Add OTel collector properties to policy schema

[jsoriano]

What is the problem this PR solves?

Support provisioning of OTel collector configuration for hybrid agents.

How does this PR solve the problem?

Add the OTel collector properties to the schema.

How to test this PR locally

Use the kibana code from elastic/kibana#227673 (already merged in main). Enable the feature flag enableOtelIntegrations.

Using elastic-package to install the scenario (with these instructions: https://github.com/elastic/elastic-package/blob/main/docs/howto/use_existing_stack.md).

mage build:cover docker:customagentimage
export ELASTIC_AGENT_IMAGE_REF_OVERRIDE=<image tag generated in previous step>
export ELASTIC_PACKAGE_ELASTICSEARCH_PASSWORD=changeme
export ELASTIC_PACKAGE_ELASTICSEARCH_USERNAME=elastic
export ELASTIC_PACKAGE_KIBANA_HOST=http://localhost:5601
export ELASTIC_PACKAGE_ELASTICSEARCH_HOST=http://localhost:9200
elastic-package stack up -v -d --provider environment --version 9.2.0-SNAPSHOT

Then install the package from elastic/integrations#14315 and try to use it.

Design Checklist

• I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool

Related issues

• Required for [Fleet] Introduce basic support for OTEL input integrations in Fleet kibana#227673.
• Closes Extend schemas to support OTel configuration for Hybrid agents #5241.

[prodsecmachine]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ license/snyk check is complete. No issues have been found. (View Details)

[mergify]

This pull request does not have a backport label. Could you fix it @jsoriano? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[jsoriano]

@cmacknz we are noticing that at some point since the policy is generated in Fleet (with elastic/kibana#227673), and received by the Agent, the OTel parts are gone.

I tried adding the fields in the Fleet Server in this review, but it doesn't seem to be enough.

Do you know if there is something else that would need to be modified in Fleet Server or Elastic Agent for the Agent to receive the OTel configuration? Or does the Agent need to be started in some special way to act as an hybrid agent?

cc @criamico

[cmacknz]

Do you know if there is something else that would need to be modified in Fleet Server or Elastic Agent for the Agent to receive the OTel configuration? Or does the Agent need to be started in some special way to act as an hybrid agent?

Agent will (should) accept collector configuration keys without issue. The way to check if agent is responsible for stripping out the configuration is to collect diagnostics and look at the pre-config.yml, that should be the agent policy before agent processed any of it.

@michel-laterman might have an idea of where these keys get dropped. Some other part of the internal fleet-server policy model or an index mapping or something.

[michel-laterman]

It should also be added as part of the openapi definition:

fleet-server/model/openapi.yml

Line 561 in 2099046

policyData:

[jsoriano]

Thanks @michel-laterman, this helped.

I am seeing now OTel specific errors in the agent:

no receiver configuration specified in config
service::pipelines: service must have at least one pipeline

This probably goes back to the configuration we generate in Fleet, we will take a look, but good to see the Agent trying to run an OTel config generated from a Fleet policy 🙂

[jsoriano]

Ah no, I spoke too quickly, I see the same error even if no OTel package is included in the policy 🤔

Is it possible to see exactly what Fleet Server is sending to the Agent?

[cmacknz]

It should be in the output of elastic-agent inspect or in diagnostics.

[jsoriano]

With current code, I see this error in agent logs:

{"log.level":"warn","@timestamp":"2025-08-13T14:06:30.979Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/application/gateway/fleet.(*FleetGateway).doExecute","file.name":"fleet/fleet_gateway.go","file.line":199},"message":"Possible transient error during checkin with fleet-server, retrying","log":{"source":"elastic-agent"},"error":{"message":"could not decode the response, raw response: "},"request_duration_ns":774654481,"failed_checkins":2,"retry_after_ns":123230918117,"ecs.version":"1.6.0"}

[cmacknz]

OK the problem is in Fleet server, we are getting a non-200 response back but it isn't telling us which one. It's trying to parse an explicit error but there isn't any so it just logs nothing.

https://github.com/elastic/elastic-agent/blob/92bebb22f7e862f6f58d479c1014f461942ecd3d/internal/pkg/fleetapi/checkin_cmd.go#L129-L131

This is the source of that log https://github.com/elastic/elastic-agent/blob/92bebb22f7e862f6f58d479c1014f461942ecd3d/internal/pkg/fleetapi/client/client.go#L128-L129

We can modify the error handling there to get the HTTP status code and that will help narrow down where in Fleet Server the problem is, though I'd hope Fleet Server has some logs about whatever is going wrong too.

[cmacknz]

I think if you pull out the policy generated by Kibana we can write a test isolating the problem in fleet-server to speed up debugging.

fleet-server/internal/pkg/server/fleet_secrets_integration_test.go

Lines 174 to 208 in c5f7f37

	// create agent policy with secret reference
	enrollKey := createAgentPolicyWithSecrets(t, ctx, srv.bulker, secretID, secretRef, outputSecretID)
	cli := cleanhttp.DefaultClient()
	// enroll an agent
	t.Log("Enroll an agent")
	req, err := http.NewRequestWithContext(ctx, "POST", srv.baseURL()+"/api/fleet/agents/enroll", strings.NewReader(enrollBody))
	require.NoError(t, err)
	req.Header.Set("Authorization", "ApiKey "+enrollKey)
	req.Header.Set("User-Agent", "elastic agent "+serverVersion)
	req.Header.Set("Content-Type", "application/json")
	res, err := cli.Do(req)
	require.NoError(t, err)
	require.Equal(t, http.StatusOK, res.StatusCode)
	t.Log("Agent enrollment successful")
	p, _ := io.ReadAll(res.Body)
	res.Body.Close()
	var obj map[string]interface{}
	err = json.Unmarshal(p, &obj)
	require.NoError(t, err)
	item := obj["item"]
	mm, ok := item.(map[string]interface{})
	require.True(t, ok, "expected attribute item to be an object")
	id := mm["id"]
	str, ok := id.(string)
	require.True(t, ok, "expected attribute id to be a string")
	apiKey := mm["access_api_key"]
	key, ok := apiKey.(string)
	require.True(t, ok, "expected attribute apiKey to be a string")
	// checkin
	t.Logf("Fake a checkin for agent %s", str)
	req, err = http.NewRequestWithContext(ctx, "POST", srv.baseURL()+"/api/fleet/agents/"+str+"/checkin", strings.NewReader(checkinBody))

That looks like a reasonable template for doing this, where you can create a policy and make requests to the /checkin API without relying on a real agent. This will take Kibana and Elastic Agent out of the equation.

You could probably remove elastic agent using curl if you could get it's API key but I suspect there will be several problems in Fleet Server to get past so writing an integration test for this will be the fastest way to flush them all out.

[jsoriano]

Current code works, but the policy doesn't include an exporter yet, so the collector fails to start with:

collector exited with error (will try to recover in 0s): invalid configuration: no exporter configuration specified in config
service::pipelines::metrics: must have at least one exporter

If I hardcode an exporter, the collector starts and works as expected.

I will continue adding integration tests in this PR as suggested, so we can test that fleet-server propagates the policies to agents. And then we can work on https://github.com/elastic/ingest-dev/issues/5712.

[jsoriano]

Integration test added, as well as changelog entry. Opening for review.

[ebeahan]

@michel-laterman @michalpristas this one still needs a review from our side.

[michel-laterman]

Looking good, have some comments

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
42.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[michel-laterman]

LGTM