From 9c6a0bb8a69fa8113656cdc40023f94ab2bb85de Mon Sep 17 00:00:00 2001 From: Michal Pristas Date: Wed, 13 Oct 2021 10:44:52 +0200 Subject: [PATCH] [Elastic-Agent] Modify output to be insecure if flag is provided (#28007) [Elastic-Agent] Modify output to be insecure if flag is provided (#28007) --- .../elastic-agent/pkg/agent/cmd/container.go | 4 ++ x-pack/elastic-agent/pkg/agent/cmd/enroll.go | 30 ++++++++----- .../elastic-agent/pkg/agent/cmd/enroll_cmd.go | 42 ++++++++++++------- x-pack/elastic-agent/pkg/agent/cmd/inspect.go | 1 + .../pkg/agent/cmd/setup_config.go | 2 + .../pkg/agent/configuration/fleet_server.go | 7 +++- .../elastic-agent/pkg/agent/transpiler/ast.go | 5 +++ 7 files changed, 64 insertions(+), 27 deletions(-) diff --git a/x-pack/elastic-agent/pkg/agent/cmd/container.go b/x-pack/elastic-agent/pkg/agent/cmd/container.go index 8d0a4bb4287..d19f94e4267 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/container.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/container.go @@ -96,6 +96,7 @@ The following actions are possible and grouped based on the actions. FLEET_SERVER_ELASTICSEARCH_USERNAME - elasticsearch username for Fleet Server [$ELASTICSEARCH_USERNAME] FLEET_SERVER_ELASTICSEARCH_PASSWORD - elasticsearch password for Fleet Server [$ELASTICSEARCH_PASSWORD] FLEET_SERVER_ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch [$ELASTICSEARCH_CA] + FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch FLEET_SERVER_SERVICE_TOKEN - service token to use for communication with elasticsearch FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself ("Default Fleet Server policy" used when undefined) FLEET_SERVER_HOST - binding host for Fleet Server HTTP (overrides the policy). By default this is 0.0.0.0. @@ -384,6 +385,9 @@ func buildEnrollArgs(cfg setupConfig, token string, policyID string) ([]string, if cfg.FleetServer.InsecureHTTP || cfg.Fleet.Insecure { args = append(args, "--insecure") } + if cfg.FleetServer.Elasticsearch.Insecure { + args = append(args, "--fleet-server-es-insecure") + } } else { if cfg.Fleet.URL == "" { return nil, errors.New("FLEET_URL is required when FLEET_ENROLL is true without FLEET_SERVER_ENABLE") diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go index 20407ac1af1..eed3b6b026a 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go @@ -54,6 +54,7 @@ func addEnrollFlags(cmd *cobra.Command) { cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet") cmd.Flags().StringP("fleet-server-es", "", "", "Start and run a Fleet Server along side this Elastic Agent connecting to the provided elasticsearch") cmd.Flags().StringP("fleet-server-es-ca", "", "", "Path to certificate authority to use with communicate with elasticsearch") + cmd.Flags().BoolP("fleet-server-es-insecure", "", false, "Disables validation of certificates") cmd.Flags().StringP("fleet-server-service-token", "", "", "Service token to use for communication with elasticsearch") cmd.Flags().StringP("fleet-server-policy", "", "", "Start and run a Fleet Server on this specific policy") cmd.Flags().StringP("fleet-server-host", "", "", "Fleet Server HTTP binding host (overrides the policy)") @@ -101,6 +102,7 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string } fServer, _ := cmd.Flags().GetString("fleet-server-es") fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca") + fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure") fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token") fPolicy, _ := cmd.Flags().GetString("fleet-server-policy") fHost, _ := cmd.Flags().GetString("fleet-server-host") @@ -201,6 +203,10 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string args = append(args, "--delay-enroll") } + if fElasticSearchInsecure { + args = append(args, "--fleet-server-es-insecure") + } + return args } @@ -268,6 +274,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error { enrollmentToken, _ := cmd.Flags().GetString("enrollment-token") fServer, _ := cmd.Flags().GetString("fleet-server-es") fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca") + fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure") fHeaders, _ := cmd.Flags().GetStringSlice("header") fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token") fPolicy, _ := cmd.Flags().GetString("fleet-server-policy") @@ -302,17 +309,18 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error { ProxyHeaders: mapFromEnvList(proxyHeaders), DelayEnroll: delayEnroll, FleetServer: enrollCmdFleetServerOption{ - ConnStr: fServer, - ElasticsearchCA: fElasticSearchCA, - ServiceToken: fServiceToken, - PolicyID: fPolicy, - Host: fHost, - Port: fPort, - Cert: fCert, - CertKey: fCertKey, - Insecure: fInsecure, - SpawnAgent: !fromInstall, - Headers: mapFromEnvList(fHeaders), + ConnStr: fServer, + ElasticsearchCA: fElasticSearchCA, + ElasticsearchInsecure: fElasticSearchInsecure, + ServiceToken: fServiceToken, + PolicyID: fPolicy, + Host: fHost, + Port: fPort, + Cert: fCert, + CertKey: fCertKey, + Insecure: fInsecure, + SpawnAgent: !fromInstall, + Headers: mapFromEnvList(fHeaders), }, } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go index 8d18bf6ef9a..38e1a865b4d 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go @@ -73,17 +73,18 @@ type enrollCmd struct { // enrollCmdFleetServerOption define all the supported enrollment options for bootstrapping with Fleet Server. type enrollCmdFleetServerOption struct { - ConnStr string - ElasticsearchCA string - ServiceToken string - PolicyID string - Host string - Port uint16 - Cert string - CertKey string - Insecure bool - SpawnAgent bool - Headers map[string]string + ConnStr string + ElasticsearchCA string + ElasticsearchInsecure bool + ServiceToken string + PolicyID string + Host string + Port uint16 + Cert string + CertKey string + Insecure bool + SpawnAgent bool + Headers map[string]string } // enrollCmdOption define all the supported enrollment option. @@ -304,6 +305,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context) (string, error) { c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders, + c.options.FleetServer.ElasticsearchInsecure, ) if err != nil { return "", err @@ -497,7 +499,9 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.Headers, - c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders) + c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders, + c.options.FleetServer.ElasticsearchInsecure, + ) if err != nil { return err } @@ -806,16 +810,21 @@ func createFleetServerBootstrapConfig( proxyURL string, proxyDisabled bool, proxyHeaders map[string]string, + insecure bool, ) (*configuration.FleetAgentConfig, error) { localFleetServer := connStr != "" - es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken) + es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken, insecure) if err != nil { return nil, err } if esCA != "" { - es.TLS = &tlscommon.Config{ - CAs: []string{esCA}, + if es.TLS == nil { + es.TLS = &tlscommon.Config{ + CAs: []string{esCA}, + } + } else { + es.TLS.CAs = []string{esCA} } } if host == "" { @@ -857,6 +866,9 @@ func createFleetServerBootstrapConfig( Key: key, }, } + if insecure { + cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone + } } if localFleetServer { diff --git a/x-pack/elastic-agent/pkg/agent/cmd/inspect.go b/x-pack/elastic-agent/pkg/agent/cmd/inspect.go index 023f41a544c..56a8f97c131 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/inspect.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/inspect.go @@ -259,6 +259,7 @@ func getProgramsFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, cfg *c if err != nil { return nil, err } + composableWaiter := newWaitForCompose(composableCtrl) configModifiers := &pipeline.ConfigModifiers{ Decorators: []pipeline.DecoratorFunc{modifiers.InjectMonitoring}, diff --git a/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go b/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go index f0076af5435..6852bd2491e 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go @@ -43,6 +43,7 @@ type elasticsearchConfig struct { Username string `config:"username"` Password string `config:"password"` ServiceToken string `config:"service_token"` + Insecure bool `config:"insecure"` } type kibanaConfig struct { @@ -92,6 +93,7 @@ func defaultAccessConfig() (setupConfig, error) { Password: envWithDefault("changeme", "FLEET_SERVER_ELASTICSEARCH_PASSWORD", "ELASTICSEARCH_PASSWORD"), ServiceToken: envWithDefault("", "FLEET_SERVER_SERVICE_TOKEN"), CA: envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA", "ELASTICSEARCH_CA"), + Insecure: envBool("FLEET_SERVER_ELASTICSEARCH_INSECURE"), }, Enable: envBool("FLEET_SERVER_ENABLE"), Host: envWithDefault("", "FLEET_SERVER_HOST"), diff --git a/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go b/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go index eacc22bf141..25298c6e2b5 100644 --- a/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go +++ b/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go @@ -47,7 +47,7 @@ type Elasticsearch struct { } // ElasticsearchFromConnStr returns an Elasticsearch configuration from the connection string. -func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch, error) { +func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) (Elasticsearch, error) { u, err := url.Parse(conn) if err != nil { return Elasticsearch{}, err @@ -64,6 +64,11 @@ func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch, Path: u.Path, TLS: nil, } + if insecure { + cfg.TLS = &tlscommon.Config{ + VerificationMode: tlscommon.VerifyNone, + } + } if serviceToken != "" { cfg.ServiceToken = serviceToken return cfg, nil diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go index 31bb2faaa7c..742453eb489 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go @@ -104,6 +104,11 @@ func (d *Dict) Find(key string) (Node, bool) { return nil, false } +// Insert inserts a value into a collection. +func (d *Dict) Insert(node Node) { + d.value = append(d.value, node) +} + func (d *Dict) String() string { var sb strings.Builder for i := 0; i < len(d.value); i++ {