Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: update CA rotation docs #49468

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

docs: update CA rotation docs #49468

wants to merge 3 commits into from

Conversation

nklaassen
Copy link
Contributor

This PR updates the CA rotation to mention the new interactive tctl auth rotate (#49171), and edits a few sections that I found needed to be corrected or reworded for clarity.

Copy link

🤖 Vercel preview here: https://docs-f3a9rw882-goteleport.vercel.app/docs

Copy link
Contributor

@ptgott ptgott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some initial feedback

[`host` CA](#host).
1. `standby`: No rotation in progress. All operations have completed.
1. `update_servers`: Any server components in the cluster that accept incoming
connections from clients should reload their identity and start serving
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does "should" mean here? Would the sentence make sense if we removed it, or are there some situation in which cluster components that accept incoming connections do not reload their identity etc.?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, in some cases (OpenSSH servers, self-hosted databases), it's on the admin to issue a new cert and reload the identity, that's why I used "should"

1. `update_servers`: Any server components in the cluster that accept incoming
connections from clients should reload their identity and start serving
certificates issed by the new CA, but still accept certificates issued by the
original CA.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
original CA.
original CA.

Otherwise, the paragraph break won't render.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not trying to put a paragraph break here, I just like putting each sentence on its own line when writing markdown, I find it makes it easier for editing full sentences and leads to cleaner diffs


CA rotations can be **manual** or **semi-automatic**. In manual mode, admins
must instruct the Teleport Auth Service to advance from one phase to the next.
Between phases, admins can prepare their infrastructure to adjust to each
change. In semi-automatic mode, the Teleport Auth Service cycles through each
phase automatically, with a grace period between each phase.

In 17.1.0+ `tctl auth rotate` (with no arguments) starts an interactive
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this change, we mention tctl auth rotate after the manual and semi-automatic options. Would it make sense to structure the guide around the wizard instead, and leave the documentation of the arguments for our reference guides (i.e., this guide would be the fast path)? Otherwise, while the argumentless form of tctl auth rotate is a simplification, the documentation actually becomes a little more complex.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can see some benefits to pushing the interactive command, though I worry that relying only on arguments in the reference guides might leave too much as an exercise to the reader.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ptgott i haven't been finding the time to come back to this and rewrite with an interactive-first guide. If what he have here is a net improvement do you think we can merge as-is?

Comment on lines 128 to 138
<Admonition type="note">
Any OpenSSH hosts must be issued new host certificates during the
`update_servers` phase of the `host` CA rotation.
</Admonition>

<Admonition type="note">
If you are joining Teleport processes to a cluster via the Teleport Auth
Service, each Teleport process will need a CA pin to trust the Auth Service.
The CA pin will change after each `host` CA rotation. Make sure you use the
*new* CA pin when adding Teleport services after `host` CA rotation.
Service, each Teleport process needs a CA pin to trust the Auth Service.
Teleport Agents connecting to a Proxy Service address never need a CA pin, but
new Proxy Services should always use a CA pin when joining the cluster.
During the CA rotation, `tctl status` will report that there are 2 CA pins.
The CA pin configuration can accept a list including both pins.
After the rotation is complete, only the new CA pin will be reported.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would work these Admonitions into the body text. Successive Admonitions look cluttered and difficult to read.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

made both of these normal paragraphs

Copy link

🤖 Vercel preview here: https://docs-e5day2a2e-goteleport.vercel.app/docs

Copy link

github-actions bot commented Jan 23, 2025

Amplify deployment status

Branch Commit Job ID Status Preview Updated (UTC)
nklaassen/rotate-docs HEAD 1 ✅SUCCEED nklaassen-rotate-docs 2025-01-23 22:37:54

@nklaassen nklaassen requested a review from ptgott January 23, 2025 22:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport/branch/v17 documentation no-changelog Indicates that a PR does not require a changelog entry size/sm
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants