Add support for Client ID in Azure VM auto-discovery #32360
🤖 Vercel preview here: https://docs-943ksq91b-goteleport.vercel.app/docs/ver/14.x
0464480 to fda6e69
🤖 Vercel preview here: https://docs-a3qgfzw01-goteleport.vercel.app/docs/ver/14.x
@@ -110,6 +114,7 @@ on_gcp() { | |||
sudo /usr/local/bin/teleport node configure \ | |||
--proxy="{{ .PublicProxyAddr }}" \ | |||
--join-method=${JOIN_METHOD} \ | |||
--join-params="${JOIN_PARAMS}" \ |
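Review bot: `--join-params="${JOIN_PARAMS}"` splices a free-form value into a command the generated script runs under `sudo`, so whatever ends up in `JOIN_PARAMS` reaches a root shell on the discovered VM; if the flag is kept, restrict the value to an allowlist of known `key=value` pairs validated before the script is rendered, otherwise a dedicated flag for the Azure client ID removes the problem entirely.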
Can we not introduce a basically free-form arbitrary "join params" field that's easy to abuse IMO, and instead add a specific field for the Azure client ID?
lib/config/fileconf.go
if err != nil { | ||
return trace.Wrap(err) | ||
} | ||
for k, v := range params { |
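Review bot: the `for k, v := range params` loop should return an error on unrecognised keys rather than skipping them, so a mistyped `client_id` in the discovery config is reported at config load instead of silently leaving the node to join with the default identity.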
As mentioned above, I would just create a specific flag for the Azure client ID and avoid generic "join params".
lib/srv/server/azure_installer.go
publicProxyAddr, installerName, nonce) | ||
if clientID != "" { | ||
script = fmt.Sprintf("export AZURE_CLIENT_ID=%q ; %s", clientID, script) |
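Review bot: `%q` in `export AZURE_CLIENT_ID=%q` is Go string-literal quoting, not shell quoting; inside double quotes sh still expands `$`, backticks and backslashes, so a `clientID` taken from the discovery config is interpolated into a script executed on the VM. Validate `clientID` as a GUID before embedding it (an Azure client ID has no other shape), or return the script from the installer API with the value already rendered server-side.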
Can we have this passed to the installer web API as a parameter that would return the script with the proper client ID baked in, instead of an environment variable?
tool/teleport/common/usage.go
@@ -122,4 +122,7 @@ const ( | |||
# 1. license.pem: Retrieve a license from your Teleport account https://teleport.sh | |||
# if you are an Enterprise customer. | |||
#` | |||
|
|||
joinParamsUsage = `Comma-separated list of extra join parameters. Supported values: |
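Review bot: the `joinParamsUsage` help text introduces an ad-hoc comma-separated format without stating the exact `key=value` syntax or what happens on unknown keys; if it stays, spell both out in the usage string, though a dedicated Azure client ID flag would need no custom format at all.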
Let's not introduce a custom join params "CLI protocol" with custom parsing format, it will quickly get very messy.
fda6e69 to df83661
🤖 Vercel preview here: https://docs-2eg5uwx3t-goteleport.vercel.app/docs/ver/14.x
lib/config/fileconf.go
PublicProxyAddr string `yaml:"public_proxy_addr,omitempty"` | ||
// Azure is te set of installation parameters specific to Azure. | ||
Azure *AzureInstallParams `yaml:"azure"` |
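Review bot: typo in the new doc comment, `te set` should be `the set`; also the `yaml:"azure"` tag lacks `omitempty` unlike the sibling `public_proxy_addr` tag, so marshalling a config without Azure parameters emits `azure: null`.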
Azure *AzureInstallParams `yaml:"azure"` | |
Azure *AzureInstallParams `yaml:"azure,omitempty"` |
@@ -119,6 +121,7 @@ type azureInstanceFetcher struct { | |||
ResourceGroup string | |||
Labels types.Labels | |||
Parameters map[string]string | |||
ClientID string |
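Review bot: `ClientID string` is added to `azureInstanceFetcher` without a doc comment; document that it is the client ID of the managed identity the discovered VM joins with and that an empty value means the VM's default identity, since the installer treats `""` as "not set".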
I'm probably just missing something but one thing I don't understand is how is this ClientID actually being used to pick the correct Azure identity client? In this PR I see that it's being passed to the install script and then to the join config, but where is it actually being used?
Lines 697 to 708 in 492e3b3
```go
func registerUsingAzureMethod(client joinServiceClient, token string, params RegisterParams) (*proto.Certs, error) {
	ctx := context.Background()
	certs, err := client.RegisterUsingAzureMethod(ctx, func(challenge string) (*proto.RegisterUsingAzureMethodRequest, error) {
		imds := azure.NewInstanceMetadataClient()
		if !imds.IsAvailable(ctx) {
			return nil, trace.AccessDenied("could not reach instance metadata. Is Teleport running on an Azure VM?")
		}
		ad, err := imds.GetAttestedData(ctx, challenge)
		if err != nil {
			return nil, trace.Wrap(err)
		}
		accessToken, err := imds.GetAccessToken(ctx, params.AzureParams.ClientID)
```
It's been supported by the Azure join method for a while, this PR just makes it work for discovered nodes too.
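The identity selection described above, as an added example in Go that is not Teleport's code: it builds the Azure IMDS token request that a call like the quoted `imds.GetAccessToken(ctx, clientID)` has to make, validates the client ID before use, and checks the reply came from the requested identity. The endpoint and `api-version` are Azure's documented IMDS values; the function names and the GUID used in testing are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
)

// Azure IMDS token endpoint and API version (public Azure docs); a real call also needs the "Metadata: true" header.
const imdsTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01"
// Only GUID-shaped client IDs pass, so a config value can never carry shell metacharacters into an install script.
var clientIDPattern = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// ValidateClientID allows empty (use the VM's only/default identity) or a GUID.
func ValidateClientID(id string) error {
	if id == "" || clientIDPattern.MatchString(id) {
		return nil
	}
	return fmt.Errorf("azure client_id %q is not a GUID", id)
}

// BuildIMDSTokenURL adds resource and, when set, client_id. With several identities assigned,
// IMDS refuses a request without client_id, so this parameter is what lets such a node join.
func BuildIMDSTokenURL(resource, clientID string) (string, error) {
	if err := ValidateClientID(clientID); err != nil {
		return "", err
	}
	q := url.Values{"resource": {resource}}
	if clientID != "" {
		q.Set("client_id", clientID)
	}
	return imdsTokenURL + "&" + q.Encode(), nil
}

// ParseIMDSToken decodes the reply and checks the token was issued for the requested
// identity, so a misconfigured VM fails here rather than later at join time.
func ParseIMDSToken(body []byte, wantClientID string) (string, error) {
	var r struct {
		AccessToken string `json:"access_token"`
		ClientID    string `json:"client_id"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return "", err
	}
	if wantClientID != "" && r.ClientID != wantClientID {
		return "", fmt.Errorf("token is for identity %s, wanted %s", r.ClientID, wantClientID)
	}
	return r.AccessToken, nil
}
```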
Ok cool.
🤖 Vercel preview here: https://docs-fkg28baez-goteleport.vercel.app/docs/ver/14.x
This change adds the `client_id` option to the Discovery Service for Azure VMs, which sets the client ID of the managed identity for discovered nodes to use when joining the cluster. This allows the discovered nodes to be discovered while having multiple managed identities assigned.
da732ac to 40a30ab
🤖 Vercel preview here: https://docs-c6q2otdkb-goteleport.vercel.app/docs/ver/14.x
🤖 Vercel preview here: https://docs-6a0v4xmmd-goteleport.vercel.app/docs/ver/14.x
This PR adds the `client_id` option to the Discovery Service for Azure VMs, which sets the client ID of the managed identity for discovered nodes to use when joining the cluster. This allows the discovered nodes to be discovered while having multiple managed identities assigned. Resolves #28839.