[8.x](backport #5741) Fix internal/pkg/agent/cmd.TestEnroll
#5744
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fix the mock fleet server used on internal/pkg/agent/cmd.TestEnroll was using the root certificate instead its own TLS certificate. As soon as elasitc-agent-libs is updated to v1.12.0+ it becomes a problem as the root certificates do not come with IPs and SANs anymore. Therefore the client cannot verify the certificate indeed belongs to the server. (cherry picked from commit ae48b95)
|
pierrehilbert
approved these changes
Oct 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fix the mock fleet server used on TestEnroll. It was using the root certificate instead its own certificate.
What does this PR do?
It fixes
internal/pkg/agent/cmd.TestEnrollby starting the mock fleet-server with the intended TLS certificate istead of using the CA as its certificate.Why is it important?
The TLS server mocking fleet-server is using the root certificate as its own certificate. It has worked so far because
elasitc-agent-libswas adding SANs and IPs to the root certificates. However fromelasitc-agent-libs v1.12.0onwards the root certificates do not include IPs and SANs. This change makesinternal/pkg/agent/cmd.TestEnrollto fail as the agent cannot validate the mock fleet-server certificate as it does not contain any IP or SANs ifelasitc-agent-libsis updated. Which is happening in at least 2 PRs:Checklist
[ ] I have commented my code, particularly in hard-to-understand areas[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration files[ ] I have added tests that prove my fix is effective or that my feature works[ ] I have added an entry in./changelog/fragmentsusing the changelog tool[ ] I have added an integration test or an E2E testDisruptive User Impact
N/A
How to test this PR locally
go get github.com/elastic/elastic-agent-libs@v0.12.0 go test -v -run TestEnroll$ ./internal/pkg/agent/cmdRelated issues
Questions to ask yourself
This is an automatic backport of pull request #5741 done by [Mergify](https://mergify.com).