
[Agent] Enforce TLS connection for enrolling or checking in. #16736

Closed
ph opened this issue Mar 2, 2020 · 7 comments · Fixed by #19900
Labels
Ingest Management:beta1 Group issues for ingest management beta1 [zube]: In Progress

Comments

ph (Contributor) commented Mar 2, 2020

Currently, it's possible to enroll the Agent without using a TLS connection; you only need to use the "HTTP" protocol when enrolling. Since the Agent can be effectively controlled by a remote Kibana instance, we want to enforce the requirement of TLS and refuse to enroll if the Kibana endpoint doesn't have TLS enabled.

It should fail when using the following to enroll:

agent enroll http://localhost:5901 <enroll_key>

You can disable the TLS requirement by using the -insecure flag; using this flag should warn the user that the connection is insecure, and this flag should not be used in production.

agent enroll -insecure http://localhost:5901 <enroll_key>

elasticmachine (Collaborator) commented

Pinging @elastic/ingest (Project:fleet)

michalpristas (Contributor) commented

Are we verifying the cert in any way? Like, we have a process defined elsewhere comparing the cert hash? Or will we rely on the standard ways?

ph (Contributor, Author) commented Mar 4, 2020

@michalpristas We actually rely on the standard way; the ca_sha256 pin check, when provided, is done as a callback after the chain was created.

What we want to do is, without the -insecure flag set, refuse to connect to the remote host if TLS is not used. I think it will be used in two scenarios:

  1. For us as developers, because dealing with TLS in testing is kind of a pain.
  2. Someone who wants to try Fleet/Agent, but not in production.

This is why, when the -insecure flag is used, we want to be noisy in the terminal to inform them about the risk. I believe on the Kibana side they wanted to add a banner to warn if Fleet was enabled without TLS.
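The two behaviours discussed in this thread (refuse a plain-HTTP Kibana URL unless -insecure is set and then warn loudly, and apply the ca_sha256 pins as a callback that only runs after Go's standard chain verification) as an added Go example. This is not the Agent's own code; the function names, the error text and the pin encoding (hex SHA-256 of the DER certificate) are assumptions made for the example.

```go
package main
import (
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

// ErrNoTLS: the Kibana URL is plain http and -insecure was not given.
var ErrNoTLS = errors.New("enroll: Kibana URL does not use TLS; pass -insecure to override (never in production)")
// ValidateKibanaURL refuses a non-TLS endpoint unless insecure is set; with the
// override it returns the loud warning the caller must print to the terminal.
func ValidateKibanaURL(raw string, insecure bool) (warning string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	switch u.Scheme {
	case "https":
		return "", nil
	case "http":
		if !insecure {
			return "", ErrNoTLS
		}
		return fmt.Sprintf("WARNING: enrolling to %s over plain HTTP; -insecure must not be used in production", u.Host), nil
	}
	return "", fmt.Errorf("enroll: unsupported scheme %q in %s", u.Scheme, raw)
}

// CertPin is the pin format assumed here: hex-encoded SHA-256 of the DER certificate.
func CertPin(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

// VerifyCAPins returns a tls.Config.VerifyPeerCertificate callback. With InsecureSkipVerify
// off, Go invokes it only after standard chain verification succeeded, so pinning is
// layered on top: at least one certificate in a verified chain must match a configured pin.
func VerifyCAPins(pins []string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, chain := range chains {
			for _, cert := range chain {
				for _, pin := range pins {
					if CertPin(cert.Raw) == pin {
						return nil
					}
				}
			}
		}
		return errors.New("tls: no certificate in the verified chain matches a ca_sha256 pin")
	}
}
```

Wire the callback in with `tls.Config{VerifyPeerCertificate: VerifyCAPins(pins)}`; with an empty pin list leave the field nil so only the standard verification applies.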

elasticmachine (Collaborator) commented

Pinging @elastic/ingest-management (Team:ingest-management)

ph added the elastic-agent and Ingest Management:beta1 labels and removed the bug label on May 14, 2020

ph (Contributor, Author) commented May 14, 2020

@blakerouse could you take a look at this to unblock our integration tests?

ph (Contributor, Author) commented Jul 6, 2020

@blakerouse Could you take a look?

blakerouse (Contributor) commented

@ph looking into it
