[Synthetics] Fix MTLS settings for synthetics service in Kibana

[lucasfcosta]

Summary

This PR fixes the MTLS settings for the service in Kibana which broke due to recent changes in how we used devUrl and other settings to decide how to send requests.

Now, we'll always rejectUnauthorized certs unless users are sending requests to localhost and in dev mode, it doesn't matter whether they serve their own manifests or use devUrl.

Risk Matrix

• Please review the certificate settings carefully to see if there's anything I missed here which would allow for unauthorised certs out of dev and localhost.

How to test this PR

1. Checkout the latest version of the service (make sure it contains the recent changes to DX due to Makefile updates)

2. Run the service as per the instructions on "how to run it locally" that are present in the docs

3. Setup Kibana to use the service using devUrl and basicAuth. Ensure you can create and run monitors (try to use run-once as it's easier to test).

4. Setup Kibana to use the service using devUrl and certificates by copying the crt and key in the service's folder to the Kibana config folder and using it in the Kibana config. For example:

   # Make sure you do NOT have username and password setup for basic auth
   xpack.uptime.service.devUrl: https://localhost:10001
   xpack.uptime.service.tls.certificate: config/123-client.pem
   xpack.uptime.service.tls.key: config/123-client.key

   Ensure you can create and run monitors (try to use run-once as it's easier to test).

5. Setup Kibana to use a local manifest by creating a manifest file like the one below and serving it on port 8081 using npx http-server --port 8081.

   {
     "throttling": {
       "download": 20,
       "upload": 10
     },
     "locations": {
       "local": {
         "url": "https://localhost:10001",
         "geo": {
           "name": "My Test [local]",
           "location": {"lat": 41.25, "lon": -95.86}
         },
         "status": "ga"
       }
     }
   }

   Then update Kibana configs to use the served manifest:

   # Comment the devUrl!
   # xpack.uptime.service.devUrl: https://localhost:10001
   
   xpack.uptime.service.manifestUrl: http://localhost:8081/manifest.json
   
   # Make sure you do NOT have username and password setup for basic auth
   xpack.uptime.service.tls.certificate: config/123-client.pem
   xpack.uptime.service.tls.key: config/123-client.key

   Ensure you can create and run monitors (try to use run-once as it's easier to test).

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/uptime (Team:uptime)

[justinkambic]

Tested locally following provided instructions and it worked without a hitch, both run-once and cron monitors. Thanks for the fix. LGTM.

[shahzad31]

i think this will prevent us from using basic auth in staging environment against qa or staging env. which is probably fine.

[lucasfcosta]

Thanks for adding this. I think it's a good think to clarify:

-> We couldn't use basic auth on those environments anyway because the server itself (service) will refuse basic auth.

The only environment in which basic auth should be enabled is dev.

Therefore this doesn't change the behaviour of the client.

[lucasfcosta]

@elasticmachine merge upstream

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 1cbeb7c
• Storybooks Preview

Metrics [docs]

✅ unchanged

History

• 💚 Build #57339 succeeded 24bfa0d
• 💔 Build #57324 failed 8ebc486

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[awahab07]

Post FF Testing

The connection to the service works via basic auth and via MTLS.