GitOps: Remove teams #16677

Open
5 tasks
getvictor opened this issue Feb 8, 2024 · 6 comments
Assignees
Labels
#g-endpoint-ops Endpoint ops product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. story A user story defining an entire feature

Comments

@getvictor
Member

getvictor commented Feb 8, 2024

Goal

User story
As an endpoint operator using Fleet's best practice GitOps,
I want to remove the teams that aren't defined in my git repo
so that the teams in Fleet reflect the teams in my git repo.

Context

Currently, best practice GitOps doesn't remove teams that are created in the UI.

After these changes are released to prod, we can update https://github.com/fleetdm/fleet-gitops to use the new switches: #18692

Product

  • GitOps changes: When the GitHub action runs, remove any teams that aren't defined in the GitHub repo.
  • Outdated documentation changes: No documentation changes needed.
  • Changes to paid features or tiers: Available in Fleet Free and Fleet Premium

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

  • Requestor(s): _________________________

QA

Risk assessment

  • Risk level: Low

Manual testing steps

Reference YAML configs can be seen at https://github.com/fleetdm/fleet-gitops

Test the new GitOps switches:

  • Added the ability to pass multiple files, like `fleetctl gitops -f file1 -f file2`, where the first file must be the global configuration
  • Added the ability to remove teams that were not specified in team configs using the switch `--delete-other-teams`

For this part of the feature:

  • When passing a global config and team config during initial configuration, the `org_settings.mdm.apple_bm_default_team` value can be set to match the team that will be created by the provided team config.

Test cases (using fleetctl gitops)

  • Set up a new Fleet instance, and set `org_settings.mdm.apple_bm_default_team` and create a new team with a single `fleetctl gitops` command
  • Try to set `apple_bm_default_team` to a non-existent team or team about to be deleted.

Testing notes

Confirmation

  1. Engineer (@getvictor): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.
@getvictor getvictor added #g-endpoint-ops Endpoint ops product group story A user story defining an entire feature ~feature fest Will be reviewed at next Feature Fest labels Feb 8, 2024
@noahtalerman
Member

Heads up @getvictor, this feature request was brought to feature fest on 2024-02-15 and wasn't prioritized for the current design sprint.

I think we'll get to it after we start dogfooding.

@noahtalerman noahtalerman removed the ~feature fest Will be reviewed at next Feature Fest label Feb 19, 2024
@noahtalerman noahtalerman added the ~feature fest Will be reviewed at next Feature Fest label Mar 27, 2024
@noahtalerman noahtalerman added :product Product Design department (shows up on 🦢 Drafting board) and removed ~feature fest Will be reviewed at next Feature Fest labels Mar 29, 2024
@noahtalerman
Member

Hey @getvictor, heads up, we brought this into the upcoming design sprint (4.49).

@noahtalerman noahtalerman changed the title fleetctl gitops should update all teams in a single command GitOps: Update teams Apr 1, 2024
@noahtalerman
Member

One specific setting of interest is apple_bm_default_team -- the team must exist before this setting is applied. The new flow should be able to create the team (if needed) and then apply the setting.

Hey @getvictor, I pulled this change out of the user story.

If I'm understanding correctly, currently we error if the apple_bm_default_team doesn't exist.

When we add "GitOps: Dry run before merge" (#17687) the user will see an error in this case and add the missing team or correct a typo if the team already exists.

I'm not sure we want to take this on because we don't know if the user is missing the team or made a typo.

@noahtalerman noahtalerman changed the title GitOps: Update teams GitOps: Remove teams Apr 1, 2024
@sharon-fdm
Contributor

Estimation assumes Fleetctl does not have team handling.
Since Gitops actions are based on Fleetctl, we will need to add that to fleetctl.

@sharon-fdm sharon-fdm removed their assignment Apr 3, 2024
@getvictor
Member Author

@noahtalerman
Is removing teams just done in the GitHub action or a core functionality of fleetctl gitops command?

If core, we can accomplish this by allowing all relevant files to be passed in at once, like:

```
fleetctl gitops -f default.yml -f teams/team1.yml -f teams/team2.yml --delete-other-teams
```

The above is easier to implement and seems like a cleaner approach.

If part of the action, then the action needs to track what has been done. This can be done by writing to a file during the previous gitops commands, then reading all teams via `fleetctl get teams`, and deleting the difference via `fleetctl delete`.
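
As an added example (not part of the comment above and not Fleet's code), a POSIX shell pre-flight for the single-command approach: it lists which existing teams are absent from the repo, and it assembles the `fleetctl gitops` invocation with the global file first. The `default.yml` plus `teams/*.yml` layout follows the command in the comment; the top-level `name:` key in each team file and the one-name-per-line input are assumptions.

```sh
#!/bin/sh
# Added example (not Fleet's code): pre-flight for --delete-other-teams.
# Assumed layout: <repo>/default.yml plus <repo>/teams/*.yml, each team file
# with a top-level `name:` key. Naive YAML read: no inline-comment handling.

# Team names declared in the repo, one per line.
repo_team_names() {
  for f in "$1"/teams/*.yml; do
    [ -e "$f" ] || continue
    awk '/^name:/ { sub(/^name:[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }' "$f" |
      sed -e "s/^[\"']//" -e "s/[\"']\$//"
  done
}

# stdin: names of teams that exist in Fleet, one per line (how you export
# them is up to you). stdout: teams absent from the repo, i.e. the ones a
# full-replace run would delete.
teams_to_delete() {
  keep=$(mktemp)
  repo_team_names "$1" > "$keep"
  awk -v keepfile="$keep" '
    BEGIN { while ((getline line < keepfile) > 0) keep[line] = 1 }
    NF && !($0 in keep)'
  rm -f "$keep"
}

# Print the invocation: global config first, then every team file.
# Refuses when no team file exists, since every existing team would then
# count as an "other" team.
gitops_command() {
  repo=$1
  [ -f "$repo/default.yml" ] || { echo "missing $repo/default.yml" >&2; return 1; }
  set -- fleetctl gitops -f "$repo/default.yml"
  n=0
  for f in "$repo"/teams/*.yml; do
    [ -e "$f" ] || continue
    set -- "$@" -f "$f"
    n=$((n + 1))
  done
  [ "$n" -gt 0 ] || { echo "no team files; refusing --delete-other-teams" >&2; return 1; }
  echo "$* --delete-other-teams"
}
```

Reviewing the output of `teams_to_delete` in CI before the real run surfaces UI-created teams that a merge would remove.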

@noahtalerman
Member

@getvictor, I think we should make it core.

That way, the teams behavior is consistent w/ queries, policies, and config profiles: full replace.

One benefit to doing it as part of the action is that users could tweak the behavior if they wanted to. However, they can't do this for queries, policies, and config profiles.

So I think let's be consistent and make it core to fleetctl gitops.

@sharon-fdm sharon-fdm added :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. and removed :product Product Design department (shows up on 🦢 Drafting board) labels Apr 22, 2024
@sharon-fdm sharon-fdm added this to the 4.50.0-tentative milestone Apr 23, 2024
getvictor added a commit that referenced this issue May 3, 2024
#16677 

Improvements to `fleetctl gitops` command:
- Added the ability to pass multiple files, like `fleetctl gitops -f
file1 -f file2`, where the first file must be the global configuration
- Added the ability to remove teams that were not specified in team
configs using the switch `--delete-other-teams`
- When passing a global config and team config during initial
configuration, the `org_settings.mdm.apple_bm_default_team` value can be
set to match the team that will be created by the provided team config.

After these changes are released to prod, we can update
https://github.com/fleetdm/fleet-gitops to use the new switches: #18692

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality