Skip to content

Commit

Permalink
[Elastic-Agent] Modify output to be insecure if flag is provided (ela…
Browse files Browse the repository at this point in the history
…stic#28007)

[Elastic-Agent] Modify output to be insecure if flag is provided (elastic#28007)
  • Loading branch information
michalpristas authored Oct 13, 2021
1 parent 7aad689 commit 9c6a0bb
Show file tree
Hide file tree
Showing 7 changed files with 64 additions and 27 deletions.
4 changes: 4 additions & 0 deletions x-pack/elastic-agent/pkg/agent/cmd/container.go
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,7 @@ The following actions are possible and grouped based on the actions.
FLEET_SERVER_ELASTICSEARCH_USERNAME - elasticsearch username for Fleet Server [$ELASTICSEARCH_USERNAME]
FLEET_SERVER_ELASTICSEARCH_PASSWORD - elasticsearch password for Fleet Server [$ELASTICSEARCH_PASSWORD]
FLEET_SERVER_ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch [$ELASTICSEARCH_CA]
FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch
FLEET_SERVER_SERVICE_TOKEN - service token to use for communication with elasticsearch
FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself ("Default Fleet Server policy" used when undefined)
FLEET_SERVER_HOST - binding host for Fleet Server HTTP (overrides the policy). By default this is 0.0.0.0.
Expand Down Expand Up @@ -384,6 +385,9 @@ func buildEnrollArgs(cfg setupConfig, token string, policyID string) ([]string,
if cfg.FleetServer.InsecureHTTP || cfg.Fleet.Insecure {
args = append(args, "--insecure")
}
if cfg.FleetServer.Elasticsearch.Insecure {
args = append(args, "--fleet-server-es-insecure")
}
} else {
if cfg.Fleet.URL == "" {
return nil, errors.New("FLEET_URL is required when FLEET_ENROLL is true without FLEET_SERVER_ENABLE")
Expand Down
30 changes: 19 additions & 11 deletions x-pack/elastic-agent/pkg/agent/cmd/enroll.go
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ func addEnrollFlags(cmd *cobra.Command) {
cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet")
cmd.Flags().StringP("fleet-server-es", "", "", "Start and run a Fleet Server along side this Elastic Agent connecting to the provided elasticsearch")
cmd.Flags().StringP("fleet-server-es-ca", "", "", "Path to certificate authority to use with communicate with elasticsearch")
cmd.Flags().BoolP("fleet-server-es-insecure", "", false, "Disables validation of certificates")
cmd.Flags().StringP("fleet-server-service-token", "", "", "Service token to use for communication with elasticsearch")
cmd.Flags().StringP("fleet-server-policy", "", "", "Start and run a Fleet Server on this specific policy")
cmd.Flags().StringP("fleet-server-host", "", "", "Fleet Server HTTP binding host (overrides the policy)")
Expand Down Expand Up @@ -101,6 +102,7 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
}
fServer, _ := cmd.Flags().GetString("fleet-server-es")
fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca")
fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure")
fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token")
fPolicy, _ := cmd.Flags().GetString("fleet-server-policy")
fHost, _ := cmd.Flags().GetString("fleet-server-host")
Expand Down Expand Up @@ -201,6 +203,10 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
args = append(args, "--delay-enroll")
}

if fElasticSearchInsecure {
args = append(args, "--fleet-server-es-insecure")
}

return args
}

Expand Down Expand Up @@ -268,6 +274,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error {
enrollmentToken, _ := cmd.Flags().GetString("enrollment-token")
fServer, _ := cmd.Flags().GetString("fleet-server-es")
fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca")
fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure")
fHeaders, _ := cmd.Flags().GetStringSlice("header")
fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token")
fPolicy, _ := cmd.Flags().GetString("fleet-server-policy")
Expand Down Expand Up @@ -302,17 +309,18 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error {
ProxyHeaders: mapFromEnvList(proxyHeaders),
DelayEnroll: delayEnroll,
FleetServer: enrollCmdFleetServerOption{
ConnStr: fServer,
ElasticsearchCA: fElasticSearchCA,
ServiceToken: fServiceToken,
PolicyID: fPolicy,
Host: fHost,
Port: fPort,
Cert: fCert,
CertKey: fCertKey,
Insecure: fInsecure,
SpawnAgent: !fromInstall,
Headers: mapFromEnvList(fHeaders),
ConnStr: fServer,
ElasticsearchCA: fElasticSearchCA,
ElasticsearchInsecure: fElasticSearchInsecure,
ServiceToken: fServiceToken,
PolicyID: fPolicy,
Host: fHost,
Port: fPort,
Cert: fCert,
CertKey: fCertKey,
Insecure: fInsecure,
SpawnAgent: !fromInstall,
Headers: mapFromEnvList(fHeaders),
},
}

Expand Down
42 changes: 27 additions & 15 deletions x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,17 +73,18 @@ type enrollCmd struct {

// enrollCmdFleetServerOption define all the supported enrollment options for bootstrapping with Fleet Server.
type enrollCmdFleetServerOption struct {
ConnStr string
ElasticsearchCA string
ServiceToken string
PolicyID string
Host string
Port uint16
Cert string
CertKey string
Insecure bool
SpawnAgent bool
Headers map[string]string
ConnStr string
ElasticsearchCA string
ElasticsearchInsecure bool
ServiceToken string
PolicyID string
Host string
Port uint16
Cert string
CertKey string
Insecure bool
SpawnAgent bool
Headers map[string]string
}

// enrollCmdOption define all the supported enrollment option.
Expand Down Expand Up @@ -304,6 +305,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context) (string, error) {
c.options.ProxyURL,
c.options.ProxyDisabled,
c.options.ProxyHeaders,
c.options.FleetServer.ElasticsearchInsecure,
)
if err != nil {
return "", err
Expand Down Expand Up @@ -497,7 +499,9 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte
c.options.FleetServer.Host, c.options.FleetServer.Port,
c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA,
c.options.FleetServer.Headers,
c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders)
c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders,
c.options.FleetServer.ElasticsearchInsecure,
)
if err != nil {
return err
}
Expand Down Expand Up @@ -806,16 +810,21 @@ func createFleetServerBootstrapConfig(
proxyURL string,
proxyDisabled bool,
proxyHeaders map[string]string,
insecure bool,
) (*configuration.FleetAgentConfig, error) {
localFleetServer := connStr != ""

es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken)
es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken, insecure)
if err != nil {
return nil, err
}
if esCA != "" {
es.TLS = &tlscommon.Config{
CAs: []string{esCA},
if es.TLS == nil {
es.TLS = &tlscommon.Config{
CAs: []string{esCA},
}
} else {
es.TLS.CAs = []string{esCA}
}
}
if host == "" {
Expand Down Expand Up @@ -857,6 +866,9 @@ func createFleetServerBootstrapConfig(
Key: key,
},
}
if insecure {
cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone
}
}

if localFleetServer {
Expand Down
1 change: 1 addition & 0 deletions x-pack/elastic-agent/pkg/agent/cmd/inspect.go
Original file line number Diff line number Diff line change
Expand Up @@ -259,6 +259,7 @@ func getProgramsFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, cfg *c
if err != nil {
return nil, err
}

composableWaiter := newWaitForCompose(composableCtrl)
configModifiers := &pipeline.ConfigModifiers{
Decorators: []pipeline.DecoratorFunc{modifiers.InjectMonitoring},
Expand Down
2 changes: 2 additions & 0 deletions x-pack/elastic-agent/pkg/agent/cmd/setup_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ type elasticsearchConfig struct {
Username string `config:"username"`
Password string `config:"password"`
ServiceToken string `config:"service_token"`
Insecure bool `config:"insecure"`
}

type kibanaConfig struct {
Expand Down Expand Up @@ -92,6 +93,7 @@ func defaultAccessConfig() (setupConfig, error) {
Password: envWithDefault("changeme", "FLEET_SERVER_ELASTICSEARCH_PASSWORD", "ELASTICSEARCH_PASSWORD"),
ServiceToken: envWithDefault("", "FLEET_SERVER_SERVICE_TOKEN"),
CA: envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA", "ELASTICSEARCH_CA"),
Insecure: envBool("FLEET_SERVER_ELASTICSEARCH_INSECURE"),
},
Enable: envBool("FLEET_SERVER_ENABLE"),
Host: envWithDefault("", "FLEET_SERVER_HOST"),
Expand Down
7 changes: 6 additions & 1 deletion x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ type Elasticsearch struct {
}

// ElasticsearchFromConnStr returns an Elasticsearch configuration from the connection string.
func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch, error) {
func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) (Elasticsearch, error) {
u, err := url.Parse(conn)
if err != nil {
return Elasticsearch{}, err
Expand All @@ -64,6 +64,11 @@ func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch,
Path: u.Path,
TLS: nil,
}
if insecure {
cfg.TLS = &tlscommon.Config{
VerificationMode: tlscommon.VerifyNone,
}
}
if serviceToken != "" {
cfg.ServiceToken = serviceToken
return cfg, nil
Expand Down
5 changes: 5 additions & 0 deletions x-pack/elastic-agent/pkg/agent/transpiler/ast.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,11 @@ func (d *Dict) Find(key string) (Node, bool) {
return nil, false
}

// Insert inserts a value into a collection.
func (d *Dict) Insert(node Node) {
d.value = append(d.value, node)
}

func (d *Dict) String() string {
var sb strings.Builder
for i := 0; i < len(d.value); i++ {
Expand Down

0 comments on commit 9c6a0bb

Please sign in to comment.