Hey :fleet: ! I am about to switch over to gitops ...
# fleet
Hey fleet! I am about to switch over to a gitops-managed fleet and I have a couple of clarifying questions just before I do (don't want to break anything) - I'll put them in the 🧵!
• Agent Options
  ◦ If I don't set some `org_settings` in git, will this overwrite what is currently in config? For example `org_logo_url` or other `server_settings`.
• Policy and Software
  ◦ I currently have a software install policy managed via the UI. We have decided that, for private software packages, we would rather manage this via the UI.
  ◦ If I sync my policy without the `software_install` definition, will it overwrite the current policy?
  ◦ On a similar note, can I write a policy in gitops and then upload and apply the automation via the UI?
• Can RBAC (team access) be managed via GitOps?
• Looking at the `--dry-run` output:
[+] applying MDM profiles for team Testing (linux)
[+] applying 0 software packages for team Testing (linux)
[+] applying 0 app store apps for team Testing (linux)
[+] would've applied 1 teams
[+] syncing 4 policies
[!] gitops dry run succeeded
  ◦ What does "would've applied 1 teams" actually mean? I am not creating a new team; I am using the same name as one already defined.
• Agent Options
  ◦ I'm not sure without testing, but the intent is that gitops is declarative, so it should overwrite what is in the UI, even if you set the value in gitops as blank (indicating you want what is in the UI to be deleted). If you discover differently, please open a bug so we can track it. I've found a few pockets of this with webhooks recently that have since been addressed.
• Policy and Software
  ◦ Curious why you want to manage via the UI. You can always set secrets in your repo so URLs and other sensitive data are not exposed. See this as an example: https://github.com/fleetdm/fleet/blob/07486aef30bfad2e0208e750d457168a07fc9e4b/it-and-security/teams/workstations.yml#L14. Otherwise, gitops is supposed to be declarative, so it will overwrite or change anything in the UI that isn't defined in your yaml.
• RBAC
  ◦ No. None of the admin/user settings can be managed via GitOps today.
• --dry-run output
  ◦ The wording could be better, but this is just saying it's going to create the 1 team. Even though it's not a new team, it's highlighting how many teams are going to be created. There is a flag to prevent teams from being deleted if needed.
Thanks for this:
• Agent Options
  ◦ To clarify, I'm not setting an option as blank; I am just not adding in the other fields that show on `org_settings` when you pull the config. I am only using the "default" examples from the fleet repos.
  ◦ Ideally I don't want to test this in live, so I may wait until there is a clear answer or docs on what a migration to GitOps looks like. Great if you're doing this from scratch.
• Policy and Software
  ◦ Tested: it overwrites and even deletes the software that was uploaded via the UI.
  ◦ Reasons: We don't want to open up access to our package store, Nexus, as Fleet is internet accessible (so the hosts can communicate).
  ◦ This is specifically for private packages, e.g. ones protected by logging into a platform. In my case, CrowdStrike Falcon.
  ◦ Therefore, having to create a bucket to put software in, just for that to go directly to the software-installers bucket, makes no sense.
  ◦ Given it's declarative, it looks like this is a blocker to migrating to GitOps, for us.
  ◦ I'll raise an issue as a Feature Request - can we not just use the current S3 bucket for software installs and point the yaml to the S3 location? This seems way more lean and streamlined. You can even still use the UI to put the package into the bucket.
• --dry-run output
  ◦ So it looks like it's not going to create a team if it already exists, so for sure the wording here needs updating.