Andriy Oblivantsev
b5c22e84ec
- Replace GitHub chart-releaser with Gitea-compatible workflow - Lint job: helm lint, template validation on push to main/master - Release job: package and publish to Gitea releases on tag push (v*) - Use gitea-release-action for creating releases - Support both main and master branches Co-authored-by: Cursor <cursoragent@cursor.com>
FleetDM Stack — Flamingo DevOps Assignment
Helm chart deploying FleetDM Server with MySQL and Redis to Kubernetes. Suitable for local development (Kind/Minikube) and adaptable for production.
Prerequisites
Quick Start
# Create local cluster and deploy
make cluster
make install
# Verify deployment
make verify
Installation
1. Create local cluster
Creates a Kind or Minikube cluster and installs the nginx ingress controller (Kind) or enables ingress addon (Minikube).
# Default: Kind
make cluster
# Or use Minikube
make cluster CLUSTER_TYPE=minikube
2. Install the Helm chart
make install
This will:
- Update Helm dependencies
- Create the
fleetdmnamespace - Deploy MySQL, Redis, and FleetDM Server
- Run
fleet prepare dbautomatically on fresh install (viaautoApplySQLMigrations)
3. Access Fleet UI
Kind:
# Add to /etc/hosts (or equivalent)
echo "127.0.0.1 fleet.localhost" | sudo tee -a /etc/hosts
# Access via ingress (ensure ingress-nginx is ready)
curl -H "Host: fleet.localhost" http://localhost
# Or open http://localhost in a browser with Host: fleet.localhost
Minikube:
minikube tunnel
# Then add fleet.localhost to /etc/hosts pointing to minikube IP
Teardown
# Remove Helm release and namespace
make uninstall
# Remove cluster (Kind or Minikube)
make clean
Verification
make verify
Verification checklist:
| Component | Check |
|---|---|
| FleetDM | Pods running; ingress fleet.localhost serves Fleet UI |
| MySQL | fleetdm-stack-mysql service; Fleet connects and runs migrations |
| Redis | fleetdm-stack-redis-master service; Fleet uses it for cache |
Manual verification
# Check pods
kubectl get pods -n fleetdm
# Check Fleet migration job (fleet prepare db)
kubectl get jobs -n fleetdm
# Check services
kubectl get svc -n fleetdm
# Fleet logs
kubectl logs -n fleetdm -l app=fleet -f
Configuration
| Value | Description | Default |
|---|---|---|
mysql.auth.password |
MySQL password | fleetdm-local-dev |
fleet.replicas |
Fleet server replicas | 1 |
fleet.hostName |
Ingress host | fleet.localhost |
Override via --set or custom values file:
helm upgrade --install fleetdm-stack fleetdm-stack/ \
-n fleetdm \
--set mysql.auth.password=SECURE_PASSWORD
TLS certificates
For local development, the chart includes self-signed TLS certificates (generated on first make install). Production deployments should use cert-manager or provide proper certificates via fleet.secretName.
FleetDM agent reachability
The chart exposes Fleet via ingress so:
- Fleet UI is available at
http://fleet.localhost - Agent endpoints (
/api/v1/osquery/*,/api/fleet/orbit/*, etc.) are reachable under the same host
For production, configure TLS and ensure agents can reach the Fleet server hostname.
Enhancements implemented
- Basic CI pipeline — GitHub Actions releases new Helm chart versions (see .github/workflows/release.yaml)
- Exposed Fleet UI — Ingress with
fleet.localhostfor UI and agent enrollment fleet prepare db— Handled byautoApplySQLMigrations: truein the Fleet Helm chart
Project Structure
tech-task/
├── fleetdm-stack/ # Helm chart (FleetDM + MySQL + Redis)
│ ├── Chart.yaml
│ ├── Chart.lock
│ ├── values.yaml
│ ├── certs/ # TLS certs (generated by make install)
│ └── charts/ # Dependencies (run make deps)
├── Makefile # cluster, install, uninstall, verify, clean
├── README.md
├── .github/workflows/ # CI for Helm chart releases
└── docs/ # Theoretical part
├── architecture-design-company-inc.md
└── architecture-hld.md
Theoretical Part
The architectural design document for "Company Inc." is in docs/:
- Architecture Design Document — 1–2 page design (convert to PDF for submission)
- High-Level Diagram Reference — Mermaid source and draw.io guide for HLD