Deprecate ca_signature_algo config (#13033)
Thanks for the cleanup, @marcoandredinis!
@@ -420,9 +414,6 @@ func (conf *FileConfig) CheckAndSetDefaults() error { | |||
return trace.BadParameter("MAC algorithm %q is not supported; supported algorithms: %q", m, sc.MACs) | |||
} | |||
} | |||
if conf.CASignatureAlgorithm != nil && !apiutils.SliceContainsStr(validCASigAlgos, *conf.CASignatureAlgorithm) { |
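Review bot: With the validCASigAlgos check dropped from CheckAndSetDefaults, any value an operator leaves in ca_signature_algo is now accepted without comment, even one the old validation would have rejected. Since the field is being kept only for config backwards compatibility, the `conf.CASignatureAlgorithm != nil` case should still be handled here by logging a deprecation warning that the value is ignored and the signing algorithm is chosen automatically, and the field declaration in fileconf.go should carry a matching deprecation comment so the intent is visible at the definition as well as at load time.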
Let's add a deprecation notice at fileconf.go / Global.CASignatureAlgorithm too, so it's clear the field is unused and kept only for config backwards compatibility.
Is there a "Cloud"/protobuf counterpart for this setting, or just the fileconf / teleport.yaml one?
Deprecation notice added 🙏
Is there a "Cloud"/protobuf counterpart for this setting, or just the fileconf / teleport.yaml one?
CertAuthorityV2 has two methods that I'm pretty sure could be removed: Get/SetSigningAlg
My concern is having a version without those methods interacting with a version that has them
I don't know how that works out (backwards/forward compat)
I'll do some tests 🛠️
If you drop the methods and an older gRPC client tries to call them, it'll get a framework-level error saying the method doesn't exist (I don't remember the exact error, but it's something like that).
Whether it's safe to drop depends on how it's used. If you can ensure all calls are removed by version N, then it's safe to drop the method in N+1.
LGTM Marco, let me know if you intend to do further work in this PR, otherwise I'm happy to approve.
Looks good, but there's also a reference to ca_signature_algo in our docs - please update that as well.
@zmb3 @codingllama I tested using teleport built from this branch against

root@moon:/workspace/teleport# tsh version
Teleport v10.0.0-dev git:teleport-connect-preview-1.0.0.dev.1-252-g855e461ca go1.17.10
Proxy version: 10.0.0-dev
root@moon:/workspace/teleport# tsh ssh root@marco.mydemo
root@marco:~# exit
logout
the connection was closed on the remote side on 03 Jun 22 10:45 UTC
root@moon:/workspace/teleport# ./tsh version
Teleport v9.3.2 git:v9.3.2-0-gb3597d12a go1.17.10
root@moon:/workspace/teleport# ./tsh ssh root@marco.mydemo
root@marco:~# exit
logout
the connection was closed on the remote side on 03 Jun 22 10:45 UTC
LGTM.
All suggestions are about removing redundant initializations. Feel free to push back/ignore as you see fit.
Co-authored-by: Zac Bergquist <zmb3@users.noreply.github.com>
After the merge of #12674 we no longer use the following configuration:

As we now rely upon the x/crypto package to choose the signing algorithm (it defaults to rsa-sha2-512).

Demo

If we set ca_signature_algo (the value is irrelevant) and start teleport we get:

Fixes #12905
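The before/after behaviour this PR describes, as an added example that is not Teleport's own code: the field is kept so old config files still parse, the old allow-list check is shown beside the new accept-and-warn path, and the pre-PR check is contrasted with the post-PR one. It assumes a minimal FileConfig with only this field and uses encoding/json in place of the YAML decoder (JSON is a YAML subset); the allow-list values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// FileConfig mirrors the one teleport.yaml field under discussion. JSON is a
// subset of YAML, so encoding/json stands in for the YAML decoder here.
type FileConfig struct {
	// Deprecated: x/crypto now picks the CA signing algorithm (rsa-sha2-512 by
	// default). The field stays only so existing config files still parse.
	CASignatureAlgorithm *string `json:"ca_signature_algo,omitempty"`
}

// validCASigAlgos is the allow-list the removed check enforced (constructed
// sample values, not Teleport's own list).
var validCASigAlgos = []string{"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}

// checkLegacy is the pre-PR behaviour: an unknown value is a hard config error.
func checkLegacy(conf *FileConfig) error {
	if conf.CASignatureAlgorithm == nil {
		return nil
	}
	for _, a := range validCASigAlgos {
		if a == *conf.CASignatureAlgorithm {
			return nil
		}
	}
	return fmt.Errorf("CA signature algorithm %q is not supported", *conf.CASignatureAlgorithm)
}

// checkDeprecated is the post-PR behaviour: any value parses, the field is
// ignored, and a warning is returned for the caller to log at startup.
func checkDeprecated(conf *FileConfig) string {
	if conf.CASignatureAlgorithm == nil {
		return ""
	}
	return "ca_signature_algo is deprecated and ignored; the signing algorithm is chosen automatically"
}

// LoadConfig decodes a config document and returns the deprecation warning, if any.
func LoadConfig(data []byte) (*FileConfig, string, error) {
	var conf FileConfig
	if err := json.Unmarshal(data, &conf); err != nil {
		return nil, "", err
	}
	return &conf, checkDeprecated(&conf), nil
}
```

Loading `{"ca_signature_algo": "anything"}` fails checkLegacy but passes LoadConfig with a warning, which is the change in operator-visible behaviour the review thread asks to make explicit.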