Add support for release field in agentless deployment mode

[MichelLosier]

What does this PR do?

• Adds support for a release field in the agentless deployment mode. This is to help indicate a different maturity level than that of the package semver. Accepts values beta, ga. Absence implies beta by default

Why is it important?

Agentless deployment modes for an integration can be at a different level of functional maturity than the default deployment of an integration. This will help communicate that expectation to users downstream in Kibana.

Checklist

• I have added test packages to test/packages that prove my change is effective.
• I have added an entry in spec/changelog.yml.

Related issues

• Closes: [Change Proposal] Allow to declare a maturity level in the agentless deployment mode #1098

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds an optional release string (enum: beta, preview) to deployment_modes.agentless in the manifest schema and records it in the changelog for version 3.6.1-next. Validation now performs an early check: if a manifest has exactly one policy_template with deployment_modes.default explicitly disabled and deployment_modes.agentless enabled, any non-empty deployment_modes.agentless.release is rejected with a structured validation error. A new unexported helper implements this check; unit tests (three valid, one invalid) and a test package/fixtures were added.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	PR adds release field to agentless deployment mode schema, validates against invalid configurations, and includes tests and documentation as specified in issue #1098.
Out of Scope Changes check	✅ Passed	All changes align with issue #1098 objectives: schema update, validation logic, tests, and test package for agentless release field support.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

• 🛠️ Update Documentation: Commit on current branch
• 🛠️ Update Documentation: Create PR

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@spec/integration/manifest.spec.yml`:
- Around line 298-312: The new YAML schema property
deployment_modes.agentless.release was added without a version patch; add a
version patch that removes this property for spec versions < 3.6.1 so older
manifests cannot accept deployment_modes.agentless.release. Update the
manifest.spec.yml version-patch section (also mirror the change for the related
block noted around the 947-1073 region) to explicitly delete or disallow the
agentless.release key for pre-3.6.1 schemas, ensuring the enum/type entries for
release only exist in the 3.6.1+ schema.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d7107b47-2c92-4504-9934-141a3ba94d17

📥 Commits

Reviewing files that changed from the base of the PR and between 06b46cb and 6b7538c.

📒 Files selected for processing (4)

• code/go/internal/validator/semantic/validate_deployment_modes.go
• code/go/internal/validator/semantic/validate_deployment_modes_test.go
• spec/changelog.yml
• spec/integration/manifest.spec.yml

[coderabbitai]

♻️ Duplicate comments (1)

spec/integration/manifest.spec.yml (1)

298-310: ⚠️ Potential issue | 🟠 Major

Missing backward-compat patch for deployment_modes.agentless.release.

Line 298 introduces a new field, but there is no versions patch removing it for before: 3.6.1. Without that, older format_version schemas can incorrectly accept policy_templates[].deployment_modes.agentless.release.

Proposed fix

 versions:
+  - before: 3.6.1
+    patch:
+      - op: remove
+        path: "/definitions/deployment_modes/properties/agentless/properties/release"
   - before: 3.6.0
     patch:
       # Support for otelcol and dynamic_signal_types in integration packages.
       - op: add

As per coding guidelines: "Version patches enable backward compatibility by removing features from older spec versions."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/integration/manifest.spec.yml` around lines 298 - 310, Add a
backward-compatibility version patch that removes the new field
deployment_modes.agentless.release for older schema versions (before: 3.6.1);
specifically create a patch under the manifest schema's versions array that
targets before: 3.6.1 and deletes the
policy_templates[*].deployment_modes.agentless.release entry so older
format_version values will not accept this new field. Ensure the patch
references the exact path policy_templates[].deployment_modes.agentless.release
and follows existing patch structure used for other removed fields.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@spec/integration/manifest.spec.yml`:
- Around line 298-310: Add a backward-compatibility version patch that removes
the new field deployment_modes.agentless.release for older schema versions
(before: 3.6.1); specifically create a patch under the manifest schema's
versions array that targets before: 3.6.1 and deletes the
policy_templates[*].deployment_modes.agentless.release entry so older
format_version values will not accept this new field. Ensure the patch
references the exact path policy_templates[].deployment_modes.agentless.release
and follows existing patch structure used for other removed fields.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7851cc51-f971-4bee-83b9-859483422622

📥 Commits

Reviewing files that changed from the base of the PR and between 18ad1df and 26d9b88.

📒 Files selected for processing (1)

• spec/integration/manifest.spec.yml

[teresaromero]

will it be single too if Default.Enabled == nil ?

maybe we can extract this to a smaller helper validateAgentlessReleaseDeployment so the main function is cleaner? we could just add unit tests based on the input (manifest struct), and then add test under the validation tests packages with fixtures, wdyt?

[MichelLosier]

Good idea! Added this in 789b7d3

will it be single too if Default.Enabled == nil ?

From my understanding if Default.Enabled == nil then absence get translated into implicitly supporting "agent" deployment, which means we have more than 1 deployment mode with agentless.

[MichelLosier]

@teresaromero Changed the direction here a little bit, to just accept ga and beta as values for release, with beta` as the implied default as to the comment here: #1098 (comment)

[MichelLosier]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#18315

[mrodm]

This should be moved to a new section 3.6.3-next, since 3.6.0-3.6.2 were already released/published.

[mrodm]

At the moment of reviewing this PR, there are 70 packages using deployment_modes in their manifests in the integrations repository.

That would mean that all of them would be considered as beta when the kibana change is merged (and released). Could that be an issue ?

[MichelLosier]

Ya that is currently the intent, all agentless deployments are considered beta except for CSPM.

That said, currently re-visiting the default value behavior here: #1098 (comment)

I've staged up a PR for CSPM as GA: elastic/integrations#18552

[teresaromero]

👍🏻 . i wonder if this is not a patch but a minor version update, as we are adding a new field 🤔

[MichelLosier]

i wonder if this is not a patch but a minor version update, as we are adding a new field

Good catch, it does require a Kibana version to be interpreted, but that said it does not require packages to constrain to that Kibana version. Docs will consume this separately. The next minor does seem to be the better home.

I've also updated the description of the field regarding the defaulting behavior in Kibana as discussed in the most recent comments here: #1098

This should be all the changes intended from my end.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: a154d36

History

• 💚 Build #2115 succeeded 9c48de5
• 💚 Build #2103 succeeded 041333f
• 💚 Build #2028 succeeded f506cbc
• 💚 Build #2025 succeeded dc1b1dc
• 💔 Build #2024 failed 20f5f3e
• 💚 Build #2020 succeeded c5fd750

[teresaromero]

👍🏻 thanks!