:wave: I'm looking for help enrolling osquery agen...
# kolidec
crimsonknave
04/07/2020, 6:49 PM👋 I'm looking for help enrolling osquery agents into fleet via TLS client certificates. I filed https://github.com/kolide/fleet/issues/2208 a few weeks ago as directed in https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md, but haven't heard anything.
d
DG
04/07/2020, 7:28 PMI know little - but decided to toss something that someone could correct me later on - in the tls common there is an integer that specifies how the server should behave
👍 1
DG
04/07/2020, 7:28 PMtype ClientAuthType int ClientAuthType declares the policy the server will follow for TLS Client Authentication. const ( NoClientCert ClientAuthType = iota RequestClientCert RequireAnyClientCert VerifyClientCertIfGiven RequireAndVerifyClientCert )
DG
04/07/2020, 7:28 PMthat enumeration list on ClientAuthType is taken from the go version -> src/pkg/crypto/tls/common.go
z
zwass
04/07/2020, 7:45 PM
I replied to your issue there.
d
DG
04/07/2020, 7:46 PMSo never found that file, went to mysql checked a few tables and not saved in DB as far as i can tell.. so I am glad someone else understands this better : )
DG
04/07/2020, 7:48 PMThat suggestion of a proxy is a really good option - enough trying to help for me, back to lunch. Thank you @zwass was curious of the answer.
z
zwass
04/07/2020, 7:48 PM
If someone sets it up using a proxy, please blog about it so we can all learn!
c
crimsonknave
04/07/2020, 7:56 PMThanks, I'll take a look and see if it's worth it to set the proxy up.
d
defensivedepth
04/07/2020, 7:56 PMI think you could setup the client auth with nginx somewhat easily (https://jason.whitehorn.us/blog/2019/02/01/client-certificate-auth-with-nginx/), and then reverse proxy it to Fleet --> https://defensivedepth.com/2020/04/02/kolide-fleet-breaking-out-the-osquery-api-web-ui/
c
crimsonknave
04/07/2020, 7:56 PMIt might make sense to update the doc that says to file an issue and just note that it's not supported at this time.
d
defensivedepth
04/07/2020, 7:58 PMbtw, I never trust someone who says you can do it "this way, its easy!" ---> It never ends up being "easy" 😉
🤣 1
8bitfire 2
z
zwass
04/07/2020, 8:00 PM
Put up a PR to update the docs.
d
DG
04/07/2020, 8:10 PMSee i was thinking the $$ money way - F5 + APM or iRule
DG
04/07/2020, 8:11 PMI like when open source leads to open source and the community as a whole is enriched. Been loving those in these slacks