54 changes: 30 additions & 24 deletions lib/auth/join/join.go
Expand Up @@ -37,6 +37,7 @@ import (
"github.com/gravitational/teleport/api/client"
"github.com/gravitational/teleport/api/client/proto"
"github.com/gravitational/teleport/api/client/webclient"
joinv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/join/v1"
"github.com/gravitational/teleport/api/observability/tracing"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/api/utils/aws"
Expand Down Expand Up @@ -191,7 +192,7 @@ type RegisterParams struct {
BoundKeypairParams *BoundKeypairParams
}

func (r *RegisterParams) checkAndSetDefaults() error {
func (r *RegisterParams) CheckAndSetDefaults() error {
if r.Clock == nil {
r.Clock = clockwork.NewRealClock()
}
Expand Down Expand Up @@ -264,7 +265,7 @@ func Register(ctx context.Context, params RegisterParams) (result *RegisterResul
ctx, span := tracer.Start(ctx, "Register")
defer func() { tracing.EndSpan(span, err) }()

if err := params.checkAndSetDefaults(); err != nil {
if err := params.CheckAndSetDefaults(); err != nil {
return nil, trace.Wrap(err)
}
// Read in the token. The token can either be passed in or come from a file
Expand Down Expand Up @@ -378,7 +379,7 @@ func Register(ctx context.Context, params RegisterParams) (result *RegisterResul
if params.GetHostCredentials == nil {
slog.DebugContext(ctx, "Missing client, it is not possible to register through proxy.")
registerMethods = []registerMethod{registerThroughAuth}
} else if authServerIsProxy(params.AuthServers) {
} else if LooksLikeProxy(params.AuthServers) {
slog.DebugContext(ctx, "The first specified auth server appears to be a proxy.")
registerMethods = []registerMethod{registerThroughProxy, registerThroughAuth}
}
Expand All @@ -399,9 +400,9 @@ func Register(ctx context.Context, params RegisterParams) (result *RegisterResul
return nil, trace.NewAggregate(collectedErrs...)
}

// authServerIsProxy returns true if the first specified auth server
// LooksLikeProxy returns true if the first specified auth server
// to register with appears to be a proxy.
func authServerIsProxy(servers []utils.NetAddr) bool {
func LooksLikeProxy(servers []utils.NetAddr) bool {
if len(servers) == 0 {
return false
}
Expand Down Expand Up @@ -506,25 +507,7 @@ func registerThroughAuth(
ctx, span := tracer.Start(ctx, "registerThroughAuth")
defer func() { tracing.EndSpan(span, err) }()

var client *authclient.Client
// Build a client for the Auth Server with different certificate validation
// depending on the configured values for Insecure, CAPins and CAPath.
switch {
case params.Insecure:
slog.WarnContext(ctx, "Insecure mode enabled. Auth Server cert will not be validated and CAPins and CAPath value will be ignored.")
client, err = insecureRegisterClient(ctx, params)
case len(params.CAPins) != 0:
// CAPins takes precedence over CAPath
client, err = pinRegisterClient(ctx, params)
case params.CAPath != "":
client, err = caPathRegisterClient(ctx, params)
default:
// We fall back to insecure mode here - this is a little odd but is
// necessary to preserve the behavior of registration. At a later date,
// we may consider making this an error asking the user to provide
// Insecure, CAPins or CAPath.
client, err = insecureRegisterClient(ctx, params)
}
client, err := NewAuthClient(ctx, params)
if err != nil {
return nil, trace.Wrap(err, "building auth client")
}
Expand All @@ -540,6 +523,7 @@ type AuthJoinClient interface {
joinServiceClient
RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (*proto.Certs, error)
Ping(ctx context.Context) (proto.PingResponse, error)
JoinV1Client() joinv1.JoinServiceClient
}

func registerThroughAuthClient(
Expand Down Expand Up @@ -593,6 +577,28 @@ func getHostAddresses(params RegisterParams) []string {
return utils.NetAddrsToStrings(params.AuthServers)
}

// NewAuthClient returns a new auth client built according to the register
// params, preferring the authenticate the server via CA pins or a CA path and
// falling back to an insecure connection, unless insecure mode was explicitly enabled.
func NewAuthClient(ctx context.Context, params RegisterParams) (*authclient.Client, error) {
switch {
case params.Insecure:
slog.WarnContext(ctx, "Insecure mode enabled. Auth Server cert will not be validated and CAPins and CAPath value will be ignored.")
return insecureRegisterClient(ctx, params)
case len(params.CAPins) != 0:
// CAPins takes precedence over CAPath
return pinRegisterClient(ctx, params)
case params.CAPath != "":
return caPathRegisterClient(ctx, params)
default:
// We fall back to insecure mode here - this is a little odd but is
// necessary to preserve the behavior of registration. At a later date,
// we may consider making this an error asking the user to provide
// Insecure, CAPins or CAPath.
return insecureRegisterClient(ctx, params)
}
}

// insecureRegisterClient attempts to connects to the Auth Server using the
// CA on disk. If no CA is found on disk, Teleport will not verify the Auth
// Server it is connecting to.
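Review bot: The default branch of the newly exported `NewAuthClient` (the `default:` case after the `CAPath` check) still falls back to `insecureRegisterClient` without any log output, while the explicit `params.Insecure` case emits a warning; now that this helper is public, a caller that simply forgets to set `CAPins` or `CAPath` ends up with an unauthenticated (or only opportunistically authenticated, per the `insecureRegisterClient` comment below the hunk) connection to the Auth Server and nothing in the logs to show it. Add a warning to that branch, e.g. `slog.WarnContext(ctx, "Neither CAPins nor CAPath were provided; falling back to an insecure connection to the Auth Server.")`, so the unverified path is at least visible to operators, and consider the TODO already in the comment about making it an error. The doc comment also has a typo, "preferring the authenticate the server", which should read "preferring to authenticate the server via CA pins or a CA path". The function is fully contained in the hunk.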
7 changes: 5 additions & 2 deletions lib/client/proxy/insecure/insecure.go
Expand Up @@ -27,6 +27,7 @@ import (

"github.com/gravitational/trace"
"github.com/jonboulle/clockwork"
"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
"golang.org/x/net/http2"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
Expand All @@ -35,6 +36,7 @@ import (
"github.com/gravitational/teleport/api/constants"
apidefaults "github.com/gravitational/teleport/api/defaults"
"github.com/gravitational/teleport/api/metadata"
"github.com/gravitational/teleport/api/utils/grpc/interceptors"
"github.com/gravitational/teleport/lib/srv/alpnproxy/common"
"github.com/gravitational/teleport/lib/utils"
)
Expand Down Expand Up @@ -85,9 +87,10 @@ func NewConnection(
conn, err := grpc.Dial(
params.ProxyServer,
grpc.WithContextDialer(client.GRPCContextDialer(dialer)),
grpc.WithUnaryInterceptor(metadata.UnaryClientInterceptor),
grpc.WithStreamInterceptor(metadata.StreamClientInterceptor),
grpc.WithChainUnaryInterceptor(metadata.UnaryClientInterceptor, interceptors.GRPCClientUnaryErrorInterceptor),
grpc.WithChainStreamInterceptor(metadata.StreamClientInterceptor, interceptors.GRPCClientStreamErrorInterceptor),
grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
grpc.WithStatsHandler(otelgrpc.NewClientHandler()),
)
return conn, trace.Wrap(err)
}
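Review bot: The new `grpc.WithStatsHandler(otelgrpc.NewClientHandler())` on the `grpc.Dial` call will, as otelgrpc client handlers normally do, inject trace-context metadata into every RPC on this connection, and since this lives in the `insecure` package the peer may not have been verified (the `tlsConfig` construction is above the hunk, so this is inferred); trace IDs are low-value but it is worth a one-line comment stating that only trace propagation, not credentials, rides on this connection. The added `interceptors.GRPCClientUnaryErrorInterceptor` / `GRPCClientStreamErrorInterceptor` presumably change the error type callers see from this connection (gRPC status errors mapped to trace errors), which affects how callers of `NewConnection` match errors; `NewConnection`'s doc comment starts outside the hunk and should mention that mapping, e.g. `// Errors returned from RPCs on this connection are converted to trace errors by the client error interceptors.` The enclosing function begins before the hunk.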