[Elastic-Agent] Modify output to be insecure if flag is provided (#28007

)

[Elastic-Agent] Modify output to be insecure if flag is provided (#28007)

x-pack/elastic-agent/pkg/agent/cmd/container.go

@@ -96,6 +96,7 @@ The following actions are possible and grouped based on the actions.
   FLEET_SERVER_ELASTICSEARCH_USERNAME - elasticsearch username for Fleet Server [$ELASTICSEARCH_USERNAME]
   FLEET_SERVER_ELASTICSEARCH_PASSWORD - elasticsearch password for Fleet Server [$ELASTICSEARCH_PASSWORD]
   FLEET_SERVER_ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch [$ELASTICSEARCH_CA]
+  FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch
   FLEET_SERVER_SERVICE_TOKEN - service token to use for communication with elasticsearch
   FLEET_SERVER_POLICY_ID - policy ID for Fleet Server to use for itself ("Default Fleet Server policy" used when undefined)
   FLEET_SERVER_HOST - binding host for Fleet Server HTTP (overrides the policy). By default this is 0.0.0.0.
@@ -384,6 +385,9 @@ func buildEnrollArgs(cfg setupConfig, token string, policyID string) ([]string,
 		if cfg.FleetServer.InsecureHTTP || cfg.Fleet.Insecure {
 			args = append(args, "--insecure")
 		}
+		if cfg.FleetServer.Elasticsearch.Insecure {
+			args = append(args, "--fleet-server-es-insecure")
+		}
 	} else {
 		if cfg.Fleet.URL == "" {
 			return nil, errors.New("FLEET_URL is required when FLEET_ENROLL is true without FLEET_SERVER_ENABLE")

x-pack/elastic-agent/pkg/agent/cmd/enroll.go

@@ -54,6 +54,7 @@ func addEnrollFlags(cmd *cobra.Command) {
 	cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet")
 	cmd.Flags().StringP("fleet-server-es", "", "", "Start and run a Fleet Server along side this Elastic Agent connecting to the provided elasticsearch")
 	cmd.Flags().StringP("fleet-server-es-ca", "", "", "Path to certificate authority to use with communicate with elasticsearch")
+	cmd.Flags().BoolP("fleet-server-es-insecure", "", false, "Disables validation of certificates")
 	cmd.Flags().StringP("fleet-server-service-token", "", "", "Service token to use for communication with elasticsearch")
 	cmd.Flags().StringP("fleet-server-policy", "", "", "Start and run a Fleet Server on this specific policy")
 	cmd.Flags().StringP("fleet-server-host", "", "", "Fleet Server HTTP binding host (overrides the policy)")
@@ -101,6 +102,7 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
 	}
 	fServer, _ := cmd.Flags().GetString("fleet-server-es")
 	fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca")
+	fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure")
 	fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token")
 	fPolicy, _ := cmd.Flags().GetString("fleet-server-policy")
 	fHost, _ := cmd.Flags().GetString("fleet-server-host")
@@ -201,6 +203,10 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
 		args = append(args, "--delay-enroll")
 	}
 
+	if fElasticSearchInsecure {
+		args = append(args, "--fleet-server-es-insecure")
+	}
+
 	return args
 }
 
@@ -268,6 +274,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error {
 	enrollmentToken, _ := cmd.Flags().GetString("enrollment-token")
 	fServer, _ := cmd.Flags().GetString("fleet-server-es")
 	fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca")
+	fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure")
 	fHeaders, _ := cmd.Flags().GetStringSlice("header")
 	fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token")
 	fPolicy, _ := cmd.Flags().GetString("fleet-server-policy")
@@ -302,17 +309,18 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error {
 		ProxyHeaders:         mapFromEnvList(proxyHeaders),
 		DelayEnroll:          delayEnroll,
 		FleetServer: enrollCmdFleetServerOption{
-			ConnStr:         fServer,
-			ElasticsearchCA: fElasticSearchCA,
-			ServiceToken:    fServiceToken,
-			PolicyID:        fPolicy,
-			Host:            fHost,
-			Port:            fPort,
-			Cert:            fCert,
-			CertKey:         fCertKey,
-			Insecure:        fInsecure,
-			SpawnAgent:      !fromInstall,
-			Headers:         mapFromEnvList(fHeaders),
+			ConnStr:               fServer,
+			ElasticsearchCA:       fElasticSearchCA,
+			ElasticsearchInsecure: fElasticSearchInsecure,
+			ServiceToken:          fServiceToken,
+			PolicyID:              fPolicy,
+			Host:                  fHost,
+			Port:                  fPort,
+			Cert:                  fCert,
+			CertKey:               fCertKey,
+			Insecure:              fInsecure,
+			SpawnAgent:            !fromInstall,
+			Headers:               mapFromEnvList(fHeaders),
 		},
 	}
 

x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go

@@ -73,17 +73,18 @@ type enrollCmd struct {
 
 // enrollCmdFleetServerOption define all the supported enrollment options for bootstrapping with Fleet Server.
 type enrollCmdFleetServerOption struct {
-	ConnStr         string
-	ElasticsearchCA string
-	ServiceToken    string
-	PolicyID        string
-	Host            string
-	Port            uint16
-	Cert            string
-	CertKey         string
-	Insecure        bool
-	SpawnAgent      bool
-	Headers         map[string]string
+	ConnStr               string
+	ElasticsearchCA       string
+	ElasticsearchInsecure bool
+	ServiceToken          string
+	PolicyID              string
+	Host                  string
+	Port                  uint16
+	Cert                  string
+	CertKey               string
+	Insecure              bool
+	SpawnAgent            bool
+	Headers               map[string]string
 }
 
 // enrollCmdOption define all the supported enrollment option.
@@ -304,6 +305,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context) (string, error) {
 		c.options.ProxyURL,
 		c.options.ProxyDisabled,
 		c.options.ProxyHeaders,
+		c.options.FleetServer.ElasticsearchInsecure,
 	)
 	if err != nil {
 		return "", err
@@ -497,7 +499,9 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte
 			c.options.FleetServer.Host, c.options.FleetServer.Port,
 			c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA,
 			c.options.FleetServer.Headers,
-			c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders)
+			c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders,
+			c.options.FleetServer.ElasticsearchInsecure,
+		)
 		if err != nil {
 			return err
 		}
@@ -806,16 +810,21 @@ func createFleetServerBootstrapConfig(
 	proxyURL string,
 	proxyDisabled bool,
 	proxyHeaders map[string]string,
+	insecure bool,
 ) (*configuration.FleetAgentConfig, error) {
 	localFleetServer := connStr != ""
 
-	es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken)
+	es, err := configuration.ElasticsearchFromConnStr(connStr, serviceToken, insecure)
 	if err != nil {
 		return nil, err
 	}
 	if esCA != "" {
-		es.TLS = &tlscommon.Config{
-			CAs: []string{esCA},
+		if es.TLS == nil {
+			es.TLS = &tlscommon.Config{
+				CAs: []string{esCA},
+			}
+		} else {
+			es.TLS.CAs = []string{esCA}
 		}
 	}
 	if host == "" {
@@ -857,6 +866,9 @@ func createFleetServerBootstrapConfig(
 				Key:         key,
 			},
 		}
+		if insecure {
+			cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone
+		}
 	}
 
 	if localFleetServer {

x-pack/elastic-agent/pkg/agent/cmd/inspect.go

@@ -259,6 +259,7 @@ func getProgramsFromConfig(log *logger.Logger, agentInfo *info.AgentInfo, cfg *c
 	if err != nil {
 		return nil, err
 	}
+
 	composableWaiter := newWaitForCompose(composableCtrl)
 	configModifiers := &pipeline.ConfigModifiers{
 		Decorators: []pipeline.DecoratorFunc{modifiers.InjectMonitoring},

x-pack/elastic-agent/pkg/agent/cmd/setup_config.go

@@ -43,6 +43,7 @@ type elasticsearchConfig struct {
 	Username     string `config:"username"`
 	Password     string `config:"password"`
 	ServiceToken string `config:"service_token"`
+	Insecure     bool   `config:"insecure"`
 }
 
 type kibanaConfig struct {
@@ -92,6 +93,7 @@ func defaultAccessConfig() (setupConfig, error) {
 				Password:     envWithDefault("changeme", "FLEET_SERVER_ELASTICSEARCH_PASSWORD", "ELASTICSEARCH_PASSWORD"),
 				ServiceToken: envWithDefault("", "FLEET_SERVER_SERVICE_TOKEN"),
 				CA:           envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA", "ELASTICSEARCH_CA"),
+				Insecure:     envBool("FLEET_SERVER_ELASTICSEARCH_INSECURE"),
 			},
 			Enable:       envBool("FLEET_SERVER_ENABLE"),
 			Host:         envWithDefault("", "FLEET_SERVER_HOST"),

x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go

@@ -47,7 +47,7 @@ type Elasticsearch struct {
 }
 
 // ElasticsearchFromConnStr returns an Elasticsearch configuration from the connection string.
-func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch, error) {
+func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) (Elasticsearch, error) {
 	u, err := url.Parse(conn)
 	if err != nil {
 		return Elasticsearch{}, err
@@ -64,6 +64,11 @@ func ElasticsearchFromConnStr(conn string, serviceToken string) (Elasticsearch,
 		Path:     u.Path,
 		TLS:      nil,
 	}
+	if insecure {
+		cfg.TLS = &tlscommon.Config{
+			VerificationMode: tlscommon.VerifyNone,
+		}
+	}
 	if serviceToken != "" {
 		cfg.ServiceToken = serviceToken
 		return cfg, nil

x-pack/elastic-agent/pkg/agent/transpiler/ast.go

@@ -104,6 +104,11 @@ func (d *Dict) Find(key string) (Node, bool) {
 	return nil, false
 }
 
+// Insert inserts a value into a collection.
+func (d *Dict) Insert(node Node) {
+	d.value = append(d.value, node)
+}
+
 func (d *Dict) String() string {
 	var sb strings.Builder
 	for i := 0; i < len(d.value); i++ {