Add Machine ID support to tsh
#10812
Labels
feature-request
Used for new features in Teleport, improvements to current should be #enhancements
machine-id
Comments
timothyb89 added a commit that referenced this issue on Mar 30, 2022:
This adds a new `identityfile` config template to tbot which generates an identity file from any of the formats supported by `tctl auth sign`. It can be used by specifying one or more formats in the configuration like so:

```yaml
destinations:
  - directory: /foo
    kinds: [ssh, tls]
    configs:
      - identityfile:
          formats: [file]
```

It requires both SSH and TLS certificates to work properly. App, Kubernetes, and Database certs are unlikely to work as they have additional cert requirements that will be added in separate PRs.

Multiple formats can be specified, and each will be written to its own subdirectory within the destination using the name of the format. The particular files written inside this directory depend on the particular format selected, but in the above example, this means a file named `/foo/file/identity` is written. The files all have an `identity` prefix at the moment. This could be made configurable if desired.

The `file` format can be used in conjunction with `tsh -i` and `tctl -i` to use those tools with a tbot-generated identity.

Fixes #10812
timothyb89 added a commit that referenced this issue on Apr 23, 2022:
timothyb89 added a commit that referenced this issue on May 6, 2022:
…11596)

* Add new `identityfile` config template to `tbot`

  This adds a new `identityfile` config template to tbot which generates an identity file from any of the formats supported by `tctl auth sign`. It can be used by specifying one or more formats in the configuration like so:

  ```yaml
  destinations:
    - directory: /foo
      kinds: [ssh, tls]
      configs:
        - identityfile:
            formats: [file]
  ```

  It requires both SSH and TLS certificates to work properly. App, Kubernetes, and Database certs are unlikely to work as they have additional cert requirements that will be added in separate PRs.

  Multiple formats can be specified, and each will be written to its own subdirectory within the destination using the name of the format. The particular files written inside this directory depend on the particular format selected, but in the above example, this means a file named `/foo/file/identity` is written. The files all have an `identity` prefix at the moment. This could be made configurable if desired.

  The `file` format can be used in conjunction with `tsh -i` and `tctl -i` to use those tools with a tbot-generated identity.

  Fixes #10812

* Make identityfile formats first-class config templates

  This promotes most of the important identityfile formats to proper config templates. User-facing `kinds` are removed to reduce confusion and several config templates are now required.

  * The `ssh_client` template is now required and will be added automatically in all cases if not specified.
  * A new required `tls_cas` template is added to always export the current Teleport server CAs in a usable format.
  * A new required `identity` template is added to always export an identity file usable with tsh/tctl.
  * New optional `cockroach`, `mongo`, and `tls` templates can export specifically-formatted TLS certs for various databases and apps.

  Additionally, some other changes were caught during testing:

  * `botfs` now allows users to specify if files should be opened for reading or for writing; previously, written files were never truncated when opened for writing, leading to garbage at the end of files if the length changed. Truncation isn't sane for reading, so the two use-cases are now split.

* Update lib/client/identityfile/identity.go

  Co-authored-by: Jakub Nyckowski <[email protected]>

* Address first batch of review comments

  Tweaked the `botfs.openStandard` and `botfs.openSecure` functions to accept a plain file mode, and removed a ton of boilerplate in `configtemplate.go`.

* Fix problematic nil interface check in configtemplate

* Clarify comment about `client.Key` DB certs

* Address review feedback

  - Use `DatabaseCA` for database-specific templates; make the `tls` template's CA configurable; write the database CA alongside the others.
  - Simplify nil interface check

* Fix outdated var names

Co-authored-by: Jakub Nyckowski <[email protected]>
timothyb89 added a commit that referenced this issue on May 6, 2022:
timothyb89 added a commit that referenced this issue on May 10, 2022:
…11596) (#12500)

* Add new `identityfile` config template to `tbot`

  This adds a new `identityfile` config template to tbot which generates an identity file from any of the formats supported by `tctl auth sign`. It can be used by specifying one or more formats in the configuration like so:

  ```yaml
  destinations:
    - directory: /foo
      kinds: [ssh, tls]
      configs:
        - identityfile:
            formats: [file]
  ```

  It requires both SSH and TLS certificates to work properly. App, Kubernetes, and Database certs are unlikely to work as they have additional cert requirements that will be added in separate PRs.

  Multiple formats can be specified, and each will be written to its own subdirectory within the destination using the name of the format. The particular files written inside this directory depend on the particular format selected, but in the above example, this means a file named `/foo/file/identity` is written. The files all have an `identity` prefix at the moment. This could be made configurable if desired.

  The `file` format can be used in conjunction with `tsh -i` and `tctl -i` to use those tools with a tbot-generated identity.

  Fixes #10812

* Make identityfile formats first-class config templates

  This promotes most of the important identityfile formats to proper config templates. User-facing `kinds` are removed to reduce confusion and several config templates are now required.

  * The `ssh_client` template is now required and will be added automatically in all cases if not specified.
  * A new required `tls_cas` template is added to always export the current Teleport server CAs in a usable format.
  * A new required `identity` template is added to always export an identity file usable with tsh/tctl.
  * New optional `cockroach`, `mongo`, and `tls` templates can export specifically-formatted TLS certs for various databases and apps.

  Additionally, some other changes were caught during testing:

  * `botfs` now allows users to specify if files should be opened for reading or for writing; previously, written files were never truncated when opened for writing, leading to garbage at the end of files if the length changed. Truncation isn't sane for reading, so the two use-cases are now split.

* Update lib/client/identityfile/identity.go

  Co-authored-by: Jakub Nyckowski <[email protected]>

* Address first batch of review comments

  Tweaked the `botfs.openStandard` and `botfs.openSecure` functions to accept a plain file mode, and removed a ton of boilerplate in `configtemplate.go`.

* Fix problematic nil interface check in configtemplate

* Clarify comment about `client.Key` DB certs

* Address review feedback

  - Use `DatabaseCA` for database-specific templates; make the `tls` template's CA configurable; write the database CA alongside the others.
  - Simplify nil interface check

* Fix outdated var names

Co-authored-by: Jakub Nyckowski <[email protected]>
Co-authored-by: Jakub Nyckowski <[email protected]>
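The `botfs` note in the commit messages above describes a real failure mode for any tool that renews credential files in place: if the file is reopened for writing without truncation, a renewal that is shorter than the previous one leaves the old tail behind, and a consumer such as `tsh -i` is then handed a file that is partly stale. The example below is added here to illustrate that, and is not tbot's or Teleport's code: `writeNoTruncate` and `writeTruncate` are hypothetical stand-ins for the before and after behaviour (the `0o600` mode and the `identity` filename are assumptions), the PEM-shaped samples are constructed, and `checkIdentityFile` is a consumer-side check that decodes every PEM block and rejects anything left over after the last one.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Constructed sample identity files (PEM-shaped, not real certificates).
// The second renewal is shorter than the first, which is exactly the case
// the commit message describes.
var (
	longSample  = []byte("-----BEGIN X-----\nQUFBQUFB\n-----END X-----\n")
	shortSample = []byte("-----BEGIN X-----\nQkI=\n-----END X-----\n")
)

// writeNoTruncate reproduces the pre-fix behaviour: the file is opened for
// writing without O_TRUNC, so when the new contents are shorter the tail of
// the previous contents survives on disk. Hypothetical helper, not botfs.
func writeNoTruncate(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE, 0o600) // mode is an assumption
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// writeTruncate is the corrected behaviour: O_TRUNC discards the previous
// contents first, so the file holds exactly the bytes written.
func writeTruncate(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// rewriteAndRead writes first, then second, to a fresh temp file using the
// given writer and returns what the file holds afterwards.
func rewriteAndRead(write func(string, []byte) error, first, second []byte) ([]byte, error) {
	dir, err := os.MkdirTemp("", "identity-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "identity")
	if err := write(path, first); err != nil {
		return nil, err
	}
	if err := write(path, second); err != nil {
		return nil, err
	}
	return os.ReadFile(path)
}

// checkIdentityFile is a consumer-side sanity check: decode every PEM block
// and fail if anything other than whitespace remains. Leftover bytes from an
// un-truncated rewrite show up here. Returns the number of blocks decoded.
func checkIdentityFile(data []byte) (int, error) {
	blocks := 0
	rest := data
	for {
		var b *pem.Block
		b, rest = pem.Decode(rest)
		if b == nil {
			break
		}
		blocks++
	}
	if blocks == 0 {
		return 0, errors.New("no PEM blocks found")
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return blocks, fmt.Errorf("%d trailing bytes after last PEM block: %q", len(rest), rest)
	}
	return blocks, nil
}

func main() {
	writers := map[string]func(string, []byte) error{
		"without O_TRUNC": writeNoTruncate,
		"with O_TRUNC":    writeTruncate,
	}
	for name, w := range writers {
		got, err := rewriteAndRead(w, longSample, shortSample)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		_, checkErr := checkIdentityFile(got)
		fmt.Printf("%s: %d bytes on disk, check: %v\n", name, len(got), checkErr)
	}
}
```

Without `O_TRUNC` the file keeps the old length (43 bytes here) and the check reports the four stale bytes after the final `END` line; with `O_TRUNC` the file is exactly the 39-byte renewal and the check passes. The same trailing-bytes check is cheap to run in whatever consumes a renewed identity file, so a writer regression of this kind is caught at load time rather than as an opaque parse failure later.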
`tsh` currently supports human users by reading credentials from `~/.tsh` or an identity file with the `-i` flag. The Machine ID flow has been heavily geared towards supporting the OpenSSH integration with the `ssh` client. Machine ID should also support `tsh`; this will make it much simpler to use, and you can use the other `tsh` subcommands with Machine ID as well.