Fix Azure join method throttling #50251
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
bernardjkim
force-pushed
the
bernard/fix-azure-join-throttling
branch
from
5ee9911 to
32df16f
Compare
rosstimothy
reviewed
Dec 14, 2024
bernardjkim
force-pushed
the
bernard/fix-azure-join-throttling
branch
from
1ba9824 to
d5c1064
Compare
rosstimothy
approved these changes
Jan 9, 2025
hugoShaka
reviewed
Jan 9, 2025
hugoShaka
approved these changes
Jan 9, 2025
public-teleport-github-review-bot
bot
removed request for
creack,
zmb3 and
atburke
|
Is the TODO from the PR description still valid?
|
atburke
approved these changes
Jan 9, 2025
This todo is out of scope for this PR. But it is something we should consider implementing in the case that verification via claims is unavailable in some Azure environments. |
|
@bernardjkim See the table below for backport results.
|
bernardjkim
added a commit
that referenced
this pull request
Jan 9, 2025
bernardjkim
added a commit
that referenced
this pull request
Jan 9, 2025
* Validate Azure join using JWT claims * Add note about User-Agent
bernardjkim
added a commit
that referenced
this pull request
Jan 9, 2025
This was referenced Jan 9, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Supports https://github.com/gravitational/teleport.e/issues/2164
The current implementation of the Azure join method requires Teleport to list all VMs in an Azure subscription in order to verify the joining VM. This is problematic when there are a large number of VMs in an Azure subscription, and in some cases causes throttling due to Azure API rate limits.
This PR modifies the validation step of the Azure join method. Validation no longer requests the VM instance from the Azure API. Instead, Teleport validates the joining VM using the optional claims provided in the JWT. This removes the need to query the Azure VM API and the risk of throttling. If the validation with claims method fails, Teleport will fallback to previous validation method using the VM.
Todo: Attempt VM validation using Resource Graph API before attempting VM validation with ListAllVMs API.Changelog: Fixes an issue causing Azure join method to fail due to throttling.