[8.16](backport #5889) Add integration tests using a proxy with mTLS for control plane with Elastic Defend installed

NOTICE.txt

@@ -1264,11 +1264,11 @@ SOFTWARE
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/elastic-agent-libs
-Version: v0.13.0
+Version: v0.17.3
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.13.0/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.17.3/LICENSE:
 
                                  Apache License
                            Version 2.0, January 2004

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/dolmen-go/contextio v0.0.0-20200217195037-68fc5150bcd5
 	github.com/elastic/elastic-agent-autodiscover v0.9.0
 	github.com/elastic/elastic-agent-client/v7 v7.16.0
-	github.com/elastic/elastic-agent-libs v0.13.0
+	github.com/elastic/elastic-agent-libs v0.17.3
 	github.com/elastic/elastic-agent-system-metrics v0.11.3
 	github.com/elastic/elastic-transport-go/v8 v8.6.0
 	github.com/elastic/go-elasticsearch/v8 v8.15.0

go.sum

@@ -264,8 +264,8 @@ github.com/elastic/elastic-agent-autodiscover v0.9.0 h1:+iWIKh0u3e8I+CJa3FfWe9h0
 github.com/elastic/elastic-agent-autodiscover v0.9.0/go.mod h1:5iUxLHhVdaGSWYTveSwfJEY4RqPXTG13LPiFoxcpFd4=
 github.com/elastic/elastic-agent-client/v7 v7.16.0 h1:yKGq2+CxAuW8Kh0EoNl202tqAyQKfBcPRawVKs2Jve0=
 github.com/elastic/elastic-agent-client/v7 v7.16.0/go.mod h1:6h+f9QdIr3GO2ODC0Y8+aEXRwzbA5W4eV4dd/67z7nI=
-github.com/elastic/elastic-agent-libs v0.13.0 h1:I0ZKvjIqT8ka7d2gX6Ta3nXrCZKysZ+N8VIKIuqqir0=
-github.com/elastic/elastic-agent-libs v0.13.0/go.mod h1:5CR02awPrBr+tfmjBBK+JI+dMmHNQjpVY24J0wjbC7M=
+github.com/elastic/elastic-agent-libs v0.17.3 h1:q79P05dhQkc5REzieVkkD9oRKrnptKY4MC6Typ+d8bc=
+github.com/elastic/elastic-agent-libs v0.17.3/go.mod h1:5CR02awPrBr+tfmjBBK+JI+dMmHNQjpVY24J0wjbC7M=
 github.com/elastic/elastic-agent-system-metrics v0.11.3 h1:LDzRwP8kxvsYEtMDgMSKZs1TgPcSEukit+/EAP5Y28A=
 github.com/elastic/elastic-agent-system-metrics v0.11.3/go.mod h1:saqLKe9fuyuAo6IADAnnuy1kaBI7VNlxfwMo8KzSRyQ=
 github.com/elastic/elastic-transport-go/v8 v8.6.0 h1:Y2S/FBjx1LlCv5m6pWAF2kDJAHoSjSRSJCApolgfthA=

pkg/testing/define/define.go

@@ -20,12 +20,12 @@ import (
 	"github.com/gofrs/uuid/v5"
 
 	"github.com/elastic/elastic-agent-libs/kibana"
+	"github.com/elastic/elastic-agent/pkg/utils"
 	"github.com/elastic/go-elasticsearch/v8"
 	"github.com/elastic/go-sysinfo"
 	"github.com/elastic/go-sysinfo/types"
 
 	atesting "github.com/elastic/elastic-agent/pkg/testing"
-	"github.com/elastic/elastic-agent/pkg/utils"
 	semver "github.com/elastic/elastic-agent/pkg/version"
 	"github.com/elastic/elastic-agent/version"
 

pkg/testing/fixture.go

@@ -1376,8 +1376,12 @@ type AgentInspectOutput struct {
 			Threshold         int `yaml:"threshold"`
 		} `yaml:"reporting"`
 		Ssl struct {
-			Renegotiation    string `yaml:"renegotiation"`
-			VerificationMode string `yaml:"verification_mode"`
+			Renegotiation          string   `yaml:"renegotiation"`
+			VerificationMode       string   `yaml:"verification_mode"`
+			Certificate            string   `yaml:"certificate"`
+			CertificateAuthorities []string `yaml:"certificate_authorities"`
+			Key                    string   `yaml:"key"`
+			KeyPassphrasePath      string   `yaml:"key_passphrase_path"`
 		} `yaml:"ssl"`
 		Timeout string `yaml:"timeout"`
 	} `yaml:"fleet"`

pkg/testing/fixture_install.go

@@ -47,6 +47,7 @@ type EnrollOpts struct {
 	CertificateAuthorities []string // --certificate-authorities
 	Certificate            string   // --elastic-agent-cert
 	Key                    string   // --elastic-agent-cert-key
+	KeyPassphrasePath      string   // --elastic-agent-cert-key-passphrase
 }
 
 func (e EnrollOpts) toCmdArgs() []string {
@@ -65,10 +66,13 @@ func (e EnrollOpts) toCmdArgs() []string {
 	if e.Certificate != "" {
 		args = append(args, "--elastic-agent-cert="+e.Certificate)
 	}
-
 	if e.Key != "" {
 		args = append(args, "--elastic-agent-cert-key="+e.Key)
 	}
+	if e.KeyPassphrasePath != "" {
+		args = append(args, "--elastic-agent-cert-key-passphrase="+e.KeyPassphrasePath)
+	}
+
 	return args
 }
 
@@ -113,7 +117,7 @@ type InstallOpts struct {
 	FleetBootstrapOpts
 }
 
-func (i *InstallOpts) toCmdArgs(operatingSystem string) ([]string, error) {
+func (i *InstallOpts) ToCmdArgs() []string {
 	var args []string
 	if i.BasePath != "" {
 		args = append(args, "--base-path", i.BasePath)
@@ -150,7 +154,7 @@ func (i *InstallOpts) toCmdArgs(operatingSystem string) ([]string, error) {
 	args = append(args, i.EnrollOpts.toCmdArgs()...)
 	args = append(args, i.FleetBootstrapOpts.toCmdArgs()...)
 
-	return args, nil
+	return args
 }
 
 // Install installs the prepared Elastic Agent binary and registers a t.Cleanup
@@ -196,11 +200,7 @@ func (f *Fixture) installNoPkgManager(ctx context.Context, installOpts *InstallO
 	}
 
 	installArgs := []string{"install"}
-	installOptsArgs, err := installOpts.toCmdArgs(f.operatingSystem)
-	if err != nil {
-		return nil, err
-	}
-	installArgs = append(installArgs, installOptsArgs...)
+	installArgs = append(installArgs, installOpts.ToCmdArgs()...)
 	out, err := f.Exec(ctx, installArgs, opts...)
 	if err != nil {
 		f.DumpProcesses("-install")

pkg/testing/tools/tools.go

@@ -74,9 +74,10 @@ func InstallAgentWithPolicy(ctx context.Context, t *testing.T,
 	return policy, err
 }
 
-// InstallAgentForPolicy enrolls the provided agent fixture in Fleet using the
-// default Fleet Server, waits for the agent to come online, and returns either
-// an error or nil.
+// InstallAgentForPolicy enrolls the provided agent fixture with Fleet. If
+// either the enroll URL or the enrollmentToken is empty, they'll be generated
+// using the default fleet-server. Then if delay enroll isn't set it waits for
+// the agent to come online, otherwise it returns immediately.
 // If the context (ctx) has a deadline, it will wait for the agent to become
 // online until the deadline of the context, or if not, a default 5-minute
 // deadline will be applied.
@@ -92,31 +93,32 @@ func InstallAgentForPolicy(ctx context.Context, t *testing.T,
 		PolicyID: policyID,
 	}
 
-	t.Logf("Creating enrollment API key...")
-	enrollmentToken, err := kibClient.CreateEnrollmentAPIKey(ctx, createEnrollmentAPIKeyReq)
-	if err != nil {
-		return fmt.Errorf("unable to create enrollment API key: %w", err)
-	}
+	if installOpts.EnrollmentToken == "" {
+		t.Logf("Creating enrollment API key...")
+		enrollmentToken, err := kibClient.CreateEnrollmentAPIKey(ctx, createEnrollmentAPIKeyReq)
+		if err != nil {
+			return fmt.Errorf("failed creating enrollment API key: %w", err)
+		}
 
-	// Get default Fleet Server URL
-	fleetServerURL, err := fleettools.DefaultURL(ctx, kibClient)
-	if err != nil {
-		return fmt.Errorf("unable to get default Fleet Server URL: %w", err)
+		installOpts.EnrollmentToken = enrollmentToken.APIKey
 	}
 
-	// Enroll agent
-	t.Logf("Unpacking and installing Elastic Agent")
-	installOpts.EnrollOpts = atesting.EnrollOpts{
-		URL:             fleetServerURL,
-		EnrollmentToken: enrollmentToken.APIKey,
+	if installOpts.URL == "" {
+		fleetServerURL, err := fleettools.DefaultURL(ctx, kibClient)
+		if err != nil {
+			return fmt.Errorf("failed getting fleet server URL: %w", err)
+		}
+
+		installOpts.URL = fleetServerURL
 	}
 
 	output, err := agentFixture.Install(ctx, &installOpts)
 	if err != nil {
 		t.Log(string(output))
-		return fmt.Errorf("unable to enroll Elastic Agent: %w", err)
+		return fmt.Errorf("failed installing the agent: %w", err)
 	}
-	t.Logf(">>> Ran Enroll. Output: %s", output)
+
+	t.Logf(">>> Enroll succeeded. Output: %s", output)
 
 	timeout := 10 * time.Minute
 	if deadline, ok := ctx.Deadline(); ok {
@@ -136,6 +138,5 @@ func InstallAgentForPolicy(ctx context.Context, t *testing.T,
 		10*time.Second,
 		"Elastic Agent status is not online",
 	)
-
 	return nil
 }