From 2ae7844ab2ef3543e463a747e24a56a39b9454a3 Mon Sep 17 00:00:00 2001 From: Andriy Oblivantsev Date: Thu, 19 Feb 2026 19:40:02 +0000 Subject: [PATCH] Expose Fleet via port-forward on port 8585 instead of fleet.localhost - Add make port-forward target (default: https://0.0.0.0:8585) - FLEET_PORT variable for custom port - Update README with port-forward instructions Co-authored-by: Cursor --- Makefile | 18 ++++++++++-------- README.md | 35 ++++++++++++++++------------------- 2 files changed, 26 insertions(+), 27 deletions(-) diff --git a/Makefile b/Makefile index 134145b..29abf0d 100644 --- a/Makefile +++ b/Makefile @@ -4,8 +4,9 @@ RELEASE_NAME ?= fleetdm-stack NAMESPACE ?= fleetdm CLUSTER_TYPE ?= kind +FLEET_PORT ?= 8585 -.PHONY: cluster install uninstall deps verify clean +.PHONY: cluster install uninstall deps verify clean port-forward cluster: @echo "Creating local Kubernetes cluster ($(CLUSTER_TYPE))..." @@ -48,6 +49,11 @@ uninstall: kubectl delete namespace $(NAMESPACE) --timeout=120s || true @echo "Uninstall complete." +port-forward: + @echo "Forwarding Fleet UI to https://0.0.0.0:$(FLEET_PORT) ..." + @echo "Press Ctrl+C to stop." + kubectl port-forward --address 0.0.0.0 svc/fleetdm-stack-service $(FLEET_PORT):8080 -n $(NAMESPACE) + verify: @echo "Verifying FleetDM, MySQL, and Redis..." @echo "" @@ -58,15 +64,11 @@ verify: kubectl get svc -n $(NAMESPACE) @echo "" @echo "=== Ingress ===" - kubectl get ingress -n $(NAMESPACE) + kubectl get ingress -n $(NAMESPACE) 2>/dev/null || echo " (no ingress)" @echo "" @echo "Access Fleet UI:" -ifeq ($(CLUSTER_TYPE),kind) - @echo " Add to /etc/hosts: 127.0.0.1 fleet.localhost" - @echo " Then: curl -H 'Host: fleet.localhost' http://localhost" -else - @echo " minikube tunnel (if needed) then: http://fleet.localhost (add to /etc/hosts)" -endif + @echo " make port-forward # then open https://localhost:$(FLEET_PORT)" + @echo " (or change port: make port-forward FLEET_PORT=9090)" clean: uninstall ifeq ($(CLUSTER_TYPE),kind) 
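Review bot: Binding the forward with `--address 0.0.0.0` in the new `port-forward` recipe exposes Fleet on every interface of the host rather than loopback only, although the `verify` hint and the README both direct the user to https://localhost. The README says the first visit lands on the setup wizard, so until setup is finished anyone on the same network who can reach the port may be able to complete it (inferred from that text, not verified here). Default to loopback and make the wider bind an explicit opt-in: `FLEET_ADDRESS ?= 127.0.0.1` with `kubectl port-forward --address $(FLEET_ADDRESS) svc/$(RELEASE_NAME)-service $(FLEET_PORT):8080 -n $(NAMESPACE)`. That line also swaps the hard-coded `fleetdm-stack-service` for `$(RELEASE_NAME)`, which assumes the chart names the service after the release; as written, overriding `RELEASE_NAME` would point the recipe at a service that does not exist.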
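Review bot: The `2>/dev/null || echo " (no ingress)"` fallback in `verify` reports any kubectl failure (unreachable API server, denied permission on the namespace) as "(no ingress)", because kubectl normally exits 0 when the namespace simply has no Ingress objects and non-zero only on a real error. Discarding stderr also drops the message that would explain the failure, which makes a broken cluster look like a healthy one during verification. Keep stderr and word the fallback neutrally, e.g. `kubectl get ingress -n $(NAMESPACE) || echo "  (could not list ingress)"`. The `verify` recipe starts outside this hunk.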
diff --git a/README.md b/README.md index 1d1bde6..d60edcd 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,9 @@ make install # Verify deployment make verify + +# Access Fleet UI at https://localhost:8585 +make port-forward ``` ## Installation @@ -49,23 +52,16 @@ This will: ### 3. Access Fleet UI -**Kind:** - ```bash -# Add to /etc/hosts (or equivalent) -echo "127.0.0.1 fleet.localhost" | sudo tee -a /etc/hosts +# Port-forward Fleet to https://localhost:8585 +make port-forward -# Access via ingress (ensure ingress-nginx is ready) -curl -H "Host: fleet.localhost" http://localhost -# Or open http://localhost in a browser with Host: fleet.localhost +# Or use a custom port +make port-forward FLEET_PORT=9090 ``` -**Minikube:** - -```bash -minikube tunnel -# Then add fleet.localhost to /etc/hosts pointing to minikube IP -``` +Open **https://localhost:8585** in your browser (accept the self-signed certificate). +Fleet setup wizard will guide you through initial configuration. ## Teardown @@ -87,7 +83,7 @@ Verification checklist: | Component | Check | | ----------- | ----------------------------------------------------------------- | -| **FleetDM** | Pods running; ingress `fleet.localhost` serves Fleet UI | +| **FleetDM** | Pods running; `make port-forward` → https://localhost:8585 | | **MySQL** | `fleetdm-stack-mysql` service; Fleet connects and runs migrations | | **Redis** | `fleetdm-stack-redis-master` service; Fleet uses it for cache | 
@@ -129,17 +125,18 @@ For local development, the chart includes self-signed TLS certificates (generate ## FleetDM agent reachability -The chart exposes Fleet via ingress so: +Fleet is exposed via port-forward (`make port-forward`) or ingress: -- **Fleet UI** is available at `http://fleet.localhost` -- **Agent endpoints** (`/api/v1/osquery/*`, `/api/fleet/orbit/*`, etc.) are reachable under the same host +- **Fleet UI** — `https://localhost:8585` (via port-forward) +- **Agent endpoints** (`/api/v1/osquery/*`, `/api/fleet/orbit/*`) — same URL +- Ingress with `fleet.localhost` is also configured as a fallback -For production, configure TLS and ensure agents can reach the Fleet server hostname. +For production, configure proper TLS and a stable DNS name for agents. ## Enhancements implemented 1. **Basic CI pipeline** — GitHub Actions releases new Helm chart versions (see [.github/workflows/release.yaml](.github/workflows/release.yaml)) -2. **Exposed Fleet UI** — Ingress with `fleet.localhost` for UI and agent enrollment +2. **Exposed Fleet UI** — `make port-forward` on port 8585 (+ ingress `fleet.localhost`) 3. **`fleet prepare db`** — Handled by `autoApplySQLMigrations: true` in the Fleet Helm chart ## Project Structure