search

elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.73k stars 8.14k forks source link

[Fleet] A proxy configured at agent installation time cannot be managed from Fleet #154482

Open cmacknz opened 1 year ago

cmacknz commented 1 year ago

In the 8.7.0 release there were several reported issues with the agent proxy configuration logic because the agent cannot easily distinguish between a proxy URL that is empty because it was never configured and a proxy URL that is empty because the user is attempting to remove the proxy configuration.

Examples:

In the short term we are going to apply the following precedence rules (from https://github.com/elastic/elastic-agent/issues/2304#issuecomment-1497944166):

  1. Prefer the proxy URL from Fleet only if it is a valid IP/host and is not the empty string.
  2. Fall back to the proxy configured when the agent was installed with --proxy-url.

This will ensure that agents configured with a proxy at installation time continue to work while still allowing for the proxy to be changed from Fleet. This has the caveat that a proxy that was configured at installation time cannot be removed via Fleet.

If we want Fleet to be able to manage all configured proxies then we will need a way for the agent to communicate the proxy that it was configured with at installation time (via the --proxy-url command line argument) back to Fleet. Fleet will need to account for the fact that an agent could have two possible proxy configurations available at the same time, the one in the Fleet UI and the one the agent was installed with.

We will also need a way for the agent to clearly distinguish between a Fleet proxy URL that is empty because it was never configured, and an attempt to delete that proxy configuration.

elasticmachine commented 1 year ago

Pinging @elastic/fleet (Team:Fleet)

jlind23 commented 1 year ago

@kpollich Does it make sense to have the tech def done by Sprint 12? 11 being mainly focused on testing and quality

kpollich commented 1 year ago

Yes that makes sense to me @jlind23

lucabelluccini commented 1 year ago

Question/confirmation

The --proxy-url parameter should only affect the Elastic Agent to Fleet Server communication.

I do not fully get "Prefer the proxy URL from Fleet" - From where this proxy URL is configurable? We only allow to configure the output proxy (https://www.elastic.co/guide/en/fleet/current/fleet-agent-proxy-support.html#_set_the_proxy_for_communicating_with_elasticsearch) but not a global proxy setting. Or it is something only on the main branch which I wasn't aware of as it's unreleased?

cmacknz commented 1 year ago

In 8.7.0 beta support for configuring the Fleet proxy settings was added to the Fleet UI. When we say "Prefer the proxy URL from Fleet" these are the settings we want to prefer.

Screen Shot 2023-04-24 at 3 11 11 PM

@jen-huang was anything added to the official docs about this feature? I couldn't find it if so, and neither could Luca it seems.

jen-huang commented 1 year ago

@cmacknz I believe the proxy documentation is still on @nimarezainia's list to do with the docs team: https://github.com/elastic/ingest-docs/issues/101

nimarezainia commented 1 year ago

@jen-huang @cmacknz the documentations was completed sometime ago: https://docs.google.com/document/d/1UszO1L0G1kiRyD_tnKrb1j7GxiA8tZ7mmIClxtQC2dQ/edit?usp=sharing but it seems as though needs to be merged with the existing docs which I think are all complementary https://www.elastic.co/guide/en/fleet/8.6/fleet-agent-proxy-support.html

I'll follow up with the team on this and get it into the docs.