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-08-06T14:13:11Z","message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Fleet","backport:prev-minor","backport:prev-major","backport:version","v9.2.0","v9.0.5"],"title":"[Fleet] fix output ssl config order","number":230758,"url":"https://github.com/elastic/kibana/pull/230758","mergeCommit":{"message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f"}},"sourceBranch":"main","suggestedTargetBranches":["9.0"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/230758","number":230758,"mergeCommit":{"message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f"}},{"branch":"9.0","label":"v9.0.5","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
kibanamachine
added a commit
that referenced
this pull request
Aug 6, 2025
# Backport This will backport the following commits from `main` to `8.17`: - [[Fleet] fix output ssl config order (#230758)](#230758) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Julia Bardi","email":"90178898+juliaElastic@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-08-06T14:13:11Z","message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Fleet","backport:prev-minor","backport:prev-major","backport:version","v9.2.0","v9.0.5"],"title":"[Fleet] fix output ssl config order","number":230758,"url":"https://github.com/elastic/kibana/pull/230758","mergeCommit":{"message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f"}},"sourceBranch":"main","suggestedTargetBranches":["9.0"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/230758","number":230758,"mergeCommit":{"message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f"}},{"branch":"9.0","label":"v9.0.5","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
kibanamachine
added a commit
that referenced
this pull request
Aug 6, 2025
# Backport This will backport the following commits from `main` to `9.0`: - [[Fleet] fix output ssl config order (#230758)](#230758) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Julia Bardi","email":"90178898+juliaElastic@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-08-06T14:13:11Z","message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Fleet","backport:prev-minor","backport:prev-major","backport:version","v9.2.0","v9.0.5"],"title":"[Fleet] fix output ssl config order","number":230758,"url":"https://github.com/elastic/kibana/pull/230758","mergeCommit":{"message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f"}},"sourceBranch":"main","suggestedTargetBranches":["9.0"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/230758","number":230758,"mergeCommit":{"message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f"}},{"branch":"9.0","label":"v9.0.5","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
kibanamachine
added a commit
that referenced
this pull request
Aug 6, 2025
# Backport This will backport the following commits from `main` to `8.18`: - [[Fleet] fix output ssl config order (#230758)](#230758) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Julia Bardi","email":"90178898+juliaElastic@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-08-06T14:13:11Z","message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Fleet","backport:prev-minor","backport:prev-major","backport:version","v9.2.0","v9.0.5"],"title":"[Fleet] fix output ssl config order","number":230758,"url":"https://github.com/elastic/kibana/pull/230758","mergeCommit":{"message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f"}},"sourceBranch":"main","suggestedTargetBranches":["9.0"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/230758","number":230758,"mergeCommit":{"message":"[Fleet] fix output ssl config order (#230758)\n\n## Summary\n\nWhile testing, encountered another issue with ssl output config. \nIt seems that the preconfig comes with some defaults (`{ certificate:\n'', certificate_authorities: [] }`) that override the config set in\nadvanced yaml on the UI.\nChange the order so that the advanced yaml comes after preconfig.\n\nTo verify:\n- Add an elasticsearch output with Advanced YAML config:\n```\nssl:\n certificate_authorities:\n - /test/ca.crt\n verification_mode: \"none\" \n```\n- Add output to an agent policy\n- View full policy JSON and verify the ssl config is correct\n\n<img width=\"818\" height=\"1169\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52\"\n/>\n<img width=\"1512\" height=\"1239\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e\"\n/>\n\n- Preconfiguration should still work\n```\nxpack.fleet.outputs:\n - hosts:\n - https://localhost:9200\n id: eck-fleet-agent-output-elasticsearch\n name: eck-elasticsearch\n ssl:\n certificate_authorities:\n - /test/ca.crt\n type: elasticsearch\n\nxpack.fleet.agentPolicies:\n - name: Test preconfigured\n id: test-preconfigured\n is_managed: false\n namespace: default\n monitoring_enabled: []\n package_policies: []\n data_output_id: eck-fleet-agent-output-elasticsearch\n```\n\n<img width=\"1527\" height=\"1236\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27\"\n/>\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...","sha":"8c992417c5fa304bd623efc5ce0841c6a1b7113f"}},{"branch":"9.0","label":"v9.0.5","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
gergoabraham
pushed a commit
to gergoabraham/kibana
that referenced
this pull request
Aug 7, 2025
## Summary
While testing, encountered another issue with ssl output config.
It seems that the preconfig comes with some defaults (`{ certificate:
'', certificate_authorities: [] }`) that override the config set in
advanced yaml on the UI.
Change the order so that the advanced yaml comes after preconfig.
To verify:
- Add an elasticsearch output with Advanced YAML config:
```
ssl:
certificate_authorities:
- /test/ca.crt
verification_mode: "none"
```
- Add output to an agent policy
- View full policy JSON and verify the ssl config is correct
<img width="818" height="1169" alt="image"
src="https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52"
/>
<img width="1512" height="1239" alt="image"
src="https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e"
/>
- Preconfiguration should still work
```
xpack.fleet.outputs:
- hosts:
- https://localhost:9200
id: eck-fleet-agent-output-elasticsearch
name: eck-elasticsearch
ssl:
certificate_authorities:
- /test/ca.crt
type: elasticsearch
xpack.fleet.agentPolicies:
- name: Test preconfigured
id: test-preconfigured
is_managed: false
namespace: default
monitoring_enabled: []
package_policies: []
data_output_id: eck-fleet-agent-output-elasticsearch
```
<img width="1527" height="1236" alt="image"
src="https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
denar50
pushed a commit
to denar50/kibana
that referenced
this pull request
Aug 8, 2025
## Summary
While testing, encountered another issue with ssl output config.
It seems that the preconfig comes with some defaults (`{ certificate:
'', certificate_authorities: [] }`) that override the config set in
advanced yaml on the UI.
Change the order so that the advanced yaml comes after preconfig.
To verify:
- Add an elasticsearch output with Advanced YAML config:
```
ssl:
certificate_authorities:
- /test/ca.crt
verification_mode: "none"
```
- Add output to an agent policy
- View full policy JSON and verify the ssl config is correct
<img width="818" height="1169" alt="image"
src="https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52"
/>
<img width="1512" height="1239" alt="image"
src="https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e"
/>
- Preconfiguration should still work
```
xpack.fleet.outputs:
- hosts:
- https://localhost:9200
id: eck-fleet-agent-output-elasticsearch
name: eck-elasticsearch
ssl:
certificate_authorities:
- /test/ca.crt
type: elasticsearch
xpack.fleet.agentPolicies:
- name: Test preconfigured
id: test-preconfigured
is_managed: false
namespace: default
monitoring_enabled: []
package_policies: []
data_output_id: eck-fleet-agent-output-elasticsearch
```
<img width="1527" height="1236" alt="image"
src="https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
NicholasPeretti
pushed a commit
to NicholasPeretti/kibana
that referenced
this pull request
Aug 18, 2025
## Summary
While testing, encountered another issue with ssl output config.
It seems that the preconfig comes with some defaults (`{ certificate:
'', certificate_authorities: [] }`) that override the config set in
advanced yaml on the UI.
Change the order so that the advanced yaml comes after preconfig.
To verify:
- Add an elasticsearch output with Advanced YAML config:
```
ssl:
certificate_authorities:
- /test/ca.crt
verification_mode: "none"
```
- Add output to an agent policy
- View full policy JSON and verify the ssl config is correct
<img width="818" height="1169" alt="image"
src="https://github.com/user-attachments/assets/2c654805-b1f3-4364-a138-fc4d6bc22c52"
/>
<img width="1512" height="1239" alt="image"
src="https://github.com/user-attachments/assets/e2849f17-83d3-4d87-90f7-4b68b817143e"
/>
- Preconfiguration should still work
```
xpack.fleet.outputs:
- hosts:
- https://localhost:9200
id: eck-fleet-agent-output-elasticsearch
name: eck-elasticsearch
ssl:
certificate_authorities:
- /test/ca.crt
type: elasticsearch
xpack.fleet.agentPolicies:
- name: Test preconfigured
id: test-preconfigured
is_managed: false
namespace: default
monitoring_enabled: []
package_policies: []
data_output_id: eck-fleet-agent-output-elasticsearch
```
<img width="1527" height="1236" alt="image"
src="https://github.com/user-attachments/assets/b74aa02e-ac79-44f0-81a4-d3788608dd27"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
While testing, encountered another issue with ssl output config.
It seems that the preconfig comes with some defaults (
{ certificate: '', certificate_authorities: [] }) that override the config set in advanced yaml on the UI.Change the order so that the advanced yaml comes after preconfig.
To verify:
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
release_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesbackport:*labels.Identify risks
Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.