[Elastic Agent] Add options to bootstrap Fleet Server with TLS #24142

Merged
merged 4 commits into from
Feb 23, 2021

blakerouse
Contributor

What does this PR do?

Adds command line arguments to enroll and install so Fleet Server can be bootstrapped with TLS enabled. By default if no options are provided a self-signed certificate is generated and the Elastic Agent communicates to the local bootstrapped Fleet Server with a pinned CA.

Why is it important?

Required so Fleet Server is bootstrapped securely in the default case and to provide the ability for custom certificates to be used for bootstrapping Fleet Server in production.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@blakerouse added the Team:Elastic-Agent label Feb 20, 2021
@blakerouse self-assigned this Feb 20, 2021
@botelastic bot added the needs_team label and removed the needs_team label Feb 20, 2021
@blakerouse blakerouse marked this pull request as ready for review February 20, 2021 00:27
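
The default described in the PR description (generate a self-signed certificate, then have the client trust only that CA) is shown below as an added example; it is not code from this PR or from Elastic Agent. The `Demo` function, the Ed25519 key, the one-hour validity and the `httptest` server standing in for Fleet Server are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Demo serves HTTPS with a generated self-signed cert and tries a pinned and an unpinned client.
func Demo() (pinnedOK, defaultOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	tmpl := &x509.Certificate{ // constructed: short-lived certificate that is its own CA
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "bootstrap-example"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:     true, BasicConstraintsValid: true, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // template == parent: self-signed
	if err != nil {
		return false, false, err
	}
	srv := httptest.NewUnstartedServer(http.NotFoundHandler()) // stand-in for the local server
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}
	srv.StartTLS()
	defer srv.Close()
	pinned := x509.NewCertPool() // trust store holding only the generated CA
	pinned.AddCert(srv.Certificate())
	get := func(roots *x509.CertPool) bool { // nil roots means the system trust store
		c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
		resp, err := c.Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		return err == nil
	}
	return get(pinned), get(nil), nil
}

func main() { fmt.Println(Demo()) }
```

The pinned client completes the handshake because its only trusted root is the generated certificate; the client using the system trust store rejects the same server, which is the property that makes the self-signed default safe for the local connection.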
@elasticmachine
Collaborator

Pinging @elastic/agent (Team:Agent)

@elasticmachine
Collaborator

Pinging @elastic/ingest-management (Team:Ingest Management)

@elasticmachine
Collaborator

elasticmachine commented Feb 20, 2021

💚 Build Succeeded


Build stats

  • Build Cause: blakerouse commented: /test

  • Start Time: 2021-02-22T13:11:12.350+0000

  • Duration: 52 min 57 sec

  • Commit: df28575

Test stats 🧪

Test Results
Failed 0
Passed 6534
Skipped 16
Total 6550

💚 Flaky test report

Tests succeeded.

@blakerouse
Contributor Author

/test

Contributor

@michalpristas michalpristas left a comment

change looks good overall, we're starting to have a lot of flags
tested for regression on mac/linux seems ok

return errors.New("certificate private key is required when certificate provided")
}
if c.options.FleetServerCertKey != "" && c.options.FleetServerCert == "" {
return errors.New("certificate is required when certificate private key is provided")
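
Review bot: the two error strings in this pair of checks are worded inconsistently. The first return reads "certificate private key is required when certificate provided" (the verb is dropped), while the second reads "certificate is required when certificate private key is provided". Suggest making them parallel, e.g. "... when certificate is provided", and mentioning in each message which command-line option the user needs to add, since neither message says how to supply the missing half of the pair.
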
Contributor

can we add TypeSecurity or TypeConfig here

Contributor Author

these are printed to stdout and not logged, so I think it's best to just make them simple messages so it's clear when using the CLI

host = "localhost"
}
port := c.options.FleetServerPort
if port == 0 {
Contributor

can this be negative?

Contributor Author

no, it's a uint16

@blakerouse blakerouse merged commit 74b6e5e into elastic:master Feb 23, 2021
@blakerouse blakerouse deleted the agent-fleet-server-ssl branch February 23, 2021 18:34
blakerouse added a commit to blakerouse/beats that referenced this pull request Feb 23, 2021
…ic#24142)

* Add support for SSL with bootstrapping fleet-server.

* Run mage fmt.

* Fix issues with enrollment w/ fleet-server.

* Add changelog.

(cherry picked from commit 74b6e5e)
blakerouse added a commit that referenced this pull request Mar 2, 2021
… (#24191)

* Add support for SSL with bootstrapping fleet-server.

* Run mage fmt.

* Fix issues with enrollment w/ fleet-server.

* Add changelog.

(cherry picked from commit 74b6e5e)
Labels
Team:Elastic-Agent Label for the Agent team v7.13.0