feat: update tctl status to show key algorithms and storage (#47175)

gravitational · Oct 4, 2024 · d045c7d · d045c7d
1 parent 2b778a9
commit d045c7d
Show file tree

Hide file tree

Showing 8 changed files with 289 additions and 112 deletions.
diff --git a/api/constants/constants.go b/api/constants/constants.go
@@ -72,7 +72,7 @@ const (
 	Github = "github"
 
 	// HumanDateFormatSeconds is a human readable date formatting with seconds
-	HumanDateFormatSeconds = "Jan _2 2006 15:04:05 UTC"
+	HumanDateFormatSeconds = "Jan 2 2006 15:04:05 UTC"
 
 	// MaxLeases serves as an identifying error string indicating that the
 	// semaphore system is rejecting an acquisition attempt due to max

diff --git a/api/types/authority.go b/api/types/authority.go
@@ -463,16 +463,20 @@ func (r *Rotation) String() string {
 	switch r.State {
 	case "", RotationStateStandby:
 		if r.LastRotated.IsZero() {
-			return "never updated"
+			return "standby (never rotated)"
 		}
-		return fmt.Sprintf("rotated %v", r.LastRotated.Format(constants.HumanDateFormatSeconds))
+		return fmt.Sprintf("standby (last rotated: %v)", r.LastRotated.Format(constants.HumanDateFormatSeconds))
 	case RotationStateInProgress:
-		return fmt.Sprintf("%v (mode: %v, started: %v, ending: %v)",
-			r.PhaseDescription(),
-			r.Mode,
-			r.Started.Format(constants.HumanDateFormatSeconds),
-			r.Started.Add(r.GracePeriod.Duration()).Format(constants.HumanDateFormatSeconds),
-		)
+		switch r.Mode {
+		case RotationModeManual:
+			return fmt.Sprintf("in progress (mode: manual, phase: %s)", r.Phase)
+		default:
+			return fmt.Sprintf("in progress (mode: automatic, phase: %s, started: %v, ending: %v)",
+				r.Phase,
+				r.Started.Format(constants.HumanDateFormatSeconds),
+				r.Started.Add(r.GracePeriod.Duration()).Format(constants.HumanDateFormatSeconds),
+			)
+		}
 	default:
 		return "unknown"
 	}

diff --git a/constants.go b/constants.go
@@ -402,12 +402,6 @@ const (
 	// Syslog is a mode for syslog logging
 	Syslog = "syslog"
 
-	// HumanDateFormat is a human readable date formatting
-	HumanDateFormat = "Jan _2 15:04 UTC"
-
-	// HumanDateFormatMilli is a human readable date formatting with milliseconds
-	HumanDateFormatMilli = "Jan _2 15:04:05.000 UTC"
-
 	// DebugLevel is a debug logging level name
 	DebugLevel = "debug"
 

diff --git a/docs/pages/admin-guides/deploy-a-cluster/aws-kms.mdx b/docs/pages/admin-guides/deploy-a-cluster/aws-kms.mdx
@@ -168,6 +168,10 @@ KMS keys, read on to
 After starting up your Auth Service with the `aws_kms` configuration, you can
 confirm that Teleport has generated AWS KMS keys in your account by viewing them
 in the AWS Console.
+
+`tctl status` should also show `AWS KMS` as the `storage` method for all
+Certificate Authority keys.
+
 You can also run the following `tctl` commands to find the ARN of each key.
 
 ```code

diff --git a/docs/pages/admin-guides/deploy-a-cluster/gcp-kms.mdx b/docs/pages/admin-guides/deploy-a-cluster/gcp-kms.mdx
@@ -231,6 +231,9 @@ $ gcloud kms keys list --keyring "<Var name="teleport-keyring"/>" --location <Va
 Try logging in to the cluster with a Teleport user to make sure that new
 certificates can be signed without error.
 
+`tctl status` should also show `GCP KMS` as the `storage` method for all
+Certificate Authority keys.
+
 ## Migrating an existing cluster
 
 If you have an existing Teleport cluster it will have already created software

diff --git a/docs/pages/admin-guides/deploy-a-cluster/hsm.mdx b/docs/pages/admin-guides/deploy-a-cluster/hsm.mdx
@@ -333,6 +333,10 @@ All CAs listed in the output of `tctl status` must be rotated.
 
 ## Step 5/5. Confirm that Teleport is using your HSM
 
-You are all set! Check the teleport logs for `Creating new HSM key pair` to
-confirm that the feature is working. You can also check that keys were created
-in your HSM using your HSM's admin tool.
+You are all set! You can confirm that HSM keys are being used a few different
+ways:
+
+1. `tctl status` will show `PKCS#11 HSM` as the `storage` method for all
+   Certificate Authority keys.
+1. Teleport Auth service logs will contain `Creating new HSM key pair`.
+1. Your HSM's admin tool should show the newly created keys.
diff --git a/docs/pages/reference/cli/tctl.mdx b/docs/pages/reference/cli/tctl.mdx
@@ -779,7 +779,7 @@ $ tctl inventory list [<flags>]
 | `--older-than` | none | string | Filter for older teleport versions |
 | `--exact-version` | none | string | Filter output by teleport version |
 | `--services` | none | string | Filter output by service (node,kube,proxy,etc) |
-| `--upgrader` | none | `none`, `kube`, or `unit` | Filter output by upgrader (kube,unit,none) |   
+| `--upgrader` | none | `none`, `kube`, or `unit` | Filter output by upgrader (kube,unit,none) |
 
 ### Global flags
 
@@ -791,7 +791,7 @@ These flags are available for all commands `--debug, --config` . Run
 List inventory
 
 ```code
-$ tctl inventory ls 
+$ tctl inventory ls
 Server ID                            Hostname                        Services                   Agent Version Upgrader Upgrader Version
 ------------------------------------ ------------------------------- -------------------------- ------------- -------- ----------------
 00c3a1f7-5f24-47f9-b866-14401fbb5685 teleport-proxy-77df88c69        Proxy                      (=teleport.version=)       none     none
@@ -825,8 +825,8 @@ $ tctl inventory status [<flags>]
 | Name | Default Value(s) | Allowed Value(s) | Description |
 | - | - | - | - |
 | `--format` | `text` | `yaml, json` or `text` | Output format |
-| `--[no-]connected` | `--no-connected` | none | Show locally connected instances summary |  
-        
+| `--[no-]connected` | `--no-connected` | none | Show locally connected instances summary |
+
 ### Global flags
 
 These are available for all commands `--debug, --config` . Run
@@ -863,10 +863,10 @@ allows seeing connected instances on a specific Auth service.
 
 ```code
 $ tctl inventory status --connected
-Server ID                            Services               Version Upgrader 
------------------------------------- ---------------------- ------- -------- 
-b48e6e81-63e0-498f-834b-1a8adea09d95 Auth                   (=teleport.version=)  none     
-178d9301-2873-4020-895a-014edf067204 Node                   (=teleport.version=)  unit     
+Server ID                            Services               Version Upgrader
+------------------------------------ ---------------------- ------- --------
+b48e6e81-63e0-498f-834b-1a8adea09d95 Auth                   (=teleport.version=)  none
+178d9301-2873-4020-895a-014edf067204 Node                   (=teleport.version=)  unit
 ```
 
  </TabItem>
@@ -1422,7 +1422,7 @@ $ tctl get saml/your-connector-name --with-secrets | tctl sso test
 
 ## tctl status
 
-Report cluster status:
+Report cluster and Certificate Authority status:
 
 ```code
 $ tctl status
@@ -1432,9 +1432,26 @@ $ tctl status
 
 ```code
 # Checks status of cluster.
-$ tctl status Cluster  grav-00 User CA  never updated Host CA  never updated CA
-# pin   sha256:1146cdd2b887772dcc2e879232c8f60012a839f7958724ce5744005474b15b9d
-# Checks remote auth status using exported identity.
+$ tctl status
+Cluster: example.teleport.sh
+Version: 17.0.0
+CA pins: sha256:a5322b9f89cb94fff13da4bc9c7b2e633626e35161a75f7662a179a01be84ccc
+
+authority rotation                                        protocol status algorithm   storage
+--------- ----------------------------------------------- -------- ------ ----------- --------
+host      standby (never rotated)                         SSH      active Ed25519     software
+                                                          TLS      active ECDSA P-256 software
+user      standby (last rotated: Oct 3 2024 22:12:09 UTC) SSH      active ECDSA P-256 AWS KMS
+                                                          TLS      active ECDSA P-256 AWS KMS
+db        standby (never rotated)                         TLS      active RSA 2048    software
+db_client standby (never rotated)                         TLS      active RSA 2048    software
+openssh   standby (never rotated)                         SSH      active Ed25519     software
+jwt       standby (never rotated)                         JWT      active ECDSA P-256 software
+saml_idp  standby (never rotated)                         TLS      active RSA 2048    software
+oidc_idp  standby (never rotated)                         JWT      active RSA 2048    software
+spiffe    standby (never rotated)                         JWT      active ECDSA P-256 software
+                                                          TLS      active ECDSA P-256 software
+okta      standby (never rotated)                         JWT      active ECDSA P-256 software
 $ tctl status \
     --auth-server=192.168.99.102:3025 \
     --identity=identity.pem