The elastic-agent upgrade CLI command needs to require an uninstall token when Elastic Defend is installed #6356
Description
- Relates Add integration tests for upgrades that include endpoint security #4720
- Relates Allow DEB and RPM packages to supply an uninstall token when upgrading with Elastic Defend installed #6394
- Relates Elastic-Agents unexpectedly unenrolled after update to 8.16.x #6213
For Fleet managed agents that are running Elastic Defend, upgrading from the CLI does not send a signed upgrade action to Defend which is what allows Defend to upgrade without believing it is being tampered with. The tamper protection feature of Defend is based on all operations requiring a digital signature signed by a private key in Kibana. There is no way to provide a signed token for an upgrade on the CLI, so Defend legitimately believed it was being tampered with and orphaned from agent here.
Specifically using the CLI skips this block
To make the upgrade command work with tamper protection properly we'd have to allow it to accept an uninstall token to allow endpoint to unprotect itself for a CLI upgrade.
We could simply block CLI upgrades with endpoint, but we continue to preserve use of the upgrade CLI command as an escape hatch for when fleet upgrades are unavailable or broken for an unforeseen reason, and without making this change this escape hatch does not work properly for agents that run defend.
What is the definition of done?
- A test exists proving that the elastic-agent upgrade command can be used to upgrade Elastic Defend is installed without disabling tamper protection.
- The upgrade CLI command refuses to upgrade when defend is install and a tamper protection uninstall token is not provided.
- The documentation for the CLI is updated to indicate that an uninstall token is required in this situation.