diff --git a/x-pack/elastic-agent/pkg/agent/cmd/container.go b/x-pack/elastic-agent/pkg/agent/cmd/container.go index cc925d0cb4e..f64654d66e7 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/container.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/container.go @@ -96,6 +96,7 @@ The following actions are possible and grouped based on the actions. FLEET_SERVER_ELASTICSEARCH_USERNAME - elasticsearch username for Fleet Server [$ELASTICSEARCH_USERNAME] FLEET_SERVER_ELASTICSEARCH_PASSWORD - elasticsearch password for Fleet Server [$ELASTICSEARCH_PASSWORD] FLEET_SERVER_ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch [$ELASTICSEARCH_CA] + FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch FLEET_SERVER_SERVICE_TOKEN - service token to use for communication with elasticsearch FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself ("Default Fleet Server policy" used when undefined) FLEET_SERVER_HOST - binding host for Fleet Server HTTP (overrides the policy). By default this is 0.0.0.0. @@ -378,6 +379,9 @@ func buildEnrollArgs(cfg setupConfig, token string, policyID string) ([]string, if cfg.FleetServer.InsecureHTTP || cfg.Fleet.Insecure { args = append(args, "--insecure") } + if cfg.FleetServer.Elasticsearch.Insecure { + args = append(args, "--fleet-server-es-insecure") + } } else { if cfg.Fleet.URL == "" { return nil, errors.New("FLEET_URL is required when FLEET_ENROLL is true without FLEET_SERVER_ENABLE") diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go index 2966c7dafe8..934f1dbc6d2 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go 
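Review bot: The new help line for `FLEET_SERVER_ELASTICSEARCH_INSECURE` in the first container.go hunk (-96) does not say that the value is a boolean or what is lost when it is set. With validation off, the Elasticsearch username, password and service token documented on the neighbouring lines are sent to an endpoint whose identity is not checked. I would word it as `FLEET_SERVER_ELASTICSEARCH_INSECURE - (bool) disables TLS certificate validation for communication with Elasticsearch; not for production use`. The matching CLI flag added in enroll.go (hunk at -53) has the vaguer text `Disables validation of certificates` and should name the Elasticsearch connection too, so it is not confused with the existing `--insecure` flag.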
@@ -53,6 +53,7 @@ func addEnrollFlags(cmd *cobra.Command) { cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet") cmd.Flags().StringP("fleet-server-es", "", "", "Start and run a Fleet Server along side this Elastic Agent connecting to the provided elasticsearch") cmd.Flags().StringP("fleet-server-es-ca", "", "", "Path to certificate authority to use with communicate with elasticsearch") + cmd.Flags().BoolP("fleet-server-es-insecure", "", false, "Disables validation of certificates") cmd.Flags().StringP("fleet-server-service-token", "", "", "Service token to use for communication with elasticsearch") cmd.Flags().StringP("fleet-server-policy", "", "", "Start and run a Fleet Server on this specific policy") cmd.Flags().StringP("fleet-server-host", "", "", "Fleet Server HTTP binding host (overrides the policy)") @@ -79,6 +80,7 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string } fServer, _ := cmd.Flags().GetString("fleet-server-es") fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca") + fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure") fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token") fPolicy, _ := cmd.Flags().GetString("fleet-server-policy") fHost, _ := cmd.Flags().GetString("fleet-server-host") @@ -174,6 +176,17 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string args = append(args, k+"="+v) } +<<<<<<< HEAD +======= + if delayEnroll { + args = append(args, "--delay-enroll") + } + + if fElasticSearchInsecure { + args = append(args, "--fleet-server-es-insecure") + } + +>>>>>>> 62d84db2a4 ([Elastic-Agent] Modify output to be insecure if flag is provided (#28007)) return args } 
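Review bot: Unresolved merge-conflict markers are added as source lines in the hunk at -174 (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 62d84db2a4 (...)`), so enroll.go will not compile as committed. The same markers are added in the enroll() hunks at -266 and -280 and in enroll_cmd.go at -71, -85, -265 and -462. They need to be resolved by hand rather than by taking one side: the incoming side here uses `delayEnroll`, which no visible hunk declares, and in enroll_cmd.go it reads `c.options.ProxyURL` where HEAD reads `c.options.FleetServer.ProxyURL`, while the incoming `enrollCmdFleetServerOption` lacks the `ProxyURL`/`ProxyDisabled`/`ProxyHeaders` fields that HEAD keeps. buildEnrollmentFlags begins outside this hunk, so whether `delayEnroll` exists on this branch should be checked before the markers are removed.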
@@ -236,6 +249,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error { enrollmentToken, _ := cmd.Flags().GetString("enrollment-token") fServer, _ := cmd.Flags().GetString("fleet-server-es") fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca") + fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure") fHeaders, _ := cmd.Flags().GetStringSlice("header") fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token") fPolicy, _ := cmd.Flags().GetString("fleet-server-policy") @@ -266,6 +280,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error { Staging: staging, FixPermissions: fromInstall, FleetServer: enrollCmdFleetServerOption{ +<<<<<<< HEAD ConnStr: fServer, ElasticsearchCA: fElasticSearchCA, ServiceToken: fServiceToken, @@ -280,6 +295,20 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error { ProxyURL: fProxyURL, ProxyDisabled: fProxyDisabled, ProxyHeaders: mapFromEnvList(fProxyHeaders), +======= + ConnStr: fServer, + ElasticsearchCA: fElasticSearchCA, + ElasticsearchInsecure: fElasticSearchInsecure, + ServiceToken: fServiceToken, + PolicyID: fPolicy, + Host: fHost, + Port: fPort, + Cert: fCert, + CertKey: fCertKey, + Insecure: fInsecure, + SpawnAgent: !fromInstall, + Headers: mapFromEnvList(fHeaders), +>>>>>>> 62d84db2a4 ([Elastic-Agent] Modify output to be insecure if flag is provided (#28007)) }, } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go index e49ce7de5dd..c347c565743 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go @@ -71,6 +71,7 @@ type enrollCmd struct { // enrollCmdFleetServerOption define all the supported enrollment options for bootstrapping with Fleet Server. type enrollCmdFleetServerOption struct { +<<<<<<< HEAD ConnStr string ElasticsearchCA string ServiceToken string 
@@ -85,6 +86,20 @@ type enrollCmdFleetServerOption struct { ProxyURL string ProxyDisabled bool ProxyHeaders map[string]string +======= + ConnStr string + ElasticsearchCA string + ElasticsearchInsecure bool + ServiceToken string + PolicyID string + Host string + Port uint16 + Cert string + CertKey string + Insecure bool + SpawnAgent bool + Headers map[string]string +>>>>>>> 62d84db2a4 ([Elastic-Agent] Modify output to be insecure if flag is provided (#28007)) } // enrollCmdOption define all the supported enrollment option. @@ -265,9 +280,16 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context) (string, error) { c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.Headers, +<<<<<<< HEAD c.options.FleetServer.ProxyURL, c.options.FleetServer.ProxyDisabled, c.options.FleetServer.ProxyHeaders, +======= + c.options.ProxyURL, + c.options.ProxyDisabled, + c.options.ProxyHeaders, + c.options.FleetServer.ElasticsearchInsecure, +>>>>>>> 62d84db2a4 ([Elastic-Agent] Modify output to be insecure if flag is provided (#28007)) ) if err != nil { return "", err @@ -462,7 +484,13 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.Headers, +<<<<<<< HEAD c.options.FleetServer.ProxyURL, c.options.FleetServer.ProxyDisabled, c.options.FleetServer.ProxyHeaders) +======= + c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders, + c.options.FleetServer.ElasticsearchInsecure, + ) +>>>>>>> 62d84db2a4 ([Elastic-Agent] Modify output to be insecure if flag is provided (#28007)) if err != nil { return err } 
@@ -765,16 +793,21 @@ func createFleetServerBootstrapConfig( proxyURL string, proxyDisabled bool, proxyHeaders map[string]string, + insecure bool, ) (*configuration.FleetAgentConfig, error) { localFleetServer := connStr != "" - es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken) + es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken, insecure) if err != nil { return nil, err } if esCA != "" { - es.TLS = &tlscommon.Config{ - CAs: []string{esCA}, + if es.TLS == nil { + es.TLS = &tlscommon.Config{ + CAs: []string{esCA}, + } + } else { + es.TLS.CAs = []string{esCA} } } if host == "" { @@ -816,6 +849,9 @@ func createFleetServerBootstrapConfig( Key: key, }, } + if insecure { + cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone + } } if localFleetServer { diff --git a/x-pack/elastic-agent/pkg/agent/cmd/inspect.go b/x-pack/elastic-agent/pkg/agent/cmd/inspect.go index 16b589bf9d1..b9dd8da58df 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/inspect.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/inspect.go @@ -259,6 +259,7 @@ func getProgramsFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, cfg *c if err != nil { return nil, err } + composableWaiter := newWaitForCompose(composableCtrl) configModifiers := &pipeline.ConfigModifiers{ Decorators: []pipeline.DecoratorFunc{modifiers.InjectMonitoring}, diff --git a/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go b/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go index 4330c967e9f..95057ebd431 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go @@ -43,6 +43,7 @@ type elasticsearchConfig struct { Username string `config:"username"` Password string `config:"password"` ServiceToken string `config:"service_token"` + Insecure bool `config:"insecure"` } type kibanaConfig struct { 
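Review bot: When both `esCA` and `insecure` are set, the new `else` branch in the hunk at -765 stores the CA on a TLS config whose `VerificationMode` was already set to `tlscommon.VerifyNone` by `ElasticsearchFromConnStr`, so the CA the operator supplied is accepted but presumably never enforced. I would either reject the combination or say so in place, e.g. a comment `// insecure wins: esCA is recorded but certificates are not verified` above `es.TLS.CAs = []string{esCA}`. The new parameter is also named just `insecure` in a function that handles the Fleet Server's own TLS settings as well; `esInsecure` would make clear that it is meant for the Elasticsearch connection. The function body continues past the hunk.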
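Review bot: `cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone` in the hunk at -816 applies the Elasticsearch flag to the Fleet Server's own TLS block (the one holding `Key: key` just above), which is wider than what the flag's help text promises ("disables cert validation for communication with Elasticsearch"). What this mode changes on the server side is not visible in the diff, so if it is intentional it deserves a comment saying why. Otherwise the three added lines should be dropped and the server-side setting left to the existing Fleet Server options. The enclosing `if` block starts outside the hunk.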
@@ -91,6 +92,7 @@ func defaultAccessConfig() (setupConfig, error) { Password: envWithDefault("changeme", "FLEET_SERVER_ELASTICSEARCH_PASSWORD", "ELASTICSEARCH_PASSWORD"), ServiceToken: envWithDefault("", "FLEET_SERVER_SERVICE_TOKEN"), CA: envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA", "ELASTICSEARCH_CA"), + Insecure: envBool("FLEET_SERVER_ELASTICSEARCH_INSECURE"), }, Enable: envBool("FLEET_SERVER_ENABLE"), Host: envWithDefault("", "FLEET_SERVER_HOST"), diff --git a/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go b/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go index eacc22bf141..25298c6e2b5 100644 --- a/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go +++ b/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go @@ -47,7 +47,7 @@ type Elasticsearch struct { } // ElasticsearchFromConnStr returns an Elasticsearch configuration from the connection string. -func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch, error) { +func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) (Elasticsearch, error) { u, err := url.Parse(conn) if err != nil { return Elasticsearch{}, err @@ -64,6 +64,11 @@ func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch, Path: u.Path, TLS: nil, } + if insecure { + cfg.TLS = &tlscommon.Config{ + VerificationMode: tlscommon.VerifyNone, + } + } if serviceToken != "" { cfg.ServiceToken = serviceToken return cfg, nil diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go index 31bb2faaa7c..742453eb489 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go 
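Review bot: The doc comment on `ElasticsearchFromConnStr` (fleet_server.go, hunk at -47) was left unchanged although the exported function gained an `insecure` parameter that turns certificate verification off in the hunk at -64. I would extend it with `// When insecure is true the returned configuration has TLS.VerificationMode set to tlscommon.VerifyNone, so the Elasticsearch certificate is not validated.` Callers outside this package then see the security consequence without reading the body. The function body starts and ends outside the hunk at -64.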
@@ -104,6 +104,11 @@ func (d *Dict) Find(key string) (Node, bool) { return nil, false } +// Insert inserts a value into a collection. +func (d *Dict) Insert(node Node) { + d.value = append(d.value, node) +} + func (d *Dict) String() string { var sb strings.Builder for i := 0; i < len(d.value); i++ {
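Review bot: `Insert` appends unconditionally, so calling it with a node whose key is already present leaves two entries for that key in the dict, and which one a later `Find` returns depends on code outside this hunk. The comment `Insert inserts a value into a collection.` should state that behaviour, e.g. `// Insert appends node to the dict. It does not check for an existing entry with the same key; callers should use Find first.` If this method is what injects the verification setting into an output, a duplicate key could leave the effective value ambiguous, which is worth ruling out at the call site.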