Run gitops.sh with a team gitops role

[dherder]

• prospect-hubble: Slack thread: https://fleetdm.slack.com/archives/C0740213DPT/p1732049938290629
• @noahtalerman: User requested this because TODO
  • @username: In the interim TODO
  • @username: Eventually TODO

---

[noahtalerman]

Problem

From prospect-hubble:
"we wanted to setup GitOps where the action was only actioning team resources / config."

Right now, when running gitops.sh with a team specific gitops user, the following error is encountered:
fleetctl gitops -f ./default.yml -f ./teams/endpoint-qa.yml -f ./teams/endpoint.yml -f ./teams/no-team.yml --dry-run
Error: GET /api/latest/fleet/config received status 403 forbidden: forbidden
Error: Process completed with exit code 1.

What have you tried?

Defining a global gitops role is the workaround.

Potential solutions

From prospect-hubble:
it (gitops.sh) should determine which one (.yml) is global config by virtue of it being the only yml file with an org_settings top level key. order of -f xxxxx.yml shouldn't really matter. Additionally, if no file with org_settings top-level key is provided, skip configuring global scope and only configure teams. That logic makes more sense to me!

In order to support this, fleetctl would need changes in addition to the gitops actions (github and gitlab) required to not set the global config, only the team config.