Allow ssh_config generation to be disabled for Machine ID Identity Output #40776

@strideynet commented Apr 22, 2024

We currently allow the Identity Output to be used to provide credentials for two main use-cases:

  • Server Access (SSH)
  • General API access (tctl, access plugins)

However, we always try to generate the ssh_config needed for SSH access. This is problematic for a few reasons:

  • It requires a proxy to be online so that it can determine the address to include in the SSH config. In some cases, a tbot instance may run close to the auth server and it may be intended for this instance to come online before proxies are available.
  • It's slower than necessary because of the time taken to generate the SSH Config.

As such, I've added an ssh_config option which can be set to on or off. If unspecified, it defaults to the behaviour we've had historically (on).

example:

- type: identity
  destination:
    type: directory
    path: /foo
  ssh_config: off # this will default to "on" if unspecified

changelog: Add the ability to control ssh_config generation in Machine ID's Identity Outputs. This allows the generation of the ssh_config to be disabled if unnecessary, improving performance and removing the dependency on the Proxy being online.

Co-authored-by: Alan Parra <alan.parra@goteleport.com>
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from atburke April 23, 2024 17:52
@strideynet strideynet added this pull request to the merge queue Apr 23, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 23, 2024
@strideynet strideynet added this pull request to the merge queue Apr 24, 2024
Merged via the queue into master with commit fcdb129 Apr 24, 2024
41 checks passed
@strideynet strideynet deleted the strideynet/support-generating-identity-output-without-hitting-proxy branch April 24, 2024 07:50
@public-teleport-github-review-bot

@strideynet See the table below for backport results.

Branch Result
branch/v14 Create PR
branch/v15 Create PR
