fleet/tools/ci/helm-values/logger-firehose-sts.yaml

## Section: Kubernetes
# All settings related to how Fleet is deployed in Kubernetes
hostName: fleet.localhost
replicas: 3 # The number of Fleet instances to deploy
imageTag: 3.6.0 # Version of Fleet to deploy
createIngress: true # Whether or not to automatically create an Ingress
ingressAnnotations: {} # Additional annotation to add to the Ingress
podAnnotations: {} # Additional annotations to add to the Fleet pod
serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
resources:
  limits:
    cpu: 1 # 1GHz
    memory: 1Gi
  requests:
    cpu: 0.1 # 100Mhz
    memory: 50Mi

## Section: Fleet
# All of the settings relating to configuring the Fleet server
fleet:
  listenPort: 8080
  # Name of the Secret resource storing TLS, JWT, and S3 bucket secrets
  secretName: fleet
  # Whether or not to run `fleet db prepare` to run SQL migrations before starting Fleet
  # WARNING: This may cause database corruption if more than one migration is attempted at a time
  autoApplySQLMigrations: false
  tls:
    enabled: true
    compatibility: modern
    certSecretKey: server.cert
    keySecretKey: server.key
  auth:
    jwtSecretKey: jwt-secret
    bcryptCost: 12
    saltKeySize: 24
  app:
    tokenKeySize: 24
    inviteTokenValidityPeriod: 120h # 5 days
  session:
    keySize: 64
    duration: 2160h # 90 days
  logging:
    debug: false
    json: false
    disableBanner: false
  carving:
    s3:
      bucketName: ""
      prefix: ""
      accessKeyID: ""
      secretKey: s3-bucket
      stsAssumeRoleARN: ""

## Section: osquery
# All of the settings related to osquery's interactions with the Fleet server 
osquery:
  # Name of the secret resource containing optional secrets for AWS credentials
  secretName: osquery
  nodeKeySize: 24
  labelUpdateInterval: 30m
  detailUpdateInterval: 30m

  # To change where Fleet store the logs sent from osquery, set the values below
  logging:
    statusPlugin: firehose
    resultPlugin: firehose

    # To congigure the filesystem logger, change the values below
    filesystem:
      statusLogFile: /tmp/osquery_status
      resultLogFile: /tmp/osquery_result
      enableRotation: "false"
      enableCompression: "false"

    # To configure the AWS Firehose logger, change the values below
    firehose:
      region: "us-west1"
      accessKeyID: ""
      secretKey: firehose
      stsAssumeRoleARN: "some:arn:abc"
      statusStream: "osquery-status"
      resultStream: "osquery-result"

    # To configure the AWS Kinesis logger, change the values below
    kinesis:
      region: ""
      accessKeyID: ""
      secretKey: kinesis
      stsAssumeRoleARN: ""
      statusStream: ""
      resultStream: ""

    # To configure the GCP PubSub logger, change the values below
    pubsub:
      project: ""
      statusTopic: ""
      resultTopic: ""

## Section: MySQL
# All of the connection settings for MySQL
mysql:
  # Name of the Secret resource containing MySQL password and TLS secrets
  secretName: mysql
  address: 127.0.0.1:3306
  database: kolide
  username: kolide
  passwordKey: mysql-password
  maxOpenConns: 50
  maxIdleConns: 50
  connMaxLifetime: 0
  tls:
    enabled: false
    caCertKey: ca.cert
    certKey: client.cert
    keyKey: client.key
    config: ""
    serverName: ""

## Section: Redis
# All of the connection settings for Redis
redis:
  address: 127.0.0.1:6379
  database: "0"
  usePassword: false
  secretName: redis
  passwordKey: redis-password

## Section: GKE
# Settings that make running on Google Kubernetes Engine easier
gke:
  # The CloudSQL Proxy runs as a container in the Fleet Pod that proxies connections to a Cloud SQL instance
  cloudSQL:
    enableProxy: false
    imageTag: 1.17-alpine
    verbose: true
    instanceName: ""
  # The GKE Ingress requires a few changes that other ingress controllers don't
  ingress:
    useGKEIngress: false
    useManagedCertificate: false
  # Workload Identity allows the K8s service account to assume the IAM permissions of a GCP service account
  workloadIdentityEmail: ""
Add Helm chart (#250) Providing a Helm chart makes it easier for users to deploy to Kubernetes. I think this is good to go, and I've tested deploying to Kind and GKE using the GKE ingress, sql proxy, and managed certificate, but I haven't tested anything AWS related. 2021-02-01 23:46:01 +00:00			`## Section: Kubernetes`
			`# All settings related to how Fleet is deployed in Kubernetes`
			`hostName: fleet.localhost`
			`replicas: 3 # The number of Fleet instances to deploy`
			`imageTag: 3.6.0 # Version of Fleet to deploy`
			`createIngress: true # Whether or not to automatically create an Ingress`
			`ingressAnnotations: {} # Additional annotation to add to the Ingress`
			`podAnnotations: {} # Additional annotations to add to the Fleet pod`
			`serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account`
			`resources:`
			`limits:`
			`cpu: 1 # 1GHz`
			`memory: 1Gi`
			`requests:`
			`cpu: 0.1 # 100Mhz`
			`memory: 50Mi`

			`## Section: Fleet`
			`# All of the settings relating to configuring the Fleet server`
			`fleet:`
			`listenPort: 8080`
			`# Name of the Secret resource storing TLS, JWT, and S3 bucket secrets`
			`secretName: fleet`
			# Whether or not to run `fleet db prepare` to run SQL migrations before starting Fleet
			`# WARNING: This may cause database corruption if more than one migration is attempted at a time`
			`autoApplySQLMigrations: false`
			`tls:`
			`enabled: true`
			`compatibility: modern`
			`certSecretKey: server.cert`
			`keySecretKey: server.key`
			`auth:`
			`jwtSecretKey: jwt-secret`
			`bcryptCost: 12`
			`saltKeySize: 24`
			`app:`
			`tokenKeySize: 24`
			`inviteTokenValidityPeriod: 120h # 5 days`
			`session:`
			`keySize: 64`
			`duration: 2160h # 90 days`
			`logging:`
			`debug: false`
			`json: false`
			`disableBanner: false`
			`carving:`
			`s3:`
			`bucketName: ""`
			`prefix: ""`
			`accessKeyID: ""`
			`secretKey: s3-bucket`
			`stsAssumeRoleARN: ""`

			`## Section: osquery`
			`# All of the settings related to osquery's interactions with the Fleet server`
			`osquery:`
			`# Name of the secret resource containing optional secrets for AWS credentials`
			`secretName: osquery`
			`nodeKeySize: 24`
			`labelUpdateInterval: 30m`
			`detailUpdateInterval: 30m`

			`# To change where Fleet store the logs sent from osquery, set the values below`
			`logging:`
			`statusPlugin: firehose`
			`resultPlugin: firehose`

			`# To congigure the filesystem logger, change the values below`
			`filesystem:`
			`statusLogFile: /tmp/osquery_status`
			`resultLogFile: /tmp/osquery_result`
			`enableRotation: "false"`
			`enableCompression: "false"`

			`# To configure the AWS Firehose logger, change the values below`
			`firehose:`
			`region: "us-west1"`
			`accessKeyID: ""`
			`secretKey: firehose`
			`stsAssumeRoleARN: "some:arn:abc"`
			`statusStream: "osquery-status"`
			`resultStream: "osquery-result"`

			`# To configure the AWS Kinesis logger, change the values below`
			`kinesis:`
			`region: ""`
			`accessKeyID: ""`
			`secretKey: kinesis`
			`stsAssumeRoleARN: ""`
			`statusStream: ""`
			`resultStream: ""`

			`# To configure the GCP PubSub logger, change the values below`
			`pubsub:`
			`project: ""`
			`statusTopic: ""`
			`resultTopic: ""`

			`## Section: MySQL`
			`# All of the connection settings for MySQL`
			`mysql:`
			`# Name of the Secret resource containing MySQL password and TLS secrets`
			`secretName: mysql`
			`address: 127.0.0.1:3306`
			`database: kolide`
			`username: kolide`
			`passwordKey: mysql-password`
			`maxOpenConns: 50`
			`maxIdleConns: 50`
			`connMaxLifetime: 0`
			`tls:`
			`enabled: false`
			`caCertKey: ca.cert`
			`certKey: client.cert`
			`keyKey: client.key`
			`config: ""`
			`serverName: ""`

			`## Section: Redis`
			`# All of the connection settings for Redis`
			`redis:`
			`address: 127.0.0.1:6379`
			`database: "0"`
			`usePassword: false`
			`secretName: redis`
			`passwordKey: redis-password`

			`## Section: GKE`
			`# Settings that make running on Google Kubernetes Engine easier`
			`gke:`
			`# The CloudSQL Proxy runs as a container in the Fleet Pod that proxies connections to a Cloud SQL instance`
			`cloudSQL:`
			`enableProxy: false`
			`imageTag: 1.17-alpine`
			`verbose: true`
			`instanceName: ""`
			`# The GKE Ingress requires a few changes that other ingress controllers don't`
			`ingress:`
			`useGKEIngress: false`
			`useManagedCertificate: false`
			`# Workload Identity allows the K8s service account to assume the IAM permissions of a GCP service account`
			`workloadIdentityEmail: ""`