Teleport: Long lived kubeconfig for trusted clusters?

Created on 30 Sep 2020  路  5Comments  路  Source: gravitational/teleport

Is it possible to use tctl auth sign --format kubernetes on a "main cluster" to generate a kubeconfig for a "trusted / leaf / remote cluster" that's connected to the main cluster tctl is being run on?

2985 mentions trusted clusters, but the feature added in #2825 doesn't mention how to generate a long-lived kubeconfig for a leaf cluster.

kubernetes

Most helpful comment

@cnelson yep, that looks roughly correct.
We can polish it during review if you open a PR :ok_hand:

All 5 comments

@cnelson it's not possible right now, but I agree that we should support this.
For now you'll have to run tctl auth sign on the leaf cluster.

Our roadmap for 4.4/5.0/5.1 is pretty loaded right now, we can't work on this in the near future.
A PR is always welcome though!

I guess the biggest issue is for leaf clusters that don't have an endpoint exposed to the world. We'd need to expose some logic for setting RouteToCluster in the certificate metadata.

@awly thanks for letting me know I wasn't missing something stupid here :)

@webvictim Yes this is exactly my use case here -- the leaf cluster is only accessible via the main cluster.

@awly Obviously this would need tests, docs, etc. But if I were to submit a PR to add this feature, is this generally the right approach?

https://github.com/gravitational/teleport/compare/master...cultivateai:feat/auth-sign-k8s-leaf?expand=1

@cnelson yep, that looks roughly correct.
We can polish it during review if you open a PR :ok_hand:

Was this page helpful?
0 / 5 - 0 ratings

Related issues

kimlisa picture kimlisa  路  4Comments

webvictim picture webvictim  路  3Comments

tomberek picture tomberek  路  5Comments

aashley picture aashley  路  4Comments

binoue picture binoue  路  3Comments