Add support for CLI flag for mTLS client certificate key passphrase #5494

AndersonQ · 2024-09-10T14:46:08Z

What does this PR do?

It adds support for encrypted client certificate key during install/enroll, which done by the cli flag --elastic-agent-cert-key-passphrase.

Why is it important?

It enables Elastic Agent to be configured with passphrase-protected private keys for client mTLS certificates.

Checklist

My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
~~[ ] I have made corresponding change to the default configuration files~~
I have added tests that prove my fix is effective or that my feature works
I have added an entry in ./changelog/fragments using the changelog tool
~~[ ] I have added an integration test or an E2E test~~

Author's checklist

Tests

Ensure --elastic-agent-cert-key-passphrase adheres to the same requirements as --fleet-server-cert-key-passphrase.
Verify that both --elastic-agent-cert-key and --elastic-agent-cert are provided when --elastic-agent-cert-key-passphrase is present.
Confirm that *enrollCmdOption.remoteConfig() accurately incorporates the passphrase into tlscommon.CertificateConfig.
Validate that fleetclient.NewWithConfig generates a valid client capable of establishing an mTLS connection to a mock server.
Ensure the policy TLS client settings take precedence over the CLI. Extend policy with SSL config to ensure the client certificate key passphrase from the cli is not left in the config when the policy's client client certificate key is not passphrase-protected.

Disruptive User Impact

None

How to test this PR locally

Build Elastic Agent with the changes from this PR.
Enroll/Install the Elastic Agent using passphrase-protected private key for the client mTLS certificate.
Start Elastic Agent and observe successful enrollment/installation with mTLS enabled.

Related issues

Closes Add support for CLI flag for mTLS client certificate key passphrase #5489

Questions to ask yourself

How are we going to support this in production?
How are we going to measure its adoption?
How are we going to debug this?
What are the metrics I should take care of?
...

mergify · 2024-09-10T14:46:49Z

This pull request does not have a backport label. Could you fix it @AndersonQ? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit

backport-v8.x has been added to help with the transition to the new branch 8.x.

AndersonQ · 2024-09-11T08:42:15Z

internal/pkg/agent/cmd/enroll_cmd_test.go

+		absPath, err := filepath.Abs("/path/to/token")
+		require.NoError(t, err, "could not get absolute absPath")


I honestly do not know why it was working on windows before, but it started to fail on elastic-agent-cert-key does not require key-passphrase, so I fixed all tests.

mergify · 2024-09-11T11:47:37Z

backport-v8.x has been added to help with the transition to the new branch 8.x.

elasticmachine · 2024-09-16T12:08:05Z

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

michel-laterman

lgtm

It adds support for encrypted client certificate key during install/enroll, which done by the cli flag `--elastic-agent-cert-key-passphrase`.

elastic-sonarqube · 2024-09-20T01:21:34Z

Quality Gate passed

Issues
3 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
64.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

…5494) It adds support for encrypted client certificate key during install/enroll, which done by the cli flag `--elastic-agent-cert-key-passphrase`. (cherry picked from commit 346e5be)

…5494) (#5574) It adds support for encrypted client certificate key during install/enroll, which done by the cli flag `--elastic-agent-cert-key-passphrase`. (cherry picked from commit 346e5be) Co-authored-by: Anderson Queiroz <[email protected]>

…lastic#5494) It adds support for encrypted client certificate key during install/enroll, which done by the cli flag `--elastic-agent-cert-key-passphrase`.

mergify bot assigned AndersonQ Sep 10, 2024

mergify bot added the backport-v8.x label Sep 10, 2024

AndersonQ force-pushed the 5489-client-cert-key-passphrase branch 2 times, most recently from 5c9c606 to 3351e32 Compare September 11, 2024 07:43

AndersonQ changed the title ~~wip - just letting the tests run~~ Add support for CLI flag for mTLS client certificate key passphrase Sep 11, 2024

AndersonQ force-pushed the 5489-client-cert-key-passphrase branch from cd98d59 to 2c94c5b Compare September 11, 2024 08:40

AndersonQ commented Sep 11, 2024

View reviewed changes

AndersonQ marked this pull request as ready for review September 11, 2024 08:48

AndersonQ requested a review from a team as a code owner September 11, 2024 08:48

AndersonQ requested review from blakerouse and michel-laterman September 11, 2024 08:48

mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Sep 11, 2024

v1v removed the backport-v8.x label Sep 11, 2024

AndersonQ force-pushed the 5489-client-cert-key-passphrase branch from cbdb682 to 1fa216d Compare September 12, 2024 08:54

pierrehilbert added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Sep 16, 2024

michel-laterman approved these changes Sep 17, 2024

View reviewed changes

AndersonQ enabled auto-merge (squash) September 18, 2024 06:12

add support for CLI flag for mTLS client certificate key passphrase

4d283ea

It adds support for encrypted client certificate key during install/enroll, which done by the cli flag `--elastic-agent-cert-key-passphrase`.

ycombinator force-pushed the 5489-client-cert-key-passphrase branch from c4dcbdf to 4d283ea Compare September 20, 2024 00:40

AndersonQ merged commit 346e5be into elastic:main Sep 20, 2024
13 checks passed

mergify bot mentioned this pull request Sep 20, 2024

[8.x](backport #5494) Add support for CLI flag for mTLS client certificate key passphrase #5574

Merged

10 tasks

ycombinator mentioned this pull request Oct 3, 2024

build(deps): bump github.com/elastic/elastic-agent-libs from 0.11.0 to 0.12.0 #5679

Closed

leehinman mentioned this pull request Oct 30, 2024

Add documentation for elastic-agent-cert-key-passphrase option elastic/ingest-docs#1413

Merged

This was referenced Nov 4, 2024

[8.x] Add documentation for elastic-agent-cert-key-passphrase option (backport #1413) elastic/ingest-docs#1424

Merged

[8.16] Add documentation for elastic-agent-cert-key-passphrase option (backport #1413) elastic/ingest-docs#1425

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for CLI flag for mTLS client certificate key passphrase #5494

Add support for CLI flag for mTLS client certificate key passphrase #5494

AndersonQ commented Sep 10, 2024 •

edited

Loading

mergify bot commented Sep 10, 2024

AndersonQ Sep 11, 2024

mergify bot commented Sep 11, 2024

elasticmachine commented Sep 16, 2024

michel-laterman left a comment

elastic-sonarqube bot commented Sep 20, 2024

		absPath, err := filepath.Abs("/path/to/token")
		require.NoError(t, err, "could not get absolute absPath")

Add support for CLI flag for mTLS client certificate key passphrase #5494

Add support for CLI flag for mTLS client certificate key passphrase #5494

Conversation

AndersonQ commented Sep 10, 2024 • edited Loading

What does this PR do?

Why is it important?

Checklist

Author's checklist

Disruptive User Impact

How to test this PR locally

Related issues

Questions to ask yourself

mergify bot commented Sep 10, 2024

AndersonQ Sep 11, 2024

Choose a reason for hiding this comment

mergify bot commented Sep 11, 2024

elasticmachine commented Sep 16, 2024

michel-laterman left a comment

Choose a reason for hiding this comment

elastic-sonarqube bot commented Sep 20, 2024

Quality Gate passed

AndersonQ commented Sep 10, 2024 •

edited

Loading