Add support for custom HTTP headers in GitLab CI#124
Merged
Conversation
Adds an optional FLEET_CUSTOM_HEADERS variable (comma-separated "Header:Value" pairs) applied to both the fleetctl version check (curl) and fleetctl (config set --custom-header, which persists to ~/.fleet/config so gitops uses them too). This enables running GitOps against a Fleet server behind a reverse proxy or zero-trust access layer that requires extra request headers, e.g. a Cloudflare Access service token (CF-Access-Client-Id / CF-Access-Client-Secret). Defaults to empty, so existing pipelines are unaffected.
avltree9798
requested review from
allenhouchins,
getvictor,
lukeheath and
noahtalerman
as code owners
There was a problem hiding this comment.
Pull request overview
Adds a configurable way to include extra HTTP headers in the GitLab CI job that runs Fleet GitOps, intended to support Fleet servers behind proxies/zero-trust layers that require additional headers.
Changes:
- Introduces a
FLEET_CUSTOM_HEADERSCI variable and documents expected formatting. - Parses
FLEET_CUSTOM_HEADERSinto argument arrays forcurlandfleetctl. - Applies the extra headers to the Fleet version check request and to
fleetctl config set.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+5
to
+14
| # Optional. Extra HTTP headers to send on every request to Fleet. They are applied to | ||
| # both the version check (curl) and all fleetctl commands (config set / gitops). | ||
| # | ||
| # Format: a comma-separated list of "Header:Value" pairs. Header values cannot contain | ||
| # commas. Leave empty to send no extra headers. | ||
| # | ||
| # Set the real value as a (masked) CI/CD variable in Settings > CI/CD > Variables, which | ||
| # overrides this default. Example for a Cloudflare Access service token: | ||
| # FLEET_CUSTOM_HEADERS: "CF-Access-Client-Id:<client-id>,CF-Access-Client-Secret:<client-secret>" | ||
| FLEET_CUSTOM_HEADERS: "" |
Comment on lines
+31
to
+37
| if [[ -n "$FLEET_CUSTOM_HEADERS" ]]; then | ||
| IFS=',' read -ra _CUSTOM_HEADERS <<< "$FLEET_CUSTOM_HEADERS" | ||
| for _header in "${_CUSTOM_HEADERS[@]}"; do | ||
| CURL_HEADER_ARGS+=(--header "$_header") | ||
| FLEETCTL_HEADER_ARGS+=(--custom-header "$_header") | ||
| done | ||
| fi |
Member
|
@avltree9798 This is a great idea. Can you also add this support for the GitHub CI? |
Mirrors the GitLab CI change for the GitHub Actions path. FLEET_CUSTOM_HEADERS (comma-separated "Header:Value" pairs) is applied to the fleetctl version check (curl) and to fleetctl (config set --custom-header, which persists the headers so gitops uses them too) across the gitops-action, gitops-action-fleets, and gitops-action-rc composite actions, and is passed through the workflow env block. This enables running GitOps against a Fleet server behind a reverse proxy or zero-trust access layer that requires extra request headers, e.g. a Cloudflare Access service token (CF-Access-Client-Id / CF-Access-Client-Secret). Unset/empty by default, so existing workflows are unaffected.
Contributor
Author
|
This is done, can you please review this? @getvictor |
Member
Hey @lukeheath can you please take a look at this PR when you get the chance? I think Victor is OOO the next several days. cc @avltree9798 |
lukeheath
reviewed
Jun 20, 2026
lukeheath
approved these changes
Jun 20, 2026
lukeheath
left a comment
lukeheath
left a comment
Member
There was a problem hiding this comment.
Thanks for your contribution!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds an optional FLEET_CUSTOM_HEADERS variable (comma-separated "Header:Value" pairs) applied to both the fleetctl version check (curl) and fleetctl (config set --custom-header, which persists to ~/.fleet/config so gitops uses them too).
This enables running GitOps against a Fleet server behind a reverse proxy or zero-trust access layer that requires extra request headers, e.g. a Cloudflare Access service token (CF-Access-Client-Id / CF-Access-Client-Secret). Defaults to empty, so existing pipelines are unaffected.