diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc index bb72322c0db..8fcefd59486 100644 --- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc @@ -150,3 +150,4 @@ - Add diagnostics collect command to gather beat metadata, config, policy, and logs and bundle it into an archive. {pull}28461[28461] - Add `KIBANA_FLEET_SERVICE_TOKEN` to Elastic Agent container. {pull}28096[28096] - Allow pprof endpoints for elastic-agent or beats if enabled. {pull}28983[28983] {pull}29155[29155] +- Mark username/password settings for fleet-server as deprecated. {pull}29434[29434] diff --git a/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl b/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl index c49369d77c6..3635a95b4f7 100644 --- a/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl +++ b/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl @@ -5,8 +5,9 @@ outputs: default: type: elasticsearch hosts: [127.0.0.1:9200] - username: elastic - password: changeme + api_key: "example-key" + #username: elastic + #password: changeme inputs: - type: system/metrics @@ -74,6 +75,9 @@ inputs: # # optional values # #protocol: "https" +# #service_token: "example-token" +# # Note that fleet-server basic auth is deprecated for and will be removed in 8.0 +# # service_token should be used instead. # #username: "elastic" # #password: "changeme" # #path: "" diff --git a/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl b/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl index f0c77e983ba..6eb8b559798 100644 --- a/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl +++ b/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl @@ -5,8 +5,9 @@ outputs: default: type: elasticsearch hosts: [127.0.0.1:9200] - username: elastic - password: changeme + api_key: "example-key" + #username: elastic + #password: changeme inputs: - type: system/metrics 
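Review bot: The active `api_key: "example-key"` in the default output of common.p2.yml.tmpl (first hunk) does not show the `id:api_key` shape that the Elasticsearch output documents for this setting. A reader cannot tell what to paste there, and an agent started from the unedited file will presumably be rejected at authentication. Either make the placeholder show the shape, e.g. `api_key: "example-id:example-key"`, or add a comment above it such as `# API key in "id:api_key" form; create a dedicated key scoped to what the agent needs`. The same line appears in common.reference.p2.yml.tmpl and in the generated elastic-agent.yml and elastic-agent.reference.yml. The `outputs` block continues outside the hunk.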
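Review bot: The added comment in the second hunk of common.p2.yml.tmpl reads "deprecated for and will be removed in 8.0", with a stray "for". It should read `# # Note that fleet-server basic auth is deprecated and will be removed in 8.0`, as the reference and docker templates already do. The generated elastic-agent.yml carries the same typo and will need regenerating once the template is fixed.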
@@ -43,6 +44,9 @@ inputs: # # optional values # #protocol: "https" +# #service_token: "example-token" +# # Note that fleet-server basic auth is deprecated and will be removed in 8.0 +# # service_token should be used instead. # #username: "elastic" # #password: "changeme" # #path: "" diff --git a/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl b/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl index 69a80678db8..c8bb66459f8 100644 --- a/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl +++ b/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl @@ -43,6 +43,9 @@ inputs: # # optional values # #protocol: "https" +# #service_token: "${FLEET_SERVER_SERVICE_TOKEN}" +# # Note that fleet-server basic auth is deprecated and will be removed in 8.0 +# # service_token should be used instead. # #username: "elastic" # #password: "changeme" # #path: "" diff --git a/x-pack/elastic-agent/elastic-agent.docker.yml b/x-pack/elastic-agent/elastic-agent.docker.yml index 9bf7307aacf..0fb32e58e2f 100644 --- a/x-pack/elastic-agent/elastic-agent.docker.yml +++ b/x-pack/elastic-agent/elastic-agent.docker.yml @@ -43,6 +43,9 @@ inputs: # # optional values # #protocol: "https" +# #service_token: "${FLEET_SERVER_SERVICE_TOKEN}" +# # Note that fleet-server basic auth is deprecated and will be removed in 8.0 +# # service_token should be used instead. # #username: "elastic" # #password: "changeme" # #path: "" diff --git a/x-pack/elastic-agent/elastic-agent.reference.yml b/x-pack/elastic-agent/elastic-agent.reference.yml index 575caefc105..672f7e9f317 100644 --- a/x-pack/elastic-agent/elastic-agent.reference.yml +++ b/x-pack/elastic-agent/elastic-agent.reference.yml @@ -11,8 +11,9 @@ outputs: default: type: elasticsearch hosts: [127.0.0.1:9200] - username: elastic - password: changeme + api_key: "example-key" + #username: elastic + #password: changeme inputs: - type: system/metrics 
@@ -49,6 +50,9 @@ inputs: # # optional values # #protocol: "https" +# #service_token: "example-token" +# # Note that fleet-server basic auth is deprecated and will be removed in 8.0 +# # service_token should be used instead. # #username: "elastic" # #password: "changeme" # #path: "" diff --git a/x-pack/elastic-agent/elastic-agent.yml b/x-pack/elastic-agent/elastic-agent.yml index 606aefabfbc..9450ce550cb 100644 --- a/x-pack/elastic-agent/elastic-agent.yml +++ b/x-pack/elastic-agent/elastic-agent.yml @@ -11,8 +11,9 @@ outputs: default: type: elasticsearch hosts: [127.0.0.1:9200] - username: elastic - password: changeme + api_key: "example-key" + #username: elastic + #password: changeme inputs: - type: system/metrics @@ -80,6 +81,9 @@ inputs: # # optional values # #protocol: "https" +# #service_token: "example-token" +# # Note that fleet-server basic auth is deprecated for and will be removed in 8.0 +# # service_token should be used instead. # #username: "elastic" # #password: "changeme" # #path: "" diff --git a/x-pack/elastic-agent/pkg/agent/cmd/container.go b/x-pack/elastic-agent/pkg/agent/cmd/container.go index e7a64cec193..99565bda666 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/container.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/container.go @@ -27,6 +27,7 @@ import ( "github.com/spf13/cobra" "gopkg.in/yaml.v2" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon" "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" "github.com/elastic/beats/v7/libbeat/kibana" 
@@ -93,8 +94,8 @@ The following actions are possible and grouped based on the actions. FLEET_SERVER_ENABLE - set to 1 enables bootstrapping of Fleet Server inside Elastic Agent (forces FLEET_ENROLL enabled) FLEET_SERVER_ELASTICSEARCH_HOST - elasticsearch host for Fleet Server to communicate with [$ELASTICSEARCH_HOST] - FLEET_SERVER_ELASTICSEARCH_USERNAME - elasticsearch username for Fleet Server [$ELASTICSEARCH_USERNAME] - FLEET_SERVER_ELASTICSEARCH_PASSWORD - elasticsearch password for Fleet Server [$ELASTICSEARCH_PASSWORD] + FLEET_SERVER_ELASTICSEARCH_USERNAME - elasticsearch username for Fleet Server. Deprecated, use FLEET_SERVICE_SERVICE_TOKEN instead. [$ELASTICSEARCH_USERNAME] + FLEET_SERVER_ELASTICSEARCH_PASSWORD - elasticsearch password for Fleet Server. Deprecated, use FLEET_SERVICE_SERVICE_TOKEN instead. [$ELASTICSEARCH_PASSWORD] FLEET_SERVER_ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch [$ELASTICSEARCH_CA] FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch FLEET_SERVER_SERVICE_TOKEN - service token to use for communication with elasticsearch @@ -122,8 +123,8 @@ The following environment variables are provided as a convenience to prevent a l be used when the same credentials will be used across all the possible actions above. ELASTICSEARCH_HOST - elasticsearch host [http://elasticsearch:9200] - ELASTICSEARCH_USERNAME - elasticsearch username [elastic] - ELASTICSEARCH_PASSWORD - elasticsearch password [changeme] + ELASTICSEARCH_USERNAME - elasticsearch username. Deprecated, use FLEET_SERVER_SERVICE_TOKEN instead. [elastic] + ELASTICSEARCH_PASSWORD - elasticsearch password. Deprecated, use FLEET_SERVER_SERVICE_TOKEN instead. [changeme] ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch KIBANA_HOST - kibana host [http://kibana:5601] KIBANA_USERNAME - kibana username [$ELASTICSEARCH_USERNAME] 
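Review bot: The two deprecation notes added for `FLEET_SERVER_ELASTICSEARCH_USERNAME` and `FLEET_SERVER_ELASTICSEARCH_PASSWORD` tell the operator to use `FLEET_SERVICE_SERVICE_TOKEN`, but the variable documented a few lines below in the same help text is `FLEET_SERVER_SERVICE_TOKEN`. Anyone copying the name from the help output would set a variable that, as far as this page shows, nothing reads, and the container would keep using basic auth. Both lines should end with `Deprecated, use FLEET_SERVER_SERVICE_TOKEN instead.` The help string starts and ends outside the hunk.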
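Review bot: The deprecation text on `ELASTICSEARCH_USERNAME` and `ELASTICSEARCH_PASSWORD` names only `FLEET_SERVER_SERVICE_TOKEN`, yet the same block shows these variables are also the default for `KIBANA_USERNAME` (`[$ELASTICSEARCH_USERNAME]`). A reader could conclude that the Fleet Server token replaces them for Kibana setup as well. Scoping the wording would avoid that, e.g. `elasticsearch username. Deprecated for Fleet Server, use FLEET_SERVER_SERVICE_TOKEN instead. [elastic]`. If `KIBANA_FLEET_SERVICE_TOKEN` from the changelog is the Kibana-side replacement, the help text should say so.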
@@ -426,6 +427,7 @@ func buildFleetServerConnStr(cfg fleetServerConfig) (string, error) { if cfg.Elasticsearch.ServiceToken != "" { return fmt.Sprintf("%s://%s%s", u.Scheme, u.Host, path), nil } + cfgwarn.Deprecate("8.0.0", "Support for basic authorization (FLEET_SERVER_ELASTICSEARCH_USERNAME:FLEET_SERVER_ELASTICSEARCH_PASSWORD) is deprecated. Please use FLEET_SERVER_SERVICE_TOKEN instead.") return fmt.Sprintf("%s://%s:%s@%s%s", u.Scheme, cfg.Elasticsearch.Username, cfg.Elasticsearch.Password, u.Host, path), nil } diff --git a/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go b/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go index 425d899a55b..22f3b572f64 100644 --- a/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go +++ b/x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go @@ -7,6 +7,7 @@ package configuration import ( "net/url" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" ) @@ -81,6 +82,7 @@ func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) ( if !ok { return Elasticsearch{}, errors.New("invalid connection string: must include a password unless a service token is provided") } + cfgwarn.Deprecate("8.0.0", "Support for basic authorization (username:password) is deprecated. Please use service_token.") cfg.Username = u.User.Username() cfg.Password = password return cfg, nil
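Review bot: The basic-auth branch in buildFleetServerConnStr, just below the new warning, still builds the URL with `fmt.Sprintf("%s://%s:%s@%s%s", ...)` from the raw username and password. A credential containing `@`, `:`, `/` or `%` then produces a connection string that fails to parse or parses into a different user, password or host than was configured. This path stays supported until 8.0, so the userinfo should be built with `url.UserPassword(cfg.Elasticsearch.Username, cfg.Elasticsearch.Password).String()` and spliced in, assuming `net/url` is already imported for `u`. The returned string carries the password in clear text, so it is worth checking that callers outside this hunk never log it or put it in an error message. The function begins outside the hunk.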
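Review bot: The warning added to ElasticsearchFromConnStr is logged on every call that takes the username/password path. In container mode it probably follows the warning buildFleetServerConnStr has already logged for the same configuration, so operators may see the deprecation twice with different texts. A single shared message constant would keep the two in step. "Basic authentication" is also the accurate term, e.g. `"Support for basic authentication (username:password) is deprecated. Please use service_token instead."`. A `// Deprecated:` sentence in the function's doc comment about the username/password form would make this visible to API users too. The function begins outside the hunk.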