Ability to set `--fleet-desktop-alternative-browser-host` in org settings

[noahtalerman]

Goal

User story
As an IT admin,
I want to set an alternative browser host for Fleet Desktop via Fleet's UI, API, or GitOps (YAML)
so that I can ensure Fleet Desktop traffic goes through a custom proxy for an extra layer of security without having to deploy a custom fleetd with the --fleet-desktop-alternative-browser-host flag.

Roadmap item

None

Original requests

• Ability to set --fleet-desktop-alternative-browser-host in org settings #28553

Context

• Product Designer: Mel Pike
• Engineer: _________________________

Changes

Product

• UI changes: Figma
• CLI (fleetctl) usage changes: No changes
• YAML changes: https://github.com/fleetdm/fleet/pull/37351/files
• REST API changes: https://github.com/fleetdm/fleet/pull/37351/files
  • Add alternative_browser_host to fleet_desktop in GET /api/v1/fleet/config
  • Example:

  •  "fleet_desktop": {
       "transparency_url": "https://fleetdm.com/better",
       "alternative_browser_host": "fleet-desktop.example.com"
     }

• Fleet's agent (fleetd) changes: No changes
• GitOps mode UI changes: No changes
• GitOps generation changes: No changes
• Activity changes: No changes
• Permissions changes: No changes
• Changes to paid features or tiers: No changes
• My device and fleetdm.com/better changes: No changes
• Usage statistics: No changes
• Other reference documentation changes: No changes
• First draft of test plan added
• Once shipped, requester has been notified
• Once shipped, dogfooding issue has been filed

Engineering

• Test plan is finalized
• Feature guide changes: https://github.com/fleetdm/fleet/pull/37351/files
• This is a premium only feature: Yes.

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: No.
• Risk level: Low

Test plan

Happy path (existing devices after Orbit and Fleet upgrades)

Settings > Organization Settings > Fleet Desktop:

1. Confirm when /config is called we now get alternative_browser_host in fleet_desktop.
2. Confirm new sub text is updated: "Customize the default transparency URL and browser host to customize Fleet Desktop experience."
3. Confirm new tooltip is added to Custom transparency URL: "By default, end users who click “About Fleet” in the Fleet Desktop menu are taken to https://fleetdm.com/transparency."
4. Confirm new field "Browser host" is there, along with tooltip copy: "If you are using mTLS for your agent-server communication, you can specify an alternative host to direct Fleet Desktop through. Learn more about browser host"
5. Add and save an Alternative browser host. Ensure new value shows up in Alternative browser host field.
6. Open Fleet Desktop to confirm alternate browser host is being used.
7. Change hostname to something else.
8. Open Fleet Desktop to confirm the new alternate browser host url is being used.

The above happy path needs to be tested with the following scenarios:

A. Old version of fleet with new fleetd installed without --fleet-desktop-alternative-browser-host (Fleet Desktop should just use the "Fleet web address").
B. Old version of fleet with new fleetd installed with --fleet-desktop-alternative-browser-host (Fleet Desktop should continue to use the configured URL in the installer).

C. New version of fleet without new config set with new fleetd installed without --fleet-desktop-alternative-browser-host (Fleet Desktop should use for URL the --fleet-url set when generating the package).
D. New version of fleet without new config set with new fleetd installed with --fleet-desktop-alternative-browser-host (Fleet Desktop should use for URL the --fleet-desktop-alternative-browser-host set when generating the package).

E. New version of fleet with new config set with new fleetd installed without --fleet-desktop-alternative-browser-host (Fleet Desktop should just use the new value configured by Fleet).
F. New version of fleet with new config set with new fleetd installed with --fleet-desktop-alternative-browser-host (Fleet Desktop should just use the value configured by Fleet, takes precedence over --fleet-desktop-alternative-browser-host).

The above scenarios need to be tested with setting the configuration existing devices AND installing new devices after the configuration is set.

G. Test Fleet Desktop when Fleet server is unreachable and/or device is offline. Then bring it online.

H. Test installing fleetd while device is offline. Then bring it online.

Testing notes

• Must be tested on Windows, Linux and macOS.
• After changing the URL in the UI, you need to wait for 1 minute or so (so that orbit can get the new URL from Fleet).
• For existing devices during the configuration change, we expect the Fleet Desktop icon to disappear and appear back in shortly with the new URL to connect to Fleet.

Confirmation

1. Engineer: Added comment to user story confirming successful completion of test plan.
2. QA: Added comment to user story confirming successful completion of test plan.