[Fleet] Support preconfigured output secrets #170259
Conversation
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
… src/core/server/integration_tests/ci_checks'
… src/core/server/integration_tests/ci_checks'
jillguyonnet
added
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
|
@elasticmachine merge upstream |
| expect.anything() | ||
| ); | ||
| expect(mockedOutputService.update).not.toBeCalled(); | ||
| // expect(spyAgentPolicyServicBumpAllAgentPoliciesForOutput).not.toBeCalled(); |
There was a problem hiding this comment.
nit: should this line be removed?
| @@ -221,6 +338,7 @@ function isPreconfiguredOutputDifferentFromCurrent( | |||
| isDifferent(existingOutput.config_yaml, preconfiguredOutput.config_yaml) || | |||
| isDifferent(existingOutput.proxy_id, preconfiguredOutput.proxy_id) || | |||
| isDifferent(existingOutput.allow_edit ?? [], preconfiguredOutput.allow_edit ?? []) || | |||
| kafkaFieldsAreDifferent() | |||
| (await kafkaFieldsAreDifferent()) || | |||
| (await logstashFieldsAreDifferent()) | |||
There was a problem hiding this comment.
Could we cover kafka and logstash output changes in unit tests?
There was a problem hiding this comment.
Thanks for that @juliaElastic - your suggestion made me realise the tests were not properly testing the comparison of hashes. I pushed a commit that addresses that.
| }, | ||
| "hash": { | ||
| "type": "keyword", | ||
| "index": false |
There was a problem hiding this comment.
hash field should be excluded from SO mappings as it is not powering any search.
There was a problem hiding this comment.
I might be missing something here, maybe @juliaElastic can help me clarify.
As I understand, this means removing the hash field from x-pack/plugins/fleet/server/saved_objects/index.ts altogether. This makes sense as we're not searching on the hash, but I'm unsure whether we'll be able to retrieve the hash in all scenarios. FWIW I've tested the repro steps locally and it does work.
There was a problem hiding this comment.
Solved via Slack - for reference, this tutorial was useful: https://github.com/elastic/kibana/blob/main/dev_docs/tutorials/saved_objects.mdx.
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
… src/core/server/integration_tests/ci_checks'
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
x-pack/plugins/fleet/server/services/preconfiguration/outputs.ts
Outdated
Show resolved
Hide resolved
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
History
To update your PR or re-run it, just comment with: |
|
@hop-dev I had the need to reverted this PR at 78f7b80. @pheyos found this commit was breaking tests the QA team have in place on Windows. The reason for this was that this pr added a native module as a production dependency (argon2). Is it possible for you to avoid using a native module dependency and found a replacement for it? We really like to avoid adding new ones other than the |
This reverts commit 1f7a527.
|
I have done a search it looks like all node argon2 libraries use the native argon2. It may be worth looking at the other hashes recomended by the security team and see if there is a better lib? |
|
Hey @hop-dev I'm back from PTO, taking a look at this now 👀 |
## Summary Support for outputs with secrets preconfigured in `kibana.yml`. This was already implemented in #170259, which had to be reverted as the `argon2` package was causing Windows tests to test (cf. [this comment](#170259 (comment))). The present implementation follows [option 2 in Infosec's recommendations](elastic/infosec#14853 (comment)) with the Scrypt algorithm using the following params: N=2^14 (16 MiB), r=8 (1024 bytes), p=5. Note that Scrypt is built-in within the `crypto` module (see [here](https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback) for documentation). Closes #166360 ### Testing 1. Ensure the [`outputSecretsStorage` experimental feature ](https://github.com/elastic/kibana/blob/fd4fdb01bcb011c0968a4ccab7ba739c3195016a/x-pack/plugins/fleet/common/experimental_features.ts#L26)is enabled. 2. Add the following to your kibana config: ``` xpack.fleet.outputs: - id: my-logstash-output-with-a-secret name: preconfigured logstash output with a secret type: logstash hosts: ["localhost:9999"] ssl: certificate: xxxxxxxxxx secrets: ssl: key: thisissecret ``` 3. Verify the secret has been correctly created, e.g. by issuing a `GET .fleet-secrets/_search` request in Dev Tools: the secret should be listed there. 4. Change the preconfigured value and wait for kibana to restart: the secret should be updated with the new value. --------- Co-authored-by: Mark Hopkin <mark.hopkin@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Summary
This PR adds support for outputs with secrets preconfigured in the
kibana.ymlconfig file.As Kibana needs to compare the value of the secret to manage updates, a hash of the value is stored in the output's saved object. The implementation follows option 2 in Infosec's recommendations with the Argon2id algorithm.
See here for information about the
argon2Node package and here for the config options. Here,argon2was configured with the recommendedm=19456 (19 MiB), t=2, p=1(for some reason,timeCostcannot be set to less than 2).Closes #166360
Testing
outputSecretsStorageexperimental feature is enabled.GET .fleet-secrets/_searchrequest in Dev Tools: the secret should be listed there.