Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Read and apply mTLS config from policy #4398

Closed
wants to merge 33 commits into from
Closed

Read and apply mTLS config from policy #4398

wants to merge 33 commits into from

Conversation

AndersonQ
Copy link
Member

@AndersonQ AndersonQ commented Mar 11, 2024
edited
Loading

What does this PR do?

Receive and apply:

  • fleet.ssl.certificate_authorities
  • fleet.ssl.certificate
  • fleet.ssl.key
  • fleet.ssl.key_passphrase
  • fleet.ssl.key_passphrase_path

The policy provided config has precedence over the CLI parameters and an empty or absent config on a policy is ignored.

Why is it important?

The Elastic Agent should support mTLS for communicating with fleet-server.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • [ ] I have added an integration test or an E2E test

How to test this PR locally

Related issues

Questions to ask yourself

  • How are we going to support this in production?
  • How are we going to measure its adoption?
  • How are we going to debug this?
  • What are the metrics I should take care of?
  • ...

@AndersonQ AndersonQ added Team:Elastic-Agent Label for the Agent team backport-skip labels Mar 11, 2024
@AndersonQ AndersonQ self-assigned this Mar 11, 2024
@AndersonQ AndersonQ requested a review from a team as a code owner March 11, 2024 15:49
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

AndersonQ
AndersonQ commented Mar 11, 2024
View reviewed changes
dev-tools/notice/overrides.json Outdated
@@ -1,5 +1,6 @@
{"name": "github.com/elastic/beats/v7", "licenceType": "Elastic"}
{"name": "github.com/elastic/elastic-agent-client/v7", "licenceType": "Elastic"}
{"name": "github.com/AndersonQ/elastic-agent-libs", "licenceType": "Elastic"}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Waiting elastic/elastic-agent-libs#189 to be merged

AndersonQ
AndersonQ commented Mar 11, 2024
View reviewed changes
go.mod Outdated
@@ -282,3 +282,5 @@ replace (

// Exclude this version because the version has an invalid checksum.
exclude github.com/docker/distribution v2.8.0+incompatible

replace github.com/elastic/elastic-agent-libs => github.com/AndersonQ/elastic-agent-libs v0.0.0-20240307144511-b45f19396c67
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Waiting elastic/elastic-agent-libs#189 to be merged

@AndersonQ AndersonQ marked this pull request as draft March 13, 2024 13:36
@mergify Mergify
Copy link
Contributor

mergify bot commented Mar 19, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 2247-mtls upstream/2247-mtls
git merge upstream/main
git push upstream 2247-mtls

AndersonQ
AndersonQ commented Mar 19, 2024
View reviewed changes
dev-tools/notice/overrides.json Outdated
@@ -1,5 +1,6 @@
{"name": "github.com/elastic/beats/v7", "licenceType": "Elastic"}
{"name": "github.com/elastic/elastic-agent-client/v7", "licenceType": "Elastic"}
{"name": "github.com/AndersonQ/elastic-agent-libs", "licenceType": "Apache-2.0"}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Waiting elastic/elastic-agent-libs#189 to be merged

@AndersonQ AndersonQ requested a review from cmacknz March 21, 2024 15:21
@AndersonQ
Copy link
Member Author

@cmacknz I did the changes or replied to your comments. Could you re-review

@cmacknz
Copy link
Member

cmacknz commented Mar 21, 2024

Was this tested against a real instance of Fleet (or Fleet Server)?

Is there any way we can integration test this? If anything here is broken in an unexpected way Fleet connectivity gets completely broken so lets be as thorough as we can.

These questions aren't answered yet :)

If you are testing this manually, the instructions need to be the PR description.

@AndersonQ
Copy link
Member Author

my bad, I missed them.

Was this tested against a real instance of Fleet (or Fleet Server)?

No, but I can test

Is there any way we can integration test this? If anything here is broken in an unexpected way Fleet connectivity gets completely broken so lets be as thorough as we can.

I don't think we can with our current setup. It cannot be tested with Elastic Cloud, but we could modify the mock fleet-server to have TLS or the mock proxy. Either would do

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

The SonarQube Quality Gate passed, but some issues were introduced.

3 New issues
0 Security Hotspots
68.0% 68.0% Coverage on New Code
0.0% 0.0% Duplication on New Code

See analysis details on SonarQube

michalpristas
michalpristas reviewed Apr 3, 2024
View reviewed changes
internal/pkg/agent/application/actions/handlers/handler_action_policy_change.go
defaultcfg := configuration.DefaultFleetAgentConfig()

if cfg.Protocol != defaultcfg.Client.Protocol ||
cfg.Host != defaultcfg.Client.Host ||
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what if you're changing from localhost:5602 to localhost:5601

michalpristas
michalpristas reviewed Apr 3, 2024
View reviewed changes
internal/pkg/agent/application/actions/handlers/handler_action_policy_change.go
"new_proxy_url", cfg.Transport.Proxy.URL.String())
} else {
h.log.Debugw("received proxy from fleet, applying it",
"old_proxy_url", "nil",
Copy link
Contributor

@michalpristas michalpristas Apr 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can be simplified with string variable oldProxy = h.config.Fleet.Client.Transport.Proxy.URL != nil ? h.config.Fleet.Client.Transport.Proxy.URL.String() : "nil"
c# syntax but you get the idea

@AndersonQ AndersonQ marked this pull request as draft April 12, 2024 13:19
@mergify Mergify
Copy link
Contributor

mergify bot commented Apr 15, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 2247-mtls upstream/2247-mtls
git merge upstream/main
git push upstream 2247-mtls

@ycombinator
Copy link
Contributor

I don't think we can with our current setup. It cannot be tested with Elastic Cloud, but we could modify the mock fleet-server to have TLS or the mock proxy. Either would do

#4497

This was referenced May 10, 2024
Closed
Closed
@pchila pchila mentioned this pull request May 16, 2024
Merged
5 tasks
@AndersonQ
Copy link
Member Author

closed in favour of #4770

@AndersonQ AndersonQ closed this Jun 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michalpristas michalpristas michalpristas left review comments

@blakerouse blakerouse Awaiting requested review from blakerouse blakerouse is a code owner automatically assigned from elastic/elastic-agent-control-plane

@leehinman leehinman Awaiting requested review from leehinman

@cmacknz cmacknz Awaiting requested review from cmacknz

Assignees

@AndersonQ AndersonQ

Labels
backport-skip Team:Elastic-Agent Label for the Agent team
Projects
None yet
Milestone
No milestone
5 participants
@AndersonQ @elasticmachine @cmacknz @ycombinator @michalpristas