Kubeconfig with a higher TTL

[tryvin]

Hey Guys, so, I set up Teleport inside the Kubernetes cluster, everything is working fine, I can log in with my own user on my machine and access the cluster without issues, it issues the certificate with a 12h TTL, and blah blah blah.

But... I'm having issues with a "Robot" user, basically, I followed this here: https://goteleport.com/docs/access-controls/guides/impersonation/#step-13-create-a-cicd-user-and-corresponding-role and could get the kubeconfig with the generated certificates, but, even if I ask for it to issue a longer life certificate, it seems to expire within the 12h, I put the config in the CI secrets, it works for the first hours, and then, the next day, it just doesn't work again, so I have to issue another one, and round and round we go.

Any ideas?

[webvictim]

What's the max_session_ttl of your CI/CD user set to?

This may be a weird situation where if you're logged in as a user from an SSO provider, the user has a hardcoded max TTL of 12 hours - but I haven't heard of this before.

As a short term workaround, you can run tctl auth sign directly on the auth server to issue kubeconfig files with arbitrary TTLs - this method does not use impersonation and isn't subject to any TTL limitations.

[tryvin]

Hey @webvictim I set the max ttl of the ci/CD user to 1year (I know, too high of a TTL, but I'm doing some tests), but my personal user who is doing the impersonation has a max ttl of 12h