
Backport: client: set TLS certificate usage for k8s/app/db certs #6859

Merged
merged 2 commits into from
May 13, 2021

Conversation

awly
Contributor

@awly awly commented May 13, 2021

Backport of #6824 into v6

* client: set TLS certificate usage for k8s/app/db certs

--- TLS usage field

The certificate usage field prevents a certificate from being used for
other purposes. For example, a k8s-specific certificate will not be
accepted by a database service endpoint.

Server-side enforcement logic was already in place for a long time, but
we stopped setting the correct Usage in UserCertRequest during keystore
refactoring in 5.0 (with introduction of k8s certs).

--- TLS certificate overwrite

As part of this, client.ReissueUserCerts will no longer write
usage-restricted certificates into the top-level TLS certificate used
for Teleport API authentication.

For example, when generating a k8s-specific certificate, we used to
overwrite both:
- `~/.tsh/keys/$proxy/$user-x509.pem`
- `~/.tsh/keys/$proxy/$user-kube/$cluster/$kubeCluster-x509.pem`
This PR stops overwriting `~/.tsh/keys/$proxy/$user-x509.pem`.
This is not a breaking change.

--- Selected k8s cluster

Prior to this PR, `tsh status` printed the selected k8s cluster based on
the top-level TLS certificate. Since we no longer overwrite that
certificate, it will not contain a k8s cluster name.

Instead, we extract it from the kubeconfig, which is actually more
accurate since a user could switch to a different context out-of-band.

* Document UserCertRequest CertUsage enum values
Database service doesn't fully support the cert usage restrictions yet,
so we need an unrestricted cert again.
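The usage restriction the description relies on, as an added Go example (not Teleport's own code): a usage value is stamped into an X.509 extension at issuance and a server-side gate rejects a restricted certificate at any other service's endpoint. The extension OID, the ASN.1 string encoding of the usage value and the endpoint names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OID carrying the usage value; Teleport's real OID is not on the page.
var usageOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// IssueCert self-signs a DER cert; usage ("kube", "app", "db", or "" for unrestricted) models the UserCertRequest enum.
func IssueCert(usage string) ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if usage != "" {
		val, _ := asn1.Marshal(usage) // marshalling a plain ASCII string cannot fail
		tmpl.ExtraExtensions = []pkix.Extension{{Id: usageOID, Value: val}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
}
// CheckUsage is the server-side gate: a restricted cert passes only at its own service; no extension means unrestricted.
func CheckUsage(der []byte, endpoint string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(usageOID) {
			continue
		}
		var usage string
		if _, err := asn1.Unmarshal(ext.Value, &usage); err != nil {
			return fmt.Errorf("malformed usage extension: %w", err)
		}
		if usage != endpoint {
			return fmt.Errorf("cert restricted to %q, rejected by %q endpoint", usage, endpoint)
		}
	}
	return nil
}
```

A k8s-restricted cert is therefore refused by the db endpoint, while the unrestricted cert the second commit reinstates for the database service is accepted everywhere.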
@awly
Contributor Author

awly commented May 13, 2021

Cherry-picked #6860 too

@awly awly merged commit 9fdd9ca into branch/v6 May 13, 2021
@awly awly deleted the andrew/v6/tls-cert-usage branch May 13, 2021 22:34