UX improvements for tbot

[timothyb89]

A last batch of UX tweaks for 9.0:

• rename --renew-interval to --renewal-interval
• add --oneshot mode to fetch one set of certs and exit (client side only, no server enforcement yet)
• add tbot version (fixes tbot version returns an error #10782)
• add unix signal handling: graceful exit on SIGINT, reload on SIGHUP/SIGUSR1
• make auth server an optional config option and check it only when needed (i.e. tbot start)
• add cut workaround to allow SSH to work without DNS (fixes Add support for cut to ProxyCommand #10813)
• fix product name in CLI help (fixes Update tbot name in CLI  #10926)
• add --format=json to tctl bots add (fixes Add support for --format=json flag to tctl bots add #10783)
• check SSH version and exclude the RSA deprecation workaround for older SSH clients (fixes Machine ID ssh_config generation for older versions of OpenSSH #10781)

[timothyb89]

I know there's a few other renames being discussed in #10030

I do like the -lifetime suffix and can still make that change tctl/tbot if we'd like.

For context, here's the tbot start syntax as of this PR:

$ ./tbot start --help
usage: tbot start [<flags>]

Starts the renewal bot, writing certificates to the data dir at a set interval.

Flags:
  -d, --debug             Verbose logging to stdout
  -c, --config            tbot.yaml path
  -a, --auth-server       Specify the Teleport auth server host
      --token             A bot join token, if attempting to onboard a new bot; used on first connect.
      --ca-pin            A repeatable auth server CA hash to pin; used on first connect.
      --data-dir          Directory to store internal bot data.
      --destination-dir   Directory to write generated certificates
      --certificate-ttl   TTL of generated certificates
      --renewal-interval  Interval at which certificates are renewed; must be less than the certificate TTL.
      --join-method       Method to use to join the cluster.
      --oneshot           If set, quit after the first renewal.

tbot init:

usage: tbot init --bot-user=BOT-USER [<flags>]

Initialize a certificate destination directory for writes from a separate bot user.

Flags:
  -d, --debug            Verbose logging to stdout
  -c, --config           tbot.yaml path
      --destination-dir  If NOT using a config file, specify the destination directory.
      --init-dir         If using a config file and multiple destinations are configured, specify which to initialize
      --clean            If set, remove unexpected files and directories from the destination
      --bot-user         Name of the bot Unix user which should have write access to the destination.

Aliases:

tctl bots add:

usage: tctl bots add --roles=ROLES [<flags>] <name>

Add a new certificate renewal bot to the cluster.

Flags:
  -d, --debug        Enable verbose logging to stderr
  -c, --config       Path to a configuration file [/etc/teleport.yaml]. Can also be set via the TELEPORT_CONFIG_FILE environment variable.
      --auth-server  Attempts to connect to specific auth/proxy address(es) instead of local auth [127.0.0.1:3025]
  -i, --identity     Path to an identity file. Must be provided to make remote connections to auth. An identity file can be exported with 'tctl auth sign'
      --insecure     When specifying a proxy address in --auth-server, do not verify its TLS certificate. Danger: any data you send can be intercepted or modified by an attacker.
      --roles        Roles the bot is able to assume.
      --ttl          TTL for the bot join token.
      --token        Name of an existing token to use.

Args:
  <name>  A name to uniquely identify this bot in the cluster.

Aliases:

[benarent]

@timothyb89 When trying the above, I'm unable to use --token when using tctl bots add

tctl bots add --roles=access --token=blah terminator
ERROR: unknown long flag '--token'

[timothyb89]

@timothyb89 When trying the above, I'm unable to use --token when using tctl bots add

tctl bots add --roles=access --token=blah terminator
ERROR: unknown long flag '--token'

Hmm, that definitely should work. My initial guess is that you might have an outdated tctl, but I'll dig into this more tomorrow.

[zmb3]

Are there any docs that need to be updated for this rename?

[timothyb89]

Looks like the docs PR (#10775) doesn't refer to this config parameter at all, luckily.

[zmb3]

Do we support tunneling through proxy? If so, I recommend we change the wording to mention that it can be an auth or proxy server.

[timothyb89]

Good point, will reword.

[zmb3]

Can you remove this TODO

[codingllama]

89 commits and 2.7k+ added lines is a tough review. Any chance we could split this into reasonably-sized parts?

[timothyb89]

89 commits and 2.7k+ added lines is a tough review. Any chance we could split this into reasonably-sized parts?

Hrm, GitHub got confused over the merge base change, it's supposed to be just +300 or so. I'll try to fix it.

[timothyb89]

Alright, apologies for confusion, the diff should now be back under control. Hopefully +230/-50 is a little more sane 🙂

[codingllama]

nit: prefer BadParameter to Errorf?

Suggested change

	return nil, trace.Errorf("invalid version string: %s", versionString)
	return nil, trace.BadParameter("invalid version string: %s", versionString)

Same for others.

[codingllama]

What is the RSA workaround? Do we have it explained somewhere?

[timothyb89]

I'll add an explainer comment to the IncludeRSAWorkaround docstring:

IncludeRSAWorkaround controls whether the RSA deprecation workaround is included in the generated configuration. Newer versions of OpenSSH deprecate RSA certificates and, due to a bug in golang's ssh package, Teleport wrongly advertises its unaffected certificates as a now-deprecated certificate type. The workaround includes a config override to re-enable RSA certs for just Teleport hosts, however it is only supported on OpenSSH 8.5 and later.

[codingllama]

Not for this PR, but we should consider refactoring the bulk of this logic outside of package main and test it.

[timothyb89]

Yeah, there's a lot of cleanup and refactoring needed here. Hoping to prioritize that sooner rather than later 🙂

[codingllama]

Alright, apologies for confusion, the diff should now be back under control. Hopefully +230/-50 is a little more sane 🙂

Much better :)