
[Fleet] Configure ca trusted fingerprint for on prem users #120549

Merged: 5 commits merged into elastic:main from the fleet-ca-trusted-fingerprint branch on Dec 8, 2021

Conversation

nchaulet (Member)

@nchaulet nchaulet commented Dec 6, 2021

Summary

Fixes #116620 #120608

With the changes for security on by default, we need to pass a ca fingerprint to the agents to allow them to communicate with Elasticsearch.

Done in that PR:

  • Add the field ca_trusted_fingerprint on output instead of using the existing ca_sha256
  • Use that field to populate ssl.ca_trusted_fingerprint in the output part of the agent policy.
  • Add the flag --fleet-server-es-ca-trusted-fingerprint to install instructions for Fleet server.

Depends on #29128 and elastic/beats#29128

[Screenshot: Fleet Server install instruction]

[Screenshot: .fleet-policies document for the default Fleet Server policy]

@nchaulet nchaulet added labels v8.0.0, v8.1.0, release_note:skip (Skip the PR/issue when compiling release notes), Team:Fleet (Team label for Observability Data Collection Fleet team) and auto-backport (Deprecated - use backport:version if exact versions are needed) Dec 6, 2021
@nchaulet nchaulet self-assigned this Dec 6, 2021
@joshdover (Contributor)

joshdover commented Dec 7, 2021

@nchaulet this will fix #116620 as well as update the work done in #120276, correct?

Do you also plan to cover #120608 in this as well?

@nchaulet (Member, Author)

nchaulet commented Dec 7, 2021

@joshdover Yes, it will cover the 3 issues you mentioned.

@nchaulet nchaulet force-pushed the fleet-ca-trusted-fingerprint branch from 1daca88 to 5579aef Compare December 7, 2021 19:01
@nchaulet nchaulet requested a review from thomheymann December 7, 2021 19:37
@nchaulet nchaulet marked this pull request as ready for review December 7, 2021 19:39
@nchaulet nchaulet requested review from a team as code owners December 7, 2021 19:39
@elasticmachine (Contributor)

Pinging @elastic/fleet (Team:Fleet)

Comment on lines +45 to +50:

```js
const commandArgumentsStr = commandArguments.reduce((acc, [key, val]) => {
  if (acc === '' && key === 'url') {
    return `--${key}=${val}`;
  }
  return (acc += ` ${newLineSeparator} --${key}=${val}`);
}, '');
```

Contributor commented:

Nice 👍

@nchaulet nchaulet requested a review from joshdover December 8, 2021 14:11
@thomheymann (Contributor) left a comment:

Optional nit but otherwise LGTM.

@@ -131,7 +132,7 @@ describe('KibanaConfigWriter', () => {
elasticsearch.hosts: [some-host]
elasticsearch.serviceAccountToken: some-value
elasticsearch.ssl.certificateAuthorities: [/data/ca_1234.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: [some-host], ca_sha256: fingerprint256}]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: [some-host], ca_trusted_fingerprint: d486ce00ac71e41d2b70d087a555fa5dd1936cdb458079537ba3ac133e4834d6}]
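Review bot: the expected line now carries a literal digest (`ca_trusted_fingerprint: d486ce00…4834d6`) where the removed line used the placeholder `fingerprint256`; leave a comment beside the assertion saying which fixture it is derived from (the `/data/ca_1234.crt` path two lines above is the obvious candidate) so that whoever regenerates that fixture knows the expected value has to be recomputed with `openssl x509 -fingerprint -sha256 -noout` rather than edited by hand. The assertion also fixes bare lowercase hex as the on-disk representation; if the value can arrive in the colon-separated uppercase form openssl prints, a second test case feeding that form would pin the normalisation down.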
Contributor (review comment):

nit: Much prefer this to the previous config name but is it worth aligning this with elasticsearch-js client for consistency?
https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/basic-config.html

caFingerprint - If configured, verify that the fingerprint of the CA certificate that has signed the certificate of the server matches the supplied fingerprint. Only accepts SHA256 digest fingerprints.

(We don't use elasticsearch.ssl.trustedCertificateAuthorities either but I don't know what Fleet conventions are)

Member Author (reply):

The field is named ca_trusted_fingerprint in libbeat and the agent, so I think we should probably keep that consistent here.

@kibana-ci (Collaborator)

💛 Build succeeded, but was flaky

Metrics

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
|----|--------|-------|------|
| fleet | 1144 | 1145 | +1 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|----|--------|-------|------|
| fleet | 643.4KB | 643.6KB | +157.0B |

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/development-plugin-saved-objects.html#_mappings

| id | before | after | diff |
|----|--------|-------|------|
| ingest-outputs | 11 | 12 | +1 |

Unknown metric groups

API count

| id | before | after | diff |
|----|--------|-------|------|
| fleet | 1251 | 1252 | +1 |

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @nchaulet

@nchaulet nchaulet merged commit 6c81068 into elastic:main Dec 8, 2021
@nchaulet nchaulet deleted the fleet-ca-trusted-fingerprint branch December 8, 2021 15:52
@kibanamachine (Contributor)

💔 Backport failed

| Branch | Result |
|--------|--------|
| 8.0 | Commit could not be cherrypicked due to conflicts |

To backport manually run:
`node scripts/backport --pr 120549`

Linked issue (may be closed by merging this pull request): [Fleet] Add ES certificate authority fingerprint argument to Fleet Server install command
6 participants