From c6fb13b5823d71a0091cf3074b89dde5e8a990a9 Mon Sep 17 00:00:00 2001 From: Visha Angelova Date: Tue, 9 Dec 2025 10:49:57 +0100 Subject: [PATCH 1/2] Add links for using Fleet Server with a proxy + small sub fixes --- reference/fleet/add-fleet-server-cloud.md | 15 +++--- .../fleet/add-fleet-server-kubernetes.md | 22 ++++----- reference/fleet/add-fleet-server-mixed.md | 14 ++---- reference/fleet/add-fleet-server-on-prem.md | 16 +++---- reference/fleet/fleet-agent-proxy-managed.md | 46 ++++++------------- .../fleet/fleet-agent-proxy-standalone.md | 9 ++-- reference/fleet/fleet-agent-proxy-support.md | 13 ++---- .../fleet-agent-serverless-restrictions.md | 6 +-- reference/fleet/fleet-server-monitoring.md | 2 +- reference/fleet/fleet-server-scalability.md | 33 +++++-------- reference/fleet/fleet-server-secrets.md | 6 +-- reference/fleet/fleet-server.md | 28 +++++------ reference/fleet/host-proxy-env-vars.md | 5 +- reference/fleet/migrate-elastic-agent.md | 2 +- 14 files changed, 79 insertions(+), 138 deletions(-) diff --git a/reference/fleet/add-fleet-server-cloud.md b/reference/fleet/add-fleet-server-cloud.md index 6c41761bcf..9bfb279f10 100644 --- a/reference/fleet/add-fleet-server-cloud.md +++ b/reference/fleet/add-fleet-server-cloud.md @@ -1,4 +1,5 @@ --- +navigation_title: Deploy on Elastic Cloud mapped_pages: - https://www.elastic.co/guide/en/fleet/current/add-fleet-server-cloud.html products: @@ -6,7 +7,7 @@ products: - id: elastic-agent --- -# Deploy on Elastic Cloud [add-fleet-server-cloud] +# Deploy {{fleet-server}} on {{ecloud}} [add-fleet-server-cloud] To use {{fleet}} for central management, a [{{fleet-server}}](/reference/fleet/fleet-server.md) must be running and accessible to your hosts. 
@@ -39,20 +40,18 @@ This approach might *not* be right for you if you have restrictions on connectiv For more information about hosting {{fleet-server}} on {{ece}}, refer to [](/deploy-manage/deploy/cloud-enterprise/manage-integrations-server.md). - ::::{note} The TLS certificates used to secure connections between {{agent}} and {{fleet-server}} are managed by {{ecloud}}. You do not need to create a private key or generate certificates. :::: - When {{es}} or {{fleet-server}} are deployed, components communicate over well-defined, pre-allocated ports. You may need to allow access to these ports. See the following table for default port assignments: | Component communication | Default port | | --- | --- | -| Elastic Agent → {{fleet-server}} | 443 | -| Elastic Agent → {{es}} | 443 | -| Elastic Agent → Logstash | 5044 | -| Elastic Agent → {{kib}} ({{fleet}}) | 443 | +| {{agent}} → {{fleet-server}} | 443 | +| {{agent}} → {{es}} | 443 | +| {{agent}} → {{ls}} | 5044 | +| {{agent}} → {{kib}} ({{fleet}}) | 443 | | {{fleet-server}} → {{kib}} ({{fleet}}) | 443 | | {{fleet-server}} → {{es}} | 443 | @@ -61,7 +60,6 @@ If you do not specify the port for {{es}} as 443, the {{agent}} defaults to 9200 :::: - ## Setup [add-fleet-server-cloud-set-up] To confirm that an {{integrations-server}} is available in your deployment: @@ -80,7 +78,6 @@ Don’t see the agent? Make sure your deployment includes an {{integrations-serv ::::: - ## Next steps [add-fleet-server-cloud-next] Now you’re ready to add {{agent}}s to your host systems. To learn how, see [Install {{fleet}}-managed {{agent}}s](/reference/fleet/install-fleet-managed-elastic-agent.md). diff --git a/reference/fleet/add-fleet-server-kubernetes.md b/reference/fleet/add-fleet-server-kubernetes.md index c6e9f0dcd3..aa09ee441c 100644 --- a/reference/fleet/add-fleet-server-kubernetes.md +++ b/reference/fleet/add-fleet-server-kubernetes.md 
@@ -1,4 +1,5 @@ --- +navigation_title: Deploy on Kubernetes mapped_pages: - https://www.elastic.co/guide/en/fleet/current/add-fleet-server-kubernetes.html products: @@ -6,7 +7,7 @@ products: - id: elastic-agent --- -# Deploy Fleet Server on Kubernetes [add-fleet-server-kubernetes] +# Deploy {{fleet-server}} on Kubernetes [add-fleet-server-kubernetes] ::::{note} If your {{stack}} is orchestrated by [ECK](/deploy-manage/deploy/cloud-on-k8s.md), we recommend to deploy the {{fleet-server}} through the operator. That simplifies the process, as the operator automatically handles most of the resources configuration and setup steps. @@ -29,7 +30,7 @@ You can deploy {{fleet-server}} on Kubernetes and manage it yourself. In this de To deploy a {{fleet-server}} on Kubernetes and register it into {{fleet}} you will need the following details: * The **Policy ID** of a {{fleet}} policy configured with the {{fleet-server}} integration. -* A **Service token**, used to authenticate {{fleet-server}} with Elasticsearch. +* A **Service token**, used to authenticate {{fleet-server}} with {{es}}. * For outgoing traffic: * The **{{es}} endpoint URL** where the {{fleet-server}} should connect to, configured also in the {{es}} output associated to the policy. @@ -61,7 +62,6 @@ This document walks you through the complete setup process, organized into the f * {{kib}} should be on the same minor version as {{es}}. - ## Prerequisites [add-fleet-server-kubernetes-prereq] Before deploying {{fleet-server}}, you need to: 
@@ -86,7 +86,6 @@ A {{fleet-server}} certificate is not required when installing the server using :::: - If your organization already uses the {{stack}}, you may have a CA certificate that could be used to generate the new cert for the {{fleet-server}}. If you do not have a CA certificate, refer to [Generate a custom certificate and private key for {{fleet-server}}](/reference/fleet/secure-connections.md#generate-fleet-server-certs) for an example to generate a CA and a server certificate using the `elasticsearch-certutil` tool. ::::{important} @@ -95,7 +94,6 @@ Before creating the certificate, you need to know and plan in advance the [hostn :::: - #### [{{fleet-server}} → {{es}} output] outbound traffic flow [add-fleet-server-kubernetes-cert-outbound] In this flow, {{fleet-server}} acts as the client and {{es}} acts as the HTTPS server. For the communication to succeed, {{fleet-server}} needs to trust the CA certificate used to sign the {{es}} certificate. If your {{es}} cluster uses certificates signed by a corporate CA or multiple intermediate CAs you will need to use them during the {{fleet-server}} setup. @@ -105,7 +103,6 @@ If your {{es}} cluster is on Elastic Cloud or if it uses a certificate signed by :::: - In summary, you need: * A **server certificate and key**, valid for the {{fleet-server}} URL. The CA used to sign this certificate will be needed by the {{agent}} clients and the {{fleet-server}} itself. 
@@ -122,7 +119,7 @@ When {{es}} or {{fleet-server}} are deployed, components communicate over well-d | {{fleet-server}} → {{es}} | 9200 | | {{fleet-server}} → {{kib}} (optional, for {{fleet}} setup) | 5601 | | {{agent}} → {{es}} | 9200 | -| {{agent}} → Logstash | 5044 | +| {{agent}} → {{ls}} | 5044 | | {{agent}} → {{kib}} (optional, for {{fleet}} setup) | 5601 | In Kubernetes environments, you can adapt these ports without modifying the listening ports of the {{fleet-server}} or other applications, as traffic is managed by Kubernetes `Services`. This guide includes an example where {{agent}}s connect to the {{fleet-server}} through port `443` instead of the default `8220`. @@ -142,7 +139,6 @@ The `service token` required by the {{fleet-server}} is different from the `enro :::: - 1. In {{kib}}, open **{{fleet}} → Settings** and ensure the **Elasticsearch output** that will be used by the {{fleet-server}} policy is correctly configured, paying special attention that: * The **hosts** field includes a valid URL that will be reachable by the {{fleet-server}} Pod(s). @@ -197,7 +193,6 @@ The `service token` required by the {{fleet-server}} is different from the `enro When the {{fleet-server}} installation has succeeded, the **Confirm Connection** UI will show a **Connected** status. - ### {{fleet-server}} installation [add-fleet-server-kubernetes-install] 
@@ -207,8 +202,8 @@ To deploy {{fleet-server}} on Kubernetes and enroll it into {{fleet}} you need t * **Policy ID** of the {{fleet}} policy configured with the {{fleet-server}} integration. * **Service token**, that you can generate following the [{{fleet}} preparations](#add-fleet-server-kubernetes-preparations) or manually using the [{{es}}-service-tokens command](elasticsearch://reference/elasticsearch/command-line-tools/service-tokens-command.md). -* **{{es}} endpoint URL**, configured in both the {{es}} output associated to the policy and in the Fleet Server as an environment variable. -* **{{es}} CA certificate file**, configured in both the {{es}} output associated to the policy and in the Fleet Server. +* **{{es}} endpoint URL**, configured in both the {{es}} output associated to the policy and in the {{fleet-server}} as an environment variable. +* **{{es}} CA certificate file**, configured in both the {{es}} output associated to the policy and in the {{fleet-server}}. * {{fleet-server}} **certificate and key** (for **Production** deployment mode only). * {{fleet-server}} **CA certificate file** (for **Production** deployment mode only). * {{fleet-server}} URL (for **Production** deployment mode only). 
@@ -228,12 +223,12 @@ Adapt and change the suggested manifests and deployment strategy to your needs, * CPU and memory `requests` and `limits`. Refer to [{{fleet-server}} scalability](/reference/fleet/fleet-server-scalability.md) for more information about {{fleet-server}} resources utilization. * Scheduling configuration, such as `affinity rules` or `tolerations`, if needed in your environment. -* Number of replicas, to scale the Fleet Server horizontally. +* Number of replicas, to scale the {{fleet-server}} horizontally. * Use an {{es}} CA fingerprint instead of a CA file. * Configure other [Environment variables](/reference/fleet/agent-environment-variables.md). -#### Installation Steps [add-fleet-server-kubernetes-install-steps] +#### Installation steps [add-fleet-server-kubernetes-install-steps] 1. Create the Secret for the {{fleet-server}} configuration. @@ -558,7 +553,6 @@ The following issues may occur when {{fleet-server}} settings are missing or con As a workaround, consider using `https://localhost:8220` as the `FLEET_URL` for the {{fleet-server}} configuration, and ensure that `localhost` is included in the certificate’s SAN. - ## Next steps [add-fleet-server-kubernetes-next] Now you’re ready to add {{agent}}s to your host systems. To learn how, refer to [Install {{fleet}}-managed {{agent}}s](/reference/fleet/install-fleet-managed-elastic-agent.md), or [Run {{agent}} on Kubernetes managed by {{fleet}}](/reference/fleet/running-on-kubernetes-managed-by-fleet.md) if your {{agent}}s will also run on Kubernetes. diff --git a/reference/fleet/add-fleet-server-mixed.md b/reference/fleet/add-fleet-server-mixed.md index c6c999a38e..d94f2e6ba9 100644 --- a/reference/fleet/add-fleet-server-mixed.md +++ b/reference/fleet/add-fleet-server-mixed.md 
@@ -6,7 +6,7 @@ products: - id: elastic-agent --- -# Deploy Fleet Server on-premises and Elasticsearch on Cloud [add-fleet-server-mixed] +# Deploy {{fleet-server}} on-premises and {{es}} on {{ecloud}} [add-fleet-server-mixed] To use {{fleet}} for central management, a [{{fleet-server}}](/reference/fleet/fleet-server.md) must be running and accessible to your hosts. @@ -44,7 +44,6 @@ To deploy a self-managed {{fleet-server}} on-premises to work with an {{ech}} de For more information about hosting {{fleet-server}} on {{ece}}, refer to [](/deploy-manage/deploy/cloud-enterprise/manage-integrations-server.md). - ## Prerequisites [add-fleet-server-mixed-prereq] Before deploying, you need to: @@ -64,17 +63,16 @@ This is not required when testing and iterating using the **Quick start** option :::: - ### Default port assignments [default-port-assignments-mixed] When {{es}} or {{fleet-server}} are deployed, components communicate over well-defined, pre-allocated ports. You may need to allow access to these ports. See the following table for default port assignments: | Component communication | Default port | | --- | --- | -| Elastic Agent → {{fleet-server}} | 8220 | -| Elastic Agent → {{es}} | 443 | -| Elastic Agent → Logstash | 5044 | -| Elastic Agent → {{kib}} ({{fleet}}) | 443 | +| {{agent}} → {{fleet-server}} | 8220 | +| {{agent}} → {{es}} | 443 | +| {{agent}} → {{ls}} | 5044 | +| {{agent}} → {{kib}} ({{fleet}}) | 443 | | {{fleet-server}} → {{kib}} ({{fleet}}) | 443 | | {{fleet-server}} → {{es}} | 443 | @@ -83,7 +81,6 @@ If you do not specify the port for {{es}} as 443, the {{agent}} defaults to 9200 :::: - ## Create a {{fleet-server}} policy [fleet-server-create-policy] First, create a {{fleet-server}} policy. The {{fleet-server}} policy manages and configures the {{agent}} running on the {{fleet-server}} host to launch a {{fleet-server}} process. 
@@ -105,7 +102,6 @@ To create a {{fleet-server}} policy: 2. It’s recommended that you also enter the *Max agents* you intend to support with this {{fleet-server}}. This can also be modified at a later stage. This will allow the {{fleet-server}} to handle the load and frequency of updates being sent to the agent and ensure a smooth operation in a bursty environment. - ## Add {{fleet-server}}s [fleet-server-add-server] Now that the policy exists, you can add {{fleet-server}}s. diff --git a/reference/fleet/add-fleet-server-on-prem.md b/reference/fleet/add-fleet-server-on-prem.md index 2db6e6674e..f614532fc4 100644 --- a/reference/fleet/add-fleet-server-on-prem.md +++ b/reference/fleet/add-fleet-server-on-prem.md @@ -1,4 +1,5 @@ --- +navigation_title: Deploy on-premises and self-managed mapped_pages: - https://www.elastic.co/guide/en/fleet/current/add-fleet-server-on-prem.html products: @@ -6,7 +7,7 @@ products: - id: elastic-agent --- -# Deploy on-premises and self-managed [add-fleet-server-on-prem] +# Deploy on-premises and self-managed {{fleet-server}} [add-fleet-server-on-prem] To use {{fleet}} for central management, a [{{fleet-server}}](/reference/fleet/fleet-server.md) must be running and accessible to your hosts. @@ -32,7 +33,6 @@ You can install only a single {{agent}} per host, which means you cannot run {{f :::: - ## Compatibility [add-fleet-server-on-prem-compatibility] {{fleet-server}} is compatible with the following Elastic products: @@ -50,7 +50,6 @@ You can install only a single {{agent}} per host, which means you cannot run {{f For more information about hosting {{fleet-server}} on {{ece}}, refer to [](/deploy-manage/deploy/cloud-enterprise/manage-integrations-server.md). - ## Prerequisites [add-fleet-server-on-prem-prereq] Before deploying, you need to: 
@@ -70,17 +69,16 @@ This is not required when testing and iterating using the **Quick start** option :::: - ### Default port assignments [default-port-assignments-on-prem] When {{es}} or {{fleet-server}} are deployed, components communicate over well-defined, pre-allocated ports. You may need to allow access to these ports. Refer to the following table for default port assignments: | Component communication | Default port | | --- | --- | -| Elastic Agent → {{fleet-server}} | 8220 | -| Elastic Agent → {{es}} | 9200 | -| Elastic Agent → Logstash | 5044 | -| Elastic Agent → {{kib}} ({{fleet}}) | 5601 | +| {{agent}} → {{fleet-server}} | 8220 | +| {{agent}} → {{es}} | 9200 | +| {{agent}} → {{ls}} | 5044 | +| {{agent}} → {{kib}} ({{fleet}}) | 5601 | | {{fleet-server}} → {{kib}} ({{fleet}}) | 5601 | | {{fleet-server}} → {{es}} | 9200 | @@ -89,7 +87,6 @@ Connectivity to {{kib}} on port 5601 is optional and not required at all times. :::: - ## Add {{fleet-server}} [add-fleet-server-on-prem-add-server] A {{fleet-server}} is an {{agent}} that is enrolled in a {{fleet-server}} policy. The policy configures the agent to operate in a special mode to serve as a {{fleet-server}} in your deployment. @@ -135,7 +132,6 @@ To add a {{fleet-server}}: :::: - At the **Install Fleet Server to a centralized host** step, the `elastic-agent install` command installs an {{agent}} as a managed service and enrolls it in a {{fleet-server}} policy. For more {{fleet-server}} commands, refer to the [{{agent}} command reference](/reference/fleet/agent-command-reference.md). 5. If installation is successful, a confirmation indicates that {{fleet-server}} is set up and connected. diff --git a/reference/fleet/fleet-agent-proxy-managed.md b/reference/fleet/fleet-agent-proxy-managed.md index 7745a9b7ed..1b98b4c9f2 100644 --- a/reference/fleet/fleet-agent-proxy-managed.md +++ b/reference/fleet/fleet-agent-proxy-managed.md 
@@ -6,7 +6,7 @@ products: - id: elastic-agent --- -# Fleet managed Elastic Agent connectivity using a proxy server [fleet-agent-proxy-managed] +# {{fleet}}-managed {{agent}} connectivity using a proxy server [fleet-agent-proxy-managed] Proxy settings in the {{agent}} policy override proxy settings specified by environment variables. This means you can specify proxy settings for {{agent}} that are different from host or system-level environment settings. @@ -20,7 +20,7 @@ This page describes where a proxy server is allowed in your deployment and how t :alt: Image showing connections between {{fleet}} managed {{agent}} ::: -In this scenario Fleet Server and Elasticsearch are deployed in {{ecloud}} and reachable on port 443. +In this scenario {{fleet-server}} and {{es}} are deployed in {{ecloud}} and reachable on port 443. ## Configuring proxy servers in {{fleet}} for managed agents [fleet-agent-proxy-server-managed-agents] 
@@ -41,30 +41,25 @@ These steps describe how to set up {{fleet}} components to use a proxy. 2. **Attach the proxy to a {{fleet-server}}.** - If the control plane traffic to/from the Fleet Server needs to also go through the proxy server, the proxy created needs to also be added to the definition of that Fleet Server. + If the control plane traffic to/from the {{fleet-server}} needs to also go through the proxy server, the proxy created needs to also be added to the definition of that {{fleet-server}}. 1. In {{fleet}}, open the **Settings** tab. - 2. In the list of **Fleet Server Hosts**, choose a host and select the edit button to configure it. + 2. In the list of **Fleet server hosts**, choose a host and select the edit button to configure it. 3. In the **Proxy** section dropdown list, select the proxy that you configured. :::{image} images/elastic-agent-proxy-edit-fleet-server.png :alt: Screen capture of the Edit Fleet Server UI ::: - In this example, All the {{agents}} in a policy that uses this {{fleet-server}} will now connect to the {{fleet-server}} through the proxy server defined in `Proxy-A`. + In this example, all the {{agents}} in a policy that uses this {{fleet-server}} will now connect to the {{fleet-server}} through the proxy server defined in `Proxy-A`. - - :::::{admonition} ::::{warning} Any invalid changes to the {{fleet-server}} definition that may cause connectivity issues between the {{agents}} and the {{fleet-server}} will cause them to disconnect. The only remedy would be to re-install the affected agents. This is because the connectivity to the {{fleet-server}} ensures policy updates reach the agents. If a policy with an invalid host address reaches the agent it will no longer be able to connect and therefore won’t receive any other updates from the {{fleet-server}} (including the corrected setting). In this regard, adding a proxy server that is not reachable by the agents will break connectivity to the {{fleet-server}}. :::: - - ::::: - 3. 
**Attach the proxy to the output** - Similarly, if the data plane traffic to an output is to traverse through a proxy, that proxy definition would need to be added to the output defined in the Fleet. + Similarly, if the data plane traffic to an output is to traverse through a proxy, that proxy definition would need to be added to the output defined in the {{fleet}}. 1. In {{fleet}}, open the **Settings** tab. 2. In the list of **Outputs**, choose an output and select the edit button to configure it. @@ -74,20 +69,15 @@ These steps describe how to set up {{fleet}} components to use a proxy. :alt: Screen capture of the Edit output UI in Fleet ::: - In this example, All the {{agents}} in a policy that is configured to write to the chosen output will now write to that output through the proxy server defined in `Proxy-A`. + In this example, all the {{agents}} in a policy that is configured to write to the chosen output will now write to that output through the proxy server defined in `Proxy-A`. - - :::::{admonition} ::::{warning} If agents are unable to reach the configured proxy server, they will not be able to write data to the output that has the proxy server configured. When changing the proxy of an output, ensure that the affected agents all have connectivity to the proxy itself. :::: - - ::::: - 4. **Attach the proxy to the agent download source** - Likewise, if the download traffic to or from the artifact registry needs to go through the proxy server, that proxy definition also needs to be added to the agent binary source defined in {{Fleet}}. + Likewise, if the download traffic to or from the artifact registry needs to go through the proxy server, that proxy definition also needs to be added to the agent binary source defined in {{fleet}}. 1. In {{fleet}}, open the **Settings** tab. 2. In the **Agent Binary Download** list, choose an agent binary source and select the edit button to configure it. 
@@ -100,14 +90,10 @@ These steps describe how to set up {{fleet}} components to use a proxy. In this example, all of the {{agents}} enrolled in a policy that is configured to download from the chosen agent download source will now download from that agent download source through the proxy server defined in `Proxy-A`. - :::::{admonition} ::::{warning} If agents are unable to reach the configured proxy server, they will not be able to download binaries from the agent download source that has the proxy server configured. When changing the proxy of an agent binary source, ensure that the affected agents all have connectivity to the proxy itself. :::: - - ::::: - 5. **Configure the {{agent}} policy** You can now configure the {{agent}} policy to use the {{fleet-server}} and the outputs that are reachable through a proxy server. @@ -120,7 +106,6 @@ These steps describe how to set up {{fleet}} components to use a proxy. Now that {{fleet}} is configured, all policy downloads will update the agent with the latest configured proxies. When the agent is first installed it needs to communicate with {{fleet}} (through {{fleet-server}}) in order to download its first policy configuration. - ### Set the proxy for retrieving agent policies from {{fleet}} [cli-proxy-settings] If there is a proxy between {{agent}} and {{fleet}}, specify proxy settings on the command line when you install {{agent}} and enroll in {{fleet}}. The settings you specify at the command line are added to the `fleet.yml` file installed on the system where the {{agent}} is running. 
@@ -129,19 +114,17 @@ If there is a proxy between {{agent}} and {{fleet}}, specify proxy settings on t If the initial agent communication with {{fleet}} (i.e control plane) needs to traverse the proxy server, then the agent needs to be configured to do so using the `–proxy-url` command line flag which is applied during the agent installation. Once connectivity to {{fleet}} is established, proxy server details can be managed through the UI. :::: - ::::{note} If {{kib}} is behind a proxy server, you’ll still need to [configure {{kib}} settings](/reference/fleet/epr-proxy-setting.md) to access the package registry. :::: - The `enroll` and `install` commands accept the following flags: | CLI flag | Description | | --- | --- | -| `--proxy-url ` | URL of the proxy server. The value may be either a complete URL or a`host[:port]`, in which case the `http` scheme is assumed. The URL accepts optionalusername and password settings for authenticating with the proxy. For example:`http://:@/`. | +| `--proxy-url ` | URL of the proxy server. The value may be either a complete URL or a`host[:port]`, in which case the `http` scheme is assumed. The URL accepts optional username and password settings for authenticating with the proxy. For example:`http://:@/`. | | `--proxy-disabled` | If specified, all proxy settings, including the `HTTP_PROXY` and `HTTPS_PROXY`environment variables, are ignored. | -| `--proxy-header
=` | Additional header to send to the proxy during CONNECT requests. Use the`--proxy-header` flag multiple times to add additional headers. You can usethis setting to pass keys/tokens required for authenticating with the proxy. | +| `--proxy-header
=` | Additional header to send to the proxy during CONNECT requests. Use the`--proxy-header` flag multiple times to add additional headers. You can use this setting to pass keys/tokens required for authenticating with the proxy. | For example: 
@@ -176,20 +159,19 @@ When {{agent}} runs, the `fleet.yml` file gets encrypted and renamed to `fleet.e :::: - ## {{agent}} connectivity using a secure proxy gateway [fleet-agent-proxy-server-secure-gateway] -Many secure proxy gateways are configured to perform mutual TLS and expect all connections to present their certificate. In these instances the Client (in this case the Elastic Agent) would need to present a certificate and key to the Server (the secure proxy). In return the client expects to see a certificate authority chain from the server to ensure it is also communicating to a trusted entity. +Many secure proxy gateways are configured to perform mutual TLS and expect all connections to present their certificate. In these instances the Client (in this case the {{agent}}) would need to present a certificate and key to the Server (the secure proxy). In return the client expects to see a certificate authority chain from the server to ensure it is also communicating to a trusted entity. :::{image} images/elastic-agent-proxy-gateway-secure.png :alt: Image showing data flow between the proxy server and the Certificate Authority ::: -If mTLs is a requirement when connecting to your proxy server, then you have the option to add the Client certificate and Client certificate key to the proxy. Once configured, all the Elastic Agents in a policy that connect to this secure proxy (via an output or fleet server), will use the nominated certificates to establish connections to the proxy server. +If mTLs is a requirement when connecting to your proxy server, then you have the option to add the Client certificate and Client certificate key to the proxy. Once configured, all the {{agents}} in a policy that connect to this secure proxy (via an output or {{fleet-server}}), will use the nominated certificates to establish connections to the proxy server. 
-It should be noted that the user can define a local path to the certificate and key as in many common scenarios the certificate and key will be unique for each Elastic Agent. +It should be noted that the user can define a local path to the certificate and key as in many common scenarios the certificate and key will be unique for each {{agent}}. -Equally important is the Certificate Authority that the agents need to use to validate the certificate they are receiving from the secure proxy server. This can also be added when creating the proxy definition in the Fleet settings. +Equally important is the Certificate Authority that the agents need to use to validate the certificate they are receiving from the secure proxy server. This can also be added when creating the proxy definition in the {{fleet}} settings. :::{image} images/elastic-agent-edit-proxy-secure-settings.png :alt: Screen capture of the Edit Proxy UI diff --git a/reference/fleet/fleet-agent-proxy-standalone.md b/reference/fleet/fleet-agent-proxy-standalone.md index b36ff28942..5cffcab39e 100644 --- a/reference/fleet/fleet-agent-proxy-standalone.md +++ b/reference/fleet/fleet-agent-proxy-standalone.md @@ -6,7 +6,7 @@ products: - id: elastic-agent --- -# Standalone Elastic Agent connectivity using a proxy server [fleet-agent-proxy-standalone] +# Standalone {{agent}} connectivity using a proxy server [fleet-agent-proxy-standalone] Proxy settings in the {{agent}} policy override proxy settings specified by environment variables. This means you can specify proxy settings for {{agent}} that are different from host or system-level environment settings. 
@@ -14,8 +14,8 @@ The following proxy settings are valid in the agent policy: | Setting | Description | | --- | --- | -| `proxy_url` | (string) URL of the proxy server. If set, the configured URL is used as aproxy for all connection attempts by the component. The value may be either acomplete URL or a `host[:port]`, in which case the `http` scheme is assumed. Ifa value is not specified through the configuration, then proxy environmentvariables are used. The URL accepts optional `username` and `password` settingsfor authenticating with the proxy. For example:`http://:@/`. | -| `proxy_headers` | (string) Additional headers to send to the proxy during CONNECT requests. Youcan use this setting to pass keys/tokens required for authenticating with theproxy. | +| `proxy_url` | (string) URL of the proxy server. If set, the configured URL is used as a proxy for all connection attempts by the component. The value may be either a complete URL or a `host[:port]`, in which case the `http` scheme is assumed. Ifa value is not specified through the configuration, then proxy environment variables are used. The URL accepts optional `username` and `password` settings for authenticating with the proxy. For example: `http://:@/`. | +| `proxy_headers` | (string) Additional headers to send to the proxy during CONNECT requests. You can use this setting to pass keys/tokens required for authenticating with the proxy. | | `proxy_disable` | (boolean) If set to `true`, all proxy settings, including the `HTTP_PROXY` and`HTTPS_PROXY` environment variables, are ignored. | @@ -33,5 +33,4 @@ outputs: type: elasticsearch ``` -For more information, refer to [*Configure standalone {{agent}}s*](/reference/fleet/configure-standalone-elastic-agents.md). - +For more information, refer to [Configure standalone {{agents}}s](/reference/fleet/configure-standalone-elastic-agents.md). 
diff --git a/reference/fleet/fleet-agent-proxy-support.md b/reference/fleet/fleet-agent-proxy-support.md index 4ddd51fdce..401633e52e 100644 --- a/reference/fleet/fleet-agent-proxy-support.md +++ b/reference/fleet/fleet-agent-proxy-support.md @@ -6,7 +6,7 @@ products: - id: elastic-agent --- -# Using a proxy server with Elastic Agent and Fleet [fleet-agent-proxy-support] +# Using a proxy server with {{agent}} and {{fleet}} [fleet-agent-proxy-support] Many enterprises secure their assets by placing a proxy server between them and the internet. The main role of the proxy server is to filter content and provide a single gateway through which all traffic traverses in and out of a data center. These proxy servers provide a various degree of functionality, security, and privacy. @@ -18,15 +18,8 @@ Support is available in {{agent}} and {{fleet}} for connections through HTTP Con Some environments require users to authenticate with the proxy. There are no explicit settings for proxy authentication in {{agent}} or {{fleet}}, except the ability to pass credentials in the URL or as keys/tokens in headers, as described later. :::: - Refer to [When to configure proxy settings](/reference/fleet/elastic-agent-proxy-config.md) for more detail, or jump into one of the following guides: -* [Proxy Server connectivity using default host variables](/reference/fleet/host-proxy-env-vars.md) -* [Fleet managed {{agent}} connectivity using a proxy server](/reference/fleet/fleet-agent-proxy-managed.md) +* [Proxy server connectivity using default host variables](/reference/fleet/host-proxy-env-vars.md) +* [{{fleet}}-managed {{agent}} connectivity using a proxy server](/reference/fleet/fleet-agent-proxy-managed.md) * [Standalone {{agent}} connectivity using a proxy server](/reference/fleet/fleet-agent-proxy-standalone.md) - - - - - - diff --git a/reference/fleet/fleet-agent-serverless-restrictions.md b/reference/fleet/fleet-agent-serverless-restrictions.md index 13a47e3e2d..d6008e9a07 100644 
--- a/reference/fleet/fleet-agent-serverless-restrictions.md +++ b/reference/fleet/fleet-agent-serverless-restrictions.md @@ -15,7 +15,7 @@ products: If you are using {{agent}} with [{{serverless-full}}](/deploy-manage/deploy/elastic-cloud/serverless.md), note these differences from use with {{ech}} and self-managed {{es}}: -* A maximum of 10,000 {{fleet}}-managed {{agents}} can be connected to an {{serverless-full}} project. This limit does not apply to stand-alone agents. +* A maximum of 10,000 {{fleet}}-managed {{agents}} can be connected to an {{serverless-full}} project. This limit does not apply to stand-alone agents. * The minimum supported version of {{agent}} supported for use with {{serverless-full}} is 8.11.0. ### Outputs @@ -40,7 +40,7 @@ The path to get to the {{fleet}} application in {{kib}} differs across projects: ## {{fleet-server}} [fleet-server-serverless-restrictions] -Note the following restrictions with using {{fleet-server}} on {{serverless-short}}: +Note the following restrictions with using [{{fleet-server}}](/reference/fleet/fleet-server.md) on {{serverless-short}}: * On-premises {{fleet-server}} is not currently available for use in a {{serverless-short}} environment. We recommend using the hosted {{fleet-server}} that is included and configured automatically in {{serverless-short}} {{observability}} and Security projects. -* On {{serverless-short}}, you can configure {{fleet-server}} to use a proxy, with the restriction that the {{fleet-server}} host URL is fixed. Any new {{fleet-server}} hosts must use the default {{fleet-server}} host URL. +* On {{serverless-short}}, you can configure {{fleet-server}} to use a proxy, with the restriction that the {{fleet-server}} host URL is fixed. Any new {{fleet-server}} hosts must use the default {{fleet-server}} host URL. Refer to [Using a proxy server with {{agent}} and {{fleet}}](/reference/fleet/fleet-agent-proxy-support.md) for more information. 
diff --git a/reference/fleet/fleet-server-monitoring.md b/reference/fleet/fleet-server-monitoring.md index b5d0148328..e0f0e159dc 100644 --- a/reference/fleet/fleet-server-monitoring.md +++ b/reference/fleet/fleet-server-monitoring.md @@ -6,7 +6,7 @@ products: - id: elastic-agent --- -# Monitor a self-managed Fleet Server [fleet-server-monitoring] +# Monitor a self-managed {{fleet-server}} [fleet-server-monitoring] For self-managed {{fleet-server}}s, monitoring is key because the operation of the {{fleet-server}} is paramount to the health of the deployed agents and the services they offer. When {{fleet-server}} is not operating correctly, it may lead to delayed check-ins, status information, and updates for the agents it manages. The monitoring data will tell you when to add capacity for {{fleet-server}}, and provide error logs and information to troubleshoot other issues. diff --git a/reference/fleet/fleet-server-scalability.md b/reference/fleet/fleet-server-scalability.md index 8ec20fd47a..db3f144724 100644 --- a/reference/fleet/fleet-server-scalability.md +++ b/reference/fleet/fleet-server-scalability.md @@ -6,7 +6,7 @@ products: - id: elastic-agent --- -# Fleet Server scalability [fleet-server-scalability] +# {{fleet-server}} scalability [fleet-server-scalability] This page summarizes the resource and {{fleet-server}} configuration requirements needed to scale your deployment of {{agent}}s. To scale {{fleet-server}}, you need to modify settings in your deployment and the {{fleet-server}} agent policy. @@ -14,7 +14,6 @@ This page summarizes the resource and {{fleet-server}} configuration requirement Refer to the [Scaling recommendations](#agent-policy-scaling-recommendations) section for specific recommendations about using {{fleet-server}} at scale. :::: - First modify your {{fleet}} deployment settings in {{ecloud}}: 1. Log in to {{ecloud}} and find your deployment. 
@@ -31,7 +30,6 @@ First modify your {{fleet}} deployment settings in {{ecloud}}: :screenshot: ::: - Next modify the {{fleet-server}} configuration by editing the agent policy: 1. In {{fleet}}, open the **Agent policies** tab. Click the name of the **{{ecloud}} agent policy** to edit the policy. @@ -50,7 +48,6 @@ Next modify the {{fleet-server}} configuration by editing the agent policy: ::: - ## Advanced {{fleet-server}} options [fleet-server-configuration] The following advanced settings are available to fine tune your {{fleet-server}} deployment. @@ -62,7 +59,6 @@ The following advanced settings are available to fine tune your {{fleet-server}} `max_cost` : Total size of the cache. - `server.timeouts` : `checkin_timestamp` : How often {{fleet-server}} updates the "last activity" field for each agent. Defaults to `30s`. In a large-scale deployment, increasing this setting may improve performance. If this setting is higher than `2m`, most agents will be shown as "offline" in the Fleet UI. For a typical setup, it’s recommended that you set this value to less than `2m`. @@ -70,13 +66,10 @@ The following advanced settings are available to fine tune your {{fleet-server}} `checkin_long_poll` : How long {{fleet-server}} allows a long poll request from an agent before timing out. Defaults to `5m`. In a large-scale deployment, increasing this setting may improve performance. - `server.limits` : `policy_throttle` : How often a new policy is rolled out to the agents. - - -Deprecated: Use the `action_limit` settings instead. +: Deprecated: Use the `action_limit` settings instead. `action_limit.interval` : How quickly {{fleet-server}} dispatches pending actions to the agents. 
@@ -133,10 +126,10 @@ Deprecated: Use the `action_limit` settings instead. : Maximum size in bytes of the enroll API request body. `status_limit.max` -: Maximum number of agents that can call the status API concurrently. This setting allows the user to avoid overloading the Fleet Server from status API calls. +: Maximum number of agents that can call the status API concurrently. This setting allows the user to avoid overloading the {{fleet-server}} from status API calls. `status_limit.interval` -: How frequently agents can submit status requests to the Fleet Server. +: How frequently agents can submit status requests to the {{fleet-server}}. `status_limit.burst` : Burst of status requests to accommodate before falling back to the rate defined by interval. @@ -145,10 +138,10 @@ Deprecated: Use the `action_limit` settings instead. : Maximum size in bytes of the status API request body. `upload_start_limit.max` -: Maximum number of agents that can call the uploadStart API concurrently. This setting allows the user to avoid overloading the Fleet Server from uploadStart API calls. +: Maximum number of agents that can call the uploadStart API concurrently. This setting allows the user to avoid overloading the {{fleet-server}} from uploadStart API calls. `upload_start_limit.interval` -: How frequently agents can submit file start upload requests to the Fleet Server. +: How frequently agents can submit file start upload requests to the {{fleet-server}}. `upload_start_limit.burst` : Burst of file start upload requests to accommodate before falling back to the rate defined by interval. 
@@ -157,10 +150,10 @@ Deprecated: Use the `action_limit` settings instead. : Maximum size in bytes of the uploadStart API request body. `upload_end_limit.max` -: Maximum number of agents that can call the uploadEnd API concurrently. This setting allows the user to avoid overloading the Fleet Server from uploadEnd API calls. +: Maximum number of agents that can call the uploadEnd API concurrently. This setting allows the user to avoid overloading the {{fleet-server}} from uploadEnd API calls. `upload_end_limit.interval` -: How frequently agents can submit file end upload requests to the Fleet Server. +: How frequently agents can submit file end upload requests to the {{fleet-server}}. `upload_end_limit.burst` : Burst of file end upload requests to accommodate before falling back to the rate defined by interval. @@ -169,10 +162,10 @@ Deprecated: Use the `action_limit` settings instead. : Maximum size in bytes of the uploadEnd API request body. `upload_chunk_limit.max` -: Maximum number of agents that can call the uploadChunk API concurrently. This setting allows the user to avoid overloading the Fleet Server from uploadChunk API calls. +: Maximum number of agents that can call the uploadChunk API concurrently. This setting allows the user to avoid overloading the {{fleet-server}} from uploadChunk API calls. `upload_chunk_limit.interval` -: How frequently agents can submit file chunk upload requests to the Fleet Server. +: How frequently agents can submit file chunk upload requests to the {{fleet-server}}. `upload_chunk_limit.burst` : Burst of file chunk upload requests to accommodate before falling back to the rate defined by interval. 
@@ -183,14 +176,12 @@ Deprecated: Use the `action_limit` settings instead. ## Scaling recommendations ({{ecloud}}) [scaling-recommendations] -The following tables provide the minimum resource requirements and scaling guidelines based on the number of agents required by your deployment. It should be noted that these compute resource can be spread across multiple availability zones (for example: a 32GB RAM requirement can be satisfied with 16GB of RAM in 2 different zones). - -* [Resource requirements by number of agents](#resource-requirements-by-number-agents) +The following tables provide the minimum resource requirements and scaling guidelines based on the number of agents required by your deployment. It should be noted that these compute resource can be spread across multiple availability zones (for example, a 32GB RAM requirement can be satisfied with 16GB of RAM in 2 different zones). ### Resource requirements by number of agents [resource-requirements-by-number-agents] -| Number of Agents | {{fleet-server}} Memory | {{fleet-server}} vCPU | {{es}} Hot Tier | +| Number of agents | {{fleet-server}} memory | {{fleet-server}} vCPU | {{es}} hot tier | | --- | --- | --- | --- | | 2,000 | 2GB | up to 8 vCPU | 32GB RAM | 8 vCPU | | 5,000 | 4GB | up to 8 vCPU | 32GB RAM | 8 vCPU | diff --git a/reference/fleet/fleet-server-secrets.md b/reference/fleet/fleet-server-secrets.md index 489eaa052b..0422b690db 100644 --- a/reference/fleet/fleet-server-secrets.md +++ b/reference/fleet/fleet-server-secrets.md @@ -6,7 +6,7 @@ products: - id: elastic-agent --- -# Fleet Server Secrets [fleet-server-secrets] +# {{fleet-server}} secrets [fleet-server-secrets] {{fleet-server}} configuration can contain secret values. You may specify these values directly in the configuration or through secret files. You can use command line arguments to pass the values or file paths when you are running under {{agent}}, or you can use environment variables if {{agent}} is running in a container. 
@@ -17,7 +17,6 @@ Stand-alone {{fleet-server}} is under active development. :::: - ## Secret values [_secret_values] The following secret values may be used when configuring {{fleet-server}}. @@ -129,6 +128,3 @@ APM secret token ``` You may also specify the token by value using the environment variable `ELASTIC_APM_SECRET_TOKEN`. - - - diff --git a/reference/fleet/fleet-server.md b/reference/fleet/fleet-server.md index 49e94ea0eb..b1c1b7f7aa 100644 --- a/reference/fleet/fleet-server.md +++ b/reference/fleet/fleet-server.md @@ -6,11 +6,13 @@ products: - id: elastic-agent --- -# What is Fleet Server? [fleet-server] +# What is {{fleet-server}}? [fleet-server] {{fleet-server}} is a component that connects {{agent}}s to {{fleet}}. It supports many {{agent}} connections and serves as a control plane for updating agent policies, collecting status information, and coordinating actions across {{agent}}s. It also provides a scalable architecture. As the size of your agent deployment grows, you can deploy additional {{fleet-server}}s to manage the increased workload. -* On-premises {{fleet-server}} is not currently available for use in an [{{serverless-full}}](/deploy-manage/deploy/elastic-cloud/serverless.md) environment. We recommend using the hosted {{fleet-server}} that is included and configured automatically in {{serverless-short}} {{observability}} and Security projects. +:::{note} +On-premises {{fleet-server}} is not currently available for use in an [{{serverless-full}}](/deploy-manage/deploy/elastic-cloud/serverless.md) environment. We recommend using the hosted {{fleet-server}} that is included and configured automatically in {{serverless-short}} {{observability}} and Security projects. +::: The following diagram shows how {{agent}}s communicate with {{fleet-server}} to retrieve agent policies: 
@@ -18,7 +20,6 @@ The following diagram shows how {{agent}}s communicate with {{fleet-server}} to :alt: {{fleet-server}} Cloud deployment model ::: - 1. When a new agent policy is created, the {{fleet}} UI saves the policy to a {{fleet}} index in {{es}}. 2. To enroll in the policy, {{agent}}s send a request to {{fleet-server}}, using the enrollment key generated for authentication. 3. {{fleet-server}} monitors {{fleet}} indices, picks up the new agent policy from {{es}}, then ships the policy to all {{agent}}s enrolled in that policy. {{fleet-server}} may also write updated policies to the {{fleet}} index to manage coordination between agents. 
@@ -27,40 +28,39 @@ The following diagram shows how {{agent}}s communicate with {{fleet-server}} to 6. When a policy is updated, {{fleet-server}} retrieves the updated policy from {{es}} and sends it to the connected {{agent}}s. 7. To communicate with {{fleet}} about the status of {{agent}}s and the policy rollout, {{fleet-server}} writes updates to {{fleet}} indices. -::::{admonition} -**Does {{fleet-server}} run inside of {{agent}}?** +::::{admonition} Does {{fleet-server}} run inside of {{agent}}? -{{fleet-server}} is a subprocess that runs inside a deployed {{agent}}. This means the deployment steps are similar to any {{agent}}, except that you enroll the agent in a special {{fleet-Server}} policy. Typically—especially in large-scale deployments—this agent is dedicated to running {{fleet-server}} as an {{agent}} communication host and is not configured for data collection. +{{fleet-server}} is a subprocess that runs inside a deployed {{agent}}. This means the deployment steps are similar to any {{agent}}, except that you enroll the agent in a special {{fleet-server}} policy. Typically—especially in large-scale deployments—this agent is dedicated to running {{fleet-server}} as an {{agent}} communication host and is not configured for data collection. :::: - ## Service account [fleet-security-account] {{fleet-server}} uses a service token to communicate with {{es}}, which contains a `fleet-server` service account. Each {{fleet-server}} can use its own service token, and you can share it across multiple servers (not recommended). The advantage of using a separate token for each server is that you can invalidate each one separately. -You can create a service token by either using the {{fleet}} UI or the {{es}} API. 
For more information, refer to [Deploy {{fleet-server}} on-premises and {{es}} on Cloud](/reference/fleet/add-fleet-server-mixed.md) or [Deploy on-premises and self-managed](/reference/fleet/add-fleet-server-on-prem.md), depending on your deployment model. +You can create a service token by either using the {{fleet}} UI or the {{es}} API. For more information, refer to [Deploy {{fleet-server}} on-premises and {{es}} on {{ecloud}}](/reference/fleet/add-fleet-server-mixed.md) or [Deploy on-premises and self-managed {{fleet-server}}](/reference/fleet/add-fleet-server-on-prem.md), depending on your deployment model. -## {{fleet-server}} High-availability operations [fleet-server-HA-operations] +## {{fleet-server}} high availability [fleet-server-HA-operations] {{fleet-server}} is stateless. Connections to the {{fleet-server}} therefore can be load balanced as long as the {{fleet-server}} has capacity to accept more connections. Load balancing is done on a round-robin basis. -How you handle high-availability, fault-tolerance, and lifecycle management of {{fleet-server}} depends on the deployment model you use. +How you handle high availability, fault tolerance, and the lifecycle management of {{fleet-server}} depends on the deployment model you use. 
## Learn more [_learn_more] To learn more about deploying and scaling {{fleet-server}}, refer to: -* [Deploy on {{ecloud}}](/reference/fleet/add-fleet-server-cloud.md) -* [Deploy {{fleet-server}} on-premises and {{es}} on Cloud](/reference/fleet/add-fleet-server-mixed.md) -* [Deploy on-premises and self-managed](/reference/fleet/add-fleet-server-on-prem.md) +* [Deploy {{fleet-server}} on {{ecloud}}](/reference/fleet/add-fleet-server-cloud.md) +* [Deploy {{fleet-server}} on-premises and {{es}} on {{ecloud}}](/reference/fleet/add-fleet-server-mixed.md) +* [Deploy on-premises and self-managed {{fleet-server}}](/reference/fleet/add-fleet-server-on-prem.md) * [{{fleet-server}} scalability](/reference/fleet/fleet-server-scalability.md) * [Monitor a self-managed {{fleet-server}}](/reference/fleet/fleet-server-monitoring.md) +* [Using a proxy server with {{agent}} and {{fleet}}](/reference/fleet/fleet-agent-proxy-support.md) ## {{fleet-server}} secrets configuration [fleet-server-secrets-config] -Secrets used to configure {{fleet-server}} can either be directly specified in configuration or provided through secret files. See [{{fleet-server}} Secrets](/reference/fleet/fleet-server-secrets.md) for more information. +Secrets used to configure {{fleet-server}} can either be directly specified in configuration or provided through secret files. Refer to [{{fleet-server}} secrets](/reference/fleet/fleet-server-secrets.md) for more information. diff --git a/reference/fleet/host-proxy-env-vars.md b/reference/fleet/host-proxy-env-vars.md index 3497381e68..eb12c36b50 100644 --- a/reference/fleet/host-proxy-env-vars.md +++ b/reference/fleet/host-proxy-env-vars.md 
@@ -6,7 +6,7 @@ products: - id: elastic-agent --- -# Proxy Server connectivity using default host variables [host-proxy-env-vars] +# Proxy server connectivity using default host variables [host-proxy-env-vars] Set environment variables on the host to configure default proxy settings. The {{agent}} uses host environment settings by default if no proxy settings are specified elsewhere. You can override host proxy settings later when you configure the {{agent}} and {{fleet}} settings. The following environment variables are available on the host: @@ -65,11 +65,8 @@ The location where you set these environment variables is platform-specific and HTTP_PROXY=http://my.proxy:8080 ``` - After adding environment variables, restart the service. ::::{note} If you use a proxy server to download new agent versions from `artifacts.elastic.co` for upgrading, configure [Agent binary download settings](/reference/fleet/fleet-settings.md#fleet-agent-binary-download-settings). :::: - - diff --git a/reference/fleet/migrate-elastic-agent.md b/reference/fleet/migrate-elastic-agent.md index 72dba2c27a..0675b3b15d 100644 --- a/reference/fleet/migrate-elastic-agent.md +++ b/reference/fleet/migrate-elastic-agent.md @@ -64,7 +64,7 @@ when the target cluster is available you’ll need to adjust a few settings. Tak 3. Open the {{fleet}} **Settings** tab. 4. Examine the configurations captured there for {{fleet}}. These settings are copied from the snapshot of the source cluster and may not have a meaning in the target cluster, so they need to be modified accordingly. - In the following example, both the **Fleet Server hosts** and the **Outputs** settings are copied over from the source cluster: + In the following example, both the **Fleet server hosts** and the **Outputs** settings are copied over from the source cluster: :::{image} images/migrate-agent-host-output-settings.png :alt: Settings tab in Fleet showing source deployment host and output settings 
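Review bot: In reference/fleet/fleet-agent-proxy-standalone.md, hunk @@ -14,8 +14,8 @@, the rewritten `proxy_url` row still reads "Ifa value is not specified", and the unchanged `proxy_disable` row below it still has "and`HTTPS_PROXY`" with no space before the second variable. This hunk exists to restore the missing spaces in this table, so fix both in the same change: "If a value is not specified" and "`HTTP_PROXY` and `HTTPS_PROXY`". PATCH 2/2 touches the `proxy_url` row again and carries "Ifa" forward.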
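Review bot: In reference/fleet/fleet-agent-proxy-standalone.md, hunk @@ -33,5 +33,4 @@, the new link text "Configure standalone {{agents}}s" appends "s" to the `{{agents}}` substitution, which the rest of this patch uses on its own as the plural (for example "{{fleet}}-managed {{agents}}"), so the link will likely render with a doubled plural. Use either "{{agent}}s", as the removed line did, or "{{agents}}" without the suffix.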
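Review bot: In reference/fleet/fleet-server-scalability.md, hunk @@ -183,14 +176,12 @@, the re-cased table header has four columns ("Number of agents", "{{fleet-server}} memory", "{{fleet-server}} vCPU", "{{es}} hot tier") while the data rows kept as context have five cells ("| 2,000 | 2GB | up to 8 vCPU | 32GB RAM | 8 vCPU |"). Since the header row is being edited anyway, split the last column into separate {{es}} hot tier RAM and vCPU headings, or merge the last two cells of each row, so that the final "8 vCPU" value has a heading. The rewritten sentence above the table also keeps "these compute resource can be spread"; "resources" is meant.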
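Review bot: In reference/fleet/fleet-server.md, hunk @@ -27,40 +28,39 @@, the "Service account" paragraph kept as context says the service token is used to communicate with {{es}}, "which contains a `fleet-server` service account", and the clause can be read as the token containing the account. While the next line of that section is being edited, reword it so that {{es}} is clearly where the account lives. The same paragraph mentions sharing one token across servers only in a parenthetical "(not recommended)"; stating the per-server token first, with individual invalidation as the reason, would make the recommended setup the default reading.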
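Review bot: In reference/fleet/migrate-elastic-agent.md, hunk @@ -64,7 +64,7 @@, the bold text "**Fleet server hosts**" names a setting on the {{fleet}} **Settings** tab, so its casing should match the label in the UI rather than the sentence-case rule applied to headings elsewhere in this patch. Check the label against the screenshot referenced just below (images/migrate-agent-host-output-settings.png) and, if the UI shows "Fleet Server hosts", drop this hunk. The lowercase "server" also departs from the product name that the rest of the patch standardizes through `{{fleet-server}}`.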
From 35edf5692407c67594a46e6294bd981c62382e7b Mon Sep 17 00:00:00 2001 From: Visha Angelova Date: Tue, 9 Dec 2025 11:30:30 +0100 Subject: [PATCH 2/2] Address Vale suggestions --- reference/fleet/fleet-agent-proxy-managed.md | 10 +++++----- reference/fleet/fleet-agent-proxy-standalone.md | 2 +- reference/fleet/fleet-server.md | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/reference/fleet/fleet-agent-proxy-managed.md b/reference/fleet/fleet-agent-proxy-managed.md index 1b98b4c9f2..b4b3ed9092 100644 --- a/reference/fleet/fleet-agent-proxy-managed.md +++ b/reference/fleet/fleet-agent-proxy-managed.md @@ -59,7 +59,7 @@ These steps describe how to set up {{fleet}} components to use a proxy. 3. **Attach the proxy to the output** - Similarly, if the data plane traffic to an output is to traverse through a proxy, that proxy definition would need to be added to the output defined in the {{fleet}}. + Similarly, if the data plane traffic to an output is to traverse through a proxy, that proxy definition would need to be added to the output defined in {{fleet}}. 1. In {{fleet}}, open the **Settings** tab. 2. In the list of **Outputs**, choose an output and select the edit button to configure it. 
@@ -122,7 +122,7 @@ The `enroll` and `install` commands accept the following flags: | CLI flag | Description | | --- | --- | -| `--proxy-url ` | URL of the proxy server. The value may be either a complete URL or a`host[:port]`, in which case the `http` scheme is assumed. The URL accepts optional username and password settings for authenticating with the proxy. For example:`http://:@/`. | +| `--proxy-url ` | URL of the proxy server. The value can be either a complete URL or a`host[:port]`, in which case the `http` scheme is assumed. The URL accepts optional username and password settings for authenticating with the proxy. For example:`http://:@/`. | | `--proxy-disabled` | If specified, all proxy settings, including the `HTTP_PROXY` and `HTTPS_PROXY`environment variables, are ignored. | | `--proxy-header
=` | Additional header to send to the proxy during CONNECT requests. Use the`--proxy-header` flag multiple times to add additional headers. You can use this setting to pass keys/tokens required for authenticating with the proxy. | 
@@ -161,15 +161,15 @@ When {{agent}} runs, the `fleet.yml` file gets encrypted and renamed to `fleet.e ## {{agent}} connectivity using a secure proxy gateway [fleet-agent-proxy-server-secure-gateway] -Many secure proxy gateways are configured to perform mutual TLS and expect all connections to present their certificate. In these instances the Client (in this case the {{agent}}) would need to present a certificate and key to the Server (the secure proxy). In return the client expects to see a certificate authority chain from the server to ensure it is also communicating to a trusted entity. +Many secure proxy gateways are configured to perform mutual TLS and expect all connections to present their certificate. In these instances, the Client (in this case, the {{agent}}) would need to present a certificate and key to the Server (the secure proxy). In return, the client expects to receive a certificate authority chain from the server to ensure it is also communicating to a trusted entity. :::{image} images/elastic-agent-proxy-gateway-secure.png :alt: Image showing data flow between the proxy server and the Certificate Authority ::: -If mTLs is a requirement when connecting to your proxy server, then you have the option to add the Client certificate and Client certificate key to the proxy. Once configured, all the {{agents}} in a policy that connect to this secure proxy (via an output or {{fleet-server}}), will use the nominated certificates to establish connections to the proxy server. +If mTLs is a requirement when connecting to your proxy server, then you have the option to add the Client certificate and Client certificate key to the proxy. Once configured, all the {{agents}} in a policy that connect to this secure proxy (via an output or {{fleet-server}}) use the nominated certificates to establish connections to the proxy server. 
-It should be noted that the user can define a local path to the certificate and key as in many common scenarios the certificate and key will be unique for each {{agent}}. +You can define a local path to the certificate and key as, in many common scenarios, the certificate and key are unique for each {{agent}}. Equally important is the Certificate Authority that the agents need to use to validate the certificate they are receiving from the secure proxy server. This can also be added when creating the proxy definition in the {{fleet}} settings. diff --git a/reference/fleet/fleet-agent-proxy-standalone.md b/reference/fleet/fleet-agent-proxy-standalone.md index 5cffcab39e..b33826b9aa 100644 --- a/reference/fleet/fleet-agent-proxy-standalone.md +++ b/reference/fleet/fleet-agent-proxy-standalone.md 
@@ -14,7 +14,7 @@ The following proxy settings are valid in the agent policy: | Setting | Description | | --- | --- | -| `proxy_url` | (string) URL of the proxy server. If set, the configured URL is used as a proxy for all connection attempts by the component. The value may be either a complete URL or a `host[:port]`, in which case the `http` scheme is assumed. Ifa value is not specified through the configuration, then proxy environment variables are used. The URL accepts optional `username` and `password` settings for authenticating with the proxy. For example: `http://:@/`. | +| `proxy_url` | (string) URL of the proxy server. If set, the configured URL is used as a proxy for all connection attempts by the component. The value can be either a complete URL or a `host[:port]`, in which case the `http` scheme is assumed. Ifa value is not specified through the configuration, then proxy environment variables are used. The URL accepts optional `username` and `password` settings for authenticating with the proxy. For example: `http://:@/`. | | `proxy_headers` | (string) Additional headers to send to the proxy during CONNECT requests. You can use this setting to pass keys/tokens required for authenticating with the proxy. | | `proxy_disable` | (boolean) If set to `true`, all proxy settings, including the `HTTP_PROXY` and`HTTPS_PROXY` environment variables, are ignored. | diff --git a/reference/fleet/fleet-server.md b/reference/fleet/fleet-server.md index b1c1b7f7aa..cf1b8cf8fe 100644 --- a/reference/fleet/fleet-server.md +++ b/reference/fleet/fleet-server.md 
@@ -6,7 +6,7 @@ products: - id: elastic-agent --- -# What is {{fleet-server}}? [fleet-server] +# {{fleet-server}} [fleet-server] {{fleet-server}} is a component that connects {{agent}}s to {{fleet}}. It supports many {{agent}} connections and serves as a control plane for updating agent policies, collecting status information, and coordinating actions across {{agent}}s. It also provides a scalable architecture. As the size of your agent deployment grows, you can deploy additional {{fleet-server}}s to manage the increased workload.
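Review bot: In reference/fleet/fleet-agent-proxy-managed.md, hunk @@ -122,7 +122,7 @@, the edited `--proxy-url` row changes "may" to "can" but keeps the missing spaces in "a`host[:port]`" and "For example:`http", and the two context rows have the same defect ("`HTTPS_PROXY`environment", "Use the`--proxy-header`"). PATCH 1/2 repaired this kind of spacing in the standalone settings table, so apply the same fix to all three rows of this CLI flag table in this commit.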
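Review bot: In reference/fleet/fleet-agent-proxy-managed.md, hunk @@ -161,15 +161,15 @@, the rewritten paragraph still spells the acronym "mTLs"; it should be "mTLS", matching "mutual TLS" two lines above. The same added lines mix "the Client" and "the Server" with lowercase "the client" in the following sentence, and "communicating to a trusted entity" reads better as "communicating with a trusted entity". Settle on lowercase "client" and "server" throughout the section, including "Client certificate" and "Client certificate key" unless those are the exact field labels in the {{fleet}} proxy settings.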