[v15] docs: Add disable_exec_plugin to Machine ID troubleshooting steps #43406

Merged
merged 3 commits into from
Jun 24, 2024
36 changes: 32 additions & 4 deletions docs/pages/machine-id/troubleshooting.mdx
Expand Up @@ -38,7 +38,7 @@ backend, and embeds a copy of the counter in the certificate.

If the counter embedded in your bot certificate doesn't match the counter
stored in Teleport's Auth Server, the renewal will fail and the bot user will
be automatically [locked](../access-controls/guides/locking.mdx).
be automatically [locked](../access-controls/guides/locking.mdx).

Renewable certificates are exclusively stored in the bot's internal data
directory, by default `/var/lib/teleport/bot`. It's possible to trigger this by
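Review bot: the two copies of `be automatically [locked](../access-controls/guides/locking.mdx).` render identically in this hunk, so the change appears to be whitespace-only (most likely a trailing space removed); harmless, but worth confirming it was intentional rather than editor noise, since the same old-line/new-line pattern repeats in the next two hunks.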
Expand All @@ -52,7 +52,7 @@ with old certificates and trigger a lock.
### Resolution

Before unlocking the bot, try to determine if either of the two scenarios
described above apply. If the certificates were stolen, there may be
described above apply. If the certificates were stolen, there may be
underlying security concerns that need to be addressed.

Otherwise, first ensure only one bot instance is using the internal data
Expand Down Expand Up @@ -218,8 +218,8 @@ However, the database exists and can be seen by regular users via `tsh`:

```code
$ tsh db ls
Name Description Allowed Users Labels Connect
---------- ----------- ------------- ------- -------
Name Description Allowed Users Labels Connect
---------- ----------- ------------- ------- -------
example [alice] env=dev
```

Expand Down Expand Up @@ -292,3 +292,31 @@ flag:
$ tctl bots rm example
$ tctl bots add example --roles=foo,bar,machine-id-db
```

## Destination kubernetes_secret: `identity-output` must be a directory in exec plugin mode

By default, when outputting a Kubernetes identity, `tbot` outputs make use of a Kubernetes exec
plugin to always provide the latest version of the credentials.

When outputting a Kubernetes identity to a Kubernetes secret, however, it is important to disable
the use of the `exec` plugin by adding `disable_exec_plugin: true` to the output. This means that
a static `kubeconfig` file with embedded short-lived credentials is written instead:

```yaml
outputs:
- type: kubernetes
# Specify the name of the Kubernetes cluster you wish the credentials to
# grant access to.
kubernetes_cluster: example-k8s-cluster
# Required when outputting a Kubernetes identity to a Kubernetes secret.
disable_exec_plugin: true
destination:
type: kubernetes_secret
# For this guide, identity-output is used as the secret name.
# You may wish to customize this. Multiple outputs cannot share the same
# destination.
name: identity-output
```

Failure to add the `disable_exec_plugin` flag will result in a warning being displayed:
`Destination kubernetes_secret: identity-output must be a directory in exec plugin mode`.
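Review bot: the new section tells the reader to set `disable_exec_plugin: true` but never says why, so a reader hitting the warning cannot tell whether the setting is a workaround or the intended configuration; one sentence stating that exec-plugin mode produces a kubeconfig that only works when the destination is a directory on disk (which is exactly what the warning `must be a directory in exec plugin mode` says), and that a Kubernetes secret therefore needs the static kubeconfig instead, would make the fix self-explanatory. Two smaller points on the same hunk: `disable_exec_plugin` is a YAML field of the output, not a flag, so "Failure to add the `disable_exec_plugin` flag" should read "field" or "option"; and because the static kubeconfig now carries the short-lived credentials inline rather than fetching them on demand, it is worth adding that consumers of the secret must re-read it after each renewal to avoid using expired credentials, and that read access to the `identity-output` secret is equivalent to holding the bot's Kubernetes identity, so RBAC on that secret should be scoped accordingly.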