Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DO NOT MERGE][8.16](backport #4042) update elastic-agent-libs #4049

Open
wants to merge 1 commit into
base: 8.16
Choose a base branch
from

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Oct 25, 2024

Wait until 8.16.0 is released before merging

What is the problem this PR solves?

fleet-server using an outdated version of elastic-agent-libs

How does this PR solve the problem?

by updating elastic-agent-libs ot its latest version

How to test this PR locally

Ensure mTLS is still working

adjust the IPs/hostnames as needed

build a fleet-server out of this PR

go build

you might need to build an 8.16 agent out of main:

AGENT_PACKAGE_VERSION=8.16.0-SNAPSHOT BEATS_VERSION=8.16.0-SNAPSHOT DEV=true SNAPSHOT=true EXTERNAL=true PLATFORMS="linux/amd64" PACKAGES="tar.gz" mage package

add your fleet server built to the agent package

tar -xf elastic-agent-8.16.0-SNAPSHOT-linux-x86_64.tar.gz
cp path/tp/your/fleet-server ./elastic-agent-8.16.0-SNAPSHOT-linux-x86_64/data/elastic-agent-*/components/fleet-server

create 2 TLS certificates

  • use elastic-agent-libs/testing/certutil/cmd to create the certificates. Make sure to use elastic-agent-libs with this PR merged or use the PR branch
  • either make your fleet-server reachable on fleet-server or change -name fleet-server to a valid DNS for your fleet-server.
go run main.go -prefix server -name fleet-server -noip
go run main.go -client -prefix client

you should have:

-rw------- 1 ainsoph ainsoph  312 Oct 24 16:36 client-ca_key.pem
-rw------- 1 ainsoph ainsoph  928 Oct 24 16:36 client-ca.pem
-rw------- 1 ainsoph ainsoph  312 Oct 24 16:36 client-client_key.pem
-rw------- 1 ainsoph ainsoph  895 Oct 24 16:36 client-client.pem

-rw------- 1 ainsoph ainsoph  312 Oct 24 16:37 server-ca_key.pem
-rw------- 1 ainsoph ainsoph  932 Oct 24 16:37 server-ca.pem
-rw------- 1 ainsoph ainsoph  312 Oct 24 16:37 server-fleet-server_key.pem
-rw------- 1 ainsoph ainsoph  928 Oct 24 16:37 server-fleet-server.pem

start an elastic stack (considering elastic-cloud)

add a fleet server with mTLS

elastic-agent install -nf \
--url=https://fleet-server:8220 \
--fleet-server-es=https://es.elastic-cloud.com:443 \
--fleet-server-service-token=a-service-token \
--fleet-server-policy=fleet-server-policy \
--certificate-authorities=/root/certs/server-ca.pem,/root/certs/client-ca.pem,/etc/ssl/certs/ca-certificates.crt \
--fleet-server-cert=/root/certs/server-fleet-server.pem \
--fleet-server-cert-key=/root/certs/server-fleet-server_key.pem \
--elastic-agent-cert=/root/certs/client-client.pem \
--elastic-agent-cert-key=/root/certs/client-client_key.pem \
--fleet-server-client-auth=required \
--fleet-server-port=8220

create a policy with Elastic Defend

add an agent to that policy

elastic-agent install -nf \
--url=https://fleet-server:8220 \
--enrollment-token=a-token \
--certificate-authorities=/root/certs/server-ca.pem,/etc/ssl/certs/ca-certificates.crt \
--elastic-agent-cert=/root/certs/client-client.pem \
--elastic-agent-cert-key=/root/certs/client-client_key.pem 

Design Checklist

  • [ ] I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
  • [ ] I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
  • [ ] I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool

Related issues

  • N/A

This is an automatic backport of pull request #4042 done by [Mergify](https://mergify.com).

@mergify mergify bot requested a review from a team as a code owner October 25, 2024 18:38
@mergify mergify bot added the backport label Oct 25, 2024
@mergify mergify bot requested a review from kaanyalti October 25, 2024 18:39
@mergify mergify bot added the conflicts There is a conflict in the backported pull request label Oct 25, 2024
@mergify mergify bot requested a review from pchila October 25, 2024 18:39
Copy link
Contributor Author

mergify bot commented Oct 25, 2024

Cherry-pick of 7d77467 has failed:

On branch mergify/bp/8.16/pr-4042
Your branch is up to date with 'origin/8.16'.

You are currently cherry-picking commit 7d77467.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   changelog/fragments/1729782694-Fleet-Server-uses-'ssl.verification_mode:-certificate'-by-default-for-incomming-client-connections.yaml

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   NOTICE.txt
	both modified:   go.mod
	both modified:   go.sum
	both modified:   testing/go.mod
	both modified:   testing/go.sum

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

Copy link
Contributor Author

mergify bot commented Oct 28, 2024

This pull request has not been merged yet. Could you please review and merge it @AndersonQ? 🙏

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Oct 28, 2024
@pierrehilbert pierrehilbert requested review from AndersonQ and removed request for kaanyalti and pchila October 28, 2024 08:33
@AndersonQ
Copy link
Member

we'll wait 8.16.0 to be release, then we can merge it

@pierrehilbert pierrehilbert changed the title [8.16](backport #4042) update elastic-agent-libs [DO NOT MERGE][8.16](backport #4042) update elastic-agent-libs Oct 29, 2024
@pierrehilbert
Copy link
Contributor

I updated the title and the description to make it clear.

elastic-agent-libs v0.14.0 sets the server side certificate verification mode to 'certificate' by default

(cherry picked from commit 7d77467)
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport conflicts There is a conflict in the backported pull request Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants