Adjust join/register code to try new API first and fallback to old

gravitational · Oct 23, 2024 · cf594b3 · cf594b3
1 parent f27f75f
commit cf594b3
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 8 deletions.
diff --git a/lib/auth/apiserver.go b/lib/auth/apiserver.go
@@ -141,6 +141,7 @@ func NewAPIServer(config *APIConfig) (http.Handler, error) {
 	srv.POST("/:version/trustedclusters/validate", srv.WithAuth(srv.validateTrustedCluster))
 
 	// Tokens
+	// TODO(strideynet): REMOVE IN 18.0.0 - this method is now gRPC
 	srv.POST("/:version/tokens/register", srv.WithAuth(srv.registerUsingToken))
 
 	// Namespaces
@@ -489,6 +490,7 @@ func rawMessage(data []byte, err error) (interface{}, error) {
 	return &m, nil
 }
 
+// TODO(strideynet): REMOVE IN v18.0.0
 func (s *APIServer) registerUsingToken(auth *ServerWithRoles, w http.ResponseWriter, r *http.Request, _ httprouter.Params, version string) (interface{}, error) {
 	var req types.RegisterUsingTokenRequest
 	if err := httplib.ReadJSON(r, &req); err != nil {

diff --git a/lib/auth/join/join.go b/lib/auth/join/join.go
@@ -100,6 +100,8 @@ type RegisterParams struct {
 	CAPath string
 	// GetHostCredentials is a client that can fetch host credentials.
 	// Ignored if AuthClient is provided.
+	// TODO(strideynet): REMOVE IN V18.0.0
+	// Deprecated: since v17, the API client can be used for this purpose.
 	GetHostCredentials HostCredentials
 	// Clock specifies the time provider. Will be used to override the time anchor
 	// for TLS certificate verification.
@@ -348,6 +350,9 @@ func registerThroughProxy(
 		return nil, trace.Wrap(err)
 	}
 
+	// TODO(strideynet): When the old HTTP based join RPC is completely
+	// removed, this section can be refactored to reduce duplication.
+
 	var certs *proto.Certs
 	switch params.JoinMethod {
 	case types.JoinMethodIAM, types.JoinMethodAzure, types.JoinMethodTPM:
@@ -382,16 +387,47 @@ func registerThroughProxy(
 			return nil, trace.Wrap(err)
 		}
 	default:
-		// The rest of the join methods use GetHostCredentials function passed through
-		// params to call proxy HTTP endpoint
-		var err error
-		certs, err = params.GetHostCredentials(ctx,
-			proxyAddr,
-			params.Insecure,
-			*registerUsingTokenRequestForParams(token, hostKeys, params))
+		conn, err := proxyinsecureclient.NewConnection(
+			ctx,
+			proxyinsecureclient.ConnectionConfig{
+				ProxyServer:  proxyAddr,
+				CipherSuites: params.CipherSuites,
+				Clock:        params.Clock,
+				Insecure:     params.Insecure,
+				Log:          slog.Default(),
+			},
+		)
 		if err != nil {
-			return nil, trace.Wrap(err)
+			return nil, trace.Wrap(err, "creating proxy client")
 		}
+		defer conn.Close()
+
+		joinServiceClient := client.NewJoinServiceClient(
+			proto.NewJoinServiceClient(conn),
+		)
+		certs, err = joinServiceClient.RegisterUsingToken(
+			ctx, registerUsingTokenRequestForParams(token, hostKeys, params),
+		)
+		if err != nil {
+			// The rest of the join methods use the RegisterUsingToken RPC
+			// TODO(strideynet): in V18.0.0, we can remove the fallback call to
+			// GetHostCredentials.
+			if !trace.IsNotImplemented(err) {
+				return nil, trace.Wrap(err)
+			}
+			slog.WarnContext(
+				ctx,
+				"Registration falling back to deprecated HTTP API. Your agent may be newer than the Auth Server.",
+			)
+			certs, err = params.GetHostCredentials(ctx,
+				proxyAddr,
+				params.Insecure,
+				*registerUsingTokenRequestForParams(token, hostKeys, params))
+			if err != nil {
+				return nil, trace.Wrap(err)
+			}
+		}
+
 	}
 	return &RegisterResult{
 		Certs:      certs,

diff --git a/lib/client/weblogin.go b/lib/client/weblogin.go
@@ -756,6 +756,8 @@ func newMFALoginCeremony(clt *WebClient, login SSHLoginMFA) *mfa.Ceremony {
 }
 
 // HostCredentials is used to fetch host credentials for a node.
+// TODO(noah): REMOVE IN V18.0.0
+// Deprecated: Use the RegisterUsingToken gRPC method instead.
 func HostCredentials(ctx context.Context, proxyAddr string, insecure bool, req types.RegisterUsingTokenRequest) (*proto.Certs, error) {
 	clt, _, err := initClient(proxyAddr, insecure, nil, nil)
 	if err != nil {