Add `insecure` option to Add Server button in the web UI

[webvictim]

What would you like Teleport to do?

The "Add Server" script in the Teleport web UI is very popular and gets a lot of use during PoVs. The main complaint I hear from prospects is that it isn't possible (or at least easy) to use this script when the Teleport server is running without a fully trusted TLS cert chain i.e. certs signed by a public root CA like Let's Encrypt, ACM or similar.

Even though some prospects can figure out how to use curl -k to disable TLS cert validation for the script download itself, the installed Teleport process itself always fails to connect to the cluster because it isn't passing --insecure to teleport start inside the systemd unit.

It'd be incredibly useful to have a checkbox next to the script download link - something like:

• [ ] Check to disable TLS certificate validation (DO NOT use in production)

This checkbox should:

• automatically change the command to use curl -kfsSL... to disable TLS certificate validation during download
• pass a flag to the script itself which will make it run teleport start --insecure instead of teleport start, and propagate this down to any installed systemd unit

What problem does this solve?

Helps self-hosted prospects get their nodes onboarded easily during PoVs and more quickly shows the value of the product.

If a workaround exists, please include it.

Cludgy. Manually configure a node and set up the systemd unit (which is hard enough for people without systemd experience to grok) then edit the systemd unit file to add --insecure to the ExecStart line.

[klizhentas]

@webvictim can you ping me to discuss alternative non-ui solutions for this, when convenient for you, e.g. use mkcert for non-prod to gen trusted self-signed CA

[hugoShaka]

can you ping me to discuss alternative non-ui solutions for this, when convenient for you, e.g. use mkcert for non-prod to gen trusted self-signed CA

@klizhentas If we consider going this way, I'm very interested in the feature, and the Kubernetes deployments would greatly benefit from it. Auth joining only needs a CA-pin, but proxy joining needs certificates trusted by the client PKI. This makes proxy joining considerably harder than auth joining in scenarios where you don't have a publicly reachable cluster.

Today we are in limbo between proxy joining and auth joining. It would simplify many things only to do proxy joining and stop mentioning port 3025. (e.g. @strideynet would like to ditch auth joining from tbot to streamline the joining process and remove potential misconfiguration, but the operator relies on tbot doing auth joining)

As Teleport auth is already a glorified CA-behind-an-API, it could use its CA to issue proxy certificates. Clients would only need to know the ca-pin to join through the proxy securely. This would alleviate the need to use --insecure in most cases and significantly improve the user experience when working with local clusters. As a side effect, this would enable seamless in-cluster joining in the Helm chart and unblock https://github.com/gravitational/teleport/issues/23211.

[webvictim]

I'd also be happy to see the Teleport host CA issuing an x509 key/cert pair which could be used to secure the Teleport web UI. Providing the CA pin up front could be handled via the Add Server script link and could enable proxy joins to work in any conceivable situation.

Naturally we could still use public PKI if people were competent enough to configure it, but having the option of a CA-pin based approach to avoid the hard requirement would be great.

It would also allow TLS multiplexing to work out of the box in all environments, as Teleport would always have a valid key/cert to serve TLS and the overarching requirement to check the PKI chain would shift to a valid CA pin being provided on the client side, making TLS termination less of a requirement.

There is also some precedent for overriding client-side validation with the AWS_CA_BUNDLE environment variable, which is used to provide certificate chains for the AWS SDK.

[strideynet]

If we take hugo's approach, this ticket is related to https://github.com/gravitational/teleport/issues/20304

[abolast]

I gave up the Teleport web UI "Add Server" script because without a fully trusted TLS cert chain, I had no idea why my download was failing. now I know that and solve by add a " -k "