Skip to content

Fix README token rotation procedure ordering#26

Merged
jdoss merged 1 commit intomasterfrom
docs/token-rotation-ordering
Apr 9, 2026
Merged

Fix README token rotation procedure ordering#26
jdoss merged 1 commit intomasterfrom
docs/token-rotation-ordering

Conversation

@jdoss
Copy link
Copy Markdown
Contributor

@jdoss jdoss commented Apr 9, 2026

Summary

Rewrite the "Token rotation" section of the README. The previous procedure caused a full secret-lookup outage on a real deployment: restarting `psi-secrets.service` first turned on auth enforcement while every existing Podman secret still had the old curl command (no `Authorization` header) baked into `Spec.Driver.Options`, so every lookup failed with 401 until the final step.

Two facts make ordering load-bearing:

  • Podman caches `containers.conf` at startup, so regenerating `psi.conf` does nothing until `podman.service` restarts.
  • Driver opts are baked into each secret at create time, so existing secrets keep using the old curl command until `psi setup` re-registers them.

The correct order:

  1. Update the config/credential
  2. Regenerate `containers.conf.d/psi.conf` (`psi install` or `--stdout` pipe for container mode)
  3. Restart `podman.service`
  4. Re-run `psi setup` to re-register workload secrets
  5. Manually re-register HSM-backed and podman-only secrets (`psi setup` only touches `config.workloads`)
  6. Restart `psi-secrets.service` last so auth enforcement flips on after every secret has been refreshed

A follow-up will add a `psi rotate-token` command that orchestrates this as a single operation.

Test plan

  • README renders cleanly; cross-reference to the container-mode install section still resolves.
  • No code changes, so no test suite run needed.

@jdoss
Fix README token rotation procedure ordering
78e092a 
The previous rotation steps caused a full secret-lookup outage on a
real deployment: restarting psi-secrets.service first turned on auth
enforcement while every existing Podman secret still had the old curl
command (no Authorization header) baked into Spec.Driver.Options, so
every lookup failed with 401 and dependent services cascade-failed.

The correct order:

1. Update the config/credential
2. Regenerate containers.conf.d/psi.conf (psi install or --stdout pipe)
3. Restart podman.service so the API picks up the new conf
4. Re-run psi setup to re-register every workload secret with the new
   driver opts
5. Manually re-register HSM-backed and podman-only secrets (psi setup
   only touches config.workloads)
6. Restart psi-secrets.service LAST so auth enforcement flips on after
   every secret has been refreshed

Document the ordering requirement explicitly and the reason (Podman
caches containers.conf at startup and secret driver opts are baked in
at create time).
@jdoss jdoss merged commit cf66cbc into master Apr 9, 2026
2 checks passed
@jdoss jdoss deleted the docs/token-rotation-ordering branch April 9, 2026 16:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jdoss