-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[heartbeat][libbeat][metricbeat][filebeat] Pass TLS options to forward proxies #15516
Conversation
Pinging @elastic/uptime (:uptime) |
@@ -138,6 +138,7 @@ func newRoundTripper(config *Config, tls *transport.TLSConfig) (*http.Transport, | |||
Proxy: proxy, | |||
Dial: dialer.Dial, | |||
DialTLS: tlsDialer.Dial, | |||
TLSClientConfig: tls.ToConfig(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add this change to some other packages, please?
libbeat/output/elasticsearch
metricbeat/helper
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you.
@urso should be ready for re-review, I added this setting to every other spot I saw |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Please add a changelog entry :)
…d proxies (elastic#15516) Fixes a bug where TLS options would not be passed to forward proxies. This fixes a reported issue where x509 client cert auth doesn't work due to the cert parameters not being passed in. Since this doesn't give us a full dialer we can't easily record TLS certificate expiry with proxies in heartbeat with this approach, so those fields would be missing. I think it makes sense to merge this change as-is and fix that secondary bug in a subsequent PR. I've opened a separate issue ( elastic#15797 ) to cover that. I've tested this manually against with the following config: https://github.com/elastic/uptime-contrib/tree/master/testing/configs/client-auth , note that you'll need the included client certs in that directory, and will need to alter the YAML to point at their actual path. I think in this scenario I'm fine with only having unit tests because the complexity of setting of a forward proxy + a custom TLS backend is very high. Fixes elastic#15524 (cherry picked from commit 0e57f6b)
…d proxies (elastic#15516) Fixes a bug where TLS options would not be passed to forward proxies. This fixes a reported issue where x509 client cert auth doesn't work due to the cert parameters not being passed in. Since this doesn't give us a full dialer we can't easily record TLS certificate expiry with proxies in heartbeat with this approach, so those fields would be missing. I think it makes sense to merge this change as-is and fix that secondary bug in a subsequent PR. I've opened a separate issue ( elastic#15797 ) to cover that. I've tested this manually against with the following config: https://github.com/elastic/uptime-contrib/tree/master/testing/configs/client-auth , note that you'll need the included client certs in that directory, and will need to alter the YAML to point at their actual path. I think in this scenario I'm fine with only having unit tests because the complexity of setting of a forward proxy + a custom TLS backend is very high. Fixes elastic#15524 (cherry picked from commit 0e57f6b)
Follow up on elastic/beats#15516 to pass TLS options to forward proxies.
Follow up on elastic/beats#15516 to pass TLS options to forward proxies.
Follow up on elastic/beats#15516 to pass TLS options to forward proxies.
Follow up on elastic/beats#15516 to pass TLS options to forward proxies.
Follow up on elastic/beats#15516 to pass TLS options to forward proxies.
* Update beats framework to 32f1a9e * Update TLS config for elasticsearch client (#3278) Follow up on elastic/beats#15516 to pass TLS options to forward proxies.
Fixes a bug where TLS options would not be passed to forward proxies. This fixes a reported issue where x509 client cert auth doesn't work due to the cert parameters not being passed in.
Since this doesn't give us a full dialer we can't easily record TLS certificate expiry with proxies with this approach, so those fields would be missing. I think it makes sense to merge this change as-is and fix that secondary bug in a subsequent PR. I've opened a separate issue ( #15797 ) to cover that.
I've tested this manually against with the following config: https://github.com/elastic/uptime-contrib/tree/master/testing/configs/client-auth , note that you'll need the included client certs in that directory, and will need to alter the YAML to point at their actual path.
I think in this scenario I'm fine with only having unit tests because the complexity of setting of a forward proxy + a custom TLS backend is very high.
Fixes #15524