Implement 'tctl auth sign --type=kubernetes' #2825

Closed
webvictim opened this issue Jul 3, 2019 · 4 comments · Fixed by #3614
Labels
feature-request Used for new features in Teleport, improvements to current should be #enhancements kubernetes-access

Comments

@webvictim
Contributor

webvictim commented Jul 3, 2019

What happened: Trying to run `tsh login -i identity_file.pem --proxy teleport.example.com` results in `error: -i flag cannot be used here` - this means that a long-lived certificate (such as those generated for use with automation as per https://gravitational.com/teleport/docs/user-manual/#ssh-certificates-for-automation) can't log into a cluster to get `~/.kube/config` updated with Kubernetes credentials.

What you expected to happen: To have a method available to authenticate with the Kubernetes apiserver as well as SSH.

The recommendation from @klizhentas is to implement `tctl auth export --kubeconfig` which will generate a kubeconfig for the specified user that can be provided to kubectl and used to run operations on the Kubernetes cluster.

How to reproduce it (as minimally and precisely as possible): `tsh login -i identity_file.pem --proxy teleport.example.com`

Environment:

  • Teleport version (use teleport version): Teleport Enterprise v4.0.0 git:v4.0.0-0-gc7f55ac3 go1.12.1
  • Tsh version (use tsh version): Teleport v3.2.6 git:v3.2.6-0-g67b4ddfb go1.11.5
  • OS (e.g. from /etc/os-release): Fedora 29
@webvictim webvictim added the feature-request Used for new features in Teleport, improvements to current should be #enhancements label Jul 3, 2019
@sekka1

sekka1 commented Jul 3, 2019

This would be great!

@kontsevoy
Contributor

`tctl auth export` already has `--type` flag. Perhaps we should add `--type=k8s` (and also `--type=kubernetes`).

Otherwise you'll end up with incompatible flags, like `auth export --kubeconfig --type=host`, which makes no sense.

@jamesmaidment

Any update on when this is getting prioritized?

I noticed it's been dropped off the releases. Without this or something similar Teleport is unusable for deploying to Kubernetes clusters using a CI/automation.

@stevenGravy stevenGravy added the R3 label Mar 30, 2020
@russjones russjones added this to the 4.3 Kaizen "Concord" milestone Apr 7, 2020
@awly awly self-assigned this Apr 7, 2020
@awly
Contributor

awly commented Apr 20, 2020

Looking into this.
Just a correction on above comments: `tctl auth export` dumps CA certs and public keys; I think @klizhentas meant `tctl auth sign --format=kubernetes` instead.

@webvictim webvictim changed the title from "Implement 'tctl auth export --kubeconfig'" to "Implement 'tctl auth sign --type=kubernetes'" Apr 21, 2020
awly pushed a commit that referenced this issue Apr 21, 2020
There are two new ways you can generate a kubeconfig:
- `tctl auth sign --user=foo --format=kubernetes --out=kubeconfig` for
  admins
- `tsh login --format=kubernetes -o kubeconfig` for users

This allows admins to generate long-lived kubeconfigs for e.g. CI
systems.

A tricky part is getting the kubernetes endpoint for a proxy in `tctl`.
It does its best to guess the address, but falls back to asking user to
pass `--proxy` flag.
It looks like right now, the proxy info available via the auth server's
API doesn't have kubernetes public_addr for proxies.

Fixes #2825
awly pushed a commit that referenced this issue Apr 23, 2020
awly pushed a commit that referenced this issue Apr 24, 2020
awly pushed a commit that referenced this issue Apr 29, 2020
awly pushed a commit that referenced this issue Apr 30, 2020