@noahtalerman: For the following bug:
- https://github.com/fleetdm/fleet/issues/43160
## Summary
- Condense and relocate the S3 `endpoint_url` override warning from the
general `## S3` section header into the individual `endpoint_url`
setting sections
- The primary warning now lives in
`s3_software_installers_endpoint_url`; the `s3_carves_endpoint_url` and
`packaging_s3_endpoint_url` sections cross-reference it
- Condense region-discovery notes similarly (primary in
`s3_software_installers_region`, cross-references elsewhere)
- Condense the Reference Architectures S3 section to a single paragraph
## Changes
**`docs/Configuration/fleet-server-configuration.md`:**
- Removed the large callout block under `## S3`
- Added concise warning to `s3_software_installers_endpoint_url` with
link to [#42349](https://github.com/fleetdm/fleet/issues/42349)
- Added concise note to `s3_software_installers_region`
- Updated `s3_carves_endpoint_url`, `s3_carves_region`,
`packaging_s3_endpoint_url`, and `packaging_s3_region` with short
cross-references
**`docs/Deploy/Reference-Architectures.md`:**
- Condensed the `S3 configuration for AWS deployments` section to a
single paragraph with link to the config reference
## Related
- Relates to #42349
---
Built for
[ntalerman](https://fleetdm.slack.com/archives/D0AEA6U4SM9/p1775051868003859?thread_ts=1775051234.724799&cid=D0AEA6U4SM9)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite
loops
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38013
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
See
https://drive.google.com/file/d/1zeFNLuf_rT5FWzDiYyL2_hbIBW2neba-/view?usp=drive_link
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* GitOps variables in JSON configuration profiles (Apple DDM
declarations and Android profiles) are now automatically escaped for
JSON special characters, ensuring proper handling of sensitive values.
* **Tests**
* Added JSON configuration profile escaping validation to the enterprise
GitOps integration test suite.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
The glob/ `paths:` feature was added across PRs #40799 (scripts,
configuration_profiles) and #41141 (labels, policies, reports) but the
customer-facing YAML reference at `docs/Configuration/yaml-files.md` was
never updated to document it.
This adds documentation for:
- New `path:` vs `paths:` reference section explaining the difference
between singular (literal file) and plural (glob pattern)
- Characters to avoid in filenames when using `path:` (`*`, `?`, `[`,
`{`)
- `scripts` section: `paths:` support with `.sh`/`.ps1` filter note
- `apple_settings`/`windows_settings` section: `path:` vs `paths:` wit
examples
- `android_settings` section: `paths:` support note
- `labels`, `policies`, `reports` sections: `paths:` support notes
- `paths:` glob examples added to the controls YAML example for both
scripts, apple_settings, and windows_settings
Discovered via customer-sonet whose Windows profile filenames use
brackets as a CSP naming convention (e.g.
`[AllowSpotlightCollection].xml`), which are rejected by `path:`
validation as glob metacharacters.
See related bug report for the false positive on literal filenames.
https://github.com/fleetdm/fleet/issues/43598
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43598
Co-authored-by: Rachael Shaw <r@rachael.wtf>
- @noahtalerman: We decided to stop calling the settings experimental
and just warn in the docs what happens if you turn it on. That way we’re
not calling them “experimental” which feels unsafe. They're not
experimental; they're just deliberately allowing custom profiles.
## Summary
- Clarifies in the MySQL docs intro that read replica configuration is
fully independent — no values are inherited from the primary config
- Adds explicit callout that `mysql_read_replica_region` must be set
separately when using IAM authentication
- Adds note to `mysql_tls_config` explaining that this setting is
typically not needed for RDS IAM auth since Fleet uses bundled RDS CA
certificates (including GovCloud regions)
These changes address real-world customer confusion where a GovCloud
deployment failed because `FLEET_MYSQL_READ_REPLICA_REGION` was not set
independently of `FLEET_MYSQL_REGION`.
Note: related to #39832
## Testing
Documentation-only change — no code impact.
Add script-only package documentation to the packages section.
Script-only packages (.sh and .ps1 files) are a supported package type
but had no example or guidance in the YAML configuration docs. This adds
a "Script-only" example after the existing URL and Hash examples,
documenting:
- Script-only packages must be configured inline in the team YAML file
- self_service, categories, labels, and icon are specified inline
- Script packages do not support install_script, uninstall_script,
post_install_script, pre_install_query, or automatic install
- Separate package YAML files are not currently supported for
script-only packages
This PR will remain in draft as a preview of upcoming documentation
changes for 4.83.0
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
Co-authored-by: kilo-code-bot[bot] <240665456+kilo-code-bot[bot]@users.noreply.github.com>
Co-authored-by: Carlo <1778532+cdcme@users.noreply.github.com>
## Summary
- Reverts the changes introduced by issue
[#38834](https://github.com/fleetdm/fleet/issues/38834), which changed
the Apple (macOS, iOS, iPadOS) OS update enforcement deadline from 12:00
PM (Noon) to 7:00 PM local time.
- Reverts code from [PR
#38810](https://github.com/fleetdm/fleet/pull/38810) (backend, frontend,
tests) and [PR #39185](https://github.com/fleetdm/fleet/pull/39185)
(documentation).
- Restores the original noon (12:00) deadline in the MDM declaration
payload, frontend tooltip, integration tests, REST API docs, and YAML
configuration docs.
## Changes
| File | Change |
|------|--------|
| `ee/server/service/mdm.go` | `TargetLocalDateTime` reverted from
`T19:00:00` to `T12:00:00` |
| `frontend/.../AppleOSTargetForm.tsx` | Deadline tooltip reverted from
"19:00 (7PM)" to "12:00 (Noon)" |
| `server/service/integration_enterprise_test.go` | Test assertion
reverted from `T19:00:00` to `T12:00:00` |
| `docs/Configuration/yaml-files.md` | 3 references reverted from "7PM"
to "noon" |
| `docs/REST API/rest-api.md` | 6 references reverted from "7PM" to
"noon" |
Built for
[ntalerman](https://fleetdm.slack.com/archives/D0AEA6U4SM9/p1773780763835429)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: George Karr <georgekarrv@users.noreply.github.com>
## Summary
- Embeds Fleet's ["The Basics of Fleet
GitOps"](https://www.youtube.com/watch?v=wgqI_lHnGJc) YouTube video on
the [GitOps YAML files documentation
page](https://fleetdm.com/docs/configuration/yaml-files).
- The video is placed in the introduction section, right after the
opening paragraph and before the first callout, so users see it early
when landing on the page.
- Uses the existing `<div purpose="embedded-content"><iframe>` embed
pattern consistent with other Fleet docs pages (e.g.,
`articles/queries.md`, `articles/fleetctl.md`,
`articles/vulnerability-processing.md`).
### Changes
- `docs/Configuration/yaml-files.md`: Added YouTube video embed for "The
Basics of Fleet GitOps" (`wgqI_lHnGJc`).
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1773338930980929)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
This PR will remain in draft as a preview of upcoming documentation
changes for 4.82.0
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Nico <32375741+nulmete@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Added information about silent migration enrollment profile for Apple
MDM devices.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Relates #39796
Resolves#40813
* Added configurable body size limits for the `/api/osquery/log`,
`/api/osquery/distributed/write` and `/api/osquery/config` endpoints.
* Fixed false positive `PayloadTooLargeError` errors.
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Add documentation for enabling bootstrap packages during MDM migration.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39634
This PR will remain in draft as a preview of upcoming documentation
changes for 4.81.0
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: kitzy <kitzy@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Zach Wasserman <zach@fleetdm.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
