RFD - GCP VM Auto-discovery by atburke · Pull Request #23946 · gravitational/teleport

atburke · 2023-03-31T23:12:07Z

RFD for adding the ability to discover and automatically register GCP VMs, including a new gcp join method.

r0mant · 2023-04-05T18:40:23Z

+system initially supporting DEB and RPM based distros that Teleport already
+provides packages for.
+
+To run commands on a VM, the Discovery Service will create a short-lived


How long will the key be valid for and what will happen to it after we're done with installation?

Is there a way to use SSH certificate authentication with the VMs instead of key pair?

We can set an expiry on the key in the metadata (although it won't get deleted automatically).

I don't believe there's a way to use SSH cert authentication; creating key pairs is what GCP recommends.

r0mant · 2023-04-05T18:42:43Z

+ssh key pair and add the public key to the VM via its metadata. Then it will
+run the installer on the VM over SSH.
+
+> Note: GCP VMs using [OS Login](https://cloud.google.com/compute/docs/oslogin) do not support SSH keys in instance metadata.


For OS Login enabled VMs, can Teleport generate some auth token and login as the IAM user? Not saying we should do it right away, just curious if there's such an option.

AFAIK no, OS Login is only for Google accounts.

r0mant · 2023-04-05T18:43:20Z

+provides packages for.
+
+To run commands on a VM, the Discovery Service will create a short-lived
+ssh key pair and add the public key to the VM via its metadata. Then it will


Does setting key in metadata take effect immediately?

r0mant · 2023-04-05T18:53:23Z

+- [Verifying GCP VM Identity](https://cloud.google.com/compute/docs/instances/verifying-instance-identity)
+- [SSH on GCP VMs](https://cloud.google.com/compute/docs/instances/ssh#third-party-tools)
+
+## Appendix I - Example ID token payload


Can you also include IaC flows in the scope of the RFD (whether any Helm charts, Kube operator or Terraform provider changes will be needed).

zmb3 · 2023-04-07T19:47:04Z

In the future, please try to follow the branch naming conventions for RFDs:

teleport/rfd/0000-rfds.md

Lines 68 to 70 in 785fa04

    
           1. make a branch off of `master` called `rfd/$number-your-title` 
        
              In our example, it'll be branch `rfd/0018-irc-access`.

atburke · 2023-04-25T23:50:39Z

@strideynet @r0mant Mind taking another look at this?

r0mant · 2023-04-26T17:09:04Z

+state: draft
+---
+
+# RFD X - GCP auto-discovery


Don't forget to assign the number.

r0mant · 2023-04-26T17:09:33Z

+
+## Required Approvers
+
+Engineering: @jakule && @r0mant


I don't think Jakub is going to be able to review this anymore.

Suggested change

Engineering: @jakule && @r0mant

Engineering: @strideynet && @r0mant

atburke added the rfd Request for Discussion label Mar 31, 2023

atburke requested a review from strideynet March 31, 2023 23:12

github-actions Bot requested review from fspmarshall and gzdunek March 31, 2023 23:12

github-actions Bot added the size/md label Mar 31, 2023

strideynet reviewed Apr 3, 2023

View reviewed changes

Comment thread rfd/xxxx-gcp-server-discovery.md

Comment thread rfd/xxxx-gcp-server-discovery.md

Comment thread rfd/xxxx-gcp-server-discovery.md

Comment thread rfd/xxxx-gcp-server-discovery.md

Comment thread rfd/xxxx-gcp-server-discovery.md

Comment thread rfd/xxxx-gcp-server-discovery.md

r0mant self-requested a review April 5, 2023 17:02

r0mant reviewed Apr 5, 2023

View reviewed changes

strideynet reviewed Apr 8, 2023

View reviewed changes

Comment thread rfd/xxxx-gcp-server-discovery.md

This was referenced Apr 12, 2023

Add GCP join method #24493

Merged

GCP IAM joining and Auto-Discovery #22815

Closed

atburke mentioned this pull request Apr 20, 2023

Add GCP token validation #24492

Merged

strideynet self-requested a review April 26, 2023 07:49

strideynet approved these changes Apr 26, 2023

View reviewed changes

r0mant approved these changes Apr 26, 2023

View reviewed changes

public-teleport-github-review-bot Bot removed request for fspmarshall and gzdunek April 26, 2023 17:13

RFD for GCP IAM join/auto discovery.

e47c65b

atburke force-pushed the atburke/rfd-gcp-join branch from 4e4f706 to e47c65b Compare April 26, 2023 20:59

atburke enabled auto-merge April 26, 2023 20:59

atburke added this pull request to the merge queue Apr 26, 2023

Merged via the queue into master with commit 7a90a0f Apr 26, 2023

atburke deleted the atburke/rfd-gcp-join branch April 26, 2023 21:15

	Engineering: @jakule && @r0mant
	Engineering: @strideynet && @r0mant

Conversation

atburke commented Mar 31, 2023

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

zmb3 commented Apr 7, 2023

Uh oh!

Uh oh!

atburke commented Apr 25, 2023

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants