Currently you can create a join token for a trusted cluster dynamically:

```shell
$ tctl nodes add --roles=trustedcluster
```
There are two problems with it.
## Problem 1

It works, but the UX makes no sense:

```
The invite token: 29f22439aa2083072b68bd58f0895812
Run this on the new node to join the cluster:
> teleport start --roles=trustedcluster --token=29f22439aa2083072b68bd58f0895812 --auth-server=127.0.0.1:3025
Please note:
- This invitation token will expire in 30 minutes
- 127.0.0.1:3025 must be reachable from the new node, see --advertise-ip server flag
```
## Solution

We currently have the `tctl tokens` command (with subcommands). This command must become a truly universal tool to manage invitations.

Below are examples of how it must work:

### Listing Tokens

```
$ tctl tokens ls
Token          Role           Expiry Time (UTC)
-------------- -------------- -----------------
1d29f3c2965e9115f75a0ebc4f26ae35 Trustedcluster 20 Aug 18 19:06 UTC
crazy-token    Proxy,Node     never
0c94532420b37ac6ae7d360f2648caef Signup         20 Aug 18 19:28 UTC
dogs-are-great Trustedcluster never
```
Notes:

- How are these sorted? Can we sort by the creation date? When I create a token, I expect it to be at the top or bottom, not in the middle.
- See how the formatting gets screwed because dynamic tokens are much larger. Can we fix this?
- Let's rename the "Role" column to "Type". The word "role" is now associated with RBAC and users will have a hard time thinking of two types of roles.
- Instead of "Signup" print "User signup".
- Instead of "Trustedcluster" it should be `trusted_cluster`.
- Can we mark static tokens with asterisks, i.e. `crazy-token*`, and then explain in the footnote: `* Static token which can be changed via configuration file only`?
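As an added illustration of the listing notes above (this is not code from the issue or from Teleport itself), a small Go rendering of the proposed `tctl tokens ls` table: rows sorted by creation time, the Token column sized to the longest value so 32-character dynamic tokens no longer break alignment, static tokens marked with an asterisk and footnote, and stored type names mapped to the proposed display names. The `Token` struct, its fields, the convention that a static token has no creation time, and the `NormalizeType`/`RenderTokenList` names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)
// Token is a constructed model of a join token as the proposed `tctl tokens ls` would list it.
type Token struct {
	Value   string
	Type    string    // stored type, e.g. "trustedcluster", "Proxy,Node", "Signup"
	Created time.Time // zero for static tokens, which come only from the config file
	Expires time.Time // zero means "never"
}
// typeNames holds the display names the issue asks for; other stored types are shown unchanged.
var typeNames = map[string]string{"trustedcluster": "trusted_cluster", "signup": "User signup"}
func NormalizeType(t string) string {
	if name, ok := typeNames[strings.ToLower(t)]; ok {
		return name
	}
	return t
}
// RenderTokenList sorts in place by creation time (static first, then oldest to newest),
// widens the Token column to the longest value, and marks static tokens with '*' plus a footnote.
func RenderTokenList(tokens []Token) string {
	sort.SliceStable(tokens, func(i, j int) bool { return tokens[i].Created.Before(tokens[j].Created) })
	width, hasStatic := len("Token"), false
	for _, t := range tokens {
		hasStatic = hasStatic || t.Created.IsZero()
		if n := len(t.Value) + 1; n > width { // +1 leaves room for the '*' marker
			width = n
		}
	}
	var b strings.Builder
	fmt.Fprintf(&b, "%-*s %-15s %s\n", width, "Token", "Type", "Expiry Time (UTC)")
	for _, t := range tokens {
		val, exp := t.Value, "never"
		if t.Created.IsZero() {
			val += "*"
		}
		if !t.Expires.IsZero() {
			exp = t.Expires.UTC().Format("02 Jan 06 15:04 UTC")
		}
		fmt.Fprintf(&b, "%-*s %-15s %s\n", width, val, NormalizeType(t.Type), exp)
	}
	if hasStatic {
		b.WriteString("* Static token which can be changed via configuration file only\n")
	}
	return b.String()
}
```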
### Creating Tokens

This is a new command I am proposing we add. Adding nodes, users and trusted clusters is actually a token creation command. Here's an example:

```shell
# These two commands should be 100% equivalent
$ tctl tokens add --type=user --roles=admin ekontsevoy
$ tctl users add --roles=admin ekontsevoy
```

BTW, this illustrates why tokens must have types, not roles.

Another example:

```shell
# These two commands should be 100% equivalent
$ tctl tokens add --type=node
$ tctl nodes add
```

And finally, creating a trusted cluster:

```shell
# These commands are equivalent (because we allow both values in the resource spec)
$ tctl tokens add --type=trusted_cluster
$ tctl tokens add --type=trustedcluster
```
### Creating Tokens (Output)

See below for the output for adding nodes:

- I removed the reference to `advertise_ip`
- Added the token's TTL to the output

```
# Creating a token for a node invite:
$ tctl nodes add --roles=node
The node invite token: 1676d2330fce29b9952a7c7f652a64dc
This token will expire in 20 minutes
Run this on the new node to join the cluster:
> teleport start --roles=node --token=1676d2330fce29b9952a7c7f652a64dc --auth-server=10.1.1.6:3025
Please note:
- This invitation token will expire in 30 minutes
- 10.1.1.6:3025 must be reachable from the new node
```

```
# Creating a token for a cluster invite:
$ tctl tokens add --type=trusted_cluster
The cluster invite token: 1676d2330fce29b9952a7c7f652a64dc
This token will expire in 20 minutes
Use this token when defining a trusted cluster resource on a remote cluster.
```