`tsh proxy kube kube-cluster --cluster=leaf` fails to reissue certs #41022

Joerger · 2024-04-29T20:21:22Z

When connecting to a kube cluster in a leaf cluster, tsh proxy kube fails to reissue certs successfully after the kube certs expire.

Fixing this behavior is especially important when max_session_ttl is low, which is common in per-session MFA setups.

Expected behavior:

tsh proxy kube kube-cluster --cluster=leaf should reissue certs whenever the certs expire.

Current behavior:

tsh proxy kube kube-cluster --cluster=leaf fails to reissue certs.

Debug logs:

2024-04-29T15:32:56-07:00 WARN [TSH]       Failed to reissue certificate for server 6d696e696b756265.leaf.example.com error:[
ERROR REPORT:
Original Error: *interceptors.RemoteError Kubernetes cluster &#34;minikube&#34; is not registered in this Teleport cluster; you can list registered Kubernetes clusters using &#39;tsh kube ls&#39;
Stack Trace:
	github.com/gravitational/teleport/[email protected]/client/client.go:1128 github.com/gravitational/teleport/api/client.(*Client).GenerateUserCerts
	github.com/gravitational/teleport/lib/client/cluster_client.go:395 github.com/gravitational/teleport/lib/client.PerformMFACeremony
	github.com/gravitational/teleport/lib/client/client.go:561 github.com/gravitational/teleport/lib/client.(*ProxyClient).IssueUserCertsWithMFA
	github.com/gravitational/teleport/tool/tsh/common/kube_proxy.go:580 github.com/gravitational/teleport/tool/tsh/common.issueKubeCert
	github.com/gravitational/teleport/tool/tsh/common/kube_proxy.go:568 github.com/gravitational/teleport/tool/tsh/common.makeKubeLocalProxy.(*kubeLocalProxy).getCertReissuer.func1
	github.com/gravitational/teleport/lib/srv/alpnproxy/kube.go:243 github.com/gravitational/teleport/lib/srv/alpnproxy.(*KubeMiddleware).reissueCertIfExpired.func1
	runtime/asm_amd64.s:1650 runtime.goexit
User Message: Kubernetes cluster &#34;minikube&#34; is not registered in this Teleport cluster; you can list registered Kubernetes clusters using &#39;tsh kube ls&#39;] alpnproxy/kube.go:181
2024-04-29T15:32:56-07:00 DEBU             Stopped forwarding request for "root.example.com:3080". alpnproxy/forward_proxy.go:374

Notes:

Teleport version: v15.2.4, v14.0.0

The cert checker local proxy middleware added in #40857 and expanded for http middleware in #40985 may be useful for fixing this issue.

The text was updated successfully, but these errors were encountered:

When renewing certificates the RouteToCluster was always being set to the root cluster instead of the leaf cluster. This causes issues with per session mfa because the root cluster can't find the target kubernetes cluster which causes the renewal process to fail. Now during renewal the RouteToCluster is copied from the active user certificate if it existed. Closes #41022.

…41046) When renewing certificates the RouteToCluster was always being set to the root cluster instead of the leaf cluster. This causes issues with per session mfa because the root cluster can't find the target kubernetes cluster which causes the renewal process to fail. Now during renewal the RouteToCluster is copied from the active user certificate if it existed. Closes #41022.

When renewing certificates the RouteToCluster was always being set to the root cluster instead of the leaf cluster. This causes issues with per session mfa because the root cluster can't find the target kubernetes cluster which causes the renewal process to fail. Now during renewal the RouteToCluster is copied from the active user certificate if it existed. Closes #41022.

…41159) When renewing certificates the RouteToCluster was always being set to the root cluster instead of the leaf cluster. This causes issues with per session mfa because the root cluster can't find the target kubernetes cluster which causes the renewal process to fail. Now during renewal the RouteToCluster is copied from the active user certificate if it existed. Closes #41022.

…41157) When renewing certificates the RouteToCluster was always being set to the root cluster instead of the leaf cluster. This causes issues with per session mfa because the root cluster can't find the target kubernetes cluster which causes the renewal process to fail. Now during renewal the RouteToCluster is copied from the active user certificate if it existed. Closes #41022.

…41158) When renewing certificates the RouteToCluster was always being set to the root cluster instead of the leaf cluster. This causes issues with per session mfa because the root cluster can't find the target kubernetes cluster which causes the renewal process to fail. Now during renewal the RouteToCluster is copied from the active user certificate if it existed. Closes #41022.

Joerger added the bug label Apr 29, 2024

rosstimothy added the tsh tsh - Teleport's command line tool for logging into nodes running Teleport. label Apr 29, 2024

rosstimothy mentioned this issue Apr 30, 2024

Correctly reissue certificates for leaf resources in tsh proxy kube #41046

Merged

rosstimothy self-assigned this Apr 30, 2024

programmerq added the c-q7j Internal Customer Reference label Apr 30, 2024

rosstimothy closed this as completed in #41046 May 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`tsh proxy kube kube-cluster --cluster=leaf` fails to reissue certs #41022

`tsh proxy kube kube-cluster --cluster=leaf` fails to reissue certs #41022

Joerger commented Apr 29, 2024 •

edited by rosstimothy

Loading

tsh proxy kube kube-cluster --cluster=leaf fails to reissue certs #41022

tsh proxy kube kube-cluster --cluster=leaf fails to reissue certs #41022

Comments

Joerger commented Apr 29, 2024 • edited by rosstimothy Loading

Expected behavior:

Current behavior:

Debug logs:

Notes:

`tsh proxy kube kube-cluster --cluster=leaf` fails to reissue certs #41022

`tsh proxy kube kube-cluster --cluster=leaf` fails to reissue certs #41022

Joerger commented Apr 29, 2024 •

edited by rosstimothy

Loading