[Fleet] Configure ca trusted fingerprint for on prem users #120549
Conversation
@joshdover Yes, it will cover the 3 issues you mentioned.
Pinging @elastic/fleet (Team:Fleet)
...tions/fleet/sections/agents/agent_requirements_page/components/install_command_utils.test.ts
const commandArgumentsStr = commandArguments.reduce((acc, [key, val]) => { | ||
if (acc === '' && key === 'url') { | ||
return `--${key}=${val}`; | ||
} | ||
return (acc += ` ${newLineSeparator} --${key}=${val}`); | ||
}, ''); |
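Review bot: the `acc === '' && key === 'url'` guard only drops the leading separator when the first argument happens to be `url`; if the argument list ever starts with another key, the generated command begins with ` ${newLineSeparator} --key=val`. Keying the guard on `acc === ''` alone (or collecting the formatted `--key=val` strings and joining them with the separator) avoids that, and `return acc + ...` reads better than reassigning the callback parameter with `acc +=`.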
Nice 👍
x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.ts
Optional nit but otherwise LGTM.
@@ -131,7 +132,7 @@ describe('KibanaConfigWriter', () => { | |||
elasticsearch.hosts: [some-host] | |||
elasticsearch.serviceAccountToken: some-value | |||
elasticsearch.ssl.certificateAuthorities: [/data/ca_1234.crt] | |||
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: [some-host], ca_sha256: fingerprint256}] | |||
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: [some-host], ca_trusted_fingerprint: d486ce00ac71e41d2b70d087a555fa5dd1936cdb458079537ba3ac133e4834d6}] |
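Review bot: the expected YAML now carries `ca_trusted_fingerprint` where it previously carried `ca_sha256`, so this is a rename rather than an addition; the hunk only shows the assertion string, so please state (in the PR description or a code comment next to the writer) what happens to a kibana.yml that still contains the old `ca_sha256` key, i.e. whether it is migrated or now ignored. The 64-character lower-case hex literal used here is also the form a reader should expect the agent to receive, which is worth a short comment on the fixture.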
nit: Much prefer this to the previous config name, but is it worth aligning this with the elasticsearch-js client for consistency?
https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/basic-config.html
caFingerprint - If configured, verify that the fingerprint of the CA certificate that has signed the certificate of the server matches the supplied fingerprint. Only accepts SHA256 digest fingerprints.
(We don't use elasticsearch.ssl.trustedCertificateAuthorities either, but I don't know what Fleet conventions are.)
The field is named ca_trusted_fingerprint in libbeat and the agent, so I think we probably want to keep that consistent here.
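As an added example (not code from this PR or from Kibana) of the check a ca_trusted_fingerprint configures: walk the chain a Node TLS socket reports through getPeerCertificate(true) and accept it only when the issuing CA's SHA-256 fingerprint equals the configured one, whatever spelling (colons, case) the operator used. The PeerCert shape, the helper names and the PEM fingerprinting function are assumptions for this illustration; the fingerprint value from the test fixture above is reused only as a sample.

```typescript
import { createHash, timingSafeEqual } from 'crypto';

// Assumed minimal shape of what Node's socket.getPeerCertificate(true) returns:
// a colon-separated upper-case SHA-256 fingerprint plus a link to the issuer.
// A self-signed root points at itself, which the walk below must tolerate.
export interface PeerCert {
  subject: { CN: string };
  fingerprint256: string;
  issuerCertificate?: PeerCert;
}

// Normalise "D4:86:...", "d486...", or either with whitespace to 64 lower-case
// hex characters; anything else (SHA-1, truncated, non-hex) is rejected.
export function normalizeFingerprint(raw: string): string | null {
  const hex = raw.replace(/[:\s]/g, '').toLowerCase();
  return /^[0-9a-f]{64}$/.test(hex) ? hex : null;
}

// Fingerprint a PEM certificate the way the config expects it: SHA-256 over
// the DER bytes, i.e. over the base64 body with the PEM armour stripped.
export function caTrustedFingerprint(pem: string): string {
  const body = pem.replace(/-----(BEGIN|END) CERTIFICATE-----/g, '').replace(/\s+/g, '');
  return createHash('sha256').update(Buffer.from(body, 'base64')).digest('hex');
}

// Accept the chain only if the certificate that signed the server certificate,
// or one of its own issuers, has exactly the configured fingerprint. The leaf
// itself is not checked; a chain without any issuer information fails closed.
export function chainMatchesFingerprint(leaf: PeerCert, configured: string): boolean {
  const expected = normalizeFingerprint(configured);
  if (expected === null) return false;
  const want = Buffer.from(expected, 'hex');
  const seen = new Set<PeerCert>();
  let cert: PeerCert | undefined = leaf.issuerCertificate;
  while (cert && !seen.has(cert)) {
    seen.add(cert); // stops at a self-signed root that links to itself
    const got = normalizeFingerprint(cert.fingerprint256);
    // Both sides are 32 bytes here, so timingSafeEqual's length precondition holds.
    if (got !== null && timingSafeEqual(Buffer.from(got, 'hex'), want)) return true;
    cert = cert.issuerCertificate;
  }
  return false;
}
```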
💛 Build succeeded, but was flaky
💔 Backport failed
Summary
Fixes #116620 #120608
With the changes for security on by default, we need to pass a CA fingerprint to the agents to allow them to communicate with Elasticsearch.
Done in that PR:
- ca_trusted_fingerprint on output instead of using the existing ca_sha256
- ssl.ca_trusted_fingerprint in the output part of the agent policy
- --fleet-server-es-ca-trusted-fingerprint to install instructions for Fleet server
Depends on #29128 and elastic/beats#29128
Fleet server install instruction
.fleet-policies for the default fleet server policy