Adding changes for Fleet v4.64.2 (#26850)

Author: lukeheath

CHANGELOG.md

@@ -1,3 +1,9 @@
+## Fleet 4.64.2 (Mar 05, 2025)
+
+### Bug fixes
+
+* Improve validation handling.
+
 ## Fleet 4.64.1 (Feb 20, 2025)
 
 ### Bug fixes

changes/.keep

@@ -4,11 +4,11 @@ name: fleet
 keywords:
   - fleet
   - osquery
-version: v6.4.2
+version: v6.4.3-1
 home: https://github.com/fleetdm/fleet
 sources:
   - https://github.com/fleetdm/fleet.git
-appVersion: v4.64.1
+appVersion: v4.64.2
 dependencies:
   - name: mysql
     condition: mysql.enabled

charts/fleet/Chart.yaml

@@ -3,7 +3,7 @@
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
 imageRepository: fleetdm/fleet
-imageTag: v4.64.1 # Version of Fleet to deploy
+imageTag: v4.64.2 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAnnotations: {} # Additional annotations to add to the Fleet service
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account

charts/fleet/values.yaml

@@ -56,7 +56,7 @@ variable "database_name" {
 
 variable "fleet_image" {
   description = "the name of the container image to run"
-  default     = "fleetdm/fleet:v4.64.1"
+  default     = "fleetdm/fleet:v4.64.2"
 
 variable "software_inventory" {
   description = "enable/disable software inventory (default is enabled)"

infrastructure/dogfood/terraform/aws/variables.tf

@@ -68,7 +68,7 @@ variable "redis_mem" {
 }
 
 variable "image" {
-  default = "fleetdm/fleet:v4.64.1"
+  default = "fleetdm/fleet:v4.64.2"
 }
 
 variable "software_installers_bucket_name" {

infrastructure/dogfood/terraform/gcp/variables.tf

@@ -0,0 +1,128 @@
+variable "customer_prefix" {
+  type        = string
+  description = "customer prefix to use to namespace all resources"
+  default     = "fleet"
+}
+
+variable "ecs_cluster" {
+  type        = string
+  description = "The ARN of the ECS cluster to use"
+  nullable    = false
+}
+
+variable "vpc_id" {
+  type    = string
+  default = null
+}
+
+variable "fleet_config" {
+  type = object({
+    vuln_processing_schedule_expression  = optional(string, "rate(1 hour)")
+    vuln_data_stream_schedule_expression = optional(string, "rate(24 hours)")
+    vuln_database_path                   = optional(string, "/home/fleet/vuln_data")
+    vuln_processing_mem                  = optional(number, 4096)
+    vuln_processing_cpu                  = optional(number, 2048)
+    vuln_data_stream_mem                 = optional(number, 1024)
+    vuln_data_stream_cpu                 = optional(number, 512)
+    image                                = optional(string, "fleetdm/fleet:v4.64.2")
+    family                               = optional(string, "fleet-vuln-processing")
+    sidecars                             = optional(list(any), [])
+    extra_environment_variables          = optional(map(string), {})
+    extra_iam_policies                   = optional(list(string), [])
+    extra_execution_iam_policies         = optional(list(string), [])
+    extra_secrets                        = optional(map(string), {})
+    iam_role_arn                         = optional(string, null)
+    database = object({
+      password_secret_arn = string
+      user                = string
+      database            = string
+      address             = string
+      rr_address          = optional(string, null)
+    })
+    awslogs = optional(object({
+      name      = optional(string, null)
+      region    = optional(string, null)
+      create    = optional(bool, true)
+      prefix    = optional(string, "fleet-vuln")
+      retention = optional(number, 5)
+      }), {
+      name      = null
+      region    = null
+      prefix    = "fleet"
+      retention = 5
+    })
+    networking = object({
+      subnets         = list(string)
+      security_groups = optional(list(string), null)
+    })
+    iam = optional(object({
+      role = optional(object({
+        name        = optional(string, "fleet-vuln-processing-role")
+        policy_name = optional(string, "fleet-vuln-processing-iam-policy")
+        }), {
+        name        = "fleet-vuln-processing-role"
+        policy_name = "fleet-vuln-processing-iam-policy"
+      })
+      execution = optional(object({
+        name        = optional(string, "fleet-vuln-processing-execution-role")
+        policy_name = optional(string, "fleet-vuln-processing-execution-role")
+        }), {
+        name        = "fleet-vuln-processing-execution-role"
+        policy_name = "fleet-vuln-processing-iam-policy-execution"
+      })
+      }), {
+      name = "fleet-vuln-processing-execution-role"
+    })
+  })
+  default = {
+    vuln_processing_schedule_expression  = "rate(1 hour)"
+    vuln_data_stream_schedule_expression = "rate(24 hours)"
+    vuln_database_path                   = "/home/fleet/vuln_data"
+    vuln_processing_mem                  = 4096
+    vuln_processing_cpu                  = 2048
+    vuln_data_stream_mem                 = 1024
+    vuln_data_stream_cpu                 = 512
+    image                                = "fleetdm/fleet:v4.64.2"
+    family                               = "fleet-vuln-processing"
+    sidecars                             = []
+    extra_environment_variables          = {}
+    extra_iam_policies                   = []
+    extra_execution_iam_policies         = []
+    extra_secrets                        = {}
+    iam_role_arn                         = null
+    database = {
+      password_secret_arn = null
+      user                = null
+      database            = null
+      address             = null
+      rr_address          = null
+    }
+    awslogs = {
+      name      = null
+      region    = null
+      create    = true
+      prefix    = "fleet-vuln"
+      retention = 5
+    }
+    networking = {
+      subnets         = null
+      security_groups = null
+    }
+    iam = {
+      role = {
+        name        = "fleet-vuln-processing-role"
+        policy_name = "fleet-vuln-processing-iam-policy"
+      }
+      execution = {
+        name        = "fleet-vuln-processing-execution-role"
+        policy_name = "fleet-vuln-processing-iam-policy-execution"
+      }
+    }
+  }
+  description = "The configuration object for Fleet itself. Fields that default to null will have their respective resources created if not specified."
+  nullable    = false
+}
+
+variable "efs_root_directory" {
+  default = "/"
+}

terraform/addons/vuln-processing/variables.tf

@@ -0,0 +1,209 @@
+variable "ecs_cluster" {
+  type        = string
+  description = "The name of the ECS cluster to use"
+  nullable    = false
+}
+
+variable "vpc_id" {
+  type    = string
+  default = null
+}
+
+variable "fleet_config" {
+  type = object({
+    task_mem                     = optional(number, null)
+    task_cpu                     = optional(number, null)
+    mem                          = optional(number, 4096)
+    cpu                          = optional(number, 512)
+    pid_mode                     = optional(string, null)
+    image                        = optional(string, "fleetdm/fleet:v4.64.2")
+    family                       = optional(string, "fleet")
+    sidecars                     = optional(list(any), [])
+    depends_on                   = optional(list(any), [])
+    mount_points                 = optional(list(any), [])
+    volumes                      = optional(list(any), [])
+    extra_environment_variables  = optional(map(string), {})
+    extra_iam_policies           = optional(list(string), [])
+    extra_execution_iam_policies = optional(list(string), [])
+    extra_secrets                = optional(map(string), {})
+    security_group_name          = optional(string, "fleet")
+    iam_role_arn                 = optional(string, null)
+    repository_credentials       = optional(string, "")
+    private_key_secret_name      = optional(string, "fleet-server-private-key")
+    service = optional(object({
+      name = optional(string, "fleet")
+      }), {
+      name = "fleet"
+    })
+    database = object({
+      password_secret_arn = string
+      user                = string
+      database            = string
+      address             = string
+      rr_address          = optional(string, null)
+    })
+    redis = object({
+      address = string
+      use_tls = optional(bool, true)
+    })
+    awslogs = optional(object({
+      name      = optional(string, null)
+      region    = optional(string, null)
+      create    = optional(bool, true)
+      prefix    = optional(string, "fleet")
+      retention = optional(number, 5)
+      }), {
+      name      = null
+      region    = null
+      prefix    = "fleet"
+      retention = 5
+    })
+    loadbalancer = object({
+      arn = string
+    })
+    extra_load_balancers = optional(list(any), [])
+    networking = object({
+      subnets         = optional(list(string), null)
+      security_groups = optional(list(string), null)
+      ingress_sources = object({
+        cidr_blocks      = optional(list(string), [])
+        ipv6_cidr_blocks = optional(list(string), [])
+        security_groups  = optional(list(string), [])
+        prefix_list_ids  = optional(list(string), [])
+      })
+    })
+    autoscaling = optional(object({
+      max_capacity                 = optional(number, 5)
+      min_capacity                 = optional(number, 1)
+      memory_tracking_target_value = optional(number, 80)
+      cpu_tracking_target_value    = optional(number, 80)
+      }), {
+      max_capacity                 = 5
+      min_capacity                 = 1
+      memory_tracking_target_value = 80
+      cpu_tracking_target_value    = 80
+    })
+    iam = optional(object({
+      role = optional(object({
+        name        = optional(string, "fleet-role")
+        policy_name = optional(string, "fleet-iam-policy")
+        }), {
+        name        = "fleet-role"
+        policy_name = "fleet-iam-policy"
+      })
+      execution = optional(object({
+        name        = optional(string, "fleet-execution-role")
+        policy_name = optional(string, "fleet-execution-role")
+        }), {
+        name        = "fleet-execution-role"
+        policy_name = "fleet-iam-policy-execution"
+      })
+      }), {
+      name = "fleetdm-execution-role"
+    })
+    software_installers = optional(object({
+      create_bucket    = optional(bool, true)
+      bucket_name      = optional(string, null)
+      bucket_prefix    = optional(string, "fleet-software-installers-")
+      s3_object_prefix = optional(string, "")
+      }), {
+      create_bucket    = true
+      bucket_name      = null
+      bucket_prefix    = "fleet-software-installers-"
+      s3_object_prefix = ""
+    })
+  })
+  default = {
+    task_mem                     = null
+    task_cpu                     = null
+    mem                          = 512
+    cpu                          = 256
+    pid_mode                     = null
+    image                        = "fleetdm/fleet:v4.64.2"
+    family                       = "fleet"
+    sidecars                     = []
+    depends_on                   = []
+    mount_points                 = []
+    volumes                      = []
+    extra_environment_variables  = {}
+    extra_iam_policies           = []
+    extra_execution_iam_policies = []
+    extra_secrets                = {}
+    security_group_name          = "fleet"
+    iam_role_arn                 = null
+    repository_credentials       = ""
+    private_key_secret_name      = "fleet-server-private-key"
+    service = {
+      name = "fleet"
+    }
+    database = {
+      password_secret_arn = null
+      user                = null
+      database            = null
+      address             = null
+      rr_address          = null
+    }
+    redis = {
+      address = null
+      use_tls = true
+    }
+    awslogs = {
+      name      = null
+      region    = null
+      create    = true
+      prefix    = "fleet"
+      retention = 5
+    }
+    loadbalancer = {
+      arn = null
+    }
+    extra_load_balacners = []
+    networking = {
+      subnets         = null
+      security_groups = null
+      ingress_sources = {
+        cidr_blocks      = []
+        ipv6_cidr_blocks = []
+        security_groups  = []
+        prefix_list_ids  = []
+      }
+    }
+    autoscaling = {
+      max_capacity                 = 5
+      min_capacity                 = 1
+      memory_tracking_target_value = 80
+      cpu_tracking_target_value    = 80
+    }
+    iam = {
+      role = {
+        name        = "fleet-role"
+        policy_name = "fleet-iam-policy"
+      }
+      execution = {
+        name        = "fleet-execution-role"
+        policy_name = "fleet-iam-policy-execution"
+      }
+    }
+    software_installers = {
+      create_bucket    = true
+      bucket_name      = null
+      bucket_prefix    = "fleet-software-installers-"
+      s3_object_prefix = ""
+    }
+  }
+  description = "The configuration object for Fleet itself. Fields that default to null will have their respective resources created if not specified."
+  nullable    = false
+}
+
+variable "migration_config" {
+  type = object({
+    mem = number
+    cpu = number
+  })
+  default = {
+    mem = 2048
+    cpu = 1024
+  }
+  description = "The configuration object for Fleet's migration task."
+  nullable    = false
+}