Running proxy with a kubeconfig that uses auth providers (gcp/azure/openstack/etc) will fail at startup with Original Error: *errors.errorString no Auth Provider found for name "gcp"
There are a few missing pieces:
teleport binary should import k8s.io/client-go/plugin/pkg/client/auth for support to be compiled in
lib/kube/proxy/forwarder.go should propagate their credentials (usually bearer tokens) with http.RoundTripper wrappers (instead of cfg.BearerToken, since they are dynamically generated)
note: there seem to be two separate authn plumbing code paths for exec/portforward/etc and all other requests
we should probably unify those and make connecting+authn independent from what kind of request this is (if possible)
Note: auth providers are on the path to deprecation. However, at least GCP currently still defaults to them instead of exec plugins.
What you expected to happen:
Proxy starts successfully and provisions either mTLS key/certs or bearer tokens from auth providers.
How to reproduce it (as minimally and precisely as possible):
gcloud container clusters create foo
teleport start with a config pointing at kubeconfig generated by gcloud
Talked to @klizhentas, we will only support gcp and azure providers, but not oidc or openstack.
This gives us coverage for most popular k8s hosting providers and keeps attack surface increase small.
Exec providers (which are, confusingly, not a type of "auth provider") are supported by default without magic imports. However, we're not using http.RoundTripper wrapping correctly to support bearer tokens from exec providers (which is what AWS uses).
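The http.RoundTripper wrapping that both the issue body and the comment above call for, as an added example that is not Teleport's or client-go's code: a transport wrapper that asks a token source for the credential on every request, so dynamically generated tokens from auth providers or exec plugins are never frozen into a static cfg.BearerToken. tokenSource, bearerRoundTripper, wrapTransport and rotatingSource are assumed names; the rotating source is a constructed stand-in for a real provider.

```go
package main

import (
	"fmt"
	"net/http"
	"sync/atomic"
)

// tokenSource yields the current credential. Auth providers and exec plugins mint
// tokens dynamically, so a static cfg.BearerToken read at startup goes stale.
type tokenSource func() (string, error)

// bearerRoundTripper sets "Authorization: Bearer <token>" on each request.
type bearerRoundTripper struct {
	source tokenSource
	next   http.RoundTripper
}

func (b *bearerRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	// Leave an Authorization header the caller already set untouched (the same
	// convention client-go's transport package follows).
	if req.Header.Get("Authorization") != "" {
		return b.next.RoundTrip(req)
	}
	tok, err := b.source() // fresh token per request, never cached in config
	if err != nil {
		return nil, fmt.Errorf("fetching bearer token: %w", err)
	}
	// RoundTrippers must not mutate the caller's request, so clone it first.
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+tok)
	return b.next.RoundTrip(r)
}

// wrapTransport is what a forwarder would call when building its upstream client.
func wrapTransport(next http.RoundTripper, src tokenSource) http.RoundTripper {
	return &bearerRoundTripper{source: src, next: next}
}

// rotatingSource is a constructed stand-in for a provider that mints a fresh
// token per call; the counter lets a test prove the wrapper asks every time.
func rotatingSource() (tokenSource, *int64) {
	var n int64
	return func() (string, error) {
		return fmt.Sprintf("tok-%d", atomic.AddInt64(&n, 1)), nil
	}, &n
}

func main() { _ = wrapTransport(http.DefaultTransport, nil) } // keeps the file buildable stand-alone
```

In the real forwarder the token source would be the client-go auth provider or exec plugin, and the `k8s.io/client-go/plugin/pkg/client/auth` import from the issue is still required for the gcp/azure providers to be compiled in.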