idea: Credential plugin for kubectl

[sczizzo]

This isn't really mergeable, but after chatting with Sasha last week I wanted to submit this code just to provide some ideas about UX improvements around Teleport's Kubernetes integration. Presented here is an ExecCredential plugin, which our users run in place of tsh, providing more transparent Kubernetes integration.

I imagine most users today are using tsh login to fetch credentials and rewrite their kubeconfig out-of-band. The script provided here flips this model on its head, so that kubectl executes tsh login and presents credentials without actually modifying the kubeconfig (after it's been bootstrapped).

There are three commands here:

• bootstrap: Used once to inject the appropriate kubeconfig
• logout: Used to explicitly expire credentials
• creds: Runs tsh login if necessary, outputs credentials

Using a plugin like this, users who only need Teleport for Kubernetes access can basically forget that tsh exists. There's no longer any need for us to train users on Teleport; the shim creates/rotates credentials as necessary.

It also fixes an issue we had with tsh, which mangles kubeconfigs that use ExecCredentials. My hunch here is that the client-go version used by tsh is simply old and doesn't support ExecCredentials.

The change as submitted here is likely inappropriate for most consumers, especially being written in Ruby. We've made quite a few assumptions to suit our environment, and the expiry logic is not entirely sound (thus the logout command).

That said, I think the basic idea is sound, but there would be some work to rewrite this: integrate into tsh and generalize the logic a bit.

Some relevant links around the client-go credential plugins:

• https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
• External client-go credential providers kubernetes/enhancements#541
• proposal: external client-go auth providers kubernetes/community#1503
• client-go: add an exec-based client auth provider kubernetes/kubernetes#59495

[gravitational-jenkins]

Can one of the admins verify this patch?

[klizhentas]

Thanks! @awly can you take a look at what's the best possible way to handle this in the upcoming release?

[klizhentas]

may be 5.0?

[awly]

Great timing, we were just chatting about this with the team! cc @webvictim @benarent
I agree that it's a better way to interact with kubectl, but we should build the logic into tsh itself. It would be more convenient than asking users to download extra scripts. Will definitely read through your implementation to make sure we meet your needs.
I filed #3691 to track this.

@klizhentas agree, 5.0 seems like a good target. I have several other ideas on improving the k8s UX, we could bundle them all together for 5.0.

[awly]

Thanks again for the PR @sczizzo !
The UX is pretty much how we want it. But we should build this into the tsh binary to avoid the overhead of distributing a standalone ruby script and documenting how to install ruby on users' systems.

We'll use this implementation as inspiration for #3691.