Add support for packaging certificates

- Refactor update initialization
2026-05-24 01:18:42 +00:00 · 2021-02-25 12:38:21 -08:00 · 2021-02-25 12:38:21 -08:00 · a22eb16845
commit a22eb16845
parent bb6a785309
5 changed files with 72 additions and 39 deletions
--- a/cmd/package/package.go
+++ b/cmd/package/package.go
@ -38,6 +38,11 @@ func main() {
 			Usage:       "URL (host:port) of Fleet server",
 			Destination: &opt.FleetURL,
 		},
+		&cli.StringFlag{
+			Name:        "fleet-certificate",
+			Usage:       "Path to server cerificate bundle",
+			Destination: &opt.FleetCertificate,
+		},
 		&cli.StringFlag{
 			Name:        "identifier",
 			Usage:       "Identifier for package product",
--- a/pkg/packaging/deb.go
+++ b/pkg/packaging/deb.go
@ -9,7 +9,6 @@ import (

 	"github.com/fleetdm/orbit/pkg/constant"
 	"github.com/fleetdm/orbit/pkg/update"
-	"github.com/fleetdm/orbit/pkg/update/filestore"
 	"github.com/goreleaser/nfpm/v2"
 	"github.com/goreleaser/nfpm/v2/deb"
 	"github.com/goreleaser/nfpm/v2/files"
@ -38,28 +37,17 @@ func BuildDeb(opt Options) error {

 	// Initialize autoupdate metadata

-	localStore, err := filestore.New(filepath.Join(orbitRoot, "tuf-metadata.json"))
-	if err != nil {
-		return errors.Wrap(err, "failed to create local metadata store")
-	}
 	updateOpt := update.DefaultOptions
-	updateOpt.RootDirectory = orbitRoot
-	updateOpt.ServerURL = "https://tuf.fleetctl.com"
-	updateOpt.LocalStore = localStore
 	updateOpt.Platform = "linux"
+	updateOpt.RootDirectory = orbitRoot

-	updater, err := update.New(updateOpt)
-	if err != nil {
-		return errors.Wrap(err, "failed to init updater")
+	// TODO these should be configurable
+	updateOpt.ServerURL = "https://tuf.fleetctl.com"
+	osqueryChannel, orbitChannel := "stable", "stable"
+
+	if err := initializeUpdates(updateOpt, osqueryChannel, orbitChannel); err != nil {
+		return errors.Wrap(err, "initialize updates")
 	}
-	if err := updater.UpdateMetadata(); err != nil {
-		return errors.Wrap(err, "failed to update metadata")
-	}
-	osquerydPath, err := updater.Get("osqueryd", "stable")
-	if err != nil {
-		return errors.Wrap(err, "failed to get osqueryd")
-	}
-	log.Debug().Str("path", osquerydPath).Msg("got osqueryd")

 	// Write files

@ -161,7 +149,7 @@ After=network.service syslog.service
 [Service]
 TimeoutStartSec=0
 EnvironmentFile=/etc/default/orbit
-ExecStart=/usr/local/bin/orbit
+ExecStart=/var/lib/orbit/orbit
 Restart=on-failure
 KillMode=control-group
 KillSignal=SIGTERM
@ -181,6 +169,7 @@ WantedBy=multi-user.target
 var envTemplate = template.Must(template.New("env").Parse(`
 {{- if .Insecure }}ORBIT_INSECURE=true{{ end }}
 {{ if .FleetURL }}ORBIT_FLEET_URL={{.FleetURL}}{{ end }}
+{{ if .FleetCertificate }}ORBIT_FLEET_CERTIFICATE=/var/lib/orbit/fleet.pem{{ end }}
 {{ if .EnrollSecret }}ORBIT_ENROLL_SECRET={{.EnrollSecret}}{{ end }}
 `))

--- a/pkg/packaging/macos.go
+++ b/pkg/packaging/macos.go
@ -11,7 +11,6 @@ import (

 	"github.com/fleetdm/orbit/pkg/constant"
 	"github.com/fleetdm/orbit/pkg/update"
-	"github.com/fleetdm/orbit/pkg/update/filestore"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 )
@ -41,28 +40,17 @@ func BuildPkg(opt Options) error {

 	// Initialize autoupdate metadata

-	localStore, err := filestore.New(filepath.Join(orbitRoot, "tuf-metadata.json"))
-	if err != nil {
-		return errors.Wrap(err, "failed to create local metadata store")
-	}
 	updateOpt := update.DefaultOptions
-	updateOpt.RootDirectory = orbitRoot
-	updateOpt.ServerURL = "https://tuf.fleetctl.com"
-	updateOpt.LocalStore = localStore
 	updateOpt.Platform = "macos"
+	updateOpt.RootDirectory = orbitRoot

-	updater, err := update.New(updateOpt)
-	if err != nil {
-		return errors.Wrap(err, "failed to init updater")
+	// TODO these should be configurable
+	updateOpt.ServerURL = "https://tuf.fleetctl.com"
+	osqueryChannel, orbitChannel := "stable", "stable"
+
+	if err := initializeUpdates(updateOpt, osqueryChannel, orbitChannel); err != nil {
+		return errors.Wrap(err, "initialize updates")
 	}
-	if err := updater.UpdateMetadata(); err != nil {
-		return errors.Wrap(err, "failed to update metadata")
-	}
-	osquerydPath, err := updater.Get("osqueryd", "stable")
-	if err != nil {
-		return errors.Wrap(err, "failed to get osqueryd")
-	}
-	log.Debug().Str("path", osquerydPath).Msg("got osqueryd")

 	// Write files

@ -83,6 +71,11 @@ func BuildPkg(opt Options) error {
 			return errors.Wrap(err, "write launchd")
 		}
 	}
+	if opt.FleetCertificate != "" {
+		if err := writeCertificate(opt, orbitRoot); err != nil {
+			return errors.Wrap(err, "write fleet certificate")
+		}
+	}
 	if err := copyFile(
 		"./orbit",
 		filepath.Join(orbitRoot, "bin", "orbit", "macos", "current", "orbit"),
@ -210,6 +203,17 @@ func writeDistribution(opt Options, rootPath string) error {
 	return nil
 }

+func writeCertificate(opt Options, orbitRoot string) error {
+	// Fleet TLS certificate
+	dstPath := filepath.Join(orbitRoot, "fleet.pem")
+
+	if err := copyFile(opt.FleetCertificate, dstPath, 0644); err != nil {
+		return errors.Wrap(err, "write orbit")
+	}
+
+	return nil
+}
+
 // xarBom creates the actual .pkg format. It's a xar archive with a BOM (Bill of
 // materials?). See http://bomutils.dyndns.org/tutorial.html.
 func xarBom(opt Options, rootPath string) error {
--- a/pkg/packaging/macos_templates.go
+++ b/pkg/packaging/macos_templates.go
@ -70,6 +70,7 @@ var macosLaunchdTemplate = template.Must(template.New("").Option("missingkey=err
    <dict>
      {{ if .Insecure }}<key>ORBIT_INSECURE</key><string>true</string>{{ end }}
      {{ if .FleetURL }}<key>ORBIT_FLEET_URL</key><string>{{.FleetURL}}</string>{{ end }}
+      {{ if .FleetCertificate }}<key>ORBIT_FLEET_CERTIFICATE</key><string>/var/lib/orbit/fleet.pem</string>{{ end }}
      {{ if .EnrollSecret }}<key>ORBIT_ENROLL_SECRET_PATH</key><string>/var/lib/orbit/secret</string>{{ end }}
    </dict>
    <key>KeepAlive</key><true/>
--- a/pkg/packaging/packaging.go
+++ b/pkg/packaging/packaging.go
@ -6,7 +6,10 @@ import (
 	"os"
 	"path/filepath"

+	"github.com/fleetdm/orbit/pkg/update"
+	"github.com/fleetdm/orbit/pkg/update/filestore"
 	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
 )

 // Options are the configurable options provided for the package.
@ -29,6 +32,8 @@ type Options struct {
 	SignIdentity string
 	// Notarize sets whether macOS packages should be Notarized.
 	Notarize bool
+	// FleetCertificate is a path to a server certificate to include in the package.
+	FleetCertificate string
 }

 func copyFile(srcPath, dstPath string, perm os.FileMode) error {
@ -54,3 +59,32 @@ func copyFile(srcPath, dstPath string, perm os.FileMode) error {

 	return nil
 }
+
+func initializeUpdates(updateOpt update.Options, osqueryChannel, orbitChannel string) error {
+	localStore, err := filestore.New(filepath.Join(updateOpt.RootDirectory, "tuf-metadata.json"))
+	if err != nil {
+		return errors.Wrap(err, "failed to create local metadata store")
+	}
+	updateOpt.LocalStore = localStore
+
+	updater, err := update.New(updateOpt)
+	if err != nil {
+		return errors.Wrap(err, "failed to init updater")
+	}
+	if err := updater.UpdateMetadata(); err != nil {
+		return errors.Wrap(err, "failed to update metadata")
+	}
+	osquerydPath, err := updater.Get("osqueryd", osqueryChannel)
+	if err != nil {
+		return errors.Wrap(err, "failed to get osqueryd")
+	}
+	log.Debug().Str("path", osquerydPath).Msg("got osqueryd")
+
+	orbitPath, err := updater.Get("orbit", orbitChannel)
+	if err != nil {
+		return errors.Wrap(err, "failed to get orbit")
+	}
+	log.Debug().Str("path", orbitPath).Msg("got orbit")
+
+	return nil
+}