elastic
diff --git a/‎changelog/fragments/1715266075-Add-unprivileged-and-privileged-switch-commands.yaml
+34 b/‎changelog/fragments/1715266075-Add-unprivileged-and-privileged-switch-commands.yaml
+34
diff --git a/‎changelog/fragments/1716490302-Load-fleet.ssl.certificate_authorities-from-agent-policy.yaml
+35 b/‎changelog/fragments/1716490302-Load-fleet.ssl.certificate_authorities-from-agent-policy.yaml
+35
diff --git a/‎changelog/fragments/1716490372-Load-fleet.ssl.certificate-and-fleet.ssl.key-from-agent-policy.yaml
+32 b/‎changelog/fragments/1716490372-Load-fleet.ssl.certificate-and-fleet.ssl.key-from-agent-policy.yaml
+32
diff --git a/‎changelog/fragments/1717516439-Capture-early-errors-on-Windows.yaml
+32 b/‎changelog/fragments/1717516439-Capture-early-errors-on-Windows.yaml
+32
diff --git a/‎changelog/fragments/1718138001-Fix-possible-crash-in-reading-component-logs.yaml
+32 b/‎changelog/fragments/1718138001-Fix-possible-crash-in-reading-component-logs.yaml
+32
diff --git a/‎internal/pkg/agent/application/actions/handlers/handler_action_policy_change.go
+73-28 b/‎internal/pkg/agent/application/actions/handlers/handler_action_policy_change.go
+73-28
@@ -0,0 +1,34 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: Add unprivileged and privileged switch commands
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: |
+  Adds ability to switch between privileged and unprivileged mode using the privileged and unprivileged
+  subcommands respectively.
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component:
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/4621
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/ingest-dev/issues/2790
@@ -0,0 +1,35 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Load Certificate Authorities from Fleet policy
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: >
+  Loads Certificate Authorities (CA) from Fleet policy's key `fleet.ssl.certificate_authorities` and pass it to
+  elastic-agent HTTP client used for connecting to Fleet server. The CAs will be used to validate server or proxy certificates
+  presented when connecting to `HTTPs` endpoints.
+
+# Affected component; a word indicating the component this changeset affects.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/4770
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/2247
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Load fleet.ssl.certificate and fleet.ssl.key from agent policy
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; a word indicating the component this changeset affects.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/4770
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/2248
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Capture early errors on Windows in Application eventlog.
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; a word indicating the component this changeset affects.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/4846
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/4627
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug-fix
+
+# Change summary; a 80ish characters long description of the change.
+summary: Fix possible crash in reading component logs
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/4910
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/4907
@@ -18,6 +18,7 @@ import (
 
 	"github.com/elastic/elastic-agent-libs/logp"
 	"github.com/elastic/elastic-agent-libs/transport/httpcommon"
+	"github.com/elastic/elastic-agent-libs/transport/tlscommon"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/actions"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/info"
@@ -122,23 +123,33 @@ func (h *PolicyChangeHandler) Watch() <-chan coordinator.ConfigChange {
 	return h.ch
 }
 
-func (h *PolicyChangeHandler) validateFleetServerHosts(ctx context.Context, cfg *configuration.Configuration) (*remote.Config, error) {
+func (h *PolicyChangeHandler) validateFleetServerHosts(ctx context.Context, cfg *config.Config) (*remote.Config, error) {
 	// do not update fleet-server host from policy; no setters provided with local Fleet Server
 	if len(h.setters) == 0 {
 		return nil, nil
 	}
 
-	if clientEqual(h.config.Fleet.Client, cfg.Fleet.Client) {
+	parsedConfig, err := configuration.NewPartialFromConfigNoDefaults(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("parsing fleet config: %w", err)
+	}
+
+	if parsedConfig.Fleet == nil {
+		// there is no client config (weird)
+		return nil, nil
+	}
+
+	if clientEqual(h.config.Fleet.Client, parsedConfig.Fleet.Client) {
 		// already the same hosts
 		return nil, nil
 	}
 
-	// make a copy the current client config and apply the changes in place on this copy
+	// make a copy the current client config and apply the changes on this copy
 	newFleetClientConfig := h.config.Fleet.Client
-	updateFleetConfig(h.log, cfg.Fleet.Client, &newFleetClientConfig)
+	updateFleetConfig(h.log, parsedConfig.Fleet.Client, &newFleetClientConfig)
 
 	// Test new config
-	err := testFleetConfig(ctx, h.log, newFleetClientConfig, h.config.Fleet.AccessAPIKey)
+	err = testFleetConfig(ctx, h.log, newFleetClientConfig, h.config.Fleet.AccessAPIKey)
 	if err != nil {
 		return nil, fmt.Errorf("validating fleet client config: %w", err)
 	}
@@ -175,52 +186,82 @@ func testFleetConfig(ctx context.Context, log *logger.Logger, clientConfig remot
 	return nil
 }
 
-// updateFleetConfig copies the relevant Fleet client settings from src on dst. The destination struct is modified in-place
-func updateFleetConfig(log *logger.Logger, src remote.Config, dst *remote.Config) {
-	dst.Protocol = src.Protocol
-	dst.Path = src.Path
-	dst.Host = src.Host
-	dst.Hosts = src.Hosts
+// updateFleetConfig copies the relevant Fleet client settings from policyConfig on agentConfig. The destination struct is modified in-place
+func updateFleetConfig(log *logger.Logger, policyConfig remote.Config, agentConfig *remote.Config) {
+
+	// Hosts is the only connectivity field sent Fleet, let's clear everything else aside from Hosts
+	if len(policyConfig.Hosts) > 0 {
+		agentConfig.Hosts = make([]string, len(policyConfig.Hosts))
+		copy(agentConfig.Hosts, policyConfig.Hosts)
+
+		agentConfig.Host = ""
+		agentConfig.Protocol = ""
+		agentConfig.Path = ""
+	}
 
 	// Empty proxies from fleet are ignored. That way a proxy set by --proxy-url
 	// it won't be overridden by an absent or empty proxy from fleet-server.
 	// However, if there is a proxy sent by fleet-server, it'll take precedence.
 	// Therefore, it's not possible to remove a proxy once it's set.
 
-	if src.Transport.Proxy.URL == nil ||
-		src.Transport.Proxy.URL.String() == "" {
-		log.Debug("proxy from fleet is empty or null, the proxy will not be changed")
+	if policyConfig.Transport.Proxy.URL == nil ||
+		policyConfig.Transport.Proxy.URL.String() == "" {
+		log.Debugw("proxy from fleet is empty or null, the proxy will not be changed", "current_proxy", agentConfig.Transport.Proxy.URL)
 	} else {
+		log.Debugw("received proxy from fleet, applying it", "old_proxy", agentConfig.Transport.Proxy.URL, "new_proxy", policyConfig.Transport.Proxy.URL)
 		// copy the proxy struct
-		dst.Transport.Proxy = src.Transport.Proxy
+		agentConfig.Transport.Proxy = policyConfig.Transport.Proxy
 
-		// replace in dst the attributes that are passed by reference within the proxy struct
+		// replace in agentConfig the attributes that are passed by reference within the proxy struct
 
 		// Headers map
-		dst.Transport.Proxy.Headers = map[string]string{}
-		for k, v := range src.Transport.Proxy.Headers {
-			dst.Transport.Proxy.Headers[k] = v
+		agentConfig.Transport.Proxy.Headers = map[string]string{}
+		for k, v := range policyConfig.Transport.Proxy.Headers {
+			agentConfig.Transport.Proxy.Headers[k] = v
 		}
 
 		// Proxy URL
-		urlCopy := *src.Transport.Proxy.URL
-		dst.Transport.Proxy.URL = &urlCopy
+		urlCopy := *policyConfig.Transport.Proxy.URL
+		agentConfig.Transport.Proxy.URL = &urlCopy
+	}
+
+	if policyConfig.Transport.TLS != nil {
+
+		tlsCopy := tlscommon.Config{}
+		if agentConfig.Transport.TLS != nil {
+			// copy the TLS struct
+			tlsCopy = *agentConfig.Transport.TLS
+		}
+
+		if policyConfig.Transport.TLS.Certificate == emptyCertificateConfig() {
+			log.Debug("TLS certificates from fleet are empty or null, the TLS config will not be changed")
+		} else {
+			tlsCopy.Certificate = policyConfig.Transport.TLS.Certificate
+			log.Debug("received TLS certificate/key from fleet, applying it")
+		}
 
-		log.Debug("received proxy from fleet, applying it")
+		if len(policyConfig.Transport.TLS.CAs) == 0 {
+			log.Debug("TLS CAs from fleet are empty or null, the TLS config will not be changed")
+		} else {
+			tlsCopy.CAs = make([]string, len(policyConfig.Transport.TLS.CAs))
+			copy(tlsCopy.CAs, policyConfig.Transport.TLS.CAs)
+			log.Debug("received TLS CAs from fleet, applying it")
+		}
+
+		agentConfig.Transport.TLS = &tlsCopy
 	}
 }
 
-func (h *PolicyChangeHandler) handlePolicyChange(ctx context.Context, c *config.Config) (err error) {
-	cfg, err := configuration.NewFromConfig(c)
-	if err != nil {
-		return errors.New(err, "could not parse the configuration from the policy", errors.TypeConfig)
-	}
+func emptyCertificateConfig() tlscommon.CertificateConfig {
+	return tlscommon.CertificateConfig{}
+}
 
+func (h *PolicyChangeHandler) handlePolicyChange(ctx context.Context, c *config.Config) (err error) {
 	var validationErr error
 
 	// validate Fleet connectivity with the new configuration
 	var validatedConfig *remote.Config
-	validatedConfig, err = h.validateFleetServerHosts(ctx, cfg)
+	validatedConfig, err = h.validateFleetServerHosts(ctx, c)
 	if err != nil {
 		validationErr = goerrors.Join(validationErr, fmt.Errorf("validating Fleet client config: %w", err))
 	}
@@ -355,6 +396,10 @@ func clientEqual(k1 remote.Config, k2 remote.Config) bool {
 		return false
 	}
 
+	if k1.Host != k2.Host {
+		return false
+	}
+
 	sort.Strings(k1.Hosts)
 	sort.Strings(k2.Hosts)
 	if len(k1.Hosts) != len(k2.Hosts) {