Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not delete integration CAs on auth init #51938

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Do not delete integration CAs on auth init #51938

wants to merge 2 commits into from
+308 −36

Conversation

greedy52
Copy link
Contributor

@greedy52 greedy52 commented Feb 6, 2025
edited
Loading

Fixes #51920

changelog: Fix an issue that GitHub integration CA gets deleted during Auth restart for non-software key stores like KMS. For broken GitHub integrations, the integration resource must be deleted and recreated.

@greedy52 greedy52 added backport/branch/v17 github GitHub integration related labels Feb 6, 2025
@greedy52 greedy52 self-assigned this Feb 6, 2025
greedy52
greedy52 commented Feb 6, 2025
View reviewed changes
lib/auth/init.go
@@ -637,6 +639,22 @@ func initializeAuthorities(ctx context.Context, asrv *Server, cfg *InitConfig) e
return trace.Wrap(err)
}

// Collect CAs from integrations to avoid deleting them.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I attempted to create a UT for this but keyStore.DeleteUnusedKeys has no effect on software keys. I've also tried test with TELEPORT_TEST_AWS_KMS_ACCOUNT but keyStore.DeleteUnusedKeys does not delete keys created in the last 5 minutes. I might leave as it is without tests

greedy52
greedy52 commented Feb 6, 2025
View reviewed changes
lib/auth/integration/credentials/credentials.go
@@ -132,3 +132,38 @@ func GetIntegrationRef(ctx context.Context, integration string, igGetter Integra
}
return ref, nil
}

// GetIntegrationCertAuthorities attempts to retrieve certificate authorities
Copy link
Contributor Author

@greedy52 greedy52 Feb 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not new logic, moved from lib/auth/integration/integrationsv1 to here. added some extra testing tho.

@greedy52 greedy52 requested a review from dboslee February 6, 2025 21:51
zmb3
zmb3 reviewed Feb 7, 2025
View reviewed changes
lib/auth/init.go Outdated Show resolved Hide resolved
zmb3
zmb3 reviewed Feb 7, 2025
View reviewed changes
api/utils/clientutils/resources.go

// IterateResources is a helper that iterates through each resource from all
// pages and passes them one by one to the provided callback.
func IterateResources[T any](
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we make this a proper go iterator and return an iter.Seq instead of a manual loop with a callback?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zmb3 zmb3 zmb3 left review comments

@fheinecke fheinecke Awaiting requested review from fheinecke

@fspmarshall fspmarshall Awaiting requested review from fspmarshall

@dboslee dboslee Awaiting requested review from dboslee

At least 2 approving reviews are required to merge this pull request.

Assignees

@greedy52 greedy52

Labels
backport/branch/v17 github GitHub integration related size/md
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

GitHub proxy throws ssh: rejected: administratively prohibited error for KMS keys
2 participants
@greedy52 @zmb3