Documentation to rotate enroll secrets appears incorrect #25755
Labels
bug
Something isn't working as documented
#g-orchestration
Orchestration product group
:release
Ready to write code. Scheduled in a release. See "Making changes" in handbook.
~released bug
This bug was found in a stable release.
https://fleetdm.com/docs/configuration/agent-configuration#options-and-command-line-flags:~:text=How%20to%20rotate%20enroll%20secrets%3A
The documentation states to run
`SELECT * FROM orbit_info WHERE enrolled = false`
to see if the enroll secret is stale.
Looking at the code, Orbit is enrolled as long as it has a valid `secret-orbit-node-key.txt` file, which is created at original enrollment. If that file is deleted or corrupted, Orbit will need to re-enroll. There is no way to tell whether the original enroll secret has expired. But we could add logic to check and/or update it.
Also, that brings up the question of whether we should be rotating the orbit node key.