So I'm wondering what's the official recommended way to configure a Fleet-managed Elastic Agent on ECK that connects to a Fleet server that is not within the same Kubernetes cluster. I'd assume this is a pretty common case (maybe even more common than having the clients and server in the same cluster), yet I didn't find any explicit documentation.
In reality I did manage to set it up using the ENV variables recommended here, but I do have some doubts/questions:
-
Is the the canonical way of doing this? (If so, I think a more explicit documentation would be welcome.)
-
If using this method the operator gives me a warning when applying the manifest: "spec.PolicyID is empty, spec.PolicyID will become mandatory in a future release". This makes me doubt the solution a bit.
-
(Loosely related question) To avoid having verification issues, I'm using a certificate signed by a "real" CA, and have it set up for ES, Kibana and Fleet the way it's documented here. It works, however now for internal agents I have to set the
FLEET_INSECUREenv, and for the server itself I also have to set the undocumentedFLEET_SERVER_ELASTICSEARCH_INSECURE. (No surprise here, the certificate does not [cannot] include the internal service names.)Couldn't/shouldn't the operator take care of these? It would be consistent with Kibana, which decreases the verification mode so it has no issues with the ES certificate.
-
(Even more loosely related question) Out of curiosity, when the agent is "internal", why is a
kibanaRefrequired, when for "external" cases the fleet server address is sufficient for the enrollment.