What happened: Trying to run tsh login -i identity_file.pem --proxy teleport.example.com results in error: -i flag cannot be used here - this means that a long-lived certificate (such as those generated for use with automation as per https://gravitational.com/teleport/docs/user-manual/#ssh-certificates-for-automation) can't log into a cluster to get ~/.kube/config updated with Kubernetes credentials.
What you expected to happen: To have a method available to authenticate with the Kubernetes apiserver as well as SSH.
The recommendation from @klizhentas is to implement tctl auth export --kubeconfig which will generate a kubeconfig for the specified user that can be provided to kubectl and used to run operations on the Kubernetes cluster.
How to reproduce it (as minimally and precisely as possible): tsh login -i identity_file.pem --proxy teleport.example.com
Environment:
teleport version): Teleport Enterprise v4.0.0git:v4.0.0-0-gc7f55ac3 go1.12.1tsh version): Teleport v3.2.6 git:v3.2.6-0-g67b4ddfb go1.11.5Fedora 29This would be great!
tctl auth export already has --type flag. Perhaps we should add --type=k8s (and also --type=kubernetes).
otherwise you'll end up with incompatible flags, like auth export --kubeconfig --type=host which makes no sense
Any update on when this is getting prioritized?
I noticed its been dropped off the releases. Without this or something similar Teleport is unusable for deploying to Kubernetes clusters using a CI/automation.
Looking into this.
Just a correction on above comments: tctl auth export dumps CA certs and public keys; I think @klizhentas meant tctl auth sign --format=kubernetes instead.
Most helpful comment
Any update on when this is getting prioritized?
I noticed its been dropped off the releases. Without this or something similar Teleport is unusable for deploying to Kubernetes clusters using a CI/automation.