Elastic Agent doesn't update the enrollment token in Kubernetes Deployment statefile #3586

@ch9hn

Description

When a new enrollment token is set via env or envFrom in the Kubernetes manifest, the new token is not reflected in Elastic Agent.
The reason for that is probably that Elastic Agent saves its state locally on every Kubernetes node and doesn't update to the new token.
This leads to Unauthorized errors on the Agent - a redeploy with a new token is not possible anymore.

For confirmed bugs, please report:

  • Version: 8.10

  • Operating System: Ubuntu Linux / Kubernetes 1.27

  • Discuss Forum URL:

  • Steps to Reproduce:

  1. Install Elastic Agent on Kubernetes Cluster as described in the docs with enrollment-token "ABC"
  2. Expire "ABC" and add new token "DEF"
  3. Restart Elastic Agent Daemonset
  4. Result: Old token "ABC" is persisted and used for the communication to Elastic Fleet Server

Error logs:

"Failed to connect to backoff(elasticsearch(https://xxxx.xxxx.cloud.es.io:443)): 401 Unauthorized: {\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"unable to authenticate with provided credentials and anonymous access is not allowed for this request\",\"additional_unsuccessful_credentials\":\"API key: api key [xxxxxxx] has been invalidated\",\"header\":{\"WWW-Authenticate\":[\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\",\"Bearer

How to fix temporarily:
When using a Kustomize deployment, the hostPath can be overwritten quite easily with the following DaemonSet overwrite:

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: elastic-agent
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: elastic-agent
  template:
    metadata:
      labels:
        app: elastic-agent
    spec:
      containers:
        - name: elastic-agent
          env:
            - name: FLEET_URL
              $patch: delete
            - name: FLEET_ENROLLMENT_TOKEN
              $patch: delete
            - name: FLEET_INSECURE
              value: "false"
            - name: KIBANA_HOST
              $patch: delete
            - name: KIBANA_FLEET_USERNAME
              $patch: delete
            - name: KIBANA_FLEET_PASSWORD
              $patch: delete
          envFrom:
            - secretRef:
                name: elastic-agent-token
          volumeMounts:
            - name: elastic-agent-state
              mountPath: /usr/share/elastic-agent/state
      volumes:
        - name: elastic-agent-state
          hostPath:
            # Change path here to your deployment namespace or use another name
            path: /var/lib/elastic-agent-managed/monitoring/state
            type: DirectoryOrCreate
```
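For readers wiring the workaround into a Kustomize build, the following kustomization.yaml is an added example and not part of the original report. It assumes the upstream manifest is saved as elastic-agent-managed-kubernetes.yaml, that the DaemonSet overwrite above is saved as elastic-agent-daemonset-patch.yaml, and that the Fleet URL and token values are placeholders to be replaced; none of these file names or values come from the issue.

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system

resources:
  # Assumed file name for the upstream Elastic Agent manifest.
  - elastic-agent-managed-kubernetes.yaml

patches:
  # Assumed file name for the DaemonSet overwrite shown above; it deletes the
  # inline FLEET_* / KIBANA_* env entries and moves the state dir to a new hostPath.
  - path: elastic-agent-daemonset-patch.yaml
    target:
      kind: DaemonSet
      name: elastic-agent

secretGenerator:
  # Generates the Secret referenced by envFrom.secretRef in the patch.
  # Values below are placeholders, not real credentials.
  - name: elastic-agent-token
    literals:
      - FLEET_URL=https://fleet.example.invalid:8220
      - FLEET_ENROLLMENT_TOKEN=REPLACE_WITH_NEW_ENROLLMENT_TOKEN
```

With the default name-suffix hash left enabled, Kustomize renames the generated Secret and rewrites the secretRef in the DaemonSet to match, so rotating the token changes the pod template and triggers a rollout. The rollout alone does not discard the persisted state, which is why the patch also points the hostPath at a fresh directory; pair a token rotation with a new path (or clear the old directory on each node) so the agents re-enroll instead of reusing the invalidated API key.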
