Take the following configuration as an example reference:
```yaml
fleet:
  ...
  server:
    host: 0.0.0.0
    internal_port: 8221
    output:
      elasticsearch:
        hosts:
          - 192.168.122.196:9200
        protocol: https
        proxy_disable: false
        proxy_headers: null
        service_token: <REDACTED>
        ssl:
          certificate: <REDACTED>
          certificate_authorities:
            - <REDACTED>
          key: <REDACTED>
          renegotiation: never
          verification_mode: full
    policy:
      id: fleet-server-policy
    port: 8220
    ssl:
      certificate: <REDACTED>
      certificate_authorities:
        - <REDACTED>
      client_authentication: <REDACTED>
      key: <REDACTED>
  ssl:
    certificate: <REDACTED>
    certificate_authorities:
      - <REDACTED>
    key: <REDACTED>
    renegotiation: never
    verification_mode: certificate
  timeout: 10m0s
```
Setting `fleet.server.output.elasticsearch.ssl.verification_mode` to `full` is quite the easy endeavor: the Kibana API for configuring the output (`config_yaml` in the output API) allows you to write custom YAML that is appended onto this item. However, for fine-controlling `fleet.server.ssl.verification_mode` (if such an option exists), as well as `fleet.ssl.verification_mode`, I am currently unsure of how to approach configuring these items.
My first thought was to write options as an appending item to `elastic-agent.yml`, but it appears that this wipes out the rest of the configuration, and I am attempting to avoid having to write the full `elastic-agent.yml` configuration for each agent for this purpose, as it removes a lot of the benefit of Fleet Server's SSL configuration options.
My second thought was the Agent policy YAML configuration, but that appears to be rooted in `agent:`, much like how the YAML configuration in output is rooted in `output`.
What are the available avenues to set these two configuration options for fine-controlling mTLS trust? Is such an option available? I am writing this in an automated manner, so writing files isn't out of the question.
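
One way to check from automation which of the three `ssl` blocks discussed above carries which `verification_mode`. This is an added example, not part of the original post and not Elastic tooling. It assumes the rendered configuration has already been parsed into a Python dict; the function names and the `SAMPLE` dict (constructed to mirror the post's configuration) are illustrative.

```python
# Added example: list every `ssl` block in a parsed agent config and report
# its verification_mode. SAMPLE is constructed to mirror the post's config.

def find_ssl_blocks(node, path=()):
    """Yield (dotted_path, ssl_mapping) for every `ssl` key in the tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = path + (str(key),)
            if key == "ssl" and isinstance(value, dict):
                yield ".".join(here), value
            yield from find_ssl_blocks(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_ssl_blocks(item, path + (str(index),))


def audit(config):
    """Return one finding per ssl block, in document order."""
    findings = []
    for path, ssl in find_ssl_blocks(config):
        mode = ssl.get("verification_mode")  # None when the key is absent
        findings.append({
            "path": path + ".verification_mode",
            "mode": "<unset>" if mode is None else mode,
            # True only when the key is present and set to "full"
            "explicit_full": mode == "full",
            "has_client_auth": "client_authentication" in ssl,
        })
    return findings


R = "<REDACTED>"
SAMPLE = {"fleet": {
    "server": {
        "host": "0.0.0.0",
        "output": {"elasticsearch": {
            "hosts": ["192.168.122.196:9200"],
            "ssl": {"certificate": R, "key": R, "verification_mode": "full"},
        }},
        "port": 8220,
        "ssl": {"certificate": R, "client_authentication": R, "key": R},
    },
    "ssl": {"certificate": R, "key": R, "verification_mode": "certificate"},
}}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        flag = "ok" if f["explicit_full"] else "REVIEW"
        print(f"{flag:6} {f['path']} = {f['mode']}")
```
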