[v14] Perform server version validation before using clients #38465

Merged
merged 1 commit into from
Feb 21, 2024

Conversation

rosstimothy
Contributor

Backport #38016 to branch/v14

Agents performed the following steps when creating an auth client:

1) Create an auth gRPC client
2) Call proto.AuthService/GetDomainName to force gRPC to dial the
   auth server in order to validate the connection since gRPC only
   dials on the first RPC
3) Call proto.AuthService/GetCertAuthority to get the HostCA
4) Call proto.AuthService/Ping to get the server version to determine
   if the connection should be aborted unless --skip-version-check
   was provided

On the surface this seems fine, however, the skip version check
did not happen until after two RPCs to auth had already been issued.
If either of those RPCs has changed the agent could perpetually fail
to connect to the cluster even though it should have never tried
due to version differences.

The order of the steps was changed to the following such that the
version check happens first.

1) Create an auth gRPC client
2) Call proto.AuthService/Ping to force gRPC to dial AND to get the
   server version information
3) Run the server version check and abort unless --skip-version-check
   was provided
4) Call proto.AuthService/GetCertAuthority to get the HostCA

An added benefit to this is agents now require one less RPC when
joining.
@rosstimothy rosstimothy added backport no-changelog Indicates that a PR does not require a changelog entry labels Feb 20, 2024
@rosstimothy rosstimothy marked this pull request as ready for review February 20, 2024 22:26
@rosstimothy rosstimothy added this pull request to the merge queue Feb 21, 2024
Merged via the queue into branch/v14 with commit 9c1a6e9 Feb 21, 2024
30 checks passed
@rosstimothy rosstimothy deleted the tross/backport-38016/v14 branch February 21, 2024 16:02
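
The reordered flow from the pull request description, as an added Go sketch that is not Teleport's code: a recording fake stands in for the auth server so the RPC order can be inspected. `AuthClient`, `fakeAuth`, `Connect` and `major` are hypothetical names, and the compatibility rule (the agent's major version must not exceed the server's) is an assumption made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// AuthClient is a hypothetical stand-in for the agent's auth gRPC client.
type AuthClient interface {
	Ping() (serverVersion string, err error)
	GetCertAuthority() (hostCA string, err error)
}

// fakeAuth records every RPC it receives so the call order can be inspected.
type fakeAuth struct {
	version string // constructed server version returned by Ping
	calls   []string
}

func (f *fakeAuth) Ping() (string, error) { f.calls = append(f.calls, "Ping"); return f.version, nil }
func (f *fakeAuth) GetCertAuthority() (string, error) { f.calls = append(f.calls, "GetCertAuthority"); return "constructed-host-ca", nil }

// major extracts the major component of a version such as "14.3.0" or "v14.3.0".
func major(v string) (int, error) {
	return strconv.Atoi(strings.SplitN(strings.TrimPrefix(v, "v"), ".", 2)[0])
}

// Connect issues Ping first (which also forces the dial), validates the
// server version, and only then sends any other RPC.
func Connect(c AuthClient, agentVersion string, skipVersionCheck bool) (string, error) {
	serverVersion, err := c.Ping()
	if err != nil {
		return "", fmt.Errorf("ping auth: %w", err)
	}
	if !skipVersionCheck {
		sm, errS := major(serverVersion)
		am, errA := major(agentVersion)
		if errS != nil || errA != nil || am > sm { // assumed rule; unparsable versions fail closed
			return "", fmt.Errorf("agent %s incompatible with server %q", agentVersion, serverVersion)
		}
	}
	return c.GetCertAuthority()
}

func main() {
	f := &fakeAuth{version: "13.4.0"}
	_, err := Connect(f, "14.3.0", false)
	fmt.Println(err, f.calls)
}
```

On a version mismatch the fake's call log contains only `Ping`, so no RPC whose contract may have changed between versions is ever sent.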
Labels
backport no-changelog Indicates that a PR does not require a changelog entry size/sm
3 participants