Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #20293 to 7.x: Add certificate TLS verification mode #21024

Merged
merged 2 commits into from
Sep 14, 2020
Merged

Cherry-pick #20293 to 7.x: Add certificate TLS verification mode #21024

merged 2 commits into from
Sep 14, 2020

Conversation

urso
Copy link

@urso urso commented Sep 8, 2020
edited by zube bot
Loading

Cherry-pick of PR #20293 to 7.x branch. Original message:

What does this PR do?

Adds certificate TLS verification mode similar to Kibana and Elasticsearch, essentially skipping the hostname match.

Why is it important?

This is especially useful in k8s-like environments where users may have a certificate in use for their publicly accessible host name, but use a different host name for intra cluster communication. For environments like this in Beats today our only option is to disable TLS verification entirely, but this allows us to keep the majority of verifications enabled without disabling it entirely.

We had to implement essentially the same functionality in ECK for reference, the main difference is that beats also implements cert pinning so there's a little bit of extra logic to combine the two custom verifications: https://github.com/elastic/cloud-on-k8s/blob/master/pkg/utils/cryptutil/tls_verify.go#L18

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

This is something I had difficulty with since it wasn't clear to me how to build a new beat and then use it. I imagine we will want to add additional tests, but I added unit test coverage to start. This is my first libbeat PR and could definitely use guidance here.

Related issues

Closes #8164

Use cases

Screenshots

Logs

@urso urso requested review from a team as code owners September 8, 2020 17:24
@urso urso added [zube]: In Review backport Team:Services (Deprecated) Label for the former Integrations-Services team labels Sep 8, 2020
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 8, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-services (Team:Services)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Sep 8, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Sep 8, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #21024 updated]

  • Start Time: 2020-09-10T10:41:52.477+0000

  • Duration: 73 min 4 sec

Test stats 🧪

Test Results
Failed 0
Passed 20150
Skipped 1863
Total 22013

@urso urso merged commit 6babd7f into elastic:7.x Sep 14, 2020
@urso urso deleted the backport_20293_7.x branch September 14, 2020 14:32
@zube zube bot removed the [zube]: Done label Dec 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@faec faec faec approved these changes

Assignees
No one assigned
Labels
backport Team:Services (Deprecated) Label for the former Integrations-Services team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@urso @elasticmachine @faec