
tsh kube login by name prefix, labels, and/or query #30252

Merged
GavinFrazar merged 2 commits into master from gavinfrazar/tsh-resource-selection-ux-kube
Aug 14, 2023

@GavinFrazar GavinFrazar commented Aug 10, 2023

This PR allows a user to select the current context by prefix name during `tsh kube login`, and to filter the kube clusters for login by `--labels` and/or predicate `--query` - these flags are not allowed with `--all`.

changelog: tsh kube login now supports --query and --labels optional arguments.

Part of the implementation for RFD 129.

As part of the changes, I also reduced the number of API calls to list kube clusters from 3 to one - in the case of a relogin required, or an access request is auto-generated, we of course still incur unavoidable extra API calls.

Example

$ tsh kube ls
Kube Cluster Name Labels                                                         Selected
----------------- -------------------------------------------------------------- --------
test              account-id=123456789012,env=fake,origin=gavin,region=us-west-1
test-cluster      account-id=123456789012,origin=gavin,region=us-west-1

$ tsh kube login --labels env=fake
Logged into Kubernetes clusters:
test

Select a context and try 'kubectl version' to test the connection.

$ tsh kube login --query 'labels["region"] == "us-west-1" && labels["env"] != "fake"'
Logged into Kubernetes clusters:
test-cluster-eks-us-west-1-123456789012

Select a context and try 'kubectl version' to test the connection.

$ tsh kube ls
Kube Cluster Name Labels                                                         Selected
----------------- -------------------------------------------------------------- --------
test              account-id=123456789012,env=fake,origin=gavin,region=us-west-1
test-cluster      account-id=123456789012,origin=gavin,region=us-west-1

$ tsh kube login test-clus
Logged into Kubernetes cluster "test-cluster-eks-us-west-1-123456789012". Try 'kubectl version' to test the connection.

$ tsh kube login test
Logged into Kubernetes cluster "test". Try 'kubectl version' to test the connection.

$ tsh kube ls
Kube Cluster Name Labels                                                         Selected
----------------- -------------------------------------------------------------- --------
test              account-id=123456789012,env=fake,origin=gavin,region=us-west-1 *
test-cluster      account-id=123456789012,origin=gavin,region=us-west-1

$ tsh kube login test-clus
Logged into Kubernetes cluster "test-cluster-eks-us-west-1-123456789012". Try 'kubectl version' to test the connection.

$ tsh kube ls
Kube Cluster Name Labels                                                         Selected
----------------- -------------------------------------------------------------- --------
test              account-id=123456789012,env=fake,origin=gavin,region=us-west-1
test-cluster      account-id=123456789012,origin=gavin,region=us-west-1          *

$ tsh kube login te
ERROR: kubernetes cluster "te" matches multiple kubernetes clusters:

Kube Cluster Name                       Labels                                                                                                                                                                                               Selected
--------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------
test                                    account-id=123456789012,env=fake,origin=gavin,region=us-west-1,teleport.dev/cloud=AWS,teleport.dev/origin=dynamic
test-cluster-eks-us-west-1-123456789012 account-id=123456789012,origin=gavin,region=us-west-1,teleport.dev/cloud=AWS,teleport.dev/origin=cloud,teleport.internal/discovered-name=test-cluster,teleport.internal/discovery-group-name=aws-dev

Hint: use 'tsh kube ls -v' or 'tsh kube ls --format=[json|yaml]' to list all kubernetes clusters with full details.
Hint: try selecting the kubernetes cluster with a more specific name (ex: tsh kube login test).
Hint: try selecting the kubernetes cluster with additional --labels or --query predicate.

Related issue:

@GavinFrazar GavinFrazar added ux kubernetes-access tsh backport/branch/v13 labels Aug 10, 2023
@GavinFrazar GavinFrazar requested a review from tigrato August 10, 2023 01:16
@GavinFrazar GavinFrazar requested a review from smallinsky August 10, 2023 02:32
@smallinsky smallinsky left a comment

I have tested this with GCP auto-discover and it works fine. But I wonder if we can delay backporting the resource name collision CLI changes to v13 until after we finish the v13 test plan regression.

@GavinFrazar Additionally, we also have the `tsh proxy kube` command that needs to be extended.

Comment thread tool/tsh/common/kube.go
@GavinFrazar GavinFrazar added this pull request to the merge queue Aug 14, 2023
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Aug 14, 2023
@GavinFrazar GavinFrazar added this pull request to the merge queue Aug 14, 2023
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Aug 14, 2023
@GavinFrazar GavinFrazar enabled auto-merge August 14, 2023 20:30
@GavinFrazar GavinFrazar added this pull request to the merge queue Aug 14, 2023
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to Branch Protection failures Aug 14, 2023
@GavinFrazar GavinFrazar added this pull request to the merge queue Aug 14, 2023
@GavinFrazar GavinFrazar removed this pull request from the merge queue due to a manual request Aug 14, 2023
* fetch kube clusters once for login
@GavinFrazar GavinFrazar force-pushed the gavinfrazar/tsh-resource-selection-ux-kube branch from 6b88a49 to 5d2a5a6 Compare August 14, 2023 21:21
@GavinFrazar GavinFrazar enabled auto-merge August 14, 2023 21:21
@GavinFrazar GavinFrazar added this pull request to the merge queue Aug 14, 2023
Merged via the queue into master with commit 2f50a7f Aug 14, 2023
@GavinFrazar GavinFrazar deleted the gavinfrazar/tsh-resource-selection-ux-kube branch August 14, 2023 22:39
@public-teleport-github-review-bot
@GavinFrazar See the table below for backport results.

| Branch | Result |
|--------|--------|
| branch/v13 | Failed |

GavinFrazar added a commit that referenced this pull request Sep 16, 2023
backports #30252 to branch/v13.

* fetch kube clusters once for login
GavinFrazar added a commit that referenced this pull request Sep 19, 2023
backports #30252 to branch/v13.

* fetch kube clusters once for login
github-merge-queue Bot pushed a commit that referenced this pull request Sep 19, 2023
* [v13] Fix Kubernetes selected cluster

backports #30167 to branch/v13.

* Fix Kubernetes selected cluster

Kubeconfig context name can be customized using `--set-context-name`
flag. When using it, the selected Kubernetes cluster fails to correctly
identify the cluster name.

* [v13] tsh kube login by prefix, query, labels (#32088)

backports #30252 to branch/v13.

* fetch kube clusters once for login

* [v13] update `tsh proxy kube` cluster selection ux (#32089)

backports #30478 to branch/v13.

* select by labels, query predicate, name, and/or prefix of name.
* fix --cluster flag not being propagated

* [v13] simplify tsh db prefix predicate logic (#32090)

backports #30531 to branch/v13.

* [v13] check for discovered kube cluster name exact match (#32091)

backports #31744 to branch/v13.

* [v13] rework tsh database selection logic (#32092)

backports #31689 to branch/v13.

* disallow prefix matching
* select by exact name match first,
* otherwise look for unambiguous discovered name label match.
* look for an active db to resolve discovered name match ambiguity.
* add more predicate builder helpers
* check for db name in not found error for stale cert hint
* no error status on tsh db logout with no logged in dbs
* remove dead code
* refactor helper funcs to simplify code and make it easier to test
* test complex database selection
* test findActiveDatabase
* test choosing one db by discovered name
* add more resource selectors tests
* test formatDatabaseLoginCommand
* add debug logging for db selection

* [v13] Fix `tsh kube login` when creds are expired or doesn't exist (#32095)

Backports #31418 to branch/v13.

This PR uses `client.RetryWithRelogin` helper to deal with cases where user's
credentials don't exist or are already expired.

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* remove tsh kube prefix matching (#31852) (#32097)

* fix retry with relogin for ambiguous clusters
* consolidate test setup for login/proxy kube selection tests
* add more test cases for kube selection
* remove prefix testing
* add origin cloud label in tests
* refactor the check for multiple cluster login into a func

* [v13] remove prefix matching in tctl (#32104)

Backports #31916 to branch/v13.

* remove prefix matching in tctl
* replace prefix matching with exact discovered name match as a fallback
  when no resource full name matches the name given by a user
* refactor test helpers
* avoid decoding yaml/json into already initialized var

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
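
An added example (not Teleport's code) of the selection rules this thread describes: an exact name always wins, a fallback match is accepted only when it is unique, and an ambiguous name is an error rather than a silent pick. `Cluster`, `Sample` and `Select` are hypothetical names, the sample data is constructed from the PR's example session, and the discovered-name fallback models the later backported commits listed above.

```go
package main

import "fmt"
import "strings"

// Cluster is a hypothetical stand-in for a kube cluster resource.
type Cluster struct {
	Name   string
	Labels map[string]string
}

const discoveredName = "teleport.internal/discovered-name" // label key seen in the PR's listing

// Sample returns constructed data modelled on the PR's example session.
func Sample() []Cluster {
	return []Cluster{
		{"test", map[string]string{"env": "fake", "region": "us-west-1"}},
		{"test-cluster-eks-us-west-1-123456789012", map[string]string{"region": "us-west-1", discoveredName: "test-cluster"}},
	}
}

// Select applies the label filter, returns an exact name match if present, and
// otherwise accepts a fallback match only when exactly one cluster qualifies.
// allowPrefix picks the fallback: name prefix (true) or discovered-name label (false).
func Select(cs []Cluster, name string, want map[string]string, allowPrefix bool) (string, error) {
	var fallback []string
next:
	for _, c := range cs {
		for k, v := range want {
			if got, ok := c.Labels[k]; !ok || got != v {
				continue next // a required label is missing or differs
			}
		}
		if c.Name == name {
			return c.Name, nil
		}
		dn, ok := c.Labels[discoveredName]
		if (allowPrefix && strings.HasPrefix(c.Name, name)) || (!allowPrefix && ok && dn == name) {
			fallback = append(fallback, c.Name)
		}
	}
	if len(fallback) == 1 {
		return fallback[0], nil
	}
	// Zero or several candidates: refuse instead of guessing a target cluster.
	return "", fmt.Errorf("kubernetes cluster %q matched %d clusters: %v", name, len(fallback), fallback)
}

func main() {
	fmt.Println(Select(Sample(), "te", nil, true))
}
```
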