tctl get all - stale documentation

smallinsky commented 1 year ago

Applies To

https://goteleport.com/docs/management/operations/backup-restore/#example-of-backing-up-and-restoring-a-cluster

Details

Our docs says that tctl get all --with-secrets can be triggered by teleport user : tsh login --proxy=teleport.example.com --user=myuser

Log in to your cluster with tsh so you can use tctl from your local machine. You can also run tctl on your Auth Service host without running "tsh login" first.

tsh login --proxy=teleport.example.com --user=myuser Export dynamic configuration state from old cluster

tctl get all --with-secrets > state.yaml

Where actually tctl get all can be only executed on Teleport Auth instance that has BuildIn Admin user: issues/8539

Additionally tctl get all and tctl get all --with-secrets overwrites withSecret flag to true:
So all following commands are equal: tctl get all == tctl get all --no-with-secrets == tctl get all --with-secrets https://github.com/gravitational/teleport/blob/c0c04c50e45b214cadfecc75b2f951b2fba822af/tool/tctl/common/resource_command.go#L257

tctl get all --no-with-secrets
ERROR: this request can be only executed by an admin

hugoShaka commented 8 months ago

ptgott commented 3 months ago

In terms of tctl get all, would it make sense to recommend instead:

Using an IaC tool to manage dynamic resources (including tctl itself using a directory of manifests, as recommended in the "Our recommended backup practice" section of the guide)
Backing up the IaC manifests/configs.

gravitational / teleport

tctl get all - stale documentation #31866

Applies To

Details