As described in https://github.com/elastic/elastic-agent/issues/4237 the HTTP client used in our verifier ignores the binary download proxy configuration.
https://github.com/elastic/elastic-agent/blob/main/internal/pkg/agent/application/upgrade/artifact/download/http/downloader.go#L193-L197
Resolving that issue will make the verifier client respect the agent.download proxy URL https://github.com/elastic/elastic-agent/blob/574aa5db629231d56062ab40d27ccceb02cbbe4d/elastic-agent.yml#L142
In an air-gapped network where the GPG key has been rotated and artifacts.elastic.co is not available, the upgrade must download the new GPG key from Fleet server. We currently assume that knowing the Fleet server URL is enough:
https://github.com/elastic/elastic-agent/blob/574aa5db629231d56062ab40d27ccceb02cbbe4d/internal/pkg/agent/application/upgrade/step_download.go#L138-L158
This is incorrect, because Fleet server may be behind a proxy, and in this case we are ignoring the Fleet server proxy URL and will attempt to contact Fleet server directly.
Acceptance Criteria
A test exists proving that a fallback GPG key can be downloaded from Fleet server when the binary download and Fleet proxy URLs are different values.
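A sketch of the shape such a test could take, added here as an illustration and not taken from the elastic-agent code base: a stand-in Fleet server and two distinct counting proxies, with the key fetched through the Fleet proxy only. The helpers `countingProxy`, `fetchKey` and `runScenario`, the key path and the key body are all hypothetical or constructed, and plain HTTP is assumed for brevity.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync/atomic"
)

// countingProxy is a minimal plain-HTTP forward proxy that counts what it relays.
func countingProxy(hits *int32) *httptest.Server {
	rp := &httputil.ReverseProxy{Director: func(*http.Request) {}, Transport: &http.Transport{}}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(hits, 1)
		rp.ServeHTTP(w, r) // a proxy request carries an absolute URL, so relay it as-is
	}))
}

// fetchKey downloads keyURL through proxyURL only (hypothetical helper, not agent code).
func fetchKey(keyURL, proxyURL string) (string, error) {
	proxy := func(*http.Request) (*url.URL, error) { return url.Parse(proxyURL) }
	resp, err := (&http.Client{Transport: &http.Transport{Proxy: proxy}}).Get(keyURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// runScenario fetches a constructed key from a stand-in Fleet server via the Fleet proxy.
func runScenario() (key string, fleetHits, downloadHits int32, err error) {
	fleet := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "CONSTRUCTED-KEY") // constructed sample, not a real key
	}))
	fleetProxy, downloadProxy := countingProxy(&fleetHits), countingProxy(&downloadHits)
	defer func() { fleet.Close(); fleetProxy.Close(); downloadProxy.Close() }()
	key, err = fetchKey(fleet.URL+"/constructed-key-path", fleetProxy.URL)
	return key, atomic.LoadInt32(&fleetHits), atomic.LoadInt32(&downloadHits), err
}

func main() {
	fmt.Println(runScenario())
}
```

The assertion that matters is the pair of hit counts: exactly one request through the Fleet proxy and none through the binary download proxy.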