GitOps: Support environment variables in configuration profiles #17309

Closed
3 of 8 tasks
getvictor opened this issue Mar 1, 2024 · 15 comments
Assignees
Labels
~backend Backend-related issue. ~csa Issue was created by or deemed important by the Customer Solutions Architect. customer-pingali customer-rosner #g-endpoint-ops Endpoint ops product group :product Product Design department (shows up on 🦢 Drafting board) prospect-cohen story A user story defining an entire feature
Milestone

Comments

@getvictor
Member

getvictor commented Mar 1, 2024

Goal

User story
As an endpoint operator using Fleet's best practice GitOps,
I want to use an environment variable in my repo and use it to populate a configuration profile
so that I can hide the secrets I use in configuration profiles.

Context

The following workaround is currently used in Fleet's internal dogfood instance: https://github.com/fleetdm/fleet/blob/main/.github/workflows/dogfood-gitops.yml#L40-L45

Changes

Product

Engineering

  • Database schema migrations: TODO
  • Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.
@getvictor getvictor added story A user story defining an entire feature ~backend Backend-related issue. labels Mar 1, 2024
@noahtalerman noahtalerman added ~feature fest Will be reviewed at next Feature Fest customer-rosner labels Mar 1, 2024
@noahtalerman
Member

Hey @getvictor, heads up, we didn't have the space to take this one on in the current design sprint (4.48).

Leaving the feature fest label on it so we can weigh it at the next feature fest.

@noahtalerman noahtalerman added :product Product Design department (shows up on 🦢 Drafting board) and removed ~feature fest Will be reviewed at next Feature Fest labels Mar 29, 2024
@noahtalerman noahtalerman self-assigned this Mar 29, 2024
@noahtalerman
Member

Hey @getvictor, heads up, we brought this into the upcoming design sprint (4.49).

@noahtalerman noahtalerman changed the title fleetctl apply/gitops to support environment variables for MDM profiles GitOps: Support variables in configuration profiles Apr 1, 2024
@noahtalerman noahtalerman added the #g-endpoint-ops Endpoint ops product group label Apr 1, 2024
@dherder
Contributor

dherder commented Apr 1, 2024

examples of variables we would want to support:
$SERIAL_NUMBER
$UDID
$USERNAME or $EMAIL_PREFIX (everything before the @ symbol)

It would be great if, at any time, a device variable that is used on a profile is updated, that profile will be re-installed on the device with the updated variable.

These are some of the variables that were supported by Profile Manager back in the day: https://support.apple.com/en-ca/guide/profile-manager/mdm53kqu8903/mac

@sharon-fdm sharon-fdm removed their assignment Apr 3, 2024
@nonpunctual nonpunctual added the ~csa Issue was created by or deemed important by the Customer Solutions Architect. label Apr 9, 2024
@nonpunctual
Contributor

related to #16958

@getvictor
Member Author

@noahtalerman

I assume you meant environment variables and not configuration variables. fleetctl gitops does not have direct access to GitHub configuration variables (or secrets) and they must be converted to environment variables.

The syntax mentioned in #16958 would conflict with this feature because that is the standard syntax for an environment variable: $SOMETHING. Perhaps use %SOMETHING% or something else unique?

@getvictor
Member Author

getvictor commented Apr 22, 2024

There is also a corner case bug with the current env variables support, which is due to golang/go#43482: #18467

@nonpunctual
Contributor

@getvictor I don't think this has anything to do with environment variables. I think the idea is that when we deliver configuration profiles to devices, Fleet has the ability to populate variable strings in the configuration profile from values in the database before or at the time it's written to the device kind of like the way a here doc works in bash shell. Similar to this:
https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Computer_Configuration_Profiles.html#ariaid-title2

@noahtalerman
Member

noahtalerman commented Apr 22, 2024

@getvictor, I think I meant environment variables.

This story addresses the problem in which we want to pass the Chrome enrollment token from an environment variable to a profile w/o having to modify the bash script that the GitHub action runs.

Sorry for the confusion.

The syntax mentioned in #16958 would conflict with this feature because that is the standard syntax for an environment variable: $SOMETHING. Perhaps use %SOMETHING% or something else unique?

Thanks for pointing this out! Good to keep in mind when we address that problem.

I think the idea is that when we deliver configuration profiles to devices, Fleet has the ability to populate variable strings in the configuration profile from values in the database before or at the time it's written to the device kind of like the way a here doc works in bash shell.

@nonpunctual this is a separate problem tracked in a user story here: #16958

@nonpunctual
Contributor

Sorry for the confusion.

@sharon-fdm sharon-fdm added :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. and removed :product Product Design department (shows up on 🦢 Drafting board) labels Apr 22, 2024
@getvictor
Member Author

@noahtalerman If the env var doesn't exist, should we throw an error? Currently, it just becomes blank. This is related to #18467

I suggest we throw an error for this story and for the current env var substitution we do in GitOps. This will prevent customers from setting blank options, and will warn them if they are using $SOMETHING syntax without realizing that it will be substituted as an env var.

@noahtalerman noahtalerman changed the title GitOps: Support variables in configuration profiles GitOps: Support variables in environment variable profiles Apr 23, 2024
@noahtalerman
Member

If the env var doesn't exist, should we throw an error? Currently, it just becomes blank.

@getvictor, displaying an easy to understand error message makes sense to me. Nice catch.

When you land on an error message, can you please add that to the "Changes" section in this story's description?

This way, other folks can give feedback and we know to test the error message during QA.
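The fail-closed substitution that getvictor and noahtalerman agree on above, as an added example that is not Fleet's code (fleetctl's actual implementation may differ): it expands `$NAME` and `${NAME}` references in a profile body, leaves any other `$` untouched, and returns an error naming every unset variable instead of silently writing an empty string into the profile. The profile text, the variable names and the `MapLookup` helper are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// envRef matches $NAME or ${NAME}. A '$' followed by anything else
// (e.g. "$(whoami)" or a lone "$") is not a reference and is left as-is.
var envRef = regexp.MustCompile(`\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))`)

// ExpandStrict replaces every $NAME / ${NAME} reference in profile using lookup.
// Unlike os.ExpandEnv, which silently substitutes "" for unset variables,
// it returns an error naming every unset variable so a profile is never
// pushed with a blank secret.
func ExpandStrict(profile string, lookup func(string) (string, bool)) (string, error) {
	var missing []string
	out := envRef.ReplaceAllStringFunc(profile, func(ref string) string {
		sub := envRef.FindStringSubmatch(ref)
		name := sub[1] // ${NAME} form
		if name == "" {
			name = sub[2] // $NAME form
		}
		val, ok := lookup(name)
		if !ok {
			missing = append(missing, name)
			return ref // keep the reference so the error is easy to locate
		}
		return val
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("profile references undefined environment variable(s): %s",
			strings.Join(uniqueSorted(missing), ", "))
	}
	return out, nil
}

// uniqueSorted returns the distinct names in sorted order, so the error
// message lists each unset variable exactly once.
func uniqueSorted(names []string) []string {
	sort.Strings(names)
	uniq := make([]string, 0, len(names))
	for _, n := range names {
		if len(uniq) == 0 || n != uniq[len(uniq)-1] {
			uniq = append(uniq, n)
		}
	}
	return uniq
}

// MapLookup adapts a plain map to the lookup signature (handy for tests);
// a real run passes os.LookupEnv instead. Hypothetical helper, not Fleet's API.
func MapLookup(env map[string]string) func(string) (string, bool) {
	return func(name string) (string, bool) {
		v, ok := env[name]
		return v, ok
	}
}

// sampleProfile is a constructed stand-in for a configuration profile body.
const sampleProfile = `<dict>
  <key>CloudManagementEnrollmentToken</key>
  <string>${CHROME_ENROLLMENT_TOKEN}</string>
  <key>Note</key>
  <string>literal $ and $(shell) are not references</string>
</dict>`

func main() {
	out, err := ExpandStrict(sampleProfile, os.LookupEnv)
	if err != nil {
		// Fail closed: surface the problem instead of pushing a blank token.
		fmt.Fprintln(os.Stderr, "gitops:", err)
		os.Exit(1)
	}
	fmt.Println(out)
}
```

Run it with `CHROME_ENROLLMENT_TOKEN` unset and the program exits non-zero with the variable named; with it set, the expanded profile is printed. Because the matcher only recognises identifier-shaped references, a `$` that is part of the profile's own content is preserved rather than being consumed or blanked.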

@noahtalerman noahtalerman changed the title GitOps: Support variables in environment variable profiles GitOps: Support environment variables in configuration profiles Apr 23, 2024
@sharon-fdm sharon-fdm added this to the 4.50.0-tentative milestone Apr 23, 2024
@lukeheath lukeheath modified the milestones: 4.50.0, 4.51.0-tentative May 13, 2024
lucasmrod added a commit that referenced this issue May 28, 2024
#17309

I added some missing env var replacement tests for policies, queries,
etc.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
@lukeheath lukeheath added :product Product Design department (shows up on 🦢 Drafting board) and removed :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. labels Jun 10, 2024
@marko-lisica
Member

TODO: docs PR #17890

@marko-lisica
Member

Hey @dherder & @zayhanlon, this customer request is shipped.

@noahtalerman
Member

Merging docs is still TODO: #19740

After the docs are merged we can close this user story.

@fleet-release
Contributor

Config profiles deep,
Seeds hidden in GitOps cloud,
Fleet's secret to keep.

marko-lisica added a commit that referenced this issue Nov 22, 2024
…ing this) (#24078)

I believe we don't need this step anymore, since `fleetctl gitops` will
replace it with real value and send to the server. This should be done
in #17309.