
[tctl] Adds option to write tarred tctl auth sign output to stdout #29451

Merged: 6 commits merged into master from tcsc/stdout-tar on Jul 27, 2023

Conversation

tcsc

@tcsc tcsc commented Jul 24, 2023

Adds a --tar option to the tctl auth sign command that bundles
the keys, certificates & other generated files to a tarball, and streams
that tarball out to stdout.

This is to facilitate extracting credentials from environments with
limited access to the filesystem and tools like a shell, tar and so
on. The motivating example is our distroless Docker images. See
#29262 for more detail.

Example usage:

```
❯ kubectl exec ... -- tctl auth sign --user admin-guy --format tls --ttl 10m --tar -o admin-guy | tar xv -C local
x admin-guy.crt
x admin-guy.key
x admin-guy.cas

❯ ls -l local
total 24
-rw-------  1 trent  staff  1318 Jul 24 15:52 admin-guy.cas
-rw-------  1 trent  staff  1895 Jul 24 15:52 admin-guy.crt
-rw-------  1 trent  staff  1679 Jul 24 15:52 admin-guy.key
```

Using --tar also hides all of the helper messages normally
generated by tctl, as writing these messages would break
the resulting tarball.

See-Also: #29262. Also closes #27639.

A quick and dirty experiment showing one possible approach for
writing certificates to stdout. Demonstrates a possible solution
to #29262.

DO NOT MERGE AS IS. IN NO WAY PRODUCTION READY.
tcsc added 2 commits July 24, 2023 15:53
Adds an option to bundle the certificates generated by `tctl auth sign`
into a tarball and writes that tarball to stdout.

This is to facilitate extracting credentials from environments with
limited access to the filesystem and tools like a shell, tar and so
on, e.g. distroless Docker images.

Example usage:

```
$ kubectl exec ... -- tctl auth sign --user alice --format openssh -o alice --tar | tar xv
x alice-cert.pub
x alice
```
@tcsc tcsc removed the do-not-merge label Jul 25, 2023
@tcsc tcsc marked this pull request as ready for review July 25, 2023 13:14
@github-actions github-actions bot added size/md tctl tctl - Teleport admin tool labels Jul 25, 2023
@tcsc tcsc added the ux label Jul 25, 2023
@tcsc tcsc changed the title PoC - tctl auth sign write tarfile to stdout [tctl] Adds option to write tctl auth sign output to stdout Jul 25, 2023
@tcsc tcsc changed the title [tctl] Adds option to write tctl auth sign output to stdout [tctl] Adds option to write tarred tctl auth sign output to stdout Jul 25, 2023
@hugoShaka hugoShaka left a comment

This sounds good to me, my only suggestion would be to send the user messages to stderr instead of suppressing them. If we do this, we could also add a message explaining to the user how to unpack the tar.
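The following is an added illustration of the two points above (the PR description's "bundle the generated files into a tar stream on stdout" and the reviewer's suggestion to route helper text to stderr). It is not Teleport's code and does not use tctl's internals; the file names, the PEM bodies and the 0600 mode are constructed or assumed for the example. The consumer-side reader is included so the archive can be checked end to end without a real cluster.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"os"
	"path"
	"sort"
	"time"
)

// credentialMode is the assumed permission for key material, matching the
// -rw------- entries shown after extraction in the PR description.
const credentialMode int64 = 0600

// writeCredentialTar streams files (name -> contents) as a tar archive on out.
// Names must be bare file names: the archive is meant to unpack flat into the
// directory the operator picks with `tar x -C`, so paths and ".." are refused.
func writeCredentialTar(out io.Writer, files map[string][]byte, modTime time.Time) error {
	names := make([]string, 0, len(files))
	for name := range files {
		if name == "" || name == "." || name == ".." || path.Base(name) != name {
			return fmt.Errorf("refusing non-flat entry name %q", name)
		}
		names = append(names, name)
	}
	sort.Strings(names) // deterministic entry order for reproducible output
	tw := tar.NewWriter(out)
	for _, name := range names {
		hdr := &tar.Header{
			Typeflag: tar.TypeReg,
			Name:     name,
			Mode:     credentialMode,
			Size:     int64(len(files[name])),
			ModTime:  modTime,
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return err
		}
		if _, err := tw.Write(files[name]); err != nil {
			return err
		}
	}
	return tw.Close() // writes the end-of-archive marker; nothing else may follow on stdout
}

// readCredentialTar is the consumer side of the pipe. It extracts entries into
// memory and returns each entry's mode so a caller can verify that no credential
// file carries group or world permission bits.
func readCredentialTar(in io.Reader) (map[string][]byte, map[string]int64, error) {
	contents := map[string][]byte{}
	modes := map[string]int64{}
	tr := tar.NewReader(in)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return contents, modes, nil
		}
		if err != nil {
			return nil, nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			return nil, nil, fmt.Errorf("unexpected entry type %d for %q", hdr.Typeflag, hdr.Name)
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return nil, nil, err
		}
		contents[hdr.Name] = data
		modes[hdr.Name] = hdr.Mode
	}
}

func main() {
	// Constructed placeholder material; a real run would carry the PEM files tctl generates.
	files := map[string][]byte{
		"admin-guy.crt": []byte("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"),
		"admin-guy.key": []byte("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n"),
		"admin-guy.cas": []byte("-----BEGIN CERTIFICATE-----\n(constructed CA)\n-----END CERTIFICATE-----\n"),
	}
	// Helper text goes to stderr so stdout carries nothing but the archive.
	fmt.Fprintf(os.Stderr, "writing %d credential files as a tar stream; unpack with: ... | tar xv -C <dir>\n", len(files))
	if err := writeCredentialTar(os.Stdout, files, time.Now()); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

Run as `go run main.go | tar xv -C local` to see the same `x admin-guy.crt` lines as in the PR while the stderr hint stays visible on the terminal. The `-rw-------` permissions in the PR's `ls -l` output are exactly what a 0600 header mode produces on extraction; the reader's returned modes let a script assert that before the files are trusted.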

@r0mant r0mant left a comment

We should also update the docs to explain the usage of this flag when running teleport-cluster Helm chart. Maybe add an FAQ entry like "How do I export certificates from distroless containers?".

@tcsc tcsc added this pull request to the merge queue Jul 26, 2023
Merged via the queue into master with commit 02d2f8b Jul 27, 2023
21 checks passed
@tcsc tcsc deleted the tcsc/stdout-tar branch July 27, 2023 00:03
Successfully merging this pull request may close these issues.

Add stdout support to tctl auth sign