Skip to content

Fix condition that guards conversion of gateway into kube gateway#58032

Merged
gzdunek merged 1 commit intomasterfrom
gzdunek/do-not-clear-certs-for-non-kube-gateways
Aug 20, 2025
Merged

Fix condition that guards conversion of gateway into kube gateway#58032
gzdunek merged 1 commit intomasterfrom
gzdunek/do-not-clear-certs-for-non-kube-gateways

Conversation

@gzdunek
Copy link
Copy Markdown
Contributor

@gzdunek gzdunek commented Aug 19, 2025

In #54410 the condition

if !(targetURI.IsKube() && targetURI.GetRootClusterURI() == cluster.URI) {

has been changed to

if !targetURI.IsKube() && targetURI.GetRootClusterURI() != cluster.URI {

It unfortunately has a different meaning - if the target is not a kube URI but still belongs to the current cluster, the new condition would not return early, whereas the original condition would.

changelog: Fixed a Teleport Connect crash that occurred when assuming an access request while an application or database connection was active

ravicious
ravicious approved these changes Aug 19, 2025
View reviewed changes
Comment thread lib/teleterm/daemon/daemon.go
kubeGw, err := gateway.AsKube(gw)
if err != nil {
s.cfg.Logger.ErrorContext(ctx, "Could not clear certs for kube when assuming request", "error", err, "target_uri", targetURI)
return trace.Wrap(err)
Copy link
Copy Markdown
Member

@ravicious ravicious Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why change the semantics here though?

Copy link
Copy Markdown
Contributor Author

@gzdunek gzdunek Aug 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. We forgot to stop execution if the error is not nil, instead we log and still call the method which causes panic.
  2. If this error happens, it's not really a problem with clearing certs, but rather with converting one type to another which should not happen. It means a more serious issue, so I think we should surface it to the user.

Copy link
Copy Markdown
Member

@ravicious ravicious Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, that makes total sense.

@gzdunek gzdunek added this pull request to the merge queue Aug 20, 2025
@ravicious ravicious mentioned this pull request Aug 20, 2025
Closed
Merged via the queue into master with commit 3726a49 Aug 20, 2025
45 checks passed
@gzdunek gzdunek deleted the gzdunek/do-not-clear-certs-for-non-kube-gateways branch August 20, 2025 09:04
@backport-bot-workflows
Copy link
Copy Markdown
Contributor

backport-bot-workflows bot commented Aug 20, 2025

@gzdunek See the table below for backport results.

Branch Result
branch/v16 Failed
branch/v17 Failed
branch/v18 Create PR

gzdunek added a commit that referenced this pull request Aug 20, 2025
@gzdunek
Fix condition that guards conversion of gateway into kube gateway (#5…
424a048 
…8032)

(cherry picked from commit 3726a49)
gzdunek added a commit that referenced this pull request Aug 20, 2025
@gzdunek
Fix condition that guards conversion of gateway into kube gateway (#5…
bc9a985 
…8032)

(cherry picked from commit 3726a49)
This was referenced Aug 20, 2025
Merged
Merged
Merged
github-merge-queue bot pushed a commit that referenced this pull request Aug 20, 2025
@gzdunek
Fix condition that guards conversion of gateway into kube gateway (#5…
0365646 
…8032) (#58111)

(cherry picked from commit 3726a49)
github-merge-queue bot pushed a commit that referenced this pull request Aug 20, 2025
@gzdunek
Fix condition that guards conversion of gateway into kube gateway (#5…
bfe24c8 
…8032) (#58110)

(cherry picked from commit 3726a49)
mmcallister pushed a commit that referenced this pull request Sep 22, 2025
@gzdunek @mmcallister
Fix condition that guards conversion of gateway into kube gateway (#5…
46cb621 
…8032)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ravicious ravicious ravicious approved these changes

@taraspos taraspos taraspos approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees

@gzdunek gzdunek

Labels

backport/branch/v17 backport/branch/v18 size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gzdunek @ravicious @taraspos @rosstimothy