Skip to content

[RORDEV-1368] PoC: Fleet support (8.19.7 example) #61

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
coutoPL wants to merge 51 commits into from
Closed

[RORDEV-1368] PoC: Fleet support (8.19.7 example) #61

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
51 commits
Select commit Hold shift + click to select a range
3134e10
RORDEV-888 reproduction
Dzuming Jun 11, 2024
ffd1f18
Wip
coutoPL Aug 24, 2024
80b3320
Wip
coutoPL Aug 25, 2024
0163054
wip
coutoPL Aug 26, 2024
2267a08
wip
coutoPL Aug 26, 2024
21e11cf
wip
coutoPL Aug 26, 2024
71fa744
update image
Dzuming Aug 27, 2024
c901441
update ROR kbn image
Dzuming Sep 9, 2024
90469b8
update ROR kbn image
Dzuming Nov 27, 2024
561a474
wip
coutoPL Nov 27, 2024
a5654d5
update ROR kbn image
Dzuming Nov 28, 2024
4c7e081
disable kbn ssl
coutoPL Nov 28, 2024
8f4291f
disable es ssl
coutoPL Nov 28, 2024
49e8ecd
wip
coutoPL Nov 29, 2024
cf117d8
wip
coutoPL Dec 4, 2024
db85790
wip
coutoPL Dec 15, 2024
9f6594d
wip
coutoPL Dec 16, 2024
9dd3f56
wip
coutoPL Dec 18, 2024
b2c8f05
wip
coutoPL Dec 18, 2024
da9e8b4
wip
coutoPL Dec 18, 2024
b162b0d
wip
coutoPL Dec 18, 2024
e91a76c
wip
coutoPL Dec 19, 2024
e592792
test
coutoPL Dec 19, 2024
ab1f4fe
wip
coutoPL Dec 20, 2024
24be9c6
RORDEV-1348 add new image
Dzuming Dec 21, 2024
d623491
works
coutoPL Dec 21, 2024
7ee50b7
Merge remote-tracking branch 'origin/master' into RORDEV-1348
coutoPL Dec 21, 2024
a84b06b
wip
coutoPL Dec 21, 2024
8a92c4f
wip
coutoPL Nov 7, 2025
ed98126
wip
coutoPL Nov 10, 2025
af02a87
update KBN images
Dzuming Nov 11, 2025
3136c2f
fix
coutoPL Nov 12, 2025
5e88818
wip
coutoPL Nov 17, 2025
5bcfce5
wip
coutoPL Nov 18, 2025
096e693
wip
coutoPL Nov 19, 2025
d3991fd
wip
coutoPL Nov 19, 2025
d78724a
wip
coutoPL Nov 19, 2025
0e956fd
wip
coutoPL Nov 19, 2025
4a462ec
wip
coutoPL Nov 19, 2025
6e00282
wip
coutoPL Nov 19, 2025
de6d236
wip
coutoPL Nov 20, 2025
698334a
Merge remote-tracking branch 'origin/master' into RORDEV-1348
coutoPL Nov 20, 2025
57b7b80
rollback
coutoPL Nov 20, 2025
492a67b
rollback
coutoPL Nov 20, 2025
aac3816
clean up
coutoPL Nov 20, 2025
001f3be
clean up
coutoPL Nov 20, 2025
3e11849
Merge branch 'master' into RORDEV-1348
coutoPL Jan 6, 2026
131a076
Merge branch 'master' into RORDEV-1348
coutoPL Mar 3, 2026
6febca1
temp
coutoPL Jan 7, 2026
ca29db6
final version
coutoPL Mar 3, 2026
b9ca172
wip
coutoPL Mar 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,5 @@ ror-cluster-elastic-cloud-demo/certs-generator/output
ror-cluster-elastic-cloud-demo/certs-generator/input
ror-cluster-elastic-cloud-demo/certs
**/.env
**/subst-xpack
**/__pycache__/**
**/subst-xpack
6 changes: 6 additions & 0 deletions ror-fleet-example/.env_showcase
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
ES_VERSION=8.19.7
ES_DOCKERFILE=Dockerfile-use-ror-binaries-from-file
ES_ROR_FILE=readonlyrest-1.69.0-pre7_es8.19.7.zip
KBN_VERSION=8.19.7
KBN_DOCKERFILE=Dockerfile-use-ror-binaries-from-api
ROR_KBN_VERSION=1.68.0
12 changes: 12 additions & 0 deletions ror-fleet-example/agent1/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
FROM docker.elastic.co/elastic-agent/elastic-agent:8.15.0

USER root

RUN apt-get update && \
apt-get install -y curl jq net-tools

COPY entrypoint.sh /entrypoint.sh

USER elastic

ENTRYPOINT [ "/entrypoint.sh" ]
24 changes: 24 additions & 0 deletions ror-fleet-example/agent1/entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
#!/bin/bash -ex

echo "=== Agent1 Environment Variables ==="
echo "KIBANA_HOST: $KIBANA_HOST"
echo "KIBANA_FLEET_CA: $KIBANA_FLEET_CA"
echo "FLEET_URL: $FLEET_URL"
echo "FLEET_CA: $FLEET_CA"
echo "FLEET_ENROLL: $FLEET_ENROLL"
echo "===================================="

POLICY_ID="elastic-policy"
FLEET_ENROLLMENT_TOKEN=$(curl -k -s \
-u kibana:kibana \
https://kibana:5601/api/fleet/enrollment_api_keys | \
jq -r '.items[] | select(any(.; .policy_id == "'$POLICY_ID'")) | .api_key')
Comment thread
coutoPL marked this conversation as resolved.
Comment thread
coutoPL marked this conversation as resolved.

if [[ -z "$FLEET_ENROLLMENT_TOKEN" ]]; then
echo "Failed to retrieve enrollment token for policy_id: $POLICY_ID" >&2
exit 1
fi

export FLEET_ENROLLMENT_TOKEN

/usr/local/bin/docker-entrypoint
33 changes: 33 additions & 0 deletions ror-fleet-example/ca/ca.crt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIFqTCCA5GgAwIBAgIUSBHERCB+3f8x+A/0YYx6FPCs0KYwDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCUFQxDzANBgNVBAgMBkxpc2JvbjEPMA0GA1UEBwwGTGlz
Ym9uMRIwEAYDVQQKDAlNYXJpb25ldGUxCzAJBgNVBAsMAklUMRIwEAYDVQQDDAlt
YXJpb25ldGUwHhcNMjQxMjAxMTAxOTAyWhcNMzQxMTI5MTAxOTAyWjBkMQswCQYD
VQQGEwJQVDEPMA0GA1UECAwGTGlzYm9uMQ8wDQYDVQQHDAZMaXNib24xEjAQBgNV
BAoMCU1hcmlvbmV0ZTELMAkGA1UECwwCSVQxEjAQBgNVBAMMCW1hcmlvbmV0ZTCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMxJcWSbqyzMZC2ayaOSlcf1
lzZW1CKqFFEfM3IHP0neenZVD859nEQ9S12VpC29o2rM+aQfUKo4ZNIpXi1OT6kW
/uyholI/VOP9TAZqIyawUg/1l6onRiJ5DqSyqg7YTUMLsHupzXZ8+mIvx7aTrzzH
+DQ3rXuv/zc2Bkwu78q7HbItu2AujCF0KALxsu8BAMpcNs9lVulVnPHtGF00pRxF
wqBlw8/1Rzx+STnKxwwWCQ7SHXc3CmxIMzern15bBay2vF5hGCflKsAJLuuMWJAH
L2MD0GAynVhnKymz+b2RVlRrBbLn/1+XjLCsWLPmda+6K7wrR8TRgx53FLTSp6dN
gtnLkjGR9HY8T8ebPYL8Pb5P9wLLGLwADkSScmMwaeUK/xWZLQwqtOzF6R/cpkXd
t9ji1vjKZ8bvTDNj4DuqHwn4qeDk4bngfD0dyCj3r8Y3gfwQf237J0QUfUFeA3WK
AeFF4fKjjWvX15MWV4tIk0Mg3GhL9eUubYKtnsBEqYDhmiFSrVW2TfGTjXZhJBqn
xrlGCLT1aKFY6sVrbCaEn+SJ/jQDx+rBZiYMY7iz1+vqq4ie6q7LDmCZuUe4+Rlw
3u9ChA+avv95Y4lgqz+HQiWP9ejq2c21cb5pQIfs8QjKD5jPJr8+3XuGoIpo1lLY
GMRN9PzokkD1ARkMB4v5AgMBAAGjUzBRMB0GA1UdDgQWBBRSda45xZ5lPn0cpSjJ
IKfBmFcLyDAfBgNVHSMEGDAWgBRSda45xZ5lPn0cpSjJIKfBmFcLyDAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCvlKTppi+HxqRF2riaJ7LvxEde
M+qLHWzvRwcWlb3MdpTq7uZjQG2YEZY6YeyN+8AwKbUPSavS6+dUe8hfM2HgwtBb
zYaZiS2JdRnCPKQMRz+xEGlcyvXzEb5M99+zqU/5NYOOeFX5odT/nwIToWw82G61
LXTY6WTmjQ1oRAabUdhMRyQTqL0pGYkBkLzusgh0ENWDVe0/tz/mCzi/DQD6agHy
ADaM6iqqUOIFzHXsI/N9iMNbJKSrllFy4v0AfCDpzgz4mbbUq6zV/E0KIpB/Tojh
xdl+a4Sw4tuIi8vU0TtVRs0UXCBd4I6yqrPDooIYfkh6w4OwSg07yZejuSq/dzo6
04s8boJKQNZQo8RqVOXUG47vCZMwIj7dJEVXxM9aRkfLPWhK9iG8skh8WwcsG8mu
wL2h4FqH1IVOTv+RxhvUDY74ooUBd8eCywvS4k0iDssznQ7TbtZjTIJr54oTLiK9
qrPVT+/eL+qFzSKVyFiDiKW+6rKdHO0KYQDXkkhGH1QqBP5rxIJiHl8drYilEw/Y
a9uWuGZZK0YFJA5RSKrIzuX10iQL80B7CXiH++zGE8KGkzxw55R9zjdWLXAsmxyr
vz1CbUsC9YXXqg4P/h4P5FYnqQyR1LWJjwhfPk1F+6POJBiwgeYtxFDlag/QGr6R
C6uLuBpvA9hPSOt4Ng==
-----END CERTIFICATE-----
52 changes: 52 additions & 0 deletions ror-fleet-example/ca/ca.key
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDMSXFkm6sszGQt
msmjkpXH9Zc2VtQiqhRRHzNyBz9J3np2VQ/OfZxEPUtdlaQtvaNqzPmkH1CqOGTS
KV4tTk+pFv7soaJSP1Tj/UwGaiMmsFIP9ZeqJ0YieQ6ksqoO2E1DC7B7qc12fPpi
L8e2k688x/g0N617r/83NgZMLu/Kux2yLbtgLowhdCgC8bLvAQDKXDbPZVbpVZzx
7RhdNKUcRcKgZcPP9Uc8fkk5yscMFgkO0h13NwpsSDM3q59eWwWstrxeYRgn5SrA
CS7rjFiQBy9jA9BgMp1YZysps/m9kVZUawWy5/9fl4ywrFiz5nWvuiu8K0fE0YMe
dxS00qenTYLZy5IxkfR2PE/Hmz2C/D2+T/cCyxi8AA5EknJjMGnlCv8VmS0MKrTs
xekf3KZF3bfY4tb4ymfG70wzY+A7qh8J+Kng5OG54Hw9Hcgo96/GN4H8EH9t+ydE
FH1BXgN1igHhReHyo41r19eTFleLSJNDINxoS/XlLm2CrZ7ARKmA4ZohUq1Vtk3x
k412YSQap8a5Rgi09WihWOrFa2wmhJ/kif40A8fqwWYmDGO4s9fr6quInuquyw5g
mblHuPkZcN7vQoQPmr7/eWOJYKs/h0Ilj/Xo6tnNtXG+aUCH7PEIyg+Yzya/Pt17
hqCKaNZS2BjETfT86JJA9QEZDAeL+QIDAQABAoICACg1/J/1FEiJIt7nLPGJlPn7
GXyUssTv/XfKUHINgyOjKy/HpojaqLu15PPS1LI8NcJ7/leT4mjfGNlVUzhPxdZe
tGcXmb/ev3LxFNneYnTnGAAUM3pGqMN4WK2KjXbGlM6xqldtIQhFqXNSPFlv0HqC
UhTVMMy749yWQb8VLhYVps6/ubZA80xSdN2/fZ0V8XXjmNZR+D2NoIruRHF0P1vF
T34LCfQRL6h0oy1BANUcMUQ9j5c7uk1+GLbIjWIhQIiyn3lkW0DfFv8dz6KFyZjw
ER/ITGfjDp2sEQ7wYiQyS2/qcQC6McY7KnJMOlmO73NbjehIDKRtKQYCIo1FOcKW
rtnemTyg8DghfghtQc4gxuNFOqEWPuDTu3u0LU/vrDSm6GEuFTWCZVl6cU7K6F6b
eHFNcFVD5RcxbRzv30XsoyRna37l/Kx+r7QTprK+E9buq/Fd2ns3e3jSZOwZdzTV
z7jcdac96IwBsYoq4sJ/2fpwQ5VdxUeMiCOX5cxCEYUzTV0MePTd5wVTXGogttaX
tYE8Pi6YCUqZzVkQwNTxT4KLMc+hK8ExOQdPEiwPjfhc38wPJs2Wz9cKZr96/fNt
v1w8Gf99kB7hNKuMtRyYPX6KRHN6ErQrtmcwXOyOUfrtTYMbMG2ynOhlu/JZcAWu
j8/m4+/g1oDzwHfDdU9RAoIBAQDpjEUybvWkohAp4Ies58O0C7uM5hCCfbqNXu7v
aevJWNsZpzE98n1ot2mDZKuUSG+U0+nzRmQ7AcKPUWY1z6ijd71f8HP7l2PDa8Ak
rGu8vuMQQIlQCjY5raPDGp7nfpfBV5IDow+1YnG6QahR3AmU5pNo/SR6qHbCwNaS
JmV+NWeCVg0m8VFsbo2D/2mCpIpZ2jdINcsj5JiVlR/mah61WkQGXUKPSrUWWXKE
7UfKH9GLH8zaaCxeSZXIzBVhDkTlM6WQElqnZeErW3ySjV70icVGsWhkinkim3Fu
KImn6FAkvVBhP6O/b+QfowSAnzUROtmKwVh/Pa0HF4vGYj3nAoIBAQDf7Qs+Bv19
xr+UGSn09WRrlB+TFUQvrlA4afe8u2LnLszCK9WfSgt4qnvhsrVKXh/ffictxB+h
Da93yZ5ThyHVBRsDQQoiIoSQPZm4rR2U/GCaYPYW/CRtcBg5THArCuSrcUMH2gAm
nHPCqj22BFR7n3bCJsD5BO5sohy/H68onHBG2G7JQ33XfQ33Ouj3kCr3FJNrniYa
Y4P6gStP8c2pPXQqowfH7fYlF3yEVmOK+our06IRxNs4CDp1hlzG8PlN74PkpbVv
gYORMhs5lXoRIX/OAr2tKajoCjynL95LaduB/RmpIR3RnSjaZtvEw8t870CZDeHB
tlaadLbeWesfAoIBAQCCfQ4YjKiQ8L/JNht4PxI4YanLoquszSTTYixr9il4mT3p
ymGX9Amf3YKFmFTJh+NYK0L22uibk3MqcleCT2Ew3HEhzo5vDvn9sRFtLC0SCzGA
3h4aa2o6tcre8tvAChouO4hooc3gEX3rjE3IVwG/gUjxiya7pa6dR/NbOzrP1nTb
/MpibMiKpgZJrwY7qUVnyKXEodG7XzjlsqldKwO3XhTN3YOX3izprNZwcMcApuCE
NCNYEIZhtAmNZIG5daiGy2GA6tBd4W16tSYYGAbq6KMhyXPDYR8nd+RboSiwePt2
W5QykcUi7BhwmLumRc33r4LmpPqWNVactMoy8KcXAoIBAFFNbL6JpTIsnlR0SoKR
MnPI5SnvF8HEJYZGG1fgJYnQuTFq3vYl2UJni/EnhKFKyYHI+Qqp4d4E7QeuIZks
QEFqyCMHU1mPdNg2NYETAeGdPKnwuIkh5UwC3hi3wyYtn1cMGY1ZPqLGPVWZoCxd
KBt2i5T0oy4G91ZkCdHu/BbfrfhbDuZuZdt+oTp5nip8oszxIJF7a1Q7e6jRi1tM
bSKcmHf+l42kvbE79M7L2vqT+3BYt8iB1CJlAmy3ayokRjBg3V+ANv8UZCOssKvY
tOhRZGj1H88miBgv11PQkoKJHdT1g4Kf7oaz7ChYHkUz3ccvyyGHI8fEn28XH2pd
9XsCggEAAfcPmOvEd6UVgxM89q8c7WOkAOSgcZS+jtvzPrRGq1PGG/b6xoFJ11j4
UwZCA0j+8wbf7UGXUl8YhRUewnh3wccrhkDYAEixHOqAkqO2sL65g8bvUDrC9M57
QXqXyAXzebnTLB4UKkBz65Bwg9+X3CYX1C+pan6NiJIBEPuA9aT6CMwr8ibpcSuY
OOXwvUA1j/QZbHs6P68eNxObpkLhMH6aHkpyR7K4KDg9ckemkH8o6yoWSboGNJTD
N+6zz/TYFJRh//S1BVNOS7PrqElmX8hknCh2VJ0WELK2qx0zrNv26ZV4aW3LPjC6
Cqbq08317ZRzKwafJ9i2aIMGDdJ3lA==
-----END PRIVATE KEY-----
Comment on lines +1 to +52
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

CA private key committed to repository - ensure test-only usage is documented.

The static analysis tool correctly flagged this CA private key as a security concern. While this appears to be for a sandbox/example environment, CA keys are particularly sensitive as they can sign arbitrary certificates.

Recommendations:

  1. Add a prominent README in the ca/ directory warning that this CA is for testing only
  2. Consider adding the CA key to .gitignore and documenting how to generate it locally using the gen-cert.sh script
  3. If keeping it committed for convenience, ensure it's never reused outside this sandbox environment

Based on the static analysis hints.

🧰 Tools
🪛 Gitleaks (8.28.0)

[high] 1-52: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

🤖 Prompt for AI Agents 
In ror-fleet-example/ca/ca.key (lines 1-52) the CA private key is committed;
remove the sensitive key file from the repository, add a prominent README.md in
the ca/ directory stating this CA is test-only and must never be reused, add
ca/ca.key to .gitignore, commit a placeholder example file (e.g.,
ca/README_KEY_PLACEHOLDER) referencing gen-cert.sh, and update the repo README
to include exact commands to generate the CA key locally with gen-cert.sh;
optionally remove the key from history (or coordinate rotation) if retention is
a concern.

1 change: 1 addition & 0 deletions ror-fleet-example/ca/ca.srl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
1172B84EC84A3D4FB10B00D71B21EC1BAEBC35AD
29 changes: 29 additions & 0 deletions ror-fleet-example/certs/agent1.crt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIE4TCCAsmgAwIBAgIUEXK4TshKPU+xCwDXGyHsG668NakwDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCUFQxDzANBgNVBAgMBkxpc2JvbjEPMA0GA1UEBwwGTGlz
Ym9uMRIwEAYDVQQKDAlNYXJpb25ldGUxCzAJBgNVBAsMAklUMRIwEAYDVQQDDAlt
YXJpb25ldGUwHhcNMjQxMjAzMjEwNTQxWhcNMzQxMjAxMjEwNTQxWjBhMQswCQYD
VQQGEwJQVDEPMA0GA1UECAwGTGlzYm9uMQ8wDQYDVQQHDAZMaXNib24xEjAQBgNV
BAoMCU1hcmlvbmV0ZTELMAkGA1UECwwCSVQxDzANBgNVBAMMBmFnZW50MTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrc7eaofRRY8hDZ/xHjDxage3js
RQhDBRVx1hYORRrCOOpNX71ukNOXbBGn9uv4EKzXkVpw2C4tbK45EMabhNziiiCc
ZvyW+HbxpeF5+y9l0P77EMHWrsyaavG7i72srwICA4WvgBpWzewrmNfWSOb1L2Be
iXmVOGIUpHQ4A2GksgvRioHxJvbGoYgrE5n0qgrZQLQwxggaea+T32NKQWzsuBLq
hxJnm32zHnGaS9DYs1IADN8mgxknAVeuJCIYTz5JE2losSCb4yT1galxlpw4nR39
9rfOESG2Tes9ZFwu6gv91a7CX8kRmeqChPfkSF/bey2yjiXKPgeNffSLImUCAwEA
AaOBjTCBijAcBgNVHREEFTATggZhZ2VudDGCCWxvY2FsaG9zdDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRC9T95
4NRmN9zhMZ6UxyDp5bCs6zAfBgNVHSMEGDAWgBRSda45xZ5lPn0cpSjJIKfBmFcL
yDANBgkqhkiG9w0BAQsFAAOCAgEAXYOKSziZApfPEuDeghfjWACF/Se5YiQu9cln
uEyhqOx9jkOmL8GH8bjDD+hE7B92EO4Ci5vmy1Nupm9JXjnjnLZSUz25IJGQzqUI
2rjcZcGDnsqG+QYvDF/1HRgD7Nz2jERsBp+Ep1+e5kYFa0BAgwM6BTftokGXYq2M
yUw/m0eibqMA2PnX/bJq3oNVCoyXzZfUomwpmCIAcuvu+dcZk04GYFpqa7riXoh9
qaCsjTMHc8pWONRROwmhFnBpHUDBMG8UWwBPVAzwsyagHS7E9xTF6Ou/R9AibCEZ
FYP8b04NpU3DGii2GKEtrk+sWtIkPHdMI4SgKwaTJBOmpplkhP4BzRH0CKRpKHVW
G90XZWeDJJkgeUrLQAPNSHVyVOZarYFz1dusWcH9gnixR4MC1eotLeh8Nw6Qd3OY
k3JdtcroQOu7Z0/fGtjwx3rR/d0BnvgfVrQKi6KF09ROKTbWuEIlYV4JOe6svhIY
TuZ2MQ5Q9GJUQX49i+9v3pg0/KGIfPdmR7Qbo/px5dOY0Jj7iIk9iG+eUSbobm7+
im5RYxrbx4rgXKXknyaUuQfvki/l9l5rhYVUtSTQPfrx84K54cYPOXCTaP/7K7Vm
k+4dAym1l2bVlX5wwwpPw1JnKe75n2Z/O2ut2GmlhrdoPoZZe4HQyackkF4uQFhz
sYIMW+o=
-----END CERTIFICATE-----
17 changes: 17 additions & 0 deletions ror-fleet-example/certs/agent1.csr
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICpjCCAY4CAQAwYTELMAkGA1UEBhMCUFQxDzANBgNVBAgMBkxpc2JvbjEPMA0G
A1UEBwwGTGlzYm9uMRIwEAYDVQQKDAlNYXJpb25ldGUxCzAJBgNVBAsMAklUMQ8w
DQYDVQQDDAZhZ2VudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCq
3O3mqH0UWPIQ2f8R4w8WoHt47EUIQwUVcdYWDkUawjjqTV+9bpDTl2wRp/br+BCs
15FacNguLWyuORDGm4Tc4oognGb8lvh28aXhefsvZdD++xDB1q7Mmmrxu4u9rK8C
AgOFr4AaVs3sK5jX1kjm9S9gXol5lThiFKR0OANhpLIL0YqB8Sb2xqGIKxOZ9KoK
2UC0MMYIGnmvk99jSkFs7LgS6ocSZ5t9sx5xmkvQ2LNSAAzfJoMZJwFXriQiGE8+
SRNpaLEgm+Mk9YGpcZacOJ0d/fa3zhEhtk3rPWRcLuoL/dWuwl/JEZnqgoT35Ehf
23stso4lyj4HjX30iyJlAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAmfyY1gYK
4GxGy+/IWIuutkG8jiT498tB5g1/AwaUgnNfxRzMLCebWvCKoGwcMKGMNerdeOYx
5Cu2j1Sk4CLuKO6ZYDXeKxTuFzUujpd/1Jg+chWxqcbgs3VdxE6kfvhWLjbZXzUi
a9oGvRBYBmTUpmeRkyfnvrHW6X0C2egTgCcq+ZptLlqwOuRQgetH2NHRHeAXu0KZ
/fOutLLAkOhSH3g2nukLCtRDz/3nCC9BZP4exD5+dOqxrmMY1TF+0USH4OqvMHh1
j+vabYKLeIknnVG2IMP94TFH51ZwOpNMKjENlv2CbSEt330/NozVWr+YQSiUFkrf
emNtuOK5gPPjXw==
-----END CERTIFICATE REQUEST-----
28 changes: 28 additions & 0 deletions ror-fleet-example/certs/agent1.key
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCq3O3mqH0UWPIQ
2f8R4w8WoHt47EUIQwUVcdYWDkUawjjqTV+9bpDTl2wRp/br+BCs15FacNguLWyu
ORDGm4Tc4oognGb8lvh28aXhefsvZdD++xDB1q7Mmmrxu4u9rK8CAgOFr4AaVs3s
K5jX1kjm9S9gXol5lThiFKR0OANhpLIL0YqB8Sb2xqGIKxOZ9KoK2UC0MMYIGnmv
k99jSkFs7LgS6ocSZ5t9sx5xmkvQ2LNSAAzfJoMZJwFXriQiGE8+SRNpaLEgm+Mk
9YGpcZacOJ0d/fa3zhEhtk3rPWRcLuoL/dWuwl/JEZnqgoT35Ehf23stso4lyj4H
jX30iyJlAgMBAAECggEAFv4skI/nZxvSFWT0n4BV+TZG716iKoq0Ti63v9eTQpbU
6GjZo6kTmbnEi/q1ror/GXdX4tsRKGOp/qcExClM/5mHu3w4mrCpRn5d04IiBH6X
2ZxJJMCiXLvB/P4/P5rToTpKpYyYuVKpmujCBHecb2IaykXmi6NCR2aeO9qGz/aM
x1R8rFCvX6QMWHDRTxsy4DK56ASbnVz1ceECM+nllxEGvGJiZ0/Bvu2TnoTPhWxk
Nj2qsFxdy/B6dg1u+lgML9JAEOZ4qOH3MFmhJtNzS6rwj4PvQ6+QwdvBW1RjLZnu
k+7nDgETD2foBAL42p3rWc9HMkmy4N4pVXKW+Pb5uQKBgQDVTG2grTjfolywhQD3
MTXOHiO9qvGbSG2xfNYcxaknPW3MVhnIZYhIhlvTjBeVB4/6zj+JSROOjiXjmucD
+O3MOpP/5rJYsCdOiS6ZxCnDtWyMF7vv5LLiiTOyU0pDMhzyeCP7zSuy3d77+Eg4
Zj0OGe8JCoIdBQo1U8ytX85N3QKBgQDNEazfq3nbYcETK7JQmkfVK+fvy3RIhkGv
B2W9TlSuJYWAVNuFKLaRZDpbrcmKK+3TIt6JozyCu225oNPWuHz4ctzEaBJAc83u
myh9GuYDL2q5RMTCDEX6MjtTIaQ0K5zZznym1PrL4IYb/ixA9JXRwrOS3wdVkly9
aL3GxoGyKQKBgHN1OoZWHcoYJho69KnZzmkzMV+Sr9PBYfdIPtI2QHkILG4GUVCD
fUDc0cnyNDWscUhu6j+S+e4ZjfLlP5WL4pTBRKmpo/KT78L4SOxdHcpdY1N16XpS
jm5HnF8z7Kfw8XBijf/YMIZSyUgVPmqhFP2UFisLsCCrQLpbERjsGk1VAoGAYSUM
ZfDPizOlyTUcBb7wZHWmLByPe4POPeIdOi6PQugXdBG+5DfDNODsHF4ZaVEiGrEc
BsvDcJLlidg8Qi2nVfLjzk8Wxl2VooDyD0Hc0Il330hKhTpXNAzzuY/oP6ahaTS+
LDIclNRJ85zWzfaPuoynkN4ClXD+aePicvW6nvECgYAPbHwPew7VSz9I+z6Ud8l0
jWAu7mohSG0rX5JaNWQPDEu/TVrrnJJ0NGCMrC9edJ0zmplJZ/O6h2iKraj/+tQ0
qB2S67Wq5H3zrJYf+D5kRzE416v08FuTYE564u9epFe4f/fbj0MNZnS+ikayQGf3
PZM4xKSVh2zQ4iHoJ5MT3g==
-----END PRIVATE KEY-----
33 changes: 33 additions & 0 deletions ror-fleet-example/certs/ca.crt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIFqTCCA5GgAwIBAgIUSBHERCB+3f8x+A/0YYx6FPCs0KYwDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCUFQxDzANBgNVBAgMBkxpc2JvbjEPMA0GA1UEBwwGTGlz
Ym9uMRIwEAYDVQQKDAlNYXJpb25ldGUxCzAJBgNVBAsMAklUMRIwEAYDVQQDDAlt
YXJpb25ldGUwHhcNMjQxMjAxMTAxOTAyWhcNMzQxMTI5MTAxOTAyWjBkMQswCQYD
VQQGEwJQVDEPMA0GA1UECAwGTGlzYm9uMQ8wDQYDVQQHDAZMaXNib24xEjAQBgNV
BAoMCU1hcmlvbmV0ZTELMAkGA1UECwwCSVQxEjAQBgNVBAMMCW1hcmlvbmV0ZTCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMxJcWSbqyzMZC2ayaOSlcf1
lzZW1CKqFFEfM3IHP0neenZVD859nEQ9S12VpC29o2rM+aQfUKo4ZNIpXi1OT6kW
/uyholI/VOP9TAZqIyawUg/1l6onRiJ5DqSyqg7YTUMLsHupzXZ8+mIvx7aTrzzH
+DQ3rXuv/zc2Bkwu78q7HbItu2AujCF0KALxsu8BAMpcNs9lVulVnPHtGF00pRxF
wqBlw8/1Rzx+STnKxwwWCQ7SHXc3CmxIMzern15bBay2vF5hGCflKsAJLuuMWJAH
L2MD0GAynVhnKymz+b2RVlRrBbLn/1+XjLCsWLPmda+6K7wrR8TRgx53FLTSp6dN
gtnLkjGR9HY8T8ebPYL8Pb5P9wLLGLwADkSScmMwaeUK/xWZLQwqtOzF6R/cpkXd
t9ji1vjKZ8bvTDNj4DuqHwn4qeDk4bngfD0dyCj3r8Y3gfwQf237J0QUfUFeA3WK
AeFF4fKjjWvX15MWV4tIk0Mg3GhL9eUubYKtnsBEqYDhmiFSrVW2TfGTjXZhJBqn
xrlGCLT1aKFY6sVrbCaEn+SJ/jQDx+rBZiYMY7iz1+vqq4ie6q7LDmCZuUe4+Rlw
3u9ChA+avv95Y4lgqz+HQiWP9ejq2c21cb5pQIfs8QjKD5jPJr8+3XuGoIpo1lLY
GMRN9PzokkD1ARkMB4v5AgMBAAGjUzBRMB0GA1UdDgQWBBRSda45xZ5lPn0cpSjJ
IKfBmFcLyDAfBgNVHSMEGDAWgBRSda45xZ5lPn0cpSjJIKfBmFcLyDAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCvlKTppi+HxqRF2riaJ7LvxEde
M+qLHWzvRwcWlb3MdpTq7uZjQG2YEZY6YeyN+8AwKbUPSavS6+dUe8hfM2HgwtBb
zYaZiS2JdRnCPKQMRz+xEGlcyvXzEb5M99+zqU/5NYOOeFX5odT/nwIToWw82G61
LXTY6WTmjQ1oRAabUdhMRyQTqL0pGYkBkLzusgh0ENWDVe0/tz/mCzi/DQD6agHy
ADaM6iqqUOIFzHXsI/N9iMNbJKSrllFy4v0AfCDpzgz4mbbUq6zV/E0KIpB/Tojh
xdl+a4Sw4tuIi8vU0TtVRs0UXCBd4I6yqrPDooIYfkh6w4OwSg07yZejuSq/dzo6
04s8boJKQNZQo8RqVOXUG47vCZMwIj7dJEVXxM9aRkfLPWhK9iG8skh8WwcsG8mu
wL2h4FqH1IVOTv+RxhvUDY74ooUBd8eCywvS4k0iDssznQ7TbtZjTIJr54oTLiK9
qrPVT+/eL+qFzSKVyFiDiKW+6rKdHO0KYQDXkkhGH1QqBP5rxIJiHl8drYilEw/Y
a9uWuGZZK0YFJA5RSKrIzuX10iQL80B7CXiH++zGE8KGkzxw55R9zjdWLXAsmxyr
vz1CbUsC9YXXqg4P/h4P5FYnqQyR1LWJjwhfPk1F+6POJBiwgeYtxFDlag/QGr6R
C6uLuBpvA9hPSOt4Ng==
-----END CERTIFICATE-----
Comment on lines +1 to +33
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

CA certificate committed to repository requires special attention.

This CA certificate is particularly sensitive as it establishes the trust chain for all other certificates. Committing CA certificates and their private keys to version control is a significant security risk.

For development/demo environments:

  • Document that this CA is for local testing only
  • Provide scripts to regenerate the entire certificate chain
  • Consider using short-lived certificates (hours/days, not years)

For production environments:

  • Use a proper PKI infrastructure or managed certificate service
  • Store CA private keys in hardware security modules (HSMs) or secure key management systems
  • Never commit production CA materials to version control

I'll verify the review comment by investigating the repository structure and certificate-related files.

🏁 Script executed:

#!/bin/bash
# Find all certificate and key files in the repository
echo "=== Certificate and key files ==="
fd -e crt -e key -e pem -e cert 2>/dev/null | head -20

echo -e "\n=== Checking for ca.crt and related files ==="
fd "ca\." 2>/dev/null

echo -e "\n=== Repository structure around certs directory ==="
fd --type f "certs/" 2>/dev/null | head -20

echo -e "\n=== Checking .gitignore for certificate rules ==="
if [ -f .gitignore ]; then
  echo "=== .gitignore content ===" 
  cat .gitignore
fi

echo -e "\n=== README or documentation files ==="
fd -e md -e txt "(README|SECURITY|CERTIFICATE|cert)" 2>/dev/null | head -10

Length of output: 1595

🏁 Script executed:

#!/bin/bash
# Check repository purpose and documentation

echo "=== Main README.md content (first 100 lines) ==="
if [ -f README.md ]; then
  head -100 README.md
else
  echo "No README.md in root"
fi

echo -e "\n=== SECURITY.md or similar security docs ==="
fd -i security -e md -e txt 2>/dev/null

echo -e "\n=== Certificate generation scripts ==="
fd -i "cert|gen" -e sh -e py -e bash 2>/dev/null | grep -i "cert\|gen" | head -15

echo -e "\n=== Check repo directory structure ==="
ls -la | head -20

echo -e "\n=== Look for any certs generation docs or scripts in example dirs ==="
fd --type f "certs" 2>/dev/null | xargs -I {} sh -c 'ls -la {} 2>/dev/null | head -5'

Length of output: 1736

🏁 Script executed:

#!/bin/bash
# Gather more context about the repository

echo "=== readme.md content ==="
cat readme.md

echo -e "\n=== gen-cert.sh in ror-fleet-example ==="
cat ror-fleet-example/gen-cert.sh

echo -e "\n=== gen-cert.sh in xpack-fleet-example ==="
cat xpack-fleet-example/gen-cert.sh

Length of output: 5491

Update committed certificate regeneration guidance and add security documentation.

This sandbox repository legitimately includes certificates for development/testing, but the infrastructure is incomplete. While gen-cert.sh exists to regenerate service certificates, it relies on a committed CA private key with no regeneration script. Additionally, the repository lacks documentation warning users that these are development-only certificates.

Recommendations:

  • Add a gen-ca.sh script to allow regeneration of the entire CA certificate chain (demonstrating best practices)
  • Add a SECURITY.md or section in readme.md explicitly stating: "These certificates are for local development/testing only. Do not use in production."
  • Consider shortening certificate lifespans in regeneration scripts (currently 10 years) to reflect development/testing context
  • Update .gitignore to exclude *.key files by default, with documented exceptions only for demo purposes
🤖 Prompt for AI Agents 
In ror-fleet-example/certs/ca.crt around lines 1-33, the repository commits a CA
certificate without a regeneration script and lacks security guidance; add a
gen-ca.sh script that generates a new CA private key and CA cert (with
configurable short lifespan for dev), update gen-cert.sh to optionally chain to
the CA and use shorter lifetimes by default, add SECURITY.md (or a readme
section) stating these certs are for local development/testing only and must not
be used in production, update .gitignore to exclude *.key while documenting any
intentional demo exceptions, and remove/rotate any committed CA private key from
the repo with instructions for secure local storage.

29 changes: 29 additions & 0 deletions ror-fleet-example/certs/elasticsearch.crt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIE6zCCAtOgAwIBAgIUEXK4TshKPU+xCwDXGyHsG668NaowDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCUFQxDzANBgNVBAgMBkxpc2JvbjEPMA0GA1UEBwwGTGlz
Ym9uMRIwEAYDVQQKDAlNYXJpb25ldGUxCzAJBgNVBAsMAklUMRIwEAYDVQQDDAlt
YXJpb25ldGUwHhcNMjQxMjE4MTAyMDU4WhcNMzQxMjE2MTAyMDU4WjBkMQswCQYD
VQQGEwJHQjEPMA0GA1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xDjAMBgNV
BAoMBUJlc2h1MQswCQYDVQQLDAJJVDEWMBQGA1UEAwwNZWxhc3RpY3NlYXJjaDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoRfc1RJ7tCtbx4aBC8rO6N
bD3YGtUX0vn9TIqiz8vgPshJXzOtU16++wJ7z/hd6G5zStL4Js/2v8L3kvZO2k/r
u9NxBNpTFoOry6G5GfuxurJdAHv0/go01y+EO1DWgQ04xie1ia8o21UUVdShhq2Y
ip8vYZu1DggLkMA6yfdzv3qNBEQs8eqrGlk5+1QYl919YQ6MfQ8INkw+IICl/yrv
NVxVhYzqzCU47s7O1Yn7CHwZbTii9QI+qV04YDnLG5RUQKnP+1WL7KaEUSjdw2Gk
NVYFrfbVj1pY9TJJKe4xRssWgQGtu1kV/mZ2T4hhqv9N1IKbeS0BbwrJvvBTx9sC
AwEAAaOBlDCBkTAjBgNVHREEHDAagg1lbGFzdGljc2VhcmNogglsb2NhbGhvc3Qw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAsGA1UdDwQEAwIDqDAdBgNV
HQ4EFgQU7hNF4y6M9w8zOZfEksKFKJYGZ8QwHwYDVR0jBBgwFoAUUnWuOcWeZT59
HKUoySCnwZhXC8gwDQYJKoZIhvcNAQELBQADggIBABc0+0vlE+y89Tf0LFBde9dy
e9Xbi7DFVOqggOBnaXbWNweoD8awYVmecCV+TRg7Gcgz7hXvpFh/EZvdb3TxvK9P
b6WN33cX/+IzDmByqFWN61FF2uz6FNlN/Je6fcHVWCV9tfvT1lo8sP8yw8lAiNBw
vH1ieW1hhhRXRMgkMTtjIvNZk54768RJIzBFTKJvG/Bnyv9G8fY/y9Q5dEI/zL3V
wbqYyPLCtZQSIKUe1ouNWhbe32RkJH6PW9XSv235mwKOGVzRWHaINMTO1+WOBsdL
fpKRuyg/pvjUesA/GnEIOApOlVC/MhefyP2cdQsm8RMm19MXhxhw0ltur2X8jG+z
w5jxQqxI5tn1cE5nKucAtMOk4MpChGzFVttBLIDbsz4JApDVZn+/Yh89fXq1vPs2
U6nweb8mVGHnFdFOng5bvpGroG0kL3dFkTIJ7TURd/voMTe7xY5i/6WPQV1Wmoe9
G8TGeOxTl+J5J7MLOcof8qmTdmFZj9us37RYkJ0U0w0HQCieVAfp4mv2CMhrwAlm
WRJwGmt9hSUNKt38NcJTuK5m81NeSbznfBzXI1NC+hEAfkVHoVgrtciJvKTNvRlW
OyyCWlNndcGZS8vZsz579fLIxPrbTuZmg0p7w3HF1JKEZVANvA5jYdZjm3cPkeED
ZMQNQLO+lZw1JjUbApoZ
-----END CERTIFICATE-----
Comment on lines +1 to +29
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

Verify that this certificate is for development/demo purposes only and document accordingly.

Committing TLS certificates to version control poses security risks, even for development environments. If these certificates are meant for local development or demos only, ensure they are:

  1. Clearly documented as example/test certificates
  2. Not used in production environments
  3. Ideally regenerated at runtime using certificate generation scripts

If this is production-intended infrastructure, certificates should be managed through a secrets management system (e.g., HashiCorp Vault, AWS Secrets Manager) and excluded from version control.

Consider adding a README in the certs/ directory explaining the purpose and regeneration process for these certificates. Also verify that production deployments use different certificates.

I'll verify the review comment by examining the repository structure and certificate context.

🏁 Script executed:

#!/bin/bash

# Check for documentation in the certs directory
echo "=== Checking certs directory for documentation ==="
find ror-fleet-example/certs -type f \( -name "README*" -o -name "*.md" -o -name "*.txt" \) 2>/dev/null || echo "No documentation files found"

# List all files in certs directory
echo -e "\n=== Files in certs directory ==="
ls -la ror-fleet-example/certs/ 2>/dev/null || echo "certs directory not found"

# Check repository root for README that might explain certificates
echo -e "\n=== Checking repository structure ==="
ls -la ror-fleet-example/ | head -20

# Search for any production or secrets management references
echo -e "\n=== Searching for production environment configs ==="
rg -i "production|secret.*manager|vault|aws.*secret" ror-fleet-example --type-list | head -20

Length of output: 3513

🏁 Script executed:

#!/bin/bash

# Extract certificate metadata to confirm development/demo nature
echo "=== Certificate Subject and SAN Analysis ==="
cd ror-fleet-example/certs

# Look for certificate details in filenames or comments
grep -i "localhost\|example\|test\|demo" elasticsearch.crt || echo "No explicit test markers in cert"

# Check git history or comments about certificate purpose
echo -e "\n=== Checking for certificate documentation in root README ==="
if [ -f ../README.md ]; then
  grep -A 5 -B 5 -i "certificate\|certs\|tls\|ssl" ../README.md || echo "No certificate documentation in README"
fi

# Search for any .env, .env.example, or configuration files that might document certificates
echo -e "\n=== Checking for configuration/environment documentation ==="
find .. -maxdepth 2 -type f \( -name ".env*" -o -name "*.env.example" -o -name "docker-compose*" -o -name "Dockerfile*" \) 2>/dev/null | head -10

Length of output: 332

I'll gather more information about the certificate generation and project documentation.

🏁 Script executed:

#!/bin/bash

# Check gen-cert.sh script content
echo "=== Certificate Generation Script (gen-cert.sh) ==="
cat ror-fleet-example/gen-cert.sh

# Check main README
echo -e "\n=== Main README.md ==="
head -50 ror-fleet-example/README.md 2>/dev/null || echo "No main README.md found"

# Check docker-compose.yml for certificate usage
echo -e "\n=== Docker-compose certificate references ==="
grep -n "certificate\|certs\|tls\|ssl" ror-fleet-example/docker-compose.yml -i | head -20

Length of output: 2138

🏁 Script executed:

#!/bin/bash

# Check if project README indicates this is demo/example
echo "=== Searching for 'example', 'demo', 'test' in project docs ==="
find ror-fleet-example -maxdepth 2 -name "README*" -o -name "*.md" | xargs grep -l "example\|demo\|development" 2>/dev/null || echo "No project-level documentation found"

# Check if any production deployment scripts exist
echo -e "\n=== Checking for production deployment patterns ==="
find ror-fleet-example -maxdepth 2 -type f \( -name "*prod*" -o -name "*production*" -o -name "deploy*" \) 2>/dev/null || echo "No production deployment files found"

# Look at run.sh to understand project purpose
echo -e "\n=== Project run.sh script ==="
cat ror-fleet-example/run.sh

Length of output: 2007

Add README.md to certs/ directory documenting certificate purpose and regeneration.

This is a demo/example project (evident from folder name, run.sh messaging, and docker-compose setup), but the certs/ directory lacks documentation. While the gen-cert.sh script demonstrates certificate generation and the localhost SANs confirm development-only use, new developers would benefit from explicit guidance:

  1. Create certs/README.md explaining these are example certificates for local development only
  2. Document the regeneration process: ./gen-cert.sh <service-name>
  3. Add warning that these certificates must not be used in production

The gen-cert.sh script already exists and is sufficient for regeneration; it only needs to be documented alongside a clear statement about the demo-only nature of these certificates.

🤖 Prompt for AI Agents 
In ror-fleet-example/certs/ (referencing elasticsearch.crt lines 1-29), there is
no README documenting these example certificates; add a certs/README.md that
states these are demo/local-development-only certificates (do not use in
production), documents how to regenerate using the existing script (e.g.,
./gen-cert.sh <service-name> and any required env/args), mentions the localhost
SANs used here, and points to gen-cert.sh for details and troubleshooting.

17 changes: 17 additions & 0 deletions ror-fleet-example/certs/elasticsearch.csr
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICqTCCAZECAQAwZDELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0G
A1UEBwwGTG9uZG9uMQ4wDAYDVQQKDAVCZXNodTELMAkGA1UECwwCSVQxFjAUBgNV
BAMMDWVsYXN0aWNzZWFyY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDaEX3NUSe7QrW8eGgQvKzujWw92BrVF9L5/UyKos/L4D7ISV8zrVNevvsCe8/4
Xehuc0rS+CbP9r/C95L2TtpP67vTcQTaUxaDq8uhuRn7sbqyXQB79P4KNNcvhDtQ
1oENOMYntYmvKNtVFFXUoYatmIqfL2GbtQ4IC5DAOsn3c796jQRELPHqqxpZOftU
GJfdfWEOjH0PCDZMPiCApf8q7zVcVYWM6swlOO7OztWJ+wh8GW04ovUCPqldOGA5
yxuUVECpz/tVi+ymhFEo3cNhpDVWBa321Y9aWPUySSnuMUbLFoEBrbtZFf5mdk+I
Yar/TdSCm3ktAW8Kyb7wU8fbAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAcOiM
XEBC9QNyFMO5DvU12moVjsge+I5DWHVbDHgha0puRLoJkzNVNT4ReaMXlX2nuaSy
dvk339m/irru7XpgYSVOBnbIyJq1TpE0P0c0pI0DCkFlP9n8utEPRS+2ZlW0rcWu
PySRxWxfdhUz+oMXjKDQ9Y7PR7AqSq5SAtOwRzQGWv0lRlfHS5aAnD7qrwcYhcBJ
gE/v7laHZUDgbgQsw1JZC7TPo0L84vTxOxUapl8Uy73z84MlQpaI2JO7bVSBWher
kP6A3HK1+L0YLVP9TXBtBStyI17+Ih/XlozZaw4k/HbedXopwnx3Hc93Z08TGxkq
3MmGB5A1Q4Cu1FZTsg==
-----END CERTIFICATE REQUEST-----
Comment thread
coutoPL marked this conversation as resolved.
28 changes: 28 additions & 0 deletions ror-fleet-example/certs/elasticsearch.key
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDaEX3NUSe7QrW8
eGgQvKzujWw92BrVF9L5/UyKos/L4D7ISV8zrVNevvsCe8/4Xehuc0rS+CbP9r/C
95L2TtpP67vTcQTaUxaDq8uhuRn7sbqyXQB79P4KNNcvhDtQ1oENOMYntYmvKNtV
FFXUoYatmIqfL2GbtQ4IC5DAOsn3c796jQRELPHqqxpZOftUGJfdfWEOjH0PCDZM
PiCApf8q7zVcVYWM6swlOO7OztWJ+wh8GW04ovUCPqldOGA5yxuUVECpz/tVi+ym
hFEo3cNhpDVWBa321Y9aWPUySSnuMUbLFoEBrbtZFf5mdk+IYar/TdSCm3ktAW8K
yb7wU8fbAgMBAAECggEAY0+8+cEAdbVbW+KADkNHBHtOtNmS2sI3WJdlgOvF88UE
AqX7n+bLRaZ3XTmyzJtD6+1AwdS2pFZtHacvfFIL9YLXruNVQPK/GacnHVdVwH1A
F9PoEQvRmCdZaq/vbZDLBBD7mYEBG87hGJ2iuyv20F9cnkNvUgDCS6KswQblDPaH
2krrI/WLQgjjXOXGtUUv3lUiFLq4h63KSggBWCid60Iz8SCpr0t52kj1GeTot8Cy
2CnCVG/6E9ysgwLDaGRXHuECbu9P0emzza4uGXDiEgUKE0dBqD877sCF+efQpPIO
lQfr5oi0y0ZRV2MFVAhuRsaJRaxWE4ctueHk1Zf+BQKBgQD4ySMT6ikt1LOxsqaS
EZ6doTaD4HC9mgQ98Ec3zOwmx3Chg0AIwwsIGBBkeOKLX1xecmudys9syvQapTVg
e6hNd94Xjr+MfkJi75bf/zRaAH2Ek3F2++IK1Wi5g/WJKfmiClT8mcR+RCbLTZXK
hyfLDyP1j+EXfb8WwQmP4T/V/QKBgQDgZFLgE9AYTPH2kAigZd8LxGJpFH1sTCnr
mz+9PoF2Vb5+RgA4ywNzOMMlT2QwkP5w3y+/I6F2YqSENuNMXJf7kqZ2/MNX0ED1
eJ9qvd0Ilh5qu6Dp9PGe3CxkTIs6ua/lXUkvBjuYIQ6sNt9sknZAXrvulSdopWxW
Nj2lLzoQtwKBgQCnaYpeS1N8kMZ/DG4EmzC2eBacNbsIC41RNNBn31EGY20Kcqzz
eHSC9NaLFcG08e3RbIO4ghKE7inHiGbbzzqZLtFX3upNG2WG+Bz6DNzot62/Ogy/
eY5JpgQ72m2u6H0gqn04Ii1Unn3Qjxv+VmbTwRN8ml5pFWgyYqIRnQz87QKBgBpQ
6b9J04/mBkKKZdiZ2ezBXWFBe+wlio0NKg6BtCEysSKSBxiiBoeO0qQfiXqApraK
FkluXlNKAk1XOpUMDu78JfWycx5rWBLx0JBuL+v/3xVZZ+fISEX/QF2K9JEwkcZu
iFSxgG+5AMWFsfJDwwaNlbDHYVXOgMQjnFsxDLhFAoGBANrPzTOz7mWHVRus8y55
cd19IqKuxt9L+mfhdF91Wqi44YK4Pt1vSb2FGhJvN+qgYj4jPHvUzUJibKKoJNRx
R6lbK3O+cWjFcDaD9OTTiTuOLlcBby/9Ew7b/RaeYgDpDgviEvVYpKoPBxNnu8+G
XZZHb7SsYO88UYl8YqiGc3pO
-----END PRIVATE KEY-----
Comment thread
coutoPL marked this conversation as resolved.
29 changes: 29 additions & 0 deletions ror-fleet-example/certs/fleet-server.crt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIE7TCCAtWgAwIBAgIUEXK4TshKPU+xCwDXGyHsG668NagwDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCUFQxDzANBgNVBAgMBkxpc2JvbjEPMA0GA1UEBwwGTGlz
Ym9uMRIwEAYDVQQKDAlNYXJpb25ldGUxCzAJBgNVBAsMAklUMRIwEAYDVQQDDAlt
YXJpb25ldGUwHhcNMjQxMjAxMTAyMzE4WhcNMzQxMTI5MTAyMzE4WjBnMQswCQYD
VQQGEwJQVDEPMA0GA1UECAwGTGlzYm9uMQ8wDQYDVQQHDAZMaXNib24xEjAQBgNV
BAoMCU1hcmlvbmV0ZTELMAkGA1UECwwCSVQxFTATBgNVBAMMDGZsZWV0LXNlcnZl
cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJNv3e+7HtPg6ShWuFz4
f8K70VjWTKLgwuXW3VO4VbIg2+x5pMT29dwfeyMwwP7ZCQrGxoyR65JHH+mnGygP
/axxxpkduxSMqTdQrRdUQ30gXTWbmhf33mOLQ5sMBYUVmaXy6V7eNsFHDlD5WuN/
6ro/MC2eyg7g9eAuFMKPmnaEWMBYGPY/iXGWC5O+r3JyyzGaVAfWzSJdMyJ/WmqO
2heBt5p8z2eUqM7uNorl7nKq4L2p4fczOYvjbiw94vwWd3n7OpKL85Y4Bs3PaHoG
bJWf3kjXnrREh7iOHzk4wMzb1URxuasWIau3vT6V7IwrFgLUdiaAkBOsAbgV5ib3
DA0CAwEAAaOBkzCBkDAiBgNVHREEGzAZggxmbGVldC1zZXJ2ZXKCCWxvY2FsaG9z
dDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwCwYDVR0PBAQDAgOoMB0G
A1UdDgQWBBTxU9yWEFMble7G8EPxm38YfdPd7jAfBgNVHSMEGDAWgBRSda45xZ5l
Pn0cpSjJIKfBmFcLyDANBgkqhkiG9w0BAQsFAAOCAgEAfIHR6rIuVpTeQRwB3ry/
TUjZ8hSQ/3NnDOTrOOCW0kkkJm1VVFgk6SSXXdFG1f3OFNESikKQscl9Oh4G3eUJ
Cek8l8haDoPmDnuYrwBj3nOB9OJfLKfaKQY44YKd6VRYC8QFewMlH9wwh7xzfiQc
Bh5Gm3QNIc1kOwVy12EIPFH7AE4z4yQA3PyHZvSIFXn7y7e/TCcRK7Q1d6hQMtXP
KQEA0fHADnGK4SWfJwOD+kx6S3HQHV995i14PyITs0N29ZYwC/y3DRP98Wbw7gzA
RUBld6WzNAXTjNqRiQq6hHdvzn3Cdqgi1NnPs0jSqIGFs9Wjyj/EzAHMj0MzxXTK
kN7Dakx6uZ0zxHaK2d7A7P1LpCSioQ9S1erVRt6UBi0ybCm9OAsRcuanVDj25lc2
z5qGla24aIHn3Op3JDaSOD/hZoanLK2P+EFS564dWDnK8lyjQnPlEMXRKnWHepgD
IhnmoOvBiKA8xkaIAqSAUtFpgFNa8ndLPTPDfyzd93XHwEesXhLO1Yc/enOJW+GX
L31rTxQ42U4y/LkDD6DAOHBK341rrY57NlZwqAWKPzyKZ3XCoeWOmoVoXGJLWC4b
pEnGGJ2Q/F82dYnnED0Nt9rzefQrMo2fq75gNcodKI3m8m8fBaGEZ/9bTZDqvL3H
95xkHgpW2k9aqdCI9MMsOUY=
-----END CERTIFICATE-----
Loading