
Add support for alternative / additional names for nodes

Open jwolfe-ns opened this issue 1 year ago • 2 comments

What would you like Teleport to do? Today machines may serve multiple roles or simply be known by different names to various teams. The ability to add alternate names that map to a server would be great. This is more or less a CNAME within Teleport.

What problem does this solve? Great quality of life feature to allow servers to be referenced by multiple names

If a workaround exists, please include it. The kludge today would be adding an arbitrary label, which a wrapper script ingests and translates the call to the server's canonical name.

jwolfe-ns avatar Jan 25 '24 00:01 jwolfe-ns

Personally, I would just stick with the label approach. tsh ssh user@alt=node2 will get you to the right node.

Allowing a node to have multiple names has large implications (certificate principals, potential for duplicate names, etc.), which makes it higher risk for small gain.

zmb3 avatar Jan 25 '24 15:01 zmb3

@zmb3 We have some hosts where they may have multiple alt-names. How would that work?

I would assume something like this:

labels:
  alt_names: node1,node2,node3

But it doesn't look like you can use the predicate language functions on the command line (or at least I couldn't figure out the syntax for it).

Ideally I think something like tsh ssh contains("node2") or the like.

It would, however, be nice if there was some kind of real standard where we could specify alt names, and tsh could check for them automatically (even if under the hood it's just doing the same label lookup).

rcoxns avatar Feb 16 '24 21:02 rcoxns

As an example, I patched the following here: https://github.com/gravitational/teleport/blob/master/lib/client/api.go#L1322

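		// Extra lookup: nodes that carry an alt_name_1 label and match the
		// requested host through search().
		alt := &proto.ListResourcesRequest{
			ResourceType:        types.KindNode,
			Namespace:           tc.Namespace,
			Labels:              tc.Labels,
			SearchKeywords:      tc.SearchKeywords,
			PredicateExpression: fmt.Sprintf("exists(labels[\"alt_name_1\"]) && search(\"%s\")", tc.Host),
			UseSearchAsRoles:    tc.UseSearchAsRoles,
		}
		// The lookup error is discarded; anything other than exactly one
		// match falls through to the code that follows.
		nodes, _ := client.GetAllResources[types.Server](ctx, clt, alt)
		if len(nodes) == 1 {
			return []string{fmt.Sprintf("%s:0", nodes[0].GetName())}, nil
		}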

I know it's an ugly hack and there are probably better ways to do it, but just testing it as a POC. It expects something along the lines of this in teleport.yaml:

  labels:
    alt_name_1: my-first-altname
    alt_name_2: my-second-altname
    alt_name_3: my-third-altname
    ... etc ...

rcoxns avatar Feb 22 '24 15:02 rcoxns

@rcoxns re:

But it doesn't look like you can use the predicate language functions on the command line (or at least I couldn't figure out the syntax for it).

Both tsh and tctl support using the predicate language for filtering resources. Docs are available here. There is no need to patch lib/client.

zmb3 avatar Feb 26 '24 16:02 zmb3

Ideally I think something like tsh ssh contains("node2") or the like.

As of #40166, you can do exactly this.

contains(split(labels[alt_names], ","), "node2")

zmb3 avatar Apr 13 '24 22:04 zmb3
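
As an added example (not code from this thread or from Teleport), the Go sketch below models the exact-match lookup over a comma-separated alt_names label discussed above and refuses an alias carried by more than one node, which is the duplicate-name risk raised earlier in the thread. The Node type, node names and label values are constructed, and trimming whitespace around list entries is this example's assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Node is a constructed stand-in for a Teleport node (not the project's type).
type Node struct {
	Name   string
	Labels map[string]string
}

var ErrNoMatch = errors.New("no node carries that alias")
var ErrAmbiguous = errors.New("alias claimed by more than one node")

// ResolveAlias returns the canonical name only when exactly one node lists
// alias in its comma-separated alt_names label (exact match, not substring).
func ResolveAlias(nodes []Node, alias string) (string, error) {
	if alias == "" { // "" would otherwise match nodes with no alt_names label
		return "", ErrNoMatch
	}
	var hits []string
	for _, n := range nodes {
		for _, a := range strings.Split(n.Labels["alt_names"], ",") {
			if strings.TrimSpace(a) == alias { // trimming is this example's choice
				hits = append(hits, n.Name)
				break
			}
		}
	}
	if len(hits) == 0 {
		return "", ErrNoMatch
	}
	if len(hits) > 1 { // duplicate alias: refuse rather than pick a host
		return "", fmt.Errorf("%w: %s", ErrAmbiguous, strings.Join(hits, ", "))
	}
	return hits[0], nil
}

// sampleNodes is a constructed inventory; "shared" is deliberately duplicated.
func sampleNodes() []Node {
	return []Node{
		{Name: "db-01", Labels: map[string]string{"alt_names": "node1,node2,shared"}},
		{Name: "web-01", Labels: map[string]string{"alt_names": "node20, shared"}},
		{Name: "build-01", Labels: map[string]string{}},
	}
}
func main() { fmt.Println(ResolveAlias(sampleNodes(), "node2")) }
```

A substring match on "node2" would also hit web-01 through "node20"; exact membership resolves only db-01, and "shared" is rejected because two nodes claim it.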