Open pchila opened 3 months ago
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)
Pinging @elastic/elastic-agent (Team:Elastic-Agent)
/cc @ycombinator @AndersonQ
A flag should be required to use http://
. http://
should be heavily discouraged and so we should ensure that a flag (even if different) is required.
A test was added in https://github.com/elastic/elastic-agent/pull/4770 that needed to be skipped until this issue is resolved.
@pchila would you mind editing this comment and mentioning the name of the test? That way, whenever we get around to resolving this issue, we can tell very easily which test should be un-skipped. Thanks!
--insecure
flag is not recommended for production environments. We stipulate this in public docs as well.
A flag should be required to use
http://
.http://
should be heavily discouraged and so we should ensure that a flag (even if different) is required.
@blakerouse I understand that we may want to be explicit about discouraging http
fleet endpoints, I am not sure that requiring disabling all TLS validation is the correct way to do it by requiring --insecure
flag on the command line.
--insecure
flag is not recommended for production environments. We stipulate this in public docs as well.
@nimarezainia At this point in time we have to specify --insecure
to be able to use a mock fleet server that exposes the endpoint over http. I agree that this should not be used for production environments but I still don't see why we disable every TLS check when we have an http fleet server URL...
In the current elastic-agent implementation if an
http
Fleet URL is specified the install/enroll errors out as it requires--insecure
to be specified as well https://github.com/elastic/elastic-agent/blob/e8fefd741526c79069a7901418df8edc9ed0ed8d/internal/pkg/agent/cmd/enroll_cmd.go#L135-L137--insecure
has bigger implications than just allowing anhttp://
URL for fleet as it also disables any SSL/TLS verification https://github.com/elastic/elastic-agent/blob/e8fefd741526c79069a7901418df8edc9ed0ed8d/internal/pkg/agent/cmd/enroll_cmd.go#L146-L148While writing of test for PR #4770 it became quite apparent that it's impossible to specify an
http
fleet URL while going through anhttps
proxy and have the agent validate the proxy certificate.I am not sure why 2 concepts are depending on the same flag but it would be more logical that:
--insecure
if we want to pass anhttp
fleet server URL (or use a separateallow-http
flag that does not disable TLS verification)--insecure
to control only SSL/TLS validation so that any connection going throughhttps
(like the proxy case above) can be validated even if the Fleet URL is a simplehttp
one.