
feat(scripts): T-5.4 Bootstrap Script v2.0 with Smart Selection #102

Merged: obtFusi merged 1 commit into main from feature/t-5.4-bootstrap-script on Jan 25, 2026

Conversation

@obtFusi (Collaborator) commented Jan 25, 2026

Summary

  • Updates bootstrap-new-client.ps1 for v3.6 Smart Certificate Selection

  • Adds security improvements: Setup-Key redaction, REVOKE warning, verification docs

  • Documentation is not needed

(Internal script update, no public API changes)

Changes

  • Smart Selection v3.6: Uses machine_cert_template_name + machine_cert_san_must_match instead of hardcoded thumbprint
  • REVOKE Warning: Prominent security box at script end reminding to revoke Setup-Key in Dashboard
  • Secret Redaction: Setup-Key shown as ****-****-****-****-XXXX (only last 4 chars visible)
  • Security Docs: Added in .NOTES section:
    • SHA256 checksum verification instructions
    • Authenticode signing instructions
    • Setup-Key handling best practices

Test Evidence (Windows VM WhatIf Mode)

Configuration:
  Domain:    test.local
  DC:        192.168.100.20
  Setup-Key: ****-****-****-****-7890
  Template:  NetBirdMachineTunnel

Step 3: Verifying DC Connectivity via Tunnel
  Testing LDAP (port 389)... [OK] OK
  Testing Kerberos (port 88)... [OK] OK
  Testing DNS (port 53)... [OK] OK
[OK] All required DC ports reachable via tunnel

Step 8: Completing Bootstrap
  SECURITY ACTION REQUIRED
  REVOKE the Setup-Key in NetBird Dashboard immediately!
  Setup-Key used: ****-****-****-****-7890

DoD Checklist

  • Script with all 8 steps
  • DC connectivity check before join
  • NTP sync before join (Kerberos)
  • Smart Selection config (no thumbprint)
  • Warning: "REVOKE setup-key!"
  • Error handling for each step
  • Integration test: WhatIf mode on Windows VM
  • No secrets in logs (Setup-Key redacted)
  • Script signature via Authenticode (documented)
  • Document checksum verification

Closes #50

🤖 Generated with Claude Code
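The "Smart Selection (no thumbprint)" item above is worth spelling out, because a pinned thumbprint identifies one certificate instance and silently breaks on the first renewal, while a template name plus a SAN constraint binds the selection to issuance policy and machine identity. The following PowerShell is an added illustration of what machine_cert_template_name + machine_cert_san_must_match mean in practice; it is not the project's bootstrap-new-client.ps1 and not the consumer of that config. Assumptions: the certificate is in Cert:\LocalMachine\My, the template is NetBirdMachineTunnel and the domain is test.local (both from the PR's test configuration), and the machine is running Windows PowerShell 5.1 or PowerShell 7 on Windows. The extension OIDs and the "Template=" / "DNS Name=" formatting are Windows behaviour on an English locale.

```powershell
# Added example, not the project's code: select the machine tunnel certificate by
# template and SAN instead of by a hard-coded thumbprint.
Set-StrictMode -Version Latest

$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)
$SanOid          = '2.5.29.17'              # Subject Alternative Name

function Get-CertTemplateId {
    # Returns the v1 template name, or for v2 templates whatever Windows resolves the
    # template OID to: the name when the local machine knows the template (domain-joined),
    # otherwise the raw OID. Before domain join you may therefore only get the OID.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateNameOid) { return $ext.Format($false).Trim() }
        if ($ext.Oid.Value -eq $TemplateInfoOid -and $ext.Format($false) -match 'Template=([^(,]+)') {
            return $Matches[1].Trim()
        }
    }
    return $null
}

function Get-CertSanDnsNames {
    # Parses the SAN extension as Windows formats it: "DNS Name=a.example, DNS Name=b.example".
    # Caveat: a localized Windows (e.g. German) may label the entries differently.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Select-MachineCertificate {
    param(
        [Parameter(Mandatory)][string]$TemplateName,   # machine_cert_template_name
        [Parameter(Mandatory)][string]$RequiredSan,    # machine_cert_san_must_match
        [string]$TemplateOid = '',                     # optional fallback when the name does not resolve
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    $candidates = @(Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ((Get-CertTemplateId -Cert $_) -in @($TemplateName, $TemplateOid)) -and
        ((Get-CertSanDnsNames -Cert $_) -contains $RequiredSan)
    })
    if ($candidates.Count -eq 0) {
        throw "No valid certificate from template '$TemplateName' with SAN '$RequiredSan' in $StorePath"
    }
    # A renewed certificate coexists with the one it replaces; prefer the longest-lived one.
    $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
}

# Usage (template and domain from the PR's WhatIf configuration; adjust for your environment)
$expectedSan = ('{0}.{1}' -f $env:COMPUTERNAME, 'test.local').ToLower()
$cert = Select-MachineCertificate -TemplateName 'NetBirdMachineTunnel' -RequiredSan $expectedSan
'Selected {0} (thumbprint {1}, valid until {2:u})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

The thumbprint is still printed, but as an output of the selection rather than an input to it, so the same configuration keeps working across renewals. Two things to keep in mind: the SAN check is a case-insensitive string match against the DNS entries only (no wildcard logic), and if the bootstrap runs before the machine can resolve template OIDs, pass the template OID via -TemplateOid as well.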

- Update to v2.0.0 with Smart Cert Selection (no thumbprint needed)
- Add REVOKE Setup-Key warning at script end (Step 8)
- Redact Setup-Key in logs (show only last 4 chars: ****-****-****-****-XXXX)
- Add security documentation in .NOTES:
  - SHA256 checksum verification instructions
  - Authenticode signing instructions
  - Setup-Key handling best practices
- Step 7 now uses machine_cert_template_name + machine_cert_san_must_match
- Remove hardcoded thumbprint requirement

Tested on Windows VM in WhatIf mode - all 8 steps execute correctly.

Closes #50

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
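The three operational safeguards the PR lists (Setup-Key redaction, the DC port probe from Step 3, and the SHA256/Authenticode verification documented in .NOTES) are small enough to show end to end. This is an added PowerShell example, not the project's script; the DC address, ports and last-4 key digits are taken from the PR's test evidence, the setup key itself is a constructed placeholder, and the expected hash would come from wherever the project publishes it, which this page does not show.

```powershell
# Added example, not the project's bootstrap-new-client.ps1.
Set-StrictMode -Version Latest

function Get-RedactedSetupKey {
    # Fixed-width mask: only the final 4 characters survive, and the mask does not
    # reveal the real key's length, so it is safe to write to logs and to the console.
    param([Parameter(Mandatory)][string]$SetupKey)
    $tail = $SetupKey.Substring([Math]::Max(0, $SetupKey.Length - 4))
    return "****-****-****-****-$tail"
}

function Test-DcConnectivity {
    # TCP connect probes to the ports the bootstrap needs before a domain join.
    # Caveat: this proves reachability only; it does not bind to LDAP, and UDP 53/88 are
    # not exercised, so a DC behind a TCP-only filter could still fail Kerberos over UDP.
    param(
        [Parameter(Mandatory)][string]$DcAddress,
        [int]$TimeoutMs = 3000
    )
    $ports   = [ordered]@{ LDAP = 389; Kerberos = 88; DNS = 53 }
    $results = [ordered]@{}
    foreach ($name in $ports.Keys) {
        $port   = $ports[$name]
        $client = [System.Net.Sockets.TcpClient]::new()
        $ok     = $false
        try {
            # Task.Wait(timeout) returns $false on timeout and throws on connection errors
            $ok = $client.ConnectAsync($DcAddress, $port).Wait($TimeoutMs) -and $client.Connected
        } catch { $ok = $false }
        finally { $client.Dispose() }
        $results[$name] = $ok
        Write-Host ('  Testing {0} (port {1})... {2}' -f $name, $port, $(if ($ok) { '[OK]' } else { '[FAIL]' }))
    }
    return $results
}

function Test-ScriptIntegrity {
    # Checksum first (pins the exact bytes you reviewed), then Authenticode (pins the publisher
    # and detects later tampering). Both must pass before the script is executed.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256   # obtained out-of-band, never from the same download
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "SHA256 mismatch for ${Path}: expected $ExpectedSha256, got $actual"
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode check failed for ${Path}: $($sig.Status) - $($sig.StatusMessage)"
    }
    return $sig.SignerCertificate.Thumbprint
}

# Usage. The key below is a constructed placeholder; the DC address is the PR's test value.
$setupKey = 'PLACEHOLDER-SETUP-KEY-7890'
Write-Host "  Setup-Key: $(Get-RedactedSetupKey -SetupKey $setupKey)"     # ****-****-****-****-7890

$reach = Test-DcConnectivity -DcAddress '192.168.100.20'
if ($reach.Values -contains $false) { throw 'Not all required DC ports are reachable via the tunnel' }
Write-Host '[OK] All required DC ports reachable via tunnel'

# Before running the published script, verify it; replace the hash with the one you were given.
# $signer = Test-ScriptIntegrity -Path .\bootstrap-new-client.ps1 -ExpectedSha256 '<published sha256>'

Write-Warning ("SECURITY ACTION REQUIRED: revoke the Setup-Key in the NetBird Dashboard now (used: {0})" `
    -f (Get-RedactedSetupKey -SetupKey $setupKey))
```

Keep the redacted form for every place the key is echoed, including error messages and -WhatIf output: the PR's own test evidence shows the masked value in both Step 3's configuration block and Step 8's warning, and a single unmasked Write-Host in a catch block would undo the rest.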
github-actions bot added the type:feature (New feature) label Jan 25, 2026
obtFusi merged commit 30d0bdd into main Jan 25, 2026
36 of 40 checks passed

Labels: type:feature (New feature)

Linked issue (closed by this merge): [Task] T-5.4: Deploy: bootstrap-new-client.ps1 Script