diff --git a/x-pack/elastic-agent/pkg/agent/cmd/container.go b/x-pack/elastic-agent/pkg/agent/cmd/container.go
index cc925d0cb4e..f64654d66e7 100644
--- a/x-pack/elastic-agent/pkg/agent/cmd/container.go
+++ b/x-pack/elastic-agent/pkg/agent/cmd/container.go
@@ -96,6 +96,7 @@ The following actions are possible and grouped based on the actions.
 FLEET_SERVER_ELASTICSEARCH_USERNAME - elasticsearch username for Fleet Server [$ELASTICSEARCH_USERNAME]
 FLEET_SERVER_ELASTICSEARCH_PASSWORD - elasticsearch password for Fleet Server [$ELASTICSEARCH_PASSWORD]
 FLEET_SERVER_ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch [$ELASTICSEARCH_CA]
+ FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch
 FLEET_SERVER_SERVICE_TOKEN - service token to use for communication with elasticsearch
 FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself ("Default Fleet Server policy" used when undefined)
 FLEET_SERVER_HOST - binding host for Fleet Server HTTP (overrides the policy). By default this is 0.0.0.0.
@@ -378,6 +379,9 @@ func buildEnrollArgs(cfg setupConfig, token string, policyID string) ([]string,
 if cfg.FleetServer.InsecureHTTP || cfg.Fleet.Insecure {
 args = append(args, "--insecure")
 }
+ if cfg.FleetServer.Elasticsearch.Insecure {
+ args = append(args, "--fleet-server-es-insecure")
+ }
 } else {
 if cfg.Fleet.URL == "" {
 return nil, errors.New("FLEET_URL is required when FLEET_ENROLL is true without FLEET_SERVER_ENABLE")
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go
index 2966c7dafe8..ceec23aceea 100644
--- a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go
+++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go
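Review bot: The added help line for FLEET_SERVER_ELASTICSEARCH_INSECURE in container.go does not tell the operator what is given up when it is set: the Elasticsearch username, password and service token documented on the neighbouring lines are then sent to a peer whose certificate is never checked. I would extend the text to say so and mark it as a testing aid, for example `FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch (testing only; credentials are sent to an unverified server)`. It may also be worth stating how it interacts with FLEET_SERVER_ELASTICSEARCH_CA, which the createFleetServerBootstrapConfig hunk suggests is no longer enforced once verification is off.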
@@ -53,6 +53,7 @@ func addEnrollFlags(cmd *cobra.Command) { cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet") cmd.Flags().StringP("fleet-server-es", "", "", "Start and run a Fleet Server along side this Elastic Agent connecting to the provided elasticsearch") cmd.Flags().StringP("fleet-server-es-ca", "", "", "Path to certificate authority to use with communicate with elasticsearch") + cmd.Flags().BoolP("fleet-server-es-insecure", "", false, "Disables validation of certificates") cmd.Flags().StringP("fleet-server-service-token", "", "", "Service token to use for communication with elasticsearch") cmd.Flags().StringP("fleet-server-policy", "", "", "Start and run a Fleet Server on this specific policy") cmd.Flags().StringP("fleet-server-host", "", "", "Fleet Server HTTP binding host (overrides the policy)") @@ -79,6 +80,7 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string } fServer, _ := cmd.Flags().GetString("fleet-server-es") fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca") + fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure") fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token") fPolicy, _ := cmd.Flags().GetString("fleet-server-policy") fHost, _ := cmd.Flags().GetString("fleet-server-host") @@ -174,6 +176,10 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string args = append(args, k+"="+v) } + if fElasticSearchInsecure { + args = append(args, "--fleet-server-es-insecure") + } + return args } 
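Review bot: The description of `--fleet-server-es-insecure` in addEnrollFlags, "Disables validation of certificates", does not say which connection it affects, and the command already has a separate `--insecure` setting that an operator could confuse it with. Suggest `"Disables certificate validation for the Fleet Server connection to Elasticsearch (not for production use)"`. The two buildEnrollmentFlags hunks that follow only forward the flag and raise nothing further.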
@@ -236,6 +242,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error { enrollmentToken, _ := cmd.Flags().GetString("enrollment-token") fServer, _ := cmd.Flags().GetString("fleet-server-es") fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca") + fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure") fHeaders, _ := cmd.Flags().GetStringSlice("header") fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token") fPolicy, _ := cmd.Flags().GetString("fleet-server-policy") @@ -266,20 +273,21 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error { Staging: staging, FixPermissions: fromInstall, FleetServer: enrollCmdFleetServerOption{ - ConnStr: fServer, - ElasticsearchCA: fElasticSearchCA, - ServiceToken: fServiceToken, - PolicyID: fPolicy, - Host: fHost, - Port: fPort, - Cert: fCert, - CertKey: fCertKey, - Insecure: fInsecure, - SpawnAgent: !fromInstall, - Headers: mapFromEnvList(fHeaders), - ProxyURL: fProxyURL, - ProxyDisabled: fProxyDisabled, - ProxyHeaders: mapFromEnvList(fProxyHeaders), + ConnStr: fServer, + ElasticsearchCA: fElasticSearchCA, + ElasticsearchInsecure: fElasticSearchInsecure, + ServiceToken: fServiceToken, + PolicyID: fPolicy, + Host: fHost, + Port: fPort, + Cert: fCert, + CertKey: fCertKey, + Insecure: fInsecure, + SpawnAgent: !fromInstall, + Headers: mapFromEnvList(fHeaders), + ProxyURL: fProxyURL, + ProxyDisabled: fProxyDisabled, + ProxyHeaders: mapFromEnvList(fProxyHeaders), }, } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go index e49ce7de5dd..005c359d586 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go 
@@ -71,20 +71,21 @@ type enrollCmd struct { // enrollCmdFleetServerOption define all the supported enrollment options for bootstrapping with Fleet Server. type enrollCmdFleetServerOption struct { - ConnStr string - ElasticsearchCA string - ServiceToken string - PolicyID string - Host string - Port uint16 - Cert string - CertKey string - Insecure bool - SpawnAgent bool - Headers map[string]string - ProxyURL string - ProxyDisabled bool - ProxyHeaders map[string]string + ConnStr string + ElasticsearchCA string + ElasticsearchInsecure bool + ServiceToken string + PolicyID string + Host string + Port uint16 + Cert string + CertKey string + Insecure bool + SpawnAgent bool + Headers map[string]string + ProxyURL string + ProxyDisabled bool + ProxyHeaders map[string]string } // enrollCmdOption define all the supported enrollment option. @@ -268,6 +269,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context) (string, error) { c.options.FleetServer.ProxyURL, c.options.FleetServer.ProxyDisabled, c.options.FleetServer.ProxyHeaders, + c.options.FleetServer.ElasticsearchInsecure, ) if err != nil { return "", err @@ -462,7 +464,8 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.Headers, - c.options.FleetServer.ProxyURL, c.options.FleetServer.ProxyDisabled, c.options.FleetServer.ProxyHeaders) + c.options.FleetServer.ProxyURL, c.options.FleetServer.ProxyDisabled, c.options.FleetServer.ProxyHeaders, + c.options.FleetServer.ElasticsearchInsecure) if err != nil { return err } 
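Review bot: enrollCmdFleetServerOption now carries two switches that relax TLS, `Insecure` and `ElasticsearchInsecure`, with no field comments to tell them apart. A short comment on each would help, e.g. `// ElasticsearchInsecure disables certificate verification for the Fleet Server to Elasticsearch connection.` and a matching one on `Insecure` naming the connection it covers. In the fleetServerBootstrap and enroll hunks the same value is passed as a trailing positional bool in an argument list that already contains `ProxyDisabled`; two bare bools in one call are easy to transpose, so a named options struct would be safer, though that is a larger change than this commit.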
@@ -765,16 +768,21 @@ func createFleetServerBootstrapConfig( proxyURL string, proxyDisabled bool, proxyHeaders map[string]string, + insecure bool, ) (*configuration.FleetAgentConfig, error) { localFleetServer := connStr != "" - es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken) + es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken, insecure) if err != nil { return nil, err } if esCA != "" { - es.TLS = &tlscommon.Config{ - CAs: []string{esCA}, + if es.TLS == nil { + es.TLS = &tlscommon.Config{ + CAs: []string{esCA}, + } + } else { + es.TLS.CAs = []string{esCA} } } if host == "" { @@ -816,6 +824,9 @@ func createFleetServerBootstrapConfig( Key: key, }, } + if insecure { + cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone + } } if localFleetServer { diff --git a/x-pack/elastic-agent/pkg/agent/cmd/inspect.go b/x-pack/elastic-agent/pkg/agent/cmd/inspect.go index 16b589bf9d1..b9dd8da58df 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/inspect.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/inspect.go @@ -259,6 +259,7 @@ func getProgramsFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, cfg *c if err != nil { return nil, err } + composableWaiter := newWaitForCompose(composableCtrl) configModifiers := &pipeline.ConfigModifiers{ Decorators: []pipeline.DecoratorFunc{modifiers.InjectMonitoring}, diff --git a/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go b/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go index 4330c967e9f..95057ebd431 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go @@ -43,6 +43,7 @@ type elasticsearchConfig struct { Username string `config:"username"` Password string `config:"password"` ServiceToken string `config:"service_token"` + Insecure bool `config:"insecure"` } type kibanaConfig struct { 
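Review bot: In createFleetServerBootstrapConfig, when both `esCA` and `insecure` are set, the new else branch writes `es.TLS.CAs` into a config whose VerificationMode is already VerifyNone, so the CA the operator supplied is presumably never enforced and nothing reports that. I would warn about or reject that combination before calling ElasticsearchFromConnStr, e.g. `if insecure && esCA != "" { return nil, errors.New("elasticsearch CA cannot be combined with insecure") }`, assuming an errors package is in scope in this file. The parameter would also read better as `esInsecure`, since this function handles the Fleet Server's own TLS settings as well. The function body continues outside the hunk.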
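Review bot: The added block `if insecure { cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone }` applies the Elasticsearch flag to the Fleet Server's own TLS settings, the struct built from the cert and key just above it. `insecure` here is `ElasticsearchInsecure`, so turning off validation for the Elasticsearch connection also changes verification on the server side, which the flag's help text does not mention and which looks unintended. Unless a reason exists outside this hunk, I would drop these three lines or drive them from a separate Fleet Server option.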
@@ -91,6 +92,7 @@ func defaultAccessConfig() (setupConfig, error) { Password: envWithDefault("changeme", "FLEET_SERVER_ELASTICSEARCH_PASSWORD", "ELASTICSEARCH_PASSWORD"), ServiceToken: envWithDefault("", "FLEET_SERVER_SERVICE_TOKEN"), CA: envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA", "ELASTICSEARCH_CA"), + Insecure: envBool("FLEET_SERVER_ELASTICSEARCH_INSECURE"), }, Enable: envBool("FLEET_SERVER_ENABLE"), Host: envWithDefault("", "FLEET_SERVER_HOST"), diff --git a/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go b/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go index eacc22bf141..25298c6e2b5 100644 --- a/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go +++ b/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go @@ -47,7 +47,7 @@ type Elasticsearch struct { } // ElasticsearchFromConnStr returns an Elasticsearch configuration from the connection string. -func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch, error) { +func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) (Elasticsearch, error) { u, err := url.Parse(conn) if err != nil { return Elasticsearch{}, err @@ -64,6 +64,11 @@ func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch, Path: u.Path, TLS: nil, } + if insecure { + cfg.TLS = &tlscommon.Config{ + VerificationMode: tlscommon.VerifyNone, + } + } if serviceToken != "" { cfg.ServiceToken = serviceToken return cfg, nil diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go index 31bb2faaa7c..742453eb489 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go 
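Review bot: ElasticsearchFromConnStr in fleet_server.go now sets `VerificationMode: tlscommon.VerifyNone` whenever `insecure` is true, but the doc comment in the signature hunk was left as it was and does not describe the new parameter. Because the returned config also carries the service token, the comment should say that with `insecure` it is sent without authenticating the server, e.g. `// When insecure is true the returned config disables TLS certificate verification; intended for testing only.` As far as the hunk shows, the TLS block is created regardless of the URL scheme, which is harmless for plain http but worth a word in the comment. The function continues outside the hunk.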
@@ -104,6 +104,11 @@ func (d *Dict) Find(key string) (Node, bool) { return nil, false } +// Insert inserts a value into a collection. +func (d *Dict) Insert(node Node) { + d.value = append(d.value, node) +} + func (d *Dict) String() string { var sb strings.Builder for i := 0; i < len(d.value); i++ {
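Review bot: `Dict.Insert` appends the node to `d.value` without checking whether an entry with the same key already exists, so inserting a key twice leaves two entries, and which of them `Find` returns depends on code outside this hunk. If callers are expected to insert only new keys, say so in the comment; otherwise replace the existing entry instead of appending. The comment could also be more specific than "a collection", e.g. `// Insert appends node to the dictionary; it does not check for an existing entry with the same key.`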