Re-init the cache on error: "{{ external.email }}" is not a valid matcher expression

[benarent]

Description

What happened:

User has built with master and received

WARN [NODE:1:CA] Re-init the cache on error: "{{ external.email }}" is not a valid matcher expression - no variables and transformations are allowed. cache/cache.go:333

kind: role
metadata:
  name: security-user
spec:
  allow:
    logins:
    - '{{email.local(external.email)}}'

What you expected to happen:

Need to check if {{email.local(external.email)}} is working on 4.4-rc1

[benarent]

I tested this with Okta

INFO [AUDIT]     user.login attributes:map[email:[[email protected]] groups:[Everyone okta-admin]] code:T1001I ei:0 event:user.login method:saml success:true time:2020-10-08T21:05:45.568Z uid:b0b93dd0-1046-4e06-a9d3-f1c7cc66d754 user:[email protected] events/emitter.go:202

and I was able to get the added local principle.

Going to loopback with the customer.

[awly]

User reports that this is no longer reproducible.

But if you put any {{external.X}}-style replacements in node_labels, teleport fails to start. This is a new validation added in 4.4.
We should instead log the error about invalid syntax, but interpret it as a literal string, just like older teleport versions did

[webvictim]

Did {{external.X}} in node_labels work in 4.3.7? I got the impression that was a supported use-case.

[awly]

Ugh, you are right @webvictim.
Variable interpolation happens separately from label matching, which is why I missed it.

Given that it's a bad regression and we're about to release 4.4, I'll partially revert my changes and implement it the right way in a patch release.

[awly]

This should be fixed.
#3454 track re-enabling the feature after we fix the regression.