[Elastic Agent] Require --insecure on enroll for connection to Kibana (…

…#19900) * Add insecure option to enroll. * Set TLS to not verify on --insecure. * Run mage fmt * Add changelog. * Update enroll for certificate-authorities and ca-sha256. * Update changelog. * Update docstring.
elastic · Jul 14, 2020 · 55c4534 · 55c4534
1 parent 6ae0e72
commit 55c4534
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 16 deletions.
diff --git a/x-pack/elastic-agent/CHANGELOG.asciidoc b/x-pack/elastic-agent/CHANGELOG.asciidoc
@@ -12,6 +12,8 @@
 - Rename agent to elastic-agent {pull}17391[17391]
 - Change fleet.yml structure, causes upgraded agent to register as new agent {pull}19248[19248]
 - Remove obfuscation of fleet.yml, causes re-enroll of agent to Fleet {pull}19678[19678]
+- Rename enroll --ca_sha256 to --ca-sha256 {pull}19900[19900]
+- Rename enroll --certificate_authorities to --certificate-authorities {pull}19900[19900]
 
 ==== Bugfixes
 
@@ -83,3 +85,4 @@
 - Agent now load balances across multiple Kibana instances {pull}19628[19628]
 - Configuration cleanup {pull}19848[19848]
 - Agent now sends its own logs to elasticsearch {pull}19811[19811]
+- Add --insecure option to enroll command {pull}19900[19900]
diff --git a/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc b/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc
@@ -7,16 +7,34 @@ experimental[]
 The `elastic-agent run` command provides flags that alter the behavior of an
 agent:
 
-`-path.home`::
+`--path.home`::
 The home directory of the {agent}. `path.home` determines the location of the
 configuration files and data directory.
++
+If not specified, {agent} uses current working directory.
 
-`-c`::
-The configuration file to load. If not specified, {agent} uses
-`{path.home}/elastic-agent.yml`.
-
-`-path.data`::
+`--path.data`::
 The data directory used by {agent} to store downloaded artifacts. Also stores
 logs for any {beats} started and managed by {agent}.
 +
 If not specified, {agent} uses `{path.home}/data`.
+
+`-c`::
+The configuration file to load.
++
+If not specified, {agent} uses `{path.home}/elastic-agent.yml`.
+
+The `elastic-agent enroll` command provides flags that alter the behaviour of
+the enrollment process.
+
+`--ca-sha256`::
+Comma separated list of certificate authorities hash pins used for certificate verifications.
+
+`--certificate-authorities`::
+Comma separated list of root certificate for server verifications.
+
+`--force`::
+Force overwrite the current and do not prompt for confirmation.
+
+`--insecure`::
+Allow insecure connection to Kibana.
diff --git a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go
@@ -7,6 +7,7 @@ package application
 import (
 	"bytes"
 	"context"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -60,6 +61,7 @@ type EnrollCmdOption struct {
 	URL                  string
 	CAs                  []string
 	CASha256             []string
+	Insecure             bool
 	UserProvidedMetadata map[string]interface{}
 	EnrollAPIKey         string
 }
@@ -69,6 +71,9 @@ func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) {
 	if err != nil {
 		return nil, err
 	}
+	if cfg.Protocol == kibana.ProtocolHTTP && !e.Insecure {
+		return nil, fmt.Errorf("connection to Kibana is insecure, strongly recommended to use a secure connection (override with --insecure)")
+	}
 
 	// Add any SSL options from the CLI.
 	if len(e.CAs) > 0 || len(e.CASha256) > 0 {
@@ -77,6 +82,11 @@ func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) {
 			CASha256: e.CASha256,
 		}
 	}
+	if e.Insecure {
+		cfg.TLS = &tlscommon.Config{
+			VerificationMode: tlscommon.VerifyNone,
+		}
+	}
 
 	return cfg, nil
 }
@@ -113,16 +123,16 @@ func NewEnrollCmdWithStore(
 
 	cfg, err := options.kibanaConfig()
 	if err != nil {
-		return nil, errors.New(err,
-			"invalid Kibana configuration",
+		return nil, errors.New(
+			err, "Error",
 			errors.TypeConfig,
 			errors.M(errors.MetaKeyURI, options.URL))
 	}
 
 	client, err := fleetapi.NewWithConfig(log, cfg)
 	if err != nil {
-		return nil, errors.New(err,
-			"fail to create the API client",
+		return nil, errors.New(
+			err, "Error",
 			errors.TypeNetwork,
 			errors.M(errors.MetaKeyURI, options.URL))
 	}

diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go
@@ -38,9 +38,10 @@ func newEnrollCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStr
 		},
 	}
 
-	cmd.Flags().StringP("certificate_authorities", "a", "", "Comma separated list of root certificate for server verifications")
-	cmd.Flags().StringP("ca_sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications")
+	cmd.Flags().StringP("certificate-authorities", "a", "", "Comma separated list of root certificate for server verifications")
+	cmd.Flags().StringP("ca-sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications")
 	cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation")
+	cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection to Kibana")
 
 	return cmd
 }
@@ -76,6 +77,8 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args
 		}
 	}
 
+	insecure, _ := cmd.Flags().GetBool("insecure")
+
 	logger, err := logger.NewFromConfig("", cfg.Settings.LoggingConfig)
 	if err != nil {
 		return err
@@ -84,10 +87,10 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args
 	url := args[0]
 	enrollmentToken := args[1]
 
-	caStr, _ := cmd.Flags().GetString("certificate_authorities")
+	caStr, _ := cmd.Flags().GetString("certificate-authorities")
 	CAs := cli.StringToSlice(caStr)
 
-	caSHA256str, _ := cmd.Flags().GetString("ca_sha256")
+	caSHA256str, _ := cmd.Flags().GetString("ca-sha256")
 	caSHA256 := cli.StringToSlice(caSHA256str)
 
 	delay(defaultDelay)
@@ -98,6 +101,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args
 		URL:                  url,
 		CAs:                  CAs,
 		CASha256:             caSHA256,
+		Insecure:             insecure,
 		UserProvidedMetadata: make(map[string]interface{}),
 	}
 

diff --git a/x-pack/elastic-agent/pkg/kibana/config.go b/x-pack/elastic-agent/pkg/kibana/config.go
@@ -27,9 +27,16 @@ type Config struct {
 // Protocol define the protocol to use to make the connection. (Either HTTPS or HTTP)
 type Protocol string
 
+const (
+	// ProtocolHTTP is HTTP protocol connection to Kibana.
+	ProtocolHTTP Protocol = "http"
+	// ProtocolHTTPS is HTTPS protocol connection to Kibana.
+	ProtocolHTTPS Protocol = "https"
+)
+
 // Unpack the protocol.
 func (p *Protocol) Unpack(from string) error {
-	if from != "https" && from != "http" {
+	if Protocol(from) != ProtocolHTTPS && Protocol(from) != ProtocolHTTP {
 		return fmt.Errorf("invalid protocol %s, accepted values are 'http' and 'https'", from)
 	}
 
@@ -40,7 +47,7 @@ func (p *Protocol) Unpack(from string) error {
 // DefaultClientConfig creates default configuration for kibana client.
 func DefaultClientConfig() *Config {
 	return &Config{
-		Protocol: Protocol("http"),
+		Protocol: ProtocolHTTP,
 		Host:     "localhost:5601",
 		Path:     "",
 		SpaceID:  "",