Add correct IP propagation on node registration and login IP to bot certs #34454

Merged: AntonAM merged 6 commits into master from anton/bot-ip-pinning on Nov 24, 2023

AntonAM (Contributor) commented Nov 10, 2023

This PR adds correct IP propagation when a node/bot joins the cluster through RegisterUsing* calls and uses this IP to add LoginIP to the certificates generated for bots.

Before, we always took the IP from the context (e.g. from the incoming connection) directly, but when cluster joining was performed through the Proxy and not directly through the Auth server, we ended up with the Proxy IP address. In this PR we make sure that the Proxy sets the correct IP on the request and the Auth server trusts it if it's coming from the Proxy; otherwise it takes the IP from the connection.

Changelog: Fix IP propagation for nodes/bots joining the cluster and add LoginIP to bot certificates.

Fixes #13483
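
The trust rule described in the PR description above, as an added Go example that is not code from this PR or from Teleport: a forwarded client address is accepted only from a caller authenticated as a Proxy, and the connection address is used otherwise. `PeerRole`, `ResolveClientIP`, the parameter names and the addresses are hypothetical, and failing on a missing forwarded address is this example's own choice.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// PeerRole is a hypothetical stand-in for the role proven by the caller's
// authenticated identity; it is not a Teleport type.
type PeerRole string

const (
	RoleProxy PeerRole = "proxy"
	RoleNone  PeerRole = "" // caller connected to Auth directly
)

// ResolveClientIP picks the address to record for a joining node or bot.
// connAddr is the TCP peer of the connection Auth accepted; claimedAddr is
// the client address carried inside the request (hypothetical field).
func ResolveClientIP(peer PeerRole, connAddr, claimedAddr string) (netip.Addr, error) {
	if peer != RoleProxy {
		// Direct join: the claim in the request is caller-controlled, ignore it.
		ap, err := netip.ParseAddrPort(connAddr)
		if err != nil {
			return netip.Addr{}, fmt.Errorf("connection address: %w", err)
		}
		return ap.Addr().Unmap(), nil
	}
	// Join relayed by a Proxy: connAddr is the Proxy itself, so the only
	// useful value is the one the Proxy observed and forwarded.
	if claimedAddr == "" {
		// Choice made by this example: fail rather than pin to the Proxy IP.
		return netip.Addr{}, errors.New("proxy did not forward a client address")
	}
	ap, err := netip.ParseAddrPort(claimedAddr)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("forwarded address: %w", err)
	}
	return ap.Addr().Unmap(), nil
}

func main() {
	// Constructed addresses from the RFC 5737 documentation ranges.
	viaProxy, _ := ResolveClientIP(RoleProxy, "192.0.2.10:41000", "203.0.113.7:52000")
	direct, _ := ResolveClientIP(RoleNone, "198.51.100.23:40000", "203.0.113.7:52000")
	fmt.Println("relayed by proxy, recorded IP:", viaProxy)
	fmt.Println("direct with a claimed address, recorded IP:", direct)
}
```

A certificate whose LoginIP is derived this way carries the bot's own address for proxied joins, while a direct caller cannot choose the pinned address by filling in the request field.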

AntonAM force-pushed the anton/bot-ip-pinning branch 5 times, most recently from 9b3a6b3 to fc3c117, November 20, 2023 07:29
AntonAM requested a review from strideynet November 20, 2023 07:29
AntonAM marked this pull request as ready for review November 20, 2023 07:30

github-actions (Contributor) commented:

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

AntonAM (Contributor, Author) commented Nov 22, 2023

@nklaassen @xacrimon friendly ping

Comment thread lib/joinserver/joinserver.go Outdated
Comment thread lib/joinserver/joinserver.go Outdated
Comment thread lib/joinserver/joinserver_test.go Outdated
Comment thread lib/auth/apiserver.go Outdated
AntonAM (Contributor, Author) commented Nov 23, 2023

@nklaassen addressed your comments.

AntonAM requested a review from nklaassen November 23, 2023 21:05
public-teleport-github-review-bot (bot) removed the request for review from xacrimon November 23, 2023 21:34
AntonAM added this pull request to the merge queue Nov 24, 2023
github-merge-queue (bot) removed this pull request from the merge queue due to failed status checks Nov 24, 2023
AntonAM force-pushed the anton/bot-ip-pinning branch from e05f1e3 to 550cda3, November 24, 2023 07:01
AntonAM added this pull request to the merge queue Nov 24, 2023
Merged via the queue into master with commit 8cc440c Nov 24, 2023
AntonAM deleted the anton/bot-ip-pinning branch November 24, 2023 16:18

public-teleport-github-review-bot commented:

@AntonAM See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v14 | Create PR |

Development

Successfully merging this pull request may close these issues.

IP-based validation for Machine ID issued certificates