fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Run gitops.sh with a team gitops role #24002

Open dherder opened 1 day ago

dherder commented 1 day ago

noahtalerman commented 14 hours ago

Problem

From prospect-hubble: "we wanted to setup GitOps where the action was only actioning team resources / config."

Right now, when running gitops.sh with a team-specific gitops user, the following error is encountered:

    fleetctl gitops -f ./default.yml -f ./teams/endpoint-qa.yml -f ./teams/endpoint.yml -f ./teams/no-team.yml --dry-run
    Error: GET /api/latest/fleet/config received status 403 forbidden: forbidden
    Error: Process completed with exit code 1.

What have you tried?

Defining a global gitops role is the workaround.

Potential solutions

From prospect-hubble: it (gitops.sh) should determine which one (.yml) is the global config by virtue of it being the only yml file with an org_settings top-level key. The order of -f xxxxx.yml shouldn't really matter. Additionally, if no file with an org_settings top-level key is provided, skip configuring the global scope and only configure teams. That logic makes more sense to me!

In order to support this, fleetctl would need changes, in addition to the changes to the gitops actions (GitHub and GitLab) required so that they do not set the global config, only the team config.
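As an added illustration of the classification logic proposed above (this is example shell, not Fleet's own gitops.sh or fleetctl code): the files passed to a GitOps run are sorted into "global" and "team" by whether they carry a top-level org_settings key, regardless of the order they were given, and when no file carries that key the global config is skipped and only the team files are passed to fleetctl. The sample YAML files are constructed here, and top-level detection is a line-based heuristic (a key at column 0), which is an assumption; a full YAML parser would be more robust. File paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not part of Fleet: decide which GitOps YAML file is the
# global config by looking for a top-level `org_settings` key.

# Print "global" if the file has org_settings at column 0, else "team".
# Indented keys and commented-out keys do not match (assumed heuristic).
classify_gitops_file() {
    if grep -Eq '^org_settings[[:space:]]*:' "$1"; then
        echo global
    else
        echo team
    fi
}

# Print the single global file among the arguments, or nothing if there is
# none; fail if more than one file carries org_settings.
global_config_file() {
    found=""
    for f in "$@"; do
        if [ "$(classify_gitops_file "$f")" = global ]; then
            if [ -n "$found" ]; then
                echo "error: both $found and $f carry org_settings" >&2
                return 1
            fi
            found=$f
        fi
    done
    [ -n "$found" ] && printf '%s\n' "$found"
    return 0
}

# Print the team files, one per line, in the order given.
team_config_files() {
    for f in "$@"; do
        [ "$(classify_gitops_file "$f")" = team ] && printf '%s\n' "$f"
    done
    return 0
}

# Build the `-f ...` argument list for fleetctl gitops: global file first
# when present, then teams. With no global file, only teams are applied,
# so a team-scoped gitops user never needs to touch the global config.
fleetctl_gitops_args() {
    global=$(global_config_file "$@") || return 1
    args=""
    if [ -n "$global" ]; then
        args="-f $global"
    else
        echo "note: no file with top-level org_settings; skipping global config" >&2
    fi
    for f in $(team_config_files "$@"); do
        args="$args -f $f"
    done
    printf '%s\n' "${args# }"
}

# Constructed sample configs in a temp directory; prints the directory path.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/endpoint.yml" <<'EOF'
name: endpoint
policies:
  - path: ./lib/policy.yml
EOF
    cat > "$dir/default.yml" <<'EOF'
org_settings:
  server_settings:
    server_url: https://fleet.example.com
policies: []
EOF
    cat > "$dir/no-team.yml" <<'EOF'
name: No team
# org_settings: (a comment mentioning the key must not count)
policies: []
EOF
    printf '%s\n' "$dir"
}

# Usage: d=$(make_sample_configs); fleetctl gitops $(fleetctl_gitops_args "$d"/*.yml) --dry-run
```

Running `fleetctl_gitops_args` on endpoint.yml, default.yml and no-team.yml in any order yields default.yml first; running it on the two team files alone yields only those two and prints a note that the global scope was skipped.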