update elastic-agent-libs

[AndersonQ]

What is the problem this PR solves?

fleet-server using an outdated version of elastic-agent-libs

How does this PR solve the problem?

by updating elastic-agent-libs ot its latest version

How to test this PR locally

Ensure mTLS is still working

adjust the IPs/hostnames as needed

build a fleet-server out of this PR

go build

you might need to build an 8.16 agent out of main:

AGENT_PACKAGE_VERSION=8.16.0-SNAPSHOT BEATS_VERSION=8.16.0-SNAPSHOT DEV=true SNAPSHOT=true EXTERNAL=true PLATFORMS="linux/amd64" PACKAGES="tar.gz" mage package

add your fleet server built to the agent package

tar -xf elastic-agent-8.16.0-SNAPSHOT-linux-x86_64.tar.gz
cp path/tp/your/fleet-server ./elastic-agent-8.16.0-SNAPSHOT-linux-x86_64/data/elastic-agent-*/components/fleet-server

create 2 TLS certificates

• use elastic-agent-libs/testing/certutil/cmd to create the certificates. Make sure to use elastic-agent-libs with this PR merged or use the PR branch
• either make your fleet-server reachable on fleet-server or change -name fleet-server to a valid DNS for your fleet-server.

go run main.go -prefix server -name fleet-server -noip
go run main.go -client -prefix client

you should have:

-rw------- 1 ainsoph ainsoph  312 Oct 24 16:36 client-ca_key.pem
-rw------- 1 ainsoph ainsoph  928 Oct 24 16:36 client-ca.pem
-rw------- 1 ainsoph ainsoph  312 Oct 24 16:36 client-client_key.pem
-rw------- 1 ainsoph ainsoph  895 Oct 24 16:36 client-client.pem

-rw------- 1 ainsoph ainsoph  312 Oct 24 16:37 server-ca_key.pem
-rw------- 1 ainsoph ainsoph  932 Oct 24 16:37 server-ca.pem
-rw------- 1 ainsoph ainsoph  312 Oct 24 16:37 server-fleet-server_key.pem
-rw------- 1 ainsoph ainsoph  928 Oct 24 16:37 server-fleet-server.pem

start an elastic stack (considering elastic-cloud)

add a fleet server with mTLS

elastic-agent install -nf \
--url=https://fleet-server:8220 \
--fleet-server-es=https://es.elastic-cloud.com:443 \
--fleet-server-service-token=a-service-token \
--fleet-server-policy=fleet-server-policy \
--certificate-authorities=/root/certs/server-ca.pem,/root/certs/client-ca.pem,/etc/ssl/certs/ca-certificates.crt \
--fleet-server-cert=/root/certs/server-fleet-server.pem \
--fleet-server-cert-key=/root/certs/server-fleet-server_key.pem \
--elastic-agent-cert=/root/certs/client-client.pem \
--elastic-agent-cert-key=/root/certs/client-client_key.pem \
--fleet-server-client-auth=required \
--fleet-server-port=8220

create a policy with Elastic Defend

add an agent to that policy

elastic-agent install -nf \
--url=https://fleet-server:8220 \
--enrollment-token=a-token \
--certificate-authorities=/root/certs/server-ca.pem,/etc/ssl/certs/ca-certificates.crt \
--elastic-agent-cert=/root/certs/client-client.pem \
--elastic-agent-cert-key=/root/certs/client-client_key.pem 

Design Checklist

• [ ] I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• [ ] I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• [ ] I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• [ ] I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• [ ] I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool

Related issues

• N/A

[mergify]

This pull request does not have a backport label. Could you fix it @AndersonQ? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

[mergify]

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

[cmacknz]

Needs a changelog for the mTLS certificate verification change at least, and anything else significant that has come in as part of this version bump.

[AndersonQ]

the git push didn't go through, it's there now

[AndersonQ]

/test

[cmacknz]

I don't think this is clear enough. Fleet Server's TLS certificate is a critical part of agent security. Explain why this was done and what the possible consequences are, in particular separate out the impact for mTLS and standard TLS if they are different.

[cmacknz]

The PR description here should also reflect what the actual change in elastic-agent-libs is, because there is only one elastic/elastic-agent-libs@4babafd

We should also detail what testing has or needs to happen to make sure this doesn't break anything or regress TLS security accidentally.

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube