MWI: Default to creating bound keypair tokens for bots in tctl#63422
MWI: Default to creating bound keypair tokens for bots in tctl#63422timothyb89 merged 10 commits intomasterfrom
tctl#63422Conversation
This adjusts the default behavior in `tctl` to create bound keypair tokens when creating new bot tokens in `tctl bots add` and `tctl bots instances add`. This adds a new "V2" message template intended for use with joining URIs and bound keypair tokens, and defaults to that. The existing template is still available, with minor additive changes, using the `--legacy` flag. Additional flags to manage bound keypair token parameters (recovery mode, etc) were also added and are specific to this join method. Additionally, joining URI parsing utilities were moved into their own package to be importable from `tctl` without importing all of `lib/tbot`.
A slight control flow change introduced a dependency on a working proxy, which isn't enabled by tctl's test harness. This enables the proxy for this test, with a new test flag to support this.
The new helper unconditionally overrode cfg.Proxy.Enabled, which broke other tests that overrode the parameter in other ways. It now only toggles it on explicitly.
| @@ -252,7 +306,9 @@ func bold(text string) string { | |||
|
|
|||
| var startMessageTemplate = template.Must(template.New("node").Funcs(template.FuncMap{ | |||
There was a problem hiding this comment.
I debated keeping the old message at all and have so far just kept it (with some minor additive changes, e.g. including the joining URI) behind a --legacy flag. I figured that was the safest approach but if anyone thinks we should handle this differently I'm happy to try another approach.
There's a lot of random parameters in the rendered token templates which caused failures in the golden-style tests. This plumbs through a few static parameters along with adding a template parameter mutator to override some parameters to ensure test consistency.
tool/tctl/common/bots_command.go
Outdated
| c.botsList.Flag("format", "Output format, 'text' or 'json'").Hidden().Default(teleport.Text).EnumVar(&c.format, teleport.Text, teleport.JSON) | ||
|
|
||
| c.botsAdd = bots.Command("add", "Add a new certificate renewal bot to the cluster.") | ||
| c.botsAdd = bots.Command("add", "Add a new Machine & Workload Identity bot to the cluster.") |
There was a problem hiding this comment.
Long-term, I wonder if we ought to decouple bot creation from token creation here and instead force people to call tctl bots add and then tctl bot instances add? My main worry is growing complexity in the number of CLI flags.
There was a problem hiding this comment.
I've gone and moved all the shared flags into a helper function, at least, so hopefully the flag complexity issue is alleviated? I'm a bit wary of making larger UX changes to simplify our impl, but if we want to make more meaningful changes the flow here (especially if it helps with docs) I'm not opposed to further follow-up work.
There was a problem hiding this comment.
I'm a bit wary of making larger UX changes to simplify our impl, but if we want to make more meaningful changes the flow here (especially if it helps with docs) I'm not opposed to further follow-up work.
Yep - I'm not sure a change that's appropriate here - more thinking long term. Less worried about implementation complexity, but actual UX complexity - someone listing the command flags for tctl bots add sees a mixture of flags: some pertaining to the configuration of the bot, and some pertaining to the configuration of joining. For someone newer to the product, it feels like a missed opportunity to clarify how the two parts of the process are seperate.
Moves bot token flag initialization into a shared `initSharedBotTokenFlags()` helper.
|
While writing up docs I figured it would be useful to mention I also made a separate PR to include this new functionality in the help template for |
This includes some examples of using new `tctl` support for adding bound keypair tokens via `tctl bots add`, which is added in #63422.
* MWI: Add tctl examples to `tctl keypair create` This includes some examples of using new `tctl` support for adding bound keypair tokens via `tctl bots add`, which is added in #63422. * Improve insecure template rendering * Fix missing newline at EOF
This adjusts the default behavior in
tctlto create bound keypair tokens when creating new bot tokens intctl bots addandtctl bots instances add.This adds a new "V2" message template intended for use with joining URIs and bound keypair tokens, and defaults to that. The existing template is still available, with minor additive changes, using the
--legacyflag. Additional flags to manage bound keypair token parameters (recovery mode, etc) were also added and are specific to this join method.Additionally, joining URI parsing utilities were moved into their own package to be importable from
tctlwithout importing all oflib/tbot.changelog: MWI:
tctl bots addnow generates bound keypair tokens instead of legacy tokensCloses #59999
Command example: