Verifier does not honor proxy settings #4237
Comments
Pinging @elastic/elastic-agent (Team:Elastic-Agent)
Agent/fleet has gone 889 days since GA release without fully regression tested managed proxy support. If we had deployed agent to a data centre to find it doesn’t upgrade, which we are about to do, we’d probably move to Splunk as we’ve already delayed the rollout of agent by 18 months. Using the default Go proxy environment variables is something you don’t do on a production network. It’s not maintainable on 1000s of endpoints. It’s also a security risk as an attacker changing the value would break log collection. Customer networks are not for this. Can you please set up a lab environment with a proxy to test all code changes and new releases, with both elastic/logstash outputs? Thanks
@AndersonQ Could you please have a look as you spent time lately on the proxy setting and added tests around it?
To make this work properly without relying on the GOPROXY environment variable there are a few things to address as part of this:
We are working through this. Every commit we make has automation installing the agent on VMs connected to an Elastic Cloud deployment to ensure it works as expected. There are a lot of scenarios and combinations to cover (proxies, air gapped networks, output types, soon root and non-root installs, etc) so we haven't covered everything yet but we are working on it. Should all of this have been in place earlier? Yes, but we are catching up as quickly as we can.
@pierrehilbert sorry for the delay. I guess it wasn't caught before because not all tests check the package signature. By now we should be able to check the signature, and generate it when needed, to all your tests. I removed the option to skip the PGP signature check on #3590. However I believe we did not have a test including the check, a proxy and the fleet-server PGP fallback not available. Or at least ensuring it would not download from the fallback
For confirmed bugs, please report:
.asc signature file, via the proxy.
Expected behavior:
Observed behavior:
.asc signature file fails.
Relevant implementation details:
This bug is almost certainly being caused because the Verifier code path does not use an HTTP client that's configured with the proxy settings, unlike the Downloader code path, which does.
Downloader code path, showing the use of a custom-configured HTTP client:
elastic-agent/internal/pkg/agent/application/upgrade/artifact/download/http/downloader.go
Lines 193 to 197 in 574aa5d
Verifier code path, showing the use of the default HTTP client:
elastic-agent/internal/pkg/agent/application/upgrade/artifact/download/http/verifier.go
Lines 174 to 178 in 574aa5d
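The difference the issue describes, as an added example that is not the project's code: a client built with an explicit proxy sends the `.asc` request through that proxy, while Go's `http.DefaultClient` only consults the proxy environment variables and never sees the configured setting. The local test servers, the artifact name and the `fetch`/`proxyHits` helpers are assumptions made for this sketch.

```go
package main
import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
)

// fetch returns the response body for target using client c.
func fetch(c *http.Client, target string) (string, error) {
	resp, err := c.Get(target)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// proxyHits fetches a constructed .asc file with both client styles and counts proxy traffic.
func proxyHits() (configured, dflt int64, err error) {
	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "constructed-signature") // constructed stand-in for a signature file
	}))
	defer origin.Close()
	var hits int64
	direct := &http.Client{Transport: &http.Transport{}} // nil Proxy: never proxied
	proxy := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt64(&hits, 1)
		body, _ := fetch(direct, r.URL.String()) // forward-proxy request: r.URL is absolute
		fmt.Fprint(w, body)
	}))
	defer proxy.Close()
	proxyURL, _ := url.Parse(proxy.URL)
	asc := origin.URL + "/agent.tar.gz.asc" // constructed artifact name
	// Downloader style: client built from the configured proxy.
	withProxy := &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(proxyURL)}}
	_, err1 := fetch(withProxy, asc)
	configured = atomic.LoadInt64(&hits)
	// Verifier style: default client, which never sees that configuration.
	_, err2 := fetch(http.DefaultClient, asc)
	dflt = atomic.LoadInt64(&hits) - configured
	return configured, dflt, errors.Join(err1, err2)
}

func main() { fmt.Println(proxyHits()) }
```

A regression test for this class of bug can assert the same thing against the real code path: every artifact and signature request must be observed at the proxy, and none at the origin directly.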