Validate trusted_cluster name #49169
Conversation
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
|
This is a strongly breaking change as we had no such limitation in the past. Most of our users TC resources are created with names not matching the trusted cluster name. I don't think we can pull this one without bumping the trusted cluster resource version. This would cause a lot of toil on both users and customer support. Have you considered other alternatives that will not break everyone's IaC? Else we can just create a new TC version with the sanity check you added. |
| // TODO(klizhentas) in 2.5.0 prohibit adding trusted cluster resource name | ||
| // different from cluster name (we had no way of checking this before x509, | ||
| // because SSH CA was a public key, not a cert with metadata) |
There was a problem hiding this comment.
Also, congrats for addressing a TODO from Sasha in v2 😅
|
paging @espadolini for the trusted cluster expertise |
|
Validating the name seemed like the simplest approach to addressing the issue, but breaking existing automation is definitely the big concern. I'll explore some alternate solutions. |
If we introduce a new resource version and run the validation only if I explored storing both the resource name and the remote cluster name in different fields, but this might also pose challenges:
|
|
Is there any automation that doesn't break horribly when a created resource gets renamed under its nose? |
Sadly, terraform can import back state. Also if you just |
|
I wouldn't be against just breaking compatibility for this, even without a (meaningless) resource version bump - but we'd only get to do that on a major version change, so it'd have to be v18-only - are we ok with that? |
|
What is the rationale behind the renaming anyway? Maybe we can/should drop that behaviour instead? |
I disagree on the version bump being meaningless: resource versions are not only here to tell us how the manifest should be parsed. We also use them to protect users against breaking changes and ensure deterministic behaviour when applying manifests. We've been doing this semi-successfully for roles to avoid breaking existing manifests. Adding a new resource version costs us close to nothing and makes the breaking change visible to the user. This allows us to backport the new behaviour to any supported Teleport version, and we can still deprecate and remove the old renaming version in v18 or v19 if we want.
Naming TC resources after the TC cluster name allows us to lookup the TC resource by:
Not naming the TC resource like the cluster name would require us to iterate over every trusted cluster each time to know if a cert is trusted (or build an in-memory map) and keep track of the cluster name anyway to know which CA might haver signed this. Also, if we were to remove the renaming logic, users who wrote TC manifests whose name don't match the cluster name will create new TCs when applying again their manifest, instead of editing the current one. |
|
Thanks for the additional insight! It sounds like introducing a v3 resource version with name validation is the more reasonable approach. I'll update the PR with the additional changes. |
|
Superseded by #49789 |
Closes #48309
Teleport now prevents the creation of a
trusted_clusterresource if the name does not match the cluster name. Users will be shown the following error message if they attempt to create ateleport_clusterwith an invalid cluster name:changelog: The trusted_cluster resource name must now match the cluster name on creation