
Apply mTLS config from policy #4770

Merged 20 commits, Jun 12, 2024
Conversation

pchila (Member) commented May 16, 2024

What does this PR do?

This PR implements reading and applying TLS configuration for Fleet client using CA, certificate and key included in Fleet policy.

This PR:

Note to reviewers: the refactor of the ProxyURL integration tests has been moved to PR #4813, so for an initial review you can have a look at this set of commits or wait till PR #4813 is merged and this PR is rebased onto the new main.
PR #4813 has been merged and this change has been rebased on top of the new main.

Why is it important?

Configuring TLS via the policy allows the agent to connect to Fleet (possibly via a proxy) using custom CAs or enabling mTLS (certificate verification of both the client and the server).

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

Disruptive User Impact

How to test this PR locally

In order to test this PR we need:

  • A Fleet Server or proxy with TLS (or mTLS) configured using custom CAs and certificates signed by such CAs (left as an exercise to the reader).
  • Make sure that the agent can connect to Fleet for enrolling without custom CAs or certificates.
  • Enroll the agent with a simple policy.
  • Add custom CAs and/or key + certificate for the agent to use, along with a new URL (maybe a proxy) pointing to where TLS has been configured.
  • Verify that the agent can connect correctly using the CAs (and certificate/key in the case of mTLS).

Related issues

Questions to ask yourself

  • How are we going to support this in production?
  • How are we going to measure its adoption?
  • How are we going to debug this?
  • What are the metrics I should take care of?
  • ...

@pchila pchila added bug Something isn't working Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team Team:Elastic-Agent Label for the Agent team labels May 16, 2024
@pchila pchila self-assigned this May 16, 2024

mergify bot commented May 16, 2024

This pull request does not have a backport label. Could you fix it @pchila? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.


mergify bot commented May 20, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b apply-mTLS-config-from-policy upstream/apply-mTLS-config-from-policy
git merge upstream/main
git push upstream apply-mTLS-config-from-policy

@pchila pchila force-pushed the apply-mTLS-config-from-policy branch 3 times, most recently from d51dcc1 to a457ba3 Compare May 23, 2024 14:37
@pchila pchila marked this pull request as ready for review May 23, 2024 14:38
@pchila pchila requested a review from a team as a code owner May 23, 2024 14:38
elasticmachine (Collaborator)

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@pchila pchila requested review from cmacknz and blakerouse May 23, 2024 14:38
@pchila pchila mentioned this pull request May 24, 2024
@pchila pchila force-pushed the apply-mTLS-config-from-policy branch from 5b7af1a to bd9fe64 Compare May 24, 2024 11:28
@pchila pchila force-pushed the apply-mTLS-config-from-policy branch 2 times, most recently from f43e4f3 to 93760d4 Compare June 3, 2024 07:30
@pchila pchila requested a review from AndersonQ June 4, 2024 13:15
@pchila pchila added enhancement New feature or request and removed bug Something isn't working labels Jun 4, 2024
blakerouse (Contributor) left a comment

This looks really good. Has good testing and code coverage.

Just a few comments, that should be cleaned up.

testing/proxytest/proxytest.go (resolved)
testing/fleetservertest/checkin.go (outdated, resolved)
testing/fleetservertest/checkin.go (outdated, resolved)
testing/integration/proxy_url_test.go (resolved)
Comment on lines 521 to 522
// generate a certificate for elastic-agent from the same CA as the proxy
_, agentPair, err := certutil.GenerateChildCert("localhost", []net.IP{net.IPv6loopback, net.IPv6zero, net.ParseIP("127.0.0.1")}, caKey, caCert)
Member

[Suggestion]
I like to have different CAs for the client and server/proxy just for the sake of testing it as thoroughly as possible.

pchila (Member Author)

Done in 78edd2e

AndersonQ (Member) commented Jun 6, 2024

[Blocker]
It's missing the tests to ensure the precedence is correct:

  • enroll args with mTLS > policy with no TLS
  • policy mTLS > enroll args with mTLS

Also, tests to ensure a broken config isn't applied:

  • wrong CA
  • wrong certificate / key

Right now, there is only:

  • policy mTLS > no mTLS enroll args
    which is a sub-case of "policy mTLS > enroll args with mTLS"

Member

Another thing, ideally there should also be a test to validate that the certificate, its key and the CA can be a path.

@pchila pchila merged commit d2d88ca into elastic:main Jun 12, 2024
14 checks passed
Labels: backport-skip, enhancement, Team:Elastic-Agent, Team:Elastic-Agent-Control-Plane
7 participants