Doc to explain how to solve pgp key download issue in air-gapped env (…
…#3375) * Doc to explain how to solve pgp key download issue in air-gapped env * Update pgp-workaround.md * Adding starting version (cherry picked from commit 10d9ba2)
1 parent
4719666
commit 5180f21
Showing 1 changed file with 58 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
# PGP fallback URL in air-gapped environment workaround | ||
|
||
## Reminders | ||
|
||
Starting from version 8.9.0, when Elastic Agent tries to perform an upgrade, it first verifies the binary signature with the key bundled in the Agent. | ||
This process has a backup mechanism that will use the key coming from https://artifacts.elastic.co/GPG-KEY-elastic-agent instead of the one it already has. | ||
|
||
In an air-gapped environment, the Agent won't be able to download the remote key and therefore cannot be upgraded. | ||
|
||
## Workaround | ||
|
||
To resolve this issue, we need the Agent to download the remote key from a server accessible from the air-gapped environment. | ||
As this URL is not customizable, we will have to "trick" the system by pointing https://artifacts.elastic.co/ to another host that will have the file. | ||
|
||
## Examples | ||
|
||
All those examples will require a server in your air-gapped environment that will expose the key you will have downloaded from https://artifacts.elastic.co/GPG-KEY-elastic-agent. | ||
|
||
### Manual | ||
|
||
Edit the Agent's server hosts file to add the following content: | ||
```bash | ||
<YOUR_HOST_IP> artifacts.elastic.co | ||
``` | ||
|
||
Linux hosts file path: | ||
```bash | ||
/etc/hosts | ||
``` | ||
|
||
Windows hosts file path: | ||
```bash | ||
C:\Windows\System32\drivers\etc\hosts | ||
``` | ||
|
||
### Puppet | ||
|
||
```yaml | ||
host { 'elastic-artifacts': | ||
ensure => 'present' | ||
comment => 'Workaround for PGP check' | ||
ip => '<YOUR_HOST_IP>' | ||
} | ||
``` | ||
|
||
### Ansible | ||
|
||
```yaml | ||
- name : 'elastic-artifacts' | ||
hosts : 'all' | ||
become: 'yes' | ||
|
||
tasks: | ||
- name: 'Add entry to /etc/hosts' | ||
lineinfile: | ||
path: '/etc/hosts' | ||
line: '<YOUR_HOST_IP> artifacts.elastic.co' | ||
``` |
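Review bot: In the Puppet example the `host` resource is titled 'elastic-artifacts' and sets no `name`, so Puppet would manage a hosts entry for the name elastic-artifacts instead of artifacts.elastic.co, and the attribute lines have no separating commas, so the manifest will not parse. Suggest titling the resource 'artifacts.elastic.co' (or adding `name => 'artifacts.elastic.co',`), ending each attribute with a comma, and fencing the block as puppet rather than yaml. Separately, the Reminders section says the downloaded key is used instead of the bundled one and the URL is https, yet the doc does not say what certificate the internal server must present for that request to succeed, nor that the key file should be checked against the official key's fingerprint before it is published internally. Both belong in the Examples preamble, since whoever serves that file decides which signatures the upgrade will accept.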