Add webapi v2 endpoints for creating discovery token and enrolling eks with labels #50472
web/packages/teleport/src/services/webUiVersion/webUiVersion.ts
I'm not sure pulling the version from the HTML document makes sense here. If a user runs into this error, it's because they have a newer web UI that knows how to use the new V2 endpoint with labels, but they ended up hitting an older proxy that doesn't know how to handle the request. If you show them the version from the HTML document, you're going to show them the newer web UI version, which is actually new enough. If we want this error message to make sense, we need to show the version of the proxy that is too old. (This means we probably need the backend to surface this information.)
lib/client/https_client.go
@@ -62,7 +61,7 @@ func httpTransport(insecure bool, pool *x509.CertPool) *http.Transport { | |||
|
|||
func NewWebClient(url string, opts ...roundtrip.ClientParam) (*WebClient, error) { | |||
opts = append(opts, roundtrip.SanitizerEnabled(true)) | |||
clt, err := roundtrip.NewClient(url, teleport.WebAPIVersion, opts...) | |||
clt, err := roundtrip.NewClient(url, "", opts...) |
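Review bot: the last line swaps teleport.WebAPIVersion for an empty version string without a comment saying why, so every caller of NewWebClient now has to build paths that already carry their own version prefix; add a comment on that line (or in NewWebClient's doc comment) stating that the prefix is left empty so one client can reach both /webapi and /v2/webapi routes.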
The version parameter refers to this field, and from what I can tell, its only purpose is to append the version prefix when calling this function (which we use a lot in our tests, and in auth here).
I didn't think it was necessary to define the version, since we are just going to strip it off anyway, and it wouldn't work with v2 endpoints.
If we are sure that we won't be using the version anymore, I think creating a v2 roundtrip.NewClientV2 function and then deprecating the current one would be better here.
Hrm, I could, but I am not sure I see a benefit of keeping the deprecated one?
The benefit of introducing v2 is that you won't have to refactor existing usage of roundtrip.NewClient in this PR.
Edit: I am not aware of the current usage of roundtrip.NewClient, so you might actually get away with that change without introducing v2 in this PR if it will be minimal, up to you.
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/enrolleksclusters", h.WithClusterAuth(h.awsOIDCEnrollEKSClusters)) | ||
h.POST("/v2/webapi/sites/:site/integrations/aws-oidc/:name/enrolleksclusters", h.WithClusterAuth(h.awsOIDCEnrollEKSClusters)) |
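Review bot: the v1 and v2 routes are bound to the same h.awsOIDCEnrollEKSClusters handler with nothing recording why two routes exist; a one-line comment above the v2 registration noting that the v2 path is what lets a newer web UI detect an older proxy (a 404 instead of a silently ignored labels field) would spare the next reader a trip to the PR description.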
nit: from an endpoint organization perspective, instead of mixing v1 and v2 endpoints here, what do you think of creating a v2 endpoint method func (h *Handler) bindV2Endpoints() {}? See https://github.com/gravitational/teleport/blob/master/lib/web/apiserver.go#L758 for the current bindDefaultEndpoints method for reference.
I do not have a strong preference either way, but I feel like the separation will make it cleaner as the number of v2 endpoints grows.
I'll leave it as is, b/c we tend to group similar endpoints together and I think the binding method will separate them.
lib/auth/trustedcluster.go
@@ -679,7 +679,7 @@ func (a *Server) sendValidateRequestToProxy(ctx context.Context, host string, va | |||
opts = append(opts, roundtrip.HTTPClient(insecureWebClient)) | |||
} | |||
|
|||
clt, err := roundtrip.NewClient(proxyAddr.String(), teleport.WebAPIVersion, opts...) | |||
clt, err := roundtrip.NewClient(proxyAddr.String(), "", opts...) |
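Review bot: the empty version argument on the last line mirrors the change in lib/client/https_client.go but, like it, carries no explanation; per the resolution recorded later in this thread, put a comment directly above this call saying the version is intentionally empty and that the caller now supplies the full, already-versioned path.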
Umm, based on the discussion here #50472 (comment), I thought we were going to either add a roundtrip.NewClientV2 or update its current signature since we no longer use the version field?
Recording the Slack discussion: agreed not to change the signature, since using client.go/NewWebClient introduced cyclic imports in tests; instead, put a comment explaining why the version is empty.
lib/web/apiserver_test.go
require.True(t, trace.IsNotFound(err)) | ||
|
||
var rawObjMap map[string]*json.RawMessage | ||
require.NoError(t, json.Unmarshal(re.Bytes(), &rawObjMap)) |
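Review bot: unmarshalling re.Bytes() into map[string]*json.RawMessage forces a second json.Unmarshal for every field the test asserts on; a small test-local struct holding only the fields the assertions need, decoded once under require.NoError, removes that repetition and still sidesteps the TraceError shape mismatch raised later in this thread.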
nit: unmarshal it once, check for the error, and then reuse the unmarshalled object in the tests below at lines 3519 and 3523.
I think this is what you meant below, and then access the fields?
var traceErr trace.TraceError
require.NoError(t, json.Unmarshal(re.Bytes(), &traceErr))
If so, I couldn't do it this way because the returned JSON error didn't conform exactly to the TraceError type (I ran into errors unmarshaling), so I had to manually unmarshal each field I wanted to test.
@@ -29,10 +29,14 @@ import ( | |||
) | |||
|
|||
// NewDebugFileSystem returns the HTTP file system implementation | |||
func newDebugFileSystem() (http.FileSystem, error) { | |||
func NewDebugFileSystem(isEnterprise bool) (http.FileSystem, error) { |
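Review bot: the doc comment above the new signature still reads "NewDebugFileSystem returns the HTTP file system implementation" and says nothing about the added isEnterprise parameter; state what the function does differently when it is true, and since the function is now exported, mention that it is called from outside this package so the next reader does not re-ask the question raised below.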
Does it need to be exported?
I forgot to push the branch that required this change in enterprise: https://github.com/gravitational/teleport.e/pull/5818; I added an enterprise not-found handler test there (just in case...).
lib/web/apiserver_test.go
Allow: types.RoleConditions{ | ||
Rules: []types.Rule{ | ||
types.NewRule(types.KindToken, | ||
[]string{types.VerbCreate, types.VerbRead}), |
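Review bot: the rule grants types.VerbRead alongside types.VerbCreate on types.KindToken while the comment above it only mentions creating tokens; either drop VerbRead so the test role stays as narrow as the scenario needs, or extend the comment to say which assertion depends on read access.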
Is types.VerbRead needed? The comment above only says "Allow user to create tokens."
Part of #46976
- suggested_labels (this PR)
- extraLabels (Discover EKS: allow custom labels for Kube Server #49420)
In both scenarios, if a user tries to create a token/resource and provides labels, and the request goes to an older proxy, it'll look like the request succeeded but the labels will not have been set. So this PR defines v2 endpoints, so that if the request goes to an older proxy, a 404 error will be returned, which we will assume is because of a version mismatch. This PR also returns the version number of the proxy when a route wasn't matched.
Rendered example of route not matched 404 error:
if proxyVersion is returned: [screenshot not included in this extraction]
if proxyVersion is not returned: [screenshot not included in this extraction]
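The version-mismatch handling the description explains, as an added example that is not the PR's own code: a stand-in proxy built with net/http/httptest that either knows the v2 route or not, and a caller that turns an unmatched-route 404 into an actionable error. The route path, the request body and the proxyVersion JSON field name are assumptions, not Teleport's real schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
const v2Path = "/v2/webapi/sites/s/integrations/aws-oidc/n/enrolleksclusters"

// notFoundBody is the constructed 404 JSON; the field name is an assumption, not Teleport's schema.
type notFoundBody struct {
	ProxyVersion string `json:"proxyVersion,omitempty"`
}

// newProxy is a stand-in proxy: hasV2 says whether the v2 route exists, reportVersion whether the 404 for an unmatched route names the proxy version (the PR's two rendered cases).
func newProxy(version string, hasV2, reportVersion bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasV2 && r.URL.Path == v2Path {
			w.WriteHeader(http.StatusOK) // newer proxy: the labels in the body are applied
			return
		}
		var body notFoundBody
		if reportVersion {
			body.ProxyVersion = version
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusNotFound)
		_ = json.NewEncoder(w).Encode(body)
	}))
}

// enrollV2 posts labels to the v2 route; any 404 is treated as a version mismatch (an older proxy never matches the route) and the proxy version is named only when the body carries it.
func enrollV2(proxyURL string) error {
	resp, err := http.Post(proxyURL+v2Path, "application/json", strings.NewReader(`{"extraLabels":{"env":"prod"}}`))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusNotFound {
		return nil
	}
	var nf notFoundBody
	_ = json.NewDecoder(resp.Body).Decode(&nf)
	if nf.ProxyVersion == "" {
		return fmt.Errorf("v2 endpoint not found: the proxy is too old to set labels, upgrade it")
	}
	return fmt.Errorf("v2 endpoint not found: proxy version %s is too old to set labels, upgrade it", nf.ProxyVersion)
}
```

A v1-only proxy would have answered the same request with 200 and dropped the labels, which is exactly the silent failure the separate v2 path is meant to expose.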