[Fleet] Enforce production mode #63637

Closed
nchaulet opened this issue Apr 15, 2020 · 8 comments · Fixed by #65027
Labels
Ingest Management:alpha1 Group issues for ingest management alpha1 Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@nchaulet
Member

Description

When running Kibana in production mode we should ensure:

  • Kibana has security enabled
  • Kibana is using TLS, in case of cloud we should add a config flag to disable that check
  • API keys are enabled (should be checked in dev too)

If any of these conditions is not true, we should not allow the user to use Fleet and should display an error message explaining how to resolve it.

@elastic/kibana-security what is the best way to check if kibana is using TLS?

@nchaulet nchaulet added Team:Fleet Team label for Observability Data Collection Fleet team Ingest Management:alpha1 Group issues for ingest management alpha1 labels Apr 15, 2020
@elasticmachine
Contributor

Pinging @elastic/ingest-management (Team:Ingest Management)

@legrego
Member

legrego commented Apr 15, 2020

@elastic/kibana-security what is the best way to check if kibana is using TLS?

On which interface? Browser <--> Kibana, or Kibana <--> Elasticsearch?

It's tricky because there could be TLS terminating proxies in place for either interface in on-prem setups too, which Kibana would have no way of verifying.

@nchaulet
Member Author

@legrego for the interface Browser <--> Kibana, yes. For the case where Kibana is running behind a proxy that terminates TLS, we could expose a config variable so the user can disable that check. (I imagine it's going to be the case for cloud users.)

@legrego
Member

legrego commented Apr 15, 2020

It's not entirely straightforward to determine this today. For this interface, you'll need to inspect the following kibana.yml options:

  • server.ssl.enabled must be set to true
    AND
    • server.ssl.certificate AND server.ssl.key are both set
      OR
    • server.ssl.keystore.path is set

The status of TLS on this interface might be something that @elastic/kibana-platform would want to expose as a single boolean flag though as part of its core contract.

Kibana has security enabled

This is rather complicated too. Kibana can have its security plugin enabled, but the security features themselves are mostly determined by Elasticsearch, and could change at any time. The security plugin exposes this today, but it's not something you can check once and cache.

API keys are enabled (should be checked in dev too)

I have a PR opened which will make this much easier to do. Similar to the previous answer, this could change at any time, so the result can't be cached for all that long: #63454

@pgayvallet
Contributor

pgayvallet commented Apr 16, 2020

The status of TLS on this interface might be something that @elastic/kibana-platform would want to expose as a single boolean flag though as part of its core contract.

Already is (even if not a boolean)

coreSetup.http.getServerInfo().protocol === 'https'. This one is based on the underlying hapi protocol, so having the https value should be sufficient to assume TLS is enabled on the server(?)

There is also coreSetup.http.isTlsEnabled but the only check for that is config.ssl.enabled === true

@mshustov
Contributor

mshustov commented Apr 16, 2020

There is also coreSetup.http.isTlsEnabled but the only check for that is config.ssl.enabled === true

The other requirements that @legrego mentioned are validated in the SSL config, so it suffices, I believe:

  if (ssl.enabled && (!ssl.key || !ssl.certificate) && !ssl.keystore.path) {
    return 'must specify [certificate] and [key] -- or [keystore.path] -- when ssl is enabled';
  }
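The following is an added example, not code from Kibana or from anyone in this thread. It turns the rules discussed above (legrego's kibana.yml conditions for TLS on the Browser <--> Kibana interface, the security-enabled and API-keys-enabled checks, and the proposed bypass for TLS-terminating proxies) into one pure function that returns the list of unmet prerequisites together with the remediation text the UI would show. The `tlsCheckDisabled` flag, the `FleetPrereqInput` shape and the function names are hypothetical; `securityEnabled` and `apiKeysEnabled` are assumed to be freshly obtained from the security plugin and Elasticsearch on each call, since, as noted above, neither can be cached for long.

```typescript
// Added example (not Kibana's own code): evaluates the Fleet prerequisites
// discussed in this issue against a plain config object. Field names mirror
// kibana.yml keys where one exists; `tlsCheckDisabled` is a hypothetical flag
// standing in for the "behind a TLS-terminating proxy" bypass, not a real
// Kibana setting.

interface SslConfig {
  enabled: boolean;
  certificate?: string;
  key?: string;
  keystore?: { path?: string };
}

interface FleetPrereqInput {
  productionMode: boolean;   // security and TLS are only enforced in production
  serverSsl: SslConfig;      // server.ssl.* from kibana.yml
  securityEnabled: boolean;  // live answer from the security plugin; not cached
  apiKeysEnabled: boolean;   // live answer from Elasticsearch; not cached for long
  tlsCheckDisabled: boolean; // hypothetical bypass for cloud / TLS-terminating proxies
}

interface PrereqFailure {
  check: 'security' | 'tls' | 'api_keys';
  message: string;
  resolution: string;
}

// legrego's rule for the Browser <--> Kibana interface:
// server.ssl.enabled AND ((certificate AND key) OR keystore.path).
// This is the positive form of the config validation quoted above, which
// rejects ssl.enabled without either a cert/key pair or a keystore path.
export function isTlsConfigured(ssl: SslConfig): boolean {
  if (!ssl.enabled) return false;
  const hasPair = Boolean(ssl.certificate) && Boolean(ssl.key);
  const hasKeystore = Boolean(ssl.keystore && ssl.keystore.path);
  return hasPair || hasKeystore;
}

// One failure per unmet prerequisite, each carrying the remediation text the
// UI would display. An empty array means Fleet may be used.
export function checkFleetPrerequisites(input: FleetPrereqInput): PrereqFailure[] {
  const failures: PrereqFailure[] = [];

  if (input.productionMode && !input.securityEnabled) {
    failures.push({
      check: 'security',
      message: 'Kibana security is not enabled.',
      resolution: 'Enable security in Elasticsearch and Kibana (xpack.security.enabled: true).',
    });
  }

  if (input.productionMode && !input.tlsCheckDisabled && !isTlsConfigured(input.serverSsl)) {
    failures.push({
      check: 'tls',
      message: 'Kibana is not serving over TLS.',
      resolution:
        'Set server.ssl.enabled: true with server.ssl.certificate and server.ssl.key, ' +
        'or server.ssl.keystore.path, in kibana.yml; or disable this check if a proxy terminates TLS.',
    });
  }

  // API keys are required in every mode, not only in production.
  if (!input.apiKeysEnabled) {
    failures.push({
      check: 'api_keys',
      message: 'API keys are not enabled in Elasticsearch.',
      resolution: 'Set xpack.security.authc.api_key.enabled: true in elasticsearch.yml.',
    });
  }

  return failures;
}

// Constructed sample: a dev-mode Kibana without TLS and with API keys disabled.
// Only the API-key check fires, because TLS is not enforced outside production.
const sampleDev: FleetPrereqInput = {
  productionMode: false,
  serverSsl: { enabled: false },
  securityEnabled: true,
  apiKeysEnabled: false,
  tlsCheckDisabled: false,
};
console.log(checkFleetPrerequisites(sampleDev).map((f) => f.check)); // ['api_keys']
```

In real Kibana code the TLS part would not be reimplemented from kibana.yml: as pgayvallet and mshustov point out above, `coreSetup.http.isTlsEnabled` already reflects `server.ssl.enabled`, and the config validation guarantees a cert/key pair or keystore path whenever that is true, so `isTlsConfigured` here only illustrates what that flag encodes.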

@legrego
Member

legrego commented Apr 16, 2020

As usual, you’re already a step ahead of me - Thanks @restrry & @pgayvallet !

@nchaulet
Member Author

@hbharding Any idea on how to display that? Fleet could be unusable because:

  • API keys are not enabled
  • TLS is not enabled
