Document tctl --auth-servers feature

[klizhentas]

Document implemented #1525 that adding ability to use tctl remotely with --auth-server and --identity flags.

To use it remotely, a user would first need to export identity locally on the auth server using the usual method:

auth$ tctl auth sign --user=admin --out=identity.pem

After that, the exported identity file can be used to invoke tctl from a remote node:

remote$ tctl status \
                --auth-server=192.168.99.102:3025 \
                --identity=identity.pem

remote$ tctl auth sign \
                --auth-server=192.168.99.102:3025 \
                --identity=identity.pem \
                --user=alice \
                --out=alice.pem

The --auth-server flag can be supplied multiple times.

Closes #1525.

[benarent]

@klizhentas I was just trying this on my test cluster. My auth server isn't available on the public with a public_addr of public_addr: 10.2.1.212:3025, I tried to access via my proxy but it didn't like it. To follow our best practices, it'll be good to be able to login via the proxy and not expose the auth to the public internet. If this is a known limitation, I'll document with a tip for now.

[webvictim]

I thought this just earlier too - if we could connect for this via web proxy/tunnel port a bit like Teleport IoT/node tunnelling, it'd be awesome.

[ptgott]

It looks like the CLI reference now includes most of this information except for an explicit mention of using --auth-server multiple times.

[zmb3]

I don't think we even want to mention using --auth-server multiple times - we're trying to move away from that behavior, right @rosstimothy

[ptgott]

👍 In that case, I think it's fine to close this