[REQUEST]: Document PGP key download from Fleet Server API in air-gapped envs

[lucabelluccini]

Description

Elastic Agent attempts to download the PGP/GPG key to validate the binaries. We had an unfortunate bug where the PGP/GPG key was downloaded even if it wasn't necessary. The bug was particularly unfortunate for air-gapped environments.

For air-gapped environments we need provide instructions to explain how to use a functionality introduced in 8.10.4 which allow Elastic Agents to download the PGP/GPG key from the Fleet Server. In particular, we need to explain how to customize the server.pgp.upstream_url in Fleet Serve settings in order to benefit from this new feature.

I've not tested using server.pgp.upstream_url and in particular I do not know the behavior when:

• The URL is HTTPS and the CA cert is not in the trusted certs of the EA running as Fleet Server (does Fleet Server use the proxy_url of the Source URI? or we're obliged to use the HTTP_PROXY/HTTPS_PROXY/NO_PROXY)?
• The URL is HTTP (Fleet Server will download it even if exposed via HTTP)?
• Elastic Agent will reuse the same CA cert used to connect to Fleet Server for control plane also to trust the Fleet Server PGP API download endpoint?

Resources

https://support.elastic.dev/knowledge/view/5b5df063 (focus on Option I)

Collaboration

TBD. The docs and product team will work together to determine the best path forward.

Point of contact.

Main contact: @jlind23 / @pierrehilbert to delegate to the engineers who worked on the feature

Stakeholders: @lucabelluccini

[lucabelluccini]

Hello @kilfoyle - it is not urgent, but I think we need to add this for air-gapped envs.

[jlind23]

@michalpristas / @michel-laterman are the ones who worked on this feature.

[kilfoyle]

For reference: https://github.com/elastic/sdh-beats/issues/4496