[Fleet] Provide a way to specify the CA Hash for Kibana and the Elasticsearch host.

[ph]

The agent uses certificate pinning to verify the communication to Kibana and Elasticsearch, we need a way to override the hash and host if the TLS termination is not done at our application level.

fleet:
  ca_sha256:        XXXXXXXX # SHA256 hash of CA cert

  kibana:
    publish_host:   https://domain:port/  # URL where Agent can talk to Fleet
    ca_sha256:      # defaults to fleet.ca_sha256
  
  elasticsearch:    # local ES cluster
    publish_host:   https://domain:port/  # URL where Agent can talk to ES
                                          # defaults to elasticsearch.hosts 
    ca_sha256:      # defaults to fleet.ca_sha256

[elasticmachine]

Pinging @elastic/ingest (Feature:Fleet)

[ph]

Let's wait for Agent and libbeat stuff to be implemented before doing this.

[nchaulet]

@ph do we want to be able to run fleet without certificate pinning too?

[ph]

@ph do we want to be able to run fleet without certificate pinning too?

Yes

It's not certificate pinning.. It's CA pinning, so I, in short, I do not check the provided certificate. I check that we use the right Certificate authority to validate the chain

[ph]

All the required pieces were merged on the beats side so we could move forward with this, @nchaulet @ruflin does the above configuration still works for you? I am assuming we are running Kibana behind a proxy where the TLS termination could be done at that level.

[nchaulet]

Yes we can move forward with taht

[ruflin]

@ph Good for me for now. I only wonder why you us publish_host instead of host?

[ph]

Well, publish_host might be a better wording if you look at the environment:

Agent -> Proxy (load balancer) -> Kibana.

So publish host is the visible part that the agent can connect to, I think host would be the IP or vhost that Kibana would bind to on the local hosting machine. But I am not familiar with all the option of Kibana.

[ruflin]

No strong opinion here. I'm just used that we use host. I know ES has a publish_host (not exactly same meaning as above) but KB doesn't have one I think.