-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement 'tctl auth sign --type=kubernetes' #2825
Comments
This would be great! |
otherwise you'll end up with incompatible flags, like |
Any update on when this is getting prioritized? I noticed its been dropped off the releases. Without this or something similar Teleport is unusable for deploying to Kubernetes clusters using a CI/automation. |
Looking into this. |
There are two new ways you can generate a kubeconfig: - `tctl auth sign --user=foo --format=kubernetes --out=kubeconfig` for admins - `tsh login --format=kubernetes -o kubeconfig` for users This allows admins to generate long-lived kubeconfigs for e.g. CI systems. A tricky part is getting the kubernetes endpoint for a proxy in `tctl`. It does its best to guess the address, but falls back to asking user to pass `--proxy` flag. It looks like right now, the proxy info available via the auth server's API doesn't have kubernetes public_addr for proxies. Fixes #2825
There are two new ways you can generate a kubeconfig: - `tctl auth sign --user=foo --format=kubernetes --out=kubeconfig` for admins - `tsh login --format=kubernetes -o kubeconfig` for users This allows admins to generate long-lived kubeconfigs for e.g. CI systems. A tricky part is getting the kubernetes endpoint for a proxy in `tctl`. It does its best to guess the address, but falls back to asking user to pass `--proxy` flag. It looks like right now, the proxy info available via the auth server's API doesn't have kubernetes public_addr for proxies. Fixes #2825
There are two new ways you can generate a kubeconfig: - `tctl auth sign --user=foo --format=kubernetes --out=kubeconfig` for admins - `tsh login --format=kubernetes -o kubeconfig` for users This allows admins to generate long-lived kubeconfigs for e.g. CI systems. A tricky part is getting the kubernetes endpoint for a proxy in `tctl`. It does its best to guess the address, but falls back to asking user to pass `--proxy` flag. It looks like right now, the proxy info available via the auth server's API doesn't have kubernetes public_addr for proxies. Fixes #2825
There are two new ways you can generate a kubeconfig: - `tctl auth sign --user=foo --format=kubernetes --out=kubeconfig` for admins - `tsh login --format=kubernetes -o kubeconfig` for users This allows admins to generate long-lived kubeconfigs for e.g. CI systems. A tricky part is getting the kubernetes endpoint for a proxy in `tctl`. It does its best to guess the address, but falls back to asking user to pass `--proxy` flag. It looks like right now, the proxy info available via the auth server's API doesn't have kubernetes public_addr for proxies. Fixes #2825
There are two new ways you can generate a kubeconfig: - `tctl auth sign --user=foo --format=kubernetes --out=kubeconfig` for admins - `tsh login --format=kubernetes -o kubeconfig` for users This allows admins to generate long-lived kubeconfigs for e.g. CI systems. A tricky part is getting the kubernetes endpoint for a proxy in `tctl`. It does its best to guess the address, but falls back to asking user to pass `--proxy` flag. It looks like right now, the proxy info available via the auth server's API doesn't have kubernetes public_addr for proxies. Fixes #2825
What happened: Trying to run
tsh login -i identity_file.pem --proxy teleport.example.com
results inerror: -i flag cannot be used here
- this means that a long-lived certificate (such as those generated for use with automation as per https://gravitational.com/teleport/docs/user-manual/#ssh-certificates-for-automation) can't log into a cluster to get~/.kube/config
updated with Kubernetes credentials.What you expected to happen: To have a method available to authenticate with the Kubernetes apiserver as well as SSH.
The recommendation from @klizhentas is to implement
tctl auth export --kubeconfig
which will generate a kubeconfig for the specified user that can be provided tokubectl
and used to run operations on the Kubernetes cluster.How to reproduce it (as minimally and precisely as possible):
tsh login -i identity_file.pem --proxy teleport.example.com
Environment:
teleport version
):Teleport Enterprise v4.0.0git:v4.0.0-0-gc7f55ac3 go1.12.1
tsh version
):Teleport v3.2.6 git:v3.2.6-0-g67b4ddfb go1.11.5
Fedora 29
The text was updated successfully, but these errors were encountered: