-
Notifications
You must be signed in to change notification settings - Fork 121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read and apply mTLS config from policy #4398
base: main
Are you sure you want to change the base?
Conversation
Pinging @elastic/elastic-agent (Team:Elastic-Agent) |
dev-tools/notice/overrides.json
Outdated
@@ -1,5 +1,6 @@ | |||
{"name": "github.com/elastic/beats/v7", "licenceType": "Elastic"} | |||
{"name": "github.com/elastic/elastic-agent-client/v7", "licenceType": "Elastic"} | |||
{"name": "github.com/AndersonQ/elastic-agent-libs", "licenceType": "Elastic"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Waiting elastic/elastic-agent-libs#189 to be merged
go.mod
Outdated
@@ -282,3 +282,5 @@ replace ( | |||
|
|||
// Exclude this version because the version has an invalid checksum. | |||
exclude github.com/docker/distribution v2.8.0+incompatible | |||
|
|||
replace github.com/elastic/elastic-agent-libs => github.com/AndersonQ/elastic-agent-libs v0.0.0-20240307144511-b45f19396c67 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Waiting elastic/elastic-agent-libs#189 to be merged
This pull request is now in conflicts. Could you fix it? 🙏
|
dev-tools/notice/overrides.json
Outdated
@@ -1,5 +1,6 @@ | |||
{"name": "github.com/elastic/beats/v7", "licenceType": "Elastic"} | |||
{"name": "github.com/elastic/elastic-agent-client/v7", "licenceType": "Elastic"} | |||
{"name": "github.com/AndersonQ/elastic-agent-libs", "licenceType": "Apache-2.0"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Waiting elastic/elastic-agent-libs#189 to be merged
return false | ||
} | ||
} | ||
|
||
// should it ignore empty headers? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Empty headers from Fleet? This should have the same precedence rules as everything else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, empty proxy headers. Thinking better bout it, if there is a new or non-nil/non-empty proxy config, if the new has no headers, we need to override them. So I think it's correct as it's right now
if cfg.Transport.TLS.Certificate == emptyCertificate { | ||
h.log.Debug("TLS certificate/key from fleet are empty or null, the TLS config will not be changed") | ||
} else { | ||
h.config.Fleet.Client.Transport.TLS.Certificate = cfg.Transport.TLS.Certificate |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the Certificate configuration from Fleet always complete? Does it or could it ever allow updating only individual fields?
If it does this unintentionally clears the ones that weren't set, for example if someone sets only the Certificate
but not the Key
and Key
were set previously.
I suppose if this happened unintentionally and broke things it would be reverted, but it would be hard for a user to debug.
We either need to make debugging that failure easier or just prevent it from happening entirely.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the Certificate configuration from Fleet always complete?
Well, I don't see how one would change a certificate and not the key and the key's passphrase.
Besides again we're in the problem of "remove it" or "no change". Changing it all atomically seems to me the best and less error prone approach.
@cmacknz I did the changes or replied to your comments. Could you re-review |
These questions aren't answered yet :) If you are testing this manually, the instructions need to be the PR description. |
my bad, I missed them.
No, but I can test
I don't think we can with our current setup. It cannot be tested with Elastic Cloud, but we could modify the mock fleet-server to have TLS or the mock proxy. Either would do |
Quality Gate passedThe SonarQube Quality Gate passed, but some issues were introduced. 3 New issues |
defaultcfg := configuration.DefaultFleetAgentConfig() | ||
|
||
if cfg.Protocol != defaultcfg.Client.Protocol || | ||
cfg.Host != defaultcfg.Client.Host || |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what if you're changing from localhost:5602 to localhost:5601
"new_proxy_url", cfg.Transport.Proxy.URL.String()) | ||
} else { | ||
h.log.Debugw("received proxy from fleet, applying it", | ||
"old_proxy_url", "nil", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can be simplified with string variable oldProxy = h.config.Fleet.Client.Transport.Proxy.URL != nil ? h.config.Fleet.Client.Transport.Proxy.URL.String() : "nil"
c# syntax but you get the idea
This pull request is now in conflicts. Could you fix it? 🙏
|
|
What does this PR do?
Receive and apply:
fleet.ssl.certificate_authorities
fleet.ssl.certificate
fleet.ssl.key
fleet.ssl.key_passphrase
fleet.ssl.key_passphrase_path
The policy provided config has precedence over the CLI parameters and an empty or absent config on a policy is ignored.
Why is it important?
The Elastic Agent should support mTLS for communicating with fleet-server.
Checklist
[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration files./changelog/fragments
using the changelog tool[ ] I have added an integration test or an E2E testHow to test this PR locally
Related issues
fleet.ssl.certificate_authorities
from agent policy #2247fleet.ssl.certificate
andfleet.ssl.key
from agent policy #2248Questions to ask yourself