Skip to content

Commit

Permalink
Documentation changes for v4.62.0 (#25315)
Browse files Browse the repository at this point in the history
Co-authored-by: Marko Lisica <[email protected]>
Co-authored-by: Konstantin Sykulev <[email protected]>
Co-authored-by: George Karr <[email protected]>
Co-authored-by: Victor Lyuboslavsky <[email protected]>
Co-authored-by: Ian Littman <[email protected]>
Co-authored-by: Noah Talerman <[email protected]>
Co-authored-by: Lucas Manuel Rodriguez <[email protected]>
Co-authored-by: Eric <[email protected]>
  • Loading branch information
9 people authored Jan 10, 2025
1 parent aab3203 commit 378b404
Show file tree
Hide file tree
Showing 7 changed files with 262 additions and 28 deletions.
21 changes: 15 additions & 6 deletions articles/deploy-software-packages.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,12 +28,7 @@ Learn more about automatically installing software in a separate guide [here](ht

* Choose a file to upload. `.pkg`, `.msi`, `.exe`, `.rpm`, and `.deb` files are supported.

> Software installer uploads will fail if Fleet is unable to extract information from the installer package such as bundle ID and version number.
> - [.pkg extractor code](https://github.com/fleetdm/fleet/blob/main/pkg/file/xar.go#:~:text=func%20ExtractXARMetadata)
> - [.msi extractor code](https://github.com/fleetdm/fleet/blob/main/pkg/file/msi.go#:~:text=func%20ExtractMSIMetadata)
> - [.exe extractor code](https://github.com/fleetdm/fleet/blob/main/pkg/file/pe.go#:~:text=func%20ExtractPEMetadata)
> - [.deb extractor code](https://github.com/fleetdm/fleet/blob/main/pkg/file/deb.go#:~:text=func%20ExtractDebMetadata)
> - [.rpm extractor code](https://github.com/fleetdm/fleet/blob/main/pkg/file/rpm.go#:~:text=func%20ExtractRPMMetadata)
* Select the hosts that you want to target with this software, under "Target". Select "All hosts" if you want the software to be available to all your hosts. Select "Custom" to scope the software to specific groups of hosts based on label membership. You can select "Include any", which will scope the software to hosts that have any of the labels you select, or "Exclude any", which will scope the software to hosts that do _not_ have the selected labels.

* Select the hosts that you want to target with this software, under "Target". Select "All hosts" if you want the software to be available to all your hosts. Select "Custom" to scope the software to specific groups of hosts based on label membership. You can select "Include any", which will scope the software to hosts that have any of the labels you select, or "Exclude any", which will scope the software to hosts that do _not_ have the selected labels.

Expand All @@ -43,6 +38,20 @@ Learn more about automatically installing software in a separate guide [here](ht

> After the initial package upload, all options can be modified, including the self-service setting, pre-install query, scripts, and even the software package file. When replacing an installer package, the replacement package must be the same type and for the same software as the original package.
### Package metadata extraction

The following metadata is used in uninstall scripts and policies that trigger automatic installation to check whether the software is already installed:
- bundle identifier (`.pkg`)
- product code (`.msi`)
- name (`.deb`, `.rpm`)

Software installer uploads will fail if Fleet can't extract this metadata and version number. For more details check the extractor code for each package type.
- [.pkg extractor code](https://github.com/fleetdm/fleet/blob/main/pkg/file/xar.go#:~:text=func%20ExtractXARMetadata)
- [.msi extractor code](https://github.com/fleetdm/fleet/blob/main/pkg/file/msi.go#:~:text=func%20ExtractMSIMetadata)
- [.exe extractor code](https://github.com/fleetdm/fleet/blob/main/pkg/file/pe.go#:~:text=func%20ExtractPEMetadata)
- [.deb extractor code](https://github.com/fleetdm/fleet/blob/main/pkg/file/deb.go#:~:text=func%20ExtractDebMetadata)
- [.rpm extractor code](https://github.com/fleetdm/fleet/blob/main/pkg/file/rpm.go#:~:text=func%20ExtractRPMMetadata)

### Pre-install query

A pre-install query is a valid osquery SQL statement that will be evaluated on the host before installing the software. If provided, the installation will proceed only if the query returns any value.
Expand Down
130 changes: 130 additions & 0 deletions articles/secret-variables.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,130 @@
# How to use secret variables in Fleet

Fleet [v4.62.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.62.0) allows you to use secret variables in Fleet scripts, software install/uninstall scripts, and MDM configuration profiles. Secret variables are encrypted and stored securely in Fleet, enabling you to use sensitive information in your scripts and profiles without exposing it in plain text. Fleet secret variables cannot be retrieved via the Fleet API or UI.

Examples of sensitive information include:
- API tokens
- Passwords
- Certificates
- Private keys
- Other sensitive data

## Prerequisites

- Fleet v4.62.0

## How to specify a secret variable

A secret variable can be used in a script or MDM configuration profile by specifying the variable name in the format `$FLEET_SECRET_MYNAME` or `${FLEET_SECRET_MYNAME}`. When the script or profile is sent to the host, Fleet will replace the variable with the actual secret value. The prefix `FLEET_SECRET_` is required to indicate that the variable is a secret, and Fleet reserves this prefix for secret variables.

**Example:**

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadDisplayName</key>
<string>Certificate PKCS12</string>
<key>PayloadIdentifier</key>
<string>com.example.certificate</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>918ee83d-ebd5-4192-bcd4-8b4feb750e4b</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadContent</key>
<array>
<dict>
<key>Password</key>
<string>$FLEET_SECRET_CERT_PASSWORD</string>
<key>PayloadContent</key>
<data>$FLEET_SECRET_CERT_BASE64</data>
<key>PayloadDisplayName</key>
<string>Certificate PKCS12</string>
<key>PayloadIdentifier</key>
<string>com.example.certificate</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>25cdd076-f1e7-4932-aa30-1d4240534fb0</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
</dict>
</plist>
```

In the example above, we use `$FLEET_SECRET_CERT_PASSWORD` and `$FLEET_SECRET_CERT_BASE64` secret variables.

## Using secret variables with GitOps

You can configure Fleet using the [best practice GitOps workflow](https://fleetdm.com/docs/configuration/yaml-files).

You must add the secret variables to your repository's secrets to use them in GitOps.

For the GitHub GitOps flow, they must also be added to the `env` section of your workflow file, as shown below:

```yaml
env:
FLEET_URL: ${{ secrets.FLEET_URL }}
FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
FLEET_SECRET_CERT_PASSWORD: ${{ secrets.FLEET_SECRET_CERT_PASSWORD }}
FLEET_SECRET_CERT_BASE64: ${{ secrets.FLEET_SECRET_CERT_BASE64 }}
```
When GitOps syncs the configuration, it looks for secret variables in scripts and profiles, extracts the secret values from the environment, and uploads them to Fleet.
On subsequent GitOps syncs, if a secret variable used by a configuration profile has been updated, the profile will be resent to the host device(s).
_Note:_ Profiles with secret variables are not entirely validated during a GitOps dry run because secret variables may not be present/correct in the database during the dry run. Hence, there is an increased chance of GitOps non-dry run failure when using a profile with a secret variable. Try uploading this profile to a test team first.
## Using secret variables with the Fleet API and UI
Before uploading a script/profile with secret variables via the Fleet API or UI, you must create the secret variables in Fleet. You can do this with the new secret variables API endpoint.
**Example:**
```bash
curl \
-H "Authorization: Bearer $FLEET_API_TOKEN" \
-H 'Content-Type: application/json' \
https://fleet.example.com/api/v1/fleet/spec/secret_variables \
-X PUT --data-binary @- << EOF
{ "secrets":
[
{
"name": "FLEET_SECRET_CERT_PASSWORD",
"value": "abc123"
},
{
"name": "FLEET_SECRET_CERT_BASE64",
"value": "SGVsbG8gV29ybGQh"
}
]
}
EOF
```

Afterward, you can upload the script/profile with secret variables via the Fleet API or UI.

_Note:_ The checksum of Apple DDM profiles with secret variables now includes the timestamp of the last secrets update.

## Known limitations and issues

- Windows profiles are currently not re-sent to the device on fleetctl gitops update: [issue #25030](https://github.com/fleetdm/fleet/issues/25030)
- Fleet does not mask the secret in script results. DO NOT print/echo your secrets to the console output.
- There is no way to explicitly delete a secret variable. Instead, you can overwrite it with any value.
- Do not use deprecated API endpoint(s) to upload profiles containing secret variables. Use endpoints documented in [Fleet's REST API](https://fleetdm.com/docs/rest-api/rest-api).

<meta name="articleTitle" value="How to use secret variables in Fleet">
<meta name="authorFullName" value="Victor Lyuboslavsky">
<meta name="authorGitHubUsername" value="getvictor">
<meta name="category" value="guides">
<meta name="publishedOn" value="2025-01-02">
<meta name="description" value="A guide on using secret variables in Fleet scripts and MDM configuration profiles.">
10 changes: 8 additions & 2 deletions docs/Configuration/yaml-files.md
Original file line number Diff line number Diff line change
Expand Up @@ -286,7 +286,7 @@ controls:

Fleet supports adding [GitHub environment variables](https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow) in your configuration profiles. Use `$ENV_VARIABLE` format. Variables beginning with `$FLEET_VAR_` are reserved for Fleet server. The server will replace these variables with the actual values when profiles are sent to hosts. See supported variables in the guide [here](https://fleetdm.com/guides/ndes-scep-proxy).

Use `labels_include_all` to only apply (scope) profiles to hosts that have all those labels, `labels_include_any` to apply profiles to hosts that have any of those labels, or `labels_exclude_any` to apply profiles to hosts that don't have any of those labels.
Use `labels_include_all` to target hosts that have all labels in the array, `labels_include_any` to target hosts that have any label in the array, or `labels_exclude_any` to target hosts that don't have any of the labels in the array. Only one of `labels_include_all`, `labels_include_any`, or `labels_exclude_any` can be specified. If none are specified, all hosts are targeted.

### macos_setup

Expand Down Expand Up @@ -329,11 +329,17 @@ Currently, one app for each of an App Store app's supported platforms are added.
software:
packages:
- path: ../lib/software-name.package.yml
- path: ../lib/software-name2.package.yml
labels_include_any:
- Engineering
- Customer Support
# path is relative to default.yml, teams/team-name.yml, or teams/no-team.yml
app_store_apps:
- app_store_id: '1091189122'
```

Use `labels_include_any` to target hosts that have any label in the array or `labels_exclude_any` to target hosts that don't have any label in the array. Only one of `labels_include_any` or `labels_exclude_any` can be specified. If neither are specified, all hosts are targeted.

### packages

- `url` specifies the URL at which the software is located. Fleet will download the software and upload it to S3 (default: `""`).
Expand Down Expand Up @@ -361,7 +367,7 @@ self_service: true

> Make sure to include only the ID itself, and not the `id` prefix shown in the URL. The ID must be wrapped in quotes as shown in the example so that it is processed as a string.

`self_service` only applies to macOS, and is ignored for other platforms. For example, if the app is supported on macOS, iOS, and iPadOS, and `self_service` is set to `true`, it will be self-service on macOS workstations but not iPhones or iPads.
- `self_service` only applies to macOS, and is ignored for other platforms. For example, if the app is supported on macOS, iOS, and iPadOS, and `self_service` is set to `true`, it will be self-service on macOS workstations but not iPhones or iPads.

## org_settings and team_settings

Expand Down
Loading

0 comments on commit 378b404

Please sign in to comment.