When using the action `auth-k8s` one can specify the name of a single k8s cluster to connect to. This action works fine, however I need to connect to multiple clusters. The way I've found to do this is as follows:
```yaml
- name: Authorize against Teleport
  uses: teleport-actions/auth-k8s@v1
  with:
    proxy: <proxy-address>
    token: ${{ secrets.TELEPORT_TOKEN }}
    certificate-ttl: 15m
    kubernetes-cluster: cluster1
# Remember the kubeconfig path written for cluster1
- run: "echo ROOT_KUBECONFIG=$KUBECONFIG >> $GITHUB_ENV"
- name: Authorize against Teleport
  uses: teleport-actions/auth-k8s@v1
  with:
    proxy: <proxy-address>
    token: ${{ secrets.TELEPORT_TOKEN }}
    certificate-ttl: 15m
    kubernetes-cluster: cluster2
# Append the kubeconfig path written for cluster2 (colon-separated list)
- run: "echo ROOT_KUBECONFIG=$ROOT_KUBECONFIG:$KUBECONFIG >> $GITHUB_ENV"
# Point KUBECONFIG at the combined list for the following steps
- run: "echo KUBECONFIG=$ROOT_KUBECONFIG >> $GITHUB_ENV"
```
Which is ok for 2 clusters but I need to connect to 1-2 dozen of them, which definitely takes some time.
I tried using the action `auth` and then using `tsh kube login`, which is indeed successful, but when I execute any `kubectl` command it fails with the following error:
```
ERROR: access denied: identity is not allowed to reissue certificates
E0221 23:11:50.416446 1801 memcache.go:265] couldn't get current server API group list: Get "https://<teleport host>/api?timeout=32s": getting credentials: exec: executable /opt/hostedtoolcache/teleport/13.4.15-linux-amd64/x64/tsh failed with exit code 1
```
It would be nice if one could log in to all allowed clusters for the identity, similar to `tsh kube login all`.
If this is possible already, it should be documented :)