[Elastic Agent] Enroll with Fleet Server

[blakerouse]

What does this PR do?

This adds the ability to enroll the Elastic Agent with Fleet Server executed locally on the same machine. To get this work a few things needed to be added to Elastic Agent.

• Wire in the status.Controller to the socket control protocol.
• Add new bootstrap operating mode that just runs a Fleet Server.
• Add a new bootstrap of Fleet Server before the start of the Fleet Gateway (in managed mode w/ Fleet Server)

Note: This has a breaking change in the parameters to enroll. kibana_url and enrollment_token move to being parameters instead of positional arguments. This makes install and enroll take the same parameters, and closes #21897.

Why is it important?

So that Fleet Server can be bootstrapped on a machine with Fleet Server also running on that same machine.

How does it work?

The enroll command handles the coordination of controlling the running Elastic Agent daemon. The install command proxies to the enroll command so this can be ran from the install or from the DEB/RPM.

Breakdown of the steps that are completed to handle the bootstrap:

1. Enroll must be executed with --fleet-server parameter. This parameter is a connection string for Fleet Server to communicate to elasticsearch. (Example: --fleet-server http://elastic:changeme@localhost:9200)
2. Enroll ensures that it can communicate with a running Elastic Agent. (This requires that Elastic Agent to be running).
3. Enroll writes the fleet.yml with fleet.server configuration, with fleet.server.bootstrap: true.
4. Enroll triggers the Elastic Agent to restart (causing re-execution)
5. Elastic Agent is re-executed into the Fleet Server bootstrap mode.
6. Elastic Agent starts the Fleet Server passing it the configuration.
7. Enroll polls the status GRPC of the Elastic Agent until Fleet Server is started and is in degraded state (should be degraded, because the Elastic Agent is not enrolled yet).
8. Enroll performs the enrollment against newly running Fleet Server.
9. Enroll writes a new fleet.yml with enrollment information and the fleet.server information. The fleet.server.bootstrap is removed (aka. False).
10. Enroll triggers the Elastic Agent to restart (causing re-execution)
11. Elastic Agent is re-executed into the Fleet mode.
12. Elastic Agent starts up the Fleet Server before starting the Fleet Gateway communication (because fleet.server is set in the fleet.yml).
13. Elastic Agent then starts the Fleet Gateway communication
14. Elastic Agent is now executing and being controlled through the locally running Fleet Server.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• Normall enrollment without Fleet Server works as expected
• Enrollment with --fleet-server works.

How to test this PR locally

Run the latest 8.0.0-SNAPSHOT of elasticsearch and Kibana. Start Kibana with the xpack.fleet.agents.fleetServerEnabled: true.

Add the Fleet Server integration to a policy.

Look up the policy ID (as this is currently needed until a default policy for Fleet Server is added to Kibana).

Start Elastic Agent.

Run the following command to bootstrap and enroll the Elastic Agent.

./elastic-agent enroll --insecure --url http://localhost:8000 --enrollment-token {token} --fleet-server http://elastic:changeme@localhost:9200 --fleet-server-policy {policy_id}

Related issues

• Closes [Elastic Agent] Inconsistency for enroll and install command #21897

[elasticmachine]

Pinging @elastic/agent (Team:Agent)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #23865 updated

• Start Time: 2021-02-16T13:54:09.912+0000

• Duration: 51 min 56 sec

• Commit: b78c551

Test stats 🧪

Test	Results
Failed	0
Passed	6534
Skipped	16
Total	6550

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	6534
Skipped	16
Total	6550

[aleksmaus]

hardcoded?

[blakerouse]

Yes as it will communicate with the Fleet Server locally. There is currently not a way to setup SSL or run it on a different port through the enroll command.

Definitely things we need to look into, but not in this PR. This is just enough to get it up and running.

[aleksmaus]

nit: return nil

[aleksmaus]

nit: thought we agreed on lower-case logs. as long as it is consistent.

[blakerouse]

That was in Fleet Server repository. This is more consistent in Elastic Agent, even though I am not a fan of it.

[aleksmaus]

nit: return nil

[aleksmaus]

nit: consistency

running Elastic Agent

and

running elastic-agent

in the same file

[aleksmaus]

remove this map
and use:

func (s AgentStatusCode) String() string {
    return []string{"online", "degraded", "error"}[s]
}

it's more idiomatic

[aleksmaus]

nit: r.mx.Lock() maybe

[aleksmaus]

nit: shorter, no i++

	apps := make([]AgentApplicationStatus, 0, len(r.appReporters))
	for key, rep := range r.appReporters {
		rep.lock.Lock()
		apps = append(apps, AgentApplicationStatus{
			ID:      key,
			Name:    rep.name,
			Status:  rep.status,
			Message: rep.message,
		})
		rep.lock.Unlock()
	}
	```

[aleksmaus]

you were using locks above

rep.lock.Lock()

but not here

[aleksmaus]

once you change the enum code above, then could do just

r.log.Debugf("'%s' has status '%s'", id, s)

[elasticmachine]

Pinging @elastic/ingest-management (Team:Ingest Management)

[blakerouse]

/package

[nchaulet]

@blakerouse Do we have to specify the policy id if we use and enrollment token (the token should contain a policy id)
Also the enrollment token is optionnal if we use the default fleet server policy right?

[blakerouse]

@nchaulet At the moment you need both, if we could simplify it to only one that would be better.

[nchaulet]

@nchaulet At the moment you need both, if we could simplify it to only one that would be better.

Yes I think we can simplify it an enrollment key is always linked to a policy so it could work without the policy id