[v9] Add new config templates to tbot for databases and identity files (#11596) #12500

Merged
merged 3 commits into from
May 10, 2022

Conversation

timothyb89
Contributor

Backport of #11596 for branch/v9


  • Add new identityfile config template to tbot

This adds a new identityfile config template to tbot which
generates an identity file from any of the formats supported by
tctl auth sign.

It can be used by specifying one or more formats in the configuration
like so:

```yaml
destinations:
  - directory: /foo
    kinds: [ssh, tls]
    configs:
      - identityfile:
          formats: [file]
```

It requires both SSH and TLS certificates to work properly. App,
Kubernetes, and Database certs are unlikely to work as they have
additional cert requirements that will be added in separate PRs.

Multiple formats can be specified, and each will be written to its
own subdirectory within the destination using the name of the format.
The particular files written inside this directory depend on the
particular format selected, but in the above example, this means a
file named /foo/file/identity is written.

The files all have an identity prefix at the moment. This could be
made configurable if desired.

The file format can be used in conjunction with tsh -i and
tctl -i to use those tools with a tbot-generated identity.

Fixes #10812

  • Make identityfile formats first-class config templates

This promotes most of the important identityfile formats to proper
config templates. User-facing kinds are removed to reduce confusion
and several config templates are now required.

  • The ssh_client template is now required and will be added
    automatically in all cases if not specified.
  • A new required tls_cas template is added to always export
    the current Teleport server CAs in a usable format.
  • A new required identity template is added to always export an
    identity file usable with tsh/tctl.
  • New optional cockroach, mongo, and tls templates can export
    specifically-formatted TLS certs for various databases and apps.

Additionally some other changes were caught during testing:

  • botfs now allows users to specify if files should be opened for
    reading or for writing; previously, written files were never
    truncated when opened for writing leading to garbage at the end of
    files if the length changed. Truncation isn't sane for reading so
    the two use-cases are now split.

  • Update lib/client/identityfile/identity.go

Co-authored-by: Jakub Nyckowski [email protected]

  • Address first batch of review comments

Tweaked the botfs.openStandard and botfs.openSecure functions to
accept a plain file mode, and removed a ton of boilerplate in
configtemplate.go.

  • Fix problematic nil interface check in configtemplate

  • Clarify comment about client.Key DB certs

  • Address review feedback

  • Use DatabaseCA for database specific templates; make the tls
    template's CA configurable; write the database CA alongside the
    others.
  • Simplify nil interface check
  • Fix outdated var names

Co-authored-by: Jakub Nyckowski [email protected]

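The botfs truncation bug described in the PR body above, as an added Go example that is not Teleport's code: a writer that omits O_TRUNC (the old behaviour) leaves stale bytes at the tail of a renewed identity file whenever the new payload is shorter, while the corrected writer yields exactly the bytes last written. The file name and the PEM-looking payloads are constructed for the demo and contain no real key material.

```go
package main

import (
	"bytes"
	"os"
	"path/filepath"
)

// Constructed stand-ins for a renewed identity file; not real key material.
var (
	longIdentity  = []byte("-----BEGIN CERTIFICATE-----\nAAAAAAAAAAAAAAAAAAAA\n-----END CERTIFICATE-----\n")
	shortIdentity = []byte("-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n")
)

// writeWithFlags opens path with the given flags and writes data to it.
func writeWithFlags(path string, data []byte, flags int) error {
	f, err := os.OpenFile(path, flags, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// writeNoTrunc mirrors the pre-fix bug: without O_TRUNC a shorter payload
// overwrites only the head of the old content and leaves a stale tail behind.
func writeNoTrunc(path string, data []byte) error {
	return writeWithFlags(path, data, os.O_WRONLY|os.O_CREATE)
}

// writeTrunc is the corrected form: O_TRUNC discards the old content first.
func writeTrunc(path string, data []byte) error {
	return writeWithFlags(path, data, os.O_WRONLY|os.O_CREATE|os.O_TRUNC)
}

// renewTwice writes the long identity, then the shorter one, and reports
// whether the file on disk is exactly the last payload written.
func renewTwice(dir string, write func(string, []byte) error) (bool, error) {
	path := filepath.Join(dir, "identity")
	for _, payload := range [][]byte{longIdentity, shortIdentity} {
		if err := write(path, payload); err != nil {
			return false, err
		}
	}
	got, err := os.ReadFile(path)
	return err == nil && bytes.Equal(got, shortIdentity), err
}
```

Running renewTwice with writeNoTrunc against a temporary directory reports false (stale tail present); with writeTrunc it reports true.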
@github-actions github-actions bot requested review from espadolini and jakule May 6, 2022 20:37
@timothyb89 timothyb89 force-pushed the timothyb89/v9/machineid-identityfile branch from 440cc07 to 7a3b728 Compare May 6, 2022 20:48
@timothyb89 timothyb89 enabled auto-merge (squash) May 9, 2022 23:37
@timothyb89 timothyb89 merged commit a880a39 into branch/v9 May 10, 2022
@webvictim webvictim mentioned this pull request Jun 8, 2022
@zmb3 zmb3 deleted the timothyb89/v9/machineid-identityfile branch April 26, 2023 21:31