Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Fleet] Allow more registry proxy configuration #78968

Open
1 of 3 tasks
jfsiii opened this issue Sep 30, 2020 · 5 comments
Open
1 of 3 tasks

[Fleet] Allow more registry proxy configuration #78968

jfsiii opened this issue Sep 30, 2020 · 5 comments
Labels
Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@jfsiii
Copy link
Contributor

jfsiii commented Sep 30, 2020

#78648 added this interface for specifying proxy settings/behavior when connecting to package registry (EPR).

export interface ProxySettings {
proxyUrl: string;
proxyHeaders?: Record<string, string>;
proxyRejectUnauthorizedCertificates?: boolean;
}

Note: proxyRejectUnauthorizedCertificates should be changed to required boolean type, so that it defaults to true instead of undefined.

Progress on exposing those values for configuration

Proxy setting xpack.fleet.*
URL 💚 registryProxyUrl #78648
additional headers registryProxyHeaders
TLS behavior registryProxyRejectUnauthorizedCertificates
@jfsiii jfsiii self-assigned this Sep 30, 2020
@jfsiii jfsiii added the Team:Fleet Team label for Observability Data Collection Fleet team label Sep 30, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/ingest-management (Team:Ingest Management)

jfsiii pushed a commit that referenced this issue Oct 6, 2020
…ing Registry (#78648)

## Summary
If given a `xpack.fleet.registryProxyUrl` setting, Package Manager will use it when contacting the Registry. This only affects the outbound connection Package Manager makes to the Registry to search for available packages, download assets, etc.

### Configuration
<details><summary><strike>Initial PR: common environment variables</strike></summary>

<p>Currently the value must come from a <a href="https://github.com/Rob--W/proxy-from-env#environment-variables">list of popular environment variables</a> which include <code>ALL_PROXY</code>, <code>HTTPS_PROXY</code>, lowercase versions of those, and many more.</p>

<p>Start kibana with a proxy set in an environment variable like: <code>HTTPS_PROXY=https://localhost:8443 yarn start</code></p>

</details>

_update_ based on discussion in the comments, the initial environment variables approach was removed in favor of `xpack.ingestManager.registryProxyUrl`

#### see #78968 for additional configuration coming later

### Checklist
- [ ] ~~[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials.~~ Created #78961 to track
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Created #78968 to track the additional configuration work

refs #70710
jfsiii pushed a commit that referenced this issue Oct 6, 2020
…ing Registry (#78648) (#79758)

## Summary
If given a `xpack.fleet.registryProxyUrl` setting, Package Manager will use it when contacting the Registry. This only affects the outbound connection Package Manager makes to the Registry to search for available packages, download assets, etc.

### Configuration
<details><summary><strike>Initial PR: common environment variables</strike></summary>

<p>Currently the value must come from a <a href="https://github.com/Rob--W/proxy-from-env#environment-variables">list of popular environment variables</a> which include <code>ALL_PROXY</code>, <code>HTTPS_PROXY</code>, lowercase versions of those, and many more.</p>

<p>Start kibana with a proxy set in an environment variable like: <code>HTTPS_PROXY=https://localhost:8443 yarn start</code></p>

</details>

_update_ based on discussion in the comments, the initial environment variables approach was removed in favor of `xpack.ingestManager.registryProxyUrl`

#### see #78968 for additional configuration coming later

### Checklist
- [ ] ~~[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials.~~ Created #78961 to track
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Created #78968 to track the additional configuration work

refs #70710
@ph ph added the v7.12.0 label Oct 29, 2020
@jfsiii jfsiii removed the v7.12.0 label Feb 16, 2021
@jen-huang jen-huang changed the title [Ingest Manager] Allow greater proxy configuration [Fleet] Allow greater proxy configuration Apr 26, 2021
@jen-huang jen-huang changed the title [Fleet] Allow greater proxy configuration [Fleet] Allow more registry proxy configuration Apr 26, 2021
@horvatal
Copy link
Contributor

As our company has SSL interception in place on the proxy, we really need something to disable the certificate check or a possibility to add our CA to the cert trust chain.

@joshdover
Copy link
Contributor

joshdover commented Aug 30, 2021

If you have a specific CA that you need Kibana's backend to trust, you should be able to use the NODE_EXTRA_CA_CERTS environment variable to allow Kibana's runtime to trust your proxy's public certificate authority. Note that this will cause any request made from Kibana's backend to trust this CA and not only requests to the Fleet Package Registry. I imagine that may be acceptable for your use case, @horvatal?

@horvatal
Copy link
Contributor

@joshdover thank you for the hint. I have to check, if there is a possibility to inject such environment vars in ECE, and also the needed CA files.

@joshdover
Copy link
Contributor

@horvatal I believe the runtime will also respect any system-wide installed CAs, though in the context of ECE this would mean any CAs installed into the Kibana docker images.

We have documentation here about how to add custom Kibana plugins to a custom docker image and configure ECE to use your custom image. You should be able to largely follow the same process, except instead of installing a plugin, you'll need to add your CA. Our docker images use CentOS as the base image, so I believe your custom Dockerfile would look something like:

FROM docker.elastic.co/cloud-assets/kibana:7.14.0-0
MAINTAINER Your Name <youremail@example.com>

ADD mycert.pem /etc/pki/ca-trust/source/anchors/mycert.pem
RUN update-ca-trust

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Team:Fleet Team label for Observability Data Collection Fleet team
Projects
None yet
Development

No branches or pull requests

5 participants