Best practice for using Fleet with a GitOps workflow

fleetdm/fleet-gitops

Fleet GitOps

This is the starter repository for using Fleet with a GitOps workflow.

GitHub setup

  1. Clone the GitHub repository, create your own GitHub repository, and push your clone to your new repo. Note that a workflow will run once and fail because the required variables haven't been added yet (steps 2 and 3).

  2. Add FLEET_URL and FLEET_API_TOKEN secrets to your new repository's secrets. Learn how here. Set FLEET_URL to your Fleet instance's URL (e.g., https://organization.fleet.com). Set FLEET_API_TOKEN to an API token for an API-only user in Fleet. Learn how here.

  3. Add a FLEET_GLOBAL_ENROLL_SECRET secret to your new repository's secrets. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters.

    • If you have a Premium Fleet license, also add FLEET_WORKSTATIONS_ENROLL_SECRET and FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET.
    • If you do not have a Premium Fleet license, delete the teams directory.
  4. In GitHub, enable the "Apply latest configuration to Fleet" GitHub Actions workflow and run the workflow manually. Now, when anyone pushes a new commit to the default branch, the action will run and update Fleet. For pull requests, the workflow will do a dry run only.

GitLab setup

  1. Clone the GitLab repository, create your own GitLab repository, and push your clone to your new repo. Note that a pipeline will run once and fail because the required variables haven't been added yet (steps 2 and 3).

  2. Add FLEET_URL and FLEET_API_TOKEN as masked CI/CD variables. Learn how here. Set FLEET_URL to your Fleet instance's URL (e.g., https://organization.fleet.com). Set FLEET_API_TOKEN to an API token for an API-only user in Fleet. Learn how here.

  3. Add FLEET_GLOBAL_ENROLL_SECRET as a masked CI/CD variable. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters.

    • If you have a Premium Fleet license, also add FLEET_WORKSTATIONS_ENROLL_SECRET and FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET.
    • If you do not have a Premium Fleet license, delete the teams directory.
  4. Now, when anyone pushes a new commit to the default branch, the pipeline will run and update Fleet. For merge requests, the pipeline will do a dry run only.
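
The enroll-secret rule from step 3 of both setups (alphanumeric, 32 to 255 characters) can be checked before the secrets are stored in GitHub or GitLab. The script below is an added example, not code from the fleetdm/fleet-gitops repository; its function names are hypothetical, and it assumes a POSIX shell with /dev/urandom available.

```shell
#!/bin/sh
# Added example (not from fleetdm/fleet-gitops). Function names are hypothetical.
LC_ALL=C; export LC_ALL   # byte-wise ranges, so A-Za-z0-9 means ASCII only

# True only for an alphanumeric string of 32 to 255 characters (rule from the README).
is_valid_enroll_secret() {
    secret=$1
    [ "${#secret}" -ge 32 ] && [ "${#secret}" -le 255 ] || return 1
    case $secret in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Print a random secret of $1 characters (default 48) drawn from /dev/urandom.
gen_enroll_secret() {
    n=${1:-48}
    case $n in ''|*[!0-9]*) return 2 ;; esac
    [ "$n" -ge 32 ] && [ "$n" -le 255 ] || return 2
    # 4096 random bytes leave roughly 990 alphanumeric characters after filtering.
    s=$(head -c 4096 /dev/urandom | tr -dc 'A-Za-z0-9' | cut -c "1-$n")
    [ "${#s}" -eq "$n" ] || return 1
    printf '%s\n' "$s"
}

# Check each named environment variable; report names only, never values.
check_enroll_secrets() {
    rc=0
    for name in "$@"; do
        # Accept plain identifiers only, which keeps the eval below safe.
        case $name in ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;; esac
        eval "value=\${$name-}"
        if is_valid_enroll_secret "$value"; then
            echo "ok: $name"
        else
            echo "invalid: $name (need 32-255 alphanumeric characters)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Typical use in a CI step:
#   check_enroll_secrets FLEET_GLOBAL_ENROLL_SECRET || exit 1
```

Premium users can pass FLEET_WORKSTATIONS_ENROLL_SECRET and FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET as additional arguments to `check_enroll_secrets`.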

Configuration options

For all configuration options, go to the YAML files reference in the Fleet docs.