From 5495670e4c7c4d9b5b76951ec8455899b7a7ca37 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 26 Nov 2025 09:27:09 -0800 Subject: [PATCH 1/7] Add cloud-defend to agent packages. --- dev-tools/packaging/packages.yml | 10 ++++++++++ .../templates/docker/Dockerfile.elastic-agent.tmpl | 1 + dev-tools/packaging/templates/ironbank/Dockerfile.tmpl | 3 ++- 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index 30478a5b174..6ef952022fa 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml @@ -95,6 +95,15 @@ components: - *linux-amd64 - *linux-arm64 packageTypes: *all-package-types + - &comp-cloud-defend + projectName: cloud-defend + packageName: cloud-defend-{{.Version}}-{{.Platform}}.{{.Ext}} + rootDir: cloud-defend-{{.Version}}-{{.Platform}} + binaryName: cloud-defend + fips: false + platforms: + - *linux-amd64 + packageTypes: *all-package-types - &comp-connectors projectName: connectors packageName: connectors-{{.Version}}.zip @@ -245,6 +254,7 @@ shared: - *comp-agentbeat - *comp-apm_server - *comp-cloudbeat + - *comp-cloud-defend - *comp-connectors - *comp-endpoint - *comp-fleet-server diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl index 30d0d8e0960..2f54faa2b28 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl 
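Review bot: The new `comp-cloud-defend` entry in the `@@ -95,6 +95,15 @@` hunk lists only `*linux-amd64` under `platforms`, while the component just above it in the context lists both `*linux-amd64` and `*linux-arm64`, so arm64 images built from the shared component list will presumably ship without it. Nothing in the hunk records that this is intentional, and the Dockerfile templates later in this patch tolerate a missing binary with `|| true`, so the gap would not surface at build time. If amd64-only is deliberate, say so above the entry, e.g. `# cloud-defend is built for linux/amd64 only; arm64 images do not include it`. The `@@ -245,6 +254,7 @@` hunk then adds the same anchor to the shared `elastic_agent_components` list, and the `components:` mapping itself starts outside the hunk.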
@@ -39,6 +39,7 @@ RUN true && \ chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/*beat && \ (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/osquery* || true) && \ (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/apm-server || true) && \ + (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/cloud-defend || true) && \ (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/endpoint-security || true) && \ (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/fleet-server || true) && \ (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-collector || true) && \ diff --git a/dev-tools/packaging/templates/ironbank/Dockerfile.tmpl b/dev-tools/packaging/templates/ironbank/Dockerfile.tmpl index 36c47d58780..5df0b6ed64f 100644 --- a/dev-tools/packaging/templates/ironbank/Dockerfile.tmpl +++ b/dev-tools/packaging/templates/ironbank/Dockerfile.tmpl 
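Review bot: The added `(chmod 0755 … /components/cloud-defend || true)` line suppresses every chmod failure, not only the case where the binary is absent, so an image that was meant to carry cloud-defend can build cleanly with the file missing or with the wrong mode. This mirrors the neighbouring lines, but if cloud-defend is relied on as a security control in these images, it is better to tell the two cases apart, for example `(test ! -e {{ $beatHome }}/data/elastic-agent-*/components/cloud-defend || chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/cloud-defend) && \`, which still tolerates absence but fails when the file exists and cannot be made executable (assuming the glob matches a single directory). The identical line added to the ironbank template in `@@ -74,13 +74,14 @@` behaves the same way. The `RUN` instruction starts and ends outside this hunk.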
@@ -74,13 +74,14 @@ RUN find / -xdev -perm -4000 -exec chmod u-s {} + # Provide a non-root user to run the process. RUN groupadd --gid 1000 ${ELASTIC_PRODUCT} && useradd --uid 1000 --gid 1000 --groups 0 --home-dir /usr/share/${ELASTIC_PRODUCT} --no-create-home ${ELASTIC_PRODUCT} -# Elastic Agent permissions +# Elastic Agent permissions RUN find /usr/share//elastic-agent/data -type d -exec chmod 0777 {} \; && \ find /usr/share//elastic-agent/data -type f -exec chmod 0666 {} \; && \ chmod 0755 /usr/share//elastic-agent/data/elastic-agent-*/elastic-agent && \ chmod 0755 /usr/share//elastic-agent/data/elastic-agent-*/components/*beat && \ (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/osquery* || true) && \ (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/apm-server || true) && \ + (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/cloud-defend || true) && \ (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/endpoint-security || true) && \ (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/fleet-server || true) && \ (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/pf-elastic-collector || true) && \ From c821fdc2cd097326a5f04d26718b98ce2f9334c0 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 26 Nov 2025 09:43:53 -0800 Subject: [PATCH 2/7] Add separate cloud/service package configurations In order to exclude cloud-defend from cloud and service images, the package configuration for these image types needed to be separated from the elastic_agent_components. This adds the new configurations, which exclude cloud-defend, and applies them to the these images. --- dev-tools/packaging/packages.yml | 54 +++++++++++++++++++++++++++++--- 1 file changed, 50 insertions(+), 4 deletions(-) diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index 6ef952022fa..95c4f0c937c 100644 --- a/dev-tools/packaging/packages.yml 
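Review bot: The new chmod makes `cloud-defend` 0755, but the two `find` commands at the top of the same `RUN` (context lines) set every directory under `elastic-agent/data` to 0777, which includes `components/`, so any user in the container can rename or replace the binary regardless of its file mode. This predates the commit and applies to the other components as well, but it is worth deciding whether a security component should live in a world-writable directory; if the agent does not need to write there at runtime, a following `chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components && \` would tighten it. Separately, the `# Elastic Agent permissions` comment is removed and re-added with what appears to be only a whitespace difference, which is unrelated churn in this patch. The `RUN` instruction continues past the end of the hunk.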
+++ b/dev-tools/packaging/packages.yml @@ -262,6 +262,19 @@ shared: - *comp-pf-elastic-symbolizer - *comp-pf-host-agent + # components for cloud/service variants (excludes cloud-defend) + - &elastic_agent_cloud_components + components: + - *comp-agentbeat + - *comp-apm_server + - *comp-cloudbeat + - *comp-connectors + - *comp-endpoint + - *comp-fleet-server + - *comp-pf-elastic-collector + - *comp-pf-elastic-symbolizer + - *comp-pf-host-agent + # components included in FIPS-capable elastic-agent package specs - &elastic_agent_fips_components components: @@ -446,6 +459,14 @@ shared: <<: *linux_otel_files <<: *agent_unpacked_components_files + - &agent_cloud_binary_base + <<: *common + <<: *elastic_agent_cloud_components + files: + <<: *agent_binary_files + <<: *linux_otel_files + <<: *agent_unpacked_components_files + - &agent_binary_fips_spec <<: *common_fips <<: *elastic_agent_fips_components @@ -548,6 +569,31 @@ shared: source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d' mode: 0755 + - &agent_cloud_docker_base + <<: *agent_cloud_binary_base + extra_vars: + dockerfile: 'Dockerfile.elastic-agent.tmpl' + docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl' + user: '{{ .BeatName }}' + linux_capabilities: '' + beats_install_path: "install" + files: + 'elastic-agent.yml': + source: 'elastic-agent.docker.yml' + mode: 0600 + config: true + 'otel.yml': + source: 'otel.yml' + mode: 0600 + config: true + '.elastic-agent.active.commit': + content: > + {{ commit }} + mode: 0644 + 'hints.inputs.d': + source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d' + mode: 0755 + - &agent_docker_fips_spec <<: *agent_binary_fips_spec extra_vars: @@ -1468,7 +1514,7 @@ specs: arch: amd64 types: [docker] spec: - <<: *agent_docker_spec + <<: *agent_cloud_docker_base # The cloud image is always based on Wolfi <<: *docker_wolfi_spec <<: *docker_builder_spec 
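Review bot: `elastic_agent_cloud_components` in the `@@ -262,6 +262,19 @@` hunk excludes cloud-defend only by being a hand-copied duplicate of the `elastic_agent_components` list, so a component added to one list later will silently differ in the other. The new comment says what is excluded but not that the two lists must otherwise stay identical; I would extend it to `# components for cloud/service variants: keep identical to elastic_agent_components except for comp-cloud-defend`. The same applies to `agent_cloud_docker_base` in `@@ -548,6 +569,31 @@`, which appears to repeat the `extra_vars` and `files` entries of the docker spec above it (only the tail of that spec is visible in the context), including the `mode: 0600` on `elastic-agent.yml` and `otel.yml`. A later permission change made in one block and not the other would go unnoticed, so a cross-reference comment on both blocks is the minimum.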
@@ -1481,7 +1527,7 @@ specs: arch: arm64 types: [docker] spec: - <<: *agent_docker_spec + <<: *agent_cloud_docker_base # The cloud image is always based on Wolfi <<: *docker_wolfi_arm_spec <<: *docker_builder_arm_spec @@ -1495,7 +1541,7 @@ specs: arch: amd64 types: [ docker ] spec: - <<: *agent_docker_spec + <<: *agent_cloud_docker_base # The service image is always based on Wolfi <<: *docker_wolfi_spec <<: *docker_builder_spec @@ -1509,7 +1555,7 @@ specs: arch: arm64 types: [ docker ] spec: - <<: *agent_docker_spec + <<: *agent_cloud_docker_base # The service image is always based on Wolfi <<: *docker_wolfi_arm_spec <<: *docker_builder_arm_spec From ff3816b994b347240e5086476db594dd68a1f138 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 26 Nov 2025 11:44:33 -0800 Subject: [PATCH 3/7] Use container-specific specs to include cloud-defend In order to exclude cloud-defend in non-container packages, create container-specific specs which include it. --- ...1764188813-add-cloud-defend-packaging.yaml | 45 +++++++++++++++++++ dev-tools/packaging/packages.yml | 16 +++---- 2 files changed, 53 insertions(+), 8 deletions(-) create mode 100644 changelog/fragments/1764188813-add-cloud-defend-packaging.yaml diff --git a/changelog/fragments/1764188813-add-cloud-defend-packaging.yaml b/changelog/fragments/1764188813-add-cloud-defend-packaging.yaml new file mode 100644 index 00000000000..7e008645adc --- /dev/null +++ b/changelog/fragments/1764188813-add-cloud-defend-packaging.yaml 
@@ -0,0 +1,45 @@ +# REQUIRED +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user’s deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: enhancement + +# REQUIRED for all kinds +# Change summary; a 80ish characters long description of the change. +summary: Add cloud-defend to container image agent packages + +# REQUIRED for breaking-change, deprecation, known-issue +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# description: + +# REQUIRED for breaking-change, deprecation, known-issue +# impact: + +# REQUIRED for breaking-change, deprecation, known-issue +# action: + +# REQUIRED for all kinds +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc. +component: elastic-agent + +# AUTOMATED +# OPTIONAL to manually add other PR URLs +# PR URL: A link the PR that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +# pr: https://github.com/owner/repo/1234 + +# AUTOMATED +# OPTIONAL to manually add other issue URLs +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). 
+# If not present is automatically filled by the tooling with the issue linked to the PR number. +# issue: https://github.com/owner/repo/1234 diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index 95c4f0c937c..cafbd224594 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml @@ -103,7 +103,7 @@ components: fips: false platforms: - *linux-amd64 - packageTypes: *all-package-types + packageTypes: *pkg-type-docker - &comp-connectors projectName: connectors packageName: connectors-{{.Version}}.zip @@ -459,7 +459,7 @@ shared: <<: *linux_otel_files <<: *agent_unpacked_components_files - - &agent_cloud_binary_base + - &agent_cloud_binary_spec <<: *common <<: *elastic_agent_cloud_components files: @@ -569,8 +569,8 @@ shared: source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d' mode: 0755 - - &agent_cloud_docker_base - <<: *agent_cloud_binary_base + - &agent_cloud_docker_spec + <<: *agent_cloud_binary_spec extra_vars: dockerfile: 'Dockerfile.elastic-agent.tmpl' docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl' @@ -1514,7 +1514,7 @@ specs: arch: amd64 types: [docker] spec: - <<: *agent_cloud_docker_base + <<: *agent_cloud_docker_spec # The cloud image is always based on Wolfi <<: *docker_wolfi_spec <<: *docker_builder_spec @@ -1527,7 +1527,7 @@ specs: arch: arm64 types: [docker] spec: - <<: *agent_cloud_docker_base + <<: *agent_cloud_docker_spec # The cloud image is always based on Wolfi <<: *docker_wolfi_arm_spec <<: *docker_builder_arm_spec @@ -1541,7 +1541,7 @@ specs: arch: amd64 types: [ docker ] spec: - <<: *agent_cloud_docker_base + <<: *agent_cloud_docker_spec # The service image is always based on Wolfi <<: *docker_wolfi_spec <<: *docker_builder_spec 
@@ -1555,7 +1555,7 @@ specs: arch: arm64 types: [ docker ] spec: - <<: *agent_cloud_docker_base + <<: *agent_cloud_docker_spec # The service image is always based on Wolfi <<: *docker_wolfi_arm_spec <<: *docker_builder_arm_spec From ed3f208d73ea53b542b4ab32b080106a5b611953 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 26 Nov 2025 13:01:41 -0800 Subject: [PATCH 4/7] Change PackageTypes to use a list --- dev-tools/packaging/packages.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index cafbd224594..850eab7b413 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml @@ -103,7 +103,8 @@ components: fips: false platforms: - *linux-amd64 - packageTypes: *pkg-type-docker + packageTypes: + - *pkg-type-docker - &comp-connectors projectName: connectors packageName: connectors-{{.Version}}.zip From 9b1e075c581452788ab4565faeb1889c50f37af0 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Mon, 1 Dec 2025 12:42:40 -0800 Subject: [PATCH 5/7] Set MAGEFILE_VERBOSE (for testing only) --- .buildkite/scripts/steps/integration-package.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/scripts/steps/integration-package.sh b/.buildkite/scripts/steps/integration-package.sh index 0a454d99ded..1e68ae84c93 100755 --- a/.buildkite/scripts/steps/integration-package.sh +++ b/.buildkite/scripts/steps/integration-package.sh @@ -12,5 +12,6 @@ source .buildkite/scripts/common.sh export SNAPSHOT="true" export EXTERNAL="true" export USE_PACKAGE_VERSION="true" +export MAGEFILE_VERBOSE="true" mage package From e77ca83008047b56f4d99ad6d9e0b5e4d8984ed3 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 3 Dec 2025 15:30:42 -0800 Subject: [PATCH 6/7] Revert "Set MAGEFILE_VERBOSE (for testing only)" This reverts commit 9b1e075c581452788ab4565faeb1889c50f37af0. --- .buildkite/scripts/steps/integration-package.sh | 1 - 1 file changed, 1 deletion(-) 
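Review bot: In the `[PATCH 4/7]` hunk `packageTypes` is narrowed to a one-element list holding `*pkg-type-docker`, but `comp-cloud-defend` is still a member of the shared `elastic_agent_components` list from patch 1, so keeping it out of non-container packages depends entirely on the packaging code filtering components by `packageTypes`, which is not visible here. A comment on the entry would make that dependency explicit, e.g. `# docker only: relies on packageTypes filtering to stay out of non-container packages`. A packaging test asserting that a non-docker spec resolves without cloud-defend would catch a regression if that filtering ever changes.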
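Review bot: `export MAGEFILE_VERBOSE="true"` is labelled "for testing only" in the `[PATCH 5/7]` subject, yet after the revert in `[PATCH 6/7]` it is re-applied by `[PATCH 7/7]`, so the series as posted ends with the flag enabled in `integration-package.sh`. Verbose mage output typically echoes the commands it runs, so anything passed on a command line during packaging may end up in CI logs. I would drop patches 5–7 before merge, or if the flag has to stay for now, mark it with `# TODO: remove before merge, debug output only` directly above the export.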
diff --git a/.buildkite/scripts/steps/integration-package.sh b/.buildkite/scripts/steps/integration-package.sh index 1e68ae84c93..0a454d99ded 100755 --- a/.buildkite/scripts/steps/integration-package.sh +++ b/.buildkite/scripts/steps/integration-package.sh @@ -12,6 +12,5 @@ source .buildkite/scripts/common.sh export SNAPSHOT="true" export EXTERNAL="true" export USE_PACKAGE_VERSION="true" -export MAGEFILE_VERBOSE="true" mage package From f7025180f00762f2691d427d8b9b37f9d4f6e792 Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 3 Dec 2025 20:53:17 -0800 Subject: [PATCH 7/7] Reapply "Set MAGEFILE_VERBOSE (for testing only)" This reverts commit e77ca83008047b56f4d99ad6d9e0b5e4d8984ed3. --- .buildkite/scripts/steps/integration-package.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/scripts/steps/integration-package.sh b/.buildkite/scripts/steps/integration-package.sh index 0a454d99ded..1e68ae84c93 100755 --- a/.buildkite/scripts/steps/integration-package.sh +++ b/.buildkite/scripts/steps/integration-package.sh @@ -12,5 +12,6 @@ source .buildkite/scripts/common.sh export SNAPSHOT="true" export EXTERNAL="true" export USE_PACKAGE_VERSION="true" +export MAGEFILE_VERBOSE="true" mage package