[Elastic Agent] Require --insecure on enroll for connection to Kibana #19900

Merged: 7 commits, Jul 14, 2020

@blakerouse blakerouse commented Jul 14, 2020

What does this PR do?

Adds a --insecure option to the enroll command to allow enrollment to Kibana with SSL that is insecure. Adds the requirement of using --insecure when using the HTTP protocol.

This also includes a rename of --ca_sha256 to --ca-sha256 and --certificate_authorities to --certificate-authorities. From a command line standpoint I think it's best to standardize on - versus a mix of - and _.

Why is it important?

To strongly require users to use a secure connection to Kibana.

Checklist

  • My code follows the style guidelines of this project
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

$ ./elastic-agent enroll http://localhost:5601 abcd
The Elastic Agent is currently in BETA and should not be used in production
Error: connection to Kibana is insecure, strongly recommended to use a secure connection (override with --insecure)

Related issues

@blakerouse blakerouse self-assigned this Jul 14, 2020
@blakerouse blakerouse force-pushed the agent-enroll-insecure branch from 686d98c to 534e371 Compare July 14, 2020 15:14
@blakerouse blakerouse marked this pull request as ready for review July 14, 2020 15:14
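
The behaviour this PR describes (refuse plain HTTP unless --insecure is given and, per its commit list, stop verifying TLS when it is), as an added Go example that is not code from the PR or from elastic-agent. `Transport`, `enrollTransport`, `ErrInsecure`, the warning strings and the sample URLs are assumptions made for illustration, as is mapping "not verify" to `InsecureSkipVerify`.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/url"
)

// ErrInsecure stands in for the refusal this PR adds (wording shortened).
var ErrInsecure = errors.New("connection to Kibana is insecure (override with --insecure)")

// Transport is a hypothetical type for this example, not part of elastic-agent.
type Transport struct {
	TLS     *tls.Config // nil means plaintext HTTP
	Warning string      // non-empty when a protection was switched off
}

// enrollTransport (hypothetical name) decides how kibanaURL may be reached.
func enrollTransport(kibanaURL string, insecure bool) (Transport, error) {
	u, err := url.Parse(kibanaURL)
	if err != nil {
		return Transport{}, fmt.Errorf("invalid Kibana URL: %w", err)
	}
	switch u.Scheme { // url.Parse lower-cases the scheme
	case "https":
		t := Transport{TLS: &tls.Config{}} // verification is on by default
		if insecure {
			t.TLS.InsecureSkipVerify = true // encrypted, but peer not authenticated
			t.Warning = "TLS certificate verification disabled by --insecure"
		}
		return t, nil
	case "http":
		if !insecure {
			return Transport{}, ErrInsecure
		}
		return Transport{Warning: "enrollment request sent in cleartext over HTTP"}, nil
	default: // fail closed on a missing or unknown scheme
		return Transport{}, fmt.Errorf("unsupported scheme %q in Kibana URL", u.Scheme)
	}
}

func main() {
	for _, raw := range []string{"http://localhost:5601", "https://kibana.example.test:5601"} { // constructed
		for _, insecure := range []bool{false, true} {
			t, err := enrollTransport(raw, insecure)
			fmt.Printf("%s insecure=%v tls=%v warning=%q err=%v\n", raw, insecure, t.TLS != nil, t.Warning, err)
		}
	}
}
```

Returning a warning alongside the settings lets the caller log every run where --insecure actually weakened the connection, which keeps the override visible in audit trails.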
@elasticmachine (Collaborator)

Pinging @elastic/ingest-management (Team:Ingest Management)

@ph ph left a comment

LGTM, tested locally.

Could we update the documentation in https://github.com/elastic/beats/blob/master/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc for the added flags/changes?

@@ -69,6 +71,9 @@ func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) {
if err != nil {
return nil, err
}
if cfg.Protocol == kibana.ProtocolHTTP && !e.Insecure {
return nil, fmt.Errorf("connection to Kibana is insecure, strongly recommended to use a secure connection (override with --insecure)")
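
Review bot: the message returned from the `cfg.Protocol == kibana.ProtocolHTTP && !e.Insecure` branch says a secure connection is "strongly recommended", but the branch returns an error, so the wording understates what happens; text along the lines of "refusing to connect to Kibana over plain HTTP (override with --insecure)" would match the behaviour and name the cause. The string has no format verbs, so errors.New would do in place of fmt.Errorf. The condition also matches only kibana.ProtocolHTTP: if cfg.Protocol can ever hold a value other than the HTTP and HTTPS ones, that value passes this check without --insecure, so testing for "not HTTPS" instead would fail closed.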

++ nice message.

@blakerouse blakerouse merged commit 55c4534 into elastic:master Jul 14, 2020
@blakerouse blakerouse deleted the agent-enroll-insecure branch July 14, 2020 17:08
blakerouse added a commit to blakerouse/beats that referenced this pull request Jul 15, 2020
…elastic#19900)

* Add insecure option to enroll.

* Set TLS to not verify on --insecure.

* Run mage fmt

* Add changelog.

* Update enroll for certificate-authorities and ca-sha256.

* Update changelog.

* Update docstring.

(cherry picked from commit 55c4534)
blakerouse added a commit that referenced this pull request Jul 15, 2020
…ll for connection to Kibana (#19910)

* [Elastic Agent] Require --insecure on enroll for connection to Kibana (#19900)

* Add insecure option to enroll.

* Set TLS to not verify on --insecure.

* Run mage fmt

* Add changelog.

* Update enroll for certificate-authorities and ca-sha256.

* Update changelog.

* Update docstring.

(cherry picked from commit 55c4534)

* Fix enroll_cmd_test.go.
mdelapenya added a commit to mdelapenya/e2e-testing that referenced this pull request Jul 15, 2020
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
Successfully merging this pull request may close these issues.

[Agent] Enforce TLS connection for enrolling or checking in.