Add webapi v2 endpoints for creating discovery token and enrolling eks with labels

[kimlisa]

part of #46976

• The endpoint for creating a token for discovery flow now allows user defined labels to be set as part of suggested_labels (this PR)
• The endpoint for enrolling eks clusters recently added ability to add user defined labels as extraLabels (Discover EKS: allow custom labels for Kube Server #49420)

Both scenarios if a user tries to create token/resource and provides labels, if requests goes to an older proxy, it'll look like the request succeeded but the labels will not have been set. So this PR defines v2 endpoints, so that if request goes to an older proxy, a 404 error will return, which we will assume it's because of version mismatch.

This PR also returns the version number of proxy when a route wasn't matched.

Rendered example of route not matched 404 error:

if proxyVersion is returned:

if proxyVersion is not returned:

[kimlisa]

we do set version with app hash as a etag on the response headers for app.js, but I wasn't sure how to actually extract that, so I opted for a simpler meta tag that just stores the version instead

[tigrato]

Not sure this will align well with our weird v1 auto prefix:

teleport/lib/web/apiserver.go

Lines 618 to 622 in c222030

	// request is going to the API?
	if strings.HasPrefix(r.URL.Path, apiPrefix) {
	http.StripPrefix(apiPrefix, h).ServeHTTP(w, r)
	return
	}

This /v2/ will make /v1/v2/webapi/token to work as well 😆

We need to fix the weird prefixing issue first

[tigrato]

One possible way is to inverse the handler.

Append the /v1/ to every single route h.*("/v1...".

 if strings.HasPrefix(r.URL.Path,"/webapi") { 
 	addPrefix(apiPrefix, h).ServeHTTP(w, r) 
 	return 
 } 


func addPrefix(prefix string, h Handler) Handler {
	if prefix == "" {
		return h
	}
	return http.HandlerFunc(func(w ResponseWriter, r *Request) {
		p := path.Join(prefix,r.URL.Path)
		rp := path.Join(prefix,r.URL.RawPath)
	
			r2 := new(Request)
			*r2 = *r
			r2.URL = new(url.URL)
			*r2.URL = *r.URL
			r2.URL.Path = p
			r2.URL.RawPath = rp
			h.ServeHTTP(w, r2)
		
	})
}

[kimlisa]

thanks for catching that, i completely overlooked this part

looks like @avatus already thought of that though in his RFD.

I'll apply his logic and test things out

[zmb3]

I'm not sure pulling the version from the HTML document makes sense here.

If a user runs into this error, it's because they have a newer web UI that knows how to use the new V2 endpoint with labels, but they ended up hitting an older proxy that doesn't know how to handle the request.

If you show them the version from the HTML document, you're going to show them the newer web UI version, which is actually new enough.

If we want this error message to make sense, we need to show the version of the proxy that is too old. (This means we probably need the backend to surface this information)

[kimlisa]

I ended up going with this approach to keep the old behavior the same. I could've done something stricter where regex is like ^/v(\d+)/(webapi|enterprise|scripts|.well-known|workload-identity) but once you introduce another non-prefix leading path, you have to remember to update this regex.

For cases where route is double prefixed like this /v1/v2/webapi, I do another regex match on the path after the first prefix to prevent that.

I couldn't see other issues with this approach but let me know.

[kimlisa]

The version parameter refers to this field, and from what i can tell, its only purpose is to just append the version prefix when calling this function (which we use a lot in our tests, and in auth here)

I didn't think it was necessary to define the version, since we are just going to strip it off anyways, and it wouldn't work with v2 endpoints

[gzdunek]

This won't return null but undefined.

Suggested change

	export function parseProxyVersion(json): ProxyVersion | null {
	export function parseProxyVersion(json): ProxyVersion | undefined {

[gzdunek]

This is a leftover, right?

[gzdunek]

Having proxyVersion will be probably useful in the future, but for this particular feature we won't be able to show it. Returning proxy version will land in the same version as the V2 endpoint, so we either won't show the error or show the more generic version from below.

[kimlisa]

yeah that's the plan, to make it fallback to the generic messaging for the time being

[gzdunek]

So we can remove the more specific version as we will never show it.

[kimlisa]

oh that's true! i'll remove it

[gzdunek]

Suggested change

	test('enrollEksClusters with labbels calls v2', async () => {
	test('enrollEksClusters with labels calls v2', async () => {

[gzdunek]

Suggested change

	* Used to determine out dated proxies.
	* Used to determine outdated proxies.

[gzdunek]

I think the proxyVersion in ApiError could be optional, so we wouldn't have to pass null everywhere.

[kimlisa]

i made it into an object param

[gzdunek]

Optional chaining?

[avatus]

This might get a bit unruly now that I think about it. We have the same "path" like /webapi/tokens but now each of the different http methods might go to some separate version. so this could theoretically have as many different versions as we have http methods.

I don't suggest any change here, but we should think about how to handle this in the future. perhaps we could maybe pass a version number as argument or something. or maybe this isnt a problem at al and im just overthinking it

[kimlisa]

i did mark old endpoints for deletion eg // TODO(kimlisa): DELETE IN 19.0 - replaced by /v2/webapi/token, so with clean up it wouldn't be so bad?

[kimlisa]

oh that reminds me, perhaps i can also mark it deprecated in case anyone tries to use these endpoints outside of the service/* directory

[avatus]

but we wont delete the old one in v19. because other services use this path, just not the v2. for example. GET doesnt use v2.

[kimlisa]

oh i see what you mean now. though with these specific endpoints marked for deletion, there is only one HTTP verb attached to it

but you raise a really good question... how do we want to handle same paths but with differing HTTP verbs and versions?

i think we have to start being specific about the api endpoints, something like this maybe?

// before: 
usersPath: '/v1/webapi/users'   <--- used with multiple HTTP verbs

// after:
user: {
  create: '/v1/webapi/users',
  update: '/v1/webapi/users/:username',
  delete: '/v1/webapi/users/:username',       <-- kept for backward compat
  deleteV2: '/v2/webapi/users/:username',  <-- new feature
}

we start doing something like it here

would that be a good solution? for example webapi/token, it'll look like this:

discoveryToken: {
  // TODO(kimlisa): DELETE IN 19.0 - replaced by /v2/webapi/token
  create: '/v1/webapi/token'
  createV2: '/v2/webapi/token'
}

[avatus]

yeah i think an object is best. i suggested that to ryan when he added those paths in and i think it'd be a good solution to versioning in the future as well. at least, i dont have any better suggestions yet.

[kimlisa]

ok moving forward with this, i also updated RFD #50743 with it

[avatus]

Thanks for the update!

[avatus]

i can't seem to follow this. wouldn't this catch any version prefixed api path, and if its not v1, then it replies with not found? where does it send the other version number requests to? how does it break out of this

[kimlisa]

so this entire block of code is only ran if the first attempt at routing match failed. if the routing match failed, and the path is prefixed with v1 we strip it and serve it again (so essentially each path gets a second chance)

i also added more comments to this block on the newest changes that may explain it more?

[avatus]

that makes sense, thats why its called notFound handler now. ok i like it