systemtest: use known fleet-server TLS certs (#5427) (#5432)

Generate and use a cert/key pair for fleet-server, and supply the CA certificate to the elastic-agent container in tests. (cherry picked from commit e18957c) Co-authored-by: Andrew Wilkins <[email protected]>
elastic · Jun 10, 2021 · 9588023 · 9588023
1 parent 45ab387
commit 9588023
Show file tree

Hide file tree

Showing 5 changed files with 97 additions and 1 deletion.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -97,12 +97,18 @@ services:
       FLEET_SERVER_ELASTICSEARCH_HOST: http://elasticsearch:9200
       FLEET_SERVER_ELASTICSEARCH_USERNAME: "${ES_SUPERUSER_USER:-admin}"
       FLEET_SERVER_ELASTICSEARCH_PASSWORD: "${ES_SUPERUSER_PASS:-changeme}"
+      FLEET_SERVER_CERT: /etc/pki/tls/certs/fleet-server.pem
+      FLEET_SERVER_CERT_KEY: /etc/pki/tls/private/fleet-server-key.pem
+      FLEET_URL: https://fleet-server:8220
       KIBANA_FLEET_SETUP: "true"
       KIBANA_HOST: "http://kibana:5601"
       KIBANA_USERNAME: "${ES_SUPERUSER_USER:-admin}"
       KIBANA_PASSWORD: "${ES_SUPERUSER_PASS:-changeme}"
     depends_on:
       elasticsearch: { condition: service_healthy }
+    volumes:
+      - "./testing/docker/fleet-server/certificate.pem:/etc/pki/tls/certs/fleet-server.pem"
+      - "./testing/docker/fleet-server/key.pem:/etc/pki/tls/private/fleet-server-key.pem"
 
   package-registry:
     image: docker.elastic.co/package-registry/distribution:snapshot

diff --git a/systemtest/containers.go b/systemtest/containers.go
@@ -30,6 +30,7 @@ import (
 	"os"
 	"os/exec"
 	"path"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -365,7 +366,6 @@ func (c *ElasticAgentContainer) Start() error {
 	defer cancel()
 
 	// Update request from user-definable fields.
-	c.request.Env["FLEET_INSECURE"] = "1"
 	c.request.Env["FLEET_URL"] = c.fleetServerURL
 	if c.FleetEnrollmentToken != "" {
 		c.request.Env["FLEET_ENROLL"] = "1"
@@ -379,6 +379,15 @@ func (c *ElasticAgentContainer) Start() error {
 		c.request.BindMounts[source] = path.Join(c.installDir, target)
 	}
 
+	// Inject CA certificate for verifying fleet-server.
+	containerCACertPath := "/etc/pki/tls/certs/fleet-ca.pem"
+	hostCACertPath, err := filepath.Abs("../testing/docker/fleet-server/ca.pem")
+	if err != nil {
+		return err
+	}
+	c.request.BindMounts[hostCACertPath] = containerCACertPath
+	c.request.Env["FLEET_CA"] = containerCACertPath
+
 	container, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
 		ContainerRequest: c.request,
 	})

diff --git a/testing/docker/fleet-server/ca.pem b/testing/docker/fleet-server/ca.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuTCCAyGgAwIBAgIQP5xwBoeDe2Fa7GyUeDrLfzANBgkqhkiG9w0BAQsFADB1
+MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExJTAjBgNVBAsMHGFuZHJl
+d0Bnb2F0IChBbmRyZXcgV2lsa2lucykxLDAqBgNVBAMMI21rY2VydCBhbmRyZXdA
+Z29hdCAoQW5kcmV3IFdpbGtpbnMpMB4XDTIxMDYxMDAyMDEzM1oXDTMxMDYxMDAy
+MDEzM1owdTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMSUwIwYDVQQL
+DBxhbmRyZXdAZ29hdCAoQW5kcmV3IFdpbGtpbnMpMSwwKgYDVQQDDCNta2NlcnQg
+YW5kcmV3QGdvYXQgKEFuZHJldyBXaWxraW5zKTCCAaIwDQYJKoZIhvcNAQEBBQAD
+ggGPADCCAYoCggGBAOaFTfeUzZ7Vgudh6KrfWryPSGXrAhngDOBjRp4tlOhypsW+
+ybUXB49YHmFvnZH6gwUl6WG1ixKVUAMc/jQEePCBsEkeUuqV1U0P734YpAqjuRJf
+t9Xf/Efo4OYwBDsOD071V9YADig9lD1qIEFyuXJ99rzPWBFw8tNuA3/Xnxzh9zUa
+heL3aQ03V2b8Wkhf7Q3g5btwQt0fhEFo2tTuY4H5iSn/84QvgHAj7pyWvDFMPOo4
+LTnRC0hEtxCbmcviEpN/rbswOuLdTpie+Q4jIPm/WBkOr8ckTRAC7njtXCijxFEY
+WywBCZPT40FleeI3h74Md5wnffchZvr6yNN00K6trguTFPBKC4c4XG7NBlHxSIEo
+oF2b7y+X4iV9JNoMaYLvi12GYhHddnv8Cr1OdVSVlXqM1DInXk+g4fDeKmZy+Ffv
+QwnEtX5CKCCbJC/sJphrRsrgM6tq5uxFA5rxwBk1hmizqkL8jCWKY6LKDvfUXPMF
+JHTH+o3a6ewuwPV78QIDAQABo0UwQzAOBgNVHQ8BAf8EBAMCAgQwEgYDVR0TAQH/
+BAgwBgEB/wIBADAdBgNVHQ4EFgQUxzrrY8H5mamcn5Yx7eKno5atZ8YwDQYJKoZI
+hvcNAQELBQADggGBAI1JNxY8KBHNi3yg8sW6jlsMo/lqS0ghSJiPWbLAIE9CpNRJ
+lyhKc0J4TQKHKav/PY5AmoEC8pOluncz7jeaCsk5l9vv1iYJp1KU7EQwEsafRMS9
+TupwnJ4GvW2je085RGByNPnEBUfa99g5fF9l0SBLcqYZo2EJeXTzOoUmoOSI45wU
+0A2r3X4ucDs5eTw/6mA3GHsm92JDODxZWVRlZ5OQZVhHo6fm2J0Gy+tOslypZiI3
+mV0XhF9MVASLwC7GBsQ2yOt3AXRi7gBzxezhzsrxh2iCxOo3A5FlDp88gXzsgI4m
+k5YFhnDAm6aYYIJnjotTVNG6BN9e/YH91vKuNax7h9oaSIjxolMe9TR+tnG7DZ6K
+5A18hXi9lnnHXvRJrHuVFBMxaU16lLNM+bh1l00HEs0owG8x713zGY90hq9EW8Js
+X/5fO5U4u6C6QBOtV1+U11MyTyM62j+6yWnUaPELWD0R0LmzvnwQCrHWSQ2o+2IY
+mhU21Ex5j9nxU4tFuQ==
+-----END CERTIFICATE-----
diff --git a/testing/docker/fleet-server/certificate.pem b/testing/docker/fleet-server/certificate.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEOzCCAqOgAwIBAgIQMbTNJXcilk0w4lgVeOqmyjANBgkqhkiG9w0BAQsFADB1
+MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExJTAjBgNVBAsMHGFuZHJl
+d0Bnb2F0IChBbmRyZXcgV2lsa2lucykxLDAqBgNVBAMMI21rY2VydCBhbmRyZXdA
+Z29hdCAoQW5kcmV3IFdpbGtpbnMpMB4XDTIxMDYxMDAyMDE0NloXDTIzMDkxMDAy
+MDE0NlowUDEnMCUGA1UEChMebWtjZXJ0IGRldmVsb3BtZW50IGNlcnRpZmljYXRl
+MSUwIwYDVQQLDBxhbmRyZXdAZ29hdCAoQW5kcmV3IFdpbGtpbnMpMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+ZMTi2V878ZKLVTNbllVGOO8RLzLDMF
+oBxK6oOAu4H8B4gIefsmacuruEd58iBbl0mAWPS+ii8YqsfkVAtVvkVXvnNZGObh
+XTRfI1ytQ9w2ADobQY08z0uw7wUsv4bk1evoBpWedMomwmCJQ693scNLAfHoOds2
+0yrg0UOiuwZGS6clID1Fn+Aiwit8hwqvEAC3nT5jq9vIxgCQQoyKzmA/prGyUqkp
+MvMP4E77Jtm1L0wPffsC0/69J2ZNBfwT2cR0R+5C3sglarIK3QAZFPK90HGFVWOz
+GweU1kscL744myuj55wugchSkm3JzDgv1hitngy5fd294q9CGPIQiwIDAQABo2ww
+ajAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHwYDVR0jBBgw
+FoAUxzrrY8H5mamcn5Yx7eKno5atZ8YwIgYDVR0RBBswGYIMZmxlZXQtc2VydmVy
+gglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggGBAKKq2OTw4+qpn86dU2njn44/
+DCmQet1UTtgNuLEiM18noaEOChEt/yjBmtgiLWtDBUb5JSz92Qgrk4inKXSg0MuV
+RyvVej10A/rkKrS3zLozukEZQAAjNlS5nkRExT/ZAjFUcBQiDYTieSVgN2kKmMQJ
+kQteqP+UdcS4KFkJYUz3Iijdmxq3m9NWnGJShUacp5jKv/Bhcw4MMbL5EWr6Wt6t
+1qGXY7O96IFSTQtnWcHy2IVUSwom+Fkk3Oy24qWoxVvC0l7jsBLwvhtbMaHO5Adw
+ORVRzk0Imk2faC7r8/Lv/el7g558TLPvo99K7YhWkDUYhVGNv3Wf3eT4JszRI4J0
+jHJ31EN+OIWg37gKYKBPqFMtykYjtJChvnPxzncGA1RauT03dIZAc3Y2b65o5MjG
+C8FPbsCWWHbHWJA3hGzv5C3klBJpX/OLM56gT5RPBMOLAcIKq802WIahfaQqkSKl
+8uOasEBXQYWzQtAj/h8kAicI7z1gcl4PUM6uZimE6A==
+-----END CERTIFICATE-----
diff --git a/testing/docker/fleet-server/key.pem b/testing/docker/fleet-server/key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDz5kxOLZXzvxko
+tVM1uWVUY47xEvMsMwWgHErqg4C7gfwHiAh5+yZpy6u4R3nyIFuXSYBY9L6KLxiq
+x+RUC1W+RVe+c1kY5uFdNF8jXK1D3DYAOhtBjTzPS7DvBSy/huTV6+gGlZ50yibC
+YIlDr3exw0sB8eg52zbTKuDRQ6K7BkZLpyUgPUWf4CLCK3yHCq8QALedPmOr28jG
+AJBCjIrOYD+msbJSqSky8w/gTvsm2bUvTA99+wLT/r0nZk0F/BPZxHRH7kLeyCVq
+sgrdABkU8r3QcYVVY7MbB5TWSxwvvjibK6PnnC6ByFKSbcnMOC/WGK2eDLl93b3i
+r0IY8hCLAgMBAAECggEBANbdMKXCpRKpbDmfnCF9JVZ1qqyYHB/5BuCpbBozJUqK
+1YOxBH6pkYqsQahDV5vFg8rAltBHNEC6AsoY9P5RSgUoQ4dlSL2WUD1y8MlPUNiy
+e+QxTGewTDz2mnXHIkfMR3Zpr+t1DbYnjIO61dIKF7FDsaWR/hpSE3duk8XnBsoo
+oaWoYZY/cUhNT8fhbPbVSf+2ExrIsA228qkUfgasVcf8CNHVtvyxvX73ipuM8CyH
+97p9gDL2YpRgVvs2BfQ0fzf54KRXuwcUGlKP+wzsgSoPoBHDJW1hRfTzlnXqKBe1
+V21kIFgW3wshBanX35pOOZxYvEC3u3Z1nf8RFAKov3kCgYEA93hrl5HR5HzEF9UV
+gHlNhwVoO4t83tvecUWgbhXtHdvJADPQCriPI4hTbcYCFDtPmULAMS7QdxmcTyMR
+kVnx6M8r+tgfEXZyO3T091A6OAPsf+TNfXTHczWMPVrY3btVKFOhzUiLRwBABX0g
+tbjfjzoUg+4wEAsBIYOLAc8XIRcCgYEA/E5e3VppjgCEUWMEd2GZV+Olh8sqr7XL
+ER19tUlbtg4K9/arAXuZ3ATMeORqViRKULIxdsEcINim1RD3z/c2b5Jur2Oq0Z6c
+vLvr7+jO4UExQq5RHPfELBxVQqBrSXKFAsUjrdF4rIGpJSIL7mzckmQuX1LcukVH
+g4iSs/ldbK0CgYAS6v++nIUhJHCRKdb09VD5623mb2liWAiPPDVhdQelarHY9B0J
+VMaMftVx5Nsv1MDnBHVQzTVehXSvkAy9wdR+aagBCxiE6zscVHqNlXJ96b7goAsd
+dhnxMry/y/wcJ0ABTzNlUBBlox1Bzij7+2ALwPLkiwbdkxnJCBdOUhiAjQKBgB1q
+ocLbHL1yr/qxOb8VgQRvRUhs1qA/6Noo/xQY5nl2b67zcoKsv4aYhKJ/tyot9wAr
+lnrLDxWBTQpAfTQhFZaykvcd/reL76hNnLePBDfdGvo0Sr6+4H9oGkS3YWrh0EI/
+a+aDKreqMmdi7dMxnBHxXjq89YE+PJVIYhpbs5nNAoGAE+XPHxu2d+Mke8MewkwS
+fIb0NyPvuDQzBIFGmD9Ycqtyfu1KUESQF2xVZm0UEhRltVjbnGopnng2cYDjyO3V
+2q4L0z1vw02wYZ7Unzb7zX4hfa914g8XwkL1xwCowmiTw5p7UJkWRL7Nv/JXyW5t
+/o22TWgyQO0gAm1KTFkTqkM=
+-----END PRIVATE KEY-----