Allow to configure the Fleet Server internal host

[AndersonQ]

Describe the enhancement:

Allow to configure the Fleet Server host used by the Elastic Agent when bootstrapping Fleet Server

Describe a specific use case for the enhancement or feature:

When using mTLS the Elastic Agent and Fleet Server should be able to use TLS certificate issued to unique names/IPs, without the need to have either certificate issued to localhost

What is the definition of done?

It's possible to bootstrap a Fleet Server using mTLS where neither Fleet Server's certificate nor the Elastic Agent's certificate are issued to localhost

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[cmacknz]

I don't think we should require users to think about the connection between agent and the fleet-server it supervises. It should be an internal implementation detail, especially because it is only on localhost.

To keep this connection secure in an automatic way, we could instead use the same self-generated and signed mTLS configuration we are already using for the control protocol on this connection.

We could lock this down even further by not using localhost and instead using unix sockets/named pipes which have explicit access control, which is also something we want to do for the control protocol.

Basically if we just did everything we did for the control protocol checkins for this special case of a checkin with a supervised fleet server this would work out much nicer, and the the encryption and security story is the same for all of our connections to supervised processes.

[nimarezainia]

If there are other options, please avoid having the user add yet another certificate here.

[AndersonQ]

Yeah, also the fix o how fleet-server validates client certificate should cover what this issue intended to fix

[AndersonQ]

Basically if we just did everything we did for the control protocol checkins for this special case of a checkin with a supervised fleet server this would work out much nicer, and the the encryption and security story is the same for all of our connections to supervised processes.

I agree it'd be the best end goal. fleet-server would need to be changed to receive another set of certificate/ca but it'd be an internal thing, the users would not have to deal with it.

As I said, since elastic/fleet-server#4042 has been merged, changing the internal host isn't necessary anymore to have the certificates being valid for the internal host. So it's less pressing to have those changes implemented.

Do you wanna me to go ahead and create the issues?

[AndersonQ]

here it's:

• Agent bootstrapping fleet-server should use its own set of TLS certificates when consenting to fleet-server's "internal host" #6129

[pierrehilbert]

Thanks @AndersonQ.
Should we close this issue then?

[pierrehilbert]

Closing for now and I will let you reopen if that shouldn't be closed.
cc @AndersonQ