Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fleet] Configure ca trusted fingerprint for on prem users #120549

Merged
merged 5 commits into from Dec 8, 2021
Merged

[Fleet] Configure ca trusted fingerprint for on prem users #120549

merged 5 commits into from Dec 8, 2021

Conversation

nchaulet
Copy link
Member

@nchaulet nchaulet commented Dec 6, 2021
edited

Summary

Fixes #116620 #120608

With the changes for security on by default, we need to pass a ca fingerprint to the agents to allow them to communicate with Elasticsearch.

Done in that PR:

  • Add the field ca_trusted_fingerprint on output instead of using the existing ca_sha256
  • Use that field to populate ssl.ca_trusted_fingerprint in the output part of the agent policy.
  • Add the flag --fleet-server-es-ca-trusted-fingerprint to install instructions for Fleet server.

Depends on #29128 and elastic/beats#29128

Fleet server install instruction
Screen Shot 2021-12-07 at 2 34 40 PM

.fleet-policies for the default fleet server policy

Screen Shot 2021-12-07 at 2 31 39 PM

@nchaulet nchaulet added v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team auto-backport Deprecated: Automatically backport this PR after it's merged v8.1.0 labels Dec 6, 2021
@nchaulet nchaulet self-assigned this Dec 6, 2021
@joshdover
Copy link
Member

joshdover commented Dec 7, 2021
edited

@nchaulet this will fix #116620 as well as update the work done in #120276, correct?

Do you also plan to cover #120608 in this as well?

@nchaulet
Copy link
Member Author

nchaulet commented Dec 7, 2021

@joshdover Yes it will cover the 3 issue you mentioned

@nchaulet nchaulet marked this pull request as ready for review December 7, 2021 19:39
@nchaulet nchaulet requested review from a team as code owners December 7, 2021 19:39
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

joshdover
joshdover reviewed Dec 8, 2021
View reviewed changes
src/plugins/interactive_setup/server/kibana_config_writer.ts Show resolved Hide resolved
...tions/fleet/sections/agents/agent_requirements_page/components/install_command_utils.test.ts Show resolved Hide resolved
...plications/fleet/sections/agents/agent_requirements_page/components/install_command_utils.ts
Comment on lines +45 to +50
const commandArgumentsStr = commandArguments.reduce((acc, [key, val]) => {
if (acc === '' && key === 'url') {
return `--${key}=${val}`;
}
return (acc += ` ${newLineSeparator} --${key}=${val}`);
}, '');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍

x-pack/plugins/fleet/server/services/agent_policies/full_agent_policy.ts Show resolved Hide resolved
thomheymann
thomheymann approved these changes Dec 8, 2021
View reviewed changes
Copy link
Contributor

@thomheymann thomheymann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optional nit but otherwise LGTM.

src/plugins/interactive_setup/server/kibana_config_writer.test.ts
@@ -131,7 +132,7 @@ describe('KibanaConfigWriter', () => {
elasticsearch.hosts: [some-host]
elasticsearch.serviceAccountToken: some-value
elasticsearch.ssl.certificateAuthorities: [/data/ca_1234.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: [some-host], ca_sha256: fingerprint256}]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: [some-host], ca_trusted_fingerprint: d486ce00ac71e41d2b70d087a555fa5dd1936cdb458079537ba3ac133e4834d6}]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Much prefer this to the previous config name but is it worth aligning this with elasticsearch-js client for consistency?
https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/basic-config.html

caFingerprint - If configured, verify that the fingerprint of the CA certificate that has signed the certificate of the server matches the supplied fingerprint. Only accepts SHA256 digest fingerprints.

(We don't use elasticsearch.ssl.trustedCertificateAuthorities either but I don't know what Fleet conventions are)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The field is named ca_trusted_fingerprint in libbeat and the agent, so I think we probably to keep that consistent here.

@kibana-ci
Copy link
Collaborator

💛 Build succeeded, but was flaky

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
fleet 1144 1145 +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
fleet 643.4KB 643.6KB +157.0B

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/development-plugin-saved-objects.html#_mappings

id before after diff
ingest-outputs 11 12 +1
Unknown metric groups

API count

id before after diff
fleet 1251 1252 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @nchaulet

@nchaulet nchaulet merged commit 6c81068 into elastic:main Dec 8, 2021
@nchaulet nchaulet deleted the fleet-ca-trusted-fingerprint branch December 8, 2021 15:52
@kibanamachine
Copy link
Contributor

💔 Backport failed

Status Branch Result
8.0 Commit could not be cherrypicked due to conflicts

To backport manually run:
node scripts/backport --pr 120549

@joshdover joshdover mentioned this pull request Dec 9, 2021
Closed
6 tasks
@nchaulet nchaulet mentioned this pull request Dec 9, 2021
Merged
nchaulet added a commit to nchaulet/kibana that referenced this pull request Dec 9, 2021
@nchaulet
[Fleet] Configure ca trusted fingerprint for on prem users (elastic#1…
e46e082 
…20549)
nchaulet added a commit that referenced this pull request Dec 9, 2021
@nchaulet
[Fleet] Configure ca trusted fingerprint for on prem users (#120549) (#…
ca44293 
…120984)
TinLe pushed a commit to TinLe/kibana that referenced this pull request Dec 22, 2021
@nchaulet @TinLe
[Fleet] Configure ca trusted fingerprint for on prem users (elastic#1…
66b5b94 
…20549)
gbamparop pushed a commit to gbamparop/kibana that referenced this pull request Jan 12, 2022
@nchaulet @gbamparop
[Fleet] Configure ca trusted fingerprint for on prem users (elastic#1…
498f928 
…20549)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thomheymann thomheymann thomheymann approved these changes

@joshdover joshdover joshdover approved these changes

Assignees

@nchaulet nchaulet

Labels
auto-backport Deprecated: Automatically backport this PR after it's merged release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v8.0.0 v8.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Fleet] Add ES certificate authority fingerprint argument to Fleet Server install command
6 participants
@nchaulet @joshdover @elasticmachine @kibana-ci @kibanamachine @thomheymann