[tctl] Adds option to write tarred tctl auth sign output to stdout
#29451
Conversation
A quick and dirty experiment showing one possible approach for writing certificates to stdout. Demonstrates a possible solution to #29262. DO NOT MERGE AS IS. IN NO WAY PRODUCTION READY.
Adds an option to bundle the certificates generated by `tctl auth sign` into a tarball and writes that tarball to stdout. This is to facilitate extracting credentials from environments with limited access to the filesystem and tools like a shell, tar and so on, e.g. distroless Docker images. Example usage:

```
$ kubectl exec ... -- tctl auth sign --user alice --format openssh -o alice --tar | tar xv
x alice-cert.pub
x alice
```
Commits:
- tctl auth sign: write tarfile to stdout
- tctl auth sign: output to stdout
This sounds good to me, my only suggestion would be to send the user messages to stderr instead of suppressing them. If we do this, we could also add a message explaining to the user how to unpack the tar.
We should also update the docs to explain the usage of this flag when running teleport-cluster Helm chart. Maybe add an FAQ entry like "How do I export certificates from distroless containers?".
Adds a `--tar` option to the `tctl auth sign` command that bundles the keys, certificates & other generated files to a tarball, and streams that tarball out to `stdout`. This is to facilitate extracting credentials from environments with limited access to the filesystem and tools like a shell, `tar` and so on. The motivating example is our distroless Docker images. See #29262 for more detail.

Example usage:

Using `--tar` also hides all of the helper messages normally generated by `tctl`, as writing these messages would break the resulting tarball.

See-Also: #29262. Also closes #27639.
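One way the `--tar` approach described above can be built, as an added Go example that is not Teleport's code and not part of this PR: only archive bytes are written to stdout, every human-readable message goes to stderr (the reviewer's suggestion, instead of suppressing them), and the private key is stored in the archive with mode 0600. The file names and contents (`sampleFiles`) are constructed stand-ins, not real credentials.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"os"
	"strings"
)

// credFile is one file produced by the signing step (name plus contents).
type credFile struct{ Name string; Data []byte }

// Constructed stand-ins for `tctl auth sign --format openssh -o alice` output; placeholder contents, not real credentials.
var sampleFiles = []credFile{
	{"alice", []byte("-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n-----END OPENSSH PRIVATE KEY-----\n")},
	{"alice-cert.pub", []byte("ssh-ed25519-cert-v01@openssh.com AAAA(placeholder) alice\n")},
}

// fileMode keeps private material owner-only (0600); only .pub files get 0644, so `tar x` restores the key safely.
func fileMode(name string) int64 {
	if strings.HasSuffix(name, ".pub") {
		return 0o644
	}
	return 0o600
}

// writeTar streams files as a tar archive to out and returns the entry count. Only archive bytes go to out.
func writeTar(out io.Writer, files []credFile) (int, error) {
	tw := tar.NewWriter(out)
	for _, f := range files {
		hdr := &tar.Header{Name: f.Name, Mode: fileMode(f.Name), Size: int64(len(f.Data)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return 0, err
		}
		if _, err := tw.Write(f.Data); err != nil {
			return 0, err
		}
	}
	return len(files), tw.Close() // Close writes the end-of-archive trailer
}

func main() {
	n, err := writeTar(os.Stdout, sampleFiles) // archive on stdout, every message on stderr
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stderr, "wrote %d files; unpack with: ... | tar xv\n", n)
}
```

Piping the program's stdout into `tar xv` extracts both files; anything on stderr stays visible in the terminal without corrupting the stream.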