Manage internal network access compliance

After the device is bootstrapped successfully, the administrator must rotate the network access secrets every three months to keep the device compliant and secure.

Before you begin

Complete the following steps:

  1. Ensure that you meet the laptop prerequisites.
  2. Complete the following actions regarding the gdcloud command-line interface (CLI) tools:
    1. Download the gdcloud CLI tools.
    2. Install the gdcloud CLI tools.
    3. Upgrade the gdcloud CLI tools as required.

Rotate the network access secrets

To rotate network access secrets, complete the following steps on the bootstrapper machine:

  1. Connect a bootstrapper machine to port 12 of the switch.
  2. Set up the bootstrapper IPs:

    gdcloud appliance system network init \
      --config CELLCONFIG \
      --data-interface DATA_INTERFACE


    Replace the following:

    • CELLCONFIG: the path to the cellconfig generated after configuring the appliance.
    • DATA_INTERFACE: the network interface name on the bootstrapper connected to port 12 of the switch.
  3. Rotate the TLS certificate on the switch:

    gdcloud appliance rotate switch-certificate \
      --kubeconfig KUBECONFIG


    Replace KUBECONFIG with the path to the kubeconfig for the root admin cluster saved during the emergency credentials setup.

    The certificate generated by this command is valid for three months and is not renewed automatically; it is renewed only when you rotate it again using the preceding command. Keep track of the date when you rotated the TLS certificate so that you know when to repeat this process, and generate a new certificate every three months. If the TLS certificate is not rotated within three months, the network secret rotation fails, and so does the appliance upgrade.

  4. Rotate all login passwords on the switch:

    gdcloud appliance rotate switch-credentials \
      --kubeconfig KUBECONFIG