Add support for Client ID in Azure VM auto-discovery #32360
Conversation
github-actions
bot
requested review from
capnspacehook,
kimlisa,
lsgunn-teleport,
ptgott,
r0mant,
xinding33 and
zmb3
|
🤖 Vercel preview here: https://docs-943ksq91b-goteleport.vercel.app/docs/ver/14.x |
atburke
force-pushed
the
atburke/azure-discovery-client-id
branch
from
0464480
to
fda6e69
Compare
|
🤖 Vercel preview here: https://docs-a3qgfzw01-goteleport.vercel.app/docs/ver/14.x |
| @@ -110,6 +114,7 @@ on_gcp() { | |||
| sudo /usr/local/bin/teleport node configure \ | |||
| --proxy="{{ .PublicProxyAddr }}" \ | |||
| --join-method=${JOIN_METHOD} \ | |||
| --join-params="${JOIN_PARAMS}" \ | |||
There was a problem hiding this comment.
Can we not introduce a basically free-form arbitrary "join params" field that's easy to abuse IMO, and instead add a specific field for the Azure client ID?
lib/config/fileconf.go
Outdated
| if err != nil { | ||
| return trace.Wrap(err) | ||
| } | ||
| for k, v := range params { |
There was a problem hiding this comment.
As mentioned above, I would just create a specific flag for the Azure client ID and avoid generic "join params".
lib/srv/server/azure_installer.go
Outdated
| publicProxyAddr, installerName, nonce) | ||
| if clientID != "" { | ||
| script = fmt.Sprintf("export AZURE_CLIENT_ID=%q ; %s", clientID, script) |
There was a problem hiding this comment.
Can we this passed to the installer web API as a parameter that would return the script with proper client ID baked in, instead of environment variable?
tool/teleport/common/usage.go
Outdated
| @@ -122,4 +122,7 @@ const ( | |||
| # 1. license.pem: Retrieve a license from your Teleport account https://teleport.sh | |||
| # if you are an Enterprise customer. | |||
| #` | |||
|
|
|||
| joinParamsUsage = `Comma-separated list of extra join parameters. Supported values: | |||
There was a problem hiding this comment.
Let's not introduce a custom join params "CLI protocol" with custom parsing format, it will quickly get very messy.
atburke
force-pushed
the
atburke/azure-discovery-client-id
branch
from
fda6e69
to
df83661
Compare
|
🤖 Vercel preview here: https://docs-2eg5uwx3t-goteleport.vercel.app/docs/ver/14.x |
lib/config/fileconf.go
Outdated
| PublicProxyAddr string `yaml:"public_proxy_addr,omitempty"` | ||
| // Azure is te set of installation parameters specific to Azure. | ||
| Azure *AzureInstallParams `yaml:"azure"` |
There was a problem hiding this comment.
| Azure *AzureInstallParams `yaml:"azure"` | |
| Azure *AzureInstallParams `yaml:"azure,omitempty"` |
| @@ -119,6 +121,7 @@ type azureInstanceFetcher struct { | |||
| ResourceGroup string | |||
| Labels types.Labels | |||
| Parameters map[string]string | |||
| ClientID string | |||
There was a problem hiding this comment.
I'm probably just missing something but one thing I don't understand is how is this ClientID actually being used to pick the correct Azure identity client? In this PR I see that it's being passed to the install script and then to the join config, but where is it actually being used?
There was a problem hiding this comment.
Lines 697 to 708 in 492e3b3
It's been supported by the Azure join method for a while, this PR just makes it work for discovered nodes too.
|
🤖 Vercel preview here: https://docs-fkg28baez-goteleport.vercel.app/docs/ver/14.x |
public-teleport-github-review-bot
bot
removed request for
zmb3,
capnspacehook and
xinding33
public-teleport-github-review-bot
bot
removed the request for review
from lsgunn-teleport
This change adds the `client_id` optio nto the Discovery Service for Azure VMs, which sets the client ID of the managed identity for discovered nodes to use when joining the cluster. This allows the discovered nodes to be discovered while having multiple managed identities assigned.
atburke
force-pushed
the
atburke/azure-discovery-client-id
branch
from
da732ac
to
40a30ab
Compare
atburke
changed the title
|
🤖 Vercel preview here: https://docs-c6q2otdkb-goteleport.vercel.app/docs/ver/14.x |
|
🤖 Vercel preview here: https://docs-6a0v4xmmd-goteleport.vercel.app/docs/ver/14.x |
This PR adds the
client_idoption to the Discovery Service for Azure VMs, which sets the client ID of the managed identity for discovered nodes to use when joining the cluster. This allows the discovered nodes to be discovered while having multiple managed identities assigned.Resolves #28839.