Add support for backward compatible API Client behavior #11567
Conversation
smallinsky
force-pushed
the
smallinsky/cas_legacy_tsh_auth_client_compatibility
branch
from
5b746bc to
3329184
Compare
github-actions
bot
added
the
tsh
| // TLSCAsPath returns the path to the users's TLS CA's certificates | ||
| // for the given proxy. | ||
| // <baseDir>/keys/<proxy>/certs.pem | ||
| // DELETE IN 10.0. Deprecated |
There was a problem hiding this comment.
If this needs to be removed in 10.0 shouldn't we just fix it in 9.0? Technically this code will be deprecated the moment when is merged.
There was a problem hiding this comment.
The issue is not stricte related to any teleport tsh or tctl flow but occurs in external tools that depends on teleport/api/clientpackage like [terraform](https://github.com/gravitational/teleport-plugins/blob/master/go.mod#L20) teleport-plugin where client still uses oldtshthat generates certs.pem dir but the teleport-plugin uses a news version ofteleport/api/client` that doesn't read certs from certs.pem.
If we will be sure that all clients switched to teleport v9 where trusted certs are stored in CAS directory we will be able to drop support for certs.pem file.
smallinsky
deleted the
smallinsky/cas_legacy_tsh_auth_client_compatibility
branch
What
Add support for backward-compatible behavior in the case where tsh profile was generated by tsh version without CAS fix where trusted clusters CAs were split and moved to
casdirectory.This case occurs when a client uses an old tsh client without CAS fix and a news version of teleport plugins that try to load clusters certs from CAS directory in case of creating auth client from the
tshusers profile.