Allow DEB and RPM packages to supply an uninstall token when upgrading with Elastic Defend installed

[cmacknz]

• Relates The elastic-agent upgrade CLI command needs to require an uninstall token when Elastic Defend is installed #6356
• Relates Add integration tests for upgrades that include endpoint security #4720

Describe the enhancement:

For Fleet managed agents that are running Elastic Defend, upgrading the RPM or DEB packages does not send a signed upgrade action to Defend which is what allows Defend to upgrade without believing it is being tampered with. The tamper protection feature of Defend is based on all operations requiring a digital signature signed by a private key in Kibana. There is no way to provide a signed token for DEB or RPM upgrades, so Defend legitimately believes it was being tampered with and orphaned from agent here.

Specifically using the CLI skips this block

elastic-agent/internal/pkg/agent/application/actions/handlers/handler_action_upgrade.go

Lines 58 to 74 in 54932dc

	if h.tamperProtectionFn() {
	// Find inputs that want to receive UPGRADE action
	// Endpoint needs to receive a signed UPGRADE action in order to be able to uncontain itself
	state := h.coord.State()
	ucs := findMatchingUnitsByActionType(state, a.Type())
	if len(ucs) > 0 {
	h.log.Debugf("handlerUpgrade: proxy/dispatch action '%+v'", a)
	err := notifyUnitsOfProxiedAction(ctx, h.log, action, ucs, h.coord.PerformAction)
	h.log.Debugf("handlerUpgrade: after action dispatched '%+v', err: %v", a, err)
	if err != nil {
	return err
	}
	} else {
	// Log and continue
	h.log.Debugf("No components running for %v action type", a.Type())
	}
	}

To make the upgrade command work with tamper protection properly we'd have to allow it to accept an uninstall token to allow endpoint to unprotect itself for a CLI upgrade.

Describe a specific use case for the enhancement or feature:

Upgrading an Elastic Agent installed with either the RPM or DEB packages when Elastic Defend is used. Without this change, the only way to upgrade in this situation is to temporarily disable tamper protection.

What is the definition of done?

• Tests exists proving that the RPM and DEB packages can be upgraded when Elastic Defend is installed without disabling tamper protection.
• These packages types can ideally indicate to users that they should supply an uninstall token when defend is installed.
• The documentation for the RPM and DEB packages is updated to indicate that an uninstall token is required in this situation.

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[intxgo]

@cmacknz what about msi and Tamper Protection?

I forgot, msi accepts INSATLLARGS, example here https://discuss.elastic.co/t/installing-elastic-agent-with-gpo/364659/

Furthermore, the variables table of msi can be edited, so we can embed any argument. @gabriellandau already made a nice PS script https://gist.github.com/gabriellandau/b838192eefd81fc53816f4e973a026d0