Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Machine ID: Warn when returned cert TTL is less than expected #52833

Merged
merged 3 commits into from
Mar 12, 2025
Merged

Machine ID: Warn when returned cert TTL is less than expected #52833

merged 3 commits into from
Mar 12, 2025

Conversation

timothyb89
Copy link
Contributor

@timothyb89 timothyb89 commented Mar 6, 2025
edited
Loading

This adds a warning when the returned certificate TTL is lower than requested, which can happen if max_session_ttl is set in a bot role.

changelog: Machine ID: Added warning when generated certificates will not last as long as expected

Fixes #29579

@timothyb89
Machine ID: Warn when returned cert TTL is less than expected
2ddb748 
This adds a warning when the returned certificate TTL is lower than
requested, which can happen if `max_session_ttl` is set in a bot
role.

Fixes #29579
timothyb89
timothyb89 commented Mar 6, 2025
View reviewed changes
lib/tbot/output_utils.go
Comment on lines +432 to +435
l.WarnContext(ctx, "The server returned an identity shorter than "+
"the requested TTL, probably due to a `max_session_ttl` "+
"configured on a server-side role. It may not remain valid as "+
"long as expected.")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did some experimenting and found that bots can always fetch their own roles, so technically we could make some queries and log exactly which role caused the shortened TTL. Any thoughts on whether or not that would be worth the effort?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That'd be a really nice touch, but I think it depends on how many roles bots have in the common case. My hunch is that it's low enough that it wouldn't take users long to figure out which is the problematic role.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, and adds network calls on what's already a semi-error path, which isn't ideal. I think I'll stick with the simpler implementation for now, and maybe add a note to indicate we could improve this in the future if we see users having trouble.

boxofrad
boxofrad approved these changes Mar 6, 2025
View reviewed changes
Copy link
Contributor

@boxofrad boxofrad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job! 👏🏻

lib/tbot/output_utils.go
Comment on lines +432 to +435
l.WarnContext(ctx, "The server returned an identity shorter than "+
"the requested TTL, probably due to a `max_session_ttl` "+
"configured on a server-side role. It may not remain valid as "+
"long as expected.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That'd be a really nice touch, but I think it depends on how many roles bots have in the common case. My hunch is that it's low enough that it wouldn't take users long to figure out which is the problematic role.

@timothyb89 timothyb89 marked this pull request as ready for review March 11, 2025 18:55
@github-actions github-actions bot requested a review from boxofrad March 11, 2025 18:56
@timothyb89 timothyb89 added this pull request to the merge queue Mar 12, 2025
Merged via the queue into master with commit 31fe604 Mar 12, 2025
47 of 48 checks passed
@timothyb89 timothyb89 deleted the timothyb89/tbot-warn-on-early-expiration branch March 12, 2025 19:26
@public-teleport-github-review-bot
Copy link

@timothyb89 See the table below for backport results.

Branch Result
branch/v16 Failed
branch/v17 Create PR

@timothyb89 timothyb89 mentioned this pull request Mar 12, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@boxofrad boxofrad boxofrad approved these changes

@strideynet strideynet strideynet approved these changes

Assignees
No one assigned
Labels
backport/branch/v16 backport/branch/v17 machine-id size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Machine ID: Add warnings when max_session_ttl is exceeded in tbot configuration
3 participants
@timothyb89 @boxofrad @strideynet