Backend support policies for "No team" #21467

Closed
lucasmrod opened this issue Aug 21, 2024 · 4 comments
Labels
~backend Backend-related issue. #g-endpoint-ops Endpoint ops product group P2 Prioritize as urgent :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~sub-task A technical sub-task that is part of a story. (Not QA'd. Not estimated.)

@lucasmrod
Member

lucasmrod commented Aug 21, 2024

Epic: #19551

Currently we support "Global policies" and "Team policies". "Global policies" run on "All hosts" and "Team policies" run on hosts that belong to the corresponding teams. We currently don't support creating policies that run only on hosts that are in "No team".

This is needed to implement automatic triggering of software installation #19551 for hosts in "No team".

This issue is to track the backend changes.

We'll also need to define GitOps for policies for "No team".

QA notes

Apart from testing "No team" policies (and associating packages uploaded to "No team") on the UI we need to QA the GitOps part of this story.

Here are the GitOps "no-team.yml" designs: https://www.figma.com/design/4pfUOYy7IyMIrjMH2fuCdU/%2319551-Policy-automations%3A-install-software?node-id=0-1&node-type=canvas&t=ufWiCYl3niY2PvZx-0.

GitOps now supports a `teams/no-team.yml` file with `name: No team`. Such a file with `name: No team` must have the `no-team.yml` name (it errors out if it doesn't have that filename).
In the `no-team.yml` you can currently only specify `name:`, `policies:` and `software:`. Here's a sample:

`teams/no-team.yml`:

```yaml
name: No team
policies:
  - path: ../lib/macos-device-health.policies.yml
  - path: ../lib/firefox-msi-installed-and-up-to-date.yml
controls:
software:
  packages:
    - path: ../lib/software/firefox.msi.software.yml
```

`lib/firefox-msi-installed-and-up-to-date.yml`:

```yaml
- name: Firefox on Windows installed and up to date
  platform: windows
  description: "Foobar"
  resolution: ""
  query: "SELECT 1 FROM programs WHERE name = 'Mozilla Firefox (x64 en-US)' AND version_compare(version, '129.0.2') >= 0; "
  install_software:
    package_path: "../lib/software/firefox.msi.software.yml"
```

`lib/software/firefox.msi.software.yml`:

```yaml
url: https://ftp.mozilla.org/pub/firefox/releases/129.0.2/win64/en-US/Firefox%20Setup%20129.0.2.msi
self_service: true
```

Also, a breaking change is that you cannot specify software in the main `default.yml`; you can set it as an "empty" `software:` key, but it cannot be defined with contents. This is because the software for "No team" goes in `teams/no-team.yml`.
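
A pre-merge lint for the GitOps rules in the QA notes above, as an added example (not Fleet's own code). `LintGitOpsFile` is a hypothetical helper that takes an already-parsed YAML document, and it assumes an empty key such as `controls:` is tolerated because the sample file includes one.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
)

// isEmpty reports whether a parsed YAML value has no content.
func isEmpty(v any) bool {
	switch t := v.(type) {
	case map[string]any:
		return len(t) == 0
	case []any:
		return len(t) == 0
	}
	return v == nil
}

// LintGitOpsFile (hypothetical) returns the rule violations for one parsed file.
func LintGitOpsFile(path string, doc map[string]any) []string {
	var errs []string
	base := filepath.Base(path)
	name, _ := doc["name"].(string)
	if base == "default.yml" && !isEmpty(doc["software"]) {
		errs = append(errs, "default.yml: software must be empty; define it in teams/no-team.yml")
	}
	if name != "No team" {
		return errs
	}
	if base != "no-team.yml" {
		errs = append(errs, base+`: name "No team" requires the filename no-team.yml`)
	}
	for k, v := range doc {
		// Assumption: an empty key such as `controls:` is tolerated, as in the sample.
		if k != "name" && k != "policies" && k != "software" && !isEmpty(v) {
			errs = append(errs, fmt.Sprintf("%s: key %q cannot be set for \"No team\"", base, k))
		}
	}
	sort.Strings(errs) // map iteration order is random; keep reports stable
	return errs
}

func main() {
	// Constructed input: a default.yml that still defines software packages.
	doc := map[string]any{"software": map[string]any{"packages": []any{"x"}}}
	fmt.Println(LintGitOpsFile("default.yml", doc))
}
```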

lucasmrod added #g-endpoint-ops Endpoint ops product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. labels Aug 21, 2024
lucasmrod changed the title Support policies for "No team" Backend support policies for "No team" Aug 21, 2024
lucasmrod added the ~backend Backend-related issue. label Aug 21, 2024
lucasmrod added this to the 4.57.0-tentative milestone Aug 21, 2024
lucasmrod added the P2 Prioritize as urgent label Aug 21, 2024
sharon-fdm added the ~sub-task A technical sub-task that is part of a story. (Not QA'd. Not estimated.) label Aug 21, 2024
@sharon-fdm
Collaborator

Hey team! Please add your planning poker estimate with Zenhub @getvictor @iansltx @lucasmrod @mostlikelee

lucasmrod added a commit that referenced this issue Sep 12, 2024
#21467

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
- [X] Added/updated tests
- [X] If database migrations are included, checked table schema to confirm autoupdate
- For database migrations:
  - [X] Checked schema for all modified table for columns that will auto-update timestamps during migration.
  - [X] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
  - [X] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).
- [X] Manual QA for all new/changed functionality
lucasmrod added a commit that referenced this issue Sep 12, 2024
@lucasmrod
Member Author

@xpkoala Will write QA notes tomorrow.

@lucasmrod
Member Author

@xpkoala Added QA notes for the new no-team.yml.

@fleet-release
Contributor

"No team" now shines,
Tools for all, like rain on leaves,
GitOps aligns.
