
Add steps to configure a PGP key for agent upgrade #984

Open
wants to merge 6 commits into base: main

Conversation

Contributor

@kilfoyle kilfoyle commented Mar 26, 2024

This adds instructions for air-gapped environments on how to set server.pgp.upstream_url so that Elastic Agents can access the PGP/GPG key required for upgrade.

See docs preview page.

Please let me know if I've missed anything, especially in the "Note that" section under the steps.

Closes: #980
Rel: https://github.com/elastic/sdh-beats/issues/4496

@kilfoyle kilfoyle requested a review from a team as a code owner March 26, 2024 20:35

A documentation preview will be available soon.

Request a new doc build by commenting
  • Rebuild this PR: run docs-build
  • Rebuild this PR and all Elastic docs: run docs-build rebuild

run docs-build is much faster than run docs-build rebuild. A rebuild should only be needed in rare situations.

If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here.

@kilfoyle
Contributor Author

kilfoyle commented Apr 3, 2024

@lucabelluccini When you have a chance, please let me know if this new section looks okay. Thanks!

@kilfoyle
Contributor Author

@lucabelluccini trying again. Please have a look if you have a chance. Thanks!

@kilfoyle
Contributor Author

@michel-laterman , @michalpristas , @lucabelluccini
Can any of you please review and confirm that these added Configure Elastic Agents to download a PGP/GPG key from Fleet Server steps are correct?

@kilfoyle
Contributor Author

@elasticmachine run docs-build

lucabelluccini previously approved these changes Jul 29, 2024
@lucabelluccini
Contributor

I still think a developer should review this.

@kilfoyle
Contributor Author

Thanks @lucabelluccini

I still think a developer should review this.

@michel-laterman or @michalpristas Would either of you mind taking a look at this? Please let me know if you're not the right people to ask.

@michel-laterman
Contributor

I think it looks good, do we want to add anything to explain how to use the fleet-server endpoint as an alternative when distributing gpg keys (issue elastic/fleet-server#2887)?

@kilfoyle
Contributor Author

do we want to add anything to explain how to use the fleet-server endpoint as an alternative when distributing gpg keys (issue elastic/fleet-server#2887)?

@michel-laterman I've added the steps below, but I'm way out of my depth here so please let me know whatever needs fixing up.


[Screenshot, 2024-07-29 3:46:04 PM: preview of the added docs section]


In an air-gapped environment, the agent won't be able to download the remote key and therefore cannot be upgraded. For versions 8.9.0 to 8.10.3, you can resolve this problem following the steps described in the associated link:https://www.elastic.co/guide/en/fleet/8.9/release-notes-8.9.0.html#known-issues-8.9.0[known issue] documentation.

Starting in version 8.10.4, you can resolve this problem by configuring {agents} to download the PGP/GPG key from a custom URL specified in {fleet-server}:
Contributor


I think my reading comprehension on my 1st pass wasn't great.

Just to be clear, fleet-server serves PGP keys at GET /api/agents/upgrades/{major}.{minor}.{patch}/pgp-public-key
It will serve the key in FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp by default; if there is no default.pgp key in the dir it will look upstream to retrieve a key. server.pgp.upstream_url can be used to configure a custom URL for fleet-server to use.

IIRC agents will try to get the upstream key, then the fleet-server endpoint (@michalpristas please confirm), they do not use the url we add to fleet-server config

Contributor Author

@kilfoyle kilfoyle Jul 30, 2024


Thanks @michel-laterman! That's really clear. Here's my attempt to fix things up:


[Screenshot, 2024-08-29 9:39:13 AM: updated preview of the docs section]


By default, {fleet-server} serves {agents} with the key located in `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp`.
The key is served through the endpoint `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp`.
Accessing the endpoint requires a valid API key and the endpoint is rate limited.
Contributor

@lucabelluccini lucabelluccini Aug 23, 2024


Suggested change
Accessing the endpoint requires a valid API key and the endpoint is rate limited.
Accessing the endpoint requires a valid API key and the endpoint is rate limited.
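Review bot: as rendered here the suggested line is identical to the line it replaces, so the intended wording change is not visible; more importantly, the claim that the endpoint "requires a valid API key and the endpoint is rate limited" is not confirmed anywhere in this thread (the questions below ask exactly that), so the sentence should be held back from the doc until a fleet-server developer confirms both that the endpoint enforces an API key and that Elastic Agent sends one on this request.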

I am not sure we're protecting the key via API key - can we confirm?
If yes, are Elastic Agent adding the API Key to the requests?

The key is served through the endpoint `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp`.
Accessing the endpoint requires a valid API key and the endpoint is rate limited.

If there isn't a `default.pgp` key in the `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` directory, {fleet-server} instead will attempt to retrieve a PGP/GPG key from the URL that you can specify with the `server.pgp.upstream_url` setting.
Contributor


Suggested change
If there isn't a `default.pgp` key in the `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` directory, {fleet-server} instead will attempt to retrieve a PGP/GPG key from the URL that you can specify with the `server.pgp.upstream_url` setting.
If there isn't a `default.pgp` key in the `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` directory, {fleet-server} instead will attempt to retrieve a PGP/GPG key from the URL that you can specify with the `server.pgp.upstream_url` setting.
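Review bot: the suggested line calls `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` a directory, but that is the full path of the key file; the directory is `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys`, so the sentence should read "If there isn't a `default.pgp` key in the `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys` directory, {fleet-server} will instead attempt to retrieve a PGP/GPG key from the URL that you can specify with the `server.pgp.upstream_url` setting." Stating the directory correctly matters because an air-gapped operator has to write the file to exactly that location for the upstream fetch to be skipped.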

A few points to clarify:

  • Is the default.pgp bundled with Fleet Server?

If it's bundled, air-gapped users are good to go with it.

  • Is the default.pgp downloaded lazily from https://artifacts.elastic.co/GPG-KEY-elastic-agent by default?

If it is the case, then air-gapped users can grant access to it (HTTP Proxy or open the firewall).

  • Is the default.pgp downloaded lazily from the URL provided via server.pgp.upstream_url setting?

If it is the case, then air-gapped users can specify a URL so that it will be downloaded from there.

Contributor


It's a lazy download from server.pgp.upstream_url

Contributor


To be very clear:

  • Is the default.pgp bundled with Fleet Server?

No, on install this file does not exist; but a user can manually write the file on the instance if there is 0 internet access in order to distribute it to the agents

  • Is the default.pgp downloaded lazily from https://artifacts.elastic.co/GPG-KEY-elastic-agent by default?

Yes, the default value of server.pgp.upstream_url is https://artifacts.elastic.co/GPG-KEY-elastic-agent; if default.pgp is not on-disk when the key is requested, fleet-server will download the file from the upstream URL, save it to disk and serve it

  • Is the default.pgp downloaded lazily from the URL provided via server.pgp.upstream_url setting?

yes, see above 😄
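
The lazy-download behaviour described in this comment and in the earlier one (serve default.pgp from disk if it exists, otherwise fetch the key from server.pgp.upstream_url, save it to disk and serve it), written up as an added Go example; this is not fleet-server's code, and KeyServer, LoadKey, the 1 MiB cap and the armored-header check are assumptions of this illustration (Client must be set by the caller).

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
)

// KeyServer models the lazy-download behaviour from the thread: serve
// <BinaryDir>/elastic-agent-upgrade-keys/default.pgp if it exists, otherwise fetch
// the key from UpstreamURL (server.pgp.upstream_url), save it there and serve it.
type KeyServer struct {
	BinaryDir, UpstreamURL string
	Client                 *http.Client // must be set by the caller
}

func (s *KeyServer) KeyPath() string {
	return filepath.Join(s.BinaryDir, "elastic-agent-upgrade-keys", "default.pgp")
}

// LoadKey (hypothetical name, not fleet-server's API) returns the armored key and whether it was already on disk.
func (s *KeyServer) LoadKey() ([]byte, bool, error) {
	if b, err := os.ReadFile(s.KeyPath()); err == nil {
		return b, true, nil
	}
	resp, err := s.Client.Get(s.UpstreamURL)
	if err != nil {
		return nil, false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, false, fmt.Errorf("upstream %s returned %d", s.UpstreamURL, resp.StatusCode)
	}
	b, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the download at 1 MiB
	if err != nil {
		return nil, false, err
	}
	// Added hardening (not stated on the page): never cache or serve a body that is
	// not an ASCII-armored public key, e.g. a captive-portal or proxy error page.
	if !bytes.HasPrefix(bytes.TrimSpace(b), []byte("-----BEGIN PGP PUBLIC KEY BLOCK-----")) {
		return nil, false, fmt.Errorf("upstream %s did not return an armored PGP public key", s.UpstreamURL)
	}
	if err := os.MkdirAll(filepath.Dir(s.KeyPath()), 0o755); err != nil {
		return nil, false, err
	}
	return b, false, os.WriteFile(s.KeyPath(), b, 0o644)
}
```

An air-gapped operator who pre-stages default.pgp never exercises the upstream path at all. Pointing server.pgp.upstream_url at an internal mirror means trusting that mirror for the key that verifies agent upgrade binaries, so the header check above is only a floor, not a substitute for comparing the staged key's fingerprint against the one published by Elastic.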

Contributor Author


@michel-laterman I'm sorry to bring this one up again (I lost track of it and am doing some housekeeping now).

Is there anything I need to clarify in the text above, or do you think this is okay to merge as is?

Contributor


I don't think so

@lucabelluccini
Contributor

Hello @kilfoyle - I've left some comments. We might need clarifications by the developers.
I've not taken the time to setup an environment to try it out yet.

@kilfoyle kilfoyle removed the request for review from michalpristas August 23, 2024 17:54
@kilfoyle
Contributor Author

Thanks @lucabelluccini, I've added your suggestions. @michel-laterman, when you have time I'd appreciate it if you can help with Luca's questions.

I've updated the screen capture here to show the latest version.

Successfully merging this pull request may close these issues.

[REQUEST]: Document PGP key download from Fleet Server API in air-gapped envs
3 participants