
Documentation to rotate enroll secrets appears incorrect #25755

Closed
getvictor opened this issue Jan 24, 2025 · 4 comments
Labels: bug (Something isn't working as documented), #g-orchestration (Orchestration product group), :product (Product Design department; shows up on 🦢 Drafting board), ~released bug (This bug was found in a stable release)

Comments

@getvictor (Member) commented Jan 24, 2025

UPDATE: @noahtalerman: Opened a PR to remove the outdated docs here: #26999


https://fleetdm.com/docs/configuration/agent-configuration#options-and-command-line-flags:~:text=How%20to%20rotate%20enroll%20secrets%3A

The documentation states to run SELECT * FROM orbit_info WHERE enrolled = false to see if the enroll secret is stale.

Looking at the code, Orbit is enrolled as long as it has a valid secret-orbit-node-key.txt file, which is created at original enrollment. If that file is deleted or corrupted, Orbit will need to re-enroll. There is no way to tell whether the original enroll secret has expired. But we could add logic to check and/or update it.

Also, that brings up the question of whether we should be rotating the orbit node key.
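The enrolled-versus-node-key relationship described in the comment above, as an added toy simulation that is not Fleet or Orbit code (Server, Host, Enroll, Rotate and CheckIn are assumed names): rotating the enroll secret leaves a host with a valid node key untouched, and the stale secret only matters once secret-orbit-node-key.txt is missing.

```go
package main

import "fmt"

// Server is a toy stand-in for Fleet (added example, not Fleet's code): it
// knows the active enroll secrets and every node key it has issued.
type Server struct {
	EnrollSecrets map[string]bool
	NodeKeys      map[string]bool
	nextKey       int
}

// Host models Orbit: the enroll secret it was installed with, plus the
// contents of secret-orbit-node-key.txt ("" when the file is missing).
type Host struct {
	EnrollSecret string
	NodeKeyFile  string
}

// Enroll exchanges an enroll secret for a node key (what happens at first enrollment).
func (s *Server) Enroll(secret string) (string, error) {
	if !s.EnrollSecrets[secret] {
		return "", fmt.Errorf("enroll failed: secret %q not accepted", secret)
	}
	s.nextKey++
	key := fmt.Sprintf("node-key-%d", s.nextKey)
	s.NodeKeys[key] = true
	return key, nil
}

// Rotate replaces the active enroll secrets; already-issued node keys stay valid.
func (s *Server) Rotate(newSecret string) {
	s.EnrollSecrets = map[string]bool{newSecret: true}
}

// CheckIn: Orbit counts as enrolled while its node key file holds a key the
// server accepts; the enroll secret is consulted only when that file is
// missing or invalid, so a stale secret shows up only at re-enrollment.
func (h *Host) CheckIn(s *Server) (string, error) {
	if h.NodeKeyFile != "" && s.NodeKeys[h.NodeKeyFile] {
		return "enrolled", nil
	}
	key, err := s.Enroll(h.EnrollSecret)
	if err != nil {
		return "unenrolled", err
	}
	h.NodeKeyFile = key
	return "re-enrolled", nil
}
```

Enroll a host, call Rotate, then clear NodeKeyFile to mimic a deleted key file: the host keeps checking in until the file is gone, after which only the rotated secret is accepted.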

@getvictor getvictor added #g-mdm MDM product group #g-orchestration Orchestration product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. bug Something isn't working as documented ~released bug This bug was found in a stable release. and removed #g-mdm MDM product group labels Jan 24, 2025
@lukeheath lukeheath added :product Product Design department (shows up on 🦢 Drafting board) and removed :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. labels Feb 7, 2025
@noahtalerman (Member) commented

Thanks @getvictor!

Looking at the code, Orbit is enrolled as long as it has a valid secret-orbit-node-key.txt file, which is created at original enrollment. If that file is deleted or corrupted, Orbit will need to re-enroll. There is no way to tell whether the original enroll secret has expired. But we could add logic to check and/or update it.

Today, how can I tell that a host won't get updated command_line_flags? (because it enrolled using an old enroll secret)


noahtalerman added a commit that referenced this issue Mar 10, 2025
- Remove rotate enroll secret instructions because they're wrong: #25755
@noahtalerman (Member) commented

FYI @rachaelshaw I assigned myself this bug and the following related bug:

@getvictor (Member, Author) commented

command_line_flags

@noahtalerman I'm not seeing the command_line_flags dependency on enroll secret in the code. I recommend trying this to confirm it works as documented (or not).

rachaelshaw added a commit that referenced this issue Mar 10, 2025
- Remove rotate enroll secret instructions because they're wrong: #25755
- Update contributor docs to simplify: #24309

---------

Co-authored-by: Rachael Shaw <[email protected]>
@fleet-release (Contributor) commented

Docs corrected, bright,
Secrets rotate in the light,
No more shadowed night.
