teleport: fix dot_expander crash and label mapping conflicts#19343
Merged
Conversation
efd6
added
bugfix
Contributor
✅ Elastic Docs Style Checker (Vale)No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
Two related fixes for Teleport audit pipeline failures: 1. Stash the scalar teleport.audit.addr into a temporary field before dot_expander runs, then restore it after addr.local and addr.remote have been expanded, extracted, and removed. This prevents the crash when addr coexists with addr.local/addr.remote in port forwarding events (code T3003S). 2. Move the renames of kubernetes_labels, kube_labels, and server_labels from event-groups into default.yml so they execute unconditionally. These fields contain dotted keys (e.g. "cluster.coreweave.cloud/type") that are safe in their flattened target mapping but cause mapping conflicts under dynamic mapping if event-groups fails and the rename is skipped. The new test cases are based on existing test events: the port.local event extends the T3003I port event with addr.local/addr.remote fields added, and the kube.create event extends an existing kube_labels event with a colliding dotted label key. Fixes elastic#19239 Fixes elastic#19243
🚀 Benchmarks reportTo see the full report comment with |
efd6
changed the title
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
kcreddy
reviewed
Jun 4, 2026
Comment on lines
+85
to
+99
| - rename: | ||
| field: teleport.audit.kubernetes_labels | ||
| target_field: teleport.audit.kubernetes.labels | ||
| ignore_missing: true | ||
| ignore_failure: true | ||
| - rename: | ||
| field: teleport.audit.kube_labels | ||
| target_field: teleport.audit.kubernetes.labels | ||
| ignore_missing: true | ||
| ignore_failure: true | ||
| - rename: | ||
| field: teleport.audit.server_labels | ||
| target_field: teleport.audit.server.labels | ||
| ignore_missing: true | ||
| ignore_failure: true |
Contributor
There was a problem hiding this comment.
There are references to the fields teleport.audit.kubernetes_labels, teleport.audit.kube_labels, and teleport.audit.server_labels inside event-groups.yml. Should they be removed now its done inside default.yml?
|
✅ All changelog entries have the correct PR link. |
💚 Build Succeeded
History
cc @efd6 |
|
Package teleport - 1.6.2 containing this change is available at https://epr.elastic.co/package/teleport/1.6.2/ |
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots