From 14676bc4bfb7e04bbaf3bc077d132c1f2df8de52 Mon Sep 17 00:00:00 2001 From: Anderson Queiroz Date: Mon, 19 Aug 2024 14:15:37 +0200 Subject: [PATCH] Add a diagram for CAs and Certs usage between agent, fleet-server and ES (#5263) * add a diagram for CAs and Certs usage --- ...-fleet-server-ES-CAs-certificates-usage.md | 146 ++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 docs/agent-fleet-server-ES-CAs-certificates-usage.md diff --git a/docs/agent-fleet-server-ES-CAs-certificates-usage.md b/docs/agent-fleet-server-ES-CAs-certificates-usage.md new file mode 100644 index 00000000000..34580e66923 --- /dev/null +++ b/docs/agent-fleet-server-ES-CAs-certificates-usage.md 
@@ -0,0 +1,146 @@ +# TLS between Elastic AGent <-> Fleet Server <-> Elasticsearch + +This shows the different certificates and certificate authorities used by the Elastic Agent, Fleet Server and Elasticsearch for the control plane communication and their respective cli flags when installing the Elastic Agent. + + - Elastic Agent (client) makes HTTPS requests to Fleet Server (server) + - Fleet Server (client) makes HTTPS requests to Elasticsearch (server) + +## TLS + +For the TLS case, the following is used: + - fleet-ca: the certificate authority for the certificate presented by Fleet Server + - fleet-cert: the TLS certificate Fleet Server presents when a client makes an HTTPS request + - fleet-cert-key: the private key for Fleet Server's TLS certificate (not shown in the diagram) + - es-ca: the certificate authority for the certificate presented by Elasticsearch + +```shell +elastic-agent install --url=https://your-fleet-server.elastic.co:443 \ +--certificate-authorities=/path/to/fleet-ca \ +--fleet-server-es=https://es.elastic.com:443 \ +--fleet-server-es-ca=/path/to/es-ca \ +--fleet-server-cert=/path/to/fleet-cert \ +--fleet-server-cert-key=/path/to/fleet-cert-key \ +--fleet-server-service-token=FLEET-SERVER-SERVICE-TOKEN \ +--fleet-server-policy=FLEET-SERVER-POLICY-ID \ +--fleet-server-port=8220 +``` +```mermaid +flowchart LR + subgraph TLS + elastic-agent + fleet-server + elasticsearch + end + + + fleet-server --> |**fleet-server: presents fleet-cert** + --fleet-server-cert=fleet-cert| elastic-agent + + elastic-agent --> |**agent validates fleet-ca:** + --certificate-authorities=/path/to/fleet-ca| fleet-server + + fleet-server --> | **fleet-server es-ca validates es-cert:** + --fleet-server-es-ca=es-ca| elasticsearch + + elasticsearch --> | **elasticsearch presents es-cert**| fleet-server + + + subgraph elasticsearch + es-cert + end + subgraph fleet-server + fleet-cert + es-ca + end + subgraph elastic-agent + fleet-ca + end +``` + +## mTLS + +For the mTLS 
case, the following is used: +- agent-ca: the certificate authority for the certificate presented by the Elastic Agent +- agent-cert: the client TLS certificate Elastic Agent presents to Fleet Server +- agent-cert-key: the private key for the Elastic Agent's TLS certificate (not shown in the diagram) + +- fleet-ca: the certificate authority for the certificate presented by Fleet Server +- fleet-cert: the TLS certificate Fleet Server presents when a client makes an HTTPS request +- fleet-cert-key: the private key for Fleet Server's TLS certificate (not shown in the diagram) + +- fleet-es-ca: the certificate authority for the client TLS certificate presented by Fleet Server to Elasticsearch +- fleet-es-cert: the client TLS certificate Fleet Server presents to Elasticsearch +- fleet-es-cert-key: the private key for Fleet Server's client TLS certificate (not shown in the diagram) + +- es-ca: the certificate authority for the certificate presented by Elasticsearch +- es-cert: the TLS certificate Elasticsearch presents when a client makes an HTTPS request + +```shell +elastic-agent install --url=https://your-fleet-server.elastic.co:443 \ +--certificate-authorities=/path/to/fleet-ca,/path/to/agent-ca \ +--elastic-agent-cert=/path/to/agent-cert \ +--elastic-agent-cert-key=/path/to/agent-cert-key \ +--fleet-server-es=https://es.elastic.com:443 \ +--fleet-server-es-ca=/path/to/es-ca \ +--fleet-server-es-cert=/path/to/fleet-es-cert \ +--fleet-server-es-cert-key=/path/to/fleet-es-cert-key \ +--fleet-server-cert=/path/to/fleet-cert \ +--fleet-server-cert-key=/path/to/fleet-cert-key \ +--fleet-server-client-auth=required \ +--fleet-server-service-token=FLEET-SERVER-SERVICE-TOKEN \ +--fleet-server-policy=FLEET-SERVER-POLICY-ID \ +--fleet-server-port=8220 +``` +```mermaid +flowchart LR + subgraph mTLS + elastic-agent((elastic-agent)) + + fleet-server((fleet-server)) + elasticsearch((elasticsearch)) + + end + + + elastic-agent --> |**agent: fleet-ca validates fleet-cert:** + 
--certificate-authorities=/path/to/fleet-ca| fleet-server + + elastic-agent --> |**agent presents agent-cert:** + --elastic-agent-cert=agent-cert| fleet-server + + + fleet-server --> |**fleet-server: presents fleet-cert** + --fleet-server-cert=fleet-cert| elastic-agent + + fleet-server --> |**fleet-server: agent-ca validates agent-cert** + --certificate-authorities=fleet-ca,agent-ca| elastic-agent + + + fleet-server --> | **fleet-server es-ca validates es-cert:** + --fleet-server-es-ca=es-ca| elasticsearch + + fleet-server --> | **fleet-server presents fleet-es-cert:** + --fleet-server-es-cert=fleet-es-cert| elasticsearch + + + elasticsearch --> | **elasticsearch presents es-cert**| fleet-server + elasticsearch --> | **elasticsearch: fleet-es-ca validates fleet-es-cert**| fleet-server + + + subgraph elastic-agent + fleet-ca + agent-cert + end + subgraph fleet-server + fleet-cert + fleet-es-cert + agent-ca + es-ca + end + subgraph elasticsearch + es-cert + fleet-es-ca + end +``` + +
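Review bot: the TLS diagram's edge label "agent validates fleet-ca:" misstates the check; the agent uses fleet-ca to validate fleet-cert, so it should read like the mTLS diagram's "agent: fleet-ca validates fleet-cert:" (the heading also has "AGent" for "Agent"). Two doc gaps in the same file are worth closing: the mTLS list introduces fleet-es-ca as the CA Elasticsearch uses to validate fleet-es-cert, but nothing states that it is configured on the Elasticsearch side rather than through any `elastic-agent install` flag, and `--certificate-authorities=/path/to/fleet-ca,/path/to/agent-ca` is explained only by a diagram edge; one sentence saying the combined list is consumed both by the agent (to verify fleet-cert) and by Fleet Server (to verify agent-cert once `--fleet-server-client-auth=required` is set) would make the flag's dual role explicit. Since this is a security-oriented page, the two examples should also mention `--fleet-server-service-token-path` as the alternative to passing the service token on the command line, where it lands in shell history and process listings. Finally, both mermaid blocks reuse `elastic-agent`, `fleet-server` and `elasticsearch` as node ids (the mTLS block with `((...))` shapes) and again as subgraph ids; please confirm the rendered output before merging.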