Implement targeted certificate patching in fleetd #21330
base: main
LGTM
(Please convert to draft to not affect PR metrics :)
Codecov Report

Attention: Patch coverage is

Additional details and impacted files

```diff
@@             Coverage Diff              @@
##             main   #21330        +/-   ##
===========================================
+ Coverage   52.91%   64.69%    +11.77%
===========================================
  Files         444     1487      +1043
  Lines       11030   120701    +109671
  Branches     3349     3349
===========================================
+ Hits         5837    78088     +72251
- Misses       5170    35486     +30316
- Partials       23     7127      +7104
```
LGTM!
IIRC one of the issues is that the plists are cached and probably the reason why the unload+load are needed.
PS: Such complexity is one of the reasons I implemented the "update channels" feature with a separate "overrides" file (cross-platform) instead of going this route. That said, it's good to know that there is a way to programmatically do the self-change of plist config :)
NOT TO BE MERGED
This is to help out a customer who has deployed fleetd agents with a single certificate that is expiring. We look for that certificate and replace it with the default cert bundle. This will be pushed to an orbit release tag that the customer will configure on their Fleet server, so that it only affects their deployment.
It also enables Fleet Desktop for these installations, as discussed with the customer.
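
An added example, not code from this PR or from Fleet: one way to implement the check the description gives ("look for that certificate and replace it with the default cert bundle"), assuming the target is identified by the SHA-256 fingerprint of its DER bytes. The names `patchPinnedCert` and `fingerprint` and the command-line arguments are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/pem"
	"log"
	"os"
)

// fingerprint returns the lowercase hex SHA-256 of a certificate's DER bytes.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// patchPinnedCert (hypothetical helper) swaps in bundle only when path holds exactly the one targeted cert.
func patchPinnedCert(path, wantFP string, bundle []byte) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	var certs [][]byte
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			certs = append(certs, block.Bytes)
		}
	}
	// A bundle, an empty file, or a different single cert is not the targeted deployment: leave it alone.
	if len(certs) != 1 || fingerprint(certs[0]) != wantFP {
		return false, nil
	}
	// Write beside the original, then rename, so a crash cannot leave a truncated trust store.
	tmp := path + ".tmp"
	if err = os.WriteFile(tmp, bundle, 0o644); err == nil {
		err = os.Rename(tmp, path)
	}
	return err == nil, err
}

func main() {
	if len(os.Args) != 4 {
		log.Fatal("usage: patchcert CERTS_PEM SHA256_HEX BUNDLE_PEM")
	}
	bundle, err := os.ReadFile(os.Args[3])
	if err != nil {
		log.Fatal(err)
	}
	log.Println(patchPinnedCert(os.Args[1], os.Args[2], bundle))
}
```

Because the match requires exactly one certificate with the expected fingerprint, a second run after a successful replacement is a no-op, and hosts that already carry a bundle are never touched.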