New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Fleet] Support preconfigured output secrets #170259
[Fleet] Support preconfigured output secrets #170259
Conversation
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
… src/core/server/integration_tests/ci_checks'
… src/core/server/integration_tests/ci_checks'
Pinging @elastic/fleet (Team:Fleet) |
@elasticmachine merge upstream |
expect.anything() | ||
); | ||
expect(mockedOutputService.update).not.toBeCalled(); | ||
// expect(spyAgentPolicyServicBumpAllAgentPoliciesForOutput).not.toBeCalled(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: should this line be removed?
@@ -221,6 +338,7 @@ function isPreconfiguredOutputDifferentFromCurrent( | |||
isDifferent(existingOutput.config_yaml, preconfiguredOutput.config_yaml) || | |||
isDifferent(existingOutput.proxy_id, preconfiguredOutput.proxy_id) || | |||
isDifferent(existingOutput.allow_edit ?? [], preconfiguredOutput.allow_edit ?? []) || | |||
kafkaFieldsAreDifferent() | |||
(await kafkaFieldsAreDifferent()) || | |||
(await logstashFieldsAreDifferent()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we cover kafka and logstash output changes in unit tests?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for that @juliaElastic - your suggestion made me realise the tests were not properly testing the comparison of hashes. I pushed a commit that addresses that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, added a comment to improve test coverage.
}, | ||
"hash": { | ||
"type": "keyword", | ||
"index": false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hash
field should be excluded from SO mappings as it is not powering any search.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I might be missing something here, maybe @juliaElastic can help me clarify.
As I understand, this means removing the hash
field from x-pack/plugins/fleet/server/saved_objects/index.ts
altogether. This makes sense as we're not searching on the hash, but I'm unsure whether we'll be able to retrieve the hash in all scenarios. FWIW I've tested the repro steps locally and it does work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Solved via Slack - for reference, this tutorial was useful: https://github.com/elastic/kibana/blob/main/dev_docs/tutorials/saved_objects.mdx.
@elasticmachine merge upstream |
@elasticmachine merge upstream |
… src/core/server/integration_tests/ci_checks'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the core-related update! changes LGTM
@elasticmachine merge upstream |
@elasticmachine merge upstream |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The logic + tests all look great to me. I did have one comment about improving some existing log messages as part of this PR, but otherwise LGTM! 🚀
x-pack/plugins/fleet/server/services/preconfiguration/outputs.ts
Outdated
Show resolved
Hide resolved
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
History
To update your PR or re-run it, just comment with: |
@hop-dev I had the need to reverted this PR at 78f7b80. @pheyos found this commit was breaking tests the QA team have in place on Windows. The reason for this was that this pr added a native module as a production dependency (argon2). Is it possible for you to avoid using a native module dependency and found a replacement for it? We really like to avoid adding new ones other than the |
This reverts commit 1f7a527.
I have done a search it looks like all node argon2 libraries use the native argon2. It may be worth looking at the other hashes recomended by the security team and see if there is a better lib? |
Hey @hop-dev I'm back from PTO, taking a look at this now 👀 |
## Summary Support for outputs with secrets preconfigured in `kibana.yml`. This was already implemented in #170259, which had to be reverted as the `argon2` package was causing Windows tests to test (cf. [this comment](#170259 (comment))). The present implementation follows [option 2 in Infosec's recommendations](elastic/infosec#14853 (comment)) with the Scrypt algorithm using the following params: N=2^14 (16 MiB), r=8 (1024 bytes), p=5. Note that Scrypt is built-in within the `crypto` module (see [here](https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback) for documentation). Closes #166360 ### Testing 1. Ensure the [`outputSecretsStorage` experimental feature ](https://github.com/elastic/kibana/blob/fd4fdb01bcb011c0968a4ccab7ba739c3195016a/x-pack/plugins/fleet/common/experimental_features.ts#L26)is enabled. 2. Add the following to your kibana config: ``` xpack.fleet.outputs: - id: my-logstash-output-with-a-secret name: preconfigured logstash output with a secret type: logstash hosts: ["localhost:9999"] ssl: certificate: xxxxxxxxxx secrets: ssl: key: thisissecret ``` 3. Verify the secret has been correctly created, e.g. by issuing a `GET .fleet-secrets/_search` request in Dev Tools: the secret should be listed there. 4. Change the preconfigured value and wait for kibana to restart: the secret should be updated with the new value. --------- Co-authored-by: Mark Hopkin <mark.hopkin@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Summary
This PR adds support for outputs with secrets preconfigured in the
kibana.yml
config file.As Kibana needs to compare the value of the secret to manage updates, a hash of the value is stored in the output's saved object. The implementation follows option 2 in Infosec's recommendations with the Argon2id algorithm.
See here for information about the
argon2
Node package and here for the config options. Here,argon2
was configured with the recommendedm=19456 (19 MiB), t=2, p=1
(for some reason,timeCost
cannot be set to less than 2).Closes #166360
Testing
outputSecretsStorage
experimental feature is enabled.GET .fleet-secrets/_search
request in Dev Tools: the secret should be listed there.