
Proxy HA Configuration #1174

Closed
russjones opened this issue Aug 2, 2017 · 2 comments
Labels
feature-request Used for new features in Teleport, improvements to current should be #enhancements

Comments


russjones commented Aug 2, 2017

Problem

Teleport supports running multiple proxies in a highly available configuration (HA). To accomplish this you need to set nodename to be the same for all proxies and when each proxy starts up and generates a host certificate, they will all have the same canonical name listed in the list of principals on the certificate. Once all proxies report the same canonical name, you have two options:

  1. Create an A record for the canonical name that points to a layer 4 load balancer (LB) and put all the proxies behind the LB.
  2. Create multiple A records that point to the different IPs of the proxies.

The only downside is you lose the ability to connect to a single proxy directly, because if you create a DNS record for the specific proxy, the certificate it presents will have a different principal name and connecting to it will fail.

Proposed Solution

SSH host certificates support multiple values in the principals field. Teleport should add a parameter to the proxy_service section called ha_hostname that will be included in the list of principals. This will allow users to connect to an individual proxy directly or to a proxy behind a LB.

For example suppose you had a cluster example.com and you had the following two proxies:

```yaml
teleport:
  nodename: proxy1

proxy_service:
  enabled: yes
  public_addr: proxy
```

```yaml
teleport:
  nodename: proxy2

proxy_service:
  enabled: yes
  public_addr: proxy
```

Then both would have proxy.example.com listed in the principals as well as proxy1.example.com and proxy2.example.com.

When updating this value, Teleport should update the certificates on disk as well, since the list of valid principals has changed. Otherwise users would have to throw away /var/lib/teleport each time they updated ha_hostname. This also has the side benefit of helping during DNS re-factoring.
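To make the principal-matching failure concrete, here is an added example (not code from the issue or from Teleport) that builds an OpenSSH ed25519 host certificate in wire format with a constructed dummy key and empty signature, parses the valid-principals field back out, and checks whether a given connect hostname appears in it. Signature verification is deliberately out of scope; only the principals check is shown.

```python
import base64
import struct

def _pack_str(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _read_str(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4 : pos + 4 + n], pos + 4 + n

def build_ed25519_host_cert(principals, key_id="proxy1") -> str:
    """Constructed ssh-ed25519 host certificate (dummy key, empty signature)
    in the OpenSSH certificate wire format, returned as an authorized-keys line."""
    body = b"".join([
        _pack_str(b"ssh-ed25519-cert-v01@openssh.com"),
        _pack_str(b"\x00" * 32),            # nonce
        _pack_str(b"\x11" * 32),            # ed25519 public key (dummy)
        struct.pack(">Q", 1),               # serial
        struct.pack(">I", 2),               # type: 2 = host certificate
        _pack_str(key_id.encode()),
        _pack_str(b"".join(_pack_str(p.encode()) for p in principals)),
        struct.pack(">Q", 0),               # valid after
        struct.pack(">Q", 2**64 - 1),       # valid before
        _pack_str(b""),                     # critical options
        _pack_str(b""),                     # extensions
        _pack_str(b""),                     # reserved
        _pack_str(b""),                     # signature key (dummy)
        _pack_str(b""),                     # signature (dummy)
    ])
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()

def cert_principals(cert_line: str) -> list:
    """Parse the valid-principals list out of an ssh-ed25519 certificate line."""
    blob = base64.b64decode(cert_line.split()[1])
    key_type, pos = _read_str(blob, 0)
    if key_type != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("only ssh-ed25519 certificates are handled here")
    _nonce, pos = _read_str(blob, pos)
    _pubkey, pos = _read_str(blob, pos)
    pos += 8 + 4                            # skip serial (uint64) and type (uint32)
    _key_id, pos = _read_str(blob, pos)
    raw, pos = _read_str(blob, pos)
    principals, p = [], 0
    while p < len(raw):
        name, p = _read_str(raw, p)
        principals.append(name.decode())
    return principals

def hostname_accepted(cert_line: str, hostname: str) -> bool:
    """True if a client connecting to `hostname` would find it among the principals."""
    return hostname in cert_principals(cert_line)
```

A certificate carrying only the shared name (the situation the issue describes) rejects the per-proxy name; one carrying both the shared and per-proxy names accepts either.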

@russjones russjones added feature-request Used for new features in Teleport, improvements to current should be #enhancements interoperability labels Aug 2, 2017
@klizhentas klizhentas added this to the 2.5.0 milestone Jan 4, 2018

klizhentas commented Jan 4, 2018

Respect public_addr when issuing principals list for proxy.

@kontsevoy

I am not a fan of ha_hostname. How about public_addr? It already exists, and we should use it for CLI output for tctl user add as well (or teleport status), basically any time.

IMPORTANT: docs will need to be updated for it.
