Apply mTLS config from policy #4770
Conversation
This pull request does not have a backport label. Could you fix it @pchila? 🙏
NOTE: This pull request is now in conflicts. Could you fix it? 🙏
d51dcc1 to a457ba3
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)
5b7af1a to bd9fe64
Quality Gate passed
# - security: impacts on the security of a product or a user’s deployment. | ||
# - upgrade: important information for someone upgrading from a prior version | ||
# - other: does not fit into any of the other categories | ||
kind: bug-fix |
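Review bot: `kind: bug-fix` on the last line does not match the change this fragment describes: loading certificate authorities from the policy is new behaviour rather than a defect fix, and the template's own category list above includes `security` for changes that affect the security of a product or a user's deployment. `feature` (or `security`, since the fragment concerns the trust store used for Fleet Server connections) reads as the better label.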
IIUC, mTLS (Agent presenting a certificate to Fleet Server / proxy) is a new feature, so this should probably be feature or enhancement?
kind: bug-fix | |
kind: feature |
Issue #2247 is flagged as bug so I put this as bug-fix... this changelog is related to reading Certificate Authorities from fleet policy, the other fragment is for presenting a certificate to Fleet server.
The other fragment is also flagged as bug-fix but that one is pointing to #2248 which is labeled as enhancement
Ha, I think both should be enhancements but this is probably best decided by @nimarezainia.
kind: bug-fix | ||
# Change summary; a 80ish characters long description of the change. | ||
summary: Load fleet.ssl.certificate_authorities from agent policy |
Could we rephrase this in more end-user-friendly terms?
What does this PR do?
This PR implements reading and applying the TLS configuration for the Fleet client, using the CA, certificate and key included in the Fleet policy.
This PR:
Note to reviewers: the refactor of the ProxyURL integration tests has been moved to PR #4813, so for an initial review you can look at this set of commits, or wait until PR #4813 is merged and this PR is rebased onto the new main.
Why is it important?
Configuring TLS via the policy allows the agent to connect to Fleet (possibly via a proxy) using custom CAs, or to enable mTLS (certificate verification of both the client and the server).
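As an added example (not code from this PR or from the elastic-agent project), the following Go program shows the mapping the description refers to. A hypothetical FleetSSL struct stands in for the policy's fleet.ssl section; BuildTLSConfig turns its PEM values into a client tls.Config (the CAs become RootCAs, certificate plus key become the client certificate, and a half-configured pair is rejected instead of silently falling back to one-way TLS); MutualHandshake exercises the result against an in-process loopback server that requires a client certificate, which is what "mTLS" means in the description. Every certificate, the names "Fleet test CA", "fleet-server.example" and "elastic-agent", and the loopback server are constructed for this example and are not the project's own values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// FleetSSL carries the PEM values of the policy's fleet.ssl section
// (a hypothetical struct for this example, not the project's own config type).
type FleetSSL struct {
	CertificateAuthorities []string // fleet.ssl.certificate_authorities
	Certificate            string   // fleet.ssl.certificate
	Key                    string   // fleet.ssl.key
}

// BuildTLSConfig maps the policy onto a client *tls.Config: the CAs become the
// trust store for Fleet Server (or a proxy in front of it), certificate+key the
// client certificate for mTLS. A half-set pair is rejected rather than silently
// downgrading to one-way TLS.
func BuildTLSConfig(p FleetSSL) (*tls.Config, error) {
	tc := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(p.CertificateAuthorities) > 0 {
		tc.RootCAs = x509.NewCertPool()
		for i, ca := range p.CertificateAuthorities {
			if !tc.RootCAs.AppendCertsFromPEM([]byte(ca)) {
				return nil, fmt.Errorf("certificate_authorities[%d]: no PEM certificate found", i)
			}
		}
	}
	if (p.Certificate == "") != (p.Key == "") {
		return nil, errors.New("fleet.ssl.certificate and fleet.ssl.key must both be set")
	}
	if p.Certificate != "" {
		pair, err := tls.X509KeyPair([]byte(p.Certificate), []byte(p.Key))
		if err != nil {
			return nil, fmt.Errorf("client certificate: %w", err)
		}
		tc.Certificates = []tls.Certificate{pair}
	}
	return tc, nil
}

// keyCert is constructed key material for the demo; must panics because it
// only builds test scaffolding.
type keyCert struct {
	key             *ecdsa.PrivateKey
	cert            *x509.Certificate
	certPEM, keyPEM string
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 key and certificate for cn; parent == nil yields a self-signed CA root.
func issue(cn string, dns []string, parent *keyCert) *keyCert {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent CA signs it
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &keyCert{key, must(x509.ParseCertificate(der)),
		string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(key))}))}
}

// MutualHandshake runs one loopback handshake against a server that requires a
// client certificate chaining to clientCA. The server's verdict is awaited
// explicitly: a TLS 1.3 client finishes before the server has checked its
// certificate, so a rejection only surfaces on the server side.
func MutualHandshake(client *tls.Config, server, clientCA *keyCert, serverName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA.cert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.cert.Raw}, PrivateKey: server.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	serr := make(chan error, 1)
	go func() { // server side: accept one connection and run its handshake
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		serr <- err
	}()
	cfg := client.Clone()
	cfg.ServerName = serverName // the name the policy-derived trust store must validate
	c, cerr := tls.Dial("tcp", ln.Addr().String(), cfg)
	serverErr := <-serr
	if cerr != nil {
		return cerr
	}
	c.Close()
	return serverErr
}

func main() {
	ca := issue("Fleet test CA", nil, nil)
	srv := issue("fleet-server", []string{"fleet-server.example"}, ca)
	agent := issue("elastic-agent", nil, ca)
	tc := must(BuildTLSConfig(FleetSSL{[]string{ca.certPEM}, agent.certPEM, agent.keyPEM}))
	fmt.Println("mTLS handshake error:", MutualHandshake(tc, srv, ca, "fleet-server.example"))
}
```

Running main prints a nil error for the full policy. Dropping the certificate and key from the policy still lets the client finish its side of the handshake, but the server rejects the connection for the missing client certificate, which is why MutualHandshake waits for the server's result rather than trusting the client's view alone.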
Checklist
[ ] I have made corresponding changes to the documentation
[ ] I have made corresponding change to the default configuration files
[ ] I have added an entry in ./changelog/fragments using the changelog tool
Disruptive User Impact
How to test this PR locally
In order to test this PR we need:
Related issues
- fleet.ssl.certificate_authorities from agent policy #2247
- fleet.ssl.certificate and fleet.ssl.key from agent policy #2248
Questions to ask yourself