Does the config only accept paths to the cert? Does it also accept the full cert itself set in the ENV var? Heroku does not allow persisting files in their directory I think, so it is not possible to put it into a path.
It expects the path to the cert. For deploying on Heroku, I'd think you might want to have Heroku terminate TLS and run Fleet with
Alternatively, maybe you could do something like
echo "$CERT_VALUE" > cert.pem && fleet serve
If I do FLEET_SERVER_TLS=FALSE, then I’ll lose the security between the osqueryd and the Fleet back-end?
If I do the echo approach, that would go in the Procfile?
echo approach would go in the Procfile, yeah
Turning off TLS on the Fleet server would only work if Heroku can terminate TLS (which is very common to do with a load balancer).
It's a bit hard to tell from the Heroku docs, but I think you'd just be able to turn on SSL on Heroku and leave it off on the Fleet server. This would effectively have Heroku terminating TLS like a load balancer.
yeah I think all requests to a Heroku server get put through their load balancer.
cool I will try that…
I suspect their load balancer would then send plain HTTP requests to the Fleet server. If that's the case, you can turn off the TLS termination in Fleet.
yup that’s exactly it.
That's how most of our reference implementations work.