elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

Fall back PGP download from Fleet server ignores Fleet server proxy configuration #4241

Open cmacknz opened 8 months ago

cmacknz commented 8 months ago

As described in https://github.com/elastic/elastic-agent/issues/4237 the HTTP client used in our verifier ignores the binary download proxy configuration.

https://github.com/elastic/elastic-agent/blob/main/internal/pkg/agent/application/upgrade/artifact/download/http/downloader.go#L193-L197

Resolving that issue will make the verifier client respect the agent.download proxy URL https://github.com/elastic/elastic-agent/blob/574aa5db629231d56062ab40d27ccceb02cbbe4d/elastic-agent.yml#L142

In an air-gapped network where the GPG key has been rotated and artifacts.elastic.co is not available, the upgrade must download the new GPG key from Fleet server. We currently assume that knowing the Fleet server URL is enough:

https://github.com/elastic/elastic-agent/blob/574aa5db629231d56062ab40d27ccceb02cbbe4d/internal/pkg/agent/application/upgrade/step_download.go#L138-L158

This is incorrect, because Fleet server may be behind a proxy, and in this case we are ignoring the Fleet server proxy URL and will attempt to contact Fleet server directly.

Acceptance Criteria

A test exists proving that a fallback GPG key can be downloaded from Fleet server when the binary download and Fleet proxy URLs are different values.
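
An added example, not part of the original issue or the elastic-agent code base: a single HTTP client whose transport picks the Fleet proxy for Fleet server requests and the binary download proxy for everything else, exercised against two local stand-in proxies with different URLs. The host names, the `/placeholder/...` paths and the helper names `selectProxy`, `fakeProxy` and `fetchThroughProxies` are assumptions made for illustration, and plain HTTP is used so that the stand-in proxies can answer directly.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const fleetHost = "fleet.example.internal:8220" // constructed placeholder host

// selectProxy (hypothetical helper) routes Fleet server requests through the
// Fleet proxy and every other request through the binary download proxy.
func selectProxy(fleetProxy, downloadProxy *url.URL) func(*http.Request) (*url.URL, error) {
	return func(r *http.Request) (*url.URL, error) {
		if r.URL.Host == fleetHost {
			return fleetProxy, nil
		}
		return downloadProxy, nil
	}
}

// fakeProxy stands in for a forward proxy; its reply names the proxy and the host it was asked for.
func fakeProxy(name string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s handled %s", name, r.Host)
	}))
}

// fetchThroughProxies requests target with both proxies configured and returns the reply body.
func fetchThroughProxies(target string) (string, error) {
	fp, dp := fakeProxy("fleet-proxy"), fakeProxy("download-proxy")
	defer fp.Close()
	defer dp.Close()
	fpURL, _ := url.Parse(fp.URL) // httptest URLs always parse
	dpURL, _ := url.Parse(dp.URL)
	c := &http.Client{Transport: &http.Transport{Proxy: selectProxy(fpURL, dpURL)}}
	resp, err := c.Get(target)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	fmt.Println(fetchThroughProxies("http://" + fleetHost + "/placeholder/pgp-key"))
}
```

Neither placeholder host resolves, so a client that ignored the proxy selection and dialed the target directly would fail with a connection error instead of returning a proxy's reply.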

elasticmachine commented 8 months ago

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

elasticmachine commented 5 months ago

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)