# fleet
j
We are looking at deploying fleet on our internal Kubernetes but would like the database on AWS RDS Aurora. Has anyone done this and if so could they share how they achieved it? We are not sure how we refer fleet to the AWS database. We can use IRSA for authentication etc. but we are not sure how to point fleet to the AWS DB.
k
Hi @John Healy! You can specify your MySQL database in the Fleet configuration: https://fleetdm.com/docs/deploying/configuration#my-sql
j
Thanks @Kathy Satterlee. Would the below likely work? Do we need to refer to the AWS RDS database besides this in our code? For example, we will have helm charts for the web-app and Redis, but do we need to reference the AWS database as a dependency there also?
database:
  host: <AMAZON_RDS_ENDPOINT>
  port: 3306
  driverClass: 
  dbScheme:
  dbUseSSL: true
  databaseName: <RDS_DATABASE_NAME>
  auth:
    database: <RDS_DATABASE_USERNAME>
    username: <RDS_DATABASE_PW>
Or perhaps I am missing something here @Kathy Satterlee
b
hey @John Healy, the helm chart that defines how to deploy fleet will need RDS endpoint, username, and password added as environment variables: https://fleetdm.com/docs/deploying/server-installation#deploying-fleet-on-kubernetes notice:
- name: FLEET_MYSQL_ADDRESS
  valueFrom:
    secretKeyRef:
      name: fleet_secrets
      key: mysql_address
- name: FLEET_MYSQL_DATABASE
  valueFrom:
    secretKeyRef:
      name: fleet_secrets
      key: mysql_database
- name: FLEET_MYSQL_PASSWORD
  valueFrom:
    secretKeyRef:
      name: fleet_secrets
      key: mysql_password
- name: FLEET_MYSQL_USERNAME
  valueFrom:
    secretKeyRef:
      name: fleet_secrets
      key: mysql_username
j
Thanks @Benjamin Edwards So we have a charts.yaml file that defines the other chart components, so we add the RDS details on there similar to the below?
apiVersion: v2
name: fleetdm
description: For deploying fleet to Kanopy
type: application
version: 0.1.0
appVersion: "4.19.1"

dependencies:
- name: web-app
  alias: server
  version: "4.12.0"
  repository: https://10gen.github.io/helm-charts

- name: redis
  alias: cache
  version: "17.0.10"
  repository: https://charts.bitnami.com/bitnami

- name: FLEET_MYSQL_ADDRESS
  valueFrom:
    secretKeyRef:
    name: fleet_secrets
    key: mysql_address
- name: FLEET_MYSQL_DATABASE
  valueFrom:
    secretKeyRef:
      name: fleet_secrets
      key: mysql_database
- name: FLEET_MYSQL_PASSWORD
  valueFrom:
    secretKeyRef:
      name: fleet_secrets
      key: mysql_password
- name: FLEET_MYSQL_USERNAME
   valueFrom:
      secretKeyRef:
        name: fleet_secrets
        key: mysql_username
We also have our production.yaml so can we just remove reference to the AWS SQL DB here since it is already in the charts.yaml file?
server:
  image:
    repository: fleetdm/fleet
    tag: v4.19.1

  command:
  - /bin/sh
  - -c
  - fleet prepare --no-prompt=true db; exec fleet serve

  env:
    FLEET_MYSQL_ADDRESS: taka
    FLEET_REDIS_ADDRESS: fleetdm-cache-master:6379
    FLEET_SERVER_TLS: "false"
    FLEET_LOGGING_DEBUG: "true"

  envSecrets:
    FLEET_MYSQL_DATABASE: taka
    FLEET_MYSQL_PASSWORD: taka
    FLEET_MYSQL_USERNAME: taka
 

  ingress:
    enabled: true
    hosts:
      - fleet.infosec.prod.corp.mongodb.com
  
  replicaCount: 1
  
  services:
  - name: http
    ingress: true
    type: ClusterIP
    port: 80
    targetPort: 8080

  resources:
    requests:
      cpu: 500m
      memory: 512Mi

database:
  auth:
    database: fleet
    username: fleet
    existingSecret: taka
    
  primary:
    persistence:
      enabled: true
      size: 20Gi
    
cache:
  architecture: standalone
  persistence:
    enabled: false
  auth:
    enabled: false
f
https://osquery.slack.com/archives/C01DXJL16D8/p1674467114543869?thread_ts=1674044872.730929&cid=C01DXJL16D8
Seems like charts.yaml doesn’t like this when deploying
Error: cannot load Chart.yaml: error converting YAML to JSON: yaml: line 35: mapping values are not allowed in this context
while executing *run.DepUpdate step: exit status 1
Should this be under the Dependencies section?
- name: FLEET_MYSQL_ADDRESS
  valueFrom:
    secretKeyRef:
      name: fleet_secrets
      key: mysql_address
- name: FLEET_MYSQL_DATABASE
  valueFrom:
    secretKeyRef:
      name: fleet_secrets
      key: mysql_database
- name: FLEET_MYSQL_PASSWORD
  valueFrom:
    secretKeyRef:
      name: fleet_secrets
      key: mysql_password
- name: FLEET_MYSQL_USERNAME
  valueFrom:
    secretKeyRef:
      name: fleet_secrets
      key: mysql_username
j
@Benjamin Edwards and @Kathy Satterlee Any advice here for this error?
Possibly indentation issue as per here?