Create remote site cache based on remote auth version

[rosstimothy]

The cache policy used for a remote site is determined based on
the response from a version request. However the version response
was only returning the proxy version. If the remote site was not
running the same version for both auth and proxy, then the cache
policy chosen could be invalid.

The reverse tunnel agent now pings its auth server and reports
both the auth and proxy version in response to a version request.
To maintain backward compatibility the reverse tunnel server will
fallback to using the proxy version if the response does not
contain an auth version.

Fixes #12010

[smallinsky]

Left some comments.
@jakule Could you also take a look ?

[jakule]

@rosstimothy I was using this logic in my other PR, but this PR won't make a huge difference #12040.
But there is other thing. I assume that this PR will be backported to v9. The function checks if the cluster that you're connecting to is before v8. Technically we allow only one version different, so if this PR makes only to v9, then the only cluster that you can connect to older than v9 is v8. From what I understand this is not supported scenario in our case? Correct me if I'm wrong.

[rosstimothy]

@rosstimothy I was using this logic in my other PR, but this PR won't make a huge difference #12040. But there is other thing. I assume that this PR will be backported to v9. The function checks if the cluster that you're connecting to is before v8. Technically we allow only one version different, so if this PR makes only to v9, then the only cluster that you can connect to older than v9 is v8. From what I understand this is not supported scenario in our case? Correct me if I'm wrong.

This PR needs to be backported as far as possible. It was actually found by a customer upgrading from v6 -> v7. I don't think any of the changes introduced here really change the logic in which clusters you can connect to. It simply changes which service in the remote cluster is used to determine its version. Using the agent version is incorrect both for determining the cache policy, and for the new use case that you added in #12040. Since the cache is generated by connecting to the auth server, and the remote watchers are all created from the cache we need to know the auth version. Things only work as is if the auth version and agent version are the same.

[jakule]

@rosstimothy I was using this logic in my other PR, but this PR won't make a huge difference #12040. But there is other thing. I assume that this PR will be backported to v9. The function checks if the cluster that you're connecting to is before v8. Technically we allow only one version different, so if this PR makes only to v9, then the only cluster that you can connect to older than v9 is v8. From what I understand this is not supported scenario in our case? Correct me if I'm wrong.

This PR needs to be backported as far as possible. It was actually found by a customer upgrading from v6 -> v7. I don't think any of the changes introduced here really change the logic in which clusters you can connect to. It simply changes which service in the remote cluster is used to determine its version. Using the agent version is incorrect both for determining the cache policy, and for the new use case that you added in #12040. Since the cache is generated by connecting to the auth server, and the remote watchers are all created from the cache we need to know the auth version. Things only work as is if the auth version and agent version are the same.

In this case can we rename the function isPreV8Cluster() to something like isOldCachePolicy()? I was under the impression that this function is only needed in v9 cluster, but from what I understand is not true.

[rosstimothy]

@rosstimothy I was using this logic in my other PR, but this PR won't make a huge difference #12040. But there is other thing. I assume that this PR will be backported to v9. The function checks if the cluster that you're connecting to is before v8. Technically we allow only one version different, so if this PR makes only to v9, then the only cluster that you can connect to older than v9 is v8. From what I understand this is not supported scenario in our case? Correct me if I'm wrong.

This PR needs to be backported as far as possible. It was actually found by a customer upgrading from v6 -> v7. I don't think any of the changes introduced here really change the logic in which clusters you can connect to. It simply changes which service in the remote cluster is used to determine its version. Using the agent version is incorrect both for determining the cache policy, and for the new use case that you added in #12040. Since the cache is generated by connecting to the auth server, and the remote watchers are all created from the cache we need to know the auth version. Things only work as is if the auth version and agent version are the same.

In this case can we rename the function isPreV8Cluster() to something like isOldCachePolicy()? I was under the impression that this function is only needed in v9 cluster, but from what I understand is not true.

Yeah this could probably be named better. I believe it was initially added in v7 due to the need to support resource changes in the backend which introduced the two different remote cache policies. It looks like over the course of newer versions the name isPreXCluster has just kept incrementing the version number:

teleport/lib/reversetunnel/srv.go

Line 1069 in ec82941

ok, err := isPreV7Cluster(closeContext, sconn)

[smallinsky]

Can we increase severity level to INFO ?
In case where the ping call failed it hole addRemoteCluster operation fails so it would be nice to have insight about this.

[smallinsky]

Suggested change

	a.log.Debugf("Failed to reply to %version request: %v.", err)
	a.log.Debugf("Failed to reply to %v request: %v.", r.Type, err)

[rosstimothy]

💚 All backports created successfully

Status	Branch	Result
✅	branch/v7
✅	branch/v8
✅	branch/v9

Questions ?

Please refer to the Backport tool documentation