Closed dmitry-mightydevops closed 9 months ago
Same issue with redis-cli 7.2.1
➜ redis-cli --version
redis-cli 7.2.1 (git:a38b05a8-dirty)
➜ tsh db connect project-prod-backend-redis
MFA is required to access database "project-prod-backend-redis"
Enter an OTP code from a device:
redis-cli: redis-cli.c:568: cliAddCommandDocArg: Assertion `flags->element[j]->type == REDIS_REPLY_STATUS' failed.
ERROR: signal: aborted (core dumped)
@dmitry-mightydevops I cannot repro this in my setup (ElastiCache 7.0.7, redis-cli 7.0.11/7.2.2).
Could you verify the version of the Database Service/agent? What's the output of tctl get db_server/project-prod-backend-redis?
For reference: https://github.com/gravitational/teleport/issues/19240
@dmitry-mightydevops any update? Thanks!
@greedy52
here you go:
tctl get db_server/project-prod-backend-redis
kind: db_server
metadata:
  expires: "2023-11-17T19:47:55Z"
  id: 1699465955700391216
  name: project-prod-backend-redis-elasticache-us-east-1-111111
spec:
  database:
    kind: db
    metadata:
      description: ElastiCache cluster in us-east-1 (primary endpoint)
      labels:
        Name: project-prod-backend-redis
        account-id: "111111"
        component: backend
        created_at: 06/12/2023
        created_by: DmitrySemenov
        endpoint-type: primary
        engine-version: 7.0.7
        environment: prod
        project: project
        region: us-east-1
        teleport.dev/cloud: AWS
        teleport.dev/origin: cloud
        teleport.internal/discovered-name: project-prod-backend-redis
        terraform: "true"
      name: project-prod-backend-redis-elasticache-us-east-1-111111
    spec:
      ad:
        domain: ""
        spn: ""
      aws:
        account_id: "111111"
        elasticache:
          endpoint_type: primary
          replication_group_id: project-prod-backend-redis
          transit_encryption_enabled: true
          user_group_ids:
          - projectuser-group
        iam_policy_status: IAM_POLICY_STATUS_UNSPECIFIED
        memorydb: {}
        opensearch: {}
        rds:
          iam_auth: false
        rdsproxy: {}
        redshift: {}
        redshift_serverless: {}
        region: us-east-1
        secret_store: {}
      azure:
        redis: {}
      gcp: {}
      mongo_atlas: {}
      mysql: {}
      oracle:
        audit_user: ""
      protocol: redis
      tls:
        mode: 0
      uri: master.project-prod-backend-redis.bbh62t.use1.cache.amazonaws.com:6379
    status:
      aws:
        account_id: "111111"
        elasticache:
          endpoint_type: primary
          replication_group_id: project-prod-backend-redis
          transit_encryption_enabled: true
          user_group_ids:
          - projectuser-group
        iam_policy_status: IAM_POLICY_STATUS_FAILED
        memorydb: {}
        opensearch: {}
        rds:
          iam_auth: false
        rdsproxy: {}
        redshift: {}
        redshift_serverless: {}
        region: us-east-1
        secret_store: {}
      azure:
        redis: {}
      ca_cert: |
        -----BEGIN CERTIFICATE-----
        MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
        ....
        -----END CERTIFICATE-----
      mysql: {}
    version: v3
  host_id: f03526de-dc86-49b2-99f3-f1c798261484
  hostname: teleport-0
  rotation:
    current_id: ""
    last_rotated: "0001-01-01T00:00:00Z"
    schedule:
      standby: "0001-01-01T00:00:00Z"
      update_clients: "0001-01-01T00:00:00Z"
      update_servers: "0001-01-01T00:00:00Z"
    started: "0001-01-01T00:00:00Z"
  version: 14.1.0
version: v3
and the error:
➜ tsh db connect project-prod-backend-redis
MFA is required to access database "project-prod-backend-redis-elasticache-us-east-1-111111"
Enter an OTP code from a device:
redis-cli: redis-cli.c:585: cliAddArgument: Assertion `flags->element[j]->type == REDIS_REPLY_STATUS' failed.
ERROR: signal: aborted (core dumped)
This is a regression. The previous fix was reverted during https://github.com/gravitational/teleport/pull/30294.
Will make a new fix next week.
In the meantime, add -command to your access string to avoid sending a response to COMMAND DOCS by redis-cli, e.g.:
on ~* +@all -command
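Added example, not part of the thread or of Teleport's code: a small Python check that tells which ElastiCache access strings would still answer COMMAND DOCS, so the workaround above can be verified across users before the Database Service is upgraded. The rule evaluation is a simplified left-to-right model covering only the rule forms listed in the comments, the category membership of COMMAND is an assumption taken from the Redis command reference, and the user names and access strings are constructed.

```python
# Added example: simplified left-to-right evaluation of a Redis ACL access
# string, limited to the rules that can change access to COMMAND DOCS.
# It is not Redis's ACL engine; unknown rules are ignored.

# Categories assumed to contain COMMAND (per the Redis command reference).
COMMAND_CATEGORIES = {"@all", "@slow", "@connection"}
# Command-level targets that cover COMMAND DOCS.
COMMAND_TARGETS = {"command", "command|docs"}


def allows_command_docs(access_string: str) -> bool:
    """Return True if the access string still permits COMMAND DOCS."""
    allowed = False  # a new ACL user starts with no command permissions
    for rule in access_string.lower().split():
        if rule == "allcommands":
            allowed = True
        elif rule in ("nocommands", "reset"):
            allowed = False
        elif rule[0] in "+-":
            target = rule[1:]
            if target in COMMAND_CATEGORIES or target in COMMAND_TARGETS:
                # Later rules override earlier ones.
                allowed = rule[0] == "+"
        # on/off, key patterns (~), channels (&) and passwords (> #) do not
        # affect command permissions and are skipped.
    return allowed


def users_needing_workaround(users: dict) -> list:
    """Names of users whose access string still lets COMMAND DOCS through."""
    return sorted(n for n, acl in users.items() if allows_command_docs(acl))


# Constructed sample data (hypothetical user names).
SAMPLE_USERS = {
    "app-full": "on ~* +@all",
    "app-patched": "on ~* +@all -command",
    "app-readonly": "on ~cache:* -@all +get +mget",
    "app-reenabled": "on ~* +@all -command +command|docs",
}

if __name__ == "__main__":
    for name in users_needing_workaround(SAMPLE_USERS):
        print(f"{name}: COMMAND DOCS still allowed, add -command")
```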
@greedy52 thank you! Pls let me know when ready and I will test. What was the information in the tctl output that "made it clear" it was an error on the Teleport side?
@greedy52 is the fix released? If so what teleport version?
@dmitry-mightydevops The issue was automatically closed when the fix got merged to master. It's not released yet. The backport to the v14 release is https://github.com/gravitational/teleport/pull/35162. I will update here once it gets released.
Thank you!
The fix is now released at https://github.com/gravitational/teleport/releases/tag/v14.2.1. Note that the Teleport server side (Database Service) has to be updated. Client-side (tsh) update is not required.
Expected behavior:
tsh db connect to work properly with elasticache.
Current behavior:
It fails with:
full set of ops:
Bug details:
IAM user is created via terraform: