Fix DynamicIdentityFileCreds being incompatible with L7 Loadbalancers #36411

Merged: strideynet merged 5 commits into master from strideynet/dyanmic-identity-creds-support-alpn-upgrade on Jan 9, 2024


@strideynet strideynet commented Jan 8, 2024

Closes #36229

changelog: Fixes refresh_identity = true preventing Access Plugins connecting to Teleport using TLS routing with a L7 LB.

Comment thread api/client/contextdialer.go Outdated

strideynet commented Jan 8, 2024

Tested locally with

```go
package main

import (
	"context"
	glog "log"
	"os"
	"os/signal"

	"github.com/sirupsen/logrus"

	"github.com/gravitational/teleport/api/client"
	apidefaults "github.com/gravitational/teleport/api/defaults"
	"github.com/gravitational/trace"
)

func main() {
	// Only exit non-zero when run() actually fails.
	if err := run(); err != nil {
		glog.Fatal(err)
	}
}

func run() error {
	// Cancel the context on Ctrl-C so the client shuts down cleanly.
	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
	defer cancel()

	// Debug logging shows the connection attempts made by the client.
	log := logrus.StandardLogger()
	logrus.SetLevel(logrus.DebugLevel)
	log.SetLevel(logrus.DebugLevel)

	// Identity file credentials that can be reloaded from disk.
	creds, err := client.NewDynamicIdentityFileCreds("./admin_identity")
	if err != nil {
		return trace.Wrap(err, "loading creds")
	}
	// Connect through the proxy address that sits behind the L7 load balancer.
	teleportClient, err := client.New(ctx, client.Config{
		Addrs:       []string{"leaf.tele.ottr.sh:443"},
		Credentials: []client.Credentials{creds},
	})
	if err != nil {
		return trace.Wrap(err, "connecting")
	}
	defer teleportClient.Close()

	// A simple authenticated call to confirm the connection works end to end.
	nodes, err := teleportClient.GetNodes(ctx, apidefaults.Namespace)
	if err != nil {
		return trace.Wrap(err, "get nodes")
	}
	log.Infof("Nodes: %d", len(nodes))
	return nil
}
```

And Caddy configured as an L7 LB.

Comment thread api/client/credentials.go
@strideynet strideynet enabled auto-merge January 9, 2024 17:51
Comment thread api/client/credentials_test.go Outdated
strideynet and others added 2 commits January 9, 2024 18:03
@strideynet strideynet added this pull request to the merge queue Jan 9, 2024
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jan 9, 2024
@strideynet strideynet added this pull request to the merge queue Jan 9, 2024
Merged via the queue into master with commit 8480371 Jan 9, 2024
@strideynet strideynet deleted the strideynet/dyanmic-identity-creds-support-alpn-upgrade branch January 9, 2024 19:19
@public-teleport-github-review-bot

@strideynet See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v12 | Failed |
| branch/v13 | Create PR |
| branch/v14 | Create PR |

Development

Successfully merging this pull request may close these issues.

Slack plugin fails to connect with "refresh_identity = true" to a cluster behind ALB
