[Fleet] Allow more registry proxy configuration #78968
Labels
Team:Fleet
Team label for Observability Data Collection Fleet team
Comments
jfsiii
added
the
Team:Fleet
|
Pinging @elastic/ingest-management (Team:Ingest Management) |
2 tasks
jfsiii
pushed a commit
that referenced
this issue
Oct 6, 2020
…ing Registry (#78648) ## Summary If given a `xpack.fleet.registryProxyUrl` setting, Package Manager will use it when contacting the Registry. This only affects the outbound connection Package Manager makes to the Registry to search for available packages, download assets, etc. ### Configuration <details><summary><strike>Initial PR: common environment variables</strike></summary> <p>Currently the value must come from a <a href="https://github.com/Rob--W/proxy-from-env#environment-variables">list of popular environment variables</a> which include <code>ALL_PROXY</code>, <code>HTTPS_PROXY</code>, lowercase versions of those, and many more.</p> <p>Start kibana with a proxy set in an environment variable like: <code>HTTPS_PROXY=https://localhost:8443 yarn start</code></p> </details> _update_ based on discussion in the comments, the initial environment variables approach was removed in favor of `xpack.ingestManager.registryProxyUrl` #### see #78968 for additional configuration coming later ### Checklist - [ ] ~~[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials.~~ Created #78961 to track - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Created #78968 to track the additional configuration work refs #70710
jfsiii
pushed a commit
to jfsiii/kibana
that referenced
this issue
Oct 6, 2020
…ing Registry (elastic#78648) ## Summary If given a `xpack.fleet.registryProxyUrl` setting, Package Manager will use it when contacting the Registry. This only affects the outbound connection Package Manager makes to the Registry to search for available packages, download assets, etc. ### Configuration <details><summary><strike>Initial PR: common environment variables</strike></summary> <p>Currently the value must come from a <a href="https://github.com/Rob--W/proxy-from-env#environment-variables">list of popular environment variables</a> which include <code>ALL_PROXY</code>, <code>HTTPS_PROXY</code>, lowercase versions of those, and many more.</p> <p>Start kibana with a proxy set in an environment variable like: <code>HTTPS_PROXY=https://localhost:8443 yarn start</code></p> </details> _update_ based on discussion in the comments, the initial environment variables approach was removed in favor of `xpack.ingestManager.registryProxyUrl` #### see elastic#78968 for additional configuration coming later ### Checklist - [ ] ~~[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials.~~ Created elastic#78961 to track - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Created elastic#78968 to track the additional configuration work refs elastic#70710
jfsiii
pushed a commit
that referenced
this issue
Oct 6, 2020
…ing Registry (#78648) (#79758) ## Summary If given a `xpack.fleet.registryProxyUrl` setting, Package Manager will use it when contacting the Registry. This only affects the outbound connection Package Manager makes to the Registry to search for available packages, download assets, etc. ### Configuration <details><summary><strike>Initial PR: common environment variables</strike></summary> <p>Currently the value must come from a <a href="https://github.com/Rob--W/proxy-from-env#environment-variables">list of popular environment variables</a> which include <code>ALL_PROXY</code>, <code>HTTPS_PROXY</code>, lowercase versions of those, and many more.</p> <p>Start kibana with a proxy set in an environment variable like: <code>HTTPS_PROXY=https://localhost:8443 yarn start</code></p> </details> _update_ based on discussion in the comments, the initial environment variables approach was removed in favor of `xpack.ingestManager.registryProxyUrl` #### see #78968 for additional configuration coming later ### Checklist - [ ] ~~[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials.~~ Created #78961 to track - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Created #78968 to track the additional configuration work refs #70710
jen-huang
changed the title
jen-huang
changed the title
|
As our company has SSL interception in place on the proxy, we really need something to disable the certificate check or a possibility to add our CA to the cert trust chain. |
|
If you have a specific CA that you need Kibana's backend to trust, you should be able to use the |
|
@joshdover thank you for the hint. I have to check, if there is a possibility to inject such environment vars in ECE, and also the needed CA files. |
|
@horvatal I believe the runtime will also respect any system-wide installed CAs, though in the context of ECE this would mean any CAs installed into the Kibana docker images. We have documentation here about how to add custom Kibana plugins to a custom docker image and configure ECE to use your custom image. You should be able to largely follow the same process, except instead of installing a plugin, you'll need to add your CA. Our docker images use CentOS as the base image, so I believe your custom Dockerfile would look something like: FROM docker.elastic.co/cloud-assets/kibana:7.14.0-0
MAINTAINER Your Name <youremail@example.com>
ADD mycert.pem /etc/pki/ca-trust/source/anchors/mycert.pem
RUN update-ca-trust |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
#78648 added this interface for specifying proxy settings/behavior when connecting to package registry (EPR).
kibana/x-pack/plugins/ingest_manager/server/services/epm/registry/proxy.ts
Lines 14 to 18 in 243e56c
Note:
proxyRejectUnauthorizedCertificatesshould be changed to required boolean type, so that it defaults totrueinstead of undefined.Progress on exposing those values for configuration
xpack.fleet.*registryProxyUrl#78648registryProxyHeadersregistryProxyRejectUnauthorizedCertificateskibana.ymlwhen making requests to the RegistryrejectUnauthorized: truebehaviorThe text was updated successfully, but these errors were encountered: