mirror of
https://github.com/gravitational/teleport
synced 2024-10-22 02:03:24 +00:00
e987caa292
* client: set TLS certificate usage for k8s/app/db certs

--- TLS usage field

The certificate usage field prevents a certificate from being used for other purposes. For example, a k8s-specific certificate will not be accepted by a database service endpoint. Server-side enforcement logic was already in place for a long time, but we stopped setting the correct Usage in UserCertRequest during keystore refactoring in 5.0 (with the introduction of k8s certs).

--- TLS certificate overwrite

As part of this, client.ReissueUserCerts will no longer write usage-restricted certificates into the top-level TLS certificate used for Teleport API authentication. For example, when generating a k8s-specific certificate, we used to overwrite both:

- `~/.tsh/keys/$proxy/$user-x509.pem`
- `~/.tsh/keys/$proxy/$user-kube/$cluster/$kubeCluster-x509.pem`

This PR stops overwriting `~/.tsh/keys/$proxy/$user-x509.pem`. This is not a breaking change.

--- Selected k8s cluster

Prior to this PR, `tsh status` printed the selected k8s cluster based on the top-level TLS certificate. Since we no longer overwrite that certificate, it will not contain a k8s cluster name. Instead, we extract it from the kubeconfig, which is actually more accurate since a user could switch to a different context out-of-band.

* Document UserCertRequest CertUsage enum values
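The usage mechanism the commit message describes, shown end to end as an added example (this is not code from the page or from Teleport itself): a usage value is set when the user certificate is issued, and the service endpoint enforces it so that a k8s-only certificate is refused by a database endpoint while an unrestricted one is accepted everywhere. The private-arc OID for the extension, the ASN.1 string encoding, and the names `CertUsage`, `mint`, `newCA`, `issueCert` and `serviceCheck` are all assumptions made for this example; the page does not show how Teleport encodes its usage field.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// CertUsage stands in for the usage field of a user cert request: empty means
// unrestricted, anything else pins the cert to one kind of service.
type CertUsage string

const (
	UsageAll      CertUsage = ""
	UsageKube     CertUsage = "kubernetes"
	UsageDatabase CertUsage = "database"
)

// usageOID is a private-arc OID made up for this example, not Teleport's own.
var usageOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// mint generates an Ed25519 key and signs tmpl with signer (self-signed when
// parent is nil); it returns the parsed certificate and the new private key.
func mint(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA creates the self-signed CA that signs the example user certs.
func newCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueCert mints a client cert for user. A restricted usage goes into a critical
// extension, so a verifier that does not know it fails closed; UsageAll adds none.
func issueCert(ca *x509.Certificate, caKey ed25519.PrivateKey, user string, usage CertUsage) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if usage != UsageAll {
		val, err := asn1.Marshal(string(usage))
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: usageOID, Critical: true, Value: val}}
	}
	cert, _, err := mint(tmpl, ca, caKey)
	return cert, err
}

// serviceCheck is the server-side enforcement a k8s/db/app endpoint performs on a
// presented client cert: read the usage field, verify the chain, refuse a mismatch.
func serviceCheck(cert *x509.Certificate, roots *x509.CertPool, service CertUsage) error {
	got := UsageAll // no extension means the cert is not usage-restricted
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(usageOID) {
			var s string
			if rest, err := asn1.Unmarshal(ext.Value, &s); err != nil || len(rest) != 0 {
				return fmt.Errorf("malformed usage extension: %v", err)
			}
			got = CertUsage(s)
		}
	}
	// We understand the usage extension, so it is no longer "unhandled"; Verify
	// rejects any cert that still carries an unknown critical extension.
	cert.UnhandledCriticalExtensions = slices.DeleteFunc(cert.UnhandledCriticalExtensions,
		func(o asn1.ObjectIdentifier) bool { return o.Equal(usageOID) })
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if got != UsageAll && got != service {
		return fmt.Errorf("usage mismatch: cert is for %q, endpoint is %q", got, service)
	}
	return nil
}
```

Marking the extension critical is deliberate: a service that has not been taught the extension refuses the certificate outright instead of quietly treating a k8s-only cert as a general-purpose one, which is the same fail-closed property the server-side usage check provides for services that do understand it. The chain check runs before the usage comparison, so a cert from an untrusted CA is rejected whatever its usage says.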
| Path |
|---|
| client |
| constants |
| defaults |
| identityfile |
| profile |
| types |
| utils |
| go.mod |
| go.sum |