Automatically import certificates into pod certificate store when running Elastic Agent in a container #6633

Open
renzedj opened this issue Jan 29, 2025 · 1 comment
Labels
Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@renzedj

renzedj commented Jan 29, 2025

Describe the Enhancement

When running Elastic Agent in a container (elastic-agent or elastic-agent-complete), import certificates in /usr/local/share/ca-certificates into the pod's certificate store at startup. Additionally, for the elastic-agent-complete, import them into the browser's certificate store for browser journeys.

Use Case

As an Elastic Agent administrator, I administer a fleet of Elastic Agents in Kubernetes. A number of applications use certificates signed by a self-signed Certificate Authority, requiring the CA certificates to be added to the certificate store in the pod, as well as the browser certificate store when using elastic-agent-complete to run browser journeys. In our use case, it is not desirable to build a custom image with these certificates included, so they are mounted at run-time from a Kubernetes secret. This currently requires additional packages to be installed and a custom startup script to run.

Definition of Done

Certificates are imported from /usr/local/share/ca-certificates into the pod's certificate store (and nssdb for elastic-agent-complete) when the pod starts.

Conditions to Validate Change

Do the following to validate the change:

  1. Add certificates to /usr/local/share/ca-certificates when running an elastic-agent-complete pod.
  2. Validate certificates are imported into store.
  3. Run the following to validate they are imported into the browser store: certutil -L -d /usr/share/elastic-agent/.pki/nssdb

Recommended Approach

elastic-agent-complete Image

For elastic-agent-complete, the following additional package must be installed: libnss3-tools.

All Image Versions

Add the following to the docker-entrypoint script. NSSDB creation only occurs if ELASTIC_AGENT_COMPLETE == true, so no errors will occur in the elastic-agent image if libnss3-tools is not installed.

```sh
#
# Update CA certificates
#
CERTIFICATE_COUNT="$(find /usr/local/share/ca-certificates -type f | wc -l)"
if [ "${CERTIFICATE_COUNT}" -gt 0 ]
then
    # Add new certificates to store
    update-ca-certificates
fi

#
# Import certificates from /usr/local/share/ca-certificates into nssdb
# in elastic-agent-complete. If NSSDB_ADDL_CERTS_DIR is defined, certs
# from this directory will also be imported. Multiple directories may
# be included by separating them with a space.
#
if [ "${ELASTIC_AGENT_COMPLETE}" = "true" ]
then
    NSSDB_CERT_DIRS="/usr/local/share/ca-certificates ${NSSDB_ADDL_CERTS_DIR}"
    # Directories listed in NSSDB_ADDL_CERTS_DIR may not exist; silence find's
    # errors for those, the loop below checks each directory before using it.
    CERTIFICATE_COUNT="$(find ${NSSDB_CERT_DIRS} -type f 2>/dev/null | wc -l)"

    if [ "${CERTIFICATE_COUNT}" -gt 0 ]
    then
        # Create nssdb
        mkdir -p /usr/share/elastic-agent/.pki/nssdb
        chmod -R 0700 /usr/share/elastic-agent/.pki/
        certutil -d /usr/share/elastic-agent/.pki/nssdb -N --empty-password

        # Add certs to nssdb, trusted as CAs for server authentication ("C,,").
        # Nickname: file name without .crt, upper-cased, non-alphanumerics -> '_'
        for d in ${NSSDB_CERT_DIRS}
        do
            if [ -d "${d}" ]
            then
                find "${d}" -type f -name '*.crt' | sort -r | while read -r cert
                do
                    certutil -A -d "/usr/share/elastic-agent/.pki/nssdb" -i "${cert}" \
                    -n "$(basename "${cert}" '.crt' | tr '[:lower:]' '[:upper:]' | sed 's/[^A-Z0-9]/_/g')" -t "C,,"
                done
            fi
        done

        # Set correct ownership and permissions (-exec rather than xargs so
        # paths containing whitespace are handled)
        chown -R elastic-agent:elastic-agent /usr/share/elastic-agent/.pki/
        find /usr/share/elastic-agent/.pki/ -type d -exec chmod 0700 {} +
        find /usr/share/elastic-agent/.pki/ -type f -exec chmod 0600 {} +
    fi
fi
```
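The validation steps above leave "validate certificates are imported into store" open, and the proposed entrypoint trusts every `*.crt` file as a CA under a nickname derived from its file name. The script below is an added example, not code from the issue author or the Elastic Agent project: it mirrors the entrypoint's nickname derivation, flags two files that would collide on the same NSS nickname, checks that each mounted PEM body actually landed in the system bundle, and (where `openssl` is available) confirms a file is really a CA certificate before it is mounted for import. The bundle path `/etc/ssl/certs/ca-certificates.crt` is assumed to be the Debian/Ubuntu default written by `update-ca-certificates`; for the NSS store, the `certutil -L` command from the issue remains the check.

```shell
#!/bin/sh
# verify-ca-import.sh (added example, not part of the elastic-agent image)
# Checks the outcome of an entrypoint that runs update-ca-certificates over
# /usr/local/share/ca-certificates and imports the same files into an NSS db.

# Nickname derivation mirroring the entrypoint: basename without .crt,
# upper-cased, every non-alphanumeric character replaced by '_'.
nss_nickname() {
    basename "$1" '.crt' | tr '[:lower:]' '[:upper:]' | sed 's/[^A-Z0-9]/_/g'
}

# Print each nickname that more than one .crt file in the directory maps to.
# Such files collide in certutil -A, e.g. corp-root-ca.crt and corp.root.ca.crt.
nickname_collisions() {
    find "$1" -type f -name '*.crt' | while read -r cert
    do
        nss_nickname "${cert}"
    done | sort | uniq -d
}

# Emit one base64 body per line for every CERTIFICATE block in the given files,
# whitespace stripped, so bodies can be compared exactly.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { b = ""; inb = 1; next }
         /-----END CERTIFICATE-----/   { print b; inb = 0; next }
         inb { gsub(/[ \t\r]/, ""); b = b $0 }' "$@"
}

# Print the path of every .crt in the source dir whose body is absent from the
# bundle (i.e. update-ca-certificates did not pick it up). Prints nothing if all
# are present.
missing_from_bundle() {
    src="$1"
    bundle="$2"
    bundle_bodies="$(pem_bodies "${bundle}")"
    for cert in "${src}"/*.crt
    do
        [ -f "${cert}" ] || continue
        pem_bodies "${cert}" | while read -r body
        do
            printf '%s\n' "${bundle_bodies}" | grep -qxF -- "${body}" || echo "${cert}"
        done
    done
}

# Caveat check: the entrypoint gives every *.crt the "C,," trust flags. Return 0
# only if the file carries basicConstraints CA:TRUE; 2 if openssl is unavailable.
is_ca_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Usage inside the pod (assumed Debian/Ubuntu bundle path):
#   sh verify-ca-import.sh /usr/local/share/ca-certificates /etc/ssl/certs/ca-certificates.crt
if [ "$#" -eq 2 ]
then
    status=0
    collisions="$(nickname_collisions "$1")"
    if [ -n "${collisions}" ]
    then
        echo "nickname collisions in $1: ${collisions}" >&2
        status=1
    fi
    missing="$(missing_from_bundle "$1" "$2")"
    if [ -n "${missing}" ]
    then
        echo "not present in $2: ${missing}" >&2
        status=1
    fi
    for cert in "$1"/*.crt
    do
        [ -f "${cert}" ] || continue
        is_ca_cert "${cert}"
        case "$?" in
            1) echo "not a CA certificate (CA:TRUE missing): ${cert}" >&2; status=1 ;;
            2) echo "openssl not found, skipping CA check for ${cert}" >&2 ;;
        esac
    done
    exit "${status}"
fi
```

Run it after the entrypoint has executed; a non-zero exit means either a nickname collision, a certificate that never reached the bundle, or a leaf certificate that would otherwise be imported with CA trust.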
@renzedj renzedj changed the title Automatically import certificates into pod certificate store when running containerized Elastic Agent Automatically import certificates into pod certificate store when running Elastic Agent into a container Jan 29, 2025
@renzedj renzedj changed the title Automatically import certificates into pod certificate store when running Elastic Agent into a container Automatically import certificates into pod certificate store when running Elastic Agent in a container Jan 29, 2025
@jlind23 jlind23 added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Jan 31, 2025
@elasticmachine

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)
