I am having an issue with elastic-agent-complete:8.16.1.

We use self-signed certs on many of the internal sites we monitor, so I have to add these certs to the nssdb, however they need to be chown'd to elastic-agent:elastic-agent for them to be used by the browser agent. This worked well for elastic-agent-complete:<8.16.0. However, starting with 8.16.0, elastic-agent appears to chown everything in /usr/share/elastic-agent to root:root on startup, which breaks the certs in the nssdb (I'm running as root:root). In this particular situation, I don't have the option to build the certs and nssdb into the image, so I need to run as root:root in order to update the image cert store.

Suggestions?

Update

When I build my updated cert store and appropriately chown everything in an initContainer, then run my agent as elastic-agent, it won't start because it can't write the agent.lock file.

If I stand up a new instance that has NEVER run as root, I get the error that the agent is not able to create /usr/share/elastic-agent/state/data.

The ONLY thing I haven't tried to resolve this so far is to mount the agent-data share in my init container and do chown -R 1000:1000 ....

PS

I'm deploying through the Elastic Operator (ECK) using a deployment, if any of this makes a difference.