Correctly reissue certificates for leaf resources in tsh proxy kube (#41158)

When renewing certificates the RouteToCluster was always being set
to the root cluster instead of the leaf cluster. This causes issues
with per-session MFA because the root cluster can't find the target
Kubernetes cluster, which causes the renewal process to fail. Now
during renewal the RouteToCluster is copied from the active user
certificate if it exists.

Closes #41022.
rosstimothy authored May 2, 2024
1 parent d3cbc79 commit d9d2536
7 changes: 6 additions & 1 deletion lib/srv/alpnproxy/kube.go
Expand Up @@ -240,7 +240,12 @@ func (m *KubeMiddleware) reissueCertIfExpired(ctx context.Context, cert tls.Cert
if m.isCertReissuingRunning.CompareAndSwap(false, true) {
go func() {
defer m.isCertReissuingRunning.Store(false)
newCert, err := m.certReissuer(context.Background(), identity.TeleportCluster, identity.KubernetesCluster)

cluster := identity.TeleportCluster
if identity.RouteToCluster != "" {
cluster = identity.RouteToCluster
}
newCert, err := m.certReissuer(ctx, cluster, identity.KubernetesCluster)
if err == nil {
m.certsMu.Lock()
m.certs[serverName] = newCert
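Review bot: the switch from `context.Background()` to `ctx` in the `m.certReissuer(ctx, cluster, identity.KubernetesCluster)` call is worth a second look, because that call runs inside `go func()` after `reissueCertIfExpired(ctx, ...)` may already have returned. If the `ctx` passed in is request-scoped, its cancellation will abort an in-flight reissue once the triggering request completes, which is presumably why the original code detached from it; either keep a detached context (or `context.WithoutCancel(ctx)` with an explicit timeout) or document that the caller guarantees `ctx` outlives the goroutine. The `cluster` selection itself looks right: falling back to `identity.TeleportCluster` when `identity.RouteToCluster` is empty preserves the previous behaviour for root-cluster certificates while routing leaf-cluster renewals to the leaf, which is what the per-session MFA failure in the commit message needs. A one-line comment above the `if identity.RouteToCluster != ""` block explaining that the leaf route must be preserved so the target Kubernetes cluster can be found, plus a test covering a certificate whose `RouteToCluster` differs from `TeleportCluster`, would keep this from regressing.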

0 comments on commit d9d2536