MWI: Add documentation for bound keypair joining#56604
Conversation
This adds documentation for bound keypair joining, including a user-facing deployment guide, an admin guide (with architecture information), and the usual provision token details.
|
Amplify deployment status
|
There was a problem hiding this comment.
Curious for thoughts on this guide in general, but also about where it fits in the docs hierarchy. I want to both document the architecture of this join method somewhere, and include admin / lifecycle details, and ended up combining the two and nesting them in the Machine ID Reference section. Not sure if that's the best place for it?
There was a problem hiding this comment.
I think pending the wider docs refactor - this is in the perfect place and I think strikes a nice level of detail.
github-actions
bot
added
documentation
no-changelog
| description: "How to install and configure Machine ID with Bound Keypair joining" | ||
| --- | ||
|
|
||
| In this guide, you will install Machine ID's agent, `tbot`, on an arbitrary |
There was a problem hiding this comment.
While the title frames the guide around bound keypairs, the introduction doesn't mention this concept.
I would either:
- Add one sentence in the introduction explaining what Bound Keypair joining is
- Change the title to "Deploying Machine ID using Persistent Storage" or something similar.
There was a problem hiding this comment.
+1 for the first option - we should explain what this join method is and when you should consider using it as early as we can.
There was a problem hiding this comment.
I've tried to wordsmith things here to hopefully cover everything: it directly compares against other options and mentions recovery.
| use cases and deployment scenarios | ||
| - Ensures failed bots can be recovered without client-side intervention in most | ||
| cases | ||
|
|
There was a problem hiding this comment.
I would be clearer about what readers would expect in this guide. The introduction frames it as a general-purpose docs page on bound keypair joining, but that puts it in conflict with the how-to guide. I would consider:
- Splitting the architectural information into a separate guide with a more specific title and putting that in the Architecture section.
- Retitling this page to be more specific, e.g., Bound Keypair Joining Reference.
- Making sure each Bound Keypair Joining guide links to the other Bound Keypair Joining guides in the introduction.
There was a problem hiding this comment.
I've at least retitled the page and added a guides section to link to the main deployment guide. I'll admit it definitely doesn't fit cleanly into "just" being a reference page and is sort of a cursed hybrid of an architecture page, admin manual, and configuration reference.
I'm not opposed making additional separate pages, but I think (for example) a dedicated architecture page might be a bit light on content given the "Concepts" section as it exists now. Definitely happy to hear your thoughts on the best path forward!
There was a problem hiding this comment.
I'd definitely be keen to avoid splitting this into a third page - retitling as a reference seems like a good enough compromise and avoids splitting this information across three different places which makes maintaining it as engineers and finding it as end-users harder.
| description: "How to install and configure Machine ID with Bound Keypair joining" | ||
| --- | ||
|
|
||
| In this guide, you will install Machine ID's agent, `tbot`, on an arbitrary |
There was a problem hiding this comment.
+1 for the first option - we should explain what this join method is and when you should consider using it as early as we can.
| With Bound Keypair joining, instead of using a static token or relying solely on | ||
| renewable certificates, Machine ID bots generate a unique keypair. Teleport is | ||
| then configured to trust this public key for future joining attempts. |
There was a problem hiding this comment.
I would intro it a bit differently. Take it or leave it:
Bound keypair joining is a more secure and flexible alternative to static token joining.
Machine ID bots generate a unique keypair, registering the public key with Teleport
and keeping the private key in their own storage.Later, when the bot attempts to join the cluster, ...
There was a problem hiding this comment.
I've tried to iterate on this a bit and rewrote things a bit, the "more secure and flexible alternative" wound up getting promoted up into the intro paragraph
| duplicated | ||
| - Certificate generation counter checks to ensure regular bot certificates | ||
| cannot be usefully shared or duplicated | ||
| - Configurable limits on how often - if at all - bots may be allowed to recover |
There was a problem hiding this comment.
Do we expect readers to know what it means to "recover" at this point in the guide, or do we need to elaborate?
There was a problem hiding this comment.
I've added a reference to "automated recovery" in the introductory paragraph, hopefully that clarifies it enough?
|
|
||
| **This step is completed on your local machine.** | ||
|
|
||
| In this guide, we'll demonstrate joining a bot using a registration secret: this |
There was a problem hiding this comment.
I would mention both approaches before we narrow down on one, just so the reader knows there's another option.
Maybe:
The initial joining operation can operate in two modes. The first is by using
a registration secret, which is similar to the first join process with thetoken
join method. Alternatively, initial joining can be performed with a public key.In this guide, we will demonstrate joining using a registration secret.
There was a problem hiding this comment.
I've added an explicit reference (and a link) in the admonition, hopefully it makes the existence of the alternative clear? Trying to balance clarity with the guide only actually showing how to accomplish a single mode.
(Maybe showing both paths in the guide will be more reasonable with a tctl helper - may update this further if so)
| --- | ||
|
|
||
| Bound Keypair is a new join method designed to provide the best features of | ||
| [dynamic join methods][dynamic] join methods - like AWS, GCP, or Azure - but in |
There was a problem hiding this comment.
Should we call them delegated join methods for consistency with https://goteleport.com/docs/reference/join-methods/#secret-vs-delegated
There was a problem hiding this comment.
Hmm, that's fair. It might be good to make sure the Machine ID Architecture page adopts that terminology eventually, but probably out of scope here. I've updated references to point to the join methods reference page which uses "delegated", rather than the Machine ID Architecture page which uses "dynamic".
| use cases and deployment scenarios | ||
| - Ensures failed bots can be recovered without client-side intervention in most | ||
| cases | ||
|
|
Various bits of review feedback, and attempt to wordsmith on the introduction paragraphs.
Adds some missing references and addresses review feedback.
Adds missing detail, especially around decoupled keypair from certs.
- Retitle the reference guide - Link to preregistered keys in the guide
This removes the admin guide from this PR and replaces references to it with placeholders with commented TODOs. The admin guide will be reintroduced in a separate PR stacked onto this one.
|
Per a request from @ptgott, I've split the admin guide out into a separate PR stacked on top of this one: #56824 References and links to this guide were either commented out or replaced with a placeholder (just the root of the Machine ID reference section) and are restored in that PR. I'm happy to tweak the approach there if needed. |
| cluster) | ||
| - a Windows desktop by the desktop's name | ||
| - an [Access Request](access-requests/access-requests.mdx) by UUID | ||
| - a bot instance ID (for Machine ID bots) |
There was a problem hiding this comment.
We should either say "Bot" Or "Machine & Workload Identity Bot" or "MWI Bot" - we're deprecating the use of the "Machine ID" phraseology.
There was a problem hiding this comment.
Ah, good catch - I've updated a number of references in addition to this one. The guide itself is still named "Deploying Machine ID on..." but I'm wary of changing that phrasing given every other guide still follows the older naming scheme. I assume we'll update the terminology all at once when we're ready to do so?
public-teleport-github-review-bot
bot
removed request for
mmcallister and
r0mant
|
@timothyb89 See the table below for backport results.
|
* MWI: Add documentation for bound keypair joining This adds documentation for bound keypair joining, including a user-facing deployment guide, an admin guide (with architecture information), and the usual provision token details. * TODOs for deployment guide, add deployment guide to method list * Finish deployment guide and make small tweaks to other pages * Update tbot CLI and configuration reference * Fix docs lints * Add notes about new lock targets for bots * Bound keypair guide feedback Various bits of review feedback, and attempt to wordsmith on the introduction paragraphs. * Fix review feedback and missing references Adds some missing references and addresses review feedback. * Address review feedback, add missing detail Adds missing detail, especially around decoupled keypair from certs. * Further clarify what automatic recovery is * Consistently refer to "bot hosts" rather than nodes * Address more review feedback - Retitle the reference guide - Link to preregistered keys in the guide * Add guides section to reference page * Remove admin guide from this PR This removes the admin guide from this PR and replaces references to it with placeholders with commented TODOs. The admin guide will be reintroduced in a separate PR stacked onto this one. * Fix docs lint * Fix Machine ID -> Machine & Workload Identity naming * Update more Machine & Workload Identity references
* MWI: Add documentation for bound keypair joining (#56604) * MWI: Add documentation for bound keypair joining This adds documentation for bound keypair joining, including a user-facing deployment guide, an admin guide (with architecture information), and the usual provision token details. * TODOs for deployment guide, add deployment guide to method list * Finish deployment guide and make small tweaks to other pages * Update tbot CLI and configuration reference * Fix docs lints * Add notes about new lock targets for bots * Bound keypair guide feedback Various bits of review feedback, and attempt to wordsmith on the introduction paragraphs. * Fix review feedback and missing references Adds some missing references and addresses review feedback. * Address review feedback, add missing detail Adds missing detail, especially around decoupled keypair from certs. * Further clarify what automatic recovery is * Consistently refer to "bot hosts" rather than nodes * Address more review feedback - Retitle the reference guide - Link to preregistered keys in the guide * Add guides section to reference page * Remove admin guide from this PR This removes the admin guide from this PR and replaces references to it with placeholders with commented TODOs. The admin guide will be reintroduced in a separate PR stacked onto this one. * Fix docs lint * Fix Machine ID -> Machine & Workload Identity naming * Update more Machine & Workload Identity references * MWI: Add Bound Keypair Joining admin and reference guide (#56824) * MWI: Add Bound Keypair Joining admin and reference guide This adds an admin and reference guide for bound keypair joining, intended to explain the core architecture of the join method, provide a few minimal configuration examples, and cover various long term maintenance tasks expected to be needed for bots using the `bound_keypair` join method, like rotating keypairs, recovering broken bots, and making other config changes. * Split admin guide and concepts into separate pages Also, move the Getting Started guide to the bound keypair reference section. * Remove token examples and add preregistered key flow to guide This removes the token examples from the bound keypair overview page and instead moves the key unique information (preregistered keys) into an alternative flow section in the bound keypair guide. * Add missing redirect * Fix broken header links after reorganization * MWI: Add note about bound keypair joining only supporting bots (#57589) * MWI: Add note about bound keypair only supporting bots Bound keypair joining only supports bots right now, so this adds a note about this limitation in the overview page and join method reference. * Tweak phrasing to better define what an "agent" is * Wording tweaks
4 participants
This adds documentation for bound keypair joining, including a user-facing deployment guide, an admin guide (with architecture information), and the usual provision token details.
Closes #55598