add CA filters to CA watchers#36361
Merged
GavinFrazar merged 1 commit intomasterfrom Jan 9, 2024
Merged
Conversation
GavinFrazar
added
no-changelog
espadolini
reviewed
Jan 7, 2024
Contributor
espadolini
left a comment
espadolini
left a comment
There was a problem hiding this comment.
Can you add some test coverage for (CertAuthorityFilter).Contains?
Contributor
Author
Oh, I added tests for that to the WatchKind contains tests in 89dba54 |
espadolini
approved these changes
Jan 8, 2024
GavinFrazar
requested review from
greedy52
and removed request for
rosstimothy
greedy52
approved these changes
Jan 9, 2024
public-teleport-github-review-bot
Bot
removed request for
Tener and
fspmarshall
* fix WatchKind.Contains for ca filter * add CA filter to caCollector * require CA types in CA watcher config * apply ca filter in EventsService parser
GavinFrazar
force-pushed
the
gavinfrazar/add-ca-filters
branch
from
758e0ee to
ee3de2a
Compare
|
@GavinFrazar See the table below for backport results.
|
GavinFrazar
added a commit
that referenced
this pull request
Jan 9, 2024
Backport #36361 to branch/v13.
GavinFrazar
added a commit
that referenced
this pull request
Jan 9, 2024
Backport #36361 to branch/v12.
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jan 10, 2024
* [v13] add CA filter for all known CAs to cache configs Backport #36361 to branch/v13. * dont backport AGPL license header
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jan 10, 2024
Backport #36361 to branch/v12.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related to (and a release pre-req for) the DB CA split: #35949
This PR makes CA watchers in both
CertAuthorityWatcherand the cache use filters.For the cache, all the
For<thing>setup config function will use CA filters, exceptForAuth- filtering there is pointless, and for best backwards compatibility auth should not have a CA filter. If it did have a filter, and we backported some future new CA type, then auth would reject watchers that specify the new CA type in their filter since auth's filter would notContainthe client watch's filter.The idea is that once this change is released, all Teleport components other than auth will use a CA filter when watching CAs such that they only receive
OpPutevents for CAs that they recognize, avoiding the need for any future CA filter injection hacks (hacks that we had to do for both the introduction of the Database CA and now the DB CA split).It will make the release process much easier for the DB CA split, because simultaneous release and last minute changes won't be necessary to get the filter-injection version ranges correct in each backport - instead I can just target cutoff ranges to the release versions that contain this change.