Do not sync Database CA if leaf 9.0 #12040
Conversation
Code lgtm but please add test coverage before merging.
lib/reversetunnel/srv.go
@@ -1107,7 +1112,7 @@ func newRemoteSite(srv *server, domainName string, sconn ssh.Conn) (*remoteSite, | |||
return nil, err | |||
} | |||
|
|||
go remoteSite.updateCertAuthorities(caRetry) | |||
go remoteSite.updateCertAuthorities(caRetry, remoteClusterVersion) |
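Review bot: remoteClusterVersion is read once when the site is created and handed to a goroutine that runs for the life of the tunnel, so a leaf that upgrades from v9 to v10 in place will keep being treated as v9 until it reconnects; if that is the intended behaviour, a one-line comment at this call site saying so would save the next reader the question. The hunk context still shows the old newRemoteSite signature, so where the new parameter comes from is not visible here, and the gate inside updateCertAuthorities should have a test for both a v9 and a v10 leaf, as the earlier review comment already asks.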
nit: instead of forwarding remoteClusterVersion from two layers it can be just saved as a member in the remoteSite struct.
I was thinking about it; the remoteSite struct is already quite huge and it looks like the version is not needed anywhere else. Let me look at this once again.
Does this mean that database access in a v9 leaf cluster is not going to work when the root is v10?
@espadolini It will work. v9 is using the Host CA to sign certificates in Database Access, where v10 uses the Database CA introduced in v10. For that reason the Database CA should not be sent to a v9 cluster, as that one uses the Host CA in database access and is not aware of the Database CA.
When, in an existing trusted cluster, the root cluster is updated to v10, this warning message shows in the logs, as the leaf, still being on v9, doesn't know about the Database CA introduced in v10:
This PR adds a version check to skip the Database CA sync if the leaf is on a version lower than v10, so this warning is not printed.
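The version gate the description refers to, as an added Go example that is not Teleport's code: the CA type name, the version-parsing helper and the choice to treat an empty or unreadable leaf version as pre-v10 are assumptions of this example, not something the PR states.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DatabaseCA is an assumed name for this example, not Teleport's own constant.
const DatabaseCA = "db"

// majorVersion extracts the leading major number from strings such as
// "9.3.4", "v10.0.0-rc.1" or "10.1.2-dev". Anything it cannot read is
// returned as an error so the caller can pick the safe behaviour.
func majorVersion(v string) (int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	end := strings.IndexAny(v, ".-+") // drop minor/patch, pre-release, build metadata
	if end == -1 {
		end = len(v)
	}
	major, err := strconv.Atoi(v[:end])
	if err != nil || major < 0 {
		return 0, fmt.Errorf("unparseable cluster version %q", v)
	}
	return major, nil
}

// shouldSyncCA reports whether a CA of caType should be pushed to a leaf
// running remoteVersion. The Database CA only exists from v10 on; a v9
// leaf signs database certificates with the Host CA and would log a
// warning for a CA type it does not know. An empty or unparseable
// version is treated as pre-v10 so an unknown leaf never receives it.
func shouldSyncCA(caType, remoteVersion string) bool {
	if caType != DatabaseCA {
		return true
	}
	major, err := majorVersion(remoteVersion)
	if err != nil {
		return false
	}
	return major >= 10
}

func main() {
	for _, v := range []string{"9.3.4", "v10.0.0-rc.1", ""} {
		fmt.Printf("leaf %q: sync Database CA = %v\n", v, shouldSyncCA(DatabaseCA, v))
	}
}
```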