Add new config templates to tbot for databases and identity files
#11596
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I don't love the UX right now but it does enable a lot of new use-cases in relatively few lines of code. There'll be some growing pains (and breaking changes) if we want to more deeply integrate with I could see a few alternatives to / iterations on this:
|
timothyb89
added a commit
that referenced
this pull request
Apr 12, 2022
This adds a new destination-level config option to `tbot.yaml` that
allows users to request database access for a particular destination
certificate. Behind the scenes, this triggers generates two
impersonated certs: the first identity is generated to request the
specified roles and resolve the database config, then is replaced
with a new identity using those roles plus a fully-formed
`RouteToDatabase` request.
Database requests are made by adding a destination entry like the
following to `tbot.yaml`:
```yaml
destinations:
- directory: /foo/bar
database:
service: <teleport database name>
username: <database username>
database: <database name>
# The certs won't be very useful without TLS
kinds: [tls]
```
We currently don't support proxying or generating db-specific config
files. See #11596 for an `identityfile` implementation that can help.
Additionally, we don't currently have a `tsh proxy` equivalent so the
legacy MySQL handlers need to be enabled, which is not the case by
default in Teleport 9. However, that same PR can export a
tsh-compatible identity file for the datbase identity which can be
passed along to `tsh -i ...` and presumably used with its proxy
commands. We plan to follow-up with another PR to improve this UX.
timothyb89
added a commit
that referenced
this pull request
Apr 19, 2022
* Allow users to request database certificates in Machine ID
This adds a new destination-level config option to `tbot.yaml` that
allows users to request database access for a particular destination
certificate. Behind the scenes, this triggers generates two
impersonated certs: the first identity is generated to request the
specified roles and resolve the database config, then is replaced
with a new identity using those roles plus a fully-formed
`RouteToDatabase` request.
Database requests are made by adding a destination entry like the
following to `tbot.yaml`:
```yaml
destinations:
- directory: /foo/bar
database:
service: <teleport database name>
username: <database username>
database: <database name>
# The certs won't be very useful without TLS
kinds: [tls]
```
We currently don't support proxying or generating db-specific config
files. See #11596 for an `identityfile` implementation that can help.
Additionally, we don't currently have a `tsh proxy` equivalent so the
legacy MySQL handlers need to be enabled, which is not the case by
default in Teleport 9. However, that same PR can export a
tsh-compatible identity file for the datbase identity which can be
passed along to `tsh -i ...` and presumably used with its proxy
commands. We plan to follow-up with another PR to improve this UX.
* Try to fix flaky test
* Address review feedback
* Update tool/tbot/renew.go
Co-authored-by: Roman Tkachenko <[email protected]>
* Add special username checks for MongoDB and Redis
Co-authored-by: Roman Tkachenko <[email protected]>
This adds a new `identityfile` config template to tbot which
generates an identity file from any of the formats supported by
`tctl auth sign`.
It can be used by specifying one or more formats in the configuration
like so:
```yaml
destinations:
- directory: /foo
kinds: [ssh, tls]
configs:
- identityfile:
formats: [file]
```
It requires both SSH and TLS certificates to work properly. App,
Kubernetes, and Database certs are unlikely to work as they have
additional cert requirements that will be added in separate PRs.
Multiple formats can be specified, and each will be written to its
own subdirectory within the destination using the name of the format.
The particular files written inside this directory depend on the
particular format selected, but n the above example, this means a
file named `/foo/file/identity` is written.
The files all have an `identity` prefix at the moment. This could be
made configurable if desired.
The `file` format can be used in conjunction with `tsh -i` and
`tctl -i` to use those tools with a tbot-generated identity.
Fixes #10812
This promotes most of the important identityfile formats to proper config templates. User-facing `kinds` are removed to reduce confusion and several config templates are now required. * The `ssh_client` template is now required and will be added automatically in all cases if not specified. * A new required `tls_cas` template is added to always export the current Teleport server CAs in a usable format. * A new required `identity` template is added to always export an identity file usable with tsh/tctl. * New optional `cockroach`, `mongo`, and `tls` templates can export specifically-formatted TLS certs for various databases and apps. Additionally some other changes were caught during testing: * `botfs` now allows users to specify if files should be opened for reading or for writing; previously, written files were never truncated when opened for writing leading to garbage at the end of files if the length changed. Truncation isn't sane for reading so the two use-cases are now split.
timothyb89
force-pushed
the
timothyb89/machineid-identityfile
branch
from
162ef79 to
24d84a7
Compare
timothyb89
changed the title
identityfile config template to tbottbot for databases and identity files
|
I've been stalled for a couple of days now on trying to get tsh to accept these new identity files for database access. It's proving to more complex than expected to make that work so I'd like to at least get this PR in to deliver something and will focus on the database multiplexing situation in a follow-up PR. |
timothyb89
added a commit
that referenced
this pull request
Apr 23, 2022
* Allow users to request database certificates in Machine ID
This adds a new destination-level config option to `tbot.yaml` that
allows users to request database access for a particular destination
certificate. Behind the scenes, this triggers generates two
impersonated certs: the first identity is generated to request the
specified roles and resolve the database config, then is replaced
with a new identity using those roles plus a fully-formed
`RouteToDatabase` request.
Database requests are made by adding a destination entry like the
following to `tbot.yaml`:
```yaml
destinations:
- directory: /foo/bar
database:
service: <teleport database name>
username: <database username>
database: <database name>
# The certs won't be very useful without TLS
kinds: [tls]
```
We currently don't support proxying or generating db-specific config
files. See #11596 for an `identityfile` implementation that can help.
Additionally, we don't currently have a `tsh proxy` equivalent so the
legacy MySQL handlers need to be enabled, which is not the case by
default in Teleport 9. However, that same PR can export a
tsh-compatible identity file for the datbase identity which can be
passed along to `tsh -i ...` and presumably used with its proxy
commands. We plan to follow-up with another PR to improve this UX.
* Try to fix flaky test
* Address review feedback
* Update tool/tbot/renew.go
Co-authored-by: Roman Tkachenko <[email protected]>
* Add special username checks for MongoDB and Redis
Co-authored-by: Roman Tkachenko <[email protected]>
jakule
reviewed
Apr 25, 2022
| return trace.Wrap(err) | ||
| } | ||
|
|
||
| hostCAs, err := authClient.GetCertAuthorities(ctx, types.HostCA, false) |
There was a problem hiding this comment.
Databases should use Database CA here on Teleport 10+.
There was a problem hiding this comment.
Hmmm. This particular template is for general use so I think we'll need to make the CA configurable. The database-specific ones can set that by default, though.
I sort of wonder if we should make specific templates for MySQL / MariaDB / Postgres / etc just to mitigate any confusion.
There was a problem hiding this comment.
This is what I meant. To create a separate implementation for databases as they are using a different CA. Sorry for the confusion.
There was a problem hiding this comment.
No worries! For now I've just made this configurable:
configs:
- tls:
ca_cert_type: databaseI suspect we'll be revisiting database-specific configs in the future anyway, so dedicated database-specific configs should be okay as a follow-up PR.
Co-authored-by: Jakub Nyckowski <[email protected]>
Tweaked the `botfs.openStandard` and `botfs.openSecure` functions to accept a plain file mode, and removed a ton of boilerplate in `configtemplate.go`.
…e' into timothyb89/machineid-identityfile
espadolini
approved these changes
May 2, 2022
- Use `DatabaseCA` for database specific templates; make the `tls` template's CA configurable; write the database CA alongside the others. - Simplify nil interface check
timothyb89
added a commit
that referenced
this pull request
May 4, 2022
…12195) * Allow users to request database certificates in Machine ID This adds a new destination-level config option to `tbot.yaml` that allows users to request database access for a particular destination certificate. Behind the scenes, this triggers generates two impersonated certs: the first identity is generated to request the specified roles and resolve the database config, then is replaced with a new identity using those roles plus a fully-formed `RouteToDatabase` request. Database requests are made by adding a destination entry like the following to `tbot.yaml`: ```yaml destinations: - directory: /foo/bar database: service: <teleport database name> username: <database username> database: <database name> # The certs won't be very useful without TLS kinds: [tls] ``` We currently don't support proxying or generating db-specific config files. See #11596 for an `identityfile` implementation that can help. Additionally, we don't currently have a `tsh proxy` equivalent so the legacy MySQL handlers need to be enabled, which is not the case by default in Teleport 9. However, that same PR can export a tsh-compatible identity file for the datbase identity which can be passed along to `tsh -i ...` and presumably used with its proxy commands. We plan to follow-up with another PR to improve this UX. * Try to fix flaky test * Address review feedback * Update tool/tbot/renew.go Co-authored-by: Roman Tkachenko <[email protected]> * Add special username checks for MongoDB and Redis Co-authored-by: Roman Tkachenko <[email protected]> Co-authored-by: Roman Tkachenko <[email protected]>
jakule
approved these changes
May 4, 2022
timothyb89
added a commit
that referenced
this pull request
May 6, 2022
…11596) * Add new `identityfile` config template to `tbot` This adds a new `identityfile` config template to tbot which generates an identity file from any of the formats supported by `tctl auth sign`. It can be used by specifying one or more formats in the configuration like so: ```yaml destinations: - directory: /foo kinds: [ssh, tls] configs: - identityfile: formats: [file] ``` It requires both SSH and TLS certificates to work properly. App, Kubernetes, and Database certs are unlikely to work as they have additional cert requirements that will be added in separate PRs. Multiple formats can be specified, and each will be written to its own subdirectory within the destination using the name of the format. The particular files written inside this directory depend on the particular format selected, but n the above example, this means a file named `/foo/file/identity` is written. The files all have an `identity` prefix at the moment. This could be made configurable if desired. The `file` format can be used in conjunction with `tsh -i` and `tctl -i` to use those tools with a tbot-generated identity. Fixes #10812 * Make identityfile formats first-class config templates This promotes most of the important identityfile formats to proper config templates. User-facing `kinds` are removed to reduce confusion and several config templates are now required. * The `ssh_client` template is now required and will be added automatically in all cases if not specified. * A new required `tls_cas` template is added to always export the current Teleport server CAs in a usable format. * A new required `identity` template is added to always export an identity file usable with tsh/tctl. * New optional `cockroach`, `mongo`, and `tls` templates can export specifically-formatted TLS certs for various databases and apps. Additionally some other changes were caught during testing: * `botfs` now allows users to specify if files should be opened for reading or for writing; previously, written files were never truncated when opened for writing leading to garbage at the end of files if the length changed. Truncation isn't sane for reading so the two use-cases are now split. * Update lib/client/identityfile/identity.go Co-authored-by: Jakub Nyckowski <[email protected]> * Address first batch of review comments Tweaked the `botfs.openStandard` and `botfs.openSecure` functions to accept a plain file mode, and removed a ton of boilerplate in `configtemplate.go`. * Fix problematic nil interface check in configtemplate * Clarify comment about `client.Key` DB certs * Address review feedback - Use `DatabaseCA` for database specific templates; make the `tls` template's CA configurable; write the database CA alongside the others. - Simplify nil interface check * Fix outdated var names Co-authored-by: Jakub Nyckowski <[email protected]>
timothyb89
added a commit
that referenced
this pull request
May 10, 2022
…11596) (#12500) * Add new `identityfile` config template to `tbot` This adds a new `identityfile` config template to tbot which generates an identity file from any of the formats supported by `tctl auth sign`. It can be used by specifying one or more formats in the configuration like so: ```yaml destinations: - directory: /foo kinds: [ssh, tls] configs: - identityfile: formats: [file] ``` It requires both SSH and TLS certificates to work properly. App, Kubernetes, and Database certs are unlikely to work as they have additional cert requirements that will be added in separate PRs. Multiple formats can be specified, and each will be written to its own subdirectory within the destination using the name of the format. The particular files written inside this directory depend on the particular format selected, but n the above example, this means a file named `/foo/file/identity` is written. The files all have an `identity` prefix at the moment. This could be made configurable if desired. The `file` format can be used in conjunction with `tsh -i` and `tctl -i` to use those tools with a tbot-generated identity. Fixes #10812 * Make identityfile formats first-class config templates This promotes most of the important identityfile formats to proper config templates. User-facing `kinds` are removed to reduce confusion and several config templates are now required. * The `ssh_client` template is now required and will be added automatically in all cases if not specified. * A new required `tls_cas` template is added to always export the current Teleport server CAs in a usable format. * A new required `identity` template is added to always export an identity file usable with tsh/tctl. * New optional `cockroach`, `mongo`, and `tls` templates can export specifically-formatted TLS certs for various databases and apps. Additionally some other changes were caught during testing: * `botfs` now allows users to specify if files should be opened for reading or for writing; previously, written files were never truncated when opened for writing leading to garbage at the end of files if the length changed. Truncation isn't sane for reading so the two use-cases are now split. * Update lib/client/identityfile/identity.go Co-authored-by: Jakub Nyckowski <[email protected]> * Address first batch of review comments Tweaked the `botfs.openStandard` and `botfs.openSecure` functions to accept a plain file mode, and removed a ton of boilerplate in `configtemplate.go`. * Fix problematic nil interface check in configtemplate * Clarify comment about `client.Key` DB certs * Address review feedback - Use `DatabaseCA` for database specific templates; make the `tls` template's CA configurable; write the database CA alongside the others. - Simplify nil interface check * Fix outdated var names Co-authored-by: Jakub Nyckowski <[email protected]> Co-authored-by: Jakub Nyckowski <[email protected]>
timothyb89
added a commit
that referenced
this pull request
May 25, 2022
This re-adds the `kinds` config field with a deprecation warning. We removed the field in #11596 but due to strict YAML parsing this causes existing otherwise compatible configs to error out.
timothyb89
added a commit
that referenced
this pull request
May 27, 2022
* Re-add `kinds` config field with a deprecation warning This re-adds the `kinds` config field with a deprecation warning. We removed the field in #11596 but due to strict YAML parsing this causes existing otherwise compatible configs to error out. * Update tool/tbot/config/config_destination.go Co-authored-by: Zac Bergquist <[email protected]> * Use standardized deprecation comment formatting Co-authored-by: Zac Bergquist <[email protected]>
github-actions bot
pushed a commit
that referenced
this pull request
May 27, 2022
This re-adds the `kinds` config field with a deprecation warning. We removed the field in #11596 but due to strict YAML parsing this causes existing otherwise compatible configs to error out.
timothyb89
added a commit
that referenced
this pull request
May 27, 2022
…13000) * Re-add `kinds` config field with a deprecation warning This re-adds the `kinds` config field with a deprecation warning. We removed the field in #11596 but due to strict YAML parsing this causes existing otherwise compatible configs to error out. * Update tool/tbot/config/config_destination.go Co-authored-by: Zac Bergquist <[email protected]> * Use standardized deprecation comment formatting Co-authored-by: Zac Bergquist <[email protected]>
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a number of new config templates building off Teleport's
identityfilepackage, adopting several of the formats supported bytctl auth sign.ssh_clienttemplate is now required and will be added automatically in all cases if not specified.tls_castemplate is added to always export the current Teleport server CAs in a usable format.identitytemplate is added to always export an identity file usable with tsh/tctl.cockroach,mongo, andtlstemplates can export specifically-formatted TLS certs for various databases and apps.Additionally, this tries to simplify the UX for end-user certificates. First, user-facing
kindsare removed to reduce confusionand several config templates are now required. Also, tbot's own formats for CA certs (
tlscacerts,sshcacerts) are no longer written at all to destination dirs since they aren't easily usable by other applications and better alternatives are now available.The
identityfile can be used in conjunction withtsh -iandtctl -ito use those tools with a tbot-generated identity. Unfortunatelytshonly supports identity files for a limited subset of functionality, though SSH use works well. Database, Kubernetes, and app access are currently unsupported through this method.Additionally some other changes were caught during testing:
botfsnow allows users to specify if files should be opened for reading or for writing; previously, written files were never truncated when opened for writing leading to garbage at the end of files if the length changed. Truncation isn't sane for reading so the two use-cases are now split.ssh_clienttemplate was usingos.WriteFile()directly instead of our filesystem wrapper. It now writes through the wrapper and shouldn't accidentally write files to disk during unit tests.Fixes #10812