elastic-agent elasticsearch CA fingerprint support #29128
Conversation
michel-laterman
added
enhancement
backport-v8.0.0
botelastic
bot
added
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
michel-laterman
force-pushed
the
agent-es-ca-fingerprint
branch
from
a0a5f09 to
8c86f4a
Compare
|
@belimawr this may be interesting for you :-) |
| @@ -51,7 +51,7 @@ func verifyCAPin(hashes []string, verifiedChains [][]*x509.Certificate) error { | |||
|
|
|||
| // Fingerprint takes a certificate and create a hash of the DER encoded public key. | |||
| func Fingerprint(certificate *x509.Certificate) string { | |||
| hash := sha256.Sum256(certificate.RawSubjectPublicKeyInfo) | |||
| hash := sha256.Sum256(certificate.Raw) | |||
There was a problem hiding this comment.
@simitt, I've tried the change you suggested here and my tests have rejected the certificate
There was a problem hiding this comment.
Could you be a bit more specific what rejected the certificate means? And did you convert the ES fingerprint from hex to base64 before configuring it?
There was a problem hiding this comment.
And since it is self-sigend, you need to also configure the CA with the current libbeat code. I mentioned this in my first comment, as it might be a problem if only the fingerprint is passed down from Fleat.
There was a problem hiding this comment.
both hex and basic should still be accepted right? Can we know if certs are hex or basic in order to avoid convertion when not needed?
|
@michel-laterman could you also perform some test with the standalone agent? Certificate should then be pass into the elastic agent configuration file. |
|
I have tested in fleet-mode and got it to work* with a custom snapshot build of the elastic-agent and fleet-server binary. The agent->ES communication is done through fleet-server. as the http.RoundTripper.TLSClientConfig when creating a go-elasticsearch client. This means that all certificate verification is currently done by libbeat instead of go-elasticsearch.
To build my test binaries I cherry-picked my current PR commits to 8.0 and built a snapshot for the elastic-agent. The binaries "worked" as fleet-server was able to connect to ES and get cluster info (the agent then failed at DNS stuff). I'll clear the fingerprint handling from this PR and let @belimawr's pr handle it. |
|
As the discussion has progress some things have changed. We should instead be using a CLI arg name called |
|
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane) |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
There was a problem hiding this comment.
You need to add support for this in the container as well.
https://github.com/elastic/beats/blob/master/x-pack/elastic-agent/pkg/agent/cmd/setup_config.go
* initial commit * Update Fingerprint method * Switch to using newly added CATrustedFingerprint attribute * rename flag * Fix broken flag * Add CHANGELOG * Add container support (cherry picked from commit fcb7b81)
* initial commit * Update Fingerprint method * Switch to using newly added CATrustedFingerprint attribute * rename flag * Fix broken flag * Add CHANGELOG * Add container support (cherry picked from commit fcb7b81) Co-authored-by: Michel Laterman <82832767+michel-laterman@users.noreply.github.com>
What does this PR do?
Add support to the elastic-agent for specifying the elasticsearch CA by fingerprint with the
--fleet-server-es-ca-trusted-fingerprintflag.Why is it important?
The elastic stack in 8.0 will turn on security by default. If no certs are provided ES will generate self-signed certs. Using the fingerprint of the CA will let components know what certs to trust.
Checklist
I have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.How to test this PR locally
elastic-agentwith the--fleet-server-es-ca-sha256flagRelated issues