Andriy Oblivantsev
87ce0ec6ee
Gitea OCI registry expects host/owner/package:tag format, not host/owner/repo/package:tag. Co-authored-by: Cursor <cursoragent@cursor.com>
🦩 FleetDM Stack
Helm chart deploying FleetDM Server with MySQL and Redis to Kubernetes. Suitable for local development (Kind/Minikube) and adaptable for production.
Prerequisites
Quick Start
# Create local cluster and deploy
make cluster
make install
# Verify deployment
make verify
# Access Fleet UI at https://localhost:8585
make port-forward
Installation
1. Create local cluster
Creates a Kind or Minikube cluster and installs the nginx ingress controller (Kind) or enables ingress addon (Minikube).
# Default: Kind
make cluster
# Or use Minikube
make cluster CLUSTER_TYPE=minikube
2. Install the Helm chart
make install
This will:
- Update Helm dependencies
- Create the
fleetdmnamespace - Deploy MySQL, Redis, and FleetDM Server
- Run
fleet prepare dbautomatically on fresh install (viaautoApplySQLMigrations)
3. Access Fleet UI
# Port-forward Fleet to https://localhost:8585
make port-forward
# Or use a custom port
make port-forward FLEET_PORT=9090
Open https://localhost:8585 in your browser (accept the self-signed certificate).
Fleet setup wizard will guide you through initial configuration.
Teardown
# Remove Helm release and namespace
make uninstall
# Remove cluster (Kind or Minikube)
make clean
Verification
make verify
Verification checklist:
| Component | Check |
|---|---|
| FleetDM | Pods running; make port-forward → https://localhost:8585 |
| MySQL | fleetdm-stack-mysql service; Fleet connects and runs migrations |
| Redis | fleetdm-stack-redis-master service; Fleet uses it for cache |
Manual verification
# Check pods
kubectl get pods -n fleetdm
# Check Fleet migration job (fleet prepare db)
kubectl get jobs -n fleetdm
# Check services
kubectl get svc -n fleetdm
# Fleet logs
kubectl logs -n fleetdm -l app=fleet -f
Configuration
| Value | Description | Default |
|---|---|---|
mysql.auth.password |
MySQL password | fleetdm-local-dev |
fleet.replicas |
Fleet server replicas | 1 |
fleet.hostName |
Ingress host | fleet.localhost |
Override via --set or custom values file:
helm upgrade --install fleetdm-stack fleetdm-stack/ \
-n fleetdm \
--set mysql.auth.password=SECURE_PASSWORD
TLS certificates
For local development, the chart includes self-signed TLS certificates (generated on first make install). Production deployments should use cert-manager or provide proper certificates via fleet.secretName.
FleetDM agent reachability
Fleet is exposed via port-forward (make port-forward) or ingress:
- Fleet UI —
https://localhost:8585(via port-forward) - Agent endpoints (
/api/v1/osquery/*,/api/fleet/orbit/*) — same URL - Ingress with
fleet.localhostis also configured as a fallback
For production, configure proper TLS and a stable DNS name for agents.
Enhancements implemented
- Basic CI pipeline — Gitea Actions lint on push, release on tag (see .github/workflows/release.yaml)
- Exposed Fleet UI —
make port-forwardon port 8585 (+ ingressfleet.localhost) fleet prepare db— Handled byautoApplySQLMigrations: truein the Fleet Helm chart
Project Structure
tech-task/
├── fleetdm-stack/ # Helm chart (FleetDM + MySQL + Redis)
│ ├── Chart.yaml
│ ├── Chart.lock
│ ├── values.yaml
│ ├── certs/ # TLS certs (generated by make install)
│ └── charts/ # Dependencies (run make deps)
├── Makefile # cluster, install, uninstall, verify, port-forward, clean
├── README.md
├── .github/workflows/ # Gitea Actions CI for Helm chart lint & release
└── docs/ # Theoretical part
├── architecture-design-company-inc.md
├── architecture-hld.md
└── verification-log.md
Theoretical Part
The architectural design document for "Company Inc." is in docs/:
- Architecture Design Document — 1-2 page design (convert to PDF for submission)
- High-Level Diagram — Mermaid diagrams (infra, CI/CD, network security)