[Fleet] Allow more registry proxy configuration #78968
Comments
Pinging @elastic/ingest-management (Team:Ingest Management)
…ing Registry (#78648)

## Summary

If given a `xpack.fleet.registryProxyUrl` setting, Package Manager will use it when contacting the Registry. This only affects the outbound connection Package Manager makes to the Registry to search for available packages, download assets, etc.

### Configuration

<details><summary><strike>Initial PR: common environment variables</strike></summary>
<p>Currently the value must come from a <a href="https://github.com/Rob--W/proxy-from-env#environment-variables">list of popular environment variables</a> which include <code>ALL_PROXY</code>, <code>HTTPS_PROXY</code>, lowercase versions of those, and many more.</p>
<p>Start kibana with a proxy set in an environment variable like: <code>HTTPS_PROXY=https://localhost:8443 yarn start</code></p>
</details>

_update_ based on discussion in the comments, the initial environment variables approach was removed in favor of `xpack.ingestManager.registryProxyUrl`

#### see #78968 for additional configuration coming later

### Checklist

- [ ] ~~[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials.~~ Created #78961 to track
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Created #78968 to track the additional configuration work

refs #70710
…ing Registry (#78648) (#79758)
As our company has SSL interception in place on the proxy, we really need something to disable the certificate check or a possibility to add our CA to the cert trust chain.

If you have a specific CA that you need Kibana's backend to trust, you should be able to use the

@joshdover thank you for the hint. I have to check if there is a possibility to inject such environment vars in ECE, and also the needed CA files.
@horvatal I believe the runtime will also respect any system-wide installed CAs, though in the context of ECE this would mean any CAs installed into the Kibana docker images. We have documentation here about how to add custom Kibana plugins to a custom docker image and configure ECE to use your custom image. You should be able to largely follow the same process, except instead of installing a plugin, you'll need to add your CA. Our docker images use CentOS as the base image, so I believe your custom Dockerfile would look something like:

```dockerfile
FROM docker.elastic.co/cloud-assets/kibana:7.14.0-0
MAINTAINER Your Name <youremail@example.com>
# Copy the CA certificate into the system trust anchors directory
ADD mycert.pem /etc/pki/ca-trust/source/anchors/mycert.pem
# Rebuild the system CA trust store so it includes the new anchor
RUN update-ca-trust
```
#78648 added this interface for specifying proxy settings/behavior when connecting to package registry (EPR).
kibana/x-pack/plugins/ingest_manager/server/services/epm/registry/proxy.ts
Lines 14 to 18 in 243e56c
Note: `proxyRejectUnauthorizedCertificates` should be changed to required boolean type, so that it defaults to `true` instead of undefined.

Progress on exposing those values for configuration

- `xpack.fleet.*`
  - `registryProxyUrl` #78648
  - `registryProxyHeaders`
  - `registryProxyRejectUnauthorizedCertificates`
- `kibana.yml` when making requests to the Registry
- `rejectUnauthorized: true` behavior
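The defaulting asked for in the note above, sketched as an added example (not Kibana's code; the type and function names are hypothetical): the three `xpack.fleet.*` values are resolved so that certificate verification is on unless the setting is the boolean `false`, and malformed values are rejected instead of coerced.

```typescript
// Added example: names below are hypothetical, not Kibana's actual types.
type RawFleetConfig = Record<string, unknown>; // parsed xpack.fleet.* values

interface ResolvedProxySettings {
  proxyUrl: string;
  proxyHeaders: Record<string, string>;
  proxyRejectUnauthorizedCertificates: boolean; // required, never undefined
  warnings: string[];
}

function resolveProxySettings(raw: RawFleetConfig): ResolvedProxySettings | undefined {
  const url = raw.registryProxyUrl;
  if (url === undefined) return undefined; // no proxy configured
  if (typeof url !== 'string' || !/^https?:\/\/[^\s/]+/i.test(url)) {
    throw new Error('registryProxyUrl must be an http(s) URL');
  }

  // Fail closed: verification stays on unless the value is the boolean false.
  // A string such as "false" is rejected instead of being coerced.
  let rejectUnauthorized = true;
  const reject = raw.registryProxyRejectUnauthorizedCertificates;
  if (reject !== undefined) {
    if (typeof reject !== 'boolean') {
      throw new Error('registryProxyRejectUnauthorizedCertificates must be a boolean');
    }
    rejectUnauthorized = reject;
  }

  // Headers must be a name -> string map with no CR/LF in names or values.
  const rawHeaders = raw.registryProxyHeaders === undefined ? {} : raw.registryProxyHeaders;
  if (typeof rawHeaders !== 'object' || rawHeaders === null || Array.isArray(rawHeaders)) {
    throw new Error('registryProxyHeaders must be a map of header name to value');
  }
  const headerMap = rawHeaders as Record<string, unknown>;
  const proxyHeaders: Record<string, string> = {};
  for (const name of Object.keys(headerMap)) {
    const value = headerMap[name];
    if (typeof value !== 'string' || /[\r\n]/.test(name + value)) {
      throw new Error('invalid proxy header: ' + JSON.stringify(name));
    }
    proxyHeaders[name] = value;
  }

  // Surface a disabled check so it shows up in startup logs.
  const warnings: string[] = rejectUnauthorized
    ? []
    : ['certificate verification is disabled for Registry proxy requests'];
  return { proxyUrl: url, proxyHeaders, proxyRejectUnauthorizedCertificates: rejectUnauthorized, warnings };
}
```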