Machine ID: Add Protos for Bound Keypair Joining#53566
Merged
timothyb89 merged 16 commits intomasterfrom May 9, 2025
Merged
Conversation
The operator's crdgen doesn't support `bytes`, so switch to SSH public key encoding.
Contributor
|
Amplify deployment status
|
Contributor
Author
|
I'm reasonably confident this is complete, but want to avoid merging this until I have a decent start on #53373 so I can make breaking proto changes without creating linter trouble; will undraft when ready. |
timothyb89
commented
Apr 14, 2025
This adds some minor proto tweaks following some implementation work: - Adds an explicit rotation ceremony phase to prompt the client to provide a new public key before issuing the 2nd challenge. Previously the design didn't include any way to inform the client that a rotation was requested. - Converts byte public keys to string. They are now encoded in ssh `authorized_keys` format.
timothyb89
commented
Apr 29, 2025
This was referenced Apr 29, 2025
github-actions
bot
requested review from
bernardjkim,
hugoShaka,
marcoandredinis,
mmcallister,
ptgott,
r0mant,
tigrato and
zmb3
timothyb89
added
the
no-changelog
bernardjkim
reviewed
Apr 29, 2025
This removes `remaining_joins` from the token status per a review recommendation, in favor of determining whether or not a join is allowed from the `join_count` field. This also adds the referenced `previous_instance_id` field to the bot instance proto. Additionally, various doc comments have been updated for clarity.
boxofrad
approved these changes
Apr 30, 2025
tigrato
reviewed
Apr 30, 2025
protoc-gen-gogo doesn't support optional fields, so reverting this change.
tigrato
approved these changes
May 1, 2025
timothyb89
commented
May 6, 2025
Contributor
Author
timothyb89
left a comment
timothyb89
left a comment
There was a problem hiding this comment.
@strideynet and I had a good discussion today and came up with a plan to further simplify all the options for this new token type, and to reduce overloaded and confusing terminology. I've left individual comments for all the changes for anyone interested.
This change will mostly consist of field renames and moves, so hopefully nothing too surprising.
This refactors a number of bound keypair terms to simplify the token and improve clarity. We now consistently use these terms to refer to various concepts in the join method: - "onboarding" to refer to the first join - "registration" to refer to the binding of a keypair to a token - "preregistration" to refer to keys added manually with the token - "registration secret" to refer to keys bound at the time of onboarding using a secret token - "recovery" to refer to joining with no or an expired identity Various fields were renamed to reflect these new terms and definitions. Additionally, the "unlimited" and "insecure" fields have been merged into an enum-style string, with values "standard", "relaxed", and "insecure".
public-teleport-github-review-bot
bot
removed request for
hugoShaka,
mmcallister,
ptgott,
r0mant and
zmb3
strideynet
approved these changes
May 8, 2025
timothyb89
added a commit
that referenced
this pull request
May 22, 2025
Backport of #53566 for branch/v17 --- Machine ID: Add Protos for Bound Keypair Joining This adds protos for the new Bound Keypair join method. Implementation will follow in additional PRs. RFD: #52546 Closes #53378 * Switch to SSH public key encoding for operator compatibility The operator's crdgen doesn't support `bytes`, so switch to SSH public key encoding. * Add generated terraform provider files * Add insecure flag * Small proto tweaks This adds some minor proto tweaks following some implementation work: - Adds an explicit rotation ceremony phase to prompt the client to provide a new public key before issuing the 2nd challenge. Previously the design didn't include any way to inform the client that a rotation was requested. - Converts byte public keys to string. They are now encoded in ssh `authorized_keys` format. * Update generated files * Fix docstring typo * Address review comments * Remove remaining_joins, add previous_instance_id, and update docs This removes `remaining_joins` from the token status per a review recommendation, in favor of determining whether or not a join is allowed from the `join_count` field. This also adds the referenced `previous_instance_id` field to the bot instance proto. Additionally, various doc comments have been updated for clarity. * Remove `new_public_key` field in favor of server-driven rotation * Make initial_join_secret optional; fix field index after field removal * Revert optional field marker protoc-gen-gogo doesn't support optional fields, so reverting this change. * Field naming refactor This refactors a number of bound keypair terms to simplify the token and improve clarity. We now consistently use these terms to refer to various concepts in the join method: - "onboarding" to refer to the first join - "registration" to refer to the binding of a keypair to a token - "preregistration" to refer to keys added manually with the token - "registration secret" to refer to keys bound at the time of onboarding using a secret token - "recovery" to refer to joining with no or an expired identity Various fields were renamed to reflect these new terms and definitions. Additionally, the "unlimited" and "insecure" fields have been merged into an enum-style string, with values "standard", "relaxed", and "insecure". * Fix doc comment typo
github-merge-queue bot
pushed a commit
that referenced
this pull request
May 22, 2025
Backport of #53566 for branch/v17 --- Machine ID: Add Protos for Bound Keypair Joining This adds protos for the new Bound Keypair join method. Implementation will follow in additional PRs. RFD: #52546 Closes #53378 * Switch to SSH public key encoding for operator compatibility The operator's crdgen doesn't support `bytes`, so switch to SSH public key encoding. * Add generated terraform provider files * Add insecure flag * Small proto tweaks This adds some minor proto tweaks following some implementation work: - Adds an explicit rotation ceremony phase to prompt the client to provide a new public key before issuing the 2nd challenge. Previously the design didn't include any way to inform the client that a rotation was requested. - Converts byte public keys to string. They are now encoded in ssh `authorized_keys` format. * Update generated files * Fix docstring typo * Address review comments * Remove remaining_joins, add previous_instance_id, and update docs This removes `remaining_joins` from the token status per a review recommendation, in favor of determining whether or not a join is allowed from the `join_count` field. This also adds the referenced `previous_instance_id` field to the bot instance proto. Additionally, various doc comments have been updated for clarity. * Remove `new_public_key` field in favor of server-driven rotation * Make initial_join_secret optional; fix field index after field removal * Revert optional field marker protoc-gen-gogo doesn't support optional fields, so reverting this change. * Field naming refactor This refactors a number of bound keypair terms to simplify the token and improve clarity. We now consistently use these terms to refer to various concepts in the join method: - "onboarding" to refer to the first join - "registration" to refer to the binding of a keypair to a token - "preregistration" to refer to keys added manually with the token - "registration secret" to refer to keys bound at the time of onboarding using a secret token - "recovery" to refer to joining with no or an expired identity Various fields were renamed to reflect these new terms and definitions. Additionally, the "unlimited" and "insecure" fields have been merged into an enum-style string, with values "standard", "relaxed", and "insecure". * Fix doc comment typo
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds protos for the new Bound Keypair join method. Implementation will follow in additional PRs.
RFD: #52546
Closes #53378