Connect: Refresh leaf cluster certs before fetching certs for database#12293
Conversation
| // fromProfile creates a new cluster from its profile | ||
| func (s *Storage) fromProfile(clusterName string) (*Cluster, error) { | ||
| if clusterName == "" { | ||
| func (s *Storage) fromProfile(profileName, leafClusterName string) (*Cluster, error) { |
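Review bot: the doc comment `// fromProfile creates a new cluster from its profile` no longer describes the new `fromProfile(profileName, leafClusterName string)` signature; extend it to say that leafClusterName is optional and that an empty value means the root cluster. The hunk also shows only the old `if clusterName == ""` guard, so make sure the new body keeps that check as `if profileName == ""` rather than dropping it with the rename.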
There's an outstanding issue in Teleport Connect where all our URIs use the proxy hostname as the cluster name (which is equivalent to a profile name, I think). I'll create a separate ticket for it soon, but in general the problem is that the proxy hostname can be different than the root cluster name.
So when Storage.GetByURI calls fromProfile, this name is actually the profile name and not the real root cluster name from the key. I changed the argument name here from clusterName to profileName to signal that for the future.
| clusterURI := uri.NewClusterURI(profileName) | ||
| if leafClusterName != "" { | ||
| clusterURI = clusterURI.AppendLeafCluster(leafClusterName) | ||
| } |
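Review bot: with the leaf segment now appended here via `clusterURI.AppendLeafCluster(leafClusterName)`, any caller that used to build the leaf URI itself must not append it a second time; a test that round-trips both a plain profile and a profile plus leaf through the caller would pin that down, and the `if leafClusterName != ""` branch deserves a one-line comment that an empty name yields the root cluster URI.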
Previously this was done in Storage.GetByURI, but I see no reason why we couldn't do it here.
| // TODO(ravicious): This should probably use leafClusterName if available, but at this point I'm | ||
| // worried that changing it might break something else in the app. | ||
| Name: profileName, |
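Review bot: `Name: profileName` is still used when leafClusterName is non-empty, so a Cluster built for a leaf reports the root profile's name; the TODO explains why, but it should reference the tracking ticket so the inconsistency is not forgotten, and it should state that consumers must not rely on Name to identify a leaf cluster.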
At the moment it doesn't cause any issues because Teleport Connect uses another code path to get names of leaf clusters.
Methods on Storage are used mostly to get a Cluster instance that lets us perform operations on the root/leaf cluster through TeleportClient.
Connect: Refresh leaf cluster certs before fetching certs for database (#12293)
* Storage.fromProfile: Set correct SiteName for leaf clusters
* Cluster.CreateGateway: Use SiteName for CertPath
* Cluster.ReissueDBCerts: Refresh leaf cluster certs
Fixes gravitational/webapps.e#215.
tl;dr It was impossible to use Connect with databases on leaf clusters. Any attempt to create a db proxy was failing with "SSH cert not available" when Connect was trying to store reissued db certs.
Roman pointed out that the SSH key is indeed missing when looking at the tsh directory tree created by Connect. Connect was not doing the equivalent of what tsh login <cluster> was doing. The fix is to reissue certs for the cluster first before attempting to reissue certs for the db.

Another issue I encountered is that when working with a leaf cluster, we used to create a TeleportClient instance aimed at the root cluster and only after it was created we updated TeleportClient.SiteName to point at the leaf cluster. This didn't update the site name in TeleportClient.LocalKeyAgent. While it wasn't causing any problems yet, I decided to fix it while I was in this part of the codebase. So the first commit in this PR actually makes sure to pass the correct SiteName before we create an instance of TeleportClient.
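The two failure modes the description above walks through, as an added, self-contained model written for this page (it is not Teleport's code; `KeyStore`, `Client`, `localKeyAgent`, `CreateGatewayBefore` and `CreateGatewayAfter` are hypothetical stand-ins, and the profile, cluster and database names are constructed): a key store that refuses to write database certs for a site that has no SSH cert yet, a client that copies SiteName into its agent once at construction, and the before/after gateway flows side by side.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrSSHCertNotAvailable stands in for the error Connect surfaced when it
// tried to store reissued database certs without an SSH cert for the cluster.
var ErrSSHCertNotAvailable = errors.New("SSH cert not available")

// KeyStore is a constructed stand-in for the tsh key directory: it records
// which profile/site pairs hold an SSH cert and where database certs were written.
type KeyStore struct {
	sshCerts map[string]bool
	dbCerts  map[string]string
}

func NewKeyStore() *KeyStore {
	return &KeyStore{sshCerts: map[string]bool{}, dbCerts: map[string]string{}}
}

func keyFor(profile, site string) string { return profile + "/" + site }

// localKeyAgent models TeleportClient.LocalKeyAgent: it copies the site name
// at construction and never looks at the client's field again.
type localKeyAgent struct {
	siteName string
}

// Client is a hypothetical model of TeleportClient, not the real type.
type Client struct {
	ProfileName string
	SiteName    string
	agent       *localKeyAgent
	store       *KeyStore
}

func NewClient(store *KeyStore, profileName, siteName string) *Client {
	return &Client{
		ProfileName: profileName,
		SiteName:    siteName,
		agent:       &localKeyAgent{siteName: siteName},
		store:       store,
	}
}

// AgentSiteName exposes the agent's copy so a stale value can be observed.
func (c *Client) AgentSiteName() string { return c.agent.siteName }

// ReissueUserCerts is the equivalent of `tsh login <cluster>` for c.SiteName.
func (c *Client) ReissueUserCerts() {
	c.store.sshCerts[keyFor(c.ProfileName, c.SiteName)] = true
}

// ReissueDBCerts writes a database cert for c.SiteName and refuses, as the
// key store did, when there is no SSH cert for that site yet.
func (c *Client) ReissueDBCerts(db string) (string, error) {
	k := keyFor(c.ProfileName, c.SiteName)
	if !c.store.sshCerts[k] {
		return "", ErrSSHCertNotAvailable
	}
	path := k + "/" + db + "-x509.pem"
	c.store.dbCerts[k+"/"+db] = path
	return path, nil
}

// CreateGatewayBefore reproduces the pre-fix flow: a client built for the root,
// SiteName patched afterwards, database certs requested straight away.
func CreateGatewayBefore(store *KeyStore, profile, leaf, db string) (string, error) {
	c := NewClient(store, profile, profile)
	c.SiteName = leaf // the agent still points at the root
	return c.ReissueDBCerts(db)
}

// CreateGatewayAfter reproduces the fixed flow: the leaf SiteName is passed at
// construction and the cluster certs are refreshed before the database certs.
func CreateGatewayAfter(store *KeyStore, profile, leaf, db string) (string, error) {
	c := NewClient(store, profile, leaf)
	c.ReissueUserCerts()
	return c.ReissueDBCerts(db)
}

func main() {
	store := NewKeyStore()
	// Constructed state: the user logged into the root cluster, never into the leaf.
	store.sshCerts[keyFor("teleport.example.com", "teleport.example.com")] = true

	_, err := CreateGatewayBefore(store, "teleport.example.com", "leaf", "postgres")
	fmt.Println("before fix:", err)
	path, err := CreateGatewayAfter(store, "teleport.example.com", "leaf", "postgres")
	fmt.Println("after fix:", path, err)
}
```

The `AgentSiteName` accessor is there to make the second point observable: after `c.SiteName = leaf` on a client built for the root, the agent still reports the root site, which is why the fix passes the leaf name into the constructor instead of patching the field afterwards.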