Centralized Alias Management for Teleport Clients

[pnrao1983]

Use Case
The Customer operations team currently relies heavily on predefined aliases to streamline access to Kubernetes clusters, databases, and other production resources. This setup significantly improves operational efficiency, especially during high-pressure situations like incident response or production issues.

Current switch login, there are no local alias changes.
Moving forward, if Teleport can auto load a shell (e.g.: load_env.sh) in the backend:

$tsh kube login cop1r1
  above tsh login will auto load this shell
  /Users/{user_name}/.tsh/config/load_env.sh cop1r1

$tsh kube login stage
  above tsh login will auto load this shell
  /Users/{user_name}/.tsh/config/load_env.sh stage
**Notes:** Please consider support on both macOS (load_env.sh) and Windows (load_env.bat).
If the tsh program can't find the load_env.*, just skip it.
We'll prepare the load_env.sh code as:
#!/usr/bin/env bash

cluster="$1"

# Define aliases
alias k="kubectl -n $cluster"
alias k3="kubectl -n a3-$cluster"
alias kp="kubectl -n ${cluster}-portal"
alias kg="kubectl -n guest"
alias kl="kubectl -n eloc"
alias klo="kubectl -n wips"
alias kc="kubectl -n common"
alias kd="kubectl -n xcd"

# Conditional alias if cluster is "stage"
if [ "$cluster" == "stage" ]; then
  alias psqlconfigdb_1="psql -h databaseaurora-cluster.us-region-2.rds.amazonaws.com -U configuser_1 configdb_1"
fi

if [ "$cluster" == "cop1r1" ]; then
  alias psqlconfigdb_1="psql -h localhost -U configuser_1 configdb_1"
fi

# List all RDS host names for each of the clusters.

Current Workflow:

• Engineers connect to a jump server and then to a Kubernetes bastion host (Local Mac-->SSH to a node-->ssh to bastion. 30+ bastion hosts with scripts individually setup on all bastions).
• Aliases on these bastion hosts provide quick access to Kubernetes namespaces, pods, and databases, bypassing the need for lengthy commands.
• These aliases are dynamically generated and managed through Helm charts and Ansible during the deployment process, ensuring they are up-to-date and contextually relevant to the clusters and databases.

Challenges with Teleport Transition:

• Aliases are currently client-side, requiring individual engineers to maintain and update them manually on their local machines.
• Our setup involves 30+ Kubernetes clusters and corresponding bastion hosts, with around 30-50% of aliases differing across environments.
• Frequent updates to aliases (e.g., new clusters, namespace changes, database migrations) make manual maintenance unsustainable.
• Sharing and managing scripts for alias updates across 50+ engineers introduces operational overhead and potential inconsistencies.

Proposed Solution:

• Enable centralized alias management within Teleport, where aliases can be defined and managed server-side (e.g., at the Proxy or Auth Server level) and dynamically applied to clients upon connection.

Key Features:

Server-Side Alias Definitions:

• Allow defining aliases on the Teleport Proxy/Auth server, including support for dynamic variables (e.g., cluster name, database hostname).
• Centralize updates to these aliases, removing the need for local scripts.

Dynamic Variable Substitution:

• Support embedding runtime variables into aliases (e.g., Kubernetes cluster name, RDS hostname).
• Automatically resolve these variables based on the selected environment (e.g., when connecting to a specific Kubernetes cluster).

Seamless Client Integration:

• Push server-defined aliases to clients upon connection.
• Provide a consistent experience across all engineers without requiring manual updates.

Backward Compatibility:

• Retain existing client-side alias functionality for users who prefer local control.

[zmb3]

The solution we developed for this use case was a global tsh configuration file (in addition to the per-user tsh configuration file) that would allow administrators to use their enterprise device management solution to drop a tsh configuration file with predefined aliases on each employee workstation.

Is there any reason why this solution doesn't work?