Edit the versions section in the config reference #23800
Frame this as advice to users about specific features that require changing the configuration file version to opt into. This way, we can encourage users to use the latest config file version unless they specifically don't want to use one of the features we list.
Here are the features that require users to opt in by explicitly upgrading their
configuration to a newer version.

### TLS Routing
I'm not sure this is better, TBH. My goal was to help with questions like "what's the difference between config v2 and config v3" - that information seems harder to find now that it's hidden behind a section called "TLS Routing."
Additionally, I believe TLS routing works fine with config v1; config v2 is used to opt out of running the legacy listeners.
traffic to the correct listener rather than listening on multiple
protocol-specific ports.

For backwards compatibility, configuration version `v1` always disables TLS
No, that seems to be not right.
The TLS Routing feature on the Teleport proxy side is always enabled - no matter if the v1 or v2 configuration version was selected.
So even in the v1 config version, `proxy_listener_mode: multiplex` can be set to tell Teleport proxy clients to use TLS Routing to connect to the Teleport proxy.
The difference between v1 and v2 is the behavior when the additional listener addresses were not explicitly specified. https://github.com/gravitational/teleport/blob/master/rfd/0039-sni-alpn-teleport-proxy-routing.md#proxy-configuration
A v1 config will start the legacy listener by default even if an address like `tunnel_listen_addr` was not provided or was empty (the logic falls back to the default tunnel address).
In v2 the behavior for empty proxy listener settings is different. For instance, if the `tunnel_listen_addr` proxy setting was not provided, a v2 config won't start the tunnel proxy on the default address.
This v1 - v2 behavior applies to all the proxy listeners except the web port, where the TLS Routing logic is implemented.
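To make the listener difference described in the comment above concrete, here is an added example that is not part of this PR or of the Teleport docs: the same `proxy_service` block under `version: v1` and `version: v2`, differing only in the schema version. The hostnames and ports are constructed placeholders, and the `tunnel_listen_addr` value shown in the v2 comment is an assumed, explicitly chosen address rather than a documented default.

```yaml
# Added example, not from the PR or the Teleport docs.
# Both documents below set proxy_listener_mode: multiplex, so clients are told
# to use TLS Routing in either case; only the handling of the omitted
# tunnel_listen_addr differs between the two schema versions.
# Hostnames and ports are constructed placeholders.

# --- first document: schema v1 ---
version: v1
proxy_service:
  enabled: yes
  web_listen_addr: 0.0.0.0:443
  public_addr: proxy.example.com:443
  proxy_listener_mode: multiplex
  # tunnel_listen_addr is omitted: under v1 the proxy still starts the legacy
  # reverse-tunnel listener, falling back to its default tunnel address.
---
# --- second document: schema v2 ---
version: v2
proxy_service:
  enabled: yes
  web_listen_addr: 0.0.0.0:443
  public_addr: proxy.example.com:443
  proxy_listener_mode: multiplex
  # tunnel_listen_addr is omitted: under v2 no separate tunnel listener is
  # started, so reverse-tunnel connections arrive on the web port via TLS
  # Routing. To keep a dedicated tunnel listener under v2, set it explicitly,
  # e.g. (assumed address, not a default):
  # tunnel_listen_addr: 0.0.0.0:3024
```

The practical check when moving a cluster from `v1` to `v2` is to list which listener addresses were never set explicitly in the old file: each one that was relying on the v1 fallback will stop being opened under v2, so any node or client still dialing that legacy port needs either an explicit address or a switch to TLS Routing on the web port.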