Remove forcing localhost for insecure bootstrap

changelog/fragments/1674766899-fix-insecure-fleet-server-bootstrap.yaml

@@ -0,0 +1,31 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug-fix
+
+# Change summary; a 80ish characters long description of the change.
+summary: fix insecure fleet-server bootstrap
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+description: Disable passing `localhost` when bootstrapping an insecure fleet-server instance.
+
+# Affected component; a word indicating the component this changeset affects.
+component: fleet-server
+
+# PR number; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: 1234
+
+# Issue number; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: 2197

internal/pkg/agent/cmd/enroll_cmd.go

@@ -395,10 +395,6 @@ func (c *enrollCmd) prepareFleetTLS() error {
 	}
 	if c.options.FleetServer.Cert == "" && c.options.FleetServer.CertKey == "" {
 		if c.options.FleetServer.Insecure {
-			// running insecure, force the binding to localhost (unless specified)
-			if c.options.FleetServer.Host == "" {
-				c.options.FleetServer.Host = defaultFleetServerInternalHost
-			}
 			c.options.URL = fmt.Sprintf("http://%s:%d", host, port)
 			c.options.Insecure = true
 			return nil

internal/pkg/agent/cmd/enroll_cmd_test.go

@@ -8,6 +8,8 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"errors"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"net"
@@ -18,7 +20,7 @@ import (
 	"strconv"
 	"testing"
 
-	"github.com/pkg/errors"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/elastic/elastic-agent/internal/pkg/agent/configuration"
@@ -42,7 +44,7 @@ func (m *mockStore) Save(in io.Reader) error {
 	}
 
 	buf := new(bytes.Buffer)
-	io.Copy(buf, in) // nolint:errcheck //not required
+	io.Copy(buf, in) //nolint:errcheck // not required
 	m.Content = buf.Bytes()
 	return nil
 }
@@ -324,6 +326,7 @@ func TestEnroll(t *testing.T) {
 			require.False(t, store.Called)
 		},
 	))
+
 }
 
 func TestValidateArgs(t *testing.T) {
@@ -372,6 +375,62 @@ func TestValidateArgs(t *testing.T) {
 	require.NotContains(t, cleanedTags, "")
 }
 
+func TestPrepareFleetTLS(t *testing.T) {
+	log, _ := logger.New("tst", false)
+	t.Run("fleet-server insecure", func(t *testing.T) {
+		store := &mockStore{}
+		cmd, err := newEnrollCmdWithStore(
+			log,
+			&enrollCmdOption{
+				FleetServer: enrollCmdFleetServerOption{
+					ConnStr:      "https://localhost:9200",
+					ServiceToken: "test-service-token",
+					PolicyID:     "test-fleet-policy",
+					Insecure:     true,
+				},
+			},
+			"",
+			store,
+		)
+		require.NoError(t, err)
+		err = cmd.prepareFleetTLS()
+		require.NoError(t, err)
+
+		assert.True(t, cmd.options.Insecure)
+		assert.Equal(t, "http://localhost:8220", cmd.options.URL)
+
+		assert.Equal(t, "", cmd.options.FleetServer.Host)
+	})
+	t.Run("fleet-server secure", func(t *testing.T) {
+		store := &mockStore{}
+		cmd, err := newEnrollCmdWithStore(
+			log,
+			&enrollCmdOption{
+				FleetServer: enrollCmdFleetServerOption{
+					ConnStr:      "https://localhost:9200",
+					ServiceToken: "test-service-token",
+					PolicyID:     "test-fleet-policy",
+				},
+			},
+			"",
+			store,
+		)
+		require.NoError(t, err)
+		err = cmd.prepareFleetTLS()
+		require.NoError(t, err)
+
+		assert.False(t, cmd.options.Insecure)
+		assert.NotEmpty(t, cmd.options.FleetServer.Cert)
+		assert.NotEmpty(t, cmd.options.FleetServer.CertKey)
+		assert.NotEmpty(t, cmd.options.CAs)
+
+		hostname, _ := os.Hostname()
+		assert.Equal(t, fmt.Sprintf("https://%s:8220", hostname), cmd.options.URL)
+
+		assert.Equal(t, "", cmd.options.FleetServer.Host)
+	})
+}
+
 func withServer(
 	m func(t *testing.T) *http.ServeMux,
 	test func(t *testing.T, host string),
@@ -402,7 +461,7 @@ func withTLSServer(
 
 		port := listener.Addr().(*net.TCPAddr).Port
 
-		s := http.Server{
+		s := http.Server{ //nolint:gosec // test server config
 			Handler: m(t),
 			TLSConfig: &tls.Config{
 				Certificates: []tls.Certificate{serverCert},
@@ -411,7 +470,7 @@ func withTLSServer(
 		}
 
 		// Uses the X509KeyPair pair defined in the TLSConfig struct instead of file on disk.
-		go s.ServeTLS(listener, "", "") // nolint:errcheck //not required
+		go s.ServeTLS(listener, "", "") //nolint:errcheck // not required
 
 		test(t, ca.Crt(), "localhost:"+strconv.Itoa(port))
 	}
@@ -422,7 +481,7 @@ func bytesToTMPFile(b []byte) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	f.Write(b) // nolint:errcheck //not required
+	f.Write(b) //nolint:errcheck // not required
 	if err := f.Close(); err != nil {
 		return "", err
 	}