
MWI: Warn when including Root CA in issuer override chain #57146

Merged: strideynet merged 3 commits into master from strideynet/tctl-check-root-ca on Jul 25, 2025

Conversation

@strideynet (Contributor) commented Jul 24, 2025

Closes #57136

Additionally, adds a --dry-run mode that outputs the resource that would have been created, without actually creating it.

changelog: tctl will now warn the user when importing a SPIFFE issuer override chain that contains the root CA

Review threads on tool/tctl/common/workload_identity_command.go (one marked outdated)
@espadolini espadolini left a comment

Should we also warn if the chain isn't made of issuer-issuee pairs?

Further review threads on tool/tctl/common/workload_identity_command.go (two marked outdated)
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
@strideynet (Contributor, Author) replied:

Should we also warn if the chain isn't made of issuer-issuee pairs?

I'll leave that out of scope for now since I think that's a less likely "mistake" to be made - if we see more uptake of the feature we can probably think about adding a more comprehensive suite of "checks".
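The following is an added example, not code from this PR or from tctl, showing the two checks discussed in this thread over a constructed chain: the self-signed root CA warning this PR introduces, and the issuer/issuee pairing check raised in review and left out of scope. The function names (chainWarnings, caTemplate, issue, buildPKI) and the three CA names are assumptions for the example; the certificates are generated in-process so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chainWarnings inspects an issuer override chain ordered from the issuing CA
// up towards (but not including) the root. It warns rather than fails.
func chainWarnings(chain []*x509.Certificate) []string {
	var warnings []string
	for i, cert := range chain {
		// A CA whose issuer equals its subject and whose signature verifies
		// with its own key is a root; roots belong in the trust bundle, not here.
		if cert.IsCA && bytes.Equal(cert.RawSubject, cert.RawIssuer) && cert.CheckSignatureFrom(cert) == nil {
			warnings = append(warnings, fmt.Sprintf(
				"certificate %d (%q) is a self-signed root CA and does not belong in the chain",
				i, cert.Subject.CommonName))
		}
		// Every certificate must be signed by the next one in the chain.
		if i+1 < len(chain) {
			next := chain[i+1]
			if err := cert.CheckSignatureFrom(next); err != nil {
				warnings = append(warnings, fmt.Sprintf(
					"certificate %d (%q) is not signed by certificate %d (%q): %v",
					i, cert.Subject.CommonName, i+1, next.Subject.CommonName, err))
			}
		}
	}
	return warnings
}

// caTemplate returns a CA certificate template (constructed for this example).
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs template under parent with parentKey; with a nil parent the
// certificate is self-signed with its own freshly generated key.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI constructs a three-tier external PKI: root -> intermediate ->
// issuer, where "issuer" is the CA that would sign workload SVIDs.
func buildPKI() (root, intermediate, issuer *x509.Certificate, err error) {
	root, rootKey, err := issue(caTemplate("Example Root CA", 1), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	intermediate, interKey, err := issue(caTemplate("Example Intermediate CA", 2), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	issuer, _, err = issue(caTemplate("Teleport SPIFFE Issuer", 3), intermediate, interKey)
	return root, intermediate, issuer, err
}

func main() {
	root, intermediate, issuer, err := buildPKI()
	if err != nil {
		panic(err)
	}
	// Correct import: issuer first, then intermediates, root left out.
	fmt.Println("issuer+intermediate:", chainWarnings([]*x509.Certificate{issuer, intermediate}))
	// Mistake this PR warns about: the root CA appended to the chain.
	fmt.Println("root included:", chainWarnings([]*x509.Certificate{issuer, intermediate, root}))
	// Mistake raised in review: adjacent certificates that are not an issuee/issuer pair.
	fmt.Println("misordered:", chainWarnings([]*x509.Certificate{intermediate, issuer}))
}
```

The pairing check is deliberately a warning, like the root check: an operator may have a reason to import an unusual chain, and a dry-run style preview plus a warning is less disruptive than a hard failure while the feature is new.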

@strideynet strideynet added this pull request to the merge queue Jul 25, 2025
Merged via the queue into master with commit 2e3e7d7 Jul 25, 2025
40 checks passed
@strideynet strideynet deleted the strideynet/tctl-check-root-ca branch July 25, 2025 12:21
@backport-bot-workflows (Contributor)

@strideynet See the table below for backport results.

Branch Result
branch/v17 Create PR
branch/v18 Create PR


Linked issue closed by this PR: MWI: External PKI tctl command should warn if Root CA is included in chain

3 participants