eSlider/flamingo-tech-test
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 11 Wiki Activity
Files
v0.0.12
flamingo-tech-test/README.md
Andriy Oblivantsev 33ebb4af89
Helm Chart CI & Release / Lint Helm Chart (push) Successful in 10s
Details
Helm Chart CI & Release / Semantic Release (push) Successful in 2m7s
Details
Minor fixes
2026-02-20 13:38:28 +00:00

192 lines
5.6 KiB
Markdown
Raw Permalink Blame History

# 🦩 FleetDM Stack
Helm chart deploying **FleetDM Server** with **MySQL** and **Redis** to Kubernetes. Suitable for local development (Kind/Minikube) and adaptable for production.
## Prerequisites
- [Docker](https://docs.docker.com/get-docker/)
- [kubectl](https://kubernetes.io/docs/tasks/tools/)
- [Helm 3](https://helm.sh/docs/intro/install/)
- **Kind** or **Minikube** for local cluster
## Quick Start
```bash
# Create local cluster and deploy
make cluster
make install
# Verify deployment
make verify
# Access Fleet UI at https://localhost:8585
make port-forward
```
## Installation
### 1. Create local cluster
Creates a Kind or Minikube cluster and installs the nginx ingress controller (Kind) or enables ingress addon (Minikube).
```bash
# Default: Kind
make cluster
# Or use Minikube
make cluster CLUSTER_TYPE=minikube
```
### 2. Install the Helm chart
```bash
make install
```
This will:
- Update Helm dependencies
- Create the `fleetdm` namespace
- Deploy MySQL, Redis, and FleetDM Server
- Run `fleet prepare db` automatically on fresh install (via `autoApplySQLMigrations`)
### 3. Access Fleet UI
```bash
# Port-forward Fleet to https://localhost:8585
make port-forward
# Or use a custom port
make port-forward FLEET_PORT=9090
```
Open **https://localhost:8585** in your browser (accept the self-signed certificate).
Fleet setup wizard will guide you through initial configuration.
![1771534082840](assets/1771534082840.png)
## Teardown
```bash
# Remove Helm release and namespace
make uninstall
# Remove cluster (Kind or Minikube)
make clean
```
## Verification
```bash
make verify
```
Verification checklist:
| Component | Check |
| ----------- | ----------------------------------------------------------------- |
| **FleetDM** | Pods running; `make port-forward` → https://localhost:8585 |
| **MySQL** | `fleetdm-stack-mysql` service; Fleet connects and runs migrations |
| **Redis** | `fleetdm-stack-redis-master` service; Fleet uses it for cache |
### Manual verification
```bash
# Check pods
kubectl get pods -n fleetdm
# Check Fleet migration job (fleet prepare db)
kubectl get jobs -n fleetdm
# Check services
kubectl get svc -n fleetdm
# Fleet logs
kubectl logs -n fleetdm -l app=fleet -f
```
## Configuration
| Value | Description | Default |
| --------------------- | --------------------- | ------------------- |
| `mysql.auth.password` | MySQL password | `fleetdm-local-dev` |
| `fleet.replicas` | Fleet server replicas | `1` |
| `fleet.hostName` | Ingress host | `fleet.localhost` |
Override via `--set` or custom values file:
```bash
helm upgrade --install fleetdm-stack fleetdm-stack/ \
-n fleetdm \
--set mysql.auth.password=SECURE_PASSWORD
```
## TLS certificates
For local development, the chart includes self-signed TLS certificates (generated on first `make install`). Production deployments should use cert-manager or provide proper certificates via `fleet.secretName`.
## FleetDM agent reachability
Fleet is exposed via port-forward (`make port-forward`) or ingress:
- **Fleet UI** — `https://localhost:8585` (via port-forward)
- **Agent endpoints** (`/api/v1/osquery/*`, `/api/fleet/orbit/*`) — same URL
- Ingress with `fleet.localhost` is also configured as a fallback
For production, configure proper TLS and a stable DNS name for agents.
## Enhancements implemented
1. **Basic CI pipeline** — Gitea Actions lint on push, release on tag (see [.github/workflows/release.yaml](.github/workflows/release.yaml))
2. **Exposed Fleet UI**`make port-forward` on port 8585 (+ ingress `fleet.localhost`)
3. **`fleet prepare db`** — Handled by `autoApplySQLMigrations: true` in the Fleet Helm chart
4. **Container image mirroring** — CI mirrors the upstream `fleetdm/fleet` image to the [Gitea OCI registry](https://git.produktor.io/eSlider/-/packages) using `crane` (daemonless)
5. **Trivy vulnerability scan** — Each release scans the mirrored image for HIGH/CRITICAL CVEs
## Container Registry
The CI pipeline mirrors the FleetDM image to the Gitea container registry on every release.
```bash
# Pull the latest mirrored image
docker pull git.produktor.io/eslider/flamingo-tech-test:latest
# Pull a specific app version
docker pull git.produktor.io/eslider/flamingo-tech-test:4.80.1
# Pull by chart release tag
docker pull git.produktor.io/eslider/flamingo-tech-test:v0.0.10
```
Browse all available tags at [git.produktor.io/eSlider/-/packages/container/flamingo-tech-test/latest](https://git.produktor.io/eSlider/-/packages/container/flamingo-tech-test/latest).
## Project Structure
```
tech-task/
├── fleetdm-stack/ # Helm chart (FleetDM + MySQL + Redis)
│ ├── Chart.yaml
│ ├── Chart.lock
│ ├── values.yaml
│ ├── certs/ # TLS certs (generated by make install)
│ └── charts/ # Dependencies (run make deps)
├── Makefile # cluster, install, uninstall, verify, port-forward, clean
├── README.md
├── .github/workflows/ # Gitea Actions CI for Helm chart lint & release
└── docs/ # Theoretical part
├── architecture-design-company-inc.md
├── architecture-hld.md
└── verification-log.md
```
## Theoretical Part
The architectural design document for "Company Inc." is in `docs/`:
- [Architecture Design Document](docs/architecture-design-company-inc.md) — 1-2 page design (convert to PDF for submission)
- [High-Level Diagram](docs/architecture-hld.md) — Mermaid diagrams (infra, CI/CD, network security)
Reference in New Issue View Git Blame Copy Permalink