elastic
diff --git a/‎deploy/helm/elastic-agent/README.md‎
Lines changed: 17 additions & 1 deletion b/‎deploy/helm/elastic-agent/README.md‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎deploy/helm/elastic-agent/examples/fleet-managed-certificates/README.md‎
Lines changed: 38 additions & 0 deletions b/‎deploy/helm/elastic-agent/examples/fleet-managed-certificates/README.md‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎deploy/helm/elastic-agent/examples/fleet-managed-certificates/fleet-values.yaml‎
Lines changed: 41 additions & 0 deletions b/‎deploy/helm/elastic-agent/examples/fleet-managed-certificates/fleet-values.yaml‎
Lines changed: 41 additions & 0 deletions
@@ -157,9 +157,25 @@ The chart built-in [kubernetes integration](https://docs.elastic.co/integrations
 | agent.fleet.enabled | bool | `false` | enable elastic-agent managed |
 | agent.fleet.url | string | `""` | Fleet server URL |
 | agent.fleet.token | string | `""` | Fleet enrollment token |
-| agent.fleet.insecure | bool | `false` | Fleet insecure url |
+| agent.fleet.insecure | bool | `false` | Communicate with Fleet with either insecure HTTP or unverified HTTPS |
+| agent.fleet.force | bool | `false` | Enforce enrollment even if agent is already enrolled |
+| agent.fleet.ca.value | string | `""` | Value of the CA certificate for connecting to Fleet |
+| agent.fleet.ca.valueFromSecret.name | string | `""` | Secret name for the CA certificate |
+| agent.fleet.ca.valueFromSecret.key | string | `""` | Secret key for the CA certificate |
+| agent.fleet.agentCert.value | string | `""` | Value of Elastic Agent client certificate for Fleet Server mTLS |
+| agent.fleet.agentCert.valueFromSecret.name | string | `""` | Secret name for the Elastic Agent client certificate |
+| agent.fleet.agentCert.valueFromSecret.key | string | `""` | Key in the secret for the Elastic Agent client certificate |
+| agent.fleet.agentCertKey.value | string | `""` | Value of Elastic Agent client private key for Fleet Server mTLS |
+| agent.fleet.agentCertKey.valueFromSecret.name | string | `""` | Secret name for the Elastic Agent client private key |
+| agent.fleet.agentCertKey.valueFromSecret.key | string | `""` | Key in the secret for the Elastic Agent client private key |
+| agent.fleet.tokenName | string | `""` | Token name to use for fetching token from Kibana if the enrollment token is not supplied |
+| agent.fleet.policyName | string | `""` | Token policy name to use for fetching token from Kibana if the enrollment token is not supplied |
 | agent.fleet.kibanaHost | string | `""` | Kibana host to fallback if enrollment token is not supplied |
 | agent.fleet.kibanaUser | string | `""` | Kibana username to fallback if enrollment token is not supplied |
 | agent.fleet.kibanaPassword | string | `""` | Kibana password to fallback if enrollment token is not supplied |
+| agent.fleet.kibanaCA.value | string | `""` | Value of the CA certificate for Kibana if the enrollment token is not supplied |
+| agent.fleet.kibanaCA.valueFromSecret.name | string | `""` | Secret name for the Kibana CA certificate |
+| agent.fleet.kibanaCA.valueFromSecret.key | string | `""` | Key in the secret for the Kibana CA certificate |
+| agent.fleet.kibanaServiceToken | string | `""` | Service token to use when connecting to Kibana if the enrollment token is not supplied |
 | agent.fleet.preset | string | `"perNode"` | Agent preset to deploy |
 
@@ -0,0 +1,38 @@
+# Example: Managed by Fleet Elastic Agent with self-signed certificates
+
+This example demonstrates deploying an Elastic Agent that is managed by Fleet with custom fleet-related certificates, including CA certificates and client certificates for mutual TLS (mTLS).
+
+## Prerequisites:
+## Prerequisites
+
+Before deploying, you should:
+
+1. Set up an [Agent policy](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html#elastic-agent-installation-steps) in Fleet.
+2. Follow [this guide](https://www.elastic.co/guide/en/fleet/8.17/add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-cert-prereq) to set up an agent policy and enroll an agent to it. Do not download any binary, from the proposed enrollment command just extract the Fleet URL (`--url=$FLEET_URL`) and Enrollment token (`--enrollment-token=$FLEET_TOKEN`).
+3. Create Kubernetes secrets holding the necessary certificates (CA certificate, client certificate, and client private key) or have the certificate files available locally to use with the `--set-file` Helm CLI argument.
+4. Build the dependencies of the Helm chart
+    ```console
+    helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+    helm dependency build ../../
+    ```
+## Run:
+
+```console
+helm install elastic-agent ../../ \
+     --set agent.fleet.enabled=true \
+     --set agent.fleet.url=$FLEET_URL \
+     --set agent.fleet.token=$FLEET_TOKEN \
+     --set agent.fleet.preset=perNode \
+     --set-file agent.fleet.ca.value=path/to/ca.crt \
+     --set-file agent.fleet.agentCert.value=path/to/agent.crt \
+     --set-file agent.fleet.agentCertKey.value=agent.key \
+     --set-file agent.fleet.kibanaCA.value=path/to/kibanaca.crt \
+     -n kube-system
+```
+
+## Validate:
+
+1. `kube-state metrics` is installed with this command `kubectl get deployments -n kube-system kube-state-metrics`.
+2. Install Kubernetes integration to the agent policy that corresponds to the enrolled agents.
+3. The Kibana `kubernetes`-related dashboards should start showing the respective info.
+
@@ -0,0 +1,41 @@
+kubernetes:
+  enabled: true
+system:
+  enabled: true
+agent:
+  fleet:
+    enabled: true
+    url: http://localhost:8220
+    token: fleetToken
+    ca:
+      value: |-
+        -----BEGIN CERTIFICATE-----
+        MIIBaDCCARCgAWIBAgIQNJyw4xhweOFK3/FqGLQF6TAKBggqhkjOPQQDAJAVMRMw
+        EQYDVQQDEwpjbHVzdGVyLWNhMB4XDTI1MDEWODAOMDIyMFoXDTM1IMDEwNjAOMDIy
+        MFowFTETMBEGA1UEAXMKY2x1c3R1Ucil1jYTBZMBMGByqGSM49AgEGCCqGSM49AWEH
+        A0TABPcDLjOSlwAmeHbHFerT+SmTNqxckANmRPItCPRgkp2cq12a1C/ckQEebE1A
+        B7WpiRaUQQkBpmNjcAPVIdfdnbWjQjBAMA4GA1UdDWEB/wQEAwICpDAPBgNVHRMB
+        Af8EBTADAQH/MBOGA1UdDgQWBBTA5SRUKOE90/xKntDXcpZSvlL1JDBDAKBggqhkj0
+        PQQDAGNGADBDAiAFghoM1M53abi968RyR+DwVX3S92aiu7MogtnuKCgPLQIFRRza
+        Ondv3U1X2Qwo2ZELignHs3JLWucWvCIqmbW2+A==
+        -----END CERTIFICATE-----
+    agentCert:
+      valueFromSecret:
+        name: agent-cert
+        key: crt
+    agentCertKey:
+      valueFromSecret:
+        name: agent-cert
+        key: private
+    kibanaCA:
+      value: |-
+        -----BEGIN CERTIFICATE-----
+        MIIBaDCCARCgAWIBAgIQNJyw4xhweOFK3/FqGLQF6TAKBggqhkjOPQQDAJAVMRMw
+        EQYDVQQDEwpjbHVzdGVyLWNhMB4XDTI1MDEWODAOMDIyMFoXDTM1IMDEwNjAOMDIy
+        MFowFTETMBEGA1UEAXMKY2x1c3R1Ucil1jYTBZMBMGByqGSM49AgEGCCqGSM49AWEH
+        A0TABPcDLjOSlwAmeHbHFerT+SmTNqxckANmRPItCPRgkp2cq12a1C/ckQEebE1A
+        B7WpiRaUQQkBpmNjcAPVIdfdnbWjQjBAMA4GA1UdDWEB/wQEAwICpDAPBgNVHRMB
+        Af8EBTADAQH/MBOGA1UdDgQWBBTA5SRUKOE90/xKntDXcpZSvlL1JDBDAKBggqhkj0
+        PQQDAGNGADBDAiAFghoM1M53abi968RyR+DwVX3S92aiu7MogtnuKCgPLQIFRRza
+        Ondv3U1X2Qwo2ZELignHs3JLWucWvCIqmbW2+B==
+        -----END CERTIFICATE-----