Add a .tsh/config file, add support for configuring custom http headers from the config file #10336

Merged
merged 1 commit into from
Mar 23, 2022

@lxea lxea commented Feb 14, 2022

This adds a tsh config file to ~/.tsh/config/config.yaml. It includes support for configuring custom http headers as specified in #9838. Support for the aliases configuration option will be created in a separate PR.

Current supported config file:

add_headers:
  - proxy: "*.example.com"
    headers:
      foo: bar
  - proxy: us-west-1.example.com
    headers:
      baz: qux

Also includes a change to stop tsh logout from blowing all of ~/.tsh away so config files can be retained.

@github-actions github-actions bot added the tsh tsh - Teleport's command line tool for logging into nodes running Teleport. label Feb 14, 2022
@ravicious
Member

How can I test this myself? I wanted to see how tsh behaves when I provide invalid headers, but I wasn't able to send valid headers first.

I created a request bin on requestbin.com, I compiled tsh from your branch, then added ~/.tsh/config/config.yaml with this content:

add_headers:
  - proxy: *
    headers:
      foo: bar
  - proxy: enj0qqqty1z2.x.pipedream.net
    headers:
      baz: quux

When I do ./build/tsh login --proxy=enj0qqqty1z2.x.pipedream.net, I can see that the request to /webapi/ping doesn't include my headers. Maybe that's just an issue with this specific request.

Member

@ravicious ravicious left a comment

I just want to say that I'm new to both Teleport and Go, so I looked at the changes included in this PR just as GitHub shows them to me, but it'd be hard for me to say if there's a place we forgot to add the extra headers to.

Looks good in general, I just have a small question about hardcoding the path.

Also, when do we document such changes? Do other people write docs for them?

@lxea
Contributor Author

lxea commented Feb 14, 2022

How can I test this myself? I wanted to see how tsh behaves when I provide invalid headers, but I wasn't able to send valid headers first.

I created a request bin on requestbin.com, I compiled tsh from your branch, then added ~/.tsh/config/config.yaml with this content:

add_headers:
  - proxy: *
    headers:
      foo: bar
  - proxy: enj0qqqty1z2.x.pipedream.net
    headers:
      baz: quux

When I do ./build/tsh login --proxy=enj0qqqty1z2.x.pipedream.net, I can see that the request to /webapi/ping doesn't include my headers. Maybe that's just an issue with this specific request.

Is there a log at the beginning of the tsh output complaining about the .yaml file format? I think '*' needs to be in quotes.

Currently it just continues, but maybe it should fail if a config file is invalid, I'm not sure which would be preferred.

@ravicious
Member

I scrolled up to see what was the output after running tsh and there was no log related to the error in config.

However, I did git pull and it updated your branch from ce1acad to a1c87ee and now everything works as expected: the extra headers are sent to /webapi/ping. If the config is invalid, tsh prints information about it, although I'm not sure if it should use stdout rather than stderr.

But yeah, I'm also not sure if it should fail if the config file has invalid YAML. I'd ask people more familiar with tsh than me.

In case the header itself is invalid, tsh fails only when making the actual request, but I think that's okay.

tool/tsh/tsh.go Outdated
Comment on lines 603 to 606
confOptions, err := loadConfig()
if err != nil {
fmt.Println("Failed to load tsh config: ", err)
}
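
Review bot: the error branch after loadConfig() reports the failure with fmt.Println, which writes to stdout, and then carries on with confOptions in whatever state the failed call left it. Send the message to stderr (fmt.Fprintln(os.Stderr, ...)) and handle the error kinds separately: a missing file can be treated as an empty config via errors.Is(err, os.ErrNotExist), while a malformed file is worth returning as an error so that configured headers are not silently dropped. Println already separates its operands with a space, so the trailing space in "Failed to load tsh config: " prints two.
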
Member

If I remove the config file completely, tsh logs this message:

Failed to load tsh config: open /Users/rav/.tsh/config/config.yaml: no such file or directory

I'm pretty sure we would like to avoid logging this, right? It seems like having no config file should let tsh continue as if confOptions was nil.

We could take inspiration from kubeconfig.Load:

// Load tries to read a kubeconfig file and if it can't, returns an error.
// One exception, missing files result in empty configs, not an error.
func Load(path string) (*clientcmdapi.Config, error) {

A design decision I don't agree with, but at least the behavior would be consistent across different config files. ;)

Ah yes - sorry didn't see this comment. I guess it's consistent but it's a poor user experience when replacing a binary on a patch change.

@russjones russjones linked an issue Feb 16, 2022 that may be closed by this pull request
@russjones russjones requested a review from r0mant February 17, 2022 01:41
Member

@ravicious ravicious left a comment

I'm not sure about the arg change that I pointed out, but the rest of the code looks fine to me, minus those failing tests.

Leaving an approve so that I don't obstruct your progress there after someone more familiar with the project reviews the PR.

Collaborator

@r0mant r0mant left a comment

Also might be useful to share a dev build with a customer to make sure it addresses their use-case and we didn't miss any requests headers should be injected into.

@lxea
Contributor Author

lxea commented Feb 18, 2022

Also might be useful to share a dev build with a customer to make sure it addresses their use-case and we didn't miss any requests headers should be injected into.

@r0mant This makes sense, I did try to be thorough while trying to find places headers could be inserted from tsh commands.

@lxea lxea force-pushed the lxea/tsh-config branch 3 times, most recently from 37e8151 to 66cb586 Compare February 18, 2022 15:09
@lxea lxea force-pushed the lxea/tsh-config branch 3 times, most recently from 5210182 to c7a29d2 Compare February 28, 2022 09:49
Comment on lines +28 to +30
// .tsh config must go in a subdir as all .yaml files in .tsh get
// parsed automatically by the profile loader and results in yaml
// unmarshal errors.
Collaborator

Can the profile loader be updated to ignore config.yaml file instead?

Contributor Author

It could be but I think this would mean clusters couldn't be named config which doesn't seem ideal

Collaborator

This makes sense. Let me check with the product team on this. I think another option could be to just do something like ~/.tshrc which seems consistent with where e.g. shells keep their preferences and it would have another benefit that we won't have to touch ~/.tsh directory. But let's check with product first.

Collaborator

@lxea We have decided that keeping it under ~/.tsh/config/config.yaml is ok for now. Let's merge this as-is.

@lxea lxea force-pushed the lxea/tsh-config branch from c7a29d2 to c51e76a Compare March 8, 2022 10:49
@lxea lxea force-pushed the lxea/tsh-config branch from c51e76a to f962118 Compare March 23, 2022 12:41
@lxea lxea enabled auto-merge (rebase) March 23, 2022 12:43
@lxea lxea force-pushed the lxea/tsh-config branch from f962118 to bbec705 Compare March 23, 2022 13:09
@lxea lxea force-pushed the lxea/tsh-config branch from bbec705 to d6051b2 Compare March 23, 2022 13:14
@zmb3
Collaborator

zmb3 commented Mar 23, 2022

@lxea please don't forget to open a docs PR documenting this new config file

@endzyme

endzyme commented Mar 30, 2022

When this file is missing the tsh version command returns an error. I would have expected maybe a warning vs an outright failure.

@lxea
Contributor Author

lxea commented Mar 31, 2022

@endzyme This is fixed here: #11495
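
The two behaviours discussed in this thread, the add_headers matching from the PR description and the missing-file handling raised in review and again in the last report, sketched as an added example; this is not code from the PR or from Teleport. The type and function names are hypothetical, glob matching via path.Match is an assumption (the page does not say how proxy patterns are compared), and the decoder is passed in as an Unmarshal-shaped function so the block needs only the standard library.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
)

// ProxyHeaders and Config are hypothetical names mirroring add_headers above.
type ProxyHeaders struct {
	Proxy   string            `json:"proxy" yaml:"proxy"`
	Headers map[string]string `json:"headers" yaml:"headers"`
}
type Config struct {
	AddHeaders []ProxyHeaders `json:"add_headers" yaml:"add_headers"`
}

// loadConfig treats a missing file as an empty Config; other failures are errors.
func loadConfig(file string, decode func([]byte, any) error) (*Config, error) {
	cfg := &Config{}
	data, err := os.ReadFile(file)
	if errors.Is(err, os.ErrNotExist) {
		return cfg, nil // no config file: nothing configured, nothing to report
	}
	if err != nil {
		return nil, fmt.Errorf("read %s: %w", file, err)
	}
	if err := decode(data, cfg); err != nil {
		return nil, fmt.Errorf("parse %s: %w", file, err)
	}
	return cfg, nil
}

// headersFor merges, in file order, each entry whose glob matches proxyHost.
func headersFor(cfg *Config, proxyHost string) (map[string]string, error) {
	out := map[string]string{}
	for _, e := range cfg.AddHeaders {
		ok, err := path.Match(e.Proxy, proxyHost) // assumed matching rule
		if err != nil {
			return nil, fmt.Errorf("proxy pattern %q: %w", e.Proxy, err)
		}
		if ok {
			for k, v := range e.Headers {
				out[k] = v
			}
		}
	}
	return out, nil
}
```

Returning an error for a malformed file, rather than logging and continuing, keeps a typo such as the unquoted `*` above from silently dropping headers that an upstream proxy may require.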
