Is there a way to set the `enroll_secret` in flee...
# fleet
a
Is there a way to set the `enroll_secret` in fleet’s helm charts? If not, suppose we want to change the `enroll_secret` for a new deployment to set it to an old one that many devices use. Is it enough to go into the mysql database and change the default one in the `enroll_secrets` database?
Just found out I can add/edit/delete them from the front-end. Was a rabbit hole that helped me understand fleet more, lol.
k
Nice! Enroll secrets can also be set using an enroll_secret yaml and `fleetctl apply`: https://fleetdm.com/docs/configuration/configuration-files#enroll-secrets
a
I’m wondering how one can retrieve old and invalid secrets that, let’s say, some devices are using to enrol? Following scenario: You have a fleet of devices enrolled. You lose your database and set up a new one. These devices try to enrol to no avail. The fleet pod logs the errors with access denied but doesn’t say which secret is used to enrol. You want to find out this secret to add it to your fleet since you don’t want to go through the hassle of reconfiguring all the devices.
k
What I'd recommend doing in general is using that yaml to apply and track secrets. That way, if you do lose your database, you can just apply the yaml again and your secrets will carry over. Coincidentally, I do have it on my TODO list to put together a Feature Request for making it easier to identify the host when there's an issue with enrollment or communication with fleetd or osquery, partially related to this scenario. I'll make sure I work this scenario in to that as well.
a
I’ve deployed fleet per the helm charts on k8s and I haven’t found a place where one could add arbitrary. I have of course the option to use fleetctl and apply a yaml config and commit it somewhere, but since the deployment is per ArgoCD, where I already track all the deployment, this wouldn’t be of much help. Any suggestions on how this could be done in my scenario?