As described in #4237 the HTTP client used in our verifier ignores the binary download proxy configuration.
https://github.com/elastic/elastic-agent/blob/main/internal/pkg/agent/application/upgrade/artifact/download/http/downloader.go#L193-L197
Resolving that issue will make the verifier client respect the agent.download proxy URL (elastic-agent/elastic-agent.yml, line 142 in 574aa5d).
In an air-gapped network where the GPG key has been rotated and artifacts.elastic.co is not available, the upgrade must download the new GPG key from Fleet server. We currently assume that knowing the Fleet server URL is enough:

elastic-agent/internal/pkg/agent/application/upgrade/step_download.go, lines 138 to 158 in 574aa5d:

```go
// add a secondary fallback if fleet server is configured
u.log.Debugf("Considering fleet server uri for pgp check fallback %q", u.fleetServerURI)
if u.fleetServerURI != "" {
	tpv, err := agtversion.ParseVersion(targetVersion)
	if err != nil {
		// best effort, log failure
		u.log.Warnf("failed to parse agent version (%q) for secondary GPG fallback: %v", targetVersion, err)
	} else {
		secondaryPath, err := url.JoinPath(
			u.fleetServerURI,
			fmt.Sprintf(fleetUpgradeFallbackPGPFormat, tpv.Major(), tpv.Minor(), tpv.Patch()),
		)
		if err != nil {
			u.log.Warnf("failed to compose Fleet Server URI: %v", err)
		} else {
			secondaryFallback := download.PgpSourceURIPrefix + secondaryPath
			pgpBytes = append(pgpBytes, secondaryFallback)
		}
	}
}
```

This is incorrect, because Fleet server may be behind a proxy, and in this case we are ignoring the Fleet server proxy URL and will attempt to contact Fleet server directly.
Acceptance Criteria
A test exists proving that a fallback GPG key can be downloaded from Fleet server when the binary download and Fleet proxy URLs are different values.
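
The routing this issue asks for can be sketched as a per-destination proxy selector for `http.Transport.Proxy`. This is an added example, not elastic-agent code: `proxySelector` is a hypothetical helper, and the hosts and the `/pgp-key` path are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// proxySelector (hypothetical helper) returns a function for http.Transport.Proxy.
// Requests to the Fleet Server host use fleetProxy; every other request, such as
// an artifact or key download, uses downloadProxy.
func proxySelector(fleetServerURI, fleetProxy, downloadProxy string) (func(*http.Request) (*url.URL, error), error) {
	fleet, err := url.Parse(fleetServerURI)
	if err != nil {
		return nil, fmt.Errorf("parsing Fleet Server URI: %w", err)
	}
	proxies := make([]*url.URL, 2) // [0] Fleet proxy, [1] download proxy
	for i, raw := range []string{fleetProxy, downloadProxy} {
		if raw == "" {
			continue // empty setting: connect directly
		}
		if proxies[i], err = url.Parse(raw); err != nil {
			return nil, fmt.Errorf("parsing proxy URL %q: %w", raw, err)
		}
	}
	return func(req *http.Request) (*url.URL, error) {
		// Host includes the port, so a different service on the same name is not matched.
		if fleet.Host != "" && strings.EqualFold(req.URL.Host, fleet.Host) {
			return proxies[0], nil
		}
		return proxies[1], nil
	}, nil
}

func main() {
	// Constructed hosts and key path, for illustration only.
	sel, err := proxySelector("https://fleet.internal:8220", "http://fleet-proxy.internal:3128", "http://dl-proxy.internal:8080")
	if err != nil {
		panic(err)
	}
	for _, target := range []string{"https://fleet.internal:8220/pgp-key", "https://artifacts.elastic.co/pgp-key"} {
		req, _ := http.NewRequest(http.MethodGet, target, nil)
		proxy, _ := sel(req)
		fmt.Printf("%s -> via %v\n", target, proxy)
	}
}
```

A client built with `&http.Transport{Proxy: sel}` sends the Fleet fallback key request through the Fleet proxy even when the download proxy is set to a different value.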