From f073e39a0c2257a718f777170faa65758e9517fa Mon Sep 17 00:00:00 2001
From: David Kilfoyle
Date: Fri, 27 Sep 2024 10:51:34 -0400
Subject: [PATCH 1/7] Add missing environment variables for container setup

---
 .../configuration/env/container-envs.asciidoc | 17 +++-
 .../configuration/env/shared-env.asciidoc | 90 ++++++++++++++++---
 2 files changed, 91 insertions(+), 16 deletions(-)

diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
index 74d9e4cda..4d9681c6f 100644
--- a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
+++ b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
@@ -66,8 +66,6 @@ Settings used to prepare the {fleet} plugin in {kib}.
 |===
 | Settings | Description
 
-include::shared-env.asciidoc[tag=kibana-fleet-setup]
-
 include::shared-env.asciidoc[tag=kibana-fleet-host]
 
 include::shared-env.asciidoc[tag=kibana-fleet-username]
@@ -92,12 +90,20 @@ At least one {fleet-server} is required in a deployment.
 |===
 | Settings | Description
 
+include::shared-env.asciidoc[tag=fleet-force]
+
+include::shared-env.asciidoc[tag=fleet-server-client-auth]
+
 include::shared-env.asciidoc[tag=fleet-server-enable]
 
 include::shared-env.asciidoc[tag=fleet-server-elasticsearch-host]
 
 include::shared-env.asciidoc[tag=fleet-server-elasticsearch-ca]
 
+include::shared-env.asciidoc[tag=fleet-server-es-cert]
+
+include::shared-env.asciidoc[tag=fleet-server-es-cert-key]
+
 include::shared-env.asciidoc[tag=fleet-server-service-token]
 
 include::shared-env.asciidoc[tag=fleet-server-service-token-path]
@@ -133,10 +139,17 @@ Settings used to enroll an {agent} into a {fleet-server}. |=== | Settings | Description + +include::shared-env.asciidoc[tag=elastic-agent-cert] + +include::shared-env.asciidoc[tag=elastic-agent-cert-key] + include::shared-env.asciidoc[tag=elastic-agent-tag] include::shared-env.asciidoc[tag=fleet-enroll] +include::shared-env.asciidoc[tag=fleet-force] + include::shared-env.asciidoc[tag=fleet-url] include::shared-env.asciidoc[tag=fleet-enrollment-token] diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc index 3a6174dfb..f6c3334d2 100644 --- a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc +++ b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc 
@@ -17,30 +17,37 @@ OPTIONAL INFO AND EXAMPLE
 
 // =============================================================================
 
-// tag::elastic-agent-tag[]
+// tag::elastic-agent-cert[]
 |
-[id="env-{type}-elastic-agent-tag"]
-`ELASTIC_AGENT_TAGS`
+[id="env-{type}-elastic-agent-cert"]
+`ELASTIC_AGENT_CERT`
 
-| (string) A comma-separated list of tags to apply to {fleet}-managed {agent}s.
-You can use these tags to filter the list of agents in {fleet}.
+| (string) The path to the mutual TLS client certificate that that {agent} will use to connect to {fleet-server}.
 
-// end::elastic-agent-tag[]
+// end::elastic-agent-cert[]
 
 // =============================================================================
 
-// tag::kibana-fleet-setup[]
+// tag::elastic-agent-cert-key[]
 |
-[id="env-{type}-kibana-fleet-setup"]
-`KIBANA_FLEET_SETUP`
+[id="env-{type}-elastic-agent-cert-key"]
+`ELASTIC_AGENT_CERT_KEY`
 
-| (int) Set to `1` to enable {fleet} setup.
-Enabling {fleet} is required before {fleet-server} will start.
-When this action is not performed, a user must manually log in to {kib} and visit the {fleet} page to enable setup.
+| (string) The path to the mutual TLS private key that that {agent} will use to connect to {fleet-server}.
 
-*Default:* none
+// end::elastic-agent-cert-key[]
 
-// end::kibana-fleet-setup[]
+// =============================================================================
+
+// tag::elastic-agent-tag[]
+|
+[id="env-{type}-elastic-agent-tag"]
+`ELASTIC_AGENT_TAGS`
+
+| (string) A comma-separated list of tags to apply to {fleet}-managed {agent}s.
+You can use these tags to filter the list of agents in {fleet}.
+
+// end::elastic-agent-tag[]
 
 // =============================================================================
 
@@ -105,6 +112,20 @@ contains your CA's certificate.
 
 // =============================================================================
 
+// tag::fleet-force[]
+|
+[id="env-{type}-fleet-force"]
+`FLEET_FORCE`
+
+| (int) Set to `1` to force overwrite of the current configuration without prompting for confirmation.
+This flag is helpful when using automation software or scripted deployments.
+
+*Default:* none
+
+// end::fleet-force[]
+
+// =============================================================================
+
 // tag::fleet-server-enable[]
 |
 [id="env-{type}-fleet-server-enable"]
@@ -273,6 +294,21 @@ Overrides the port defined in the policy.
 
 // =============================================================================
 
+// tag::fleet-server-client-auth[]
+|
+[id="env-{type}-fleet-server-client-auth"]
+`FLEET_SERVER_CLIENT_AUTH`
+
+| (string) One of `none`, `optional`, or `required`.
+{fleet-server}'s client authentication option for client mTLS connections.
+If `optional` or `required` is specified, client certificates are verified using CAs.
+
+*Default:* none
+
+// end::fleet-server-client-auth[]
+
+// =============================================================================
+
 // tag::fleet-server-es-ca-trusted-fingerprint[]
 |
 [id="env-{type}-fleet-server-es-ca-trusted-fingerprint"]
@@ -288,6 +324,32 @@ by {agent} for communication. This flag is required when using self-signed certi
 
 // =============================================================================
 
+// tag::fleet-server-es-cert[]
+|
+[id="env-{type}-fleet-server-es-cert"]
+`FLEET_SERVER_ES_CERT`
+
+| (string) The path to the mutual TLS client certificate that that {fleet-server} will use to connect to {es}.
+
+*Default:* `""`
+
+// end::fleet-server-es-cert[]
+
+// =============================================================================
+
+// tag::fleet-server-es-cert-key[]
+|
+[id="env-{type}-fleet-server-es-cert-key"]
+`FLEET_SERVER_ES_CERT_KEY`
+
+| (string) The path to the mutual TLS private key that that {fleet-server} will use to connect to {es}.
+
+*Default:* `""`
+
+// end::fleet-server-es-cert-key[]
+
+// =============================================================================
+
 // tag::fleet-enroll[]
 |
 [id="env-{type}-fleet-enroll"]

From e2ee31249bdc7b06a9c1d20ba9279519a203cd9d Mon Sep 17 00:00:00 2001
From: David Kilfoyle
Date: Fri, 27 Sep 2024 12:26:56 -0400
Subject: [PATCH 2/7] Add more missing settings

---
 .../configuration/env/container-envs.asciidoc | 10 +++
 .../configuration/env/shared-env.asciidoc | 66 ++++++++++++++++++-
 2 files changed, 74 insertions(+), 2 deletions(-)

diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
index 4d9681c6f..99b2d1dcd 100644
--- a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
+++ b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
@@ -92,6 +92,10 @@ At least one {fleet-server} is required in a deployment.
 
 include::shared-env.asciidoc[tag=fleet-force]
 
+include::shared-env.asciidoc[tag=fleet-header]
+
+include::shared-env.asciidoc[tag=fleet-kibana-header]
+
 include::shared-env.asciidoc[tag=fleet-server-client-auth]
 
 include::shared-env.asciidoc[tag=fleet-server-enable]
@@ -104,6 +108,8 @@ include::shared-env.asciidoc[tag=fleet-server-es-cert]
 
 include::shared-env.asciidoc[tag=fleet-server-es-cert-key]
 
+include::shared-env.asciidoc[tag=fleet-server-insecure-http]
+
 include::shared-env.asciidoc[tag=fleet-server-service-token]
 
 include::shared-env.asciidoc[tag=fleet-server-service-token-path]
@@ -124,6 +130,10 @@ include::shared-env.asciidoc[tag=fleet-server-cert-key-passphrase]
 
 include::shared-env.asciidoc[tag=fleet-server-es-ca-trusted-fingerprint]
 
+include::shared-env.asciidoc[tag=fleet-daemon-timeout]
+
+include::shared-env.asciidoc[tag=fleet-server-timeout]
+
 |===
 
 [discrete]
diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
index f6c3334d2..da1e679cd 100644
--- a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
+++ b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
@@ -117,15 +117,41 @@ contains your CA's certificate.
 [id="env-{type}-fleet-force"]
 `FLEET_FORCE`
 
-| (int) Set to `1` to force overwrite of the current configuration without prompting for confirmation.
+| (bool) Set to `true` to force overwrite of the current {agent} configuration without prompting for confirmation.
 This flag is helpful when using automation software or scripted deployments.
 
-*Default:* none
+*Default:* `false`
 
 // end::fleet-force[]
 
 // =============================================================================
 
+// tag::fleet-header[]
+|
+[id="env-{type}-fleet-header"]
+`FLEET_HEADER`
+
+| (string) Specify any headers that that {agent} should send to {fleet-server} during enrollment.
+
+*Default:* none
+
+// end::fleet-header[]
+
+// =============================================================================
+
+// tag::fleet-kibana-header[]
+|
+[id="env-{type}-fleet-kibana-header"]
+`FLEET_KIBANA_HEADER`
+
+| (string) Specify any headers that that {agent} should send when contacting {kib}.
+
+*Default:* none
+
+// end::fleet-kibana-header[]
+
+// =============================================================================
+
 // tag::fleet-server-enable[]
 |
 [id="env-{type}-fleet-server-enable"]
@@ -350,6 +376,42 @@ by {agent} for communication. This flag is required when using self-signed certi
 
 // =============================================================================
 
+// tag::fleet-server-insecure-http[]
+|
+[id="env-{type}-fleet-server-insecure-http"]
+`FLEET_SERVER_INSECURE_HTTP`
+
+| (bool) When `true`, {fleet-server} is exposed over insecure or unverified HTTP.
+Setting this to `true` is not recommended.
+
+*Default:* `false`
+
+// end::fleet-server-insecure-http[]
+
+// =============================================================================
+
+// tag::fleet-daemon-timeout[]
+|
+[id="env-{type}-fleet-daemon-timeout"]
+`FLEET_DAEMON_TIMEOUT`
+
+| (duration) Set to indicate how long {fleet-server} will wait during the bootstrap process for {elastic-agent}.
+
+// end::fleet-daemon-timeout[]
+
+// =============================================================================
+
+// tag::fleet-server-timeout[]
+|
+[id="env-{type}-fleet-server-timeout"]
+`FLEET_SERVER_TIMEOUT`
+
+| (duration) Set to indicate how long {agent} will wait for {fleet-server} to check in as healthy.
+
+// end::fleet-server-timeout[]
+
+// =============================================================================
+
 // tag::fleet-enroll[]
 |
 [id="env-{type}-fleet-enroll"]

From b5cbbab6b0c764e12262138b1e238eb83a5ca57b Mon Sep 17 00:00:00 2001
From: David Kilfoyle
Date: Fri, 27 Sep 2024 12:44:39 -0400
Subject: [PATCH 3/7] fixup

---
 .../configuration/env/container-envs.asciidoc | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
index 99b2d1dcd..27a7940f3 100644
--- a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
+++ b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
@@ -90,14 +90,6 @@ At least one {fleet-server} is required in a deployment. |=== | Settings | Description -include::shared-env.asciidoc[tag=fleet-force] - -include::shared-env.asciidoc[tag=fleet-header] - -include::shared-env.asciidoc[tag=fleet-kibana-header] - -include::shared-env.asciidoc[tag=fleet-server-client-auth] - include::shared-env.asciidoc[tag=fleet-server-enable] include::shared-env.asciidoc[tag=fleet-server-elasticsearch-host] @@ -128,8 +120,14 @@ include::shared-env.asciidoc[tag=fleet-server-cert-key] include::shared-env.asciidoc[tag=fleet-server-cert-key-passphrase] +include::shared-env.asciidoc[tag=fleet-server-client-auth] + include::shared-env.asciidoc[tag=fleet-server-es-ca-trusted-fingerprint] +include::shared-env.asciidoc[tag=fleet-header] + +include::shared-env.asciidoc[tag=fleet-kibana-header] + include::shared-env.asciidoc[tag=fleet-daemon-timeout] include::shared-env.asciidoc[tag=fleet-server-timeout] @@ -149,11 +147,6 @@ Settings used to enroll an {agent} into a {fleet-server}. |=== | Settings | Description - -include::shared-env.asciidoc[tag=elastic-agent-cert] - -include::shared-env.asciidoc[tag=elastic-agent-cert-key] - include::shared-env.asciidoc[tag=elastic-agent-tag] include::shared-env.asciidoc[tag=fleet-enroll] From e78e7402f8270f5390d9669f31b23a1a12ee7fc1 Mon Sep 17 00:00:00 2001 From: David Kilfoyle Date: Fri, 27 Sep 2024 13:20:55 -0400 Subject: [PATCH 4/7] fixup --- .../elastic-agent/configuration/env/container-envs.asciidoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc index 27a7940f3..d4e5af035 100644 --- a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc +++ b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc 
@@ -147,6 +147,10 @@ Settings used to enroll an {agent} into a {fleet-server}.
 |===
 | Settings | Description
 
+include::shared-env.asciidoc[tag=elastic-agent-cert]
+
+include::shared-env.asciidoc[tag=elastic-agent-cert-key]
+
 include::shared-env.asciidoc[tag=elastic-agent-tag]
 
 include::shared-env.asciidoc[tag=fleet-enroll]

From 32952cd614eea7de195d9f40c2a6a4c55440241d Mon Sep 17 00:00:00 2001
From: David Kilfoyle
Date: Fri, 27 Sep 2024 13:23:58 -0400
Subject: [PATCH 5/7] fixup

---
 .../elastic-agent/configuration/env/shared-env.asciidoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
index da1e679cd..5e613ff42 100644
--- a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
+++ b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
@@ -329,7 +329,7 @@ Overrides the port defined in the policy.
 {fleet-server}'s client authentication option for client mTLS connections.
 If `optional` or `required` is specified, client certificates are verified using CAs.
 
-*Default:* none
+*Default:* `none`
 
 // end::fleet-server-client-auth[]
 

From 58d7c189fc61541e275f7f187c1e096a636c41da Mon Sep 17 00:00:00 2001
From: David Kilfoyle
Date: Fri, 27 Sep 2024 13:53:46 -0400
Subject: [PATCH 6/7] fixup

---
 .../configuration/env/shared-env.asciidoc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
index 5e613ff42..9d35b1878 100644
--- a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
+++ b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
@@ -22,7 +22,7 @@ OPTIONAL INFO AND EXAMPLE
 [id="env-{type}-elastic-agent-cert"]
 `ELASTIC_AGENT_CERT`
 
-| (string) The path to the mutual TLS client certificate that that {agent} will use to connect to {fleet-server}.
+| (string) The path to the mutual TLS client certificate that {agent} will use to connect to {fleet-server}.
 
 // end::elastic-agent-cert[]
 
@@ -33,7 +33,7 @@ OPTIONAL INFO AND EXAMPLE
 [id="env-{type}-elastic-agent-cert-key"]
 `ELASTIC_AGENT_CERT_KEY`
 
-| (string) The path to the mutual TLS private key that that {agent} will use to connect to {fleet-server}.
+| (string) The path to the mutual TLS private key that {agent} will use to connect to {fleet-server}.
 
 // end::elastic-agent-cert-key[]
 
@@ -131,7 +131,7 @@ This flag is helpful when using automation software or scripted deployments.
 [id="env-{type}-fleet-header"]
 `FLEET_HEADER`
 
-| (string) Specify any headers that that {agent} should send to {fleet-server} during enrollment.
+| (string) Specify any headers that {agent} should send to {fleet-server} during enrollment.
 
 *Default:* none
 
@@ -144,7 +144,7 @@ This flag is helpful when using automation software or scripted deployments.
 [id="env-{type}-fleet-kibana-header"]
 `FLEET_KIBANA_HEADER`
 
-| (string) Specify any headers that that {agent} should send when contacting {kib}.
+| (string) Specify any headers that {agent} should send when contacting {kib}.
 
 *Default:* none
 
@@ -355,7 +355,7 @@ by {agent} for communication. This flag is required when using self-signed certi
 [id="env-{type}-fleet-server-es-cert"]
 `FLEET_SERVER_ES_CERT`
 
-| (string) The path to the mutual TLS client certificate that that {fleet-server} will use to connect to {es}.
+| (string) The path to the mutual TLS client certificate that {fleet-server} will use to connect to {es}.
 
 *Default:* `""`
 
@@ -368,7 +368,7 @@ by {agent} for communication. This flag is required when using self-signed certi
 [id="env-{type}-fleet-server-es-cert-key"]
 `FLEET_SERVER_ES_CERT_KEY`
 
-| (string) The path to the mutual TLS private key that that {fleet-server} will use to connect to {es}.
+| (string) The path to the mutual TLS private key that {fleet-server} will use to connect to {es}.
 
 *Default:* `""`
 

From 166cfbbf29daa0d75c8e87d5955848e476656974 Mon Sep 17 00:00:00 2001
From: David Kilfoyle
Date: Fri, 27 Sep 2024 15:26:06 -0400
Subject: [PATCH 7/7] Remove FLEET_HEADER & FLEET_KIBANA_HEADER

---
 .../configuration/env/container-envs.asciidoc | 4 ---
 .../configuration/env/shared-env.asciidoc | 26 -------------------
 2 files changed, 30 deletions(-)

diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
index d4e5af035..a7dd71154 100644
--- a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
+++ b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
@@ -124,10 +124,6 @@ include::shared-env.asciidoc[tag=fleet-server-client-auth]
 
 include::shared-env.asciidoc[tag=fleet-server-es-ca-trusted-fingerprint]
 
-include::shared-env.asciidoc[tag=fleet-header]
-
-include::shared-env.asciidoc[tag=fleet-kibana-header]
-
 include::shared-env.asciidoc[tag=fleet-daemon-timeout]
 
 include::shared-env.asciidoc[tag=fleet-server-timeout]
diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
index 9d35b1878..b1346fe71 100644
--- a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
+++ b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
@@ -126,32 +126,6 @@ This flag is helpful when using automation software or scripted deployments.
 
 // =============================================================================
 
-// tag::fleet-header[]
-|
-[id="env-{type}-fleet-header"]
-`FLEET_HEADER`
-
-| (string) Specify any headers that {agent} should send to {fleet-server} during enrollment.
-
-*Default:* none
-
-// end::fleet-header[]
-
-// =============================================================================
-
-// tag::fleet-kibana-header[]
-|
-[id="env-{type}-fleet-kibana-header"]
-`FLEET_KIBANA_HEADER`
-
-| (string) Specify any headers that {agent} should send when contacting {kib}.
-
-*Default:* none
-
-// end::fleet-kibana-header[]
-
-// =============================================================================
-
 // tag::fleet-server-enable[]
 |
 [id="env-{type}-fleet-server-enable"]