
[8.x](backport #5542) Decrypt client TLS certificate key for Elastic Defend #5795

Merged
merged 1 commit into from
Oct 15, 2024

Conversation

mergify[bot]
Contributor

@mergify mergify bot commented Oct 15, 2024

What does this PR do?

It adds EndpointTLSComponentModifier, which checks whether the client certificate key is encrypted; if so, it decrypts the key and passes it decrypted to endpoint (Elastic Defend).

Why is it important?

Elastic Defend does not support passphrase-protected certificate keys, but the agent does. This allows the agent to receive a passphrase-protected client certificate key and still work when Elastic Defend is installed.

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [x] I have added tests that prove my fix is effective or that my feature works
  • [x] I have added an entry in ./changelog/fragments using the changelog tool
  • [ ] I have added an integration test or an E2E test

Author's checklist

Acceptance Criteria:

Disruptive User Impact

  • None

How to test this PR locally

Adjust the IPs/hostnames as needed.

You might need to build an 8.16 agent out of main:

AGENT_PACKAGE_VERSION=8.16.0-SNAPSHOT BEATS_VERSION=8.16.0-SNAPSHOT DEV=true SNAPSHOT=true EXTERNAL=true PLATFORMS="linux/amd64" PACKAGES="tar.gz" mage package

create 2 TLS certificates

use elastic-agent-libs/testing/certutil/cmd to create the certificates. Make sure to use [email protected]+ which supports generating RSA certificates as Elastic Defend only accepts RSA certificates.

go run main.go --prefix server --pass server --ips 10.80.40.162,127.0.0.1 --rsa
go run main.go --prefix client --pass client  --ips 10.80.40.42,127.0.0.1 --rsa

you should have:

-rw------- 1 ainsoph ainsoph  288 Sep 20 18:35 client-ca_key.pem
-rw------- 1 ainsoph ainsoph  899 Sep 20 18:35 client-ca.pem
-rw------- 1 ainsoph ainsoph  399 Sep 20 18:35 client-localhost_enc-key.pem
-rw------- 1 ainsoph ainsoph  288 Sep 20 18:35 client-localhost_key.pem
-rw------- 1 ainsoph ainsoph    6 Sep 20 18:35 client-localhost-passphrase
-rw------- 1 ainsoph ainsoph  916 Sep 20 18:35 client-localhost.pem

-rw------- 1 ainsoph ainsoph  288 Sep 20 18:27 server-ca_key.pem
-rw------- 1 ainsoph ainsoph  904 Sep 20 18:27 server-ca.pem
-rw------- 1 ainsoph ainsoph  399 Sep 20 18:27 server-localhost_enc-key.pem
-rw------- 1 ainsoph ainsoph  288 Sep 20 18:27 server-localhost_key.pem
-rw------- 1 ainsoph ainsoph    6 Sep 20 18:27 server-localhost-passphrase
-rw------- 1 ainsoph ainsoph  916 Sep 20 18:27 server-localhost.pem

Start an Elastic stack (considering elastic-cloud).

add a fleet server with mTLS

elastic-agent install -nf \
--url=https://10.80.40.162:8220 \
--fleet-server-es=https://fleet.elastic-cloud.com:443 \
--fleet-server-service-token=a-token \
--fleet-server-policy=fleet-server-policy \
--certificate-authorities=/root/certs/server-ca.pem,/root/certs/client-ca.pem,/etc/ssl/certs/ca-certificates.crt \
--fleet-server-cert=/root/certs/server-localhost.pem \
--fleet-server-cert-key=/root/certs/server-localhost_enc-key.pem \
--fleet-server-cert-key-passphrase=/root/certs/server-localhost-passphrase \
--elastic-agent-cert=/root/certs/client-localhost.pem \
--elastic-agent-cert-key=/root/certs/client-localhost_enc-key.pem \
--elastic-agent-cert-key-passphrase=/root/certs/client-localhost-passphrase \
--fleet-server-client-auth=required \
--fleet-server-port=8220

create a policy with Elastic Defend

add an agent to that policy

elastic-agent install -nf \
--url=https://10.80.40.162:8220 \
--enrollment-token=a-token \
--certificate-authorities=/root/certs/server-ca.pem,/etc/ssl/certs/ca-certificates.crt \
--elastic-agent-cert=/root/certs/client-localhost.pem \
--elastic-agent-cert-key=/root/certs/client-localhost_enc-key.pem \
--elastic-agent-cert-key-passphrase=/root/certs/client-localhost-passphrase

Related issues

Questions to ask yourself

  • How are we going to support this in production?
  • How are we going to measure its adoption?
  • How are we going to debug this?
  • What are the metrics I should take care of?
  • ...

This is an automatic backport of pull request #5542 done by [Mergify](https://mergify.com).

* decrypt client mTLS certificate key for Elastic Defend

It adds EndpointTLSComponentModifier which will check if the client certificate key is encrypted, if so, it'll decrypt the key and pass it decrypted to endpoint (Elastic Defend)

* add cache and tests

* fix cache miss test

* fix linter

* update elastic-agent-libs

* better comments

* fix comment

* mage notice

* update elastic-agent-libs

* debug test

* fix test

* Revert "debug test"

This reverts commit b04b42c.

* make cache key from all paths

(cherry picked from commit 1c041a2)
@mergify mergify bot requested a review from a team as a code owner October 15, 2024 17:40
@mergify mergify bot added the backport label Oct 15, 2024
@mergify mergify bot requested review from andrzej-stencel and michel-laterman and removed request for a team October 15, 2024 17:40
@pierrehilbert pierrehilbert enabled auto-merge (squash) October 15, 2024 17:41

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 40%)

See analysis details on SonarQube

@pierrehilbert pierrehilbert merged commit be1c1ea into 8.x Oct 15, 2024
14 of 15 checks passed
@pierrehilbert pierrehilbert deleted the mergify/bp/8.x/pr-5542 branch October 15, 2024 19:52