UX improvements for tbot #10833
UX improvements for tbot #10833
Conversation
|
I know there's a few other renames being discussed in #10030 I do like the For context, here's the
|
timothyb89
force-pushed
the
timothyb89/tbot-ux
branch
3 times, most recently
from
2e2f690 to
5f8a8db
Compare
|
@timothyb89 When trying the above, I'm unable to use --token when using |
Hmm, that definitely should work. My initial guess is that you might have an outdated tctl, but I'll dig into this more tomorrow. |
timothyb89
force-pushed
the
timothyb89/tbot-ux
branch
from
5f8a8db to
fccb456
Compare
timothyb89
force-pushed
the
timothyb89/tbot-ux
branch
from
9c7e9a0 to
a635966
Compare
| const exampleConfigFile = ` | ||
| auth_server: auth.example.com | ||
| renew_interval: 5m | ||
| renewal_interval: 5m |
There was a problem hiding this comment.
Are there any docs that need to be updated for this rename?
There was a problem hiding this comment.
Looks like the docs PR (#10775) doesn't refer to this config parameter at all, luckily.
tool/tbot/main.go
Outdated
| @@ -144,6 +155,10 @@ func onWatch(botConfig *config.BotConfig) error { | |||
| } | |||
|
|
|||
| func onStart(botConfig *config.BotConfig) error { | |||
| if botConfig.AuthServer == "" { | |||
| return trace.BadParameter("An auth server must be set via --auth-server or configuration") | |||
There was a problem hiding this comment.
Do we support tunneling through proxy? If so, I recommend we change the wording to mention that it can be an auth or proxy server.
There was a problem hiding this comment.
Good point, will reword.
tool/tbot/main.go
Outdated
| @@ -158,9 +173,12 @@ func onStart(botConfig *config.BotConfig) error { | |||
| var authClient auth.ClientI | |||
|
|
|||
| // TODO: graceful shutdown via signal; see #7066 | |||
timothyb89
force-pushed
the
timothyb89/tbot-ux
branch
2 times, most recently
from
fa50d20 to
0e8c901
Compare
|
89 commits and 2.7k+ added lines is a tough review. Any chance we could split this into reasonably-sized parts? |
Hrm, GitHub got confused over the merge base change, it's supposed to be just +300 or so. I'll try to fix it. |
A last batch of UX tweaks for 9.0: - rename --renew-interval -> renewal-interval - add `--oneshot` mode to fetch one set of certs and exit (client side only, no server enforcement yet) - add `tbot version` - add unix signal handling: graceful exit on SIGINT, reload on SIGHUP/SIGUSR1 - make auth server an optional config option and check it only when needed (i.e. `tbot start`)
Co-authored-by: Zac Bergquist <[email protected]>
timothyb89
force-pushed
the
timothyb89/tbot-ux
branch
from
0e8c901 to
82d1dee
Compare
|
Alright, apologies for confusion, the diff should now be back under control. Hopefully +230/-50 is a little more sane 🙂 |
| func parseSSHVersion(versionString string) (*semver.Version, error) { | ||
| versionTokens := strings.Split(versionString, " ") | ||
| if len(versionTokens) == 0 { | ||
| return nil, trace.Errorf("invalid version string: %s", versionString) |
There was a problem hiding this comment.
nit: prefer BadParameter to Errorf?
| return nil, trace.Errorf("invalid version string: %s", versionString) | |
| return nil, trace.BadParameter("invalid version string: %s", versionString) |
Same for others.
| @@ -111,18 +175,31 @@ func (c *TemplateSSHClient) Render(ctx context.Context, authClient auth.ClientI, | |||
| return trace.Wrap(err) | |||
| } | |||
|
|
|||
| // Default to including the RSA deprecation workaround. | |||
There was a problem hiding this comment.
What is the RSA workaround? Do we have it explained somewhere?
There was a problem hiding this comment.
I'll add an explainer comment to the IncludeRSAWorkaround docstring:
IncludeRSAWorkaround controls whether the RSA deprecation workaround is included in the generated configuration. Newer versions of OpenSSH deprecate RSA certificates and, due to a bug in golang's ssh package, Teleport wrongly advertises its unaffected certificates as a now-deprecated certificate type. The workaround includes a config override to re-enable RSA certs for just Teleport hosts, however it is only supported on OpenSSH 8.5 and later.
| @@ -144,6 +155,10 @@ func onWatch(botConfig *config.BotConfig) error { | |||
| } | |||
|
|
|||
| func onStart(botConfig *config.BotConfig) error { | |||
There was a problem hiding this comment.
Not for this PR, but we should consider refactoring the bulk of this logic outside of package main and test it.
There was a problem hiding this comment.
Yeah, there's a lot of cleanup and refactoring needed here. Hoping to prioritize that sooner rather than later 🙂
Much better :) |
Co-authored-by: Alan Parra <[email protected]>
* UX improvements for tbot A last batch of UX tweaks for 9.0: - rename --renew-interval -> renewal-interval - add `--oneshot` mode to fetch one set of certs and exit (client side only, no server enforcement yet) - add `tbot version` - add unix signal handling: graceful exit on SIGINT, reload on SIGHUP/SIGUSR1 - make auth server an optional config option and check it only when needed (i.e. `tbot start`) * Remove `--auth-server` flag from `tbot init` example * Add `cut` workaround to allow connecting to nodes without DNS * Update product name in tbot CLI help * Add `--format=json` support to `tctl bots add` * Detect OpenSSH version and conditionally remove the RSA deprecation workaround * Fix failing unit test after rename * Update tool/tbot/config/configtemplate_ssh.go Co-authored-by: Zac Bergquist <[email protected]> * Address review feedback * Apply suggestions from code review Co-authored-by: Alan Parra <[email protected]> * Document IncludeRSAWorkaround and address review comments Co-authored-by: Zac Bergquist <[email protected]> Co-authored-by: Alan Parra <[email protected]>
* UX improvements for tbot A last batch of UX tweaks for 9.0: - rename --renew-interval -> renewal-interval - add `--oneshot` mode to fetch one set of certs and exit (client side only, no server enforcement yet) - add `tbot version` - add unix signal handling: graceful exit on SIGINT, reload on SIGHUP/SIGUSR1 - make auth server an optional config option and check it only when needed (i.e. `tbot start`) * Remove `--auth-server` flag from `tbot init` example * Add `cut` workaround to allow connecting to nodes without DNS * Update product name in tbot CLI help * Add `--format=json` support to `tctl bots add` * Detect OpenSSH version and conditionally remove the RSA deprecation workaround * Fix failing unit test after rename * Update tool/tbot/config/configtemplate_ssh.go Co-authored-by: Zac Bergquist <[email protected]> * Address review feedback * Apply suggestions from code review Co-authored-by: Alan Parra <[email protected]> * Document IncludeRSAWorkaround and address review comments Co-authored-by: Zac Bergquist <[email protected]> Co-authored-by: Alan Parra <[email protected]> Co-authored-by: Zac Bergquist <[email protected]> Co-authored-by: Alan Parra <[email protected]>
A last batch of UX tweaks for 9.0:
--renew-intervalto--renewal-interval--oneshotmode to fetch one set of certs and exit (client side only, no server enforcement yet)tbot version(fixestbot versionreturns an error #10782)tbot start)cutworkaround to allow SSH to work without DNS (fixes Add support forcuttoProxyCommand#10813)--format=jsontotctl bots add(fixes Add support for--format=jsonflag totctl bots add#10783)ssh_configgeneration for older versions of OpenSSH #10781)