Add ca_sha256 to default Elasticsearch output in Fleet during setup for security on by default #120120
Labels
enhancement (New value added to drive a business result)
required-for-8.0 (This work is required to be done before 8.0 lands, bc it relates to a breaking change or similar.)
Team:Fleet (Team label for Observability Data Collection Fleet team)
v8.0.0
When a new on-prem cluster is created in 8.0, Elasticsearch will automatically generate a self-signed certificate authority and use that to sign certificates. In order for Agents to be able to ingest data, we need to automatically configure the default Elasticsearch output to use the self-signed certs generated during setup.
This can be done by modifying the "interactive setup mode" plugin in Kibana. This plugin includes a script and web UI that users can use to properly configure the kibana.yml using an enrollment token received from Elasticsearch. We want to modify this script to add the following to the kibana.yml:
This should roughly match the default output constant here:
kibana/x-pack/plugins/fleet/common/constants/output.ts
Lines 18 to 24 in 7395d35
The interactive setup code can be found here:
The enroll route used when configuring Kibana using an enrollment token from ES is here:
https://github.com/elastic/kibana/blob/main/src/plugins/interactive_setup/server/routes/enroll.ts
The configure route used when configuring Kibana using manual configuration mode is here:
https://github.com/elastic/kibana/blob/main/src/plugins/interactive_setup/server/routes/configure.ts
The setup CLI is here which uses the same service and the enroll route:
https://github.com/elastic/kibana/blob/main/src/cli_setup/cli_setup.ts
Note that when testing this, you cannot use yarn es snapshot as this will pre-configure security rather than using the self-generated security. You should start ES manually using ./bin/elasticsearch from an 8.0.0 snapshot.