fleet/cmd/fleetctl/testdata/generateGitops/expectedOrgSettings.yaml
Scott Gress d716265641
Add "generate-gitops" command (#28555)
For #27476

# Checklist for submitter

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

# Details

This PR adds a new command `generate-gitops` to the `fleetctl` tool. The
purpose of this command is to output GitOps-ready files that can then be
used with `fleetctl-gitops`.

The general usage of the command is:

```
fleetctl generate-gitops --dir /path/to/dir/to/add/files/to
```

By default, the outputted files will not contain sensitive data, but
will instead add comments where the data needs to be replaced by a user.
In cases where sensitive data is redacted, the tool outputs warnings to
the user indicating which keys need to be updated.

The tool uses existing APIs to gather data for use in generating
configuration files. In some cases new API client methods needed to be
added to support the tool:

* ListConfigurationProfiles
* GetProfileContents
* GetScriptContents
* GetSoftwareTitleByID

Additionally, the response for the /api/latest/fleet/software/batch
endpoint was updated slightly to return `HashSHA256` for the software
installers. This allows policies that automatically install software to
refer to that software by hash.

Other options that we may or may not choose to document at this time:

* `--insecure`: outputs sensitive data in plaintext instead of leaving
comments
* `--print`: prints the output to stdout instead of writing files
* `--key`: outputs the value at a keypath to stdout, e.g. `--key
agent_options.config`
* `--team`: only generates config for the specified team name
* `--force`: overwrites files in the given directory (defaults to false,
which errors if the dir is not empty)

# Technical notes

The command is implemented using a `GenerateGitopsCommand` type which
holds some state (like a list of software and scripts encountered) as
well as a Fleet client instance (which may be a mock instance for tests)
and the CLI context (containing things like flags and output writers).
The actual "action" of the CLI command calls the `Run()` method of the
`GenerateGitopsCommand` var, which delegates most of the work to other
methods like `generateOrgSettings()`, `generateControls()`, etc.

Wherever possible, the subroutines use reflection to translate Go struct
fields into JSON property names. This guarantees that the correct keys
are written to config files, and protects against the unlikely event of
keys changing.

When sensitive data is encountered, the subroutines call `AddComment()`
to get a new token to add to the config files. These tokens are replaced
with comments like `# TODO - Add your enrollment secrets here` in the
final output.

# Known issues / TODOs:

* The `macos_setup` configuration is not output by this tool yet. More
planning is required for this. In the meantime, if the tool detects that
`macos_setup` is configured on the server, it outputs a key with an
invalid value and prints a warning to the user that they'll need to
configure it themselves.
* `yara_rules` are not output yet. The tool adds a warning that if you
have Yara rules (which you can only upload via GitOps right now) you'll
have to migrate them manually. Supporting this will require a new
API that we'll have to discuss the authz for, so punting on it for now.
* Fleet maintained apps are not supported by GitOps yet (coming in
https://github.com/fleetdm/fleet/issues/24469). In the meantime, this
tool will output a `fleet_maintained_apps` key and trigger a warning,
and GitOps will fail if that key is present.

---------

Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
2025-05-06 15:25:44 -05:00

```yaml
features:
  enable_host_users: true
  enable_software_inventory: true
  additional_queries:
    time: "SELECT * FROM time"
    macs: "SELECT mac FROM interface_details"
  detail_query_overrides:
    users:
    mdm: "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;"
fleet_desktop:
  transparency_url: https://fleetdm.com/transparency
host_expiry_settings:
  host_expiry_enabled: false
  host_expiry_window: 59995
integrations:
  custom_scep_proxy:
    - challenge: ___GITOPS_COMMENT_5___
      name: some-custom-scep-proxy-name
      url: https://some-custom-scep-proxy-url.com
  digicert:
    - api_token: ___GITOPS_COMMENT_3___
      certificate_common_name: some-digicert-certificate-common-name
      certificate_seat_id: some-digicert-certificate-seat-id
      certificate_user_principal_names:
        - some-digicert-certificate-user-principal-name
        - some-other-digicert-certificate-user-principal-name
      name: some-digicert-name
      profile_id: some-digicert-profile-id
      url: https://some-digicert-url.com
  google_calendar:
    - api_key_json:
        owl: hoot
        private_key: ___GITOPS_COMMENT_0___
      domain: fleetdm.com
  jira:
    - api_token: ___GITOPS_COMMENT_1___
      enable_failing_policies: false
      enable_software_vulnerabilities: false
      project_key: some-jira-project-key
      url: https://some-jira-url.com
      username: some-jira-username
  ndes_scep_proxy:
    admin_url: https://some-ndes-admin-url.com
    password: ___GITOPS_COMMENT_4___
    url: https://some-ndes-scep-proxy-url.com
    username: some-ndes-username
  zendesk:
    - api_token: ___GITOPS_COMMENT_2___
      email: some-zendesk-email@example.com
      enable_failing_policies: false
      enable_software_vulnerabilities: false
      group_id: 123456789
      url: https://some-zendesk-url.com
mdm:
  apple_business_manager:
    - ios_team: "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
      ipados_team: "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
      macos_team: "\U0001F4BB Workstations"
      organization_name: Fleet Device Management Inc.
  apple_server_url: http://some-apple-server-url.com
  end_user_authentication:
    entity_id: some-mdm-entity-id.com
    idp_name: some-other-idp-name
    issuer_uri: https://some-mdm-issuer-uri.com
    metadata: ___GITOPS_COMMENT_6___
    metadata_url: ___GITOPS_COMMENT_7___
  volume_purchasing_program:
    - location: Fleet Device Management Inc.
      teams:
        - "\U0001F4BB Workstations"
        - "\U0001F4BB\U0001F423 Workstations (canary)"
        - "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
        - "\U0001F4F1\U0001F510 Personal mobile devices"
org_info:
  contact_url: https://fleetdm.com/company/contact
  org_logo_url: http://some-org-logo-url.com
  org_logo_url_light_background: http://some-org-logo-url-light-background.com
  org_name: Fleet
secrets:
  - secret: ___GITOPS_COMMENT_8___
server_settings:
  ai_features_disabled: false
  debug_host_ids:
    - 1
    - 3
  deferred_save_host: false
  enable_analytics: true
  live_query_disabled: false
  query_report_cap: 1
  query_reports_disabled: false
  scripts_disabled: false
  server_url: https://dogfood.fleetdm.com
sso_settings:
  enable_jit_provisioning: true
  enable_sso: true
  enable_sso_idp_login: false
  entity_id: dogfood.fleetdm.com
  idp_image_url: http://some-sso-idp-image-url.com
  idp_name: some-idp-name
  metadata: ___GITOPS_COMMENT_9___
  metadata_url: ___GITOPS_COMMENT_10___
webhook_settings:
  activities_webhook:
    destination_url: https://some-activities-webhook-url.com
    enable_activities_webhook: true
  failing_policies_webhook:
    destination_url: https://some-failing-policies-webhook-url.com
    enable_failing_policies_webhook: true
    host_batch_size: 2
    policy_ids: []
  host_status_webhook:
    days_count: 5
    destination_url: https://some-host-status-webhook-url.com
    enable_host_status_webhook: true
    host_percentage: 20
    interval: 6h0m0s
  vulnerabilities_webhook:
    destination_url: https://some-vulerabilities-webhook-url.com
    enable_vulnerabilities_webhook: true
    host_batch_size: 3
yara_rules: {}
```
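The commit message describes two techniques that the fixture above only shows the result of: keys are derived from Go struct tags via reflection, and every sensitive value is swapped for a `___GITOPS_COMMENT_N___` token that becomes a `# TODO` comment in the final file, with a warning naming the key the operator has to fill in. The program below is an added example of that scheme written for this page; it is not Fleet's `GenerateGitopsCommand` or any other code from the fleet repository. It assumes a hypothetical two-field subset of the org settings, a `sensitive:"true"` struct tag of its own invention to mark what must be redacted, comment wording derived from the key name, warning paths of the form `secrets[0].secret`, and a tiny YAML writer so that it runs with only the standard library. The `insecure` switch mirrors the `--insecure` flag: values are written in plaintext and no warnings are produced.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Hypothetical subset of org settings, fields in alphabetical order so the output
// is sorted like the fixture. The json tags drive the output keys; the
// `sensitive:"true"` tag is this example's own convention for values to redact.
type EnrollSecret struct {
	Secret string `json:"secret" sensitive:"true"`
}
type SSOSettings struct {
	EnableSSO bool   `json:"enable_sso"`
	EntityID  string `json:"entity_id"`
	Metadata  string `json:"metadata" sensitive:"true"`
}
type OrgSettings struct {
	Secrets     []EnrollSecret `json:"secrets"`
	SSOSettings SSOSettings    `json:"sso_settings"`
}

// Generator carries the walk's state: one comment per token handed out, and the
// key paths whose values were redacted (reported back to the operator as warnings).
type Generator struct {
	Insecure bool
	comments []string
	Warnings []string
}

// AddComment registers a comment and returns the placeholder token that stands in
// for the redacted value until Generate swaps it for the comment.
func (g *Generator) AddComment(text string) string {
	g.comments = append(g.comments, text)
	return fmt.Sprintf("___GITOPS_COMMENT_%d___", len(g.comments)-1)
}

// emit walks v with reflection and writes YAML whose keys come from the json tags,
// so a hand-typed key can never drift from the struct; non-empty sensitive strings
// are replaced by a token unless Insecure is set.
func (g *Generator) emit(sb *strings.Builder, v reflect.Value, path string, indent int) {
	pad := strings.Repeat("  ", indent)
	switch v.Kind() {
	case reflect.Struct:
		for i := 0; i < v.NumField(); i++ {
			f := v.Type().Field(i)
			name := strings.Split(f.Tag.Get("json"), ",")[0]
			if name == "" || name == "-" {
				continue
			}
			fv, key := v.Field(i), strings.TrimPrefix(path+"."+name, ".")
			switch {
			case f.Tag.Get("sensitive") == "true" && fv.Kind() == reflect.String && fv.String() != "" && !g.Insecure:
				sb.WriteString(pad + name + ": " + g.AddComment("TODO - Add your "+name+" here") + "\n")
				g.Warnings = append(g.Warnings, key)
			case fv.Kind() == reflect.Slice && fv.Len() == 0:
				sb.WriteString(pad + name + ": []\n")
			case fv.Kind() == reflect.Slice || fv.Kind() == reflect.Struct:
				sb.WriteString(pad + name + ":\n")
				g.emit(sb, fv, key, indent+1)
			default:
				sb.WriteString(fmt.Sprintf("%s%s: %v\n", pad, name, fv.Interface()))
			}
		}
	case reflect.Slice: // render each item one level deeper, then turn its first line into "- ..."
		for i := 0; i < v.Len(); i++ {
			var item strings.Builder
			g.emit(&item, v.Index(i), fmt.Sprintf("%s[%d]", path, i), indent+1)
			sb.WriteString(pad + "- " + strings.TrimPrefix(item.String(), pad+"  "))
		}
	default:
		sb.WriteString(fmt.Sprintf("%s%v\n", pad, v.Interface()))
	}
}

// Generate renders settings as YAML. Unless insecure is set, each sensitive value
// becomes a "# TODO" comment and its key path is returned as a warning.
func Generate(settings OrgSettings, insecure bool) (string, []string) {
	g := &Generator{Insecure: insecure}
	var sb strings.Builder
	g.emit(&sb, reflect.ValueOf(settings), "", 0)
	out := sb.String()
	for i, c := range g.comments {
		out = strings.ReplaceAll(out, fmt.Sprintf("___GITOPS_COMMENT_%d___", i), "# "+c)
	}
	return out, g.Warnings
}

func main() {
	settings := OrgSettings{ // constructed input standing in for what the server API returns
		Secrets:     []EnrollSecret{{Secret: "enroll-secret-abc"}},
		SSOSettings: SSOSettings{EnableSSO: true, EntityID: "dogfood.fleetdm.com", Metadata: "<EntityDescriptor/>"},
	}
	out, warnings := Generate(settings, false)
	fmt.Print(out)
	fmt.Println("WARNING: redacted keys to fill in:", warnings)
}
```

Token substitution is done as a separate pass over the finished text rather than while walking, which is what lets the same walk serve both modes; note that the tokens end in `___`, so `___GITOPS_COMMENT_1___` can never match inside `___GITOPS_COMMENT_10___` (the fixture above reaches token 10). A useful check before committing generated files is the one the test performs: every input value tagged sensitive must be absent from the redacted output.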