Expose elasticsearch.ssl.certificateAuthorities to plugins #116626
Comments
Pinging @elastic/kibana-core (Team:Core)
cc @elastic/kibana-security can you just confirm it would be fine to expose the
Yes, this is OK, these PEM strings are not secret or sensitive
Yes, we need to provide the fully resolved/parsed value, because this array is derived from all of kibana/src/core/server/elasticsearch/elasticsearch_config.ts Lines 421 to 482 in 6792bdf
If we'd like to be on the safe side, we could only expose the CA fingerprints from Core and not the entire CA.
Yeah, if that's all we need right now, that might be best.
@planadecu @lukeelmers This is something we'd like to leverage for fixing the onboarding flow for on-prem users in 8.0 (where Elasticsearch configured self-signed certs by default). Is this something we could get in the next few weeks? If not, would you accept a PR to Core from our team to expose this?
We are planning our next sprint tomorrow and can get back to you about our capacity then. But I'd be fine to accept a PR to Core if y'all wanted to pick this up. Based on my understanding of #116620, I think we could consider this a bugfix, and therefore I don't have concerns about adding it even though we have passed the 8.0 Stack FF.
@joshdover In our planning today we ended up being pretty overloaded, so we aren't going to be able to pick this one up in the next 3 weeks. Still open to accepting a PR if you'd like to do it though! (We can also earmark it for next sprint, but I don't want to hold y'all up since that is getting closer to solutions FF)
@lukeelmers Thanks for letting me know. I plan to submit a PR in the next week or so.
Going with a different approach, no longer necessary: #120276
Blocks #116620
In order to support security on by default, Fleet needs to provide the fingerprint for Elasticsearch's self-signed CA to Fleet Server and Elastic Agents. To do this, our plugin will need to access the ssl.certificateAuthorities field from the Elasticsearch configuration.
Currently, the config.legacy.globalConfig$ API only provides a few values: kibana/src/core/server/plugins/types.ts Line 366 in 2856e19
It'd be nice if we could be sure to get the fully resolved value from the ElasticsearchConfig class rather than the field provided by the config schema which may or may not be an array, etc.
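The fingerprint-only option raised in this thread, as an added example that is not part of the issue or of Kibana's code: it takes a certificateAuthorities-style value that may be a single PEM string or an array, splits concatenated bundles, and returns the SHA-256 fingerprint of each certificate's DER bytes. All function names are hypothetical, lowercase hex output is an assumption, and the sample PEM blocks wrap constructed placeholder bytes rather than real certificates.

```javascript
const { createHash } = require("crypto");

// Matches each PEM certificate block, including several concatenated in one string.
const PEM_CERT = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

// Accept the shapes a config field can take: unset, one string, or an array.
function normalizeCaSetting(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Decode every certificate found in one PEM string to its DER bytes.
function pemToDerList(pem) {
  const ders = [];
  for (const match of pem.matchAll(PEM_CERT)) {
    const b64 = match[1].replace(/\s+/g, ""); // drop line wrapping
    if (b64.length === 0) continue;           // skip empty blocks
    ders.push(Buffer.from(b64, "base64"));
  }
  return ders;
}

// A certificate fingerprint is the hash of its DER encoding. Only the
// digests leave this function; duplicates are dropped, order is preserved.
function caFingerprints(value) {
  const seen = new Set();
  for (const pem of normalizeCaSetting(value)) {
    for (const der of pemToDerList(pem)) {
      seen.add(createHash("sha256").update(der).digest("hex"));
    }
  }
  return [...seen];
}

// Constructed sample input: placeholder bytes in PEM armor, not real CAs.
function samplePem(label) {
  const b64 = Buffer.from(label).toString("base64");
  return `-----BEGIN CERTIFICATE-----\n${b64}\n-----END CERTIFICATE-----\n`;
}
const SAMPLE_A = samplePem("constructed-ca-a");
const SAMPLE_B = samplePem("constructed-ca-b");

// One bundle holding two certificates plus a repeated entry: two fingerprints.
console.log(caFingerprints([SAMPLE_A + SAMPLE_B, SAMPLE_A]));
```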