## Section: Kubernetes # All settings related to how Fleet is deployed in Kubernetes hostName: fleet.localhost replicas: 3 # The number of Fleet instances to deploy imageTag: 3.6.0 # Version of Fleet to deploy createIngress: true # Whether or not to automatically create an Ingress ingressAnnotations: {} # Additional annotation to add to the Ingress podAnnotations: {} # Additional annotations to add to the Fleet pod serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account resources: limits: cpu: 1 # 1GHz memory: 1Gi requests: cpu: 0.1 # 100Mhz memory: 50Mi ## Section: Fleet # All of the settings relating to configuring the Fleet server fleet: listenPort: 8080 # Name of the Secret resource storing TLS, and S3 bucket secrets secretName: fleet # Whether or not to run `fleet db prepare` to run SQL migrations before starting Fleet # WARNING: This may cause database corruption if more than one migration is attempted at a time autoApplySQLMigrations: false tls: enabled: true compatibility: modern certSecretKey: server.cert keySecretKey: server.key auth: bcryptCost: 12 saltKeySize: 24 app: tokenKeySize: 24 inviteTokenValidityPeriod: 120h # 5 days session: keySize: 64 duration: 2160h # 90 days logging: debug: false json: false disableBanner: false carving: s3: bucketName: "" prefix: "" accessKeyID: "" secretKey: s3-bucket stsAssumeRoleARN: "" ## Section: osquery # All of the settings related to osquery's interactions with the Fleet server osquery: # Name of the secret resource containing optional secrets for AWS credentials secretName: osquery nodeKeySize: 24 labelUpdateInterval: 30m detailUpdateInterval: 30m # To change where Fleet store the logs sent from osquery, set the values below logging: statusPlugin: filesystem resultPlugin: filesystem # To congigure the filesystem logger, change the values below filesystem: statusLogFile: /tmp/osquery_status resultLogFile: /tmp/osquery_result enableRotation: "false" enableCompression: "false" # To configure the AWS Firehose logger, change the values below firehose: region: "" accessKeyID: "" secretKey: firehose stsAssumeRoleARN: "" statusStream: "" resultStream: "" # To configure the AWS Kinesis logger, change the values below kinesis: region: "" accessKeyID: "" secretKey: kinesis stsAssumeRoleARN: "" statusStream: "" resultStream: "" # To configure the GCP PubSub logger, change the values below pubsub: project: "" statusTopic: "" resultTopic: "" ## Section: MySQL # All of the connection settings for MySQL mysql: # Name of the Secret resource containing MySQL password and TLS secrets secretName: mysql address: 127.0.0.1:3306 database: fleet username: fleet passwordKey: mysql-password maxOpenConns: 50 maxIdleConns: 50 connMaxLifetime: 0 tls: enabled: true caCertKey: ca.cert certKey: client.cert keyKey: client.key config: "" serverName: "" ## Section: Redis # All of the connection settings for Redis redis: address: 127.0.0.1:6379 database: "0" usePassword: false secretName: redis passwordKey: redis-password ## Section: GKE # Settings that make running on Google Kubernetes Engine easier gke: # The CloudSQL Proxy runs as a container in the Fleet Pod that proxies connections to a Cloud SQL instance cloudSQL: enableProxy: false imageTag: 1.17-alpine verbose: true instanceName: "" # The GKE Ingress requires a few changes that other ingress controllers don't ingress: useGKEIngress: false useManagedCertificate: false # Workload Identity allows the K8s service account to assume the IAM permissions of a GCP service account workloadIdentityEmail: ""