Ist there a way to set the

enroll_secret

in fleet’s helm charts? If not, suppose we want to change the

enroll_secret

for a new deployment to set it to an old one that many devices use. Is it enough to go into the mysql database and change the default one in the

enroll_secrets

database?

Nice! Enroll secrets can also be set using an enroll_secret yaml and `fleetctl apply`: https://fleetdm.com/docs/configuration/configuration-files#enroll-secrets

I’m wondering how one can retrieve old and invalid secrets that let’s say some devices are using to enrol? Following scenario: You have fleet of devices enrolled. You lose your database and setup a new one. These devices try to enrol to no avail. The fleet pod logs the errors with access denied but doesn’t say which secret is used to enrol. You want to find out this secret to add it to your fleet since you don’t want to go through the hassle of reconfiguring all the devices.

What I'd recommend doing in general is using that yaml to apply and track secrets. That way, if you do lose your database, you can just apply the yaml again and your secrets will carry over. Coincidentally, I do have it on my TODO list to put together a Feature Request for making it easier to identify the host when there's an issue with enrollment or communication with fleetd or osquery, partially related to this scenario. I'll make sure I work this scenario in to that as well.

I’ve deployed fleet per the helm charts on k8s and I haven’t found a place where one could add arbitrary. I have of course the option to use fleetctl and apply a yaml config and commit it somewhere but since the deployment is per ArgoCD where I already track all the deployment this wouldn’t be of much help. Any suggestions on how this could be done in my scenario?