Add webapi v2 endpoints for creating discovery token and enrolling eks with labels by kimlisa · Pull Request #50472 · gravitational/teleport

kimlisa · 2024-12-20T07:17:19Z

The endpoint for creating a token for discovery flow now allows user defined labels to be set as part of suggested_labels (this PR)
The endpoint for enrolling eks clusters recently added ability to add user defined labels as extraLabels (Discover EKS: allow custom labels for Kube Server #49420)

Both scenarios if a user tries to create token/resource and provides labels, if requests goes to an older proxy, it'll look like the request succeeded but the labels will not have been set. So this PR defines v2 endpoints, so that if request goes to an older proxy, a 404 error will return, which we will assume it's because of version mismatch.

This PR also returns the version number of proxy when a route wasn't matched.

Rendered example of route not matched 404 error:

if proxyVersion is returned:

if proxyVersion is not returned:

kimlisa · 2024-12-20T07:24:51Z

~~we do set version with app hash as a etag on the response headers for app.js, but I wasn't sure how to actually extract that, so I opted for a simpler meta tag that just stores the version instead~~

zmb3 · 2024-12-23T16:37:09Z

I'm not sure pulling the version from the HTML document makes sense here.

If a user runs into this error, it's because they have a newer web UI that knows how to use the new V2 endpoint with labels, but they ended up hitting an older proxy that doesn't know how to handle the request.

If you show them the version from the HTML document, you're going to show them the newer web UI version, which is actually new enough.

If we want this error message to make sense, we need to show the version of the proxy that is too old. (This means we probably need the backend to surface this information)

kimlisa · 2025-01-02T18:50:37Z

 func NewWebClient(url string, opts ...roundtrip.ClientParam) (*WebClient, error) {
 	opts = append(opts, roundtrip.SanitizerEnabled(true))
-	clt, err := roundtrip.NewClient(url, teleport.WebAPIVersion, opts...)
+	clt, err := roundtrip.NewClient(url, "", opts...)


The version parameter refers to this field, and from what i can tell, its only purpose is to just append the version prefix when calling this function (which we use a lot in our tests, and in auth here)

I didn't think it was necessary to define the version, since we are just going to strip it off anyways, and it wouldn't work with v2 endpoints

If we are sure that we wont be using the version anymore, I think creating a v2 roundtrip.NewClientV2 function and then deprecating current one would be better here.

hrm, i could, but I am not sure I see a benefit of keeping the deprecated one?

The benefit of introducing v2 is that you wont have to refactor existing usage of roundtrip.NewClient in this PR.

Edit: I am not aware about current usage of roundtrip.NewClient so you might actually get away with that change without introducing v2 in this PR if that will be minimal, up to you.

flyinghermit · 2025-01-07T14:49:34Z

 	}

-	clt, err := roundtrip.NewClient(proxyAddr.String(), teleport.WebAPIVersion, opts...)
+	clt, err := roundtrip.NewClient(proxyAddr.String(), "", opts...)


Umm based on discussion here #50472 (comment), I thought we are going to either add a roundtrip.NewClientV2 or update its current signature since we no longer use version field?

recording slack discussion: agreed to not change signature since using client.go/NewWebClient introduced cyclic imports in tests, instead put comment explaining why version is empty

flyinghermit · 2025-01-07T15:07:58Z

+				require.True(t, trace.IsNotFound(err))
+
+				var rawObjMap map[string]*json.RawMessage
+				require.NoError(t, json.Unmarshal(re.Bytes(), &rawObjMap))


nit: unmarshal it once, check for error and then reuse the unmarshalled object in test below in line 3519, 3523.

i think this is what you meant below, and then access the fields?

var traceErr trace.TraceError require.NoError(t, json.Unmarshal(re.Bytes(), &traceErr))

if so, I couldn't do it this way because the returned JSON error didn't conform exactly to TraceError type (I ran into errors unmarshaling), so I had to manually unmarshal per field I wanted to test

flyinghermit · 2025-01-07T20:38:15Z


 // NewDebugFileSystem returns the HTTP file system implementation
-func newDebugFileSystem() (http.FileSystem, error) {
+func NewDebugFileSystem(isEnterprise bool) (http.FileSystem, error) {


Does it need to be exported?

i forgot to push the branch that required this change in enterprise: https://github.com/gravitational/teleport.e/pull/5818, i added a enterprise not found handler test there (just in case...)

flyinghermit · 2025-01-07T20:51:19Z

+		Allow: types.RoleConditions{
+			Rules: []types.Rule{
+				types.NewRule(types.KindToken,
+					[]string{types.VerbCreate, types.VerbRead}),


is types.VerbRead needed? comment above only says "Allow user to create tokens."

public-teleport-github-review-bot · 2025-01-09T20:20:49Z

@kimlisa See the table below for backport results.

Branch	Result
branch/v16	Failed
branch/v17	Create PR

* Create v2 web api endpoints and required related changes (#50472) * Pass join token suggestedLabels to app server labels during install.sh (#50720) * Allow adding app server labels from join token for install.sh * Address CRs * Reduce label yaml space, improve test * Set user provided labels for aws app access create (#50975) * Fix undefined slog

…al#50472)

github-actions Bot added size/md ui labels Dec 20, 2024

github-actions Bot requested review from avatus and gzdunek December 20, 2024 07:17

kimlisa requested review from flyinghermit and removed request for avatus December 20, 2024 07:17

kimlisa changed the title ~~Lisa/add v2 endpoint~~ Add webapi v2 endpoints for creating discovery token and enrolling eks with labels Dec 20, 2024

kimlisa added the backport/branch/v17 label Dec 20, 2024

kimlisa force-pushed the lisa/add-v2-endpoint branch from b51dded to 0a6aebc Compare December 20, 2024 07:21

kimlisa requested a review from marcoandredinis December 20, 2024 07:26

tigrato reviewed Dec 20, 2024

View reviewed changes

Comment thread lib/web/apiserver.go

gzdunek reviewed Dec 23, 2024

View reviewed changes

Comment thread web/packages/teleport/src/services/webUiVersion/webUiVersion.ts Outdated

Comment thread web/packages/teleport/src/services/webUiVersion/webUiVersion.ts Outdated

Comment thread web/packages/teleport/src/services/webUiVersion/webUiVersion.ts Outdated

zmb3 reviewed Dec 23, 2024

View reviewed changes

Comment thread web/packages/teleport/src/services/webUiVersion/webUiVersion.ts Outdated

kimlisa force-pushed the lisa/add-v2-endpoint branch from 4db33f1 to 15a7e75 Compare December 30, 2024 07:57

kimlisa mentioned this pull request Dec 30, 2024

WebDiscover: allow custom labels for single resource enroll (server, kube, eks, rds) #50606

Merged

5 tasks

kimlisa force-pushed the lisa/add-v2-endpoint branch from 15a7e75 to 0729ad9 Compare December 31, 2024 22:57

kimlisa added backport/branch/v16 no-changelog Indicates that a PR does not require a changelog entry labels Dec 31, 2024

kimlisa marked this pull request as draft December 31, 2024 23:33

kimlisa force-pushed the lisa/add-v2-endpoint branch 4 times, most recently from 410b710 to 538b042 Compare January 2, 2025 18:41

kimlisa commented Jan 2, 2025

View reviewed changes

Comment thread lib/web/apiserver.go Outdated

kimlisa commented Jan 2, 2025

View reviewed changes

kimlisa force-pushed the lisa/add-v2-endpoint branch from 538b042 to c6d7694 Compare January 2, 2025 18:58

kimlisa marked this pull request as ready for review January 2, 2025 19:20

github-actions Bot requested a review from ryanclark January 2, 2025 19:21

kimlisa force-pushed the lisa/add-v2-endpoint branch from fb39fee to bc43b78 Compare January 7, 2025 09:08

kimlisa requested a review from flyinghermit January 7, 2025 09:11

flyinghermit reviewed Jan 7, 2025

View reviewed changes

kimlisa force-pushed the lisa/add-v2-endpoint branch from 98edc7c to 9ec4fbd Compare January 7, 2025 20:07

kimlisa requested a review from flyinghermit January 7, 2025 20:07

kimlisa force-pushed the lisa/add-v2-endpoint branch from 9ec4fbd to 3f04271 Compare January 7, 2025 20:36

flyinghermit approved these changes Jan 7, 2025

View reviewed changes

public-teleport-github-review-bot Bot removed the request for review from ryanclark January 7, 2025 20:58

kimlisa force-pushed the lisa/add-v2-endpoint branch 2 times, most recently from 852387b to 7518029 Compare January 9, 2025 18:34

kimlisa enabled auto-merge January 9, 2025 18:34

kimlisa disabled auto-merge January 9, 2025 18:36

Create v2 web api endpoints and required related changes

ef0eb7c

kimlisa force-pushed the lisa/add-v2-endpoint branch from 7518029 to ef0eb7c Compare January 9, 2025 19:16

kimlisa enabled auto-merge January 9, 2025 19:17

kimlisa added this pull request to the merge queue Jan 9, 2025

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jan 9, 2025

kimlisa added this pull request to the merge queue Jan 9, 2025

Merged via the queue into master with commit d5409cb Jan 9, 2025

kimlisa deleted the lisa/add-v2-endpoint branch January 9, 2025 20:19

kimlisa mentioned this pull request Jan 9, 2025

Fix enterprise webassets path for testing #50927

Merged

kimlisa added a commit that referenced this pull request Jan 14, 2025

Create v2 web api endpoints and required related changes (#50472)

de5edda

kimlisa mentioned this pull request Jan 14, 2025

[v17] v2 webapi endpoints related to discover resource labels #51037

Merged

kimlisa added a commit that referenced this pull request Jan 15, 2025

Create v2 web api endpoints and required related changes (#50472)

4b07b5a

kimlisa mentioned this pull request Jan 22, 2025

Fixes unhandled v1 prefixed 'web/config.js' path #51364

Merged

carloscastrojumo pushed a commit to carloscastrojumo/teleport that referenced this pull request Feb 19, 2025

Create v2 web api endpoints and required related changes (gravitation…

19a4e50

…al#50472)

Conversation

kimlisa commented Dec 20, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kimlisa commented Dec 20, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

zmb3 commented Dec 23, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

kimlisa Jan 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

flyinghermit Jan 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

public-teleport-github-review-bot Bot commented Jan 9, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

kimlisa commented Dec 20, 2024 •

edited

Loading

kimlisa commented Dec 20, 2024 •

edited

Loading

zmb3 commented Dec 23, 2024 •

edited

Loading

kimlisa Jan 2, 2025 •

edited

Loading

flyinghermit Jan 7, 2025 •

edited

Loading