Backport elastic-agent#1867

Backport elastic-agent#1867 that forces the agent use use certificate verification instead of full verification when connecting to a local fleet-server instance. This change should resolve fleet-server#3435 which is a change in how certificates are verified when the beats lib in 7.17 is updated in fleet-server. Also fix linter issues
elastic · Apr 9, 2024 · 21cff7d · 21cff7d
1 parent d53d1a8
commit 21cff7d
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 9 deletions.
diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
@@ -97,6 +97,7 @@
 - Allow the - char to appear as part of variable names in eql expressions. {pull}32350[32350]
 - Allow the / char to appear as part of variable names in eql expressions. {pull}32528{32528}
 - Fix add_fields processor on Docker provider {pull}33269{33269}
+- Change local fleet-server connection to localhost:8221. {pull}38785[38785]
 
 ==== New features
 

diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go
@@ -9,7 +9,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"math/rand"
 	"os"
 	"os/exec"
@@ -269,7 +268,7 @@ func (c *enrollCmd) writeDelayEnroll(streams *cli.IOStreams) error {
 			errors.TypeConfig,
 			errors.M("path", enrollPath))
 	}
-	err = ioutil.WriteFile(enrollPath, data, 0600)
+	err = os.WriteFile(enrollPath, data, 0600)
 	if err != nil {
 		return errors.New(
 			err,
@@ -284,6 +283,9 @@ func (c *enrollCmd) writeDelayEnroll(streams *cli.IOStreams) error {
 func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig map[string]interface{}) (string, error) {
 	c.log.Debug("verifying communication with running Elastic Agent daemon")
 	agentRunning := true
+	if c.options.FleetServer.InternalPort == 0 {
+		c.options.FleetServer.InternalPort = defaultFleetServerInternalPort
+	}
 	_, err := getDaemonStatus(ctx)
 	if err != nil {
 		if !c.options.FleetServer.SpawnAgent {
@@ -321,6 +323,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig m
 	if err != nil {
 		return "", err
 	}
+	c.options.FleetServer.InternalPort = fleetConfig.Server.InternalPort
 
 	configToStore := map[string]interface{}{
 		"agent": agentConfig,
@@ -360,7 +363,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig m
 func (c *enrollCmd) prepareFleetTLS() error {
 	host := c.options.FleetServer.Host
 	if host == "" {
-		host = "localhost"
+		host = defaultFleetServerInternalHost
 	}
 	port := c.options.FleetServer.Port
 	if port == 0 {
@@ -376,7 +379,7 @@ func (c *enrollCmd) prepareFleetTLS() error {
 		if c.options.FleetServer.Insecure {
 			// running insecure, force the binding to localhost (unless specified)
 			if c.options.FleetServer.Host == "" {
-				c.options.FleetServer.Host = "localhost"
+				c.options.FleetServer.Host = defaultFleetServerInternalHost
 			}
 			c.options.URL = fmt.Sprintf("http://%s:%d", host, port)
 			c.options.Insecure = true
@@ -531,6 +534,9 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte
 		// use internal URL for future requests
 		if c.options.InternalURL != "" {
 			fleetConfig.Client.Host = c.options.InternalURL
+			// fleet-server will bind the internal listenter to localhost:8221
+			// InternalURL is localhost:8221, however cert uses $HOSTNAME, so we need to disable hostname verification.
+			fleetConfig.Client.Transport.TLS.VerificationMode = tlscommon.VerifyCertificate
 		}
 	}
 
@@ -602,7 +608,7 @@ func (c *enrollCmd) startAgent(ctx context.Context) (<-chan *os.ProcessState, er
 
 func (c *enrollCmd) stopAgent() {
 	if c.agentProc != nil {
-		c.agentProc.StopWait()
+		_ = c.agentProc.StopWait()
 		c.agentProc = nil
 	}
 }
@@ -664,7 +670,7 @@ func waitForAgent(ctx context.Context, timeout time.Duration) error {
 		for {
 			backOff.Wait()
 			_, err := getDaemonStatus(innerCtx)
-			if err == context.Canceled {
+			if errors.Is(err, context.Canceled) {
 				resChan <- waitResult{err: err}
 				return
 			}
@@ -714,7 +720,7 @@ func waitForFleetServer(ctx context.Context, agentSubproc <-chan *os.ProcessStat
 		for {
 			backExp.Wait()
 			status, err := getDaemonStatus(innerCtx)
-			if err == context.Canceled {
+			if errors.Is(err, context.Canceled) {
 				resChan <- waitResult{err: err}
 				return
 			}
@@ -827,7 +833,7 @@ func safelyStoreAgentInfo(s saver, reader io.Reader) error {
 	for i := 0; i <= maxRetriesstoreAgentInfo; i++ {
 		backExp.Wait()
 		err = storeAgentInfo(s, reader)
-		if err != filelock.ErrAppAlreadyRunning {
+		if !errors.Is(err, filelock.ErrAppAlreadyRunning) {
 			break
 		}
 	}
@@ -841,7 +847,9 @@ func storeAgentInfo(s saver, reader io.Reader) error {
 	if err := fileLock.TryLock(); err != nil {
 		return err
 	}
-	defer fileLock.Unlock()
+	defer func() {
+		_ = fileLock.Unlock()
+	}()
 
 	if err := s.Save(reader); err != nil {
 		return errors.New(err, "could not save enrollment information", errors.TypeFilesystem)

diff --git a/x-pack/elastic-agent/pkg/remote/client.go b/x-pack/elastic-agent/pkg/remote/client.go
@@ -175,6 +175,7 @@ func (c *Client) Send(
 	if err != nil {
 		return nil, errors.Wrapf(err, "fail to create HTTP request using method %s to %s", method, path)
 	}
+	c.log.Debugf("Creating new request to request URL %s", req.URL.String())
 
 	// Add generals headers to the request, we are dealing exclusively with JSON.
 	// Content-Type / Accepted type can be override from the called.