Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add webapi v2 endpoints for creating discovery token and enrolling eks with labels #50472

Merged
merged 1 commit into from
Jan 9, 2025

Conversation

kimlisa
Copy link
Contributor

@kimlisa kimlisa commented Dec 20, 2024

part of #46976

  • The endpoint for creating a token for discovery flow now allows user defined labels to be set as part of suggested_labels (this PR)
  • The endpoint for enrolling eks clusters recently added ability to add user defined labels as extraLabels (Discover EKS: allow custom labels for Kube Server #49420)

Both scenarios if a user tries to create token/resource and provides labels, if requests goes to an older proxy, it'll look like the request succeeded but the labels will not have been set. So this PR defines v2 endpoints, so that if request goes to an older proxy, a 404 error will return, which we will assume it's because of version mismatch.

This PR also returns the version number of proxy when a route wasn't matched.

Rendered example of route not matched 404 error:

if proxyVersion is returned:

image

if proxyVersion is not returned:

image

@github-actions github-actions bot requested review from avatus and gzdunek December 20, 2024 07:17
@kimlisa kimlisa requested review from flyinghermit and removed request for avatus December 20, 2024 07:17
@kimlisa kimlisa changed the title Lisa/add v2 endpoint Add webapi v2 endpoints for creating discovery token and enrolling eks with labels Dec 20, 2024
@kimlisa kimlisa force-pushed the lisa/add-v2-endpoint branch from b51dded to 0a6aebc Compare December 20, 2024 07:21
@kimlisa
Copy link
Contributor Author

kimlisa commented Dec 20, 2024

we do set version with app hash as a etag on the response headers for app.js, but I wasn't sure how to actually extract that, so I opted for a simpler meta tag that just stores the version instead

@zmb3
Copy link
Collaborator

zmb3 commented Dec 23, 2024

I'm not sure pulling the version from the HTML document makes sense here.

If a user runs into this error, it's because they have a newer web UI that knows how to use the new V2 endpoint with labels, but they ended up hitting an older proxy that doesn't know how to handle the request.

If you show them the version from the HTML document, you're going to show them the newer web UI version, which is actually new enough.

If we want this error message to make sense, we need to show the version of the proxy that is too old. (This means we probably need the backend to surface this information)

@kimlisa kimlisa force-pushed the lisa/add-v2-endpoint branch from 4db33f1 to 15a7e75 Compare December 30, 2024 07:57
@kimlisa kimlisa force-pushed the lisa/add-v2-endpoint branch from 15a7e75 to 0729ad9 Compare December 31, 2024 22:57
@kimlisa kimlisa added backport/branch/v16 no-changelog Indicates that a PR does not require a changelog entry labels Dec 31, 2024
@kimlisa kimlisa marked this pull request as draft December 31, 2024 23:33
@kimlisa kimlisa force-pushed the lisa/add-v2-endpoint branch 4 times, most recently from 410b710 to 538b042 Compare January 2, 2025 18:41
lib/web/apiserver.go Outdated Show resolved Hide resolved
@@ -62,7 +61,7 @@ func httpTransport(insecure bool, pool *x509.CertPool) *http.Transport {

func NewWebClient(url string, opts ...roundtrip.ClientParam) (*WebClient, error) {
opts = append(opts, roundtrip.SanitizerEnabled(true))
clt, err := roundtrip.NewClient(url, teleport.WebAPIVersion, opts...)
clt, err := roundtrip.NewClient(url, "", opts...)
Copy link
Contributor Author

@kimlisa kimlisa Jan 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The version parameter refers to this field, and from what i can tell, its only purpose is to just append the version prefix when calling this function (which we use a lot in our tests, and in auth here)

I didn't think it was necessary to define the version, since we are just going to strip it off anyways, and it wouldn't work with v2 endpoints

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are sure that we wont be using the version anymore, I think creating a v2 roundtrip.NewClientV2 function and then deprecating current one would be better here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hrm, i could, but I am not sure I see a benefit of keeping the deprecated one?

Copy link
Contributor

@flyinghermit flyinghermit Jan 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The benefit of introducing v2 is that you wont have to refactor existing usage of roundtrip.NewClient in this PR.

Edit: I am not aware about current usage of roundtrip.NewClient so you might actually get away with that change without introducing v2 in this PR if that will be minimal, up to you.

@kimlisa kimlisa force-pushed the lisa/add-v2-endpoint branch from 538b042 to c6d7694 Compare January 2, 2025 18:58
@kimlisa kimlisa marked this pull request as ready for review January 2, 2025 19:20
@github-actions github-actions bot requested a review from ryanclark January 2, 2025 19:21
lib/client/https_client.go Outdated Show resolved Hide resolved
@@ -62,7 +61,7 @@ func httpTransport(insecure bool, pool *x509.CertPool) *http.Transport {

func NewWebClient(url string, opts ...roundtrip.ClientParam) (*WebClient, error) {
opts = append(opts, roundtrip.SanitizerEnabled(true))
clt, err := roundtrip.NewClient(url, teleport.WebAPIVersion, opts...)
clt, err := roundtrip.NewClient(url, "", opts...)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are sure that we wont be using the version anymore, I think creating a v2 roundtrip.NewClientV2 function and then deprecating current one would be better here.

lib/httplib/httplib.go Outdated Show resolved Hide resolved
lib/httplib/httplib.go Outdated Show resolved Hide resolved
h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/enrolleksclusters", h.WithClusterAuth(h.awsOIDCEnrollEKSClusters))
h.POST("/v2/webapi/sites/:site/integrations/aws-oidc/:name/enrolleksclusters", h.WithClusterAuth(h.awsOIDCEnrollEKSClusters))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: from endpoint organization perspective - Instead of mixing v1 and v2 endpoints here, what do you think of creating v2 endpoint method func (h *Handler) bindV2Endpoints() {}? See https://github.com/gravitational/teleport/blob/master/lib/web/apiserver.go#L758 for current bindDefaultEndpoints method for reference.

I do not have a strong preference either way but feel like separation will make it more cleaner as number of v2 grows.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'll leave it as is, b/c we tend to group similar endpoints together and i think the binding method will separate them

lib/web/apiserver.go Outdated Show resolved Hide resolved
@kimlisa kimlisa force-pushed the lisa/add-v2-endpoint branch from fb39fee to bc43b78 Compare January 7, 2025 09:08
@kimlisa kimlisa requested a review from flyinghermit January 7, 2025 09:11
lib/httplib/httplib.go Outdated Show resolved Hide resolved
lib/httplib/httplib.go Outdated Show resolved Hide resolved
@@ -679,7 +679,7 @@ func (a *Server) sendValidateRequestToProxy(ctx context.Context, host string, va
opts = append(opts, roundtrip.HTTPClient(insecureWebClient))
}

clt, err := roundtrip.NewClient(proxyAddr.String(), teleport.WebAPIVersion, opts...)
clt, err := roundtrip.NewClient(proxyAddr.String(), "", opts...)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Umm based on discussion here #50472 (comment), I thought we are going to either add a roundtrip.NewClientV2 or update its current signature since we no longer use version field?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

recording slack discussion: agreed to not change signature since using client.go/NewWebClient introduced cyclic imports in tests, instead put comment explaining why version is empty

lib/httplib/httplib.go Outdated Show resolved Hide resolved
lib/web/apiserver.go Outdated Show resolved Hide resolved
lib/web/apiserver.go Outdated Show resolved Hide resolved
lib/web/apiserver.go Show resolved Hide resolved
require.True(t, trace.IsNotFound(err))

var rawObjMap map[string]*json.RawMessage
require.NoError(t, json.Unmarshal(re.Bytes(), &rawObjMap))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: unmarshal it once, check for error and then reuse the unmarshalled object in test below in line 3519, 3523.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think this is what you meant below, and then access the fields?

var traceErr trace.TraceError
require.NoError(t, json.Unmarshal(re.Bytes(), &traceErr))

if so, I couldn't do it this way because the returned JSON error didn't conform exactly to TraceError type (I ran into errors unmarshaling), so I had to manually unmarshal per field I wanted to test

lib/web/apiserver_test.go Outdated Show resolved Hide resolved
@kimlisa kimlisa force-pushed the lisa/add-v2-endpoint branch from 98edc7c to 9ec4fbd Compare January 7, 2025 20:07
@kimlisa kimlisa requested a review from flyinghermit January 7, 2025 20:07
@kimlisa kimlisa force-pushed the lisa/add-v2-endpoint branch from 9ec4fbd to 3f04271 Compare January 7, 2025 20:36
lib/web/apiserver.go Outdated Show resolved Hide resolved
@@ -29,10 +29,14 @@ import (
)

// NewDebugFileSystem returns the HTTP file system implementation
func newDebugFileSystem() (http.FileSystem, error) {
func NewDebugFileSystem(isEnterprise bool) (http.FileSystem, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it need to be exported?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i forgot to push the branch that required this change in enterprise: https://github.com/gravitational/teleport.e/pull/5818, i added a enterprise not found handler test there (just in case...)

Allow: types.RoleConditions{
Rules: []types.Rule{
types.NewRule(types.KindToken,
[]string{types.VerbCreate, types.VerbRead}),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is types.VerbRead needed? comment above only says "Allow user to create tokens."

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from ryanclark January 7, 2025 20:58
@kimlisa kimlisa force-pushed the lisa/add-v2-endpoint branch 2 times, most recently from 852387b to 7518029 Compare January 9, 2025 18:34
@kimlisa kimlisa enabled auto-merge January 9, 2025 18:34
@kimlisa kimlisa disabled auto-merge January 9, 2025 18:36
@kimlisa kimlisa force-pushed the lisa/add-v2-endpoint branch from 7518029 to ef0eb7c Compare January 9, 2025 19:16
@kimlisa kimlisa enabled auto-merge January 9, 2025 19:17
@kimlisa kimlisa added this pull request to the merge queue Jan 9, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 9, 2025
@kimlisa kimlisa added this pull request to the merge queue Jan 9, 2025
Merged via the queue into master with commit d5409cb Jan 9, 2025
45 checks passed
@kimlisa kimlisa deleted the lisa/add-v2-endpoint branch January 9, 2025 20:19
@public-teleport-github-review-bot

@kimlisa See the table below for backport results.

Branch Result
branch/v16 Failed
branch/v17 Create PR

github-merge-queue bot pushed a commit that referenced this pull request Jan 15, 2025
* Create v2 web api endpoints and required related changes (#50472)

* Pass join token suggestedLabels to app server labels during install.sh (#50720)

* Allow adding app server labels from join token for install.sh

* Address CRs

* Reduce label yaml space, improve test

* Set user provided labels for aws app access create (#50975)

* Fix undefined slog
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport/branch/v16 backport/branch/v17 no-changelog Indicates that a PR does not require a changelog entry size/md ui
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants