Database Agent - remove Support for UserCA (#23758)

api/proto/teleport/legacy/client/proto/authservice.proto

@@ -950,11 +950,8 @@ message DatabaseCSRRequest {
   bytes CSR = 1 [(gogoproto.jsontag) = "csr"];
   // ClusterName is the name of the cluster the request is for.
   string ClusterName = 2 [(gogoproto.jsontag) = "cluster_name"];
-  // SignWithDatabaseCA if set to true will use Database CA to sign the created certificate.
-  // This flag was created to enable Database CA for new proxies and don't break old one that
-  // are still using UserCA.
-  // DELETE IN 11.0.
-  bool SignWithDatabaseCA = 3 [(gogoproto.jsontag) = "sign_with_database_ca"];
+  // SignWithDatabaseCA deprecated.
+  reserved 3;
 }
 
 // DatabaseCSRResponse contains the signed database certificate.

lib/auth/db.go

@@ -188,17 +188,9 @@ func (s *Server) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequ
 	// Get the correct cert TTL based on roles.
 	ttl := roles.AdjustSessionTTL(apidefaults.CertDuration)
 
-	caType := types.UserCA
-	if req.SignWithDatabaseCA {
-		// Field SignWithDatabaseCA was added in Teleport 10 when DatabaseCA was introduced.
-		// Previous Teleport versions used UserCA, and we still need to sign certificates with UserCA
-		// for compatibility reason. Teleport 10+ expects request signed with DatabaseCA.
-		caType = types.DatabaseCA
-	}
-
 	// Generate the TLS certificate.
 	ca, err := s.GetCertAuthority(ctx, types.CertAuthID{
-		Type:       caType,
+		Type:       types.DatabaseCA,
 		DomainName: clusterName.GetClusterName(),
 	}, true)
 	if err != nil {

lib/auth/trustedcluster.go

@@ -571,30 +571,20 @@ func getLeafClusterCAs(ctx context.Context, srv *Server, domainName string, vali
 // getCATypesForLeaf returns the list of CA certificates that should be sync in response to ValidateTrustedClusterRequest.
 func getCATypesForLeaf(validateRequest *ValidateTrustedClusterRequest) ([]types.CertAuthType, error) {
 	var (
-		err                 error
-		databaseCASupported bool
-		openSSHCASupported  bool
+		err                error
+		openSSHCASupported bool
 	)
 
 	if validateRequest.TeleportVersion != "" {
 		// (*ValidateTrustedClusterRequest).TeleportVersion was added in Teleport 10.0. If the request comes from an older
 		// cluster this field will be empty.
-		databaseCASupported, err = utils.MinVerWithoutPreRelease(validateRequest.TeleportVersion, constants.DatabaseCAMinVersion)
-		if err != nil {
-			return nil, trace.Wrap(err, "failed to parse Teleport version: %q", validateRequest.TeleportVersion)
-		}
 		openSSHCASupported, err = utils.MinVerWithoutPreRelease(validateRequest.TeleportVersion, constants.OpenSSHCAMinVersion)
 		if err != nil {
 			return nil, trace.Wrap(err, "failed to parse Teleport version: %q", validateRequest.TeleportVersion)
 		}
 	}
 
-	certTypes := []types.CertAuthType{types.HostCA, types.UserCA}
-	if databaseCASupported {
-		// Database CA was introduced in Teleport 10.0. Do not send it to older clusters
-		// as they don't understand it.
-		certTypes = append(certTypes, types.DatabaseCA)
-	}
+	certTypes := []types.CertAuthType{types.HostCA, types.UserCA, types.DatabaseCA}
 	if openSSHCASupported {
 		// OpenSSH CA was introduced in Teleport 12.0. Do not send it to older clusters
 		// as they don't understand it.

lib/auth/trustedcluster_test.go

@@ -360,7 +360,7 @@ func TestValidateTrustedCluster(t *testing.T) {
 		require.Equal(t, localClusterName, osshCAs[0].GetName())
 	})
 
-	t.Run("only Host and User CA are returned for v9", func(t *testing.T) {
+	t.Run("Host User and Database CA are returned by default", func(t *testing.T) {
 		leafClusterCA := types.CertAuthority(suite.NewTestCA(types.HostCA, "leafcluster"))
 		resp, err := a.validateTrustedCluster(ctx, &ValidateTrustedClusterRequest{
 			Token:           validToken,
@@ -369,10 +369,10 @@ func TestValidateTrustedCluster(t *testing.T) {
 		})
 		require.NoError(t, err)
 
-		require.Len(t, resp.CAs, 2)
+		require.Len(t, resp.CAs, 3)
 		require.ElementsMatch(t,
-			[]types.CertAuthType{types.HostCA, types.UserCA},
-			[]types.CertAuthType{resp.CAs[0].GetType(), resp.CAs[1].GetType()},
+			[]types.CertAuthType{types.HostCA, types.UserCA, types.DatabaseCA},
+			[]types.CertAuthType{resp.CAs[0].GetType(), resp.CAs[1].GetType(), resp.CAs[2].GetType()},
 		)
 	})
 

lib/srv/db/proxyserver.go

@@ -33,7 +33,6 @@ import (
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/client/proto"
-	"github.com/gravitational/teleport/api/constants"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/api/types"
 	apiutils "github.com/gravitational/teleport/api/utils"
@@ -581,18 +580,9 @@ func (s *ProxyServer) getConfigForServer(ctx context.Context, identity tlsca.Ide
 		return nil, trace.Wrap(err)
 	}
 
-	// DatabaseCA was introduced in Teleport 10. Older versions require database certificate signed
-	// with UserCA where Teleport 10+ uses DatabaseCA.
-	ver10orAbove, err := utils.MinVerWithoutPreRelease(server.GetTeleportVersion(), constants.DatabaseCAMinVersion)
-	if err != nil {
-		return nil, trace.Wrap(err, "failed to parse Teleport version: %q", server.GetTeleportVersion())
-	}
-
 	response, err := s.cfg.AuthClient.SignDatabaseCSR(ctx, &proto.DatabaseCSRRequest{
 		CSR:         csr,
 		ClusterName: identity.RouteToCluster,
-		// TODO: Remove in Teleport 11.
-		SignWithDatabaseCA: ver10orAbove,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)

lib/srv/db/server.go

@@ -380,9 +380,11 @@ func New(ctx context.Context, config Config) (*Server, error) {
 	// Update TLS config to require client certificate.
 	server.cfg.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
 	server.cfg.TLSConfig.GetConfigForClient = getConfigForClient(
-		server.cfg.TLSConfig, server.cfg.AccessPoint, server.log,
-		// TODO: Remove UserCA in Teleport 11.
-		types.UserCA, types.DatabaseCA)
+		server.cfg.TLSConfig,
+		server.cfg.AccessPoint,
+		server.log,
+		types.DatabaseCA,
+	)
 
 	return server, nil
 }