Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Correctly reissue certificates for leaf resources in tsh proxy kube #41046

Merged
merged 1 commit into from
May 2, 2024
Merged

Correctly reissue certificates for leaf resources in tsh proxy kube #41046

merged 1 commit into from
May 2, 2024

Conversation

rosstimothy
Copy link
Contributor

When renewing certificates the RouteToCluster was always being set to the root cluster instead of the leaf cluster. This causes issues with per session mfa because the root cluster can't find the target kubernetes cluster which causes the renewal process to fail. Now during renewal the RouteToCluster is copied from the active user certificate if it existed.

Closes #41022.

Changelog: Fix a bug that was preventing tsh proxy kube certificate renewal from working when accessing a leaf kubernetes cluster via the root.

@rosstimothy rosstimothy requested a review from Joerger April 30, 2024 12:49
@rosstimothy
Copy link
Contributor Author

@Joerger could you run through the test scenario again off this branch?

@Joerger
Copy link
Contributor

Joerger commented Apr 30, 2024

@Joerger could you run through the test scenario again off this branch?

It worked for me as well.

@rosstimothy rosstimothy marked this pull request as ready for review April 30, 2024 19:01
@rosstimothy
Copy link
Contributor Author

Friendly ping @strideynet

strideynet
strideynet approved these changes May 2, 2024
View reviewed changes
lib/srv/alpnproxy/kube.go Outdated Show resolved Hide resolved
@rosstimothy
Correctly reissue certificates for leaf resources in tsh proxy kube
fea166c 
When renewing certificates the RouteToCluster was always being set
to the root cluster instead of the leaf cluster. This causes issues
with per session mfa because the root cluster can't find the target
kubernetes cluster which causes the renewal process to fail. Now
during renewal the RouteToCluster is copied from the active user
certificate if it existed.

Closes #41022.
@rosstimothy rosstimothy force-pushed the tross/proxy_kube_reissue branch from d848a15 to fea166c Compare May 2, 2024 15:44
@rosstimothy rosstimothy enabled auto-merge May 2, 2024 15:44
@rosstimothy rosstimothy added this pull request to the merge queue May 2, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks May 2, 2024
@rosstimothy rosstimothy added this pull request to the merge queue May 2, 2024
Merged via the queue into master with commit d0e5a78 May 2, 2024
39 checks passed
@rosstimothy rosstimothy deleted the tross/proxy_kube_reissue branch May 2, 2024 16:23
@public-teleport-github-review-bot
Copy link

@rosstimothy See the table below for backport results.

Branch Result
branch/v13 Create PR
branch/v14 Create PR
branch/v15 Create PR

This was referenced May 2, 2024
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@capnspacehook capnspacehook capnspacehook approved these changes

@Joerger Joerger Joerger approved these changes

@strideynet strideynet strideynet approved these changes

Assignees
No one assigned
Labels
backport/branch/v13 backport/branch/v14 backport/branch/v15 size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

tsh proxy kube kube-cluster --cluster=leaf fails to reissue certs
4 participants
@rosstimothy @Joerger @strideynet @capnspacehook