Periodic infrastructure tasks
Token expiration
During the platform setup, several secrets and tokens are created. To avoid security risks and service disruptions, make sure to monitor and renew them periodically. The list includes:
- GitLab deploy token with read_registry permission (used for container registry access)
- Azure AD Application Registration client secret (used by pipelines)
- InfluxDB API token
- TLS certificates for MQTT/RabbitMQ (if using MQTT)
Depending on your setup, other tokens and secrets might be used. Be sure to also monitor them.
It is recommended to:
- Keep track of all token/secret creation dates and expiration dates
- Set calendar reminders at least 1 month before expiration
- Rotate tokens/secrets before they expire to avoid service interruptions
- Update the corresponding environment variables in GitLab after rotation
- Test the system after rotating any credentials to ensure everything works properly
Warning
Never create tokens without an expiration date, as this creates a security risk. Instead, use reasonable expiration periods (e.g. 1 year) and implement a proper rotation process.
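One way to follow the tracking recommendations above, as an added example that is not part of the original documentation: a small Python audit over a credential inventory that reports entries that have expired, have no expiration date, or fall inside the 1-month reminder window. The inventory dates, the status labels and the 30-day value used for "1 month" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REMINDER_WINDOW = timedelta(days=30)  # assumption: "1 month" taken as 30 days


@dataclass(frozen=True)
class Credential:
    name: str
    created: date
    expires: Optional[date]  # None means no expiration date was set


def classify(cred: Credential, today: date) -> str:
    if cred.expires is None:
        return "NO_EXPIRY"    # the case the warning above forbids
    if cred.expires <= today:
        return "EXPIRED"      # dependent services are likely failing already
    if cred.expires - today <= REMINDER_WINDOW:
        return "ROTATE_NOW"   # inside the reminder window
    return "OK"


def audit(inventory, today):
    """Return (status, name, days_left) for entries needing action, most urgent first."""
    order = {"EXPIRED": 0, "NO_EXPIRY": 1, "ROTATE_NOW": 2}
    findings = []
    for cred in inventory:
        status = classify(cred, today)
        if status != "OK":
            days = None if cred.expires is None else (cred.expires - today).days
            findings.append((status, cred.name, days))
    return sorted(findings, key=lambda f: (order[f[0]], f[2] or 0))


# Constructed sample inventory: names follow the list above, dates are made up.
INVENTORY = [
    Credential("GitLab deploy token (read_registry)", date(2024, 3, 1), date(2025, 3, 1)),
    Credential("Azure AD app registration client secret", date(2024, 6, 15), date(2025, 6, 15)),
    Credential("InfluxDB API token", date(2024, 1, 10), None),
    Credential("MQTT/RabbitMQ TLS certificate", date(2024, 2, 20), date(2025, 2, 10)),
]

if __name__ == "__main__":
    for status, name, days in audit(INVENTORY, date(2025, 2, 15)):
        left = "n/a" if days is None else f"{days} days"
        print(f"{status:<10} {name} ({left})")
```

Running it on a schedule, for example from a scheduled pipeline, and failing the job when `audit` returns any finding turns the calendar reminder into an enforced check.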