User can't recover signed identities on Helm since v13 #29262

Closed
hugoShaka opened this issue Jul 18, 2023 · 4 comments
Labels: feature-request, helm, support-load

Comments

hugoShaka commented Jul 18, 2023

What would you like Teleport to do?

As a user, I want to be able to sign an identity for a server or a Teleport user by exec-ing in the auth pods. This was working until v13. I want tctl to support sending the signed content to stdout.

I also want the workarounds and proper way to sign identities to be documented (see workarounds).

What problem does this solve?

Trust bootstrapping. A lot of users used kubectl exec -it deployment/auth -- tctl auth sign ... to sign various things like the teleport plugin identities or db/host certs.

Until v13, we were using debian-based images, with tar in them. Now that we are using distroless-based images, we don't have tar anymore and cannot invoke kubectl cp by default.

If a workaround exists, please include it.

  • use a different image flavour (distroless-debug contains a shell and tar)
  • login using your local tctl (tsh login, then run locally tctl auth sign). This provides better security and auditability guarantees as the actions are logged as your user and RBAC is enforced. This approach should be preferred when possible.
  • hack to send tctl's output to stdout (use -o /proc/self/fd/1 --overwrite). This doesn't work when the output of tctl auth sign is multiple files (e.g. DB certs)
hugoShaka added the feature-request, support-load and helm labels on Jul 18, 2023
tcsc added a commit that referenced this issue Jul 19, 2023
Includes `tar` and its transitive dependencies to the distroless image
in order to address #29262
tcsc commented Jul 21, 2023

Is something like this what you're after?

❯ kubectl --namespace teleport exec deploy/teleport-auth -- tctl auth sign --user admin-guy --format openssh -o ssh-adminguy
The credentials have been written to ssh-adminguy, ssh-adminguy-cert.pub
❯ kubectl --namespace teleport exec deploy/teleport-auth -- tar c ssh-adminguy ssh-adminguy-cert.pub > adminguy-local.tar
❯ tar -xvf adminguy-local.tar
x ssh-adminguy
x ssh-adminguy-cert.pub

tigrato commented Jul 21, 2023

@tcsc

The goal is to be able to use kubectl cp to fetch the resources from the pod to the local machine.
Internally, kubectl cp uses tar to compress and transfer the files.

❯ kubectl --namespace teleport exec deploy/teleport-auth -- tctl auth sign --user admin-guy --format openssh -o ssh-adminguy
The credentials have been written to ssh-adminguy, ssh-adminguy-cert.pub
❯ kubectl --namespace teleport cp deploy/teleport-auth:./ssh-adminguy ./localDir

tcsc commented Jul 24, 2023

OK, so I've built and tested a distroless image with tar and its dependencies, and both of the above approaches work:

Given some files we want to extract from a pod, for the sake of an example created via

❯ kubectl -n teleport exec deploy/teleport-auth -- tctl auth sign --user admin-guy --format openssh -o adminguy
The credentials have been written to adminguy, adminguy-cert.pub

kubectl cp

❯ kubectl cp -n teleport teleport-auth-67c6844544-8jkrp:adminguy adminguy.local
❯ ls -la adminguy.local
-rw-r--r--  1 trent  staff  1679 24 Jul 11:59 adminguy.local

Write tar to stdout:

❯ mkdir local
❯ kubectl -n teleport exec deploy/teleport-auth -- tar cv adminguy adminguy-cert.pub | tar xv -C local
adminguy
adminguy-cert.pub
x adminguy
x adminguy-cert.pub
❯ ls -l local
total 16
-rw-------  1 trent  staff  1679 24 Jul 11:39 adminguy
-rw-------  1 trent  staff  2150 24 Jul 11:39 adminguy-cert.pub

Oops
So while we can get stuff out of the pod easily, this still leaves the issue of cleaning up after copying them out of the pod because the image has no rm. Given the way that the image is built, the obvious way to add rm implies adding the whole coreutils package, and at this point we may as well just use the debug image with busybox installed.

Question re: workarounds:
Are there scenarios where workaround #2 is inappropriate? Putting aside the fact that this is a breaking change and may break customer workflows; if workaround #2 is the preferred method in the first place, should we be encouraging that (and managing the breaking change) rather than making it easier to slip around access auditing and suchlike?

tcsc commented Jul 24, 2023

If we do end up wanting tctl to write files to stdout, we probably want it to spit out a tar archive in cases where it generates multiple files, yes? It's pretty easy to imagine something like:

❯ kubectl  exec -n teleport deploy/auth -- tctl auth sign --user admin-guy --format openssh -o - | tar xv
x adminguy
x adminguy-cert.pub

Not sure whether handling single-file exports with tar (for consistency) or as their natural format (for immediate use) is the better user experience.

Edit: see #29451 for experimental implementation

tcsc added a commit that referenced this issue Jul 24, 2023
A quick and dirty experiment showing one possible approach for
writing certificates to stdout. Demonstrates a possible solution
to #29262.

DO NOT MERGE AS IS. IN NO WAY PRODUCTION READY.
github-merge-queue bot pushed a commit that referenced this issue Jul 27, 2023
…29451)

* Proof-of-concept writing tar to stdout

A quick and dirty experiment showing one possible approach for
writing certificates to stdout. Demonstrates a possible solution
to #29262.

DO NOT MERGE AS IS. IN NO WAY PRODUCTION READY.

* Fix timestamps

* Adds `--tar` option to `auth sign`

Adds an option to bundle the certificates generated by `tctl auth sign`
into a tarball and writes that tarball to stdout.

This is to facilitate extracting credentials from environments with
limited access to the filesystem and tools like a shell, tar and so
on, e.g. distroless Docker images.

Example usage:

```
$ kubectl exec ... -- tctl auth sign --user alice --format openssh -o alice --tar | tar xv
x alice-cert.pub
x alice
```

* Reroutes helper message to stderr when streaming tar file to stdout
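Added example, not code from this issue or from Teleport: the consumer side of the "tar archive on stdout" pattern that both tcsc's `tar cv ... | tar xv` pipeline and the `--tar` option from the merged commit rely on. The pod side is replaced by constructed shell functions standing in for `kubectl exec ... -- tctl auth sign ... --tar`, so the script runs without a cluster; `extract_stream`, `good_producer`, `bad_producer` and the file contents are hypothetical names and data. It buffers the stream and checks that it parses as an archive before extracting (a producer that prints its "credentials have been written to" message on stdout, the pre-fix behaviour, corrupts the stream), refuses member paths that could write outside the destination, and clamps permissions so the private key comes out owner-only.

```shell
#!/bin/sh
# Added example: consumer side of the "tar archive on stdout" pattern.
# Nothing here is Teleport code; the producers below are constructed
# stand-ins for `kubectl exec ... -- tctl auth sign ... --tar` so the
# script runs without a cluster.
set -u

# extract_stream DEST PRODUCER [ARGS...]
# Runs PRODUCER, buffers its stdout, and extracts it into the new
# directory DEST only if it is a well-formed tar archive with safe paths.
# Returns 0 on success, 1 otherwise (and leaves no partial DEST behind).
extract_stream() {
    es_dest="$1"; shift
    es_tmp=$(mktemp) || return 1

    # Buffer first. If the producer prints any helper text on stdout
    # (the behaviour the "Reroutes helper message to stderr" commit fixed),
    # the bytes ahead of the tar header make the stream unparseable, and
    # that should be discovered before anything touches DEST.
    if ! "$@" > "$es_tmp"; then
        rm -f "$es_tmp"; return 1
    fi
    if ! es_members=$(tar -tf "$es_tmp" 2>/dev/null); then
        echo "extract_stream: stdout was not a tar archive (chatter on stdout?)" >&2
        rm -f "$es_tmp"; return 1
    fi

    # The archive comes from a remote process; never let it write outside DEST.
    if printf '%s\n' "$es_members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "extract_stream: refusing archive with absolute or .. member paths" >&2
        rm -f "$es_tmp"; return 1
    fi

    # Fresh directory, restrictive umask during extraction, and an explicit
    # clamp afterwards because root (and tar -p) would otherwise keep the
    # modes stored in the archive.
    if ! mkdir "$es_dest"; then
        rm -f "$es_tmp"; return 1
    fi
    if ( umask 077 && tar -xf "$es_tmp" -C "$es_dest" ); then
        es_rc=0
    else
        es_rc=1
    fi
    rm -f "$es_tmp"
    [ "$es_rc" -eq 0 ] && chmod -R go-rwx "$es_dest"
    return "$es_rc"
}

# Constructed stand-in for the fixed tctl: archive on stdout, message on stderr.
good_producer() {
    gp_work=$(mktemp -d) || return 1
    ( umask 077
      printf 'constructed-private-key\n' > "$gp_work/alice"
      printf 'constructed-certificate\n' > "$gp_work/alice-cert.pub" )
    echo "The credentials have been written to alice, alice-cert.pub" >&2
    tar -cf - -C "$gp_work" alice alice-cert.pub
    gp_rc=$?
    rm -rf "$gp_work"
    return "$gp_rc"
}

# Constructed stand-in for the broken variant: the same message printed on
# stdout, ahead of the archive bytes.
bad_producer() {
    echo "The credentials have been written to alice, alice-cert.pub"
    good_producer 2>/dev/null
}
```

Against a real cluster the producer would be `kubectl exec -n teleport deploy/teleport-auth -- tctl auth sign ... --tar`; run it without `-t`, since a pseudo-terminal would rewrite bytes in the binary stream. Extraction does not remove anything from the pod, so tcsc's point about the image lacking `rm` still applies: the signed files stay in the container's filesystem until the pod is replaced.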