Teleport: Implement 'tctl auth sign --type=kubernetes'

Created on 3 Jul 2019  路  4Comments  路  Source: gravitational/teleport

What happened: Trying to run tsh login -i identity_file.pem --proxy teleport.example.com results in error: -i flag cannot be used here - this means that a long-lived certificate (such as those generated for use with automation as per https://gravitational.com/teleport/docs/user-manual/#ssh-certificates-for-automation) can't log into a cluster to get ~/.kube/config updated with Kubernetes credentials.

What you expected to happen: To have a method available to authenticate with the Kubernetes apiserver as well as SSH.

The recommendation from @klizhentas is to implement tctl auth export --kubeconfig which will generate a kubeconfig for the specified user that can be provided to kubectl and used to run operations on the Kubernetes cluster.

How to reproduce it (as minimally and precisely as possible): tsh login -i identity_file.pem --proxy teleport.example.com

Environment:

  • Teleport version (use teleport version): Teleport Enterprise v4.0.0git:v4.0.0-0-gc7f55ac3 go1.12.1
  • Tsh version (use tsh version): Teleport v3.2.6 git:v3.2.6-0-g67b4ddfb go1.11.5
  • OS (e.g. from /etc/os-release): Fedora 29
R3 feature-request kubernetes

Most helpful comment

Any update on when this is getting prioritized?

I noticed its been dropped off the releases. Without this or something similar Teleport is unusable for deploying to Kubernetes clusters using a CI/automation.

All 4 comments

This would be great!

tctl auth export already has --type flag. Perhaps we should add --type=k8s (and also --type=kubernetes).

otherwise you'll end up with incompatible flags, like auth export --kubeconfig --type=host which makes no sense

Any update on when this is getting prioritized?

I noticed its been dropped off the releases. Without this or something similar Teleport is unusable for deploying to Kubernetes clusters using a CI/automation.

Looking into this.
Just a correction on above comments: tctl auth export dumps CA certs and public keys; I think @klizhentas meant tctl auth sign --format=kubernetes instead.

Was this page helpful?
0 / 5 - 0 ratings