Skip to content

build(deps): bump github.com/elastic/elastic-agent-libs from 0.44.0 to 0.46.0#7309

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/go_modules/github.com/elastic/elastic-agent-libs-0.45.0
Open

build(deps): bump github.com/elastic/elastic-agent-libs from 0.44.0 to 0.46.0#7309
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/go_modules/github.com/elastic/elastic-agent-libs-0.45.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/elastic/elastic-agent-libs from 0.44.0 to 0.46.0.

Release notes

Sourced from github.com/elastic/elastic-agent-libs's releases.

v0.46.0

What's Changed

New Contributors

Full Changelog: elastic/elastic-agent-libs@v0.45.0...v0.46.0

v0.45.0

What's Changed

New Contributors

Full Changelog: elastic/elastic-agent-libs@v0.44.0...v0.45.0

Commits
  • 27a06f4 Add opt-in header-value expansion to the redact package (#429)
  • d72ff20 Bump go version to 1.25.11 (#428)
  • 4d6d224 fix(updatecli): remove obsolete .golangci.yml target from bump-golang manifes...
  • 06027d5 feat(tlscommon): enforce FIPS 140-3 peer cert key types across all TLS verifi...
  • See full diff in compare view

@dependabot dependabot Bot added automation backport-active-all Automated backport with mergify to all the active branches dependency Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels Jul 2, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 2, 2026 00:33
@dependabot dependabot Bot added the automation label Jul 2, 2026
@dependabot dependabot Bot requested review from swiatekm and ycombinator July 2, 2026 00:33
@dependabot dependabot Bot added dependency Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team backport-active-all Automated backport with mergify to all the active branches labels Jul 2, 2026
@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

TL;DR

The new failure is caused by the github.com/elastic/elastic-agent-libs v0.45.0 TLS/FIPS behavior change, not by the earlier module metadata issue. The dependency now installs a tls.Config.VerifyConnection callback and enforces FIPS 140-3 peer certificate key sizes in modes that previously passed these tests.

Remediation

  • Update internal/pkg/config/output_test.go so the HTTPS expected tls.Config allows or expects the new non-nil VerifyConnection callback when using tlscommon.VerifyNone under the FIPS build.
  • Update internal/pkg/es/client_test.go either to expect the RSA-1024 rejection with this dependency under requirefips, or replace internal/pkg/es/testdata/fips_invalid.{crt,key} with a FIPS-valid 2048-bit fixture if the test is meant to cover a successful TLS connection.
  • Validate with GODEBUG=fips140=on,tlsmlkem=0 go test -tags=grpcnotrace,requirefips -race ./internal/pkg/config ./internal/pkg/es and the FIPS-only unit target.
Investigation details

Root Cause

PR #7309 bumps github.com/elastic/elastic-agent-libs from v0.44.0 to v0.45.0. That release includes feat(tlscommon): enforce FIPS 140-3 peer cert key types across all TLS verification modes, which intentionally changes the TLS config produced by tlscommon.LoadTLSConfig.

Two existing tests still assert the old behavior:

  1. internal/pkg/config/output_test.go:166-181 builds an expected HTTPS tls.Config for tlscommon.VerifyNone without VerifyConnection, and internal/pkg/config/output_test.go:211 compares the full config. With v0.45.0, the actual config has VerifyConnection set.
  2. internal/pkg/es/client_test.go:208-216 only expects the RSA-1024 fixture failure when fips140.Enforced() is true. The new dependency enforces the FIPS key-size check in the requirefips/fips140=on path too, so the test now receives tls: certificate uses RSA-1024 public key which is not allowed by FIPS 140-3. The weak fixture is embedded at internal/pkg/es/client_test.go:223-224.

Evidence

  • Build: https://buildkite.com/elastic/fleet-server/builds/15326
  • Failed jobs: :smartbear-testexecute: Run unit tests with FIPS and :smartbear-testexecute: Run fips140=only unit tests
  • Buildkite’s prefetched log excerpt is tail-only and shows the final go test -tags=grpcnotrace,requirefips ... ./... exiting with FAIL after visible packages pass. Reproducing the PR head locally with the same FIPS-on flags exposed the hidden failing packages:
=== RUN   TestToESConfig/https
- VerifyConnection: <nil>
+ VerifyConnection: <non-nil>
--- FAIL: TestToESConfig/https
--- FAIL: TestToESConfig/mixed-https
FAIL github.com/elastic/fleet-server/v7/internal/pkg/config

=== RUN   TestConnectionTLS
Error: Received unexpected error:
  tls: certificate uses RSA-1024 public key which is not allowed by FIPS 140-3 (minimum 2048 bits)
--- FAIL: TestConnectionTLS
FAIL github.com/elastic/fleet-server/v7/internal/pkg/es

Verification

  • Reproduced on PR head b01900a242e149fa5f9e19ef8e60e0edb2ccc87c with GODEBUG=fips140=on,tlsmlkem=0 go test -tags=grpcnotrace,requirefips -v -race -coverprofile=build/coverage-linux.out ./....
  • Checked the latest prior detective comment; it covered the older check-ci/go mod tidy failure on a previous commit, so this is a separate root cause.

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@swiatekm

swiatekm commented Jul 2, 2026

Copy link
Copy Markdown
Member

buildkite test this

@swiatekm swiatekm enabled auto-merge (squash) July 2, 2026 08:02
swiatekm
swiatekm previously approved these changes Jul 2, 2026
@dependabot dependabot Bot changed the title build(deps): bump github.com/elastic/elastic-agent-libs from 0.44.0 to 0.45.0 build(deps): bump github.com/elastic/elastic-agent-libs from 0.44.0 to 0.46.0 Jul 2, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/elastic/elastic-agent-libs-0.45.0 branch from b01900a to 80686fe Compare July 2, 2026 18:47
@dependabot @github

dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

A newer version of github.com/elastic/elastic-agent-libs exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@swiatekm

swiatekm commented Jul 3, 2026

Copy link
Copy Markdown
Member

buildkite test this

dependabot Bot and others added 2 commits July 8, 2026 11:15
Bumps [github.com/elastic/elastic-agent-libs](https://github.com/elastic/elastic-agent-libs) from 0.44.0 to 0.46.0.
- [Release notes](https://github.com/elastic/elastic-agent-libs/releases)
- [Commits](elastic/elastic-agent-libs@v0.44.0...v0.46.0)

---
updated-dependencies:
- dependency-name: github.com/elastic/elastic-agent-libs
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@ycombinator ycombinator force-pushed the dependabot/go_modules/github.com/elastic/elastic-agent-libs-0.45.0 branch from d605b17 to 017dc82 Compare July 8, 2026 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automation backport-active-all Automated backport with mergify to all the active branches dependency Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants