diff --git a/scripts/modules/aux_services.py b/scripts/modules/aux_services.py index e367ac9b5..1ba48334e 100644 --- a/scripts/modules/aux_services.py +++ b/scripts/modules/aux_services.py @@ -25,7 +25,7 @@ def build_candidate_manifest(self): def _content(self): self.es_urls = ",".join(self.options.get( - "logstash_elasticsearch_urls") or [self.DEFAULT_ELASTICSEARCH_HOSTS]) + "logstash_elasticsearch_urls") or [self.DEFAULT_ELASTICSEARCH_HOSTS_NO_TLS]) if self.at_least_version("7.3") \ or self.options.get("apm_server_snapshot") \ or (not self.options.get("apm_server_version") is None and diff --git a/scripts/modules/elastic_stack.py b/scripts/modules/elastic_stack.py index 38b1ce511..fd9d6d454 100644 --- a/scripts/modules/elastic_stack.py +++ b/scripts/modules/elastic_stack.py 
@@ -696,34 +696,55 @@ def __init__(self, **options): self.depends_on = {"kibana": {"condition": "service_healthy"}} if options.get("enable_kibana", True) else {} # build environment + # # Environment variables consumed by the Elastic Agent entrypoint - # https://github.com/elastic/beats/blob/4f4a5536b72f4a25962d56262f31e3b8533b252e/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl - # FLEET_ENROLLMENT_TOKEN - existing enrollment token to be used for enroll - # FLEET_ENROLL - if set to 1 enroll will be performed - # FLEET_ENROLL_INSECURE - if set to 1, agent will enroll with fleet using --insecure flag - # FLEET_SETUP - if set to 1 fleet setup will be performed - # FLEET_TOKEN_NAME - token name for a token to be created - # KIBANA_HOST - actual kibana host [http://localhost:5601] - # KIBANA_PASSWORD - password for accessing kibana API [changeme] - # KIBANA_USERNAME - username for accessing kibana API [elastic] + # ---- Preparing Kibana for Fleet + # KIBANA_FLEET_SETUP - set to 1 enables this setup + + # ---- Bootstrapping Fleet Server + # This bootstraps the Fleet Server to be run by this Elastic Agent. At least one Fleet Server is required in a Fleet + # deployment for other Elastic Agent to bootstrap. + # FLEET_SERVER_ENABLE - set to 1 enables bootstrapping of Fleet Server (forces FLEET_ENROLL enabled) + # FLEET_SERVER_POLICY_NAME - name of policy for the Fleet Server to use for itself [$FLEET_TOKEN_POLICY_NAME] + + # ---- Elastic Agent Fleet Enrollment + # This enrolls the Elastic Agent into a Fleet Server. It is also possible to have this create a new enrollment token + # for this specific Elastic Agent. 
+ # FLEET_ENROLL - set to 1 for enrollment to occur + # FLEET_INSECURE - communicate with Fleet with either insecure HTTP or un-verified HTTPS + + # -------------- kibana_url = options.get("elastic_agent_kibana_url") if not kibana_url: kibana_scheme = "https" if self.options.get("kibana_enable_tls", False) else "http" # TODO(gr): add default elastic-agent user kibana_url = kibana_scheme + "://admin:changeme@" + self.DEFAULT_KIBANA_HOST - kibana_parsed_url = urlparse(kibana_url) + + es_url = options.get("elastic_agent_elasticsearch_url") + if not es_url: + es_scheme = "https" if self.options.get("elasticsearch_enable_tls", False) else "http" + es_url = es_scheme + "://admin:changeme@" + self.DEFAULT_ELASTICSEARCH_HOST + es_parsed_url = urlparse(es_url) + self.environment = { + "KIBANA_FLEET_SETUP": "1", + "FLEET_SERVER_ENABLE": "1", "FLEET_ENROLL": "1", - "FLEET_SETUP": "1", + "FLEET_SERVER_POLICY_NAME": "Default policy", # TODO(simitt): make configurable "KIBANA_HOST": kibana_url, + "ELASTICSEARCH_HOST": es_url } if kibana_parsed_url.password: self.environment["KIBANA_PASSWORD"] = kibana_parsed_url.password if kibana_parsed_url.username: self.environment["KIBANA_USERNAME"] = kibana_parsed_url.username if not kibana_url.startswith("https://"): - self.environment["FLEET_ENROLL_INSECURE"] = 1 + self.environment["FLEET_INSECURE"] = "1" + if es_parsed_url.password: + self.environment["ELASTICSEARCH_PASSWORD"] = es_parsed_url.password + if es_parsed_url.username: + self.environment["ELASTICSEARCH_USERNAME"] = es_parsed_url.username # set ports for defined integrations self.ports = [] 
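Review bot: The value written to `ELASTICSEARCH_HOST` still carries the `user:password@` userinfo while the same credentials are also exported as `ELASTICSEARCH_USERNAME` and `ELASTICSEARCH_PASSWORD`, so a non-default password passed through `elastic_agent_elasticsearch_url` lands in the rendered compose environment twice (the existing `KIBANA_HOST` handling has the same shape). If the agent entrypoint accepts a credential-free host next to the separate variables, which this hunk does not show, the entry could be `"ELASTICSEARCH_HOST": es_parsed_url._replace(netloc=es_parsed_url.netloc.rpartition("@")[2]).geturl(),`. Separately, `FLEET_INSECURE` is still decided from the Kibana URL's scheme alone even though the agent now also bootstraps Fleet Server and is given an Elasticsearch URL; a one-line comment stating why the Kibana scheme is the right signal would help. `__init__` starts and ends outside the hunk.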
@@ -752,6 +773,11 @@ def add_arguments(cls, parser): default="http://admin:changeme@" + cls.DEFAULT_KIBANA_HOST, help="Elastic Agent's Kibana URL, including username:password" ) + parser.add_argument( + "--elastic-agent-elasticsearch-url", + default="http://admin:changeme@" + cls.DEFAULT_ELASTICSEARCH_HOST, + help="Elastic Agent's Elasticsearch URL, including username:password" + ) def build_candidate_manifest(self): version = self.version diff --git a/scripts/modules/opbeans.py b/scripts/modules/opbeans.py index 49b34cae2..5d81812c9 100644 --- a/scripts/modules/opbeans.py +++ b/scripts/modules/opbeans.py @@ -24,7 +24,8 @@ def __init__(self, **options): self.agent_local_repo = options.get(self.option_name() + "_agent_local_repo") self.opbeans_branch = options.get(self.option_name() + "_branch") or "" self.opbeans_repo = options.get(self.option_name() + "_repo") or "" - self.es_urls = ",".join(self.options.get("opbeans_elasticsearch_urls") or [self.DEFAULT_ELASTICSEARCH_HOSTS]) + self.es_urls = ",".join(self.options.get("opbeans_elasticsearch_urls") + or [self.DEFAULT_ELASTICSEARCH_HOSTS_NO_TLS]) self.service_environment = \ options.get(self.option_name() + "_service_environment") or self.DEFAULT_ELASTIC_APM_ENVIRONMENT diff --git a/scripts/modules/service.py b/scripts/modules/service.py index 7bdb356c5..fd80b6792 100644 --- a/scripts/modules/service.py +++ b/scripts/modules/service.py 
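Review bot: The hard-coded `http://` in the new `--elastic-agent-elasticsearch-url` default means that, assuming the options dict is built from this parser, `elastic_agent_elasticsearch_url` is never empty and the `elasticsearch_enable_tls` fallback added in `__init__` cannot be reached from the command line. A TLS-enabled stack would then still hand the agent a plain-HTTP URL with credentials in it. Consider `default=None,` here and letting `__init__` pick the scheme, with the help text naming the computed default. The Kibana URL argument in the context lines has the same pattern, and `add_arguments` starts outside the hunk.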
@@ -15,10 +15,10 @@ class Service(object): """encapsulate docker-compose service definition""" - DEFAULT_ELASTICSEARCH_HOSTS = "http://elasticsearch:9200" - DEFAULT_ELASTICSEARCH_HOSTS_TLS = "https://elasticsearch:9200" DEFAULT_KIBANA_HOST = "kibana:5601" - + DEFAULT_ELASTICSEARCH_HOST = "elasticsearch:9200" + DEFAULT_ELASTICSEARCH_HOSTS_NO_TLS = "http://" + DEFAULT_ELASTICSEARCH_HOST + DEFAULT_ELASTICSEARCH_HOSTS_TLS = "https://" + DEFAULT_ELASTICSEARCH_HOST # is this a side car service for opbeans. If yes, it will automatically # start if any opbeans service starts opbeans_side_car = False @@ -63,6 +63,9 @@ def __init__(self, **options): print('ERROR: OSS distribution is ONLY supported in 7.11+/6.8.14+ for Kibana and Elasticsearch.') sys.exit(1) + self._es_tls = options.get("elasticsearch_enable_tls", False) + self._kibana_tls = options.get("kibana_enable_tls", False) + @property def bc(self): return self._bc @@ -175,7 +178,7 @@ def default_elasticsearch_hosts(self, tls=False): if tls: return self.DEFAULT_ELASTICSEARCH_HOSTS_TLS else: - return self.DEFAULT_ELASTICSEARCH_HOSTS + return self.DEFAULT_ELASTICSEARCH_HOSTS_NO_TLS @abstractmethod def _content(self): diff --git a/scripts/tests/service_tests.py b/scripts/tests/service_tests.py index b507065ba..f2faafabe 100644 --- a/scripts/tests/service_tests.py +++ b/scripts/tests/service_tests.py 
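Review bot: `self._es_tls` and `self._kibana_tls` are assigned in `Service.__init__` but nothing in this diff reads them; the elastic_stack.py hunk still calls `self.options.get("elasticsearch_enable_tls", False)` and `self.options.get("kibana_enable_tls", False)` directly. Two sources for the same TLS decision can drift, so either read the new attributes there or add a comment such as `# cached TLS flags; subclasses should read these instead of self.options` above the assignments. The rename of `DEFAULT_ELASTICSEARCH_HOSTS` in the first hunk of this file will raise AttributeError for any reference this diff did not update, which cannot be checked from here. `__init__` begins and ends outside the hunk.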
@@ -917,16 +917,21 @@ def test_debug(self): class ElasticAgentServiceTest(ServiceTest): def test_default(self): - ea = ElasticAgent(version="7.12.345",enable_apm_server=True,apm_server_managed=True).render()["elastic-agent"] + ea = ElasticAgent(version="7.12.345", enable_apm_server=True, apm_server_managed=True).render()["elastic-agent"] self.assertEqual( ea, {"container_name": "localtesting_7.12.345_elastic-agent", "depends_on": {"kibana": {"condition": "service_healthy"}}, - "environment": {"FLEET_ENROLL": "1", - "FLEET_ENROLL_INSECURE": 1, - "FLEET_SETUP": "1", - "KIBANA_HOST": "http://admin:changeme@kibana:5601", - "KIBANA_PASSWORD": "changeme", - "KIBANA_USERNAME": "admin"}, + 'environment': {'ELASTICSEARCH_HOST': 'http://admin:changeme@elasticsearch:9200', + 'ELASTICSEARCH_PASSWORD': 'changeme', + 'ELASTICSEARCH_USERNAME': 'admin', + 'FLEET_ENROLL': '1', + 'FLEET_SERVER_ENABLE': '1', + 'FLEET_INSECURE': '1', + 'FLEET_SERVER_POLICY_NAME': 'Default policy', + 'KIBANA_FLEET_SETUP': '1', + 'KIBANA_HOST': 'http://admin:changeme@kibana:5601', + 'KIBANA_PASSWORD': 'changeme', + 'KIBANA_USERNAME': 'admin'}, "healthcheck": {"test": ["CMD", "elastic-agent", "version"]}, "image": "docker.elastic.co/beats/elastic-agent:7.12.345-SNAPSHOT", "labels": ["co.elastic.apm.stack-version=7.12.345"],
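Review bot: `test_default` only pins the plain-HTTP default, so the new scheme fallback and the rule that `FLEET_INSECURE` is omitted for an HTTPS Kibana URL are not covered. A second test could build `ElasticAgent(version="7.12.345", elastic_agent_kibana_url="https://admin:changeme@kibana:5601").render()["elastic-agent"]` and check `self.assertNotIn("FLEET_INSECURE", ea["environment"])`. The expected dict now also mixes single- and double-quoted keys; keeping one quoting style would make the next diff easier to read. The `assertEqual` call continues past the end of the hunk.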