From fd3e78ab5238be4e5596fdca3ee4980d1f1545df Mon Sep 17 00:00:00 2001
From: Victor Lyuboslavsky
Date: Fri, 30 Aug 2024 10:45:32 -0500
Subject: [PATCH] Adding GitLab pipeline.
---
 .github/gitops-action/action.yml | 2 +-
 .gitlab-ci.yml | 24 ++++++++++++++++++++++
 README.md | 34 ++++++++++++++++++++++++++++----
 3 files changed, 55 insertions(+), 5 deletions(-)
 create mode 100644 .gitlab-ci.yml
diff --git a/.github/gitops-action/action.yml b/.github/gitops-action/action.yml
index 27ee3ff..1f55f04 100644
--- a/.github/gitops-action/action.yml
+++ b/.github/gitops-action/action.yml
@@ -22,7 +22,7 @@ runs:
 FLEET_VERSION="$(curl "$FLEET_URL/api/v1/fleet/version" --header "Authorization: Bearer $FLEET_API_TOKEN" --fail --silent | jq --raw-output '.version')"
 if [[ -n "$FLEET_VERSION" ]] ; then
- npm install -g "fleetctl@$FLEET_VERSION"
+ npm install -g "fleetctl@$FLEET_VERSION" || npm install -g fleetctl
 else
 echo "Failed to get Fleet version from $FLEET_URL, installing latest version of fleetctl"
 npm install -g fleetctl
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..a6723dc
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,24 @@
+fleet-gitops:
+ image: node:22
+ variables:
+ FLEET_DRY_RUN_ONLY: true
+ rules:
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ variables:
+ FLEET_DRY_RUN_ONLY: false
+ before_script:
+ - apt-get -qq update
+ - apt-get install -y jq=1.6-2.1
+ script:
+ - >
+ FLEET_VERSION="$(curl "$FLEET_URL/api/v1/fleet/version" --header "Authorization: Bearer $FLEET_API_TOKEN" --fail --silent | jq --raw-output '.version')"
+ - >
+ if [[ -n "$FLEET_VERSION" ]] ; then
+ npm install -g "fleetctl@$FLEET_VERSION" || npm install -g fleetctl
+ else
+ echo "Failed to get Fleet version from $FLEET_URL, installing latest version of fleetctl"
+ npm install -g fleetctl
+ fi
+ - fleetctl config set --address $FLEET_URL --token $FLEET_API_TOKEN
+ - ./gitops.sh
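Review bot: The added `|| npm install -g fleetctl` on the changed line silently replaces the version-pinned install with whatever `latest` the npm registry serves, so a transient registry error or an unpublished `fleetctl@$FLEET_VERSION` quietly yields a CLI that may not match the server version the step just looked up, while the `else` branch two lines below still logs when it does the same thing. Make the fallback visible in the job output: `npm install -g "fleetctl@$FLEET_VERSION" || { echo "fleetctl@$FLEET_VERSION not installable, falling back to latest fleetctl"; npm install -g fleetctl; }`. The same construct is repeated verbatim in the new `.gitlab-ci.yml` script and should get the same treatment there. The enclosing `run:` step starts before the hunk, and the `fi` closing this `if` is not within the hunk as shown.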
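Review bot: `apt-get install -y jq=1.6-2.1` in `before_script` pins jq to a single Debian package revision while `image: node:22` is a floating tag whose base release can change on rebuild, so the job will start failing with an apt "version not found" error the day the tag moves to a base that ships a different jq; either pin the image to the base the pin was taken from (a release-suffixed tag or a digest) or drop the `=1.6-2.1` suffix. The line `fleetctl config set --address $FLEET_URL --token $FLEET_API_TOKEN` leaves both variables unquoted, unlike the curl line above it; `fleetctl config set --address "$FLEET_URL" --token "$FLEET_API_TOKEN"` avoids word splitting. If the runner's shell is started with `set -eo pipefail`, which I cannot confirm from this file, a `curl --fail` error makes the `FLEET_VERSION=` assignment exit non-zero and aborts the job before the `if [[ -n "$FLEET_VERSION" ]]` fallback can run, so that fallback path is likely dead on GitLab. `FLEET_DRY_RUN_ONLY: true` and `false` are YAML booleans where CI variables are strings; writing `"true"` and `"false"` avoids relying on coercion.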
diff --git a/README.md b/README.md
index 8e661cf..3fff2b2 100644
--- a/README.md
+++ b/README.md
@@ -10,12 +10,38 @@ How to set up your GitOps workflow:
 3. Make any changes to policies, queries, controls, and more defined in the files.
-4. Create your own GitHub repository.
+4. [Set up on GitHub](#use-github) or [set up on GitLab](#use-gitlab).
-5. Add `FLEET_URL` and `FLEET_API_TOKEN` secrets to your new repository's secrets. Learn how [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). Set `FLEET_API_TOKEN` to an API token for an API-only user in Fleet. Learn how [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user).
+## Set up on GitHub {#use-github}
-6. Push your cloned and modified code to your repo.
+1. Create your own GitHub repository.
-7. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit, the action will run and update Fleet.
+2. Add `FLEET_URL` and `FLEET_API_TOKEN` secrets to your new repository's secrets. Learn how [here](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). Set `FLEET_API_TOKEN` to an API token for an API-only user in Fleet. Learn how [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user).
+
+3. Add `FLEET_GLOBAL_ENROLL_SECRET` secret to your new repository's secrets. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters.
+ - If you have a Premium Fleet license, also add `FLEET_WORKSTATIONS_ENROLL_SECRET` and `FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET`.
+
+4. Delete `.gitlab-ci.yml`, which is for GitLab CI/CD.
+
+5. Push your cloned and modified code to your repo.
+
+6. In GitHub, enable the `Apply latest configuration to Fleet` GitHub Actions workflow, and run workflow manually. Now, when anyone pushes a new commit to the default branch, the action will run and update Fleet. For pull requests, the workflow will do a dry run only.
+
+## Set up on GitLab {#use-gitlab}
+
+1. Create your own GitLab repository.
+
+2. Add `FLEET_URL` and `FLEET_API_TOKEN` as masked CI/CD variables. Learn how [here](https://docs.gitlab.com/ee/ci/variables/#define-a-cicd-variable-in-the-ui). Set `FLEET_URL` to your Fleet instance's URL (ex. https://organization.fleet.com). Set `FLEET_API_TOKEN` to an API token for an API-only user in Fleet. Learn how [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user).
+
+3. Add `FLEET_GLOBAL_ENROLL_SECRET` secret as a masked CI/CD variable. The enroll secret must be an alphanumeric string of at least 32 and at most 255 characters.
+ - If you have a Premium Fleet license, also add `FLEET_WORKSTATIONS_ENROLL_SECRET` and `FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET`.
+
+4. Delete `.github` folder, which is for GitHub Actions.
+
+5. Push your cloned and modified code to your repo.
+
+6. Now, when anyone pushes a new commit to the default branch, the pipeline will run and update Fleet. For merge requests, the pipeline will do a dry run only.
+
+## Configuration options
 For all configuration options, go to [GitOps reference](https://fleetdm.com/docs/using-fleet/gitops) in the Fleet documentation.