> order to enable secure access to your Teleport cluster's infrastructure.
> We recommend configuring your load balancer to route traffic across multiple
> Neither load balancer must terminate TLS. Both load balancers must transparently
"Neither load balancer must" makes it sound like terminating TLS is optional and the LB doesn't have to, but can, terminate TLS.
Should we be stricter here and say "You must not terminate TLS on either of these load balancers"?
(That said, we technically do support ALBs for most protocols now..)
If the architectural changes you would need to support ALBs aren't too different from the setup we recommend in this guide, I think it would make sense to list the protocols that support ALBs now.
How would TLS termination work with ALBs, given that if they don't terminate TLS they wouldn't know whether they're receiving HTTP messages?
Paging @greedy52 who can answer this better than I can
Afaik:
- Proxy -> Auth LB must not terminate TLS
- Client -> Proxy LB can terminate TLS since 13.0 if the LB supports ALPN (but this might come with additional restrictions for kube access)
Thanks! What additional restrictions are these? Is there anything else I should know, @greedy52?
As mentioned, it doesn't support all protocols yet, and it also has some performance penalties, for which we may do some performance improvements in v14. So I think layer 4 LBs should still be the recommended way to set up HA.
I was planning to write up a separate page for TLS Routing behind layer 7 LB preview. Maybe I can add a note here to link to that page when it's available?
Sounds good! I'll keep the recommendation the way it is for now and we can add the note when the L7 guide is ready.
Suggest "Both load balancers must not" as a clearer phrasing.
I think "Both..must not" is ambiguous, since it can also mean "one can". I've suggested:
Both load balancers must transparently forward the TCP traffic they receive,
without terminating TLS. In other words, these must be Layer 4 load balancers,
not Layer 7 (e.g., HTTP) load balancers.
> `3023` | SSH port for clients connect to.
> <nobr>`3023`</nobr> | SSH port for clients connect to.
> `3024` | SSH port used to create reverse SSH tunnels from behind-firewall environments.
> `443` | HTTPS connections to authenticate `tsh` users into the cluster. The same connection is used to serve a Web UI.
Do we specifically tell the user to configure the Teleport proxy to listen on port 443 in this guide?
Would it make more sense to list both the frontend and backend ports here, and have the LB direct incoming traffic on port 443 to port 3080 on the proxy? (Teleport would require additional privileges to bind to 443 as opposed to 3080)
Looks like there's no web_listen_addr example here. I'll change the LB instructions!
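An added example that is not part of this PR or of the Teleport documentation, covering both threads above (no TLS termination on either load balancer, and mapping public port 443 to the Proxy's `web_listen_addr` on 3080): an HAProxy configuration for the two Layer 4 load balancers the guide describes. The backend host addresses and the certificate path are made-up placeholders.

```haproxy
# Added example (not from the Teleport docs or this PR): HAProxy acting as the
# two Layer 4 load balancers. All host addresses below are hypothetical.
defaults
    mode    tcp            # Layer 4: relay TCP bytes, never parse or terminate TLS
    timeout connect 5s
    timeout client  1h     # SSH sessions and reverse tunnels are long-lived
    timeout server  1h

# --- Client -> Proxy load balancer ---------------------------------------
# Public port 443 is mapped to the Proxy's web_listen_addr (default port 3080),
# so the Teleport process never needs the privilege to bind port 443 itself.
frontend proxy_web
    bind *:443
    default_backend proxy_web

backend proxy_web
    balance roundrobin
    server proxy1 10.0.1.10:3080 check   # hypothetical Proxy Service hosts
    server proxy2 10.0.1.11:3080 check

# SSH for clients (port 3023) and reverse tunnels from agents (port 3024),
# each forwarded to the same port on the Proxy hosts.
frontend proxy_ssh
    bind *:3023
    default_backend proxy_ssh

backend proxy_ssh
    balance roundrobin
    server proxy1 10.0.1.10:3023 check
    server proxy2 10.0.1.11:3023 check

frontend proxy_tunnel
    bind *:3024
    default_backend proxy_tunnel

backend proxy_tunnel
    balance roundrobin
    server proxy1 10.0.1.10:3024 check
    server proxy2 10.0.1.11:3024 check

# --- Proxy -> Auth load balancer -----------------------------------------
# Port 3025 to port 3025. The Proxy presents a client certificate to the Auth
# Service; a TLS-terminating LB would strip it, so this MUST stay Layer 4.
frontend auth
    bind *:3025
    default_backend auth

backend auth
    balance roundrobin
    server auth1 10.0.2.10:3025 check    # hypothetical Auth Service hosts
    server auth2 10.0.2.11:3025 check

# --- What NOT to do: a Layer 7 listener that terminates TLS --------------
# Left commented out on purpose. With `mode http` and `ssl crt`, HAProxy
# presents its own certificate and decrypts the session, so the Proxy sees the
# LB's identity instead of the client's and the non-HTTP protocols Teleport
# multiplexes over 443 no longer reach it as the client sent them.
#
# frontend proxy_web_wrong
#     mode http
#     bind *:443 ssl crt /etc/haproxy/teleport.pem
#     default_backend proxy_web_wrong
#
# backend proxy_web_wrong
#     mode http
#     server proxy1 10.0.1.10:3080
```

To confirm the client-facing LB is really passing TLS through, run `openssl s_client -connect <lb-address>:443 -servername <proxy-public-addr>` and compare the leaf certificate it prints with the one you get from `openssl s_client -connect 10.0.1.10:3080` directly; through a Layer 4 LB they are the same certificate, through a terminating LB they differ. Adding `-alpn <protocol>` to the same command shows whether the protocol the client asked for is the one negotiated, which is what a TLS-routing client depends on. One consequence of Layer 4 forwarding is that the Proxy sees the LB's source address rather than the client's; HAProxy can prepend a PROXY protocol header with `send-proxy` on the `server` lines, but enable the matching `proxy_protocol` setting in `proxy_service` on the Teleport side first, or the Proxy will reject the unexpected header.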
> load balancer to forward traffic from port `3025` to port `3025` on an available
> Auth Service instance.
> If you are running your Teleport cluster on Kubernetes, you can configure your
Hmm, this confuses me a bit. Auth never listens on port 3026.
I'm basing this on the teleport-cluster chart, which enables the Kubernetes Service on Auth Service pods:
Closes #22742

Update the HA guide to reflect v12 changes in the `teleport-cluster` Helm chart, e.g., running the Auth Service and Proxy Service in separate compute pools.
Remove mentions of running the Kubernetes Service on the Auth Service hosts
1babb3a to 0a42eec
@zmb3 Checking to see if there is more work I should be doing on this. It looks like @greedy52 will be adding separate docs for L7 LBs, and I've removed the Kubernetes-specific language. Also paging @alexfornuto for a copy review. Thanks!
I suggest increasing the size of the "Developers" icon and text, I'm unable to read it when scaled into the page at my standard viewing (half a 1440 screen).
Since we still have some time in the quarter, I think it would make sense to replace this with a Mermaid diagram. We would need to get this PR approved, though: #25173
Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>