Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[8.x](backport #5494) Add support for CLI flag for mTLS client certificate key passphrase #5574

Merged
merged 3 commits into from
Sep 23, 2024
Merged

[8.x](backport #5494) Add support for CLI flag for mTLS client certificate key passphrase #5574

merged 3 commits into from
Sep 23, 2024

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Sep 20, 2024

What does this PR do?

It adds support for encrypted client certificate key during install/enroll, which done by the cli flag --elastic-agent-cert-key-passphrase.

Why is it important?

It enables Elastic Agent to be configured with passphrase-protected private keys for client mTLS certificates.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • [ ] I have added an integration test or an E2E test

Author's checklist

Tests

  • Ensure --elastic-agent-cert-key-passphrase adheres to the same requirements as --fleet-server-cert-key-passphrase.
  • Verify that both --elastic-agent-cert-key and --elastic-agent-cert are provided when --elastic-agent-cert-key-passphrase is present.
  • Confirm that *enrollCmdOption.remoteConfig() accurately incorporates the passphrase into tlscommon.CertificateConfig.
  • Validate that fleetclient.NewWithConfig generates a valid client capable of establishing an mTLS connection to a mock server.
  • Ensure the policy TLS client settings take precedence over the CLI. Extend policy with SSL config to ensure the client certificate key passphrase from the cli is not left in the config when the policy's client client certificate key is not passphrase-protected.

Disruptive User Impact

  • None

How to test this PR locally

  • Build Elastic Agent with the changes from this PR.
  • Enroll/Install the Elastic Agent using passphrase-protected private key for the client mTLS certificate.
  • Start Elastic Agent and observe successful enrollment/installation with mTLS enabled.

Related issues

Questions to ask yourself

  • How are we going to support this in production?
  • How are we going to measure its adoption?
  • How are we going to debug this?
  • What are the metrics I should take care of?
  • ...
This is an automatic backport of pull request #5494 done by [Mergify](https://mergify.com).

@AndersonQ @mergify
add support for CLI flag for mTLS client certificate key passphrase (#…
2815579 
…5494)

It adds support for encrypted client certificate key during install/enroll, which done by the cli flag `--elastic-agent-cert-key-passphrase`.

(cherry picked from commit 346e5be)
@mergify mergify bot requested a review from a team as a code owner September 20, 2024 03:38
@mergify mergify bot added the backport label Sep 20, 2024
@mergify mergify bot requested review from blakerouse and pchila and removed request for a team September 20, 2024 03:38
@pierrehilbert pierrehilbert requested review from AndersonQ and removed request for blakerouse and pchila September 20, 2024 08:00
@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Sep 20, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
3 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
64.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@mergify Mergify
Copy link
Contributor Author

mergify bot commented Sep 23, 2024

This pull request has not been merged yet. Could you please review and merge it @AndersonQ? 🙏

@pierrehilbert pierrehilbert merged commit 24a1e16 into 8.x Sep 23, 2024
13 checks passed
@pierrehilbert pierrehilbert deleted the mergify/bp/8.x/pr-5494 branch September 23, 2024 06:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pierrehilbert pierrehilbert pierrehilbert approved these changes

@AndersonQ AndersonQ AndersonQ approved these changes

Assignees

@AndersonQ AndersonQ

Labels
backport Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@elasticmachine @AndersonQ @pierrehilbert