[Fleet] Add auth fields to agent binary download source

[jillguyonnet]

Summary

Closes https://github.com/elastic/ingest-dev/issues/6647

This PR adds authentication fields to Elastic Agent binary download sources in Fleet:

export interface DownloadSourceBase {
  name: string;
  host: string;
  is_default: boolean;
  proxy_id?: string | null;
  ssl?: {
    certificate_authorities?: string[];
    certificate?: string;
    key?: string;
  };
  auth?: {
    headers?: Array<{
      key: string;
      value: string;
    }>;
    username?: string;
    password?: string;
    api_key?: string;
  };
  secrets?: DownloadSourceSecrets;
}

interface DownloadSourceSecrets extends BaseSSLSecrets {
  auth?: {
    password?: SOSecret;
    api_key?: SOSecret;
  }
}

Behaviour

A download source can have one of the following auth config:

• no auth settings
• auth headers only
• auth username+password, no headers
• auth username+password, with headers
• API key, no headers
• API key, with headers

Validation exists to ensure that only these states are allowed on create and update.

Password and API key fields can be stored as plain text or secrets, with the following rules:

• If a password or API key is stored as plain text and the download source is updated with a secret, the secret should replace the plain text value.
• If a password or API key is stored as a secret and the download source is updated with a plain text value, this value should be converted into a new secret, i.e. once secret storage is used it is enforced.

UI

Following designs in https://github.com/elastic/ingest-dev/issues/6403, the new auth credentials config is under a new "Authentication" accordion section. Following discussion on this, I renamed the pre-existing "Authentication" accordion section for configuring a secure connection with TLS to "TLS / Secure connection".

Before

After

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Flaky Test Runner was used on any tests changed
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
• Review the backport guidelines and apply applicable backport:* labels.

Identify risks

Low probability risk of affecting creation or update of Elastic Agent binary download sources managed by Fleet.

Release note

Adds authentication fields to Elastic Agent binary download sources managed by Fleet in support of connecting to self-hosted artifact registries.

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[jillguyonnet]

@elasticmachine merge upstream

[florent-leborgne]

Docs/Copy LGTM just some nits on capitalization (use sentence case except for branded terms/proper nouns)

[juliaElastic]

I noticed we have now two Authentication accordions, we could ask for some UX advice on how to structure it better, maybe rename one or put them under the same accordion.

[jillguyonnet]

I noticed we have now two Authentication accordions, we could ask for some UX advice on how to structure it better, maybe rename one or put them under the same accordion.

Oof, I can't believe I didn't notice that! Yeah, best unify, I will check with @sileschristian.

[juliaElastic]

We should validate that either username/password or apikey is provided if auth is set. Now if only headers are provided, the download source is updated and secrets are deleted.

Probably worth confirming with @nimarezainia if we want to support setting Headers only without other auth settings.

Suggested by Cursor:

Low/Medium – headers‑only auth updates are accepted and can wipe credentials.
Server validation allows an auth object with only headers (no username/password or api_key). That passes validation, but in update logic isAuthBeingUpdated becomes true whenever auth is present, which allows extractAndUpdateDownloadSourceSecrets to delete existing auth secrets. A headers‑only update can therefore clear stored username/password or api_key unintentionally. If the intended contract is “none / username+password / api_key only” (as in PR summary), this should be rejected server‑side.

[jillguyonnet]

Thanks for raising this!

I think allowing setting auth headers only might make sense for supporting custom auth schemes. It would be great if @nimarezainia could confirm if that's something we want to do. I went ahead with some modifications assuming that we do, will of course change that if we don't.

Assuming we do support auth headers only, I think the cleanest approach is to pass the complete auth state in API requests (that's what the UI does in general), meaning omitted fields would get reset. I have pushed a change to unify that across the API and UI. Below is an updated screenshot showing that the header fields are always visible even if no credentials are set.

If we don't want to support headers only and enforce username/password or API key as the only authentication methods, then we can:

• either keep the approach of always passing the complete auth state and enforce that either username/password or API key are specified: simpler logic
• or be more flexible and allow partial updates (e.g. specifying headers only doesn't touch the rest of the auth data, possible to change password without specifying username): more logic, maybe more user friendly

[nimarezainia]

thanks @jillguyonnet, I think we should support the headers. We can't enforce that username/password or API key is entered since currently we don't have that restriction and it would essentially be a breaking change.

I believe the options you have here are valid. @cmacknz do you see any issues with this?

[jillguyonnet]

Thanks Nima 👍 I updated the PR description. The possible auth states are:

• none
• headers only
• username+password, with or without headers
• API key, with or without headers

[jillguyonnet]

@elasticmachine merge upstream

[juliaElastic]

LGTM

[kibanamachine]

Flaky Test Runner Stats

🎉 All tests passed! - kibana-flaky-test-suite-runner#10700

[✅] x-pack/platform/test/fleet_api_integration/config.fleet.ts: 25/25 tests passed.

see run history

[afharo]

SO changes LGTM

[kc13greiner]

Question: I am curious to understand the implications of adding a new field here without a new model version. Also, the existing SO model version does not specify a forwardCompatibility schema. What would a previous version of Kibana do if it encounters this SO with an additional attribute?

Looking at this ESO doc, the guidance recommends:

Implement a Model Version and wrap it in a call to createModelVersion. Implement Model Version changes as needed. Implement a forwardCompatibility schema and ignore unknowns if the previous version of Kibana will not be able to tolerate additions to the attribute.

cc @elastic/kibana-core can you weigh in regarding the lack of model version and forwardCompatibility schema?

[kc13greiner]

@afharo Just want to confirm 😅

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 54fd83a

Failed CI Steps

• FTR Configs #133
• FTR Configs #133

Test Failures

• [job] [logs] FTR Configs #133 / Agent Builder tools MCP tools creating MCP tools should create an MCP tool by selecting connector and tool
• [job] [logs] FTR Configs #133 / Agent Builder tools MCP tools creating MCP tools should create an MCP tool by selecting connector and tool

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
fleet	1421	1423	+2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
fleet	2.2MB	2.2MB	+12.5KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	189.0KB	189.0KB	+57.0B

History

• 💚 Build #391597 succeeded 0b8728a
• 💔 Build #390570 failed 40e643d
• 💔 Build #390350 failed 3c72b0a
• 💔 Build #390335 failed d24619b
• 💔 Build #390081 failed 8bb621b

cc @jillguyonnet

[kc13greiner]

LGTM!