From 06738bc22430a8271d1e64aeb098a422e32815b1 Mon Sep 17 00:00:00 2001 From: Laurence Date: Mon, 27 Apr 2026 15:53:13 +0100 Subject: [PATCH] enhance(newt): Information about removing key --- manage/sites/configure-site.mdx | 4 ++-- manage/sites/site-provisioning.mdx | 17 ++++++++++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/manage/sites/configure-site.mdx b/manage/sites/configure-site.mdx index 6a40aa4..d4c0077 100644 --- a/manage/sites/configure-site.mdx +++ b/manage/sites/configure-site.mdx @@ -46,13 +46,13 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx"; - Provisioning key from Pangolin (alternative to a `provisioningKey` field inside the config file). Newt exchanges it once for site credentials, then persists `id` and `secret` to the config file and ignores the key on later runs. See [Site provisioning keys](/manage/sites/site-provisioning). + Provisioning key from Pangolin (alternative to a `provisioningKey` field inside the config file). Newt exchanges it once for site credentials, then persists `id` and `secret` to the config file and ignores the key on later runs. This flag is not written into the config file. If you want the key to exist only in the config file and then be removed by Newt after provisioning, use `provisioningKey` in the config file instead. See [Site provisioning keys](/manage/sites/site-provisioning). **Example**: `spk_...` - Path to a JSON file where Newt reads and persists settings (`endpoint`, `id`, `secret`, optional `provisioningKey`, and other options). When you use [site provisioning](/manage/sites/site-provisioning), Newt writes `id` and `secret` into this file after a successful exchange. + Path to a JSON file where Newt reads and persists settings (`endpoint`, `id`, `secret`, optional `provisioningKey`, and other options). When you use [site provisioning](/manage/sites/site-provisioning), Newt writes `id` and `secret` into this file after a successful exchange. If the file contained `provisioningKey`, Newt removes that field when it updates the file. **Example**: `/var/newt.json` diff --git a/manage/sites/site-provisioning.mdx b/manage/sites/site-provisioning.mdx index e510b80..2226a87 100644 --- a/manage/sites/site-provisioning.mdx +++ b/manage/sites/site-provisioning.mdx @@ -49,6 +49,22 @@ newt --config-file /var/newt.json --endpoint https://app.pangolin.net --provisio **After the site is provisioned**, Newt writes the new `id` and `secret` into that config file. On later runs, Newt uses those credentials and ignores the provisioning key (CLI flag or file field), because valid ID and secret are already present. If you used `provisioningKey` in JSON, that entry is removed when the file is updated, so the long-lived token is not left on disk. + +You do not need to edit the config file by hand after successful provisioning. + +- `provisioningKey` in the config file: Newt removes it after provisioning. +- `--provisioning-key`: Newt does not store it in the config file, but your bootstrap method may still leave it elsewhere on the machine. +- If you want Newt to remove the key from the config file after provisioning, put `provisioningKey` in the config file before first run. + + +### Do I need to remove the provisioning key manually? + +Usually, no. + +- In the Newt config file itself, the answer is no: Newt either removes `provisioningKey` or ignores the one-time key once `id` and `secret` are present. +- If you passed the key on the command line, there is no Newt config entry to clean up afterward. +- If you put the key in a startup script, cloud-init file, image, or other bootstrap artifact, remove it there if you do not want it reused. + From there Newt authenticates over the websocket, optionally applies a blueprint if you passed one, then brings the tunnel online. The high-level sequence is summarized below. @@ -144,4 +160,3 @@ Optionally, sites provisioned with a key can be placed into a pending state. The Pending sites listed for admin review -