improve tctl config loading ux #42469
Conversation
github-actions
bot
requested review from
espadolini,
gabrielcorado,
ptgott,
r0mant and
xinding33
github-actions
bot
added
documentation
size/md
tsh
|
🤖 Vercel preview here: https://docs-ptot57dgq-goteleport.vercel.app/docs/ver/preview |
|
Nice! |
|
🤖 Vercel preview here: https://docs-14mjru27i-goteleport.vercel.app/docs/ver/preview |
|
🤖 Vercel preview here: https://docs-6cujf3h0g-goteleport.vercel.app/docs/ver/preview |
|
🤖 Vercel preview here: https://docs-hawsu40ok-goteleport.vercel.app/docs/ver/preview |
|
🤖 Vercel preview here: https://docs-ff6ocna1b-goteleport.vercel.app/docs/ver/preview |
|
🤖 Vercel preview here: https://docs-eny3l0st9-goteleport.vercel.app/docs/ver/preview |
|
@gabrielcorado this needs G2 |
public-teleport-github-review-bot
bot
removed the request for review
from gabrielcorado
GavinFrazar
force-pushed
the
gavinfrazar/update-tctl-config-loading
branch
from
e19b377 to
d61866b
Compare
|
🤖 Vercel preview here: https://docs-qmg2sapb9-goteleport.vercel.app/docs/ver/preview |
GavinFrazar
force-pushed
the
gavinfrazar/update-tctl-config-loading
branch
from
d61866b to
6b6ebde
Compare
|
🤖 Vercel preview here: https://docs-nrqbcsk33-goteleport.vercel.app/docs/ver/preview |
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
|
🤖 Vercel preview here: https://docs-npjndv4vh-goteleport.vercel.app/docs/ver/preview |
|
🤖 Vercel preview here: https://docs-ozurok71t-goteleport.vercel.app/docs/ver/preview |
|
@GavinFrazar See the table below for backport results.
|
|
Would it be worthwhile to backport it to v15 as well? I think people are hitting this issue pretty often. |
|
Nice! |
changelog: tctl will now ignore any configuration file if the auth_service section is disabled, and prefer loading credentials from a given identity file or tsh profile instead.
Fixes #25620
This issue frequently trips customers (and me) up - see the linked issue and the issues linking to it.
This PR checks the config file that tctl finds and ignores it if the auth service section is not enabled.
That makes it far more friendly to use tctl on a host where a teleport agent is running (or even just configured).
I also updated the docs and error messages to hint towards tsh/identity file credential loading.
I'm not sure if this is a "breaking" change, but it seems that tctl only loads the config file to get an auth server address + credentials, both of which are provided by identity file (we already require the address flag be provided with an id file) and tsh profile already, so it seems fine to me.