Is it possible to use tctl auth sign --format kubernetes on a "main cluster" to generate a kubeconfig for a "trusted / leaf / remote cluster" that's connected to the main cluster tctl is being run on?
@cnelson it's not possible right now, but I agree that we should support this.
For now you'll have to run tctl auth sign on the leaf cluster.
Our roadmap for 4.4/5.0/5.1 is pretty loaded right now, we can't work on this in the near future.
A PR is always welcome though!
I guess the biggest issue is for leaf clusters that don't have an endpoint exposed to the world. We'd need to expose some logic for setting RouteToCluster in the certificate metadata.
@awly thanks for letting me know I wasn't missing something stupid here :)
@webvictim Yes this is exactly my use case here -- the leaf cluster is only accessible via the main cluster.
@awly Obviously this would need tests, docs, etc. But if I were to submit a PR to add this feature, is this generally the right approach?
https://github.com/gravitational/teleport/compare/master...cultivateai:feat/auth-sign-k8s-leaf?expand=1
@cnelson yep, that looks roughly correct.
We can polish it during review if you open a PR :ok_hand:
Most helpful comment
@cnelson yep, that looks roughly correct.
We can polish it during review if you open a PR :ok_hand: