Apply mTLS config from policy

[pchila]

What does this PR do?

This PR implements reading and applying TLS configuration for Fleet client using CA, certificate and key included in Fleet policy.

This PR:

• includes unit tests ported from Read and apply mTLS config from policy #4398,
• reimplements the solution of Read and apply mTLS config from policy #4398 to adapt it to the new structure of internal/pkg/agent/application/actions/handlers/handler_action_policy_change.go
• modifies mock fleet server to support SSL configuration
• Add integration tests for both TLS and mTLS usecases using custom CAs

Note to reviewers: refactor of ProxyURL integration tests has been moved to PR #4813 , so for initial review you can have a look at this set of commits or wait till PR #4813 is merged and this PR rebased onto the new main

Why is it important?

Configuring TLS via the policy allows agent to connect to Fleet (possibly via a proxy) using custom CAs or enabling mTLS (certificate verification of both the client and the server).

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• I have added an integration test or an E2E test

Disruptive User Impact

How to test this PR locally

In order to test this PR we need:

• fleet server or proxy with TLS (or mTLS) configured using custom CAs and certificates signed by such CAs (left as exercise to the reader)
• Make sure that the agent can connect to fleet for enrolling without custom CAs or certificates.
• enroll agent with a simple policy
• Add Custom CAs and or key + certificates for the agent to use along with a new URL (maybe a proxy) pointing to where TLS has been configured.
• Verify that the agent can connect correctly using CAs (and Certificate/Key in case of mTLS)

Related issues

• Supersedes Read and apply mTLS config from policy #4398
• Requires Add TLS support for proxytest #4745
• Requires Refactor ProxyURL integration tests #4813
• Closes Load fleet.ssl.certificate_authorities from agent policy #2247
• Closes Load fleet.ssl.certificate and fleet.ssl.key from agent policy #2248

Questions to ask yourself

• How are we going to support this in production?
• How are we going to measure its adoption?
• How are we going to debug this?
• What are the metrics I should take care of?
• ...

---

[mergify]

This pull request does not have a backport label. Could you fix it @pchila? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b apply-mTLS-config-from-policy upstream/apply-mTLS-config-from-policy
git merge upstream/main
git push upstream apply-mTLS-config-from-policy

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[elastic-sonarqube]

Quality Gate passed

Issues
2 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
93.5% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[ycombinator]

IIUC, mTLS (Agent presenting a certificate to Fleet Server / proxy) is a new feature, so this should probably be feature or enhancement?

Suggested change

	kind: bug-fix
	kind: feature

[pchila]

Issue #2247 is flagged as bug so I put this as bug-fix... this changelog is related to reading Certificate Authorities from fleet policy, the other fragment is for presenting a certificate to Fleet server.

The other fragment is also flagged as bug-fix but that one is pointing to #2248 which is labeled as enhancement

[ycombinator]

Ha, I think both should be enhancements but this is probably best decided by @nimarezainia.

[ycombinator]

Could we rephrase this in more end-user-friendly terms?