[Fleet] Support preconfigured output secrets #166360

Closed
hop-dev opened this issue Sep 13, 2023 · 9 comments · Fixed by #170259 or #172041
Labels: QA:Validated (Issue has been validated by QA), Team:Fleet (Team label for Observability Data Collection Fleet team)

Comments

@hop-dev
Contributor

hop-dev commented Sep 13, 2023

As part of #157458 we are adding the ability to use secrets with outputs.

Outputs can also be preconfigured in kibana.yml config. The scope of this issue is to support secrets in preconfigured outputs:

  • when a new output is detected in the config, it is created, any secrets are created and secret references are written to the output.
  • when an existing output secret is modified, the change is detected and the old secret is deleted and a new one created.

Implementation

See https://github.com/elastic/infosec/issues/14853 this has been raised with infosec.

@hop-dev hop-dev added the Team:Fleet Team label for Observability Data Collection Fleet team label Sep 13, 2023
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@hop-dev
Contributor Author

hop-dev commented Oct 25, 2023

Update: never mind, see comment below this one

We need to decide how users will specify secrets in config.

Here is a preconfigured output as it stands:

```
xpack.fleet.outputs:
  - id: my-logstash-output
    name: preconfigured logstash output
    type:  logstash
    hosts: ["localhost:9999"]
    ssl:
      certificate: xxxxxxxxxx
      key: this_is_secret
```
We can't have it so that a user upgrades to 8.12 and all of a sudden their ssl.key secret is migrated to using secrets storage, mainly because they also need to upgrade their fleet server and on prem users may not have done this, so we would break their policy

A couple options, in both of these we will need to update the docs to warn the user that using the old keys will store in plaintext:

  1. Separate secrets block

```
xpack.fleet.outputs:
  - id: my-logstash-output
    name: preconfigured logstash output
    type:  logstash
    hosts: ["localhost:9999"]
    ssl:
      certificate: xxxxxxxxxx
    secrets:
      ssl:
        key: this_is_secret
```

I think this is clean but it makes the API a bit more complicated

  2. prefix/postfix to keys
    something like key_secret or key_secure ?

```
xpack.fleet.outputs:
  - id: my-logstash-output
    name: preconfigured logstash output
    type:  logstash
    hosts: ["localhost:9999"]
    ssl:
      certificate: xxxxxxxxxx
      key_secret: this_is_secret
```

@juliaElastic @kpollich any opinions/ other ideas?

@hop-dev
Contributor Author

hop-dev commented Oct 25, 2023

Actually I've just been for a walk and realised that option 2 (Edit: I meant option 1) mirrors the HTTP API so definitely makes more sense, even if it feels less ergonomic to use

@hop-dev
Contributor Author

hop-dev commented Oct 31, 2023

@jillguyonnet I had a DM from @ismisepaul recommending we use argon2id, so I have had a go at starting an implementation, it's very rough but I think it works:

#170259

@kpollich kpollich added the QA:Needs Validation Issue needs to be validated by QA label Nov 8, 2023
kibanamachine added a commit to olegsu/kibana that referenced this issue Nov 23, 2023
## Summary

This PR adds support for outputs with secrets preconfigured in the
`kibana.yml` config file.

As Kibana needs to compare the value of the secret to manage updates, a
hash of the value is stored in the output's saved object. The
implementation follows [option 2 in Infosec's
recommendations](elastic/infosec#14853 (comment))
with the Argon2id algorithm.

See [here](https://www.npmjs.com/package/argon2) for information about
the `argon2` Node package and
[here](https://github.com/ranisalt/node-argon2/wiki/Options) for the
config options. Here, `argon2` was configured with the recommended
`m=19456 (19 MiB), t=2, p=1 ` (for some reason, `timeCost` cannot be set
to less than 2).

Closes elastic#166360

### Testing

1. Ensure the [`outputSecretsStorage` experimental feature](https://github.com/elastic/kibana/blob/fd4fdb01bcb011c0968a4ccab7ba739c3195016a/x-pack/plugins/fleet/common/experimental_features.ts#L26) is
enabled.
2. Add the following to your kibana config:
   ```
   xpack.fleet.outputs:
     - id: my-logstash-output-with-a-secret
       name: preconfigured logstash output with a secret
       type:  logstash
       hosts: ["localhost:9999"]
       ssl:
         certificate: xxxxxxxxxx
       secrets:
         ssl:
           key: thisissecret
   ```
3. Verify the secret has been correctly created, e.g. by issuing a `GET
.fleet-secrets/_search` request in Dev Tools: the secret should be
listed there.
4. Change the preconfigured value and wait for kibana to restart: the
secret should be updated with the new value.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: jillguyonnet <jill.guyonnet@gmail.com>
@jillguyonnet
Contributor

Reopening this as #170259 was reverted.

@jillguyonnet jillguyonnet reopened this Nov 27, 2023
jillguyonnet added a commit to jillguyonnet/kibana that referenced this issue Nov 28, 2023
@kpollich
Member

@amolnater-qasource surfacing testing instructions from Jill's second PR here since there's multiple PR's here:

Testing

  1. Ensure the outputSecretsStorage experimental feature is enabled.
  2. Add the following to your kibana config:

```
xpack.fleet.outputs:
  - id: my-logstash-output-with-a-secret
    name: preconfigured logstash output with a secret
    type:  logstash
    hosts: ["localhost:9999"]
    ssl:
      certificate: xxxxxxxxxx
    secrets:
      ssl:
        key: thisissecret
```

  3. Verify the secret has been correctly created, e.g. by issuing a GET .fleet-secrets/_search request in Dev Tools: the secret should be listed there.
  4. Change the preconfigured value and wait for kibana to restart: the secret should be updated with the new value.

@jillguyonnet if there's any more detail you can provide to help the QA folks test please feel free to add anything 🙂

@jillguyonnet
Contributor

Thank you @kpollich!

It would be great to test this with the three output types that support secret values:

  • Logstash (the example you pasted)
  • Kafka (password and SSL key)
  • Remote Elasticsearch (service token)

@amolnater-qasource please let me know if you have any questions 🙂

jillguyonnet added a commit that referenced this issue Nov 30, 2023
## Summary

Support for outputs with secrets preconfigured in `kibana.yml`. This was
already implemented in #170259,
which had to be reverted as the `argon2` package was causing Windows
tests to test (cf. [this
comment](#170259 (comment))).

The present implementation follows [option 2 in Infosec's
recommendations](elastic/infosec#14853 (comment))
with the Scrypt algorithm using the following params: N=2^14 (16 MiB),
r=8 (1024 bytes), p=5. Note that Scrypt is built-in within the `crypto`
module (see
[here](https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback)
for documentation).

Closes #166360

### Testing

1. Ensure the [`outputSecretsStorage` experimental feature](https://github.com/elastic/kibana/blob/fd4fdb01bcb011c0968a4ccab7ba739c3195016a/x-pack/plugins/fleet/common/experimental_features.ts#L26) is
enabled.
2. Add the following to your kibana config:
   ```
   xpack.fleet.outputs:
     - id: my-logstash-output-with-a-secret
       name: preconfigured logstash output with a secret
       type:  logstash
       hosts: ["localhost:9999"]
       ssl:
         certificate: xxxxxxxxxx
       secrets:
         ssl:
           key: thisissecret
   ```
3. Verify the secret has been correctly created, e.g. by issuing a `GET
.fleet-secrets/_search` request in Dev Tools: the secret should be
listed there.
4. Change the preconfigured value and wait for kibana to restart: the
secret should be updated with the new value.

---------

Co-authored-by: Mark Hopkin <mark.hopkin@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
@harshitgupta-qasource

harshitgupta-qasource commented Jan 2, 2024

Hi Team,

We have executed 08 testcases under the Feature test run for the 8.12.0 release at the link:

Status:

PASS: 08

Build details:
VERSION: 8.12.0 BC4
BUILD: 70016
COMMIT: c2fda47
Artifact Link: https://staging.elastic.co/8.12.0-e9640208/summary-8.12.0.html

As the testing is completed on this feature, we are marking this as QA:Validated.

Please let us know if anything else is required from our end.
Thanks

@harshitgupta-qasource harshitgupta-qasource added QA:Validated Issue has been validated by QA and removed QA:Needs Validation Issue needs to be validated by QA labels Jan 2, 2024