Correctly reissue certificates for leaf resources in tsh proxy kube

When renewing certificates the RouteToCluster was always being set to the root cluster instead of the leaf cluster. This causes issues with per session mfa because the root cluster can't find the target kubernetes cluster which causes the renewal process to fail. Now during renewal the RouteToCluster is copied from the active user certificate if it existed. Closes #41022.
gravitational · May 2, 2024 · 3f10dba · 3f10dba
1 parent 420bbf5
commit 3f10dba
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/lib/srv/alpnproxy/kube.go b/lib/srv/alpnproxy/kube.go
@@ -240,7 +240,12 @@ func (m *KubeMiddleware) reissueCertIfExpired(ctx context.Context, cert tls.Cert
 	if m.isCertReissuingRunning.CompareAndSwap(false, true) {
 		go func() {
 			defer m.isCertReissuingRunning.Store(false)
-			newCert, err := m.certReissuer(context.Background(), identity.TeleportCluster, identity.KubernetesCluster)
+
+			cluster := identity.TeleportCluster
+			if identity.RouteToCluster != "" {
+				cluster = identity.RouteToCluster
+			}
+			newCert, err := m.certReissuer(ctx, cluster, identity.KubernetesCluster)
 			if err == nil {
 				m.certsMu.Lock()
 				m.certs[serverName] = newCert