From d9d2536bc7a422b2300055da2c2882e4da92f5e5 Mon Sep 17 00:00:00 2001
From: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Date: Thu, 2 May 2024 16:02:28 -0400
Subject: [PATCH] Correctly reissue certificates for leaf resources in tsh proxy kube (#41158)

When renewing certificates the RouteToCluster was always being set to the root cluster instead of the leaf cluster. This causes issues with per session mfa because the root cluster can't find the target kubernetes cluster which causes the renewal process to fail. Now during renewal the RouteToCluster is copied from the active user certificate if it existed.

Closes #41022.
---
 lib/srv/alpnproxy/kube.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/srv/alpnproxy/kube.go b/lib/srv/alpnproxy/kube.go
index 93d6893595aa0..20018ecfb5a5a 100644
--- a/lib/srv/alpnproxy/kube.go
+++ b/lib/srv/alpnproxy/kube.go
@@ -240,7 +240,12 @@ func (m *KubeMiddleware) reissueCertIfExpired(ctx context.Context, cert tls.Cert
 	if m.isCertReissuingRunning.CompareAndSwap(false, true) {
 		go func() {
 			defer m.isCertReissuingRunning.Store(false)
-			newCert, err := m.certReissuer(context.Background(), identity.TeleportCluster, identity.KubernetesCluster)
+
+			cluster := identity.TeleportCluster
+			if identity.RouteToCluster != "" {
+				cluster = identity.RouteToCluster
+			}
+			newCert, err := m.certReissuer(ctx, cluster, identity.KubernetesCluster)
 			if err == nil {
 				m.certsMu.Lock()
 				m.certs[serverName] = newCert
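Review bot: The detached reissue goroutine now runs under the caller's `ctx` instead of `context.Background()` on the `m.certReissuer(ctx, cluster, identity.KubernetesCluster)` line, a change the commit description does not mention; if `ctx` is scoped to the request that triggered the check, its cancellation when that request ends would abort the renewal, including the per-session MFA prompt this patch is meant to make work, while `isCertReissuingRunning` is already reset by the defer so the next request simply retries. Either keep the background context for work that outlives the request, or bound it explicitly, e.g. `reissueCtx, cancel := context.WithTimeout(context.Background(), reissueTimeout)` with `defer cancel()` inside the goroutine, so a hung reissue cannot pin the singleflight flag forever. The new `cluster` selection also deserves a why-comment, since the fallback is the fix itself: `// Route the reissue to the leaf cluster recorded in the active cert; a cert without RouteToCluster is for the root cluster.` The enclosing reissueCertIfExpired function starts and ends outside this hunk, so the handling of a non-nil err is not visible here.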