Open ddribeiro opened 2 months ago
Thanks for tracking this one w/ the Gong snippet @ddribeiro!
I added a user story above the Gong snippet:
As an IT admin writing a script w/ a dependency (ex. cert), I want to add them as script attachments via the UI/API so that they're already on the computer when the script runs.
Today, w/o this feature, they'd have to host the certificate somewhere outside of Fleet and pull it down (via `curl` or something similar) in their script. Does that sound right?
Hey @noahtalerman,
I have an update from customer-cisneros for you:
No, the certs are not hosted somewhere and pulled via `curl`. The reason for this is we don't have any public-facing servers that aren't behind SSO, so there is not a great mechanism to programmatically retrieve the certificates.
The way it works today is after the user authenticates via DUO, an auth token is picked up by the backend automation and used along with the CSR to request a cert from our PKI provider (Hydrant).
We then leverage the "attach" functionality within Landscape to add the cert to the script.
When the script remotely executes on the machine, the cert is made available in the `/tmp/landscape_attachments/`
Our scripts then look for this filename at that location and copy it onto the filesystem at `/opt/omitted/certs`, and it's then used for configuring the network connection for the user.
Gong snippet: https://us-65885.app.gong.io/call?id=3532396675968293631&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1662%2C%22to%22%3A2205%7D%5D
Problem
`customer-cisneros` has a workflow where they run a script to deliver certificates to their host. The script has a dependency on a `.pem` file existing in a specific directory on the computer when it is run.

Their current management solution, Landscape, has a feature that lets them specify files as "attachments" to the script. This allows them to include the `.pem` as an attachment with the script and reference it in the script.

Fleet currently does not offer the ability to deliver attachments alongside scripts, so this workflow needs to be modified to use with Fleet.
What have you tried?
The customer looked for a way to deliver dependencies as attachments to a script in the Fleet UI, but did not find the option available.
It might be possible to deliver dependencies as part of the Software installation feature, then call the script only after the software is "installed." Doing this increases complexity compared to their current solution.
Potential solutions
If Fleet had support to deliver attachments alongside scripts, the customer would be able to migrate their existing workflow to Fleet with no additional effort.
The key here is building out the script and all dependencies in a single interface for ease of use.
What is the expected workflow as a result of your proposal?
`customer-cisneros` would be able to upload their existing script they use to generate certificates on device to Fleet. In the Fleet UI, they would be able to upload a `.pem` file that the script has a dependency on. This would ensure the `.pem` is present on the host in a known location when the script runs and can generate certificates successfully. The customer would then execute the script from the Fleet UI and successfully generate certificates.