Introduce apm-server.auth.* config (#5457)

* Introduce `apm-server.auth.*` config

Introduce the new AgentAuth config structure, which
holds API Key and secret token auth. Later we will
add "anonymous" auth here too.

We also introduce a new YAML naming scheme for the
config, `apm-server.auth.*`. The old config is
deprecated and copied across to the new config fields.

* docs: update config names

* apmpackage: update auth config keys

(cherry picked from commit fc60576)

# Conflicts:
#	apmpackage/apm/agent/input/template.yml.hbs
#	beater/config/config.go
#	beater/jaeger/server.go
#	beater/processors.go
#	beater/server.go
#	changelogs/head.asciidoc

apmpackage/apm/agent/input/template.yml.hbs

@@ -1,7 +1,17 @@
 apm-server:
+<<<<<<< HEAD
     api_key:
         enabled: {{api_key_enabled}}
         limit: {{api_key_limit}}
+=======
+    host: {{host}}
+    auth:
+        secret_token: {{secret_token}}
+        api_key:
+            enabled: {{api_key_enabled}}
+            limit: {{api_key_limit}}
+    max_event_size: {{max_event_bytes}}
+>>>>>>> fc605761 (Introduce `apm-server.auth.*` config (#5457))
     capture_personal_data: {{capture_personal_data}}
     idle_timeout: {{idle_timeout}}
     default_service_environment: {{default_service_environment}}
@@ -28,6 +38,7 @@ apm-server:
         enabled: {{enable_rum}}
         event_rate.limit: {{rum_event_rate_limit}}
         event_rate.lru_size: {{rum_event_rate_lru_size}}
+<<<<<<< HEAD
         exclude_from_grouping: {{rum_exclude_from_grouping}}
         library_pattern: {{rum_library_pattern}}
         response_headers: {{rum_response_headers}}
@@ -53,3 +64,5 @@ apm-server:
         {{/each}}
     {{/if}}
     write_timeout: {{write_timeout}}
+=======
+>>>>>>> fc605761 (Introduce `apm-server.auth.*` config (#5457))

beater/config/config.go

@@ -200,6 +200,9 @@ func DefaultConfig() *Config {
 		Sampling:            defaultSamplingConfig(),
 		DataStreams:         defaultDataStreamsConfig(),
 		AgentAuth:           defaultAgentAuth(),
+<<<<<<< HEAD
 		JavaAttacherConfig:  defaultJavaAttacherConfig(),
+=======
+>>>>>>> fc605761 (Introduce `apm-server.auth.*` config (#5457))
 	}
 }

beater/jaeger/server.go

@@ -83,7 +83,16 @@ func NewServer(
 		if cfg.JaegerConfig.GRPC.AuthTag != "" {
 			// By default auth is not required for Jaeger - users
 			// must explicitly specify which tag to use.
+<<<<<<< HEAD
 			agentAuth = cfg.AgentAuth
+=======
+			// TODO(axw) share auth builder with beater/api.
+			var err error
+			authBuilder, err = authorization.NewBuilder(cfg.AgentAuth)
+			if err != nil {
+				return nil, err
+			}
+>>>>>>> fc605761 (Introduce `apm-server.auth.*` config (#5457))
 		}
 		authBuilder, err := authorization.NewBuilder(agentAuth)
 		if err != nil {

beater/processors.go

@@ -20,7 +20,10 @@ package beater
 import (
 	"context"
 	"fmt"
+<<<<<<< HEAD:beater/processors.go
 	"time"
+=======
+>>>>>>> fc605761 (Introduce `apm-server.auth.*` config (#5457)):beater/authprocessor.go
 
 	"github.com/elastic/apm-server/beater/authorization"
 	"github.com/elastic/apm-server/beater/ratelimit"
@@ -45,6 +48,7 @@ func verifyAuthorizedFor(ctx context.Context, meta *model.Metadata) error {
 		return nil
 	}
 	return fmt.Errorf("%w: %s", authorization.ErrUnauthorized, result.Reason)
+<<<<<<< HEAD:beater/processors.go
 }
 
 // rateLimitBatchProcessor is a model.BatchProcessor that rate limits based on
@@ -59,4 +63,6 @@ func rateLimitBatchProcessor(ctx context.Context, batch *model.Batch) error {
 		}
 	}
 	return nil
+=======
+>>>>>>> fc605761 (Introduce `apm-server.auth.*` config (#5457)):beater/authprocessor.go
 }

beater/server.go

@@ -120,12 +120,17 @@ func newServer(
 	reporter publish.Reporter,
 	batchProcessor model.BatchProcessor,
 ) (server, error) {
+<<<<<<< HEAD
 	agentcfgFetchReporter := agentcfg.NewReporter(agentcfg.NewFetcher(cfg), batchProcessor, 30*time.Second)
 	ratelimitStore, err := ratelimit.NewStore(
 		cfg.RumConfig.EventRate.LruSize,
 		cfg.RumConfig.EventRate.Limit,
 		3, // burst multiplier
 	)
+=======
+	fetcher := agentcfg.NewFetcher(cfg)
+	httpServer, err := newHTTPServer(logger, info, cfg, tracer, reporter, batchProcessor, fetcher)
+>>>>>>> fc605761 (Introduce `apm-server.auth.*` config (#5457))
 	if err != nil {
 		return server{}, err
 	}

changelogs/head.asciidoc

@@ -0,0 +1,37 @@
+[[release-notes-head]]
+== APM Server version HEAD
+
+https://github.com/elastic/apm-server/compare/7.13\...master[View commits]
+
+[float]
+==== Breaking Changes
+* Removed monitoring counters `apm-server.processor.stream.errors.{queue,server,closed}` {pull}5453[5453]
+
+[float]
+==== Bug fixes
+* Fix panic due to misaligned 64-bit access on 32-bit architectures {pull}5277[5277]
+* Fixed tail-based sampling pubsub to use _seq_no correctly {pull}5126[5126]
+* Removed service name from dataset {pull}5451[5451]
+
+[float]
+==== Intake API Changes
+
+[float]
+==== Added
+* Support setting agent configuration from apm-server.yml {pull}5177[5177]
+* Add metric_type and unit to field metadata of system metrics {pull}5230[5230]
+* Display apm-server url in fleet ui's apm-server integration {pull}4895[4895]
+* Translate otel messaging.* semantic conventions to ECS {pull}5334[5334]
+* Add support for dynamic histogram metrics {pull}5239[5239]
+* Tail-sampling processor now resumes subscription from previous position after restart {pull}5350[5350]
+* Add support for histograms to metrics intake {pull}5360[5360]
+* Upgrade Go to 1.16.5 {pull}5454[5454]
+* Add units to metric fields {pull}5395[5395]
+* Add support for adjusting OTel event timestamps using `telemetry.sdk.elastic_export_timestamp` {pull}5433[5433]
+* Add support for OpenTelemetry labels describing mobile connectivity {pull}5436[5436]
+* Introduce `apm-server.auth.*` config {pull}5457[5457]
+
+[float]
+==== Deprecated
+* `apm-server.secret_token` is now `apm-server.auth.secret_token` {pull}5457[5457]
+* `apm-server.api_key` is now `apm-server.auth.api_key` {pull}5457[5457]