Skip to content

[Elastic Agent] Require --insecure on enroll for connection to Kibana#19900

Merged
blakerouse merged 7 commits intoelastic:masterfrom
blakerouse:agent-enroll-insecure
Jul 14, 2020
Merged

[Elastic Agent] Require --insecure on enroll for connection to Kibana#19900
blakerouse merged 7 commits intoelastic:masterfrom
blakerouse:agent-enroll-insecure

Conversation

@blakerouse
Copy link
Copy Markdown
Contributor

@blakerouse blakerouse commented Jul 14, 2020
edited
Loading

What does this PR do?

Adds a --insecure option to enroll command to allow enrollment to Kibana with SSL that is insecure. Adds the requirement of using --insecure when using the HTTP protocol.

This also includes a rename of --ca_sha256 to --ca-sha256 and --certificate_authorities to --certificate-authorities. From a command line standpoint I think its best to standardize on - versus a mix of - and _.

Why is it important?

To strongly require users to use secure connection to Kibana.

Checklist

  • My code follows the style guidelines of this project
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

$ ./elastic-agent enroll http://localhost:5601 abcd
The Elastic Agent is currently in BETA and should not be used in production
Error: connection to Kibana is insecure, strongly recommended to use a secure connection (override with --insecure)

Related issues

@blakerouse blakerouse self-assigned this Jul 14, 2020
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jul 14, 2020
@blakerouse blakerouse force-pushed the agent-enroll-insecure branch from 686d98c to 534e371 Compare July 14, 2020 15:14
@blakerouse blakerouse marked this pull request as ready for review July 14, 2020 15:14
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jul 14, 2020

Pinging @elastic/ingest-management (Team:Ingest Management)

ph
ph approved these changes Jul 14, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@ph ph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, tested locally.

Could we update the documentation in https://github.com/elastic/beats/blob/master/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc for the added flags/changes?

x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go
return nil, err
}
if cfg.Protocol == kibana.ProtocolHTTP && !e.Insecure {
return nil, fmt.Errorf("connection to Kibana is insecure, strongly recommended to use a secure connection (override with --insecure)")
Copy link
Copy Markdown
Contributor

@ph ph Jul 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

++ nice message.

@blakerouse blakerouse merged commit 55c4534 into elastic:master Jul 14, 2020
@blakerouse blakerouse deleted the agent-enroll-insecure branch July 14, 2020 17:08
@blakerouse blakerouse mentioned this pull request Jul 14, 2020
Merged
2 tasks
blakerouse added a commit to blakerouse/beats that referenced this pull request Jul 15, 2020
@blakerouse
[Elastic Agent] Require --insecure on enroll for connection to Kibana (
0876631 
…elastic#19900)

* Add insecure option to enroll.

* Set TLS to not verify on --insecure.

* Run mage fmt

* Add changelog.

* Update enroll for certificate-authorities and ca-sha256.

* Update changelog.

* Update docstring.

(cherry picked from commit 55c4534)
blakerouse added a commit that referenced this pull request Jul 15, 2020
@blakerouse
Cherry-pick #19900 to 7.x: [Elastic Agent] Require --insecure on enro…
76c29fa 
…ll for connection to Kibana (#19910)

* [Elastic Agent] Require --insecure on enroll for connection to Kibana (#19900)

* Add insecure option to enroll.

* Set TLS to not verify on --insecure.

* Run mage fmt

* Add changelog.

* Update enroll for certificate-authorities and ca-sha256.

* Update changelog.

* Update docstring.

(cherry picked from commit 55c4534)

* Fix enroll_cmd_test.go.
mdelapenya added a commit to mdelapenya/e2e-testing that referenced this pull request Jul 15, 2020
@mdelapenya
fix: Require insecure flag when enrolling an agent over HTTP
e3dc69e 
See elastic/beats#19900
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
@blakerouse @melchiormoulin
[Elastic Agent] Require --insecure on enroll for connection to Kibana (
c1c453e 
…elastic#19900)

* Add insecure option to enroll.

* Set TLS to not verify on --insecure.

* Run mage fmt

* Add changelog.

* Update enroll for certificate-authorities and ca-sha256.

* Update changelog.

* Update docstring.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@ph ph ph approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@blakerouse blakerouse

Labels

v7.9.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Agent] Enforce TLS connection for enrolling or checking in.

3 participants

@blakerouse @elasticmachine @ph