New best practice teams

.github/workflows/workflow.yml

@@ -39,6 +39,3 @@ jobs:
         env:
           FLEET_URL: ${{ secrets.FLEET_URL }}
           FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
-          FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
-          FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
-          FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}

README.md

@@ -2,39 +2,25 @@
 
 This is the starter repository for using [Fleet](https://fleetdm.com) with a GitOps workflow.
 
-[Why use GitOps?](https://fleetdm.com/guides/sysadmin-diaries-gitops-a-strategic-advantage#basic-article)
+[Why use GitOps?](https://fleetdm.com/guides/sysadmin-diaries-gitops-a-strategic-advantage)
 
 ## GitHub setup
 
-1. Clone the [GitHub repository](https://github.com/fleetdm/fleet-gitops), create your own GitHub repository, and push your clone to your new repo. Note that a workflow will run once and fail because the required variables haven't been added (step 2 and 3).
+1. Clone the [GitHub repository](https://github.com/fleetdm/fleet-gitops), create your own GitHub repository, and push your clone to your new repo. Note that a workflow will run once and fail because the required variables haven't been added (step 2).
 
 2. Add `FLEET_URL` and `FLEET_API_TOKEN` secrets to your new repository's secrets. Learn how [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). [Create an API-only user](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) with the "GitOps" role and set `FLEET_API_TOKEN` to your user's API token. If you're using Fleet Free, set the API-only user's role to global admin.
 
-3. Add `FLEET_GLOBAL_ENROLL_SECRET` secret to your new repository's secrets. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters.
-   - If you have a Premium Fleet license, also add `FLEET_WORKSTATIONS_ENROLL_SECRET` and `FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET`.
-   - If you do not have a Premium Fleet license, delete the `teams` directory.
-
-4. If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment lines 22 and 23 in `gitops.sh`.
-   - If you are using different variable names for your secrets, edit the appropriate line to reflect the correct variable name. 
-
-5. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit to the default branch, the action will run and update Fleet. For pull requests, the workflow will do a dry run only.
+3. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit to the default branch, the action will run and update Fleet. For pull requests, the workflow will do a dry run only.
 
 ## GitLab setup
 
-1. Clone the [GitLab repository](https://gitlab.com/fleetdm/fleet-gitops), create your own GitLab repository, and push your clone to your new repo. Note that a pipeline will run once and fail because the required variables haven't been added (step 2 and 3).
+1. Clone the [GitLab repository](https://gitlab.com/fleetdm/fleet-gitops), create your own GitLab repository, and push your clone to your new repo. Note that a pipeline will run once and fail because the required variables haven't been added (step 2).
 
 2. Add `FLEET_URL` and `FLEET_API_TOKEN` as masked CI/CD variables. Learn how [here](https://docs.gitlab.com/ee/ci/variables/#define-a-cicd-variable-in-the-ui). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). Set `FLEET_API_TOKEN` to an API token for an API-only user in Fleet. Learn how [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user), then, grant it the `GitOps` role via the **Settings** > **Users** page so it can make changes.
 
-3. Add `FLEET_GLOBAL_ENROLL_SECRET` secret as a masked CI/CD variable. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters.
-   - If you have a Premium Fleet license, also add `FLEET_WORKSTATIONS_ENROLL_SECRET` and `FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET`.
-   - If you do not have a Premium Fleet license, delete the `teams` directory.
-
-4. If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment lines 22 and 23 in `gitops.sh`.
-   - If you are using different variable names for your secrets, edit the appropriate line to reflect the correct variable name. 
+3. Now, when anyone pushes a new commit to the default branch, the pipeline will run and update Fleet. For merge requests, the pipeline will do a dry run only.
 
-5. Now, when anyone pushes a new commit to the default branch, the pipeline will run and update Fleet. For merge requests, the pipeline will do a dry run only.
-
-6. (Optional) To ensure your Fleet configuration stays up to date even when there are no new commits, set up a scheduled pipeline:
+4. To ensure your Fleet configuration stays up to date even when there are no new commits, set up a scheduled pipeline:
    - In your GitLab project, go to the left sidebar and navigate to **Build > Pipeline schedules**. (In some GitLab versions, this may appear as **CI/CD > Schedules**.)
    - Click **Create a new pipeline schedule** (or **Schedule a new pipeline**).
    - Fill in the form:
@@ -48,11 +34,10 @@ This is the starter repository for using [Fleet](https://fleetdm.com) with a Git
 
 For all configuration options, go to the [YAML files reference](https://fleetdm.com/docs/using-fleet/gitops) in the Fleet docs.
 
-## Fleet UI
+## GitOps mode
 
 Once you're set up with GitOps in Fleet, you can optionally put the UI in GitOps mode. This prevents you from making changes in the UI that would be overridden by GitOps workflows. 
 
 An admin can enable GitOps mode in **Settings** > **Integrations** > **Change management**.
 
 Note that this is a UI-only setting. API permissions are restricted based on user role.
-

default.yml

@@ -1,22 +1,13 @@
-# For Fleet Free:
-# - This file updates policies, queries, agent_options, and controls for all hosts.
-
-# For Fleet Premium:
-# - This file updates policies and queries that run on all hosts ("All teams").
-# - Remove "controls" and add this to your YAML files in teams/ instead.
+# default.yml controls global settings and policies/queries that run on all hosts ("All teams").
 
 policies:
 queries:
 agent_options:
-  path: ./lib/agent-options.yml
-controls: # This cannot be set here and in no-team.yml
+controls:
 org_settings:
   server_settings:
     server_url: $FLEET_URL
   org_info:
     org_name: Fleet
   secrets:
-    - secret: "$FLEET_GLOBAL_ENROLL_SECRET"
-  features:
-    enable_host_users: true
-    enable_software_inventory: true
+    - secret: "REPLACE_WITH_ENVIRONMENT_VARIABLE"

gitops.sh

@@ -21,13 +21,14 @@ else
 	FLEET_DELETE_OTHER_TEAMS=false
 fi
 
-# Copy/pasting raw SSO metadata into GitHub secrets will result in malformed yaml. 
-# Adds spaces to all but the first line of metadata keeps the  multiline string in bounds.
-# See README for more information 
+# If you are using secrets to manage SSO metadata for Fleet SSO login or MDM SSO login, uncomment the below:
 
 # FLEET_SSO_METADATA=$( sed '2,$s/^/      /' <<<  "${FLEET_MDM_SSO_METADATA}")
 # FLEET_MDM_SSO_METADATA=$( sed '2,$s/^/        /' <<<  "${FLEET_MDM_SSO_METADATA}")
 
+# Copy/pasting raw SSO metadata into GitHub secrets will result in malformed yaml. 
+# Adds spaces to all but the first line of metadata keeps the  multiline string in bounds.
+
 if compgen -G "$FLEET_GITOPS_DIR"/teams/*.yml > /dev/null; then
   # Validate that every team has a unique name.
   # This is a limited check that assumes all team files contain the phrase: `name: <team_name>`

lib/all/agent-options/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/all/icons/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/all/labels/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/all/queries/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/ios/configuration-profiles/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/ios/declaration-profiles/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/ipados/configuration-profiles/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/ipados/declaration-profiles/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/linux/policies/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/linux/queries/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/linux/scripts/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/linux/software/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/macos/commands/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/macos/configuration-profiles/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/macos/declaration-profiles/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/macos/enrollment-profiles/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/macos/misc/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/macos/policies/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/macos/queries/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.

lib/macos/scripts/.keep

@@ -0,0 +1 @@
+Ignore this file. It only exists because git refuses to push empty directories to a remote server.