Download Fleet's agent (fleetd) from the UI #38137

@rachaelshaw

@rachaelshaw: this is copy/pasted from the original issue, so PRs, etc., will need to be revisited during drafting.

Goal

User story
As a Fleet admin,
I want to download Fleet's agent (fleetd) from the Fleet UI
so that I can generate a package without the command line.

Roadmap item

⬇️ Download signed installers in one click with no Terminal or certificates required

Original requests

Resources

Changes

Product

  • UI changes: Figma
  • CLI (fleetctl) usage changes: No changes
  • YAML changes: No changes
  • REST API changes: PR
  • Fleet's agent (fleetd) changes: No changes
  • GitOps mode UI changes: No changes
  • GitOps generation changes: No changes
  • Activity changes: No changes
  • Permissions changes: PR.
  • Changes to paid features or tiers: No changes
  • My device and fleetdm.com/better changes: No changes
  • Usage statistics: No changes
  • Other reference documentation changes:
    • Make sure instructions removed from "Advanced" tab are in docs, add them if not
    • Add note to API reference for Get Fleet certificate. What features are supported in the “closed off from the public internet” use case?
      • Android doesn’t work for sure
      • What about Apple and Windows MDM?
  • First draft of test plan added
  • Once shipped, requester has been notified
  • Once shipped, dogfooding issue has been filed

Engineering

  • Test plan is finalized
  • Contributor API changes: No changes.
  • Feature guide changes: No changes.
  • This is a premium only feature: No.
  • New server configuration: enabled/disabled (default OFF) + alternative URL to location of the service (default fleetdm.com/path/to/service)

Architecture

graph LR
    user_agent["User agent"];
    tuf["TUF<br>https://updates.fleetdm.com"];
    subgraph fleet_server[Fleet<br>Server];
        cron["Cron job"];
    end;
    agent_installer_service["Agent installer service<br>https://fleetdm.com/path/to/service"];
    s3_store[(S3-compatible object store)];
    apple["Apple servers"];

    user_agent -- GET /api/v1/fleet/agent --> fleet_server;
    fleet_server -- Get/Set cached installers --> s3_store;
    agent_installer_service -- Download fleetd components --> tuf;
    agent_installer_service -- Notarize `pkg` --> apple;
    
    cron -- POST /generate<br>GET /status<br>GET /download --> agent_installer_service;
    cron -- Check for new updates,<br>and regenerate packages if need be --> tuf;

QA

Risk assessment

  • Risk level: Low
  • Risk description: Low because this is additional isolated functionality; if the feature is not working well for some reason then the customers can resort to using fleetctl package.

Test plan

All scenarios must be tested on all the installers:

  • macOS (pkg).
  • Windows (msi).
  • Ubuntu (deb).
  • Fedora (rpm).
  • Arch Linux (pkg.tar.zst).

IMPORTANT:

  • When installing msis:
    • Make sure the msi is codesigned.
    • Make sure they don't issue warnings (because it's codesigned).
  • When installing pkgs:
    • Make sure the pkg is codesigned and notarized (using package inspection tools, like "Suspicious Package" app)
    • Make sure they don't issue warnings (because it's codesigned+notarized).
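
One way to script the pkg checks above on a macOS test machine, as an added example that is not part of the original issue. It uses the stock pkgutil, spctl and xcrun stapler tools; the function name check_pkg and the choice to treat a missing stapled ticket as a warning rather than a failure are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fleet issue): verify that a macOS installer
# package is signed, accepted by Gatekeeper, and reported as notarized.
# Run on macOS. pkgutil and spctl ship with the OS; stapler needs Xcode tools.

check_pkg() {
    pkg="$1"
    fail=0

    # 1. Signature: pkgutil exits non-zero when the package has no valid signature.
    if sig="$(pkgutil --check-signature "$pkg" 2>&1)"; then
        echo "signature: ok"
    else
        echo "signature: FAILED"
        fail=1
    fi
    echo "$sig"

    # 2. Gatekeeper: this is the assessment that decides whether the user
    #    sees a warning. spctl writes its verdict to stderr.
    if gk="$(spctl --assess --type install -vv "$pkg" 2>&1)"; then
        case "$gk" in
            *"source=Notarized Developer ID"*)
                echo "gatekeeper: accepted, notarized" ;;
            *)
                echo "gatekeeper: accepted, but not reported as notarized"
                fail=1 ;;
        esac
    else
        echo "gatekeeper: REJECTED"
        fail=1
    fi

    # 3. Stapled ticket: without it, Gatekeeper needs network access to
    #    confirm notarization, which matters for hosts with no internet.
    if xcrun stapler validate "$pkg" >/dev/null 2>&1; then
        echo "stapled ticket: ok"
    else
        echo "stapled ticket: missing (warning only)"
    fi

    return "$fail"
}

# Usage: sh check_pkg.sh fleet-osquery.pkg   (file name is a placeholder)
if [ "$#" -gt 0 ]; then
    check_pkg "$1"
fi
```
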

Fleet Free

A. Happy path

  1. After upgrading Fleet (and before the cron has run), check that attempting to download fails with the expected dialog (no installers available yet, check in 5 minutes).
  2. After waiting, test that you can download installers for all types using the UI after the cron has generated them.
  3. Install installers to make sure they work.

B. Changing enroll secret

  1. Change enroll secret
  2. Right away, check that attempting to download fails with the expected dialog (no installers available yet, check in 5 minutes).
  3. After waiting, test that you can download installers for all types using the UI after the cron has generated them.
  4. Install installers to make sure they work.

C. Changing "Fleet web address"

  1. Change "Settings" > "Organization settings" > "Fleet web address".
  2. Right away, check that attempting to download fails with the expected dialog (no installers available yet, check in 5 minutes).
  3. After waiting, test that you can download installers for all types using the UI after the cron has generated them.
  4. Install installers to make sure they work.

D. Push an update to orbit (using local TUF)

  1. Push an update to orbit (macOS, Windows, or Linux)
  2. Right away, check that attempting to download fails with the expected dialog (no installers available yet, check in 5 minutes).
  3. After waiting, test that you can download installers for all types using the UI after the cron has generated them.
  4. Install installers to make sure they work. Make sure the installer installed the new orbit version.

E. Push an update to desktop (using local TUF)

  1. Push an update to desktop (macOS, Windows, or Linux)
  2. Right away, check that attempting to download fails with the expected dialog (no installers available yet, check in 5 minutes).
  3. After waiting, test that you can download installers for all types using the UI after the cron has generated them.
  4. Install installers to make sure they work. Make sure the installer installed the new desktop version.

F. Push an update to osqueryd (using local TUF)

  1. Push an update to desktop (macOS, Windows, or Linux)
  2. Right away, check that attempting to download fails with the expected dialog (no installers available yet, check in 5 minutes).
  3. After waiting, test that you can download installers for all types using the UI after the cron has generated them.
  4. Install installers to make sure they work. Make sure the installer installed the new osqueryd version.

Fleet Premium

TODO

Testing notes

  • We will need to test the feature on Fleet deployed to Render, because Render doesn't have/use an S3-compatible store; it uses the file system for storing e.g. software packages.

Confirmation

  1. Engineer: Added comment to user story confirming successful completion of test plan.
  2. QA: Added comment to user story confirming successful completion of test plan.

Labels

  • #g-orchestration - Orchestration product group
  • :product - Product Design department (shows up on 🦢 Drafting board)
  • story - A user story defining an entire feature