[Elastic-Agent] Modify output to be insecure if flag is provided #28007

Merged
merged 12 commits into from
Oct 13, 2021
4 changes: 4 additions & 0 deletions x-pack/elastic-agent/pkg/agent/cmd/container.go
@@ -96,6 +96,7 @@ The following actions are possible and grouped based on the actions.
FLEET_SERVER_ELASTICSEARCH_USERNAME - elasticsearch username for Fleet Server [$ELASTICSEARCH_USERNAME]
FLEET_SERVER_ELASTICSEARCH_PASSWORD - elasticsearch password for Fleet Server [$ELASTICSEARCH_PASSWORD]
FLEET_SERVER_ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch [$ELASTICSEARCH_CA]
FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch
FLEET_SERVER_SERVICE_TOKEN - service token to use for communication with elasticsearch
FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself ("Default Fleet Server policy" used when undefined)
FLEET_SERVER_HOST - binding host for Fleet Server HTTP (overrides the policy). By default this is 0.0.0.0.
@@ -384,6 +385,9 @@ func buildEnrollArgs(cfg setupConfig, token string, policyID string) ([]string,
if cfg.FleetServer.InsecureHTTP || cfg.Fleet.Insecure {
args = append(args, "--insecure")
}
if cfg.FleetServer.Elasticsearch.Insecure {
args = append(args, "--fleet-server-es-insecure")
}
} else {
if cfg.Fleet.URL == "" {
return nil, errors.New("FLEET_URL is required when FLEET_ENROLL is true without FLEET_SERVER_ENABLE")
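Review bot: The new help line for FLEET_SERVER_ELASTICSEARCH_INSECURE does not say that the setting removes the check that the agent is talking to the real Elasticsearch, on the same connection that carries the username/password or service token listed next to it. I would spell that out and point at the safer option, e.g. `FLEET_SERVER_ELASTICSEARCH_INSECURE - disables certificate validation for Elasticsearch (testing only; prefer FLEET_SERVER_ELASTICSEARCH_CA)`. In buildEnrollArgs the flag is appended even when a CA is configured as well; whether the CA still has any effect with verification off is not visible here, so the help text should state which one wins. buildEnrollArgs starts and ends outside the hunk.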
30 changes: 19 additions & 11 deletions x-pack/elastic-agent/pkg/agent/cmd/enroll.go
@@ -54,6 +54,7 @@ func addEnrollFlags(cmd *cobra.Command) {
cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet")
cmd.Flags().StringP("fleet-server-es", "", "", "Start and run a Fleet Server along side this Elastic Agent connecting to the provided elasticsearch")
cmd.Flags().StringP("fleet-server-es-ca", "", "", "Path to certificate authority to use with communicate with elasticsearch")
cmd.Flags().BoolP("fleet-server-es-insecure", "", false, "Disables validation of certificates")
cmd.Flags().StringP("fleet-server-service-token", "", "", "Service token to use for communication with elasticsearch")
cmd.Flags().StringP("fleet-server-policy", "", "", "Start and run a Fleet Server on this specific policy")
cmd.Flags().StringP("fleet-server-host", "", "", "Fleet Server HTTP binding host (overrides the policy)")
@@ -101,6 +102,7 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
}
fServer, _ := cmd.Flags().GetString("fleet-server-es")
fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca")
fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure")
fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token")
fPolicy, _ := cmd.Flags().GetString("fleet-server-policy")
fHost, _ := cmd.Flags().GetString("fleet-server-host")
@@ -201,6 +203,10 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
args = append(args, "--delay-enroll")
}

if fElasticSearchInsecure {
args = append(args, "--fleet-server-es-insecure")
}

return args
}

@@ -268,6 +274,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error {
enrollmentToken, _ := cmd.Flags().GetString("enrollment-token")
fServer, _ := cmd.Flags().GetString("fleet-server-es")
fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca")
fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure")
fHeaders, _ := cmd.Flags().GetStringSlice("header")
fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token")
fPolicy, _ := cmd.Flags().GetString("fleet-server-policy")
@@ -302,17 +309,18 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error {
ProxyHeaders: mapFromEnvList(proxyHeaders),
DelayEnroll: delayEnroll,
FleetServer: enrollCmdFleetServerOption{
ConnStr: fServer,
ElasticsearchCA: fElasticSearchCA,
ServiceToken: fServiceToken,
PolicyID: fPolicy,
Host: fHost,
Port: fPort,
Cert: fCert,
CertKey: fCertKey,
Insecure: fInsecure,
SpawnAgent: !fromInstall,
Headers: mapFromEnvList(fHeaders),
ConnStr: fServer,
ElasticsearchCA: fElasticSearchCA,
ElasticsearchInsecure: fElasticSearchInsecure,
ServiceToken: fServiceToken,
PolicyID: fPolicy,
Host: fHost,
Port: fPort,
Cert: fCert,
CertKey: fCertKey,
Insecure: fInsecure,
SpawnAgent: !fromInstall,
Headers: mapFromEnvList(fHeaders),
},
}
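Review bot: The usage string for `--fleet-server-es-insecure` in addEnrollFlags, `"Disables validation of certificates"`, does not name the connection it applies to, while the same command already carries a general insecure option (`Insecure: fInsecure` in the enroll hunk). An operator reading the help output cannot tell the two apart. I would make the scope explicit, e.g. `"Disables validation of the Elasticsearch server certificate (testing only)"`. The functions touched here all start or end outside their hunks.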

42 changes: 27 additions & 15 deletions x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go
@@ -73,17 +73,18 @@ type enrollCmd struct {

// enrollCmdFleetServerOption define all the supported enrollment options for bootstrapping with Fleet Server.
type enrollCmdFleetServerOption struct {
ConnStr string
ElasticsearchCA string
ServiceToken string
PolicyID string
Host string
Port uint16
Cert string
CertKey string
Insecure bool
SpawnAgent bool
Headers map[string]string
ConnStr string
ElasticsearchCA string
ElasticsearchInsecure bool
ServiceToken string
PolicyID string
Host string
Port uint16
Cert string
CertKey string
Insecure bool
SpawnAgent bool
Headers map[string]string
}

// enrollCmdOption define all the supported enrollment option.
@@ -304,6 +305,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context) (string, error) {
c.options.ProxyURL,
c.options.ProxyDisabled,
c.options.ProxyHeaders,
c.options.FleetServer.ElasticsearchInsecure,
)
if err != nil {
return "", err
@@ -497,7 +499,9 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte
c.options.FleetServer.Host, c.options.FleetServer.Port,
c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA,
c.options.FleetServer.Headers,
c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders)
c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders,
c.options.FleetServer.ElasticsearchInsecure,
)
if err != nil {
return err
}
@@ -806,16 +810,21 @@ func createFleetServerBootstrapConfig(
proxyURL string,
proxyDisabled bool,
proxyHeaders map[string]string,
insecure bool,
) (*configuration.FleetAgentConfig, error) {
localFleetServer := connStr != ""

es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken)
es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken, insecure)
if err != nil {
return nil, err
}
if esCA != "" {
es.TLS = &tlscommon.Config{
CAs: []string{esCA},
if es.TLS == nil {
es.TLS = &tlscommon.Config{
CAs: []string{esCA},
}
} else {
es.TLS.CAs = []string{esCA}
}
}
if host == "" {
@@ -857,6 +866,9 @@ func createFleetServerBootstrapConfig(
Key: key,
},
}
if insecure {
cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone
}
}

if localFleetServer {
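Review bot: In createFleetServerBootstrapConfig the new `insecure` parameter, which both callers fill from `FleetServer.ElasticsearchInsecure`, is also written to `cfg.Server.TLS.VerificationMode` in the last hunk. That block sits next to the Fleet Server certificate and key, so the Elasticsearch flag appears to switch off verification on a second TLS configuration that the flag's description does not mention. If that is intended it needs to be documented on the flag; otherwise I would drop the `if insecure { cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone }` block and rename the parameter to `esInsecure` so it is not confused with the existing `Insecure` option. Separately, when `esCA` and `insecure` are both set the CA is stored in a config whose mode is already VerifyNone, so it is presumably never consulted; returning an error or logging a warning for that combination would make the misconfiguration visible. The function starts and ends outside the hunks.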
1 change: 1 addition & 0 deletions x-pack/elastic-agent/pkg/agent/cmd/inspect.go
@@ -259,6 +259,7 @@ func getProgramsFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, cfg *c
if err != nil {
return nil, err
}

composableWaiter := newWaitForCompose(composableCtrl)
configModifiers := &pipeline.ConfigModifiers{
Decorators: []pipeline.DecoratorFunc{modifiers.InjectMonitoring},
2 changes: 2 additions & 0 deletions x-pack/elastic-agent/pkg/agent/cmd/setup_config.go
@@ -43,6 +43,7 @@ type elasticsearchConfig struct {
Username string `config:"username"`
Password string `config:"password"`
ServiceToken string `config:"service_token"`
Insecure bool `config:"insecure"`
}

type kibanaConfig struct {
@@ -92,6 +93,7 @@ func defaultAccessConfig() (setupConfig, error) {
Password: envWithDefault("changeme", "FLEET_SERVER_ELASTICSEARCH_PASSWORD", "ELASTICSEARCH_PASSWORD"),
ServiceToken: envWithDefault("", "FLEET_SERVER_SERVICE_TOKEN"),
CA: envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA", "ELASTICSEARCH_CA"),
Insecure: envBool("FLEET_SERVER_ELASTICSEARCH_INSECURE"),
},
Enable: envBool("FLEET_SERVER_ENABLE"),
Host: envWithDefault("", "FLEET_SERVER_HOST"),
@@ -47,7 +47,7 @@ type Elasticsearch struct {
}

// ElasticsearchFromConnStr returns an Elasticsearch configuration from the connection string.
func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch, error) {
func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) (Elasticsearch, error) {
u, err := url.Parse(conn)
if err != nil {
return Elasticsearch{}, err
@@ -64,6 +64,11 @@ func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch,
Path: u.Path,
TLS: nil,
}
if insecure {
cfg.TLS = &tlscommon.Config{
VerificationMode: tlscommon.VerifyNone,
}
}
if serviceToken != "" {
cfg.ServiceToken = serviceToken
return cfg, nil
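Review bot: The doc comment on ElasticsearchFromConnStr was not updated for the new `insecure` parameter, and a bare positional bool on an exported function is easy to pass the wrong way round at a call site. I would extend the comment, e.g. `// When insecure is true the returned config sets TLS.VerificationMode to VerifyNone, so the Elasticsearch certificate is not validated.` The added `if insecure` block has no condition on the scheme parsed from `conn`, so the TLS block is attached for any connection string. The function body continues outside the hunk.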
5 changes: 5 additions & 0 deletions x-pack/elastic-agent/pkg/agent/transpiler/ast.go
@@ -104,6 +104,11 @@ func (d *Dict) Find(key string) (Node, bool) {
return nil, false
}

// Insert inserts a value into a collection.
func (d *Dict) Insert(node Node) {
d.value = append(d.value, node)
}

func (d *Dict) String() string {
var sb strings.Builder
for i := 0; i < len(d.value); i++ {
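Review bot: Insert appends to `d.value` without checking whether a node with the same key is already present, so a Dict can end up holding two entries for one key; which of them `Find` returns is not visible in this hunk. The comment should state that contract, e.g. `// Insert appends node to the dict; it does not replace an existing entry with the same key.`, or the method should replace the existing entry. The current comment also says "collection" where the receiver is a Dict.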