Add ca_sha256 to default Elasticsearch output in Fleet during setup for security on by default #120120

Closed
Tracked by #116620
joshdover opened this issue Dec 1, 2021 · 2 comments · Fixed by #120276
Labels
enhancement New value added to drive a business result required-for-8.0 This work is required to be done before 8.0 lands, bc it relates to a breaking change or similar. Team:Fleet Team label for Observability Data Collection Fleet team v8.0.0

Comments

joshdover commented Dec 1, 2021

When a new on-prem cluster is created in 8.0, Elasticsearch will automatically generate a self-signed certificate authority and use that to sign certificates. In order for Agents to be able to ingest data, we need to automatically configure the default Elasticsearch output to use the self-signed certs generated during setup.

This can be done by modifying the "interactive setup mode" plugin in Kibana. This plugin includes a script and web UI that users can use to properly configure the kibana.yml using an enrollment token received from Elasticsearch. We want to modify this script to add the following to the kibana.yml:

```yaml
xpack.fleet.outputs:
  - id: fleet-default-output
    is_default: true
    is_default_monitoring: true
    name: default
    type: elasticsearch
    hosts:
      - <ES host from interactive setup>
    ca_sha256: <CA fingerprint from interactive setup>
```

This should roughly match the default output constant here:

```ts
export const DEFAULT_OUTPUT: NewOutput = {
  name: DEFAULT_OUTPUT_ID,
  is_default: true,
  is_default_monitoring: true,
  type: outputType.Elasticsearch,
  hosts: [''],
};
```

The interactive setup code can be found here:
The enroll route used when configuring Kibana using an enrollment token from ES is here:
https://github.com/elastic/kibana/blob/main/src/plugins/interactive_setup/server/routes/enroll.ts

The configure route used when configuring Kibana using manual configuration mode is here:
https://github.com/elastic/kibana/blob/main/src/plugins/interactive_setup/server/routes/configure.ts

The setup CLI, which uses the same service and the enroll route, is here:
https://github.com/elastic/kibana/blob/main/src/cli_setup/cli_setup.ts

Note that when testing this, you cannot use `yarn es snapshot` as this will pre-configure security rather than using the self-generated security. You should start ES manually using `./bin/elasticsearch` from an 8.0.0 snapshot.
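As an added example (not part of the issue and not Kibana's own code), here is one way the host and CA fingerprint from interactive setup could be validated and rendered into the `xpack.fleet.outputs` block above before it is written to kibana.yml. The function names, the https-only host check and the hex encoding of the fingerprint are assumptions of this example.

```typescript
// Added example, not Kibana source. Field names follow the YAML in the issue.
// Accepts "AB:CD:..." or bare hex and returns 64 lowercase hex characters.
// Assumption: the pin is stored hex-encoded; the issue does not state the encoding.
function normalizeFingerprint(raw: string): string {
  const hex = raw.trim().replace(/[:\s]/g, '').toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) {
    throw new Error('CA fingerprint must be a SHA-256 digest (64 hex characters)');
  }
  return hex;
}

// Assumption of this example: a CA pin only makes sense for a TLS endpoint,
// so anything other than an https:// host[:port] is rejected.
function validateHost(host: string): string {
  if (!/^https:\/\/[A-Za-z0-9.\-\[\]:]+\/?$/.test(host)) {
    throw new Error('Elasticsearch host must be an https:// URL: ' + host);
  }
  return host;
}

function buildDefaultOutput(esHost: string, caFingerprint: string) {
  return {
    id: 'fleet-default-output',
    is_default: true,
    is_default_monitoring: true,
    name: 'default',
    type: 'elasticsearch',
    hosts: [validateHost(esHost)],
    ca_sha256: normalizeFingerprint(caFingerprint),
  };
}

// Renders the kibana.yml block. Host and fingerprint are quoted so that an
// all-digit fingerprint is not read back as a YAML number.
function renderFleetOutputsYaml(o: ReturnType<typeof buildDefaultOutput>): string {
  const head = [
    'xpack.fleet.outputs:',
    `  - id: ${o.id}`,
    `    is_default: ${o.is_default}`,
    `    is_default_monitoring: ${o.is_default_monitoring}`,
    `    name: ${o.name}`,
    `    type: ${o.type}`,
    '    hosts:',
  ];
  const hosts = o.hosts.map((h) => `      - '${h}'`);
  return head.concat(hosts, [`    ca_sha256: '${o.ca_sha256}'`]).join('\n') + '\n';
}
```

Rejecting a malformed fingerprint at write time surfaces the problem during setup instead of later, when Agents fail to connect to the output.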

@elasticmachine

Pinging @elastic/fleet (Team:Fleet)

nchaulet commented Dec 2, 2021

Looking a little at how the setup|configuration is done, I think we can add our Fleet output config in the kibana_config_writer module: https://github.com/elastic/kibana/blob/main/src/plugins/interactive_setup/server/kibana_config_writer.ts#L62
