Open hparr opened 4 years ago
Thank you for your feedback. I have added this to our internal product backlog as AUTOTOOL-2045.
There is a command that can be run on any member that will stay in the group from tmsh:
modify /cm trust-domain devices delete {
This syncs across the entire trust-domain. This command cannot remove itself from the trust domain and must be run from another device that will stay in the trust-domain.
Is your feature request related to a problem? Please describe.
Currently you can declare a device to be trusted with DO, but you cannot remove a device from the trust.
Describe the solution you'd like
A device trust declaration should allow for CRUD operations. You can remove a member from the sync group by reposting the declaration without it listed.
Original
Updated -
There does not appear to be a mechanism to remove a device from the trust
Per Schema we have these options:
Sending a declaration without the device IP listed does not remove it.
We need the ability to remove members from the sync-groups AND the trust. Perhaps
Describe alternatives you've considered
While a user could update via imperative APIs, TMUI, or TMSH - we should not force them to change methods.
Additional context
Note that even once DO has been used to remove a device from the sync group, sending a new declaration for trust with a new peer IP devices does not lead to the device being added to the trust. To repro, set up devices A and B. Use DO to establish trust and cluster between A and B. Then deploy device C. Try to replace B with C. Both full declaration (Trust and Cluster) and partial (Trust) sent to A fail to add device C.
When attempting to replace devices in the Trust -
"Device is already part of a trust-domain.", "Device is already part of a trust-domain."
The item that we need to project is the programmatic management of the cluster and HA model. The actual data plane components should be able to be ephemeral and replaceable.