[Fleet] Unable to enroll a Fleet server in a policy with more than 10 inactive enrollment tokens

[nchaulet]

It's not possible to install a Fleet server in a policy with more than 10 inactive enrollment tokens.

let say you have a fleet-server-policy with 10 inactive enrollment tokens and 1 active installing Fleet server results in Fleet stuck in the following state

{"log.level":"info","@timestamp":"2022-10-26T14:14:32.693Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":792},"message":"Fleet Server - Waiting on active enrollment keys to be created in policy with Fleet Server integration: fleet-server-policy","ecs.version":"1.6.0"}

I think the issue is because we fetch all enrollment token (active or not) in a policy without size parameter, by default ES search return only the 10 first document matching the search, so the active token could not be returned.

Potential solutions

We should probably pass a size paramter when fetching enrollment tokens, we could also filter on active tokens in the query instead of doing the filtering on Fleet sever here

fleet-server/internal/pkg/policy/self.go

Line 231 in df33e2f

tokens = filterActiveTokens(tokens)

[michel-laterman]

It should be pretty straightforward to query for active tokens, @kpollich should we backport a fix to 8.5?

[kpollich]

Yes let's look to backport this for sure.