From 0f43d2781242d47316d038c393673be479076769 Mon Sep 17 00:00:00 2001
From: michel-laterman
Date: Thu, 4 Jan 2024 14:29:05 -0600
Subject: [PATCH 01/13] Add mTLS flags to install and enroll commands
---
 ...7113-Add-mTLS-flags-to-install-enroll.yaml | 38 +++++++++++++++
 internal/pkg/agent/cmd/enroll.go | 48 +++++++++++++++++++
 internal/pkg/agent/cmd/enroll_cmd.go | 28 +++++++++++
 3 files changed, 114 insertions(+)
 create mode 100644 changelog/fragments/1704397113-Add-mTLS-flags-to-install-enroll.yaml
diff --git a/changelog/fragments/1704397113-Add-mTLS-flags-to-install-enroll.yaml b/changelog/fragments/1704397113-Add-mTLS-flags-to-install-enroll.yaml
new file mode 100644
index 00000000000..bf182210db3
--- /dev/null
+++ b/changelog/fragments/1704397113-Add-mTLS-flags-to-install-enroll.yaml
@@ -0,0 +1,38 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: Add mTLS flags to install/enroll
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: |
+ Add mTLS flags to the install/enroll commands to allow fleet-server to
+ use client certs when connecting to Elasticsearch, and to allow
+ elastic-agent to use client certs when connecting to fleet-server.
+ Fleet-server will use the CAs passed in `--certificate-authorities` to
+ validate any client certs. Agent client certs do not influence auth in
+ fleet-server, an enrollment token, or API key is still required.
+
+# Affected component; a word indicating the component this changeset affects.
+component:
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
diff --git a/internal/pkg/agent/cmd/enroll.go b/internal/pkg/agent/cmd/enroll.go
index 95a13341a87..f00bc39f91d 100644
--- a/internal/pkg/agent/cmd/enroll.go
+++ b/internal/pkg/agent/cmd/enroll.go
@@ -55,6 +55,8 @@ func addEnrollFlags(cmd *cobra.Command) {
 cmd.Flags().StringP("fleet-server-es-ca", "", "", "Path to certificate authority to use with communicate with elasticsearch")
 cmd.Flags().StringP("fleet-server-es-ca-trusted-fingerprint", "", "", "Elasticsearch certificate authority's SHA256 fingerprint")
 cmd.Flags().BoolP("fleet-server-es-insecure", "", false, "Disables validation of certificates")
+ cmd.Flags().StringP("fleet-server-es-cert", "", "", "Client certificate to use when connecting to Elasticsearch.")
+ cmd.Flags().StringP("fleet-server-es-cert-key", "", "", "Client private key to use when connecing to Elasticsearch.")
 cmd.Flags().StringP("fleet-server-service-token", "", "", "Service token to use for communication with elasticsearch")
 cmd.Flags().StringP("fleet-server-service-token-path", "", "", "Filepath for service token secret file to use for communication with elasticsearch")
 cmd.Flags().StringP("fleet-server-policy", "", "", "Start and run a Fleet Server on this specific policy")
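Review bot: The help string added for `--fleet-server-es-cert-key` misspells "connecting" as `connecing`, and in the next hunk `--elastic-agent-cert-key` repeats the certificate text (`Elastic-agent client certificate to use with fleet-server during authentication`) although the flag takes the private key. None of the four new help strings says the value is a file path, while validateEnrollFlags in this commit rejects anything that is not an absolute path. Wording them like the existing `--fleet-server-es-ca` help, for example `"Path to the elastic-agent client private key to use with fleet-server during authentication"`, makes it clear that a path and not key material is expected on the command line.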
@@ -67,6 +69,8 @@ func addEnrollFlags(cmd *cobra.Command) {
 cmd.Flags().BoolP("fleet-server-insecure-http", "", false, "Expose Fleet Server over HTTP (not recommended; insecure)")
 cmd.Flags().StringP("certificate-authorities", "a", "", "Comma separated list of root certificate for server verifications")
 cmd.Flags().StringP("ca-sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications")
+ cmd.Flags().StringP("elastic-agent-cert", "", "", "Elastic-agent client certificate to use with fleet-server during authentication")
+ cmd.Flags().StringP("elastic-agent-cert-key", "", "", "Elastic-agent client certificate to use with fleet-server during authentication")
 cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection to fleet-server")
 cmd.Flags().StringP("staging", "", "", "Configures agent to download artifacts from a staging build")
 cmd.Flags().StringP("proxy-url", "", "", "Configures the proxy url")
@@ -86,10 +90,26 @@ func validateEnrollFlags(cmd *cobra.Command) error {
 if ca != "" && !filepath.IsAbs(ca) {
 return errors.New("--certificate-authorities must be provided as an absolute path", errors.M("path", ca), errors.TypeConfig)
 }
+ cert, _ := cmd.Flags().GetString("elastic-agent-cert")
+ if cert != "" && !filepath.IsAbs(cert) {
+ return errors.New("--elastic-agent-cert must be provided as an absolute path", errors.M("path", cert), errors.TypeConfig)
+ }
+ key, _ := cmd.Flags().GetString("elastic-agent-cert-key")
+ if key != "" && !filepath.IsAbs(key) {
+ return errors.New("--elastic-agent-cert-key must be provided as an absolute path", errors.M("path", key), errors.TypeConfig)
+ }
 esCa, _ := cmd.Flags().GetString("fleet-server-es-ca")
 if esCa != "" && !filepath.IsAbs(esCa) {
 return errors.New("--fleet-server-es-ca must be provided as an absolute path", errors.M("path", esCa), errors.TypeConfig)
 }
+ esCert, _ := cmd.Flags().GetString("fleet-server-es-cert")
+ if esCert != "" && !filepath.IsAbs(esCert) {
+ return errors.New("--fleet-server-es-cert must be provided as an absolute path", errors.M("path", esCert), errors.TypeConfig)
+ }
+ esCertKey, _ := cmd.Flags().GetString("fleet-server-es-cert-key")
+ if esCertKey != "" && !filepath.IsAbs(esCertKey) {
+ return errors.New("--fleet-server-es-cert-key must be provided as an absolute path", errors.M("path", esCertKey), errors.TypeConfig)
+ }
 fCert, _ := cmd.Flags().GetString("fleet-server-cert")
 if fCert != "" && !filepath.IsAbs(fCert) {
 return errors.New("--fleet-server-cert must be provided as an absolute path", errors.M("path", fCert), errors.TypeConfig)
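Review bot: The added checks in validateEnrollFlags accept a certificate without its key, and a key without its certificate, for both `--elastic-agent-cert`/`--elastic-agent-cert-key` and `--fleet-server-es-cert`/`--fleet-server-es-cert-key`. Later in this commit remoteConfig and createFleetServerBootstrapConfig fill a `tlscommon.CertificateConfig` whenever either value is set (`||`), so a half-specified pair is caught, if at all, only when the TLS config is loaded after enrollment has already started. A pair check here fails early with a clear message: `if (cert == "") != (key == "") { return errors.New("--elastic-agent-cert and --elastic-agent-cert-key must be provided together", errors.TypeConfig) }`, and the same for `esCert`/`esCertKey`. The function body starts and ends outside the hunk.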
@@ -124,6 +144,8 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
 fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca")
 fElasticSearchCASHA256, _ := cmd.Flags().GetString("fleet-server-es-ca-trusted-fingerprint")
 fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure")
+ fElasticSearchClientCert, _ := cmd.Flags().GetString("fleet-server-es-cert")
+ fElasticSearchClientCertKey, _ := cmd.Flags().GetString("fleet-server-es-cert-key")
 fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token")
 fServiceTokenPath, _ := cmd.Flags().GetString("fleet-server-service-token-path")
 fPolicy, _ := cmd.Flags().GetString("fleet-server-policy")
@@ -135,6 +157,8 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
 fHeaders, _ := cmd.Flags().GetStringSlice("header")
 fInsecure, _ := cmd.Flags().GetBool("fleet-server-insecure-http")
 ca, _ := cmd.Flags().GetString("certificate-authorities")
+ cert, _ := cmd.Flags().GetString("elastic-agent-cert")
+ key, _ := cmd.Flags().GetString("elastic-agent-cert-key")
 sha256, _ := cmd.Flags().GetString("ca-sha256")
 insecure, _ := cmd.Flags().GetBool("insecure")
 staging, _ := cmd.Flags().GetString("staging")
@@ -167,6 +191,14 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
 args = append(args, "--fleet-server-es-ca-trusted-fingerprint")
 args = append(args, fElasticSearchCASHA256)
 }
+ if fElasticSearchClientCert != "" {
+ args = append(args, "--fleet-server-es-cert")
+ args = append(args, fElasticSearchClientCert)
+ }
+ if fElasticSearchClientCertKey != "" {
+ args = append(args, "--fleet-server-es-cert-key")
+ args = append(args, fElasticSearchClientCertKey)
+ }
 if fServiceToken != "" {
 args = append(args, "--fleet-server-service-token")
 args = append(args, fServiceToken)
@@ -220,6 +252,14 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string args = append(args, "--certificate-authorities") args = append(args, ca) } + if cert != "" { + args = append(args, "--elastic-agent-cert") + args = append(args, cert) + } + if key != "" { + args = append(args, "--elastic-agent-cert-key") + args = append(args, key) + } if sha256 != "" { args = append(args, "--ca-sha256") args = append(args, sha256) @@ -328,6 +368,8 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error { fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca") fElasticSearchCASHA256, _ := cmd.Flags().GetString("fleet-server-es-ca-trusted-fingerprint") fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure") + fElasticSearchClientCert, _ := cmd.Flags().GetString("fleet-server-es-cert") + fElasticSearchClientCertKey, _ := cmd.Flags().GetString("fleet-server-es-cert-key") fHeaders, _ := cmd.Flags().GetStringSlice("header") fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token") fServiceTokenPath, _ := cmd.Flags().GetString("fleet-server-service-token-path") @@ -352,6 +394,8 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error { CAs := cli.StringToSlice(caStr) caSHA256str, _ := cmd.Flags().GetString("ca-sha256") caSHA256 := cli.StringToSlice(caSHA256str) + cert, _ := cmd.Flags().GetString("elastic-agent-cert") + key, _ := cmd.Flags().GetString("elastic-agent-cert-key") ctx := handleSignal(context.Background()) @@ -369,6 +413,8 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error { URL: url, CAs: CAs, CASha256: caSHA256, + Certificate: cert, + Key: key, Insecure: insecure, UserProvidedMetadata: make(map[string]interface{}), Staging: staging, 
@@ -385,6 +431,8 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error { ElasticsearchCA: fElasticSearchCA, ElasticsearchCASHA256: fElasticSearchCASHA256, ElasticsearchInsecure: fElasticSearchInsecure, + ElasticsearchCert: fElasticSearchClientCert, + ElasticsearchCertKey: fElasticSearchClientCertKey, ServiceToken: fServiceToken, ServiceTokenPath: fServiceTokenPath, PolicyID: fPolicy, diff --git a/internal/pkg/agent/cmd/enroll_cmd.go b/internal/pkg/agent/cmd/enroll_cmd.go index d3de412ba44..f19c6a2c07c 100644 --- a/internal/pkg/agent/cmd/enroll_cmd.go +++ b/internal/pkg/agent/cmd/enroll_cmd.go @@ -80,6 +80,8 @@ type enrollCmdFleetServerOption struct { ElasticsearchCA string ElasticsearchCASHA256 string ElasticsearchInsecure bool + ElasticsearchCert string + ElasticsearchCertKey string ServiceToken string ServiceTokenPath string PolicyID string @@ -101,6 +103,8 @@ type enrollCmdOption struct { InternalURL string `yaml:"-"` CAs []string `yaml:"ca,omitempty"` CASha256 []string `yaml:"ca_sha256,omitempty"` + Certificate string `yaml:"certificate,omitempty"` + Key string `yaml:"key,omitempty"` Insecure bool `yaml:"insecure,omitempty"` EnrollAPIKey string `yaml:"enrollment_key,omitempty"` Staging string `yaml:"staging,omitempty"` @@ -137,6 +141,12 @@ func (e *enrollCmdOption) remoteConfig() (remote.Config, error) { if e.Insecure { tlsCfg.VerificationMode = tlscommon.VerifyNone } + if e.Certificate != "" || e.Key != "" { + tlsCfg.Certificate = tlscommon.CertificateConfig{ + Certificate: e.Certificate, + Key: e.Key, + } + } cfg.Transport.TLS = &tlsCfg 
@@ -344,6 +354,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig m c.options.FleetServer.PolicyID, c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.InternalPort, c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.CertKeyPassphrasePath, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.ElasticsearchCASHA256, + c.options.FleetServer.ElasticsearchCert, c.options.FleetServer.ElasticsearchCertKey, c.options.FleetServer.Headers, c.options.ProxyURL, c.options.ProxyDisabled, @@ -570,6 +581,7 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte c.options.FleetServer.PolicyID, c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.InternalPort, c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.CertKeyPassphrasePath, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.ElasticsearchCASHA256, + c.options.FleetServer.ElasticsearchCert, c.options.FleetServer.ElasticsearchCertKey, c.options.FleetServer.Headers, c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders, c.options.FleetServer.ElasticsearchInsecure, @@ -921,6 +933,7 @@ func createFleetServerBootstrapConfig( connStr, serviceToken, serviceTokenPath, policyID, host string, port uint16, internalPort uint16, cert, key, passphrasePath, esCA, esCASHA256 string, + esClientCert, esClientCertKey string, headers map[string]string, proxyURL string, proxyDisabled bool, 
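Review bot: createFleetServerBootstrapConfig (last hunk on this line) gains `esClientCert, esClientCertKey string` in a parameter list that already carries `cert, key, passphrasePath, esCA, esCASHA256 string`, and both call sites above pass everything positionally. All of these are plain string paths, so swapping a key path with a certificate path, or the server pair with the Elasticsearch client pair, compiles without complaint and only shows up as a TLS failure at runtime. Consider passing `c.options.FleetServer` (or a small struct of its TLS fields) instead of growing the list; later commits in this series add `clientAuth` and `cas` the same way. The signature and both calls start and end outside the hunks.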
@@ -951,6 +964,21 @@ func createFleetServerBootstrapConfig(
 es.TLS.CATrustedFingerprint = esCASHA256
 }
 }
+ if esClientCert != "" || esClientCertKey != "" {
+ if es.TLS == nil {
+ es.TLS = &tlscommon.Config{
+ Certificate: tlscommon.CertificateConfig{
+ Certificate: esClientCert,
+ Key: esClientCertKey,
+ },
+ }
+ } else {
+ es.TLS.Certificate = tlscommon.CertificateConfig{
+ Certificate: esClientCert,
+ Key: esClientCertKey,
+ }
+ }
+ }
 if host == "" {
 host = defaultFleetServerHost
 }
From 3a63be6dcab6c6c666b1cedb80097bac9c223be3 Mon Sep 17 00:00:00 2001
From: michel-laterman
Date: Fri, 5 Jan 2024 10:55:12 -0600
Subject: [PATCH 02/13] add unit test for flag passing
---
 internal/pkg/agent/cmd/enroll_cmd_test.go | 26 +++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/internal/pkg/agent/cmd/enroll_cmd_test.go b/internal/pkg/agent/cmd/enroll_cmd_test.go
index 2d28db5a4f8..6e6ea0d4ccd 100644
--- a/internal/pkg/agent/cmd/enroll_cmd_test.go
+++ b/internal/pkg/agent/cmd/enroll_cmd_test.go
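Review bot: The two branches of the added `esClientCert`/`esClientCertKey` block in createFleetServerBootstrapConfig build the same `tlscommon.CertificateConfig` literal; only the nil check on `es.TLS` differs. Allocating first leaves a single assignment that cannot drift between the branches: `if es.TLS == nil { es.TLS = &tlscommon.Config{} }` followed by `es.TLS.Certificate = tlscommon.CertificateConfig{Certificate: esClientCert, Key: esClientCertKey}`. The enclosing function starts and ends outside the hunk.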
@@ -406,6 +406,32 @@ func TestValidateArgs(t *testing.T) { require.Contains(t, args, "--fleet-server-service-token-path") require.Contains(t, args, "/path/to/token") }) + + r.Run("fleet-es client certificates are passed", func(t *testing.T) { + cmd := newEnrollCommandWithArgs([]string{}, streams) + err := cmd.Flags().Set("fleet-server-es-cert", "/path/to/cert") + require.NoError(t, err) + err = cmd.Flags().Set("fleet-server-es-cert-key", "/path/to/key") + require.NoError(t, err) + args := buildEnrollmentFlags(cmd, url, enrolmentToken) + require.Contains(t, args, "--fleet-server-es-cert") + require.Contains(t, args, "/path/to/cert") + require.Contains(t, args, "--fleet-server-es-cert-key") + require.Contains(t, args, "/path/to/key") + }) + + r.Run("elastic-agent client certificates are passed", func(t *testing.T) { + cmd := newEnrollCommandWithArgs([]string{}, streams) + err := cmd.Flags().Set("elastic-agent-cert", "/path/to/cert") + require.NoError(t, err) + err = cmd.Flags().Set("elastic-agent-cert-key", "/path/to/key") + require.NoError(t, err) + args := buildEnrollmentFlags(cmd, url, enrolmentToken) + require.Contains(t, args, "--elastic-agent-cert") + require.Contains(t, args, "/path/to/cert") + require.Contains(t, args, "--elastic-agent-cert-key") + require.Contains(t, args, "/path/to/key") + }) } func TestValidateEnrollFlags(t *testing.T) { From cd14c90299e87c945acd8ac05509d814dfc8edad Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Fri, 5 Jan 2024 11:14:24 -0600 Subject: [PATCH 03/13] fix typo --- internal/pkg/agent/cmd/enroll_cmd_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/pkg/agent/cmd/enroll_cmd_test.go b/internal/pkg/agent/cmd/enroll_cmd_test.go index 6e6ea0d4ccd..eb31e16e1b9 100644 --- a/internal/pkg/agent/cmd/enroll_cmd_test.go +++ b/internal/pkg/agent/cmd/enroll_cmd_test.go 
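Review bot: These subtests only show that buildEnrollmentFlags forwards the four new flags; nothing in the hunk exercises the absolute-path checks that the previous commit added to validateEnrollFlags for the same flags. TestValidateEnrollFlags begins right below the hunk, so one case per new flag with a relative path, for example `cmd.Flags().Set("elastic-agent-cert-key", "key.pem")` followed by `require.Error(t, validateEnrollFlags(cmd))`, would pin that behaviour. Its body is outside the hunk, so it may already be table-driven in a way that makes this a one-line addition.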
@@ -407,7 +407,7 @@ func TestValidateArgs(t *testing.T) { require.Contains(t, args, "/path/to/token") }) - r.Run("fleet-es client certificates are passed", func(t *testing.T) { + t.Run("fleet-es client certificates are passed", func(t *testing.T) { cmd := newEnrollCommandWithArgs([]string{}, streams) err := cmd.Flags().Set("fleet-server-es-cert", "/path/to/cert") require.NoError(t, err) @@ -420,7 +420,7 @@ func TestValidateArgs(t *testing.T) { require.Contains(t, args, "/path/to/key") }) - r.Run("elastic-agent client certificates are passed", func(t *testing.T) { + t.Run("elastic-agent client certificates are passed", func(t *testing.T) { cmd := newEnrollCommandWithArgs([]string{}, streams) err := cmd.Flags().Set("elastic-agent-cert", "/path/to/cert") require.NoError(t, err) From b63ceb56cb31b747093f684d593b16bab6a882f4 Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Fri, 5 Jan 2024 12:40:14 -0600 Subject: [PATCH 04/13] Add --fleet-server-client-auth flag, remove ioutil from tests --- internal/pkg/agent/cmd/enroll.go | 19 ++++++++++++++++++- internal/pkg/agent/cmd/enroll_cmd.go | 12 +++++++++++- internal/pkg/agent/cmd/enroll_cmd_test.go | 3 +-- .../pkg/agent/configuration/fleet_server.go | 2 +- 4 files changed, 31 insertions(+), 5 deletions(-) diff --git a/internal/pkg/agent/cmd/enroll.go b/internal/pkg/agent/cmd/enroll.go index f00bc39f91d..3810a38831f 100644 --- a/internal/pkg/agent/cmd/enroll.go +++ b/internal/pkg/agent/cmd/enroll.go 
@@ -65,6 +65,7 @@ func addEnrollFlags(cmd *cobra.Command) { cmd.Flags().StringP("fleet-server-cert", "", "", "Certificate to use for exposed Fleet Server HTTPS endpoint") cmd.Flags().StringP("fleet-server-cert-key", "", "", "Private key to use for exposed Fleet Server HTTPS endpoint") cmd.Flags().StringP("fleet-server-cert-key-passphrase", "", "", "Path for private key passphrase file used to decrypt certificate key") + cmd.Flags().StringP("fleet-server-client-auth", "", "", "Fleet-server mTLS client authentication for connecting elastic-agents. Must be one of [none, optional, required]") cmd.Flags().StringSliceP("header", "", []string{}, "Headers used in communication with elasticsearch") cmd.Flags().BoolP("fleet-server-insecure-http", "", false, "Expose Fleet Server over HTTP (not recommended; insecure)") cmd.Flags().StringP("certificate-authorities", "a", "", "Comma separated list of root certificate for server verifications") @@ -82,7 +83,8 @@ func addEnrollFlags(cmd *cobra.Command) { cmd.Flags().Bool("skip-daemon-reload", false, "Skip daemon reload after enrolling") cmd.Flags().StringSliceP("tag", "", []string{}, "User set tags") - cmd.Flags().MarkHidden("skip-daemon-reload") //nolint:errcheck // an error is only returned if the flag does not exist. + cmd.Flags().MarkHidden("skip-daemon-reload") //nolint:errcheck // an error is only returned if the flag does not exist. + cmd.Flags().MarkHidden("fleet-server-client-auth") //nolint:errcheck // FIXME this is not fully implemented } func validateEnrollFlags(cmd *cobra.Command) error { 
@@ -130,6 +132,14 @@ func validateEnrollFlags(cmd *cobra.Command) error { if fPassphrase != "" && !filepath.IsAbs(fPassphrase) { return errors.New("--fleet-server-cert-key-passphrase must be provided as an absolute path", errors.M("path", fPassphrase), errors.TypeConfig) } + fClientAuth, _ := cmd.Flags().GetString("fleet-server-client-auth") + switch fClientAuth { + case "": + case "none", "optional", "required": + // NOTE we can split this case if we want to do additional checks when optional or required is passed. + default: + return errors.New("--fleet-server-client-auth must be one of [none, optional, required]") + } return nil } @@ -154,6 +164,7 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string fCert, _ := cmd.Flags().GetString("fleet-server-cert") fCertKey, _ := cmd.Flags().GetString("fleet-server-cert-key") fPassphrase, _ := cmd.Flags().GetString("fleet-server-cert-key-passphrase") + fClientAuth, _ := cmd.Flags().GetString("fleet-server-client-auth") fHeaders, _ := cmd.Flags().GetStringSlice("header") fInsecure, _ := cmd.Flags().GetBool("fleet-server-insecure-http") ca, _ := cmd.Flags().GetString("certificate-authorities") @@ -231,6 +242,10 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string args = append(args, "--fleet-server-cert-key-passphrase") args = append(args, fPassphrase) } + if fClientAuth != "" { + args = append(args, "--fleet-server-client-auth") + args = append(args, fClientAuth) + } if daemonTimeout != 0 { args = append(args, "--daemon-timeout") args = append(args, daemonTimeout.String()) 
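Review bot: The new switch in validateEnrollFlags accepts `optional` and `required` without checking that Fleet Server will actually serve TLS. In this commit createFleetServerBootstrapConfig applies the value only under `cfg.Server.TLS != nil`, and `cfg.Server.TLS` is assigned only when `cert` or `key` is set, so as far as these hunks show `--fleet-server-client-auth required` without a server certificate (or together with `--fleet-server-insecure-http`) is accepted and then has no effect. Rejecting that combination here keeps an operator from believing client certificates are enforced when they are not. The new error also lacks the `errors.TypeConfig` tag and the offending value that the sibling checks carry: `return errors.New("--fleet-server-client-auth must be one of [none, optional, required]", errors.M("value", fClientAuth), errors.TypeConfig)`.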
@@ -380,6 +395,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error { fCert, _ := cmd.Flags().GetString("fleet-server-cert") fCertKey, _ := cmd.Flags().GetString("fleet-server-cert-key") fPassphrase, _ := cmd.Flags().GetString("fleet-server-cert-key-passphrase") + fClientAuth, _ := cmd.Flags().GetString("fleet-server-client-auth") fInsecure, _ := cmd.Flags().GetBool("fleet-server-insecure-http") proxyURL, _ := cmd.Flags().GetString("proxy-url") proxyDisabled, _ := cmd.Flags().GetBool("proxy-disabled") @@ -441,6 +457,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error { Cert: fCert, CertKey: fCertKey, CertKeyPassphrasePath: fPassphrase, + ClientAuth: fClientAuth, Insecure: fInsecure, SpawnAgent: !fromInstall, Headers: mapFromEnvList(fHeaders), diff --git a/internal/pkg/agent/cmd/enroll_cmd.go b/internal/pkg/agent/cmd/enroll_cmd.go index f19c6a2c07c..5d4c7442e5c 100644 --- a/internal/pkg/agent/cmd/enroll_cmd.go +++ b/internal/pkg/agent/cmd/enroll_cmd.go @@ -91,6 +91,7 @@ type enrollCmdFleetServerOption struct { Cert string CertKey string CertKeyPassphrasePath string + ClientAuth string Insecure bool SpawnAgent bool Headers map[string]string @@ -354,6 +355,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig m c.options.FleetServer.PolicyID, c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.InternalPort, c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.CertKeyPassphrasePath, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.ElasticsearchCASHA256, + c.options.FleetServer.ClientAuth, c.options.FleetServer.ElasticsearchCert, c.options.FleetServer.ElasticsearchCertKey, c.options.FleetServer.Headers, c.options.ProxyURL, 
@@ -581,6 +583,7 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte c.options.FleetServer.PolicyID, c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.InternalPort, c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.CertKeyPassphrasePath, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.ElasticsearchCASHA256, + c.options.FleetServer.ClientAuth, c.options.FleetServer.ElasticsearchCert, c.options.FleetServer.ElasticsearchCertKey, c.options.FleetServer.Headers, c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders, @@ -933,6 +936,7 @@ func createFleetServerBootstrapConfig( connStr, serviceToken, serviceTokenPath, policyID, host string, port uint16, internalPort uint16, cert, key, passphrasePath, esCA, esCASHA256 string, + clientAuth string, esClientCert, esClientCertKey string, headers map[string]string, proxyURL string, @@ -1016,7 +1020,7 @@ func createFleetServerBootstrapConfig( cfg.Server.Policy = &configuration.FleetServerPolicyConfig{ID: policyID} } if cert != "" || key != "" { - cfg.Server.TLS = &tlscommon.Config{ + cfg.Server.TLS = &tlscommon.ServerConfig{ Certificate: tlscommon.CertificateConfig{ Certificate: cert, Key: key, @@ -1028,6 +1032,12 @@ func createFleetServerBootstrapConfig( } } + if cfg.Server.TLS != nil && clientAuth != "" { + if err := cfg.Server.TLS.ClientAuth.Unpack(clientAuth); err != nil { + return nil, errors.New(err, "failed to unpack --fleet-server-client-auth", errors.TypeConfig) + } + } + if localFleetServer { cfg.Client.Transport.Proxy.Disable = true cfg.Server.InternalPort = internalPort diff --git a/internal/pkg/agent/cmd/enroll_cmd_test.go b/internal/pkg/agent/cmd/enroll_cmd_test.go index eb31e16e1b9..7cbec120c56 100644 --- a/internal/pkg/agent/cmd/enroll_cmd_test.go +++ b/internal/pkg/agent/cmd/enroll_cmd_test.go @@ -9,7 +9,6 @@ import ( "context" "crypto/tls" "io" - "io/ioutil" "net" "net/http" "net/http/httptest" 
@@ -504,7 +503,7 @@ func withTLSServer( } func bytesToTMPFile(b []byte) (string, error) { - f, err := ioutil.TempFile("", "prefix") + f, err := os.CreateTemp("", "prefix") if err != nil { return "", err } diff --git a/internal/pkg/agent/configuration/fleet_server.go b/internal/pkg/agent/configuration/fleet_server.go index 5d541ba3386..7e1290df758 100644 --- a/internal/pkg/agent/configuration/fleet_server.go +++ b/internal/pkg/agent/configuration/fleet_server.go @@ -19,7 +19,7 @@ type FleetServerConfig struct { Host string `config:"host" yaml:"host,omitempty"` Port uint16 `config:"port" yaml:"port,omitempty"` InternalPort uint16 `config:"internal_port" yaml:"internal_port,omitempty"` - TLS *tlscommon.Config `config:"ssl" yaml:"ssl,omitempty"` + TLS *tlscommon.ServerConfig `config:"ssl" yaml:"ssl,omitempty"` } // FleetServerPolicyConfig is the configuration for the policy Fleet Server should run on. From ea24d3974aebdbb8df36764ab9dbdd7e4c987f2b Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Mon, 8 Jan 2024 16:26:07 -0600 Subject: [PATCH 05/13] Pass CAs --- internal/pkg/agent/cmd/enroll_cmd.go | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/internal/pkg/agent/cmd/enroll_cmd.go b/internal/pkg/agent/cmd/enroll_cmd.go index 5d4c7442e5c..1b3304ec766 100644 --- a/internal/pkg/agent/cmd/enroll_cmd.go +++ b/internal/pkg/agent/cmd/enroll_cmd.go 
@@ -355,7 +355,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig m c.options.FleetServer.PolicyID, c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.InternalPort, c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.CertKeyPassphrasePath, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.ElasticsearchCASHA256, - c.options.FleetServer.ClientAuth, + c.options.CAs, c.options.FleetServer.ClientAuth, c.options.FleetServer.ElasticsearchCert, c.options.FleetServer.ElasticsearchCertKey, c.options.FleetServer.Headers, c.options.ProxyURL, @@ -583,7 +583,7 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte c.options.FleetServer.PolicyID, c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.InternalPort, c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.CertKeyPassphrasePath, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.ElasticsearchCASHA256, - c.options.FleetServer.ClientAuth, + c.options.CAs, c.options.FleetServer.ClientAuth, c.options.FleetServer.ElasticsearchCert, c.options.FleetServer.ElasticsearchCertKey, c.options.FleetServer.Headers, c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders, @@ -936,7 +936,7 @@ func createFleetServerBootstrapConfig( connStr, serviceToken, serviceTokenPath, policyID, host string, port uint16, internalPort uint16, cert, key, passphrasePath, esCA, esCASHA256 string, - clientAuth string, + cas []string, clientAuth string, esClientCert, esClientCertKey string, headers map[string]string, proxyURL string, 
@@ -1032,6 +1032,10 @@ func createFleetServerBootstrapConfig( } } + if cfg.Server.TLS != nil { + cfg.Server.TLS.CAs = cas + } + if cfg.Server.TLS != nil && clientAuth != "" { if err := cfg.Server.TLS.ClientAuth.Unpack(clientAuth); err != nil { return nil, errors.New(err, "failed to unpack --fleet-server-client-auth", errors.TypeConfig) From 5575ecef6bf29e57b0bb4178f55656d181cc1912 Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Mon, 15 Jan 2024 11:07:38 -0600 Subject: [PATCH 06/13] Update elastic-agent-libs, fix intialization --- go.mod | 2 +- go.sum | 4 ++-- internal/pkg/agent/cmd/enroll.go | 3 +-- internal/pkg/agent/cmd/enroll_cmd.go | 6 ++---- internal/pkg/agent/cmd/enroll_cmd_test.go | 12 +++++++++--- internal/pkg/agent/cmd/install_test.go | 7 +++---- 6 files changed, 18 insertions(+), 16 deletions(-) diff --git a/go.mod b/go.mod index 05c9b748240..3193d10eef8 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/elastic/e2e-testing v1.1.0 github.com/elastic/elastic-agent-autodiscover v0.6.6 github.com/elastic/elastic-agent-client/v7 v7.5.0 - github.com/elastic/elastic-agent-libs v0.7.3 + github.com/elastic/elastic-agent-libs v0.7.4 github.com/elastic/elastic-agent-system-metrics v0.9.1 github.com/elastic/elastic-transport-go/v8 v8.3.0 github.com/elastic/go-elasticsearch/v8 v8.10.1 diff --git a/go.sum b/go.sum index a3f7dfc65e3..d737ffbdeb8 100644 --- a/go.sum +++ b/go.sum 
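Review bot: `cfg.Server.TLS.CAs = cas` turns the `--certificate-authorities` list, which the flag help still describes as "root certificate for server verifications", into the trust anchors for agent client certificates as well, and the help text should say so. An empty list combined with `optional` or `required` also needs an explicit decision: a server TLS config without a client CA pool commonly falls back to the host's system roots, which would admit any certificate those roots issue (please confirm how tlscommon.ServerConfig handles an empty `CAs`). A check in validateEnrollFlags makes the requirement visible: `if (fClientAuth == "optional" || fClientAuth == "required") && ca == "" { return errors.New("--fleet-server-client-auth requires --certificate-authorities", errors.TypeConfig) }`. The enclosing function starts and ends outside the hunk.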
@@ -802,8 +802,8 @@ github.com/elastic/elastic-agent-autodiscover v0.6.6 h1:P1y0dDpbhJc7Uw/xe85irPEa
 github.com/elastic/elastic-agent-autodiscover v0.6.6/go.mod h1:chulyCAyZb/njMHgzkhC/yWnt8v/Y6eCRUhmFVnsA5o=
 github.com/elastic/elastic-agent-client/v7 v7.5.0 h1:niI3WQ+01Lnp2r5LxK8SyNhrPJe13vBiOkqrDRK2oTA=
 github.com/elastic/elastic-agent-client/v7 v7.5.0/go.mod h1:DYoX95xjC4BW/p2avyu724Qr2+hoUIz9eCU9CVS1d+0=
-github.com/elastic/elastic-agent-libs v0.7.3 h1:tc6JDXYR+2XFMHJVv+7+M0OwAbZPxm3caLJEd943dlE=
-github.com/elastic/elastic-agent-libs v0.7.3/go.mod h1:9hlSaDPm0XTrUWrZjwvckgov1pDHnsGyybzAjNe/1wA=
+github.com/elastic/elastic-agent-libs v0.7.4 h1:/cmwOLwNAyJDNeR6sFIbHCDHDLPX2zAb/MAxQq7BRpo=
+github.com/elastic/elastic-agent-libs v0.7.4/go.mod h1:pGMj5myawdqu+xE+WKvM5FQzKQ/MonikkWOzoFTJxaU=
 github.com/elastic/elastic-agent-system-metrics v0.9.1 h1:r0ofKHgPpl+W09ie7tzGcCDC0d4NZbQUv37rSgHf4FM=
 github.com/elastic/elastic-agent-system-metrics v0.9.1/go.mod h1:9C1UEfj0P687HAzZepHszN6zXA+2tN2Lx3Osvq1zby8=
 github.com/elastic/elastic-integration-corpus-generator-tool v0.5.0/go.mod h1:uf9N86y+UACGybdEhZLpwZ93XHWVhsYZAA4c2T2v6YM=
diff --git a/internal/pkg/agent/cmd/enroll.go b/internal/pkg/agent/cmd/enroll.go
index 3810a38831f..b56cf310a63 100644
--- a/internal/pkg/agent/cmd/enroll.go
+++ b/internal/pkg/agent/cmd/enroll.go
@@ -65,7 +65,7 @@ func addEnrollFlags(cmd *cobra.Command) {
 cmd.Flags().StringP("fleet-server-cert", "", "", "Certificate to use for exposed Fleet Server HTTPS endpoint")
 cmd.Flags().StringP("fleet-server-cert-key", "", "", "Private key to use for exposed Fleet Server HTTPS endpoint")
 cmd.Flags().StringP("fleet-server-cert-key-passphrase", "", "", "Path for private key passphrase file used to decrypt certificate key")
- cmd.Flags().StringP("fleet-server-client-auth", "", "", "Fleet-server mTLS client authentication for connecting elastic-agents. Must be one of [none, optional, required]")
+ cmd.Flags().StringP("fleet-server-client-auth", "", "none", "Fleet-server mTLS client authentication for connecting elastic-agents. Must be one of [none, optional, required]")
 cmd.Flags().StringSliceP("header", "", []string{}, "Headers used in communication with elasticsearch")
 cmd.Flags().BoolP("fleet-server-insecure-http", "", false, "Expose Fleet Server over HTTP (not recommended; insecure)")
 cmd.Flags().StringP("certificate-authorities", "a", "", "Comma separated list of root certificate for server verifications")
@@ -134,7 +134,6 @@ func validateEnrollFlags(cmd *cobra.Command) error {
 }
 fClientAuth, _ := cmd.Flags().GetString("fleet-server-client-auth")
 switch fClientAuth {
- case "":
 case "none", "optional", "required":
 // NOTE we can split this case if we want to do additional checks when optional or required is passed.
 default:
diff --git a/internal/pkg/agent/cmd/enroll_cmd.go b/internal/pkg/agent/cmd/enroll_cmd.go
index 1b3304ec766..680b806c64e 100644
--- a/internal/pkg/agent/cmd/enroll_cmd.go
+++ b/internal/pkg/agent/cmd/enroll_cmd.go
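Review bot: With the default changed to `none`, the `if fClientAuth != ""` guard that an earlier commit added to buildEnrollmentFlags is now always true, so every generated argument list carries `--fleet-server-client-auth none`, including enrollments that do not start a Fleet Server; the test updates in this commit show the argument counts growing by two. The flag is still hidden and annotated `FIXME this is not fully implemented`, so forwarding it unconditionally widens its reach before it is finished. Forwarding only what the operator set keeps the argument list unchanged for everyone else: `if cmd.Flags().Changed("fleet-server-client-auth") {`.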
@@ -1030,13 +1030,11 @@ func createFleetServerBootstrapConfig( if insecure { cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone } - } - if cfg.Server.TLS != nil { cfg.Server.TLS.CAs = cas - } - if cfg.Server.TLS != nil && clientAuth != "" { + var cAuth tlscommon.TLSClientAuth + cfg.Server.TLS.ClientAuth = &cAuth if err := cfg.Server.TLS.ClientAuth.Unpack(clientAuth); err != nil { return nil, errors.New(err, "failed to unpack --fleet-server-client-auth", errors.TypeConfig) } diff --git a/internal/pkg/agent/cmd/enroll_cmd_test.go b/internal/pkg/agent/cmd/enroll_cmd_test.go index 7cbec120c56..d9c2f7207e4 100644 --- a/internal/pkg/agent/cmd/enroll_cmd_test.go +++ b/internal/pkg/agent/cmd/enroll_cmd_test.go @@ -351,13 +351,15 @@ func TestValidateArgs(t *testing.T) { require.NoError(t, err) args := buildEnrollmentFlags(cmd, url, enrolmentToken) require.NotNil(t, args) - require.Equal(t, len(args), 9) + require.Equal(t, len(args), 11) require.Contains(t, args, "--tag") require.Contains(t, args, "windows") require.Contains(t, args, "production") require.Contains(t, args, "--insecure") require.Contains(t, args, enrolmentToken) require.Contains(t, args, url) + require.Contains(t, args, "--fleet-server-client-auth") + require.Contains(t, args, "none") cleanedTags := cleanTags(args) require.Contains(t, cleanedTags, "windows") require.Contains(t, cleanedTags, "production") 
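Review bot: In `createFleetServerBootstrapConfig`, `cfg.Server.TLS.ClientAuth` is now set in the same block where `insecure` sets `cfg.Server.TLS.VerificationMode = tlscommon.VerifyNone`, and nothing in the hunk says how the two interact. If `VerifyNone` also relaxes verification of client certificate chains (not visible here, to be confirmed against tlscommon), an insecure enrollment combined with client auth `required` would quietly weaken the mTLS the operator asked for. I would either reject that combination or, once confirmed harmless, record it above the assignment with a comment such as `// ClientAuth is enforced independently of VerificationMode`. The function body starts and ends outside the hunk.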
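Review bot: The updated length checks in `TestValidateArgs` pass the actual value where testify expects the expected one, so `require.Equal(t, len(args), 11)` prints a misleading "expected/actual" pair when it fails. `require.Len(t, args, 11)` states the intent directly and reports the slice contents on failure. The same applies to `require.Equal(t, len(args), 12)` and `require.Equal(t, len(cleanedTags), 9)` in the next hunk of this file.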
@@ -371,12 +373,14 @@ func TestValidateArgs(t *testing.T) { require.Contains(t, args, "--tag") require.Contains(t, args, "windows") require.Contains(t, args, " production") + require.Contains(t, args, "--fleet-server-client-auth") + require.Contains(t, args, "none") cleanedTags := cleanTags(args) require.Contains(t, cleanedTags, "windows") require.Contains(t, cleanedTags, "production") // Validate that we remove the duplicates - require.Equal(t, len(args), 10) - require.Equal(t, len(cleanedTags), 7) + require.Equal(t, len(args), 12) + require.Equal(t, len(cleanedTags), 9) }) t.Run("valid tag and empty tag", func(t *testing.T) { @@ -387,6 +391,8 @@ func TestValidateArgs(t *testing.T) { require.Contains(t, args, "--tag") require.Contains(t, args, "windows") require.Contains(t, args, " ") + require.Contains(t, args, "--fleet-server-client-auth") + require.Contains(t, args, "none") cleanedTags := cleanTags(args) require.Contains(t, cleanedTags, "windows") require.NotContains(t, cleanedTags, " ") diff --git a/internal/pkg/agent/cmd/install_test.go b/internal/pkg/agent/cmd/install_test.go index a94864568c8..7753322844c 100644 --- a/internal/pkg/agent/cmd/install_test.go +++ b/internal/pkg/agent/cmd/install_test.go @@ -9,7 +9,6 @@ package cmd import ( "testing" - "github.com/spf13/cobra" "github.com/stretchr/testify/require" "github.com/elastic/elastic-agent/internal/pkg/agent/application/paths" @@ -52,10 +51,10 @@ func TestInvalidBasePath(t *testing.T) { for name, test := range tests { t.Run(name, func(t *testing.T) { streams := cli.NewIOStreams() - cmd := cobra.Command{} - cmd.Flags().String(flagInstallBasePath, test.basePath, "") + cmd := newInstallCommandWithArgs([]string{}, streams) + cmd.Flags().Set(flagInstallBasePath, test.basePath) - err := installCmd(streams, &cmd) + err := installCmd(streams, cmd) if test.expectedError == "" { require.NoError(t, err) From 81b0cdedc4946e6349e43b7809c004cffade6782 Mon Sep 17 00:00:00 2001 
From: Michel Laterman <82832767+michel-laterman@users.noreply.github.com> Date: Mon, 15 Jan 2024 11:10:59 -0600 Subject: [PATCH 07/13] Apply suggestions from code review Co-authored-by: Anderson Queiroz --- internal/pkg/agent/cmd/enroll.go | 2 +- internal/pkg/agent/cmd/enroll_cmd.go | 14 ++++---------- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/internal/pkg/agent/cmd/enroll.go b/internal/pkg/agent/cmd/enroll.go index b56cf310a63..10644dc8e32 100644 --- a/internal/pkg/agent/cmd/enroll.go +++ b/internal/pkg/agent/cmd/enroll.go @@ -135,7 +135,7 @@ func validateEnrollFlags(cmd *cobra.Command) error { fClientAuth, _ := cmd.Flags().GetString("fleet-server-client-auth") switch fClientAuth { case "none", "optional", "required": - // NOTE we can split this case if we want to do additional checks when optional or required is passed. + // NOTE we can split this case if we want to do additional checks when optional or required is passed. default: return errors.New("--fleet-server-client-auth must be one of [none, optional, required]") } diff --git a/internal/pkg/agent/cmd/enroll_cmd.go b/internal/pkg/agent/cmd/enroll_cmd.go index 680b806c64e..6ab395b695d 100644 --- a/internal/pkg/agent/cmd/enroll_cmd.go +++ b/internal/pkg/agent/cmd/enroll_cmd.go @@ -970,19 +970,13 @@ func createFleetServerBootstrapConfig( } if esClientCert != "" || esClientCertKey != "" { if es.TLS == nil { - es.TLS = &tlscommon.Config{ - Certificate: tlscommon.CertificateConfig{ - Certificate: esClientCert, - Key: esClientCertKey, - }, - } - } else { - es.TLS.Certificate = tlscommon.CertificateConfig{ + es.TLS = &tlscommon.Config{} + } + + es.TLS.Certificate = tlscommon.CertificateConfig{ Certificate: esClientCert, Key: esClientCertKey, - } } - } if host == "" { host = defaultFleetServerHost } From 8297177f0d17115cd5e0dd61f305669ac267d64b Mon Sep 17 00:00:00 2001 
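Review bot: The guard `if esClientCert != "" || esClientCertKey != ""` in the `enroll_cmd.go` hunk lets a certificate without a key, or a key without a certificate, reach `es.TLS.Certificate`, and the hunk adds no check that the two were supplied together. Unless that is validated elsewhere (not visible here), the half-configured pair only fails later when the TLS config is loaded, far from the flags that caused it. I would return early in the style of the other config errors in this function, e.g. `if (esClientCert == "") != (esClientCertKey == "") { return nil, errors.New("elasticsearch client certificate and key must be provided together", errors.TypeConfig) }`. The following "fix bad merge" patch re-indents the same block and carries the same gap; `createFleetServerBootstrapConfig` starts and ends outside the hunk.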
From: michel-laterman Date: Mon, 15 Jan 2024 11:23:00 -0600 Subject: [PATCH 08/13] fix bad merge --- internal/pkg/agent/cmd/enroll_cmd.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/internal/pkg/agent/cmd/enroll_cmd.go b/internal/pkg/agent/cmd/enroll_cmd.go index 4214b261342..dc9f4503dac 100644 --- a/internal/pkg/agent/cmd/enroll_cmd.go +++ b/internal/pkg/agent/cmd/enroll_cmd.go @@ -971,12 +971,13 @@ func createFleetServerBootstrapConfig( if esClientCert != "" || esClientCertKey != "" { if es.TLS == nil { es.TLS = &tlscommon.Config{} - } + } es.TLS.Certificate = tlscommon.CertificateConfig{ - Certificate: esClientCert, - Key: esClientCertKey, + Certificate: esClientCert, + Key: esClientCertKey, } + } if host == "" { host = defaultFleetServerHost } From 7a2b96e437eb75cd5050083bfe882e2fdac2d4b3 Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Mon, 15 Jan 2024 11:26:29 -0600 Subject: [PATCH 09/13] Fix linter --- internal/pkg/agent/cmd/install_test.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/internal/pkg/agent/cmd/install_test.go b/internal/pkg/agent/cmd/install_test.go index 7753322844c..742d4b7b761 100644 --- a/internal/pkg/agent/cmd/install_test.go +++ b/internal/pkg/agent/cmd/install_test.go @@ -52,9 +52,10 @@ func TestInvalidBasePath(t *testing.T) { t.Run(name, func(t *testing.T) { streams := cli.NewIOStreams() cmd := newInstallCommandWithArgs([]string{}, streams) - cmd.Flags().Set(flagInstallBasePath, test.basePath) + err := cmd.Flags().Set(flagInstallBasePath, test.basePath) + require.NoEror(t, err) - err := installCmd(streams, cmd) + err = installCmd(streams, cmd) if test.expectedError == "" { require.NoError(t, err) From 778756d2b642801db25c0a2b21ed630cae6042b7 Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Mon, 15 Jan 2024 11:44:31 -0600 Subject: [PATCH 10/13] Fix typo --- internal/pkg/agent/cmd/install_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/internal/pkg/agent/cmd/install_test.go b/internal/pkg/agent/cmd/install_test.go index 742d4b7b761..221fda4648d 100644 --- a/internal/pkg/agent/cmd/install_test.go +++ b/internal/pkg/agent/cmd/install_test.go @@ -53,7 +53,7 @@ func TestInvalidBasePath(t *testing.T) { streams := cli.NewIOStreams() cmd := newInstallCommandWithArgs([]string{}, streams) err := cmd.Flags().Set(flagInstallBasePath, test.basePath) - require.NoEror(t, err) + require.NoError(t, err) err = installCmd(streams, cmd) From 5bea4030b72088d057edb413938d1228c1d571c3 Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Mon, 15 Jan 2024 12:20:01 -0600 Subject: [PATCH 11/13] update notice, fix windows tests --- NOTICE.txt | 4 ++-- internal/pkg/agent/cmd/install_windows_test.go | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/NOTICE.txt b/NOTICE.txt index c3c3d085bb9..1419680aebe 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -1166,11 +1166,11 @@ SOFTWARE -------------------------------------------------------------------------------- Dependency : github.com/elastic/elastic-agent-libs -Version: v0.7.3 +Version: v0.7.4 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.7.3/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.7.4/LICENSE: Apache License Version 2.0, January 2004 diff --git a/internal/pkg/agent/cmd/install_windows_test.go b/internal/pkg/agent/cmd/install_windows_test.go index 58afb650e8b..3f02db265cd 100644 --- a/internal/pkg/agent/cmd/install_windows_test.go +++ b/internal/pkg/agent/cmd/install_windows_test.go 
@@ -52,10 +52,11 @@ func TestInvalidBasePath(t *testing.T) { for name, test := range tests { t.Run(name, func(t *testing.T) { streams := cli.NewIOStreams() - cmd := cobra.Command{} - cmd.Flags().String(flagInstallBasePath, test.basePath, "") + cmd := newInstallCommandWithArgs([]string{}, streams) + err := cmd.Flags().Set(flagInstallBasePath, test.basePath) + require.NoError(t, err) - err := installCmd(streams, &cmd) + err = installCmd(streams, &cmd) if test.expectedError == "" { require.NoError(t, err) From 9c6d0fbe82d34ce419be0108d5011061731cad51 Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Mon, 15 Jan 2024 12:28:32 -0600 Subject: [PATCH 12/13] fix windows test --- internal/pkg/agent/cmd/install_windows_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/internal/pkg/agent/cmd/install_windows_test.go b/internal/pkg/agent/cmd/install_windows_test.go index 3f02db265cd..855f1107146 100644 --- a/internal/pkg/agent/cmd/install_windows_test.go +++ b/internal/pkg/agent/cmd/install_windows_test.go @@ -9,7 +9,6 @@ package cmd import ( "testing" - "github.com/spf13/cobra" "github.com/stretchr/testify/require" "github.com/elastic/elastic-agent/internal/pkg/agent/application/paths" @@ -56,7 +55,7 @@ func TestInvalidBasePath(t *testing.T) { err := cmd.Flags().Set(flagInstallBasePath, test.basePath) require.NoError(t, err) - err = installCmd(streams, &cmd) + err = installCmd(streams, cmd) if test.expectedError == "" { require.NoError(t, err) From ca983205c587a75d51d1097537638ba56ba53f73 Mon Sep 17 00:00:00 2001 From: michel-laterman Date: Mon, 15 Jan 2024 13:49:23 -0600 Subject: [PATCH 13/13] unhide client-auth flag --- internal/pkg/agent/cmd/enroll.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/internal/pkg/agent/cmd/enroll.go b/internal/pkg/agent/cmd/enroll.go index 10644dc8e32..b6cd4071578 100644 --- a/internal/pkg/agent/cmd/enroll.go +++ b/internal/pkg/agent/cmd/enroll.go 
@@ -83,8 +83,7 @@ func addEnrollFlags(cmd *cobra.Command) { cmd.Flags().Bool("skip-daemon-reload", false, "Skip daemon reload after enrolling") cmd.Flags().StringSliceP("tag", "", []string{}, "User set tags") - cmd.Flags().MarkHidden("skip-daemon-reload") //nolint:errcheck // an error is only returned if the flag does not exist. - cmd.Flags().MarkHidden("fleet-server-client-auth") //nolint:errcheck // FIXME this is not fully implemented + cmd.Flags().MarkHidden("skip-daemon-reload") //nolint:errcheck // an error is only returned if the flag does not exist. } func validateEnrollFlags(cmd *cobra.Command) error {