
Merge branch 'main' into 5490-pass-decrypted-cert-key-to-defend
AndersonQ authored Sep 20, 2024
2 parents d081a2a + fc6ed90 commit ae1e154
Showing 19 changed files with 847 additions and 37 deletions.
9 changes: 0 additions & 9 deletions .agent-versions.json

This file was deleted.

6 changes: 3 additions & 3 deletions .github/workflows/bump-agent-versions.sh
Expand Up @@ -3,7 +3,7 @@ set -e

package_version=$(mage integration:updatePackageVersion)
version_requirements=$(mage integration:updateVersions)
changes=$(git status -s -uno .agent-versions.json .package-version)
changes=$(git status -s -uno testing/integration/testdata/.upgrade-test-agent-versions.yml .package-version)
if [ -z "$changes" ]
then
echo "The version files didn't change, skipping..."
Expand All @@ -19,10 +19,10 @@ else
# the mage target above requires to be on a release branch
# so, the new branch should not be created before the target is run
git checkout -b update-agent-versions-$GITHUB_RUN_ID
git add .agent-versions.json .package-version
git add testing/integration/testdata/.upgrade-test-agent-versions.yml .package-version

nl=$'\n' # otherwise the new line character is not recognized properly
commit_desc="These files are used for picking agent versions in integration tests.${nl}${nl}The content is based on responses from https://www.elastic.co/api/product_versions and https://snapshots.elastic.co${nl}${nl}The current update is generated based on the following requirements:${nl}${nl}Package version: ${package_version}${nl}${nl}\`\`\`json${nl}${version_requirements}${nl}\`\`\`"
commit_desc="These files are used for picking the starting (pre-upgrade) or ending (post-upgrade) agent versions in upgrade integration tests.${nl}${nl}The content is based on responses from https://www.elastic.co/api/product_versions and https://snapshots.elastic.co${nl}${nl}The current update is generated based on the following requirements:${nl}${nl}Package version: ${package_version}${nl}${nl}\`\`\`json${nl}${version_requirements}${nl}\`\`\`"

git commit -m "[$GITHUB_REF_NAME][Automation] Update versions" -m "$commit_desc"
git push --set-upstream origin "update-agent-versions-$GITHUB_RUN_ID"
427 changes: 425 additions & 2 deletions NOTICE.txt

Large diffs are not rendered by default.

@@ -0,0 +1,35 @@
# Kind can be one of:
# - breaking-change: a change to previously-documented behavior
# - deprecation: functionality that is being removed in a later release
# - bug-fix: fixes a problem in a previous version
# - enhancement: extends functionality but does not break or fix existing behavior
# - feature: new functionality
# - known-issue: problems that we are aware of in a given version
# - security: impacts on the security of a product or a user’s deployment.
# - upgrade: important information for someone upgrading from a prior version
# - other: does not fit into any of the other categories
kind: feature

# Change summary; a 80ish characters long description of the change.
summary: Add support for passphrase protected mTLS client certificate key during install/enroll

# Long description; in case the summary is not enough to describe the change
# this field accommodate a description without length limits.
# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
description: |
Adds `--elastic-agent-cert-key-passphrase` command line flag for the `install`
and `enroll` commands. The new flag accepts a absolute path for a file containing
a passphrase to be used to decrypt the mTLS client certificate key.
# Affected component; a word indicating the component this changeset affects.
component:

# PR URL; optional; the PR number that added the changeset.
# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
# Please provide it if you are adding a fragment for a different PR.
#pr: https://github.com/owner/repo/1234

# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
# If not present is automatically filled by the tooling with the issue linked to the PR number.
#issue: https://github.com/owner/repo/1234
@@ -0,0 +1,32 @@
# Kind can be one of:
# - breaking-change: a change to previously-documented behavior
# - deprecation: functionality that is being removed in a later release
# - bug-fix: fixes a problem in a previous version
# - enhancement: extends functionality but does not break or fix existing behavior
# - feature: new functionality
# - known-issue: problems that we are aware of in a given version
# - security: impacts on the security of a product or a user’s deployment.
# - upgrade: important information for someone upgrading from a prior version
# - other: does not fit into any of the other categories
kind: other

# Change summary; a 80ish characters long description of the change.
summary: change deprecated maintainer label in Dockerfile to org.opencontainers.image.authors

# Long description; in case the summary is not enough to describe the change
# this field accommodate a description without length limits.
# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
#description:

# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
component: elastic-agent

# PR URL; optional; the PR number that added the changeset.
# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
# Please provide it if you are adding a fragment for a different PR.
pr: https://github.com/elastic/elastic-agent/pull/5527

# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
# If not present is automatically filled by the tooling with the issue linked to the PR number.
#issue: https://github.com/owner/repo/1234
32 changes: 32 additions & 0 deletions changelog/fragments/1726739016-otel-pprof-extension.yaml
@@ -0,0 +1,32 @@
# Kind can be one of:
# - breaking-change: a change to previously-documented behavior
# - deprecation: functionality that is being removed in a later release
# - bug-fix: fixes a problem in a previous version
# - enhancement: extends functionality but does not break or fix existing behavior
# - feature: new functionality
# - known-issue: problems that we are aware of in a given version
# - security: impacts on the security of a product or a user’s deployment.
# - upgrade: important information for someone upgrading from a prior version
# - other: does not fit into any of the other categories
kind: enhancement

# Change summary; a 80ish characters long description of the change.
summary: Add pprof extension to OTel dependencies

# Long description; in case the summary is not enough to describe the change
# this field accommodate a description without length limits.
# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
#description:

# Affected component; a word indicating the component this changeset affects.
component: elastic-agent

# PR URL; optional; the PR number that added the changeset.
# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
# Please provide it if you are adding a fragment for a different PR.
pr: https://github.com/elastic/elastic-agent/pull/5556

# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
# If not present is automatically filled by the tooling with the issue linked to the PR number.
#issue: https://github.com/owner/repo/1234
Expand Up @@ -108,8 +108,8 @@ LABEL \
org.opencontainers.image.licenses="{{ .License }}" \
org.opencontainers.image.title="{{ .BeatName | title }}" \
org.opencontainers.image.vendor="{{ .BeatVendor }}" \
org.opencontainers.image.authors="[email protected]" \
name="{{ .BeatName }}" \
maintainer="[email protected]" \
vendor="{{ .BeatVendor }}" \
version="{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}" \
release="1" \
4 changes: 3 additions & 1 deletion go.mod
Expand Up @@ -9,7 +9,7 @@ require (
github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2
github.com/cavaliergopher/rpm v1.2.0
github.com/cenkalti/backoff/v4 v4.3.0
github.com/docker/docker v27.0.3+incompatible
github.com/docker/docker v27.2.1+incompatible
github.com/docker/go-units v0.5.0
github.com/dolmen-go/contextio v0.0.0-20200217195037-68fc5150bcd5
github.com/elastic/elastic-agent-autodiscover v0.8.2
Expand Down Expand Up @@ -40,6 +40,7 @@ require (
github.com/mitchellh/hashstructure v1.1.0
github.com/oklog/ulid/v2 v2.1.0
github.com/open-telemetry/opentelemetry-collector-contrib/extension/healthcheckextension v0.109.0
github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension v0.109.0
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/jaegerreceiver v0.109.0
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/prometheusreceiver v0.109.0
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/zipkinreceiver v0.109.0
Expand Down Expand Up @@ -289,6 +290,7 @@ require (
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/locker v1.0.1 // indirect
github.com/moby/spdystream v0.4.0 // indirect
github.com/moby/sys/userns v0.1.0 // indirect
github.com/moby/term v0.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
8 changes: 6 additions & 2 deletions go.sum
Expand Up @@ -220,8 +220,8 @@ github.com/docker/cli v25.0.1+incompatible h1:mFpqnrS6Hsm3v1k7Wa/BO23oz0k121MTbT
github.com/docker/cli v25.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v27.0.3+incompatible h1:aBGI9TeQ4MPlhquTQKq9XbK79rKFVwXNUAYz9aXyEBE=
github.com/docker/docker v27.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker v27.2.1+incompatible h1:fQdiLfW7VLscyoeYEBz7/J8soYFDZV1u6VW6gJEjNMI=
github.com/docker/docker v27.2.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
Expand Down Expand Up @@ -769,6 +769,8 @@ github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5
github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
Expand Down Expand Up @@ -821,6 +823,8 @@ github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding/otl
github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding/otlpencodingextension v0.109.0/go.mod h1:UKEwVBxPn/wRMKelq+9pdYlnkVFQ8h8yh5c8k2tRjNU=
github.com/open-telemetry/opentelemetry-collector-contrib/extension/healthcheckextension v0.109.0 h1:/DYYZTFiMLxmx2XKzCepDT/VDv3u9gIgdzUQvdL2gtM=
github.com/open-telemetry/opentelemetry-collector-contrib/extension/healthcheckextension v0.109.0/go.mod h1:ydMgguz0dLWUQnIK3ogZQaoFKXGeLI37KqAtpsJAI6s=
github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension v0.109.0 h1:LEpo+3dMUJ7cAoX2xqQXmLuCGlA5OVSQl1c/Os3ZhYk=
github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension v0.109.0/go.mod h1:1gBYb3ohJNGVaMD2N5GPhpKU8W9jvPI3uHPIgmUGcyM=
github.com/open-telemetry/opentelemetry-collector-contrib/extension/storage v0.109.0 h1:49eU82qM9YhubCPh4o9z+6t8sw9ytS3sfPi/1Yzf0UQ=
github.com/open-telemetry/opentelemetry-collector-contrib/extension/storage v0.109.0/go.mod h1:t+2SQm0yPa+1GYpoOg7/lzZ4cHgk3os6uqALvnBA1aU=
github.com/open-telemetry/opentelemetry-collector-contrib/extension/storage/filestorage v0.109.0 h1:g79FG4aNXwnpatYBoEfSm+ngQF6gJ7MHBL9z2uzqQa4=
Expand Up @@ -741,6 +741,46 @@ func TestPolicyChangeHandler_handlePolicyChange_FleetClientSettings(t *testing.T
"unexpected error when applying fleet.ssl.certificate and key")
},
},
{
name: "certificate and key without passphrase clear out previous passphrase",
originalCfg: &configuration.Configuration{
Fleet: &configuration.FleetAgentConfig{
Client: remote.Config{
Host: fleetmTLSServer.URL,
Transport: httpcommon.HTTPTransportSettings{
TLS: &tlscommon.Config{
CAs: []string{string(fleetRootPair.Cert)},
Certificate: tlscommon.CertificateConfig{
Certificate: "some certificate",
Key: "some key",
Passphrase: "",
PassphrasePath: "/path/to/passphrase",
},
},
},
},
AccessAPIKey: "ignore",
},
Settings: configuration.DefaultSettingsConfig(),
},
newCfg: map[string]interface{}{
"fleet.ssl.enabled": true,
"fleet.ssl.certificate": string(agentChildPair.Cert),
"fleet.ssl.key": string(agentChildPair.Key),
},
setterCalledCount: 1,
wantCAs: []string{string(fleetRootPair.Cert)},
wantCertificateConfig: tlscommon.CertificateConfig{
Certificate: string(agentChildPair.Cert),
Key: string(agentChildPair.Key),
Passphrase: "",
PassphrasePath: "",
},
assertErr: func(t *testing.T, err error) {
assert.NoError(t, err,
"unexpected error when applying fleet.ssl.certificate and key")
},
},
{
name: "certificate and key with passphrase_path is applied when present",
originalCfg: &configuration.Configuration{
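Review bot: The new case "certificate and key without passphrase clear out previous passphrase" sets `Passphrase: ""` in originalCfg, so the `Passphrase: ""` expectation in wantCertificateConfig is vacuous and only the reset of `PassphrasePath` ("/path/to/passphrase" → "") is actually exercised. Give the original config a non-empty inline value, replacing `Passphrase: "",` with `Passphrase: "some passphrase",`, so the test also proves that a previously configured inline passphrase is cleared when the policy supplies a fresh certificate and key without one. The enclosing TestPolicyChangeHandler_handlePolicyChange_FleetClientSettings function starts before and ends after this hunk.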
18 changes: 18 additions & 0 deletions internal/pkg/agent/cmd/enroll.go
Expand Up @@ -84,6 +84,7 @@ func addEnrollFlags(cmd *cobra.Command) {
cmd.Flags().StringP("ca-sha256", "p", "", "Comma-separated list of certificate authority hash pins for server verification used by Elastic Agent and Fleet Server")
cmd.Flags().StringP("elastic-agent-cert", "", "", "Elastic Agent client certificate to use with Fleet Server during mTLS authentication")
cmd.Flags().StringP("elastic-agent-cert-key", "", "", "Elastic Agent client private key to use with Fleet Server during mTLS authentication")
cmd.Flags().StringP("elastic-agent-cert-key-passphrase", "", "", "Path for private key passphrase file used to decrypt Elastic Agent client certificate key")
cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection made by the Elastic Agent. It's also required to use a Fleet Server on a HTTP endpoint")
cmd.Flags().StringP("staging", "", "", "Configures Elastic Agent to download artifacts from a staging build")
cmd.Flags().StringP("proxy-url", "", "", "Configures the proxy URL: when bootstrapping Fleet Server, it's the proxy used by Fleet Server to connect to Elasticsearch; when enrolling the Elastic Agent to Fleet Server, it's the proxy used by the Elastic Agent to connect to Fleet Server")
Expand Down Expand Up @@ -111,6 +112,16 @@ func validateEnrollFlags(cmd *cobra.Command) error {
if key != "" && !filepath.IsAbs(key) {
return errors.New("--elastic-agent-cert-key must be provided as an absolute path", errors.M("path", key), errors.TypeConfig)
}
keyPassphrase, _ := cmd.Flags().GetString("elastic-agent-cert-key-passphrase")
if keyPassphrase != "" {
if !filepath.IsAbs(keyPassphrase) {
return errors.New("--elastic-agent-cert-key-passphrase must be provided as an absolute path", errors.M("path", keyPassphrase), errors.TypeConfig)
}

if cert == "" || key == "" {
return errors.New("--elastic-agent-cert and --elastic-agent-cert-key must be provided when using --elastic-agent-cert-key-passphrase", errors.M("path", keyPassphrase), errors.TypeConfig)
}
}
esCa, _ := cmd.Flags().GetString("fleet-server-es-ca")
if esCa != "" && !filepath.IsAbs(esCa) {
return errors.New("--fleet-server-es-ca must be provided as an absolute path", errors.M("path", esCa), errors.TypeConfig)
Expand Down Expand Up @@ -180,6 +191,7 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
ca, _ := cmd.Flags().GetString("certificate-authorities")
cert, _ := cmd.Flags().GetString("elastic-agent-cert")
key, _ := cmd.Flags().GetString("elastic-agent-cert-key")
keyPassphrase, _ := cmd.Flags().GetString("elastic-agent-cert-key-passphrase")
sha256, _ := cmd.Flags().GetString("ca-sha256")
insecure, _ := cmd.Flags().GetBool("insecure")
staging, _ := cmd.Flags().GetString("staging")
Expand Down Expand Up @@ -285,6 +297,10 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
args = append(args, "--elastic-agent-cert-key")
args = append(args, key)
}
if keyPassphrase != "" {
args = append(args, "--elastic-agent-cert-key-passphrase")
args = append(args, keyPassphrase)
}
if sha256 != "" {
args = append(args, "--ca-sha256")
args = append(args, sha256)
Expand Down Expand Up @@ -422,6 +438,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error {
caSHA256 := cli.StringToSlice(caSHA256str)
cert, _ := cmd.Flags().GetString("elastic-agent-cert")
key, _ := cmd.Flags().GetString("elastic-agent-cert-key")
keyPassphrase, _ := cmd.Flags().GetString("elastic-agent-cert-key-passphrase")

ctx := handleSignal(context.Background())

Expand Down Expand Up @@ -449,6 +466,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error {
CASha256: caSHA256,
Certificate: cert,
Key: key,
KeyPassphrasePath: keyPassphrase,
Insecure: insecure,
UserProvidedMetadata: make(map[string]interface{}),
Staging: staging,
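Review bot: In validateEnrollFlags, the absolute-path error for `--elastic-agent-cert-key-passphrase` attaches the raw flag value via `errors.M("path", keyPassphrase)`; the flag takes a file path but is named like the sibling `--elastic-agent-cert-key` flag, so an operator who passes the passphrase itself by mistake will fail `filepath.IsAbs` and have the secret written into the returned error and whatever logs it. Drop the value from that error: `return errors.New("--elastic-agent-cert-key-passphrase must be provided as an absolute path to a passphrase file", errors.TypeConfig)`. For the same reason the flag help in addEnrollFlags would be clearer as `"Absolute path to a file containing the passphrase used to decrypt the Elastic Agent client certificate key"`, making explicit that the passphrase is never given on the command line. The validateEnrollFlags body begins before and continues after this hunk, so the remaining checks are not visible here.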
6 changes: 4 additions & 2 deletions internal/pkg/agent/cmd/enroll_cmd.go
Expand Up @@ -111,6 +111,7 @@ type enrollCmdOption struct {
CASha256 []string `yaml:"ca_sha256,omitempty"`
Certificate string `yaml:"certificate,omitempty"`
Key string `yaml:"key,omitempty"`
KeyPassphrasePath string `yaml:"key_passphrase_path,omitempty"`
Insecure bool `yaml:"insecure,omitempty"`
EnrollAPIKey string `yaml:"enrollment_key,omitempty"`
Staging string `yaml:"staging,omitempty"`
Expand Down Expand Up @@ -149,8 +150,9 @@ func (e *enrollCmdOption) remoteConfig() (remote.Config, error) {
}
if e.Certificate != "" || e.Key != "" {
tlsCfg.Certificate = tlscommon.CertificateConfig{
Certificate: e.Certificate,
Key: e.Key,
Certificate: e.Certificate,
Key: e.Key,
PassphrasePath: e.KeyPassphrasePath,
}
}

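Review bot: The new `KeyPassphrasePath` field on enrollCmdOption has no doc comment, and because it carries a `yaml:"key_passphrase_path,omitempty"` tag the struct is presumably serialised somewhere outside this hunk, so it is worth recording that only a path, never the passphrase value, is meant to live here. Suggest `// KeyPassphrasePath is the absolute path of a file holding the passphrase that decrypts Key; only the path is stored, the passphrase itself is expected to be read from that file.` Note also that remoteConfig only propagates `PassphrasePath` inside `if e.Certificate != "" || e.Key != ""`, so a KeyPassphrasePath supplied without a certificate or key is silently dropped; the CLI path is covered by validateEnrollFlags in enroll.go, but callers that build enrollCmdOption directly get no error, which may be intended. Both the struct definition and remoteConfig start and end outside this hunk.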
