Add fleet reserved variable validation

[MichelLosier]

What does this PR do?

• Adds validation around the inclusion of use_apm, and data_stream.dataset variable overrides, which fleet already injects automatically if not present.
• use_apm
  • is of type bool
  • is used only on otelcol inputs of streams that are traces or dynamic_signal_types
• data_stream.dataset
  • is of type text

Where we do injection in fleet, but defer to existing declarations:

• https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/fleet/common/services/policy_template.ts#L212-L221

Why is it important?

While already allowing integrations to decide on the default value of these special handled variables, these validations make sure that the expected variable types and constraints are observed.

Checklist

• I have added test packages to test/packages that prove my change is effective.
• I have added an entry in spec/changelog.yml.

Related issues

• Closes: [Change Proposal] Support providing a default value for use_apm variable in integration type packages #1100

[MichelLosier]

test integrations

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 937c5d04-73e9-4add-b0e0-483ccbc32eae

📥 Commits

Reviewing files that changed from the base of the PR and between 7f1d76c and f38767f.

📒 Files selected for processing (7)

• code/go/internal/validator/semantic/validate_fleet_reserved_vars.go
• code/go/internal/validator/spec.go
• spec/changelog.yml
• test/packages/bad_input_fleet_reserved_vars/manifest.yml
• test/packages/bad_integration_fleet_reserved_vars/manifest.yml
• test/packages/good_input_fleet_reserved_vars/manifest.yml
• test/packages/good_integration_fleet_reserved_vars/manifest.yml

✅ Files skipped from review due to trivial changes (5)

• spec/changelog.yml
• test/packages/good_input_fleet_reserved_vars/manifest.yml
• test/packages/good_integration_fleet_reserved_vars/manifest.yml
• test/packages/bad_integration_fleet_reserved_vars/manifest.yml
• test/packages/bad_input_fleet_reserved_vars/manifest.yml

---

📝 Walkthrough

Walkthrough

A new semantic validator ValidateFleetReservedVars was added and wired into the spec validation pipeline (gated for pkg types integration/input and version >= 3.6.1). It reads package manifests (including data-stream manifests), normalizes streams, and validates Fleet-reserved variables: use_apm must appear only on otelcol inputs, be declared as type bool, and is permitted only for traces streams unless dynamic_signal_types: true; data_stream.dataset must be type text. Tests and package fixtures for valid and invalid cases were added.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	PR implements validation for Fleet-reserved variables (use_apm, data_stream.dataset) with type enforcement and eligibility constraints, matching issue #1100 requirements.
Out of Scope Changes check	✅ Passed	All changes are scoped to reserved variable validation: semantic validator implementation, comprehensive test coverage, integration test fixtures, and changelog updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

• 🛠️ Update Documentation: Commit on current branch
• 🛠️ Update Documentation: Create PR

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@code/go/internal/validator/spec.go`:
- Line 233: The semantic validator registration for ValidateFleetReservedVars is
currently unconditional; update its entry in the validator registrations list
(the slice containing {fn: semantic.ValidateFleetReservedVars}) to include the
package types it applies to (e.g., types.Integration or the appropriate types
enum) via a types field and add the since field with the spec version when this
validator was introduced (e.g., "vX.Y.Z"), so the rule is only enforced for the
intended package type(s) and for specs at or after that version.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4c6725de-024d-40e3-b069-bd15b3c09c76

📥 Commits

Reviewing files that changed from the base of the PR and between 06b46cb and 7f1d76c.

📒 Files selected for processing (29)

• code/go/internal/validator/semantic/validate_fleet_reserved_vars.go
• code/go/internal/validator/semantic/validate_fleet_reserved_vars_test.go
• code/go/internal/validator/spec.go
• code/go/pkg/validator/validator_test.go
• test/packages/bad_input_fleet_reserved_vars/agent/input/input.yml.hbs
• test/packages/bad_input_fleet_reserved_vars/changelog.yml
• test/packages/bad_input_fleet_reserved_vars/docs/README.md
• test/packages/bad_input_fleet_reserved_vars/manifest.yml
• test/packages/bad_integration_fleet_reserved_vars/LICENSE.txt
• test/packages/bad_integration_fleet_reserved_vars/changelog.yml
• test/packages/bad_integration_fleet_reserved_vars/data_stream/sample/agent/stream/stream.yml.hbs
• test/packages/bad_integration_fleet_reserved_vars/data_stream/sample/fields/base-fields.yml
• test/packages/bad_integration_fleet_reserved_vars/data_stream/sample/manifest.yml
• test/packages/bad_integration_fleet_reserved_vars/docs/README.md
• test/packages/bad_integration_fleet_reserved_vars/manifest.yml
• test/packages/good_input_fleet_reserved_vars/agent/input/input.yml.hbs
• test/packages/good_input_fleet_reserved_vars/changelog.yml
• test/packages/good_input_fleet_reserved_vars/docs/README.md
• test/packages/good_input_fleet_reserved_vars/manifest.yml
• test/packages/good_integration_fleet_reserved_vars/LICENSE.txt
• test/packages/good_integration_fleet_reserved_vars/changelog.yml
• test/packages/good_integration_fleet_reserved_vars/data_stream/log/agent/stream/stream.yml.hbs
• test/packages/good_integration_fleet_reserved_vars/data_stream/log/fields/base-fields.yml
• test/packages/good_integration_fleet_reserved_vars/data_stream/log/manifest.yml
• test/packages/good_integration_fleet_reserved_vars/data_stream/otel/agent/stream/stream.yml.hbs
• test/packages/good_integration_fleet_reserved_vars/data_stream/otel/fields/base-fields.yml
• test/packages/good_integration_fleet_reserved_vars/data_stream/otel/manifest.yml
• test/packages/good_integration_fleet_reserved_vars/docs/README.md
• test/packages/good_integration_fleet_reserved_vars/manifest.yml

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#18319

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 7f1d76c

History

• 💚 Build #2033 succeeded ee912db

[teresaromero]

i always struggle with path construction between linux/windows. use path.Join instead to avoid slash errors between platforms

[teresaromero]

i see the tests passed with this config 🤔 interesting

[MichelLosier]

oof yes, good catch! 😄

[teresaromero]

looks good! couple thoughts:

• variables for integrations can be defined also at package root level (vars) and policy template input level (vars), i think we are missing these cases. for input packages is also a vars at root level and the one at the policy templates
• i was thinking if perhaps instead of creating the streams variables and then running again a loop, we could run validation on the only loop when normalizing. this way we just go through once and we can append validation errors on the go, skipping the variables we are not interested. if i read correctly, the streams list have variables we dont even care. wdyt?