Refactoring workflow (#29)

* Updating workflow.sh * Updating workflow.yml * Rename workflow.yml to action.yml * Refactoring action so it can be used by another workflow. * Update README
fleetdm · Feb 15, 2024 · 4dee1dc · 4dee1dc
1 parent 2a616cd
commit 4dee1dc
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 49 deletions.
diff --git a/.github/gitops-action/action.yml b/.github/gitops-action/action.yml
@@ -0,0 +1,25 @@
+name: fleetctl-gitops
+description: Runs fleetctl gitops to apply configuration to Fleet
+
+inputs:
+  working-directory:
+    description: 'The working directory, which should be the root of the fleet-gitops repository.'
+    default: './'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install fleetctl
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: npm install -g fleetctl
+
+    - name: Configure fleetctl
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: fleetctl config set --address ${{ env.FLEET_URL }} --token ${{ env.FLEET_API_TOKEN }}
+
+    - name: Run fleetctl gitops commands
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: ./gitops.sh
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
@@ -10,26 +10,25 @@ defaults:
   run:
     shell: bash
 
-# Add FLEET_URL and FLEET_API_TOKEN to the repository secrets.
-# In addition, specify or add secrets for all the environment variables that are mentioned in the global/team YAML files.
-env:
-  FLEET_SSO_METADATA: ${{ secrets.FLEET_SSO_METADATA }}
-  FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
-  FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
-  FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
+# Limit permissions of GITHUB_TOKEN.
+permissions:
+  contents: read
 
 jobs:
-  build-docker:
+  fleet-gitops:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout GitOps repository
         uses: actions/checkout@v4
 
-      - name: Install fleetctl
-        run: npm install -g fleetctl
-
-      - name: Configure fleetctl
-        run: fleetctl config set --address ${{ secrets.FLEET_URL }} --token ${{ secrets.FLEET_API_TOKEN }}
-
-      - name: Run fleetctl gitops commands
-        run: ./workflow.sh
+      - name: Apply latest configuration to Fleet
+        uses: ./.github/gitops-action
+        # Add FLEET_URL and FLEET_API_TOKEN to the repository secrets.
+        # In addition, specify or add secrets for all the environment variables that are mentioned in the global/team YAML files.
+        env:
+          FLEET_URL: ${{ secrets.FLEET_URL }}
+          FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
+          FLEET_SSO_METADATA: ${{ secrets.FLEET_SSO_METADATA }}
+          FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
+          FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
+          FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
diff --git a/README.md b/README.md
@@ -27,5 +27,6 @@ How to set up a GitOps workflow to manage Fleet:
 - `lib/` - folder for policies, queries, configuration profiles, scripts, and agent options. These files can be referenced in top level keys in the `default.yml` file and the files in the `teams/` folder.
 - `default.yml` - file that defines the queries, policies, controls, and agent options for all hosts. If you're using Fleet Premium, this file updates queries and policies that run on all hosts ("All teams"). Controls and agent options are defined for hosts on "No team."
 - `teams/` - folder for teams in Fleet. These `*.yml` files define the controls, queries, policies, and agent options for hosts assigned to the specified team.
-- `.github/workflows/workflow.yml` - the GitHub Actions workflow file that applies the latest configuration to Fleet.
-- `workflow.sh` - the bash script that applies the latest configuration to Fleet by executing `fleetctl gitops`. This script is used in the GitHub Actions workflow file. It can be run standalone during development.
+- `.github/workflows/workflow.yml` - the GitHub workflow file that applies the latest configuration to Fleet.
+- `.github/gitops-action/action.yml` - the GitHub action that runs `gitops.sh`. This action is used in the GitHub workflow file. It can also be used in other workflows.
+- `gitops.sh` - the bash script that applies the latest configuration to Fleet by executing `fleetctl gitops`. This script is used in the GitHub action file. It can be run standalone during development.
diff --git a/gitops.sh b/gitops.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# -e: Immediately exit if any command has a non-zero exit status.
+# -x: Print all executed commands to the terminal.
+# -u: Exit if an undefined variable is used.
+# -o pipefail: Exit if any command in a pipeline fails.
+set -exuo pipefail
+
+FLEET_GITOPS_DIR="${FLEET_GITOPS_DIR:-./}"
+FLEET_GLOBAL_FILE="${FLEET_GLOBAL_FILE:-$FLEET_GITOPS_DIR/default.yml}"
+FLEETCTL="${FLEETCTL:-fleetctl}"
+
+# Validate that global file contains org_settings
+grep -Exq "^org_settings:.*" "$FLEET_GLOBAL_FILE"
+
+if compgen -G "$FLEET_GITOPS_DIR"/teams/*.yml > /dev/null; then
+  # Validate that every team has a unique name.
+  # This is a limited check that assumes all team files contain the phrase: `name: <team_name>`
+  ! perl -nle 'print $1 if /^name:\s*(.+)$/' "$FLEET_GITOPS_DIR"/teams/*.yml | sort | uniq -d | grep . -cq
+fi
+
+# Dry run
+$FLEETCTL gitops -f "$FLEET_GLOBAL_FILE" --dry-run
+for team_file in "$FLEET_GITOPS_DIR"/teams/*.yml; do
+  if [ -f "$team_file" ]; then
+    $FLEETCTL gitops -f "$team_file" --dry-run
+  fi
+done
+
+# Real run
+$FLEETCTL gitops -f "$FLEET_GLOBAL_FILE"
+for team_file in "$FLEET_GITOPS_DIR"/teams/*.yml; do
+  if [ -f "$team_file" ]; then
+    $FLEETCTL gitops -f "$team_file"
+  fi
+done
diff --git a/workflow.sh b/workflow.sh