Skip to content

Variables in scripts and profiles: Update language#39253

Open
noahtalerman wants to merge 2 commits intomainfrom
noahtalerman-patch-73
Open

Variables in scripts and profiles: Update language#39253
noahtalerman wants to merge 2 commits intomainfrom
noahtalerman-patch-73

Conversation

@noahtalerman
Copy link
Member

@noahtalerman noahtalerman commented Feb 3, 2026

Clean up and simplify language not that we're pointing to this section of the guide from Fleet's best practice GitOps: https://github.com/fleetdm/fleet-gitops/pull/91/files#diff-391be63d86ca0541cef3ee2c9302c75c391f294e4e8466af9c15d19137480fd1R13

@noahtalerman
Variables in scripts and profiles: Update language
d9b8f88 
Clean up and simplify language not that we're pointing to this section of the guide from Fleet's best practice GitOps: https://github.com/fleetdm/fleet-gitops/pull/91/files#diff-391be63d86ca0541cef3ee2c9302c75c391f294e4e8466af9c15d19137480fd1R13
noahtalerman
noahtalerman commented Feb 3, 2026
View reviewed changes
articles/secrets-in-scripts-and-configuration-profiles.md
Variables aren't removed on GitOps runs. To remove a variable, delete it on the `Controls` > `Variables` page.
Profiles with variables are not validated during a GitOps dry run because the required variables may not exist or may be incorrect in the Fleet database. As a result, these profiles have a higher chance of failing during a non-dry run. The best practice is to test the script or profile by adding it to Fleet via the UI first.

If a variable's value changes, the profile will be resent to hosts.
Copy link
Member Author

@noahtalerman noahtalerman Feb 3, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If a variable's value changes, the profile will be resent to hosts.
If a variable's value changes, the profile will automatically be resent to hosts.

@getvictor can you please sanity check me here? Is this accurate?

Copy link
Member

@getvictor getvictor Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The language is a little confusing to me because we have FLEET_VAR_* which I think of as variables.

But yes, If a secret variable's ($FLEET_SECRET_*) value changes, the configuration profile will be resent to hosts.

Copy link
Member Author

@noahtalerman noahtalerman Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a FLEET_VAR_* changes, profiles are automatically resent to hosts, right?

Reason we're going with "variables" here is because that's what we call both FLEET_VAR_* and FLEET_SECET_* when talking with users/customers. That's also what both are called in the UI. "You can use a Fleet variable for secrets."

Copy link
Member

@getvictor getvictor Feb 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, I don't think we can make a blanket statement for all FLEET_VAR_*
I think we need a matrix for supported profiles (macOS, DDM, Windows, Android profiles, Android certificates), which ones are supported for those profiles, and which ones get resent (per host, in some cases), when they change.

noahtalerman
noahtalerman commented Feb 3, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@getvictor getvictor getvictor left review comments

@mike-j-thomas mike-j-thomas Awaiting requested review from mike-j-thomas

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@noahtalerman @getvictor