Read and apply mTLS config from policy #4398
Conversation
|
Pinging @elastic/elastic-agent (Team:Elastic-Agent) |
dev-tools/notice/overrides.json
Outdated
| @@ -1,5 +1,6 @@ | |||
| {"name": "github.com/elastic/beats/v7", "licenceType": "Elastic"} | |||
| {"name": "github.com/elastic/elastic-agent-client/v7", "licenceType": "Elastic"} | |||
| {"name": "github.com/AndersonQ/elastic-agent-libs", "licenceType": "Elastic"} | |||
There was a problem hiding this comment.
Waiting elastic/elastic-agent-libs#189 to be merged
go.mod
Outdated
| @@ -282,3 +282,5 @@ replace ( | |||
|
|
|||
| // Exclude this version because the version has an invalid checksum. | |||
| exclude github.com/docker/distribution v2.8.0+incompatible | |||
|
|
|||
| replace github.com/elastic/elastic-agent-libs => github.com/AndersonQ/elastic-agent-libs v0.0.0-20240307144511-b45f19396c67 | |||
There was a problem hiding this comment.
Waiting elastic/elastic-agent-libs#189 to be merged
|
This pull request is now in conflicts. Could you fix it? 🙏 |
dev-tools/notice/overrides.json
Outdated
| @@ -1,5 +1,6 @@ | |||
| {"name": "github.com/elastic/beats/v7", "licenceType": "Elastic"} | |||
| {"name": "github.com/elastic/elastic-agent-client/v7", "licenceType": "Elastic"} | |||
| {"name": "github.com/AndersonQ/elastic-agent-libs", "licenceType": "Apache-2.0"} | |||
There was a problem hiding this comment.
Waiting elastic/elastic-agent-libs#189 to be merged
| return false | ||
| } | ||
| } | ||
|
|
||
| // should it ignore empty headers? |
There was a problem hiding this comment.
Empty headers from Fleet? This should have the same precedence rules as everything else.
There was a problem hiding this comment.
yes, empty proxy headers. Thinking better bout it, if there is a new or non-nil/non-empty proxy config, if the new has no headers, we need to override them. So I think it's correct as it's right now
| if cfg.Transport.TLS.Certificate == emptyCertificate { | ||
| h.log.Debug("TLS certificate/key from fleet are empty or null, the TLS config will not be changed") | ||
| } else { | ||
| h.config.Fleet.Client.Transport.TLS.Certificate = cfg.Transport.TLS.Certificate |
There was a problem hiding this comment.
Is the Certificate configuration from Fleet always complete? Does it or could it ever allow updating only individual fields?
If it does this unintentionally clears the ones that weren't set, for example if someone sets only the Certificate but not the Key and Key were set previously.
I suppose if this happened unintentionally and broke things it would be reverted, but it would be hard for a user to debug.
We either need to make debugging that failure easier or just prevent it from happening entirely.
There was a problem hiding this comment.
Is the Certificate configuration from Fleet always complete?
Well, I don't see how one would change a certificate and not the key and the key's passphrase.
Besides again we're in the problem of "remove it" or "no change". Changing it all atomically seems to me the best and less error prone approach.
|
@cmacknz I did the changes or replied to your comments. Could you re-review |
These questions aren't answered yet :) If you are testing this manually, the instructions need to be the PR description. |
|
my bad, I missed them.
No, but I can test
I don't think we can with our current setup. It cannot be tested with Elastic Cloud, but we could modify the mock fleet-server to have TLS or the mock proxy. Either would do |
|
68.0% Coverage on New Code
0.0% Duplication on New Code
| defaultcfg := configuration.DefaultFleetAgentConfig() | ||
|
|
||
| if cfg.Protocol != defaultcfg.Client.Protocol || | ||
| cfg.Host != defaultcfg.Client.Host || |
There was a problem hiding this comment.
what if you're changing from localhost:5602 to localhost:5601
| "new_proxy_url", cfg.Transport.Proxy.URL.String()) | ||
| } else { | ||
| h.log.Debugw("received proxy from fleet, applying it", | ||
| "old_proxy_url", "nil", |
There was a problem hiding this comment.
can be simplified with string variable oldProxy = h.config.Fleet.Client.Transport.Proxy.URL != nil ? h.config.Fleet.Client.Transport.Proxy.URL.String() : "nil"
c# syntax but you get the idea
|
This pull request is now in conflicts. Could you fix it? 🙏 |
|
What does this PR do?
Receive and apply:
fleet.ssl.certificate_authoritiesfleet.ssl.certificatefleet.ssl.keyfleet.ssl.key_passphrasefleet.ssl.key_passphrase_pathThe policy provided config has precedence over the CLI parameters and an empty or absent config on a policy is ignored.
Why is it important?
The Elastic Agent should support mTLS for communicating with fleet-server.
Checklist
[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration files./changelog/fragmentsusing the changelog tool[ ] I have added an integration test or an E2E testHow to test this PR locally
Related issues
fleet.ssl.certificate_authoritiesfrom agent policy #2247fleet.ssl.certificateandfleet.ssl.keyfrom agent policy #2248Questions to ask yourself