After the device is bootstrapped successfully, the administrator must rotate the secrets every three months to ensure that the device is compliant and secure.
Before you begin
Complete the following steps:
- Ensure that you meet the laptop prerequisites.
- Complete the following actions regarding the gdcloud command-line interface (CLI) tools:
Rotate the network access secrets
To rotate network access secrets, complete the following steps on the bootstrapper machine:
- Connect a bootstrapper machine to port 12 of the switch.
- Set up the bootstrapper IPs:

  gdcloud appliance system network init \
      --config CELLCONFIG \
      --data-interface DATA_INTERFACE

  Replace the following:
  - CELLCONFIG: the path to the cellconfig generated after configuring the appliance.
  - DATA_INTERFACE: the name of the network interface on the bootstrapper that is connected to port 12 of the switch.
- Rotate the TLS certificate on the switch:

  gdcloud appliance rotate switch-certificate \
      --kubeconfig KUBECONFIG

  Replace KUBECONFIG with the path to the kubeconfig for the root admin cluster that you saved during the emergency credentials setup.

  The certificate that you generate is valid for three months and is not renewed until you manually rotate it using the preceding command. Record the date on which you rotated the TLS certificate so that you know when to repeat this process, and generate a new certificate every three months. If the TLS certificate is not rotated every three months, both network secret rotation and upgrades will fail.
- Rotate all login passwords on the switch:

  gdcloud appliance rotate switch-credentials \
      --kubeconfig KUBECONFIG
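The steps above are easy to run once and hard to remember ninety days later, and the page itself says the rotation date has to be tracked by hand. The following wrapper script is an added example, not part of the Google Distributed Cloud documentation or the gdcloud tool: it checks the inputs the commands need before anything touches the switch, runs the three commands from this page in order, and records the rotation time in a state file so that a later run can report whether the certificate is due. The state file, the 90-day approximation of "three months", and the GDCLOUD variable (which lets the gdcloud binary be replaced for testing) are assumptions of this example and do not appear on the page.

```shell
#!/bin/sh
# Added example: wraps the switch secret rotation procedure from this page and
# tracks when the TLS certificate was last rotated. Not part of the GDC docs.

GDCLOUD="${GDCLOUD:-gdcloud}"   # assumption: override to stub the binary in tests
ROTATION_PERIOD_DAYS=90         # assumption: "every three months" taken as 90 days

# Check the inputs the page's commands need. Returns 0 if all are present,
# 1 otherwise with the reason on stderr. The interface check is only
# performed where the kernel exposes /sys/class/net.
check_prereqs() {
  cellconfig="$1"; kubeconfig="$2"; data_iface="$3"
  [ -r "$cellconfig" ] || { echo "cellconfig not readable: $cellconfig" >&2; return 1; }
  [ -r "$kubeconfig" ] || { echo "kubeconfig not readable: $kubeconfig" >&2; return 1; }
  if [ -d /sys/class/net ] && [ ! -e "/sys/class/net/$data_iface" ]; then
    echo "data interface not found: $data_iface" >&2; return 1
  fi
  return 0
}

# Write the current time (epoch seconds) to the state file.
record_rotation() {
  date +%s > "$1"
}

# Whole days since the recorded rotation; a very large number if no record exists,
# so that a forgotten or missing record is treated as overdue.
days_since_rotation() {
  if [ -r "$1" ]; then
    last=$(cat "$1")
    now=$(date +%s)
    echo $(( (now - last) / 86400 ))
  else
    echo 99999
  fi
}

# Returns 0 (true) when the certificate is due for rotation.
rotation_due() {
  [ "$(days_since_rotation "$1")" -ge "$ROTATION_PERIOD_DAYS" ]
}

# Step 2 from the page: bring up the bootstrapper IPs toward port 12.
init_network() {
  "$GDCLOUD" appliance system network init \
      --config "$1" \
      --data-interface "$2"
}

# Step 3 from the page: rotate the switch TLS certificate, then record the date
# only if the command succeeded.
rotate_switch_certificate() {
  "$GDCLOUD" appliance rotate switch-certificate --kubeconfig "$1" || return 1
  record_rotation "$2"
}

# Step 4 from the page: rotate all switch login passwords.
rotate_switch_credentials() {
  "$GDCLOUD" appliance rotate switch-credentials --kubeconfig "$1"
}

# Full procedure: CELLCONFIG KUBECONFIG DATA_INTERFACE STATE_FILE
main() {
  check_prereqs "$1" "$2" "$3" || exit 1
  echo "last rotation: $(days_since_rotation "$4") day(s) ago"
  init_network "$1" "$3" || exit 1
  rotate_switch_certificate "$2" "$4" || exit 1
  rotate_switch_credentials "$2" || exit 1
  echo "rotation recorded in $4; next due in $ROTATION_PERIOD_DAYS days"
}

if [ "$#" -eq 4 ]; then
  main "$@"
else
  echo "usage: $0 CELLCONFIG KUBECONFIG DATA_INTERFACE STATE_FILE" >&2
fi
```

Run it from the bootstrapper with the same four values you would pass to the commands above; running `rotation_due STATE_FILE` from a cron job or a shell prompt answers the "is it time yet" question without touching the switch, and a missing state file is deliberately reported as due rather than as fresh.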