Add steps to configure a PGP key for agent upgrade #984
A documentation preview will be available soon. Request a new doc build by commenting
If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here.
@lucabelluccini When you have a chance, please let me know if this new section looks okay. Thanks!
@lucabelluccini trying again. Please have a look if you have a chance. Thanks!
@michel-laterman , @michalpristas , @lucabelluccini
@elasticmachine run docs-build
I still think a developer should review this.
Thanks @lucabelluccini
@michel-laterman or @michalpristas Would either of you mind taking a look at this? Please let me know if you're not the right people to ask.
I think it looks good, do we want to add anything to explain how to use the fleet-server endpoint as an alternative when distributing gpg keys (issue elastic/fleet-server#2887)?
@michel-laterman I've added the steps below, but I'm way out of my depth here so please let me know whatever needs fixing up.
In an air-gapped environment, the agent won't be able to download the remote key and therefore cannot be upgraded. For versions 8.9.0 to 8.10.3, you can resolve this problem following the steps described in the associated link:https://www.elastic.co/guide/en/fleet/8.9/release-notes-8.9.0.html#known-issues-8.9.0[known issue] documentation. | ||
Starting in version 8.10.4, you can resolve this problem by configuring {agents} to download the PGP/GPG key from a custom URL specified in {fleet-server}: |
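Review bot: this sentence says the agents download the key from a custom URL specified in fleet-server, but the discussion on this thread states the agents do not use the URL set in the fleet-server config: they request the key from fleet-server's own endpoint, and it is fleet-server that fetches from `server.pgp.upstream_url` when no `default.pgp` is on disk. Suggest rewording along the lines of `Starting in version 8.10.4, you can resolve this problem by configuring {fleet-server} to serve the PGP/GPG key to {agents}, either from a key placed on disk or from a custom upstream URL:` so readers do not expect the agent to contact the custom URL directly.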
I think my reading comprehension on my 1st pass wasn't great.
Just to be clear, fleet-server serves PGP keys at `GET /api/agents/upgrades/{major}.{minor}.{patch}/pgp-public-key`. It will serve the key in `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` by default; if there is no `default.pgp` key in the dir it will look upstream to retrieve a key; `server.pgp.upstream_url` can be used to configure a custom URL for fleet-server to use.
IIRC agents will try to get the upstream key, then the fleet-server endpoint (@michalpristas please confirm), they do not use the url we add to fleet-server config
By default, {fleet-server} serves {agents} with the key located in `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp`. | ||
The key is served through the endpoint `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp`. | ||
Accessing the endpoint requires a valid API key and the endpoint is rate limited. |
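Review bot: the second sentence reuses the on-disk path `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` as "the endpoint", so the first two sentences describe the same file twice and the HTTP route is never named; according to this thread the route is `GET /api/agents/upgrades/{major}.{minor}.{patch}/pgp-public-key`. Suggest `The key is served through the endpoint \`GET /api/agents/upgrades/{major}.{minor}.{patch}/pgp-public-key\`.` The API-key claim in the third sentence is questioned further down; it should be confirmed with the developers before this merges.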
Accessing the endpoint requires a valid API key and the endpoint is rate limited. | |
Accessing the endpoint requires a valid API key and the endpoint is rate limited. |
I am not sure we're protecting the key via API key - can we confirm?
If yes, are Elastic Agent adding the API Key to the requests?
The key is served through the endpoint `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp`. | ||
Accessing the endpoint requires a valid API key and the endpoint is rate limited. | ||
If there isn't a `default.pgp` key in the `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` directory, {fleet-server} instead will attempt to retrieve a PGP/GPG key from the URL that you can specify with the `server.pgp.upstream_url` setting. |
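Review bot: `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` is named as the directory, but that is the full file path; the directory is `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys`. Suggest `If there isn't a \`default.pgp\` key in the \`FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys\` directory, ...`. It would also help air-gapped readers to say that the key fetched from the upstream URL is saved to disk and served from then on (as the developer confirms later in this thread), since that decides whether upstream access is needed once or on every request.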
If there isn't a `default.pgp` key in the `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` directory, {fleet-server} instead will attempt to retrieve a PGP/GPG key from the URL that you can specify with the `server.pgp.upstream_url` setting. | |
If there isn't a `default.pgp` key in the `FLEETSERVER_BINARY_DIR/elastic-agent-upgrade-keys/default.pgp` directory, {fleet-server} instead will attempt to retrieve a PGP/GPG key from the URL that you can specify with the `server.pgp.upstream_url` setting. |
Few points to clarify:
- Is the `default.pgp` bundled with Fleet Server? If it's bundled, air-gapped users are good to go with it.
- Is the `default.pgp` downloaded lazily from https://artifacts.elastic.co/GPG-KEY-elastic-agent by default? If it is the case, then air-gapped users can grant access to it (HTTP Proxy or open the firewall).
- Is the `default.pgp` downloaded lazily from the URL provided via the `server.pgp.upstream_url` setting? If it is the case, then air-gapped users can specify a URL so that it will be downloaded from there.
It's a lazy download from `server.pgp.upstream_url`
To be very clear:
- Is the `default.pgp` bundled with Fleet Server? No, on install this file does not exist; but a user can add it manually (write the file on the instance) if there is 0 internet access in order to distribute it to the agents.
- Is the `default.pgp` downloaded lazily from https://artifacts.elastic.co/GPG-KEY-elastic-agent by default? Yes, the default value of `server.pgp.upstream_url` is https://artifacts.elastic.co/GPG-KEY-elastic-agent; if `default.pgp` is not on-disk when the key is requested, fleet-server will download the file from the upstream URL, save it to disk and serve it.
- Is the `default.pgp` downloaded lazily from the URL provided via the `server.pgp.upstream_url` setting? Yes, see above 😄
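The lookup order described in the answer above, modelled as a small Go function. This is an added illustration, not fleet-server's own code: the `Fetcher` type, the `ServeUpgradeKey` name and the armored-header check are assumptions made here so the model runs offline and never caches a non-key response.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Fetcher stands in for the HTTP GET of server.pgp.upstream_url; injected so this runs offline.
type Fetcher func(url string) ([]byte, error)

const (
	KeyRelPath         = "elastic-agent-upgrade-keys/default.pgp" // under FLEETSERVER_BINARY_DIR
	DefaultUpstreamURL = "https://artifacts.elastic.co/GPG-KEY-elastic-agent"
)

var armorHeader = []byte("-----BEGIN PGP PUBLIC KEY BLOCK-----")

// ServeUpgradeKey models the lookup order described above: serve default.pgp if it is on disk
// (the manually placed, air-gapped case); otherwise lazily fetch it from upstreamURL, save it,
// then serve it. The armor check is an added safeguard (not from the page) so an error or
// captive-portal page returned by the upstream is never cached and served as the key.
func ServeUpgradeKey(binaryDir, upstreamURL string, fetch Fetcher) ([]byte, error) {
	path := filepath.Join(binaryDir, KeyRelPath)
	data, err := os.ReadFile(path)
	if err == nil {
		return data, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	if data, err = fetch(upstreamURL); err != nil {
		return nil, fmt.Errorf("no %s on disk and upstream fetch failed: %w", KeyRelPath, err)
	}
	if !bytes.HasPrefix(bytes.TrimSpace(data), armorHeader) {
		return nil, fmt.Errorf("upstream %s did not return an armored PGP public key", upstreamURL)
	}
	if err = os.MkdirAll(filepath.Dir(path), 0o755); err == nil {
		err = os.WriteFile(path, data, 0o644) // cache so later requests need no upstream access
	}
	if err != nil {
		return nil, err
	}
	return data, nil
}

func main() {
	// Constructed stand-in for the upstream response; not a real Elastic key.
	fake := func(string) ([]byte, error) { return []byte("-----BEGIN PGP PUBLIC KEY BLOCK-----\nAAAA\n-----END PGP PUBLIC KEY BLOCK-----\n"), nil }
	key, err := ServeUpgradeKey(filepath.Join(os.TempDir(), "fleet-pgp-example"), DefaultUpstreamURL, fake)
	fmt.Println(len(key), err)
}
```

The first call for a given directory hits the upstream and writes the file; every later call is answered from disk, which is what makes a one-time proxy opening or a manually copied `default.pgp` sufficient in an air-gapped setup.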
@michel-laterman I'm sorry to bring this one up again (I lost track of it and am doing some housekeeping now).
Is there anything I need to clarify in the text above, or do you think this is okay to merge as is?
I don't think so
Hello @kilfoyle - I've left some comments. We might need clarifications by the developers.
Thanks @lucabelluccini I've added in your suggestions. @michel-laterman when you have time I'd appreciate if you can help with Luca's questions. I've updated the screen capture here to show the latest version.
This adds instructions for air-gapped environments on how to set `server.pgp.upstream_url` so that Elastic Agents can access the PGP/GPG key required for upgrade. See docs preview page.
Please let me know if I've missed anything, especially in the "Note that" section under the steps.
Closes: #980
Rel: https://github.com/elastic/sdh-beats/issues/4496