RFD 64: Bot for certificate renewals (Machine ID) (#7986)
* First draft RFD for cert renewal bot
* wip
* Update design with more implementation details
* Add roles to tctl bots ls output
* Added details from findings with the cert bot dev demo
* Detailed new UX with config file fallback for complex cases
* Added significantly more detail on how + why we'll use impersonation
* Detailed plans for preventing certificate propagation
* Added several notes on security plans (and several unsolved issues)
* Updated several TODOs
* Added more TODOs than removed, oops
* Clarify artifacts (replaces modes). Add notes on reload notifications.
* A few last tweaks before sending off for discussion
* First batch of review feedback
* Address RFD feedback
* standardize on `destinations`
* use only directory destinations on the CLI, remove unneeded section on CLI syntax
* only generate one type of cert by default, allow generating both
* document new config assistant approach (auto templates + helper CLI)
* document memory-only storage backend
* add detail to config example
* use `/var/lib/teleport/bot` instead of `/var/lib/tbot`
* mostly remove discussion of webhooks and k8s secrets (still referenced in a "future ideas" section)
* several wording improvements
* Address feedback and resolve some TODOs
* Document plans on ACL use (`tbot init`)
* Clarify plans on automatic bot locking on cert generation conflict
* Add notes about EC2 identity documents in the future
* Add note on disallow-reissue
* Simplify plan for reload events (FS watch only + `tbot watch` helper)
* Remove Bot resource
* Use only gRPC endpoints
* Add notes on SIGTERM handling and bot locking

  Also, remove "API Client Refresh" section
* Add internal change summary appendix, address review feedback
* Additional pass of updates

  Aiming for merge readiness.
* Update rfd/0056-bot-for-cert-renewals.md

  Co-authored-by: Ben Arent <[email protected]>
* Rename to RFD 64

Co-authored-by: Tim Buckley <[email protected]>
Co-authored-by: Ben Arent <[email protected]>