# fleet
m
Does the `FLEET_SERVER_CERT` config only accept paths to the cert? Does it also accept the full cert itself set in the ENV var? Heroku does not allow persisting files in their directory I think, so it is not possible to put it into a path.
z
It expects the path to the cert. For deploying on Heroku, I'd think you might want to have Heroku terminate TLS and run Fleet with `FLEET_SERVER_TLS=FALSE`.
Alternatively, maybe you could do something like `echo "$CERT_VALUE" > cert.pem && fleet serve`?
m
If I do `FLEET_SERVER_TLS=FALSE`, then I’ll lose the security between the osqueryd and the fleet back-end?
If I do the echo approach, that would go in the Procfile?
z
echo approach would go in the Procfile, yeah
Turning off TLS on the Fleet server would only work if Heroku can terminate TLS (which is very common to do with a load balancer).
It's a bit hard to tell from the Heroku docs, but I think you'd just be able to turn on SSL on Heroku and leave it off on the Fleet server. This would effectively have Heroku terminating TLS like a load balancer.
m
yeah I think all requests to a Heroku server get put through their load balancer.
cool I will try that…
z
I suspect their load balancer would then send plain HTTP requests to the Fleet server. If that's the case, you can turn off the TLS termination in Fleet.
m
yup that’s exactly it.
z
That's how most of our reference implementations work.