Doc to explain how to solve pgp key download issue in air-gapped env (#3375)

* Doc to explain how to solve pgp key download issue in air-gapped env

* Update pgp-workaround.md

* Adding starting version

(cherry picked from commit 10d9ba2)
pierrehilbert authored and mergify[bot] committed Sep 8, 2023
1 parent 4719666 commit 5180f21
Showing 1 changed file with 58 additions and 0 deletions.
58 changes: 58 additions & 0 deletions docs/pgp-workaround.md
@@ -0,0 +1,58 @@
# PGP fallback URL in air-gapped environment workaround

## Reminders

Starting from version 8.9.0, when Elastic Agent tries to perform an upgrade, it first verifies the binary signature with the key bundled in the Agent.
This process has a backup mechanism that will use the key coming from https://artifacts.elastic.co/GPG-KEY-elastic-agent instead of the one it already has.

In an air-gapped environment, the Agent won't be able to download the remote key and therefore cannot be upgraded.

## Workaround

To resolve this issue, we need the Agent to download the remote key from a server accessible from the air-gapped environment.
As this URL is not customizable, we will have to "trick" the system by pointing https://artifacts.elastic.co/ to another host that will have the file.

## Examples

All those examples will require a server in your air-gapped environment that will expose the key you will have downloaded from https://artifacts.elastic.co/GPG-KEY-elastic-agent.

### Manual

Edit the Agent's server hosts file to add the following content:
```bash
<YOUR_HOST_IP> artifacts.elastic.co
```

Linux hosts file path:
```bash
/etc/hosts
```

Windows hosts file path:
```bash
C:\Windows\System32\drivers\etc\hosts
```

### Puppet

```yaml
host { 'elastic-artifacts':
ensure => 'present'
comment => 'Workaround for PGP check'
ip => '<YOUR_HOST_IP>'
}
```

### Ansible

```yaml
- name : 'elastic-artifacts'
hosts : 'all'
become: 'yes'

tasks:
- name: 'Add entry to /etc/hosts'
lineinfile:
path: '/etc/hosts'
line: '<YOUR_HOST_IP> artifacts.elastic.co'
```
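
Review bot: the Puppet example's `host` resource is titled 'elastic-artifacts' and has no commas after the `ensure`, `comment` and `ip` values, so it will not parse, and once the commas are added it would create a hosts entry for the name elastic-artifacts rather than artifacts.elastic.co, which leaves the workaround ineffective. Title the resource 'artifacts.elastic.co' (or set `name`) and end each attribute with a comma; that block is also fenced as yaml, and the hosts-file paths are fenced as bash. Under Workaround, the doc should say how TLS is expected to work, since the URL is https and the internal host will be answering for artifacts.elastic.co, and it should tell the reader to check the fingerprint of the downloaded key before publishing it internally, because the file served there becomes the key used to verify upgrade signatures. The Ansible task only edits /etc/hosts, so a sentence pointing Windows hosts to the path given in the Manual section would close that gap.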
