Move Team enrollment secrets to a fleetctl get
We had a customer say they didn't want team enrollment secrets in Git because too many people can read them / see them.
Ideally, the customer would prefer to move Team enrollment secrets to a fleetctl get which makes it clearer that secrets will get returned. fleetctl get config doesn't return secrets and the customer believes that fleetctl get teams shouldn't either.
We did share this as well with them but it didn't seem optimal for their needs: https://fleetdm.com/docs/configuration/configuration-files#rotating-enroll-secrets
Noah: Let's get feedback from the customer on best practice GitOps
Heads up @Patagonia121, this feature request was brought to feature fest on 2024-02-15 and wasn't prioritized for the current design sprint.
@noahtalerman
Customer has created 2 very detailed videos I've watched showing their GitOps workflow. It is very standard. It is using make with custom rules to create yaml files & then using git CLI in Terminal to push those files in a branch created by a PR up to their GitHub repo for Fleet stuff.
Per @ksatter, the issue is that when the config is pulled from Fleet and compared to proposed changes, secrets are being merged into the local version.
This could likely be mitigated by:
- adding logic to ignore the secrets when comparing, or
- treating Teams like we do the global configuration in regard to secrets
fleetctl get config does not include the global enroll secrets; fleetctl get enroll_secrets returns the global secrets.
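One way to implement the first mitigation (ignoring secrets when comparing) on the client side, as an added example that is not Fleet's own code: it takes one team as fleetctl get teams --json is assumed to return it (constructed sample; the spec.team.secrets location is an assumption), compares it with the Git-tracked copy with secrets removed, and lists any secrets that would otherwise be committed.

```python
import json
from typing import Any

# Constructed sample shaped like one team from `fleetctl get teams --json`
# (enroll secrets assumed to sit under spec.team.secrets; shape is an assumption).
REMOTE_TEAM_JSON = """{
  "apiVersion": "v1", "kind": "team",
  "spec": {"team": {
    "name": "Workstations",
    "secrets": [{"secret": "EXAMPLE-ENROLL-SECRET-PLACEHOLDER"}],
    "agent_options": {"config": {"options": {"logger_tls_period": 10}}}}}
}"""

# Constructed local spec as it would be tracked in Git: same settings, no secrets.
LOCAL_TEAM_JSON = """{
  "apiVersion": "v1", "kind": "team",
  "spec": {"team": {
    "name": "Workstations",
    "agent_options": {"config": {"options": {"logger_tls_period": 10}}}}}
}"""

SECRET_KEYS = {"secrets"}  # keys whose values must never reach Git or the diff


def strip_secrets(node: Any) -> Any:
    """Copy of the document with every SECRET_KEYS entry removed, at any depth."""
    if isinstance(node, dict):
        return {k: strip_secrets(v) for k, v in node.items() if k not in SECRET_KEYS}
    if isinstance(node, list):
        return [strip_secrets(item) for item in node]
    return node


def find_secret_paths(node: Any, path: str = "$") -> list[str]:
    """Paths of every SECRET_KEYS entry, so a pre-commit check can refuse the file."""
    found: list[str] = []
    if isinstance(node, dict):
        for k, v in node.items():
            child = f"{path}.{k}"
            found += [child] if k in SECRET_KEYS else find_secret_paths(v, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += find_secret_paths(item, f"{path}[{i}]")
    return found


def secret_paths_in(doc_json: str) -> list[str]:
    return find_secret_paths(json.loads(doc_json))


def redact_for_git(doc_json: str) -> str:
    """The pulled spec with secrets removed: the only form that should be committed."""
    return json.dumps(strip_secrets(json.loads(doc_json)), indent=2)


def specs_differ(remote_json: str, local_json: str) -> bool:
    """True when the pulled spec and the Git spec differ in anything except secrets."""
    return strip_secrets(json.loads(remote_json)) != strip_secrets(json.loads(local_json))
```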
Thanks @nonpunctual
treating Teams like we do the global configuration in regard to secrets
This seems like the best approach. I think we want to be consistent w/ fleetctl get teams
Customer has created 2 very detailed videos I've watched showing their GitOps workflow.
When you get the chance, can you please share these videos w/ the team? (if you haven't already) I think adding them to the customer agenda Google doc makes sense. Thanks!