Add steps to configure a PGP key for agent upgrade #984
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -32,6 +32,51 @@ Set the following property in {kib} to enable air-gapped mode in {fleet}. This a | |||||
| xpack.fleet.isAirGapped: true | ||||||
| ---- | ||||||
|
|
||||||
| [discrete] | ||||||
| [[air-gapped-pgp-fleet]] | ||||||
| == Configure {agents} to download a PGP/GPG key from {fleet-server} | ||||||
|
|
||||||
| Starting from version 8.9.0, when {agent} tries to perform an upgrade, it first verifies the binary signature with the key bundled in the agent. This process has a backup mechanism that will use the key coming from `https://artifacts.elastic.co/GPG-KEY-elastic-agent` instead of the one it already has. | ||||||
|
|
||||||
| In an air-gapped environment, an {agent} which doesn't have access to a PGP/GPG key from `https://artifacts.elastic.co/GPG-KEY-elastic-agent` would fail to be upgraded. | ||||||
| For versions 8.9.0 to 8.10.3, you can resolve this problem following the steps described in the associated link:https://www.elastic.co/guide/en/fleet/8.9/release-notes-8.9.0.html#known-issues-8.9.0[known issue] documentation. | ||||||
|
|
||||||
| Starting in version 8.10.4, you can resolve this problem by configuring {agents} to download the PGP/GPG key from {fleet-server}. | ||||||
|
|
||||||
| Starting in version 8.10.4, {agent} will: | ||||||
|
|
||||||
| . Verify the binary signature with the key bundled in the agent. | ||||||
| . If the verification doesn't pass, the agent will download the PGP/GPG key from `https://artifacts.elastic.co/GPG-KEY-elastic-agent` and verify it. | ||||||
| . If that verification doesn't pass, the agent will download the PGP/GPG key from {fleet-server} and verify it. | ||||||
| . If that verification doesn't pass, the upgrade is blocked. | ||||||
|
|
||||||
| By default, {fleet-server} serves {agents} with the key located in `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp`. | ||||||
| The key is served through the {fleet-server} endpoint `GET /api/agents/upgrades/{major}.{minor}.{patch}/pgp-public-key`. | ||||||
|
|
||||||
| If there isn't a `default.pgp` key in the `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` directory, {fleet-server} instead will attempt to retrieve a PGP/GPG key from the URL that you can specify with the `server.pgp.upstream_url` setting. | ||||||
|
There was a problem hiding this comment.
Suggested change
Few points to clarify:
If it's bundled, air-gapped users are good to go with it.
If it is the case, then air-gapped users can grant access to it (HTTP Proxy or open the firewall).
If it is the case, then air-gapped users can specify a URL so that it will be downloaded from there. There was a problem hiding this comment. It's a lazy download from There was a problem hiding this comment. To be very clear:
No, on install this file does not exist; but a user can add it manually write the file on the instance if there is 0 internet access in order to distribute it to the agents
Yes, the default value of
yes, see above 😄 There was a problem hiding this comment. @michel-laterman I'm sorry to bring this one up again (I lost track of it and am doing some housekeeping now). Is there anything I need to clarify in the text above, or do you think this is okay to merge as is?
kilfoyle marked this conversation as resolved.
Show resolved
Hide resolved
kilfoyle marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| You can prevent {fleet} from downloading the PGP/GPG key from `server.pgp.upstream_url` by manually downloading it from `https://artifacts.elastic.co/GPG-KEY-elastic-agent` and storing it at `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp`. | ||||||
|
|
||||||
| To set a custom URL for {fleet-server} to access a PGP/GPG key and make it available to {agents}: | ||||||
|
|
||||||
| . In {kib}, go to *Management > {fleet} > Agent policies*. | ||||||
| . Select a policy for the agents that you want to upgrade. | ||||||
| . On the policy page, in the **Actions** menu for the {fleet-server} integration, select **Edit integration**. | ||||||
| . In the {fleet-server} settings section expand **Change defaults** and **Advanced options**. | ||||||
| . In the **Custom fleet-server configurations** field, add the setting `server.pgp.upstream_url` with the full URL where the PGP/GPG key can be accessed. For example: | ||||||
|
|
||||||
| [source,yaml] | ||||||
| ---- | ||||||
| server.pgp.upstream_url: <http://my-web-server:8080/default.pgp> | ||||||
| ---- | ||||||
|
|
||||||
| The setting `server.pgp.upstream_url` must point to a web server hosting the PGP/GPG key, which must be reachable by the host where {fleet-server} is installed. | ||||||
|
|
||||||
| Note that: | ||||||
|
|
||||||
| * `server.pgp.upstream_url` may be specified as an `http` endpoint (instead of `https`). | ||||||
| * For an `https` endpoint, the CA for {fleet-server} to connect to `server.pgp.upstream_url` must be trusted by {fleet-server} using the `--certificate-authorities` setting that is used globally for {agent}. | ||||||
|
|
||||||
| [discrete] | ||||||
| [[air-gapped-proxy-server]] | ||||||
| == Use a proxy server to access the {package-registry} | ||||||
|
|
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.