Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fall back PGP download from Fleet server ignores Fleet server proxy configuration #4241

Open
cmacknz opened this issue Feb 12, 2024 · 2 comments
Open

Fall back PGP download from Fleet server ignores Fleet server proxy configuration #4241

cmacknz opened this issue Feb 12, 2024 · 2 comments
Assignees
@michel-laterman
Labels
Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@cmacknz
Copy link
Member

cmacknz commented Feb 12, 2024

As described in #4237 the HTTP client used in our verifier ignores the binary download proxy configuration.

https://github.com/elastic/elastic-agent/blob/main/internal/pkg/agent/application/upgrade/artifact/download/http/downloader.go#L193-L197

Resolving that issue will make the verifier client respect the agent.download proxy URL

elastic-agent/elastic-agent.yml

Line 142 in 574aa5d

# agent.download:

In an air gapped network where the GPG key has been rotated and artifacts.elastic.co is not available, the upgrade must download the new GPGP key from Fleet server. We currently assume that knowing the Fleet server URL is enough:

elastic-agent/internal/pkg/agent/application/upgrade/step_download.go

Lines 138 to 158 in 574aa5d

// add a secondary fallback if fleet server is configured
u.log.Debugf("Considering fleet server uri for pgp check fallback %q", u.fleetServerURI)
if u.fleetServerURI != "" {
tpv, err := agtversion.ParseVersion(targetVersion)
if err != nil {
// best effort, log failure
u.log.Warnf("failed to parse agent version (%q) for secondary GPG fallback: %v", targetVersion, err)
} else {
secondaryPath, err := url.JoinPath(
u.fleetServerURI,
fmt.Sprintf(fleetUpgradeFallbackPGPFormat, tpv.Major(), tpv.Minor(), tpv.Patch()),
)
if err != nil {
u.log.Warnf("failed to compose Fleet Server URI: %v", err)
} else {
secondaryFallback := download.PgpSourceURIPrefix + secondaryPath
pgpBytes = append(pgpBytes, secondaryFallback)
}
}
}

This is incorrect, because Fleet server may be behind a proxy, and in this case we are ignoring the Fleet server proxy URL and will attempt to contact Fleet server directly.

Acceptance Criteria

A test exists proving that a fallback GPG key can be downloaded from Fleet server when the binary download and Fleet proxy URLs are different values.
@cmacknz cmacknz added the Team:Elastic-Agent Label for the Agent team label Feb 12, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

@cmacknz cmacknz mentioned this issue Feb 12, 2024
Closed
@cmacknz cmacknz mentioned this issue Feb 22, 2024
Open
@ycombinator ycombinator added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label May 17, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michel-laterman michel-laterman

Labels
Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ycombinator @cmacknz @elasticmachine @michel-laterman