-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow Fleet Server to serve the PGP key when stored on disk #2887
Comments
One key check is that Fleet Server should only serve this file if it's only writable by the We need to agree on a URL path now so that the Agent side can be implemented. For maximum flexibility in the future, I'd suggest we include the Agent version in the path so that if there is a key rotation that only applies to upgrades of a specific version, we can later support this on the server side. My suggested route is: The file on disk should probably be something like |
👍 great idea let's do this. |
Fleet ServerFleet Server needs to be updated first. We first upgrade Fleet Server on a version [8.9, 8.Y) to [8.Y,+Inf)
Elastic Agents connected to the Fleet Server
Is this step-by-step review of the flow correct? As a side note, it would be nice to include the |
That looks correct to me, thanks for that breakdown and it highlights an omitted edge case in the problem description:
In the case of an air gapped Fleet server there are two cases, one of which we can handle easily and one we can't:
|
We are currently having this issue. Our Fleet Server are on 8.9.2. Our Elastic Agents on 8.9.0. We have an air gapped systems and use custom repositories that work reliable. When trying to Upgrade the Elastic Agent from 8.9.0 to 8.9.2:
|
@cmacknz please keep me honest here but @matthiasledergerber your agent should first try to validate the binary with the signature that is bundled in the installed agent. Do you have any signature verification failure in logs? |
As a reference, this is the PR where this was introduced: elastic/elastic-agent#2980 |
To add further information possible useful for debugging: I've tried Upgrading from 8.9.0 to 8.9.2 with multiple Agents (Windows, Linux). All running in air-gapped environments. I've also cleared the cache of our custom repository. The upgrade procedure used is the one from Fleet. I've looked at the firewall logs and there was the block to https://artifacts.elastic.co/GPG-KEY-elastic-agent (air-gapped). I did not see any signature failure logs when setting the log level to debug on the failing agent. Note: I've redacted the ip and hostnames of my own systems. Windows, 8.9.0 -> 8.9.2, connection to https://artifacts.elastic.co/GPG-KEY-elastic-agent blocked, Upgrade process fails
Linux, 8.9.0 -> 8.9.2, wget https://artifacts.elastic.co/GPG-KEY-elastic-agent works from the system, Upgrade Process works
|
@matthiasledergerber the connection blocked will trigger a problem in the agent upgrade process indeed. Would that work for you? |
The embedded GPG key is still valid, that we are considering the download of the fallback key at the public URL a fatal error is a bug. elastic/elastic-agent#3368 |
yes, we can try. We have about 100 agents. Our repositories are http only for other reasons, therefore we cannot use an workaround requiring encrypted connections and certificates (requires to have an PKI Infrastructure for the user and deployment options when self signed certificates, etc.). But in the end if we are required to do DNS redirection / HTTP redirecton on every host we can also redeploy the agents. There is no pressure for us on upgrading the agents currently. |
The fix that Craig linked will not help in your case. |
I just merged this PR elastic/elastic-agent#3375 to add a doc with the workaround. |
just quick question. |
I believe we should use major.minor.patch without the snapshot flag which means that both |
Yes it is. Currently all version numbers will result in the same (default) key path being used. This key is retrieved from a single "upstream" source if it's not available on disk. |
@michel-laterman do you have some branch i can work with? |
Side note for Elastic team - this bug would have been caught if there was some testing for Air-Gapped Agent upgrades. Is this something that can be added to your automated testing regime? |
Hi @defensivedepth - I think you're referring to this bug elastic/elastic-agent#3368 which is related. This ticket is more about making it simpler for air gapped upgrades if/when our code signing key is rotated, but the change in Agent that introduced the bug shouldn't have failed upgrades before this ticket was completed. We have scheduled work to implement tests for air gapped to prevent this from happening again: elastic/elastic-agent#3403 |
Fantastic, thanks @joshdover |
@michalpristas, #2977 has the work; implementation is pretty much complete, i'm just fixing the e2e tests |
Adding this comment for others that find this post. The workaround that utilizes DNS redirection is not really workable as it also requires being able to generate a TLS certificate for the false domain, which is not possible for us to do. We were able to upgrade Fleet and the agents using the below command. All of our hosts are RHEL7/8 with agents installed via tarball. We tried to give it the pgp-path and uri flags, but none worked. The upgrade still attempted to go to the public Elastic Artifacts URL.
On RHEL7/8 this was the command we used |
Hello @thethirstyturtle - sorry I didn't manage to update this issue. |
If Elastic Agent are unable to connect with Elastic public URL to retrieve the PGP key, they will fallback to a Fleet Server URL where the public key can be hosted too.
In Fleet Server, we must define a fixed route for hosting the GPG key
downloads/signing/key.pub
to mirror the public URL and have it read the GPG key in from its configuration using the same secure mechanisms we use to read the TLS private key.Mandate HTTPS on this endpoint and let Elastic Agent call it whenever needed.
Related Elastic Agent issue - elastic/elastic-agent#3264
The text was updated successfully, but these errors were encountered: