Hello I was trying to setup mutual TLS between osquery and f osquery #kolide

Hello, I was trying to setup mutual TLS between os...

Wojtek

11/05/2020, 10:43 AM

Hello, I was trying to setup mutual TLS between osquery and fleet to setup automated deployment across hundreds of hosts only to realize this is not possible to do without giving the ossuary agent the shared secret. Is this correct understanding ? If so is it possible to setup known shared secret during fleet bootstrap so it can be used in my osquery deployment ? Thanks a lot for answers

sanjaykcse

11/05/2020, 11:20 AM

https://github.com/kolide/fleet/blob/master/docs/cli/file-format.md#enroll-secrets You can set a predefined enroll secret using fleetctl after fleet boots up .

Wojtek

11/05/2020, 11:32 AM

So I can create, secret.yaml for example with

Copy code

apiVersion: v1
kind: enroll_secret
spec:
  secrets:
  - active: true
    name: default
    secret: RzTlxPvugG4o4O5IKS/HqEDJUmI1hwBoffff
  - active: true
    name: new_one
    secret: reallyworks
  - active: false
    name: inactive_secret
    secret: thissecretwontwork!

and then run

Wojtek

11/05/2020, 11:32 AM

fleet -c secret.yaml serve ?

Wojtek

11/05/2020, 11:33 AM

Would this be additive with what I am running from env variables ?

sanjaykcse

11/05/2020, 11:45 AM

https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md

sanjaykcse

11/05/2020, 11:58 AM

Please start the fleet with same set of parameters. Once the fleet is up , you can change the secret to any desired value

Copy code

fleetctl config set --address <https://fleet.corp.example.com> :8080 --tls-skip-verify

fleetctl login 
put the below  in file and  modify it  


apiVersion: v1
kind: enroll_secret
spec:
  secrets:
  - active: true
    name: default
    secret: RzTlxPvugG4o4O5IKS/HqEDJUmI1hwBoffff
  - active: true
    name: new_one
    secret: reallyworks ------->>>>>>>>
  - active: false -------> true
    name: inactive_secret
    secret: thissecretwontwork!

fleetctl apply -f <filename>.yml

Wojtek

11/05/2020, 12:36 PM

Well the problem is I am running fleet in docker and I am trying to make this automated and avoid running any command unless they can be put in entry point.sh script before 'fleet serve' is run.

Wojtek

11/05/2020, 12:36 PM

Is there anything I can do ?

sundsta

11/05/2020, 4:44 PM

Your deployment flow could wait until Fleet is up and reporting healthy, and then kick off a job that provisions fleet with these configurations

Open in Slack

Previous Next