Add an integration test using a proxy with mTLS for control plane and Elastic Defend installed #5716

Closed
8 tasks done
AndersonQ opened this issue Oct 7, 2024 · 1 comment · Fixed by #5889

AndersonQ commented Oct 7, 2024

This test should validate the mTLS flow for control-plane (communication with fleet-server) through a proxy with mTLS and having Elastic Defend integration installed.

The test should:

  • use RSA TLS certificates (Elastic Defend restriction)
  • validate passphrase protected certificate key for the client works. (As the server is the proxy, it's pointless to test it supports passphrase protected key)
  • use proxytest for proxy
  • use Elastic Cloud for the Elastic Stack
  • configure a wrong fleet-server address, which the proxy should correct
  • validate connections are flowing through the proxy. Ideally the proxy will assert it. However just the fact the configured host is invalid is enough
    • for the Elastic Agent
    • for Elastic Defend

Test scenarios:

  • mTLS configuration passed through the CLI at install/enroll time. No configuration in the policy
    • with passphrase protected key
    • without passphrase protected key
  • mTLS configuration passed through CLI and present in the policy. The policy configuration should take precedence
    • both (cli and policy) using plain certificate key
    • [ ] both (cli and policy) using passphrase protected key: not possible, the proxy UI does not allow adding a passphrase or passphrase path
    • cli configuration with passphrase protected key, policy configuration without passphrase protected key
    • cli with mTLS and passphrase protected key, policy with one-way TLS. The policy must take precedence and remove the client TLS configuration
  • [x] mTLS configuration only in the policy: test skipped, see "Agent partially applies new fleet-server TLS configuration" #5888
    • fleet-server is reachable without proxy
    • the fleet-server host configured in the policy is only reachable through the proxy
  • removing the proxy from the policy does not remove it from the agent:
    • it's the same as "an empty proxy from the policy does not change the current configuration"

Out of scope:

  • data plane connections (with Elasticsearch or any other output)
  • any test on the fleet-server side of things
  • certificate rotation

AndersonQ self-assigned this Oct 7, 2024
AndersonQ added the Team:Elastic-Agent-Control-Plane and Testing labels Oct 7, 2024
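
The two proxy-side checks the issue asks for (the proxy only accepts clients presenting a trusted RSA certificate, and a request to an invalid fleet-server host succeeds only because it went through the proxy), as an added example that is not part of the issue or of the elastic-agent test suite. Assumptions: Go's `net/http/httptest` stands in for proxytest, the self-signed agent certificate and the URL `http://fleet-server.invalid:8220/api/status` are constructed, and the proxy answers the request itself instead of forwarding it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// agent: constructed self-signed RSA client certificate (the issue requires RSA for Elastic Defend).
var agent = func() tls.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // errors dropped for brevity
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "agent"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}()

// viaProxy calls a constructed, unresolvable fleet-server URL through an mTLS-only proxy (httptest stand-in for proxytest); returns the host the proxy saw.
func viaProxy(clientCerts ...tls.Certificate) (string, error) {
	trusted := x509.NewCertPool()
	trusted.AddCert(agent.Leaf)
	seen := make(chan string, 1)
	proxy := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.URL.Host // absolute-form target, present only on proxied requests
	}))
	proxy.TLS = &tls.Config{ClientCAs: trusted, ClientAuth: tls.RequireAndVerifyClientCert}
	proxy.StartTLS() // httptest supplies the proxy's own server certificate
	defer proxy.Close()
	tr := proxy.Client().Transport.(*http.Transport) // already trusts that certificate
	tr.Proxy = func(*http.Request) (*url.URL, error) { return url.Parse(proxy.URL) }
	tr.TLSClientConfig.Certificates = clientCerts
	resp, err := proxy.Client().Get("http://fleet-server.invalid:8220/api/status")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() { fmt.Println(viaProxy(agent)) }
```

Because `.invalid` never resolves, a successful response can only have come from the proxy, which is the "configured host is invalid is enough" check from the issue; calling `viaProxy()` with no certificate returns a TLS error.
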
@elasticmachine

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)
