Update beats import to v7.17.20 #3473
Conversation
Update beats import to v7.17.20 and fix how the api tls server is initiated to prevent issue/3435.
What was the explanation for why this broke self-signed certificates? Why this fixes it still isn't clear to me even though the change is small.
LGTM, could the changes be tested locally?
@juliaElastic, I've tested by running fleet-server under agent in a VM against a QA snapshot deployment, do you think that is sufficient or should I run with a locally managed instance of ES as well?
@michel-laterman I think we should test that fleet-server can bootstrap with self-signed certificates, did you test cover that? If so, that should be good.
Yes, I tested and also got @kaanyalti to test locally as well
if err != nil { | ||
return err | ||
} | ||
server.TLSConfig = commonTlsCfg.ToConfig() | ||
server.TLSConfig = commonTLSCfg.BuildServerConfig(cfg.Host) |
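Review bot: the rationale for swapping `ToConfig()` for `BuildServerConfig(cfg.Host)` is missing from the code itself, and the review thread shows it is not obvious; add a one-line comment above `server.TLSConfig = commonTLSCfg.BuildServerConfig(cfg.Host)` stating that BuildServerConfig installs the VerifyConnection hook required since the go 1.15 certificate-verification changes, so the next reader does not have to rediscover it. The same line also renames the receiver from `commonTlsCfg` to `commonTLSCfg`; make sure the declaration is renamed in the same change so the build does not break between commits.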
This is now the same as main so 👍
commonTLSCfg, err := tlscommon.LoadTLSServerConfig(cfg.TLS)
if err != nil {
return err
}
server.TLSConfig = commonTLSCfg.BuildServerConfig(cfg.Host)
// Must enable http/2 in the configuration explicitly.
// (see https://golang.org/pkg/net/http/#Server.Serve)
server.TLSConfig.NextProtos = []string{"h2", "http/1.1"}
ln = tls.NewListener(ln, server.TLSConfig)
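Review bot: `server.TLSConfig.NextProtos = []string{"h2", "http/1.1"}` unconditionally replaces whatever NextProtos `BuildServerConfig` may have populated; if the library config is expected to carry an ALPN list, append to it or check it is empty before overwriting rather than discarding it silently. Also, `ln = tls.NewListener(ln, server.TLSConfig)` hands the same `*tls.Config` pointer to both the listener and `server.TLSConfig`, so the NextProtos assignment must stay before the `tls.NewListener` call as it is here; a comment noting that ordering dependency would prevent a later reshuffle from silently dropping http/2 on the listener.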
BuildServerConfig function was introduced in beats 7.12.x when we updated the required version of go to 1.15.x. It specifies a custom VerifyConnection attribute that is needed for the changes with certificate verification introduced in that version of go.
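The comment above hinges on BuildServerConfig installing a VerifyConnection hook on the server's tls.Config. The following is an added example, not code from fleet-server or from the beats tlscommon package, showing in plain Go what a server config of that shape looks like and how a client that trusts only a self-signed certificate (the bootstrap situation this PR is about) completes a handshake against it: a self-signed certificate minted in-process, an explicit VerifyConnection hook, http/2 enabled through NextProtos, and an in-memory handshake over net.Pipe. The hook's checks, the helper names and the host names are assumptions made for illustration; they are not the library's behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert mints a throwaway self-signed certificate for host with the given
// extended key usages. It is constructed in-process so the example runs offline; it is
// not a certificate from any real deployment.
func newSelfSignedCert(host string, ekus ...x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the certificate is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// buildServerConfig assembles a server tls.Config in the shape the PR ends up with:
// the server certificate, an explicit VerifyConnection hook, and http/2 enabled by
// listing it in NextProtos. The hook is a hypothetical stand-in for the library's own
// verification (not a copy of beats' BuildServerConfig): it requires that ALPN agreed
// on a protocol and, when the peer presented a certificate, verifies that chain against
// clientCAs with the client-auth key usage.
func buildServerConfig(cert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		NextProtos:   []string{"h2", "http/1.1"},
		// RequestClientCert asks for a client certificate without verifying it, so the
		// hook below is the only check applied to one.
		ClientAuth: tls.RequestClientCert,
		// Keeps the in-memory handshake below free of post-handshake ticket writes.
		SessionTicketsDisabled: true,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if cs.NegotiatedProtocol == "" {
				return errors.New("no ALPN protocol negotiated")
			}
			if len(cs.PeerCertificates) == 0 {
				return nil // anonymous client; authentication happens at the API layer
			}
			opts := x509.VerifyOptions{
				Roots:         clientCAs,
				Intermediates: x509.NewCertPool(),
				KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
			}
			for _, c := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(c)
			}
			_, err := cs.PeerCertificates[0].Verify(opts)
			return err
		},
	}
}

// handshakeOverPipe runs a full TLS handshake between an in-memory client and server.
// The client trusts only the server's self-signed certificate, which is the situation
// an agent enrolling against a fleet-server with its own CA is in. It returns the ALPN
// protocol the client ended up with and any handshake error.
func handshakeOverPipe(host string, clientProtos []string) (string, error) {
	srvCert, err := newSelfSignedCert(host, x509.ExtKeyUsageServerAuth)
	if err != nil {
		return "", err
	}
	srvCfg := buildServerConfig(srvCert, x509.NewCertPool())

	roots := x509.NewCertPool()
	roots.AddCert(srvCert.Leaf)
	cliCfg := &tls.Config{RootCAs: roots, ServerName: host, NextProtos: clientProtos, MinVersion: tls.VersionTLS12}

	cRaw, sRaw := net.Pipe()
	defer cRaw.Close()
	defer sRaw.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sRaw, srvCfg).Handshake() }()
	client := tls.Client(cRaw, cliCfg)
	if err := client.Handshake(); err != nil {
		cRaw.Close() // unblock the server side so the goroutine can finish
		return "", fmt.Errorf("client: %w", err)
	}
	if err := <-srvErr; err != nil {
		return "", fmt.Errorf("server: %w", err)
	}
	return client.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	proto, err := handshakeOverPipe("fleet-server.example", []string{"h2", "http/1.1"})
	fmt.Println("negotiated:", proto, "error:", err)
}
```

The point to take from the handshake is that the client succeeds only because the self-signed certificate was added to its RootCAs; the server-side hook is what the text calls the "custom VerifyConnection attribute", and it runs on every connection regardless of whether a client certificate was presented, so any check placed there must tolerate anonymous clients deliberately rather than by accident.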
What is the problem this PR solves?
beats v7.12.0 introduces major changes to how TLS is handled and upgrading causes bootstrapping to fail
How does this PR solve the problem?
Update beats import to v7.17.20 and fix how the api tls server is initiated to prevent #3435.
How to test this PR locally
bootstrap fleet-server built from this pr with an elastic-agent + cluster running v7.17.21-SNAPSHOT
Related issues