alexandra5000
Contributor

This PR updates Fleet documentation pages to reflect new UI support for configuring TLS and mTLS settings.

@alexandra5000 alexandra5000 requested a review from a team as a code owner July 21, 2025 15:17
github-actions bot commented Jul 21, 2025

Contributor

@theletterf theletterf left a comment

Looking good! Added some suggestions and comments.

| **UI Field** | **CLI Flag** | **Purpose** |
|--------------------------------------------------|---------------------------------------|-------------|
| Client SSL Certificate | `--elastic-agent-cert` | {{agent}} client certificate to use with {{fleet-server}} during mTLS authentication. |
| Client SSL Certificate key | `--elastic-agent-cert-key` | {{agent}} client private key to use with {{fleet-server}} during mTLS authentication. This field uses secret storage and requires {{fleet-server}} v8.12.0 or later. You can optionally choose to store the value as plain text instead. |
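
Review bot: in the Client SSL Certificate key row, "You can optionally choose to store the value as plain text instead" offers plain-text storage for a private key without saying when a reader would pick it or what they give up by doing so. Suggest adding a clause that states the intended case, for example whether it is meant for {{fleet-server}} versions earlier than the v8.12.0 the same row requires for secret storage, and that secret storage is otherwise the option to keep.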

I think that these should be -fleet-server-es-cert and -fleet-server-es-cert-key. The --elastic-agent-cert are the ones available under the output section of fleet settings.

| {{es}} Certificate Authorities (optional) | `--fleet-server-es-ca` | Path to certificate authority for {{fleet-server}} to use to communicate with {{es}}. |
| Enable client authentication | `--fleet-server-client-auth=required`| Requires {{agent}} to present a valid client certificate when connecting to {{fleet-server}}. |

The {{fleet}} UI doesn't currently allow editing the {{fleet-server}}’s own exposed TLS certificate (`--fleet-server-cert`, `--fleet-server-cert-key`). These are only configurable using the CLI either during the initial installation or later.

I'm confused by this sentence, I don't think it should be here. These values should be in the table above.

The {{fleet}} UI doesn't currently allow editing the {{fleet-server}}’s own exposed TLS certificate (`--fleet-server-cert`, `--fleet-server-cert-key`). These are only configurable using the CLI either during the initial installation or later.
:::{warning}
Editing SSL or proxy settings for an existing {{fleet-server}} might cause agents to lose connectivity. After changing client certificate settings, you need to re-enroll the affected agents.

you need to re-enroll the affected agents - I'm not 100% sure about this. I would replace it with
you might need to re-enroll the affected agents

2. Under **Fleet Server hosts**, select **Add host** or edit an existing host.
3. Expand the **SSL options** section.

### SSL options

I see where the mix-up is - the elastic-agent-cert and --elastic-agent-cert-key are the ones available under Fleet settings > output. We should point the user to that section if they want to set up an mTLS connection.

@criamico criamico left a comment

LGTM

@alexandra5000 alexandra5000 enabled auto-merge (squash) July 24, 2025 09:53
@alexandra5000 alexandra5000 merged commit 91072f3 into elastic:main Jul 24, 2025
8 checks passed
@alexandra5000 alexandra5000 deleted the ssl branch July 24, 2025 09:54
Successfully merging this pull request may close these issues.

[REQUEST]: Document new SSL options in Fleet settings