Skip to content

build(deps): bump github.com/elastic/elastic-agent-libs from 0.44.0 to 0.46.0#7309

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/go_modules/github.com/elastic/elastic-agent-libs-0.45.0
Open

build(deps): bump github.com/elastic/elastic-agent-libs from 0.44.0 to 0.46.0#7309
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/go_modules/github.com/elastic/elastic-agent-libs-0.45.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/elastic/elastic-agent-libs from 0.44.0 to 0.46.0.

Release notes

Sourced from github.com/elastic/elastic-agent-libs's releases.

v0.46.0

What's Changed

New Contributors

Full Changelog: elastic/elastic-agent-libs@v0.45.0...v0.46.0

v0.45.0

What's Changed

New Contributors

Full Changelog: elastic/elastic-agent-libs@v0.44.0...v0.45.0

Commits
  • 27a06f4 Add opt-in header-value expansion to the redact package (#429)
  • d72ff20 Bump go version to 1.25.11 (#428)
  • 4d6d224 fix(updatecli): remove obsolete .golangci.yml target from bump-golang manifes...
  • 06027d5 feat(tlscommon): enforce FIPS 140-3 peer cert key types across all TLS verifi...
  • See full diff in compare view

@dependabot dependabot Bot added automation backport-active-all Automated backport with mergify to all the active branches dependency Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels Jul 2, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 2, 2026 00:33
@dependabot dependabot Bot added the automation label Jul 2, 2026
@dependabot dependabot Bot requested review from swiatekm and ycombinator July 2, 2026 00:33
@dependabot dependabot Bot added dependency Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team backport-active-all Automated backport with mergify to all the active branches labels Jul 2, 2026
@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

TL;DR

The new failure is caused by the github.com/elastic/elastic-agent-libs v0.45.0 TLS/FIPS behavior change, not by the earlier module metadata issue. The dependency now installs a tls.Config.VerifyConnection callback and enforces FIPS 140-3 peer certificate key sizes in modes that previously passed these tests.

Remediation

  • Update internal/pkg/config/output_test.go so the HTTPS expected tls.Config allows or expects the new non-nil VerifyConnection callback when using tlscommon.VerifyNone under the FIPS build.
  • Update internal/pkg/es/client_test.go either to expect the RSA-1024 rejection with this dependency under requirefips, or replace internal/pkg/es/testdata/fips_invalid.{crt,key} with a FIPS-valid 2048-bit fixture if the test is meant to cover a successful TLS connection.
  • Validate with GODEBUG=fips140=on,tlsmlkem=0 go test -tags=grpcnotrace,requirefips -race ./internal/pkg/config ./internal/pkg/es and the FIPS-only unit target.
Investigation details

Root Cause

PR #7309 bumps github.com/elastic/elastic-agent-libs from v0.44.0 to v0.45.0. That release includes feat(tlscommon): enforce FIPS 140-3 peer cert key types across all TLS verification modes, which intentionally changes the TLS config produced by tlscommon.LoadTLSConfig.

Two existing tests still assert the old behavior:

  1. internal/pkg/config/output_test.go:166-181 builds an expected HTTPS tls.Config for tlscommon.VerifyNone without VerifyConnection, and internal/pkg/config/output_test.go:211 compares the full config. With v0.45.0, the actual config has VerifyConnection set.
  2. internal/pkg/es/client_test.go:208-216 only expects the RSA-1024 fixture failure when fips140.Enforced() is true. The new dependency enforces the FIPS key-size check in the requirefips/fips140=on path too, so the test now receives tls: certificate uses RSA-1024 public key which is not allowed by FIPS 140-3. The weak fixture is embedded at internal/pkg/es/client_test.go:223-224.

Evidence

  • Build: https://buildkite.com/elastic/fleet-server/builds/15326
  • Failed jobs: :smartbear-testexecute: Run unit tests with FIPS and :smartbear-testexecute: Run fips140=only unit tests
  • Buildkite’s prefetched log excerpt is tail-only and shows the final go test -tags=grpcnotrace,requirefips ... ./... exiting with FAIL after visible packages pass. Reproducing the PR head locally with the same FIPS-on flags exposed the hidden failing packages:
=== RUN   TestToESConfig/https
- VerifyConnection: <nil>
+ VerifyConnection: <non-nil>
--- FAIL: TestToESConfig/https
--- FAIL: TestToESConfig/mixed-https
FAIL github.com/elastic/fleet-server/v7/internal/pkg/config

=== RUN   TestConnectionTLS
Error: Received unexpected error:
  tls: certificate uses RSA-1024 public key which is not allowed by FIPS 140-3 (minimum 2048 bits)
--- FAIL: TestConnectionTLS
FAIL github.com/elastic/fleet-server/v7/internal/pkg/es

Verification

  • Reproduced on PR head b01900a242e149fa5f9e19ef8e60e0edb2ccc87c with GODEBUG=fips140=on,tlsmlkem=0 go test -tags=grpcnotrace,requirefips -v -race -coverprofile=build/coverage-linux.out ./....
  • Checked the latest prior detective comment; it covered the older check-ci/go mod tidy failure on a previous commit, so this is a separate root cause.

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@swiatekm

swiatekm commented Jul 2, 2026

Copy link
Copy Markdown
Member

buildkite test this

@swiatekm swiatekm enabled auto-merge (squash) July 2, 2026 08:02
swiatekm
swiatekm previously approved these changes Jul 2, 2026
Bumps [github.com/elastic/elastic-agent-libs](https://github.com/elastic/elastic-agent-libs) from 0.44.0 to 0.46.0.
- [Release notes](https://github.com/elastic/elastic-agent-libs/releases)
- [Commits](elastic/elastic-agent-libs@v0.44.0...v0.46.0)

---
updated-dependencies:
- dependency-name: github.com/elastic/elastic-agent-libs
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title build(deps): bump github.com/elastic/elastic-agent-libs from 0.44.0 to 0.45.0 build(deps): bump github.com/elastic/elastic-agent-libs from 0.44.0 to 0.46.0 Jul 2, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/elastic/elastic-agent-libs-0.45.0 branch from b01900a to 80686fe Compare July 2, 2026 18:47
@dependabot @github

dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

A newer version of github.com/elastic/elastic-agent-libs exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@swiatekm

swiatekm commented Jul 3, 2026

Copy link
Copy Markdown
Member

buildkite test this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automation backport-active-all Automated backport with mergify to all the active branches dependency Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant