Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
w
Wojtek
11/05/2020, 10:43 AMHello, I was trying to setup mutual TLS between osquery and fleet to setup automated deployment across hundreds of hosts only to realize this is not possible to do without giving the ossuary agent the shared secret. Is this correct understanding ? If so is it possible to setup known shared secret during fleet bootstrap so it can be used in my osquery deployment ? Thanks a lot for answers
s
sanjaykcse
11/05/2020, 11:20 AMhttps://github.com/kolide/fleet/blob/master/docs/cli/file-format.md#enroll-secrets
You can set a predefined enroll secret using fleetctl after fleet boots up .
w
Wojtek
11/05/2020, 11:32 AMSo I can create, secret.yaml for example with
apiVersion: v1
kind: enroll_secret
spec:
secrets:
- active: true
name: default
secret: RzTlxPvugG4o4O5IKS/HqEDJUmI1hwBoffff
- active: true
name: new_one
secret: reallyworks
- active: false
name: inactive_secret
secret: thissecretwontwork!fleet -c secret.yaml serve ?
Would this be additive with what I am running from env variables ?
s
sanjaykcse
11/05/2020, 11:45 AMPlease start the fleet with same set of parameters. Once the fleet is up , you can change the secret to any desired value
fleetctl config set --address <https://fleet.corp.example.com> :8080 --tls-skip-verify
fleetctl login
put the below in file and modify it
apiVersion: v1
kind: enroll_secret
spec:
secrets:
- active: true
name: default
secret: RzTlxPvugG4o4O5IKS/HqEDJUmI1hwBoffff
- active: true
name: new_one
secret: reallyworks ------->>>>>>>>
- active: false -------> true
name: inactive_secret
secret: thissecretwontwork!
fleetctl apply -f <filename>.ymlw
Wojtek
11/05/2020, 12:36 PMWell the problem is I am running fleet in docker and I am trying to make this automated and avoid running any command unless they can be put in entry point.sh script before 'fleet serve' is run.
Is there anything I can do ?
s
sundsta
11/05/2020, 4:44 PMYour deployment flow could wait until Fleet is up and reporting healthy, and then kick off a job that provisions fleet with these configurations