Long lived kubeconfig for trusted clusters? #4405

Closed
cnelson opened this issue Sep 30, 2020 · 5 comments · Fixed by #4446

Comments

@cnelson
Contributor

cnelson commented Sep 30, 2020

Is it possible to use tctl auth sign --format kubernetes on a "main cluster" to generate a kubeconfig for a "trusted / leaf / remote cluster" that's connected to the main cluster tctl is being run on?

#2985 mentions trusted clusters, but the feature added in #2825 doesn't mention how to generate a long-lived kubeconfig for a leaf cluster.

@awly
Contributor

awly commented Sep 30, 2020

@cnelson it's not possible right now, but I agree that we should support this.
For now you'll have to run tctl auth sign on the leaf cluster.

Our roadmap for 4.4/5.0/5.1 is pretty loaded right now, we can't work on this in the near future.
A PR is always welcome though!

@awly awly added this to the Runway Milestone milestone Sep 30, 2020
@webvictim
Contributor

I guess the biggest issue is for leaf clusters that don't have an endpoint exposed to the world. We'd need to expose some logic for setting RouteToCluster in the certificate metadata.

@cnelson
Contributor Author

cnelson commented Sep 30, 2020

@awly thanks for letting me know I wasn't missing something stupid here :)

@webvictim Yes this is exactly my use case here -- the leaf cluster is only accessible via the main cluster.

@cnelson
Contributor Author

cnelson commented Sep 30, 2020

@awly Obviously this would need tests, docs, etc. But if I were to submit a PR to add this feature, is this generally the right approach?

https://github.com/gravitational/teleport/compare/master...cultivateai:feat/auth-sign-k8s-leaf?expand=1

@awly
Contributor

awly commented Sep 30, 2020

@cnelson yep, that looks roughly correct.
We can polish it during review if you open a PR 👌
