Right now Switch OS credentials are directly taken from the expected switches file, which makes them insecure (everyone can look them up). They should be replaced during ingestion with secure passwords, potentially by switch.
It looks like parts of it are already implemented in
|
async fn handle_rotate_os_password( |
- however the code so far only copies the expected-switch credentials over to Vault but doesn't modify them yet.
Related: #1852 , #1609
Right now Switch OS credentials are directly taken from the expected switches file, which makes them insecure (everyone can look them up). They should be replaced during ingestion with secure passwords, potentially by switch.
It looks like parts of it are already implemented in
infra-controller/crates/switch-controller/src/configuring.rs
Line 47 in 3c5d1af
Related: #1852 , #1609