teleport/api
Andrew Lytvynov e987caa292
client: set TLS certificate usage for k8s/app/db certs (#6824)
* client: set TLS certificate usage for k8s/app/db certs

--- TLS usage field

The certificate usage field prevents a certificate from being used for
other purposes. For example, a k8s-specific certificate will not be
accepted by a database service endpoint.

Server-side enforcement logic was already in place for a long time, but
we stopped setting the correct Usage in UserCertRequest during keystore
refactoring in 5.0 (with the introduction of k8s certs).

--- TLS certificate overwrite

As part of this, client.ReissueUserCerts will no longer write
usage-restricted certificates into the top-level TLS certificate used
for Teleport API authentication.

For example, when generating a k8s-specific certificate, we used to
overwrite both:
- `~/.tsh/keys/$proxy/$user-x509.pem`
- `~/.tsh/keys/$proxy/$user-kube/$cluster/$kubeCluster-x509.pem`

This PR stops overwriting `~/.tsh/keys/$proxy/$user-x509.pem`.
This is not a breaking change.

--- Selected k8s cluster

Prior to this PR, `tsh status` printed the selected k8s cluster based on
the top-level TLS certificate. Since we no longer overwrite that
certificate, it will not contain a k8s cluster name.

Instead, we extract it from the kubeconfig, which is actually more
accurate since a user could switch to a different context out-of-band.

* Document UserCertRequest CertUsage enum values
2021-05-13 10:26:12 -07:00

| Name | Last commit | Date |
| --- | --- | --- |
| client | client: set TLS certificate usage for k8s/app/db certs (#6824) | 2021-05-13 10:26:12 -07:00 |
| constants | Capture postgres extended protocol messages in audit log (#6303) | 2021-04-14 13:39:59 -07:00 |
| defaults | ignore dangling tunnel conns | 2021-03-26 14:11:02 -07:00 |
| identityfile | Refactor api package and docs to use pkg.go.dev effectively. (#6388) | 2021-04-20 16:44:17 -07:00 |
| profile | Adding postgres_public_addr and mysql_public_addr (#6426) | 2021-04-21 19:52:52 -07:00 |
| types | Introduce ClusterNetworkingConfig extracting fields from ClusterConfig (#6638) | 2021-05-07 13:54:08 +02:00 |
| utils | Refactor api package and docs to use pkg.go.dev effectively. (#6388) | 2021-04-20 16:44:17 -07:00 |
| go.mod | Use cmp.Equal instead of manual Equals methods (#5828) | 2021-05-06 11:47:31 -07:00 |
| go.sum | Use cmp.Equal instead of manual Equals methods (#5828) | 2021-05-06 11:47:31 -07:00 |