gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Provide a command line option for teleport.yaml validation #3248

Open jkendzorra opened 4 years ago

jkendzorra commented 4 years ago

It would be great to have a command line option that allows testing a config file for validity (and whether or not Teleport will start using that config file), especially when scripting config file changes remotely. Ideally, when invoked using this additional switch (e.g. teleport start -c /etc/teleport.yaml -t), it would report on invalid entries/format.

webvictim commented 4 years ago

100% agree - we really need to do this. With YAML being so finicky and fussy about spacing in files, plus our config files having a number of different sections, it's essential to have a way to validate that a given config file will parse and be interpreted correctly following changes.

kgtw commented 4 years ago

I've just reached out to the support team about this as well.

Our use-case differs slightly from this and is more aimed at the manifests (roles/trusted clusters) that are being applied automatically from our in-house tooling.

With changes introduced in 4.3 (https://github.com/gravitational/teleport/pull/3615), teleport requires you to delete trusted clusters and re-create them if there were any changes. This poses obvious problems from an automation point of view, where the automation deletes the existing manifest, then goes to apply the new one, which fails because of typos, syntax or schema changes.

In the case that a trusted cluster fails to get re-created, we are now in a state with an orphaned leaf cluster, which will require manual intervention (break-glass SSH) to fix it into a working state again.

One potential & untested fix for this at the moment is using --bootstrap and restarting the affected instance, if that bootstrap contains trusted cluster information.

webvictim commented 3 years ago

Huge +1 for this; you should be able to run teleport start -c /etc/teleport.yaml --check-config or similar and get a definitive yes/no.

russjones commented 3 years ago

We have a command called teleport configure --test. It does some of this, but we should expand it to cover services like auth_service, proxy_service, ssh_service, etc.