Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict AutoUpdateVersion to be created/updated for cloud #49008

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Restrict AutoUpdateVersion to be created/updated for cloud #49008

wants to merge 1 commit into from
+14 −1

Conversation

vapopov
Copy link
Contributor

@vapopov vapopov commented Nov 14, 2024

In this PR added validation to restrict modify AutoUpdateVersion for cloud users

Related:

teleport/rfd/0144-client-tools-updates.md

Lines 216 to 224 in c906170

> [!NOTE]
> Client tools configuration is broken into two resources to [prevent
> updates](https://github.com/gravitational/teleport/blob/master/lib/modules/modules.go#L332-L355)
> to `autoupdate_version` on Cloud.
>
> While Cloud customers will be able to use `autoupdate_config` to
> turn client tools automatic updates `off` and self-manage updates, they will
> not be able to control the version of client tools in `autoupdate_version`.
> That will continue to be managed by the Teleport Cloud team.

@vapopov vapopov added the no-changelog Indicates that a PR does not require a changelog entry label Nov 14, 2024
@aws-amplify-us-west-2 AWS Amplify (us-west-2)
Copy link

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-49008.d3pp5qlev8mo18.amplifyapp.com

zmb3
zmb3 reviewed Nov 14, 2024
View reviewed changes
lib/modules/modules.go
@@ -331,7 +332,7 @@ func GetModules() Modules {
var ErrCannotDisableSecondFactor = errors.New("cannot disable multi-factor authentication")

// ValidateResource performs additional resource checks.
func ValidateResource(res types.Resource) error {
func ValidateResource(res any) error {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any reason that AutoUpdateVersion can't implement types.Resource?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

new resources implements types.Resource153 they not compatible with each other

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps ValidateResource is trying to be too generic. Is there any reason this validation can't be applied directly within the auto update service instead?

@hugoShaka
Copy link
Contributor

hugoShaka commented Nov 14, 2024
edited
Loading

If I understand correctly, this will render any version invalid on cloud.
This means cloud themselves will not be able to set version using tctl and local admin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rosstimothy rosstimothy rosstimothy left review comments

@zmb3 zmb3 zmb3 left review comments

@sclevine sclevine Awaiting requested review from sclevine

@hugoShaka hugoShaka Awaiting requested review from hugoShaka

@mvbrock mvbrock Awaiting requested review from mvbrock

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
no-changelog Indicates that a PR does not require a changelog entry size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vapopov @hugoShaka @zmb3 @rosstimothy