#kolide

Wojtek

11/05/2020, 10:43 AM
Hello, I was trying to set up mutual TLS between osquery and Fleet to set up automated deployment across hundreds of hosts, only to realize this is not possible to do without giving the osquery agent the shared secret. Is this a correct understanding? If so, is it possible to set up a known shared secret during Fleet bootstrap so it can be used in my osquery deployment? Thanks a lot for any answers.

sanjaykcse

11/05/2020, 11:20 AM
https://github.com/kolide/fleet/blob/master/docs/cli/file-format.md#enroll-secrets You can set a predefined enroll secret using fleetctl after Fleet boots up.

Wojtek

11/05/2020, 11:32 AM
So I can create secret.yaml, for example, with
apiVersion: v1
kind: enroll_secret
spec:
  secrets:
  - active: true
    name: default
    secret: RzTlxPvugG4o4O5IKS/HqEDJUmI1hwBoffff
  - active: true
    name: new_one
    secret: reallyworks
  - active: false
    name: inactive_secret
    secret: thissecretwontwork!
and then run
11:32 AM
fleet -c secret.yaml serve?
11:33 AM
Would this be additive with what I am running from env variables?
11:58 AM
Please start Fleet with the same set of parameters. Once Fleet is up, you can change the secret to any desired value:
fleetctl config set --address https://fleet.corp.example.com:8080 --tls-skip-verify

fleetctl login
Put the below in a file and modify it:


apiVersion: v1
kind: enroll_secret
spec:
  secrets:
  - active: true
    name: default
    secret: RzTlxPvugG4o4O5IKS/HqEDJUmI1hwBoffff
  - active: true
    name: new_one
    secret: reallyworks ------->>>>>>>>
  - active: false -------> true
    name: inactive_secret
    secret: thissecretwontwork!

fleetctl apply -f <filename>.yml

Wojtek

11/05/2020, 12:36 PM
Well, the problem is I am running Fleet in Docker and I am trying to make this automated and avoid running any commands unless they can be put in an entrypoint.sh script before 'fleet serve' is run.
12:36 PM
Is there anything I can do?
sundsta

11/05/2020, 4:44 PM
Your deployment flow could wait until Fleet is up and reporting healthy, and then kick off a job that provisions Fleet with these configurations.