Kubernetes SNI proxy improvements, implements #2614 #2619
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@r0mant @russjones this is a non-trivial forward port of the same K8s SNI feature |
r0mant
approved these changes
Mar 21, 2019
| additionalPrincipals = utils.ReplaceInSlice( | ||
| additionalPrincipals, | ||
| defaults.AnyAddress, | ||
| defaults.Localhost, | ||
| ) | ||
|
|
||
| principalsChanged := len(additionalPrincipals) != 0 && !conn.ServerIdentity.HasPrincipals(additionalPrincipals) | ||
| principalsOrDNSNamesChanged := (len(additionalPrincipals) != 0 && !conn.ServerIdentity.HasPrincipals(additionalPrincipals)) || |
There was a problem hiding this comment.
Btw, I noticed some time ago that if you remove some additional principals (i.e. remove a public addr from config), the change won't be detected and reload will not trigger b/c this checks only for addition. Not sure if that's on purpose or a bug.
This commit hex encodes trusted cluster names in target addresses for kubernetes SNI proxy. For example, assuming public address of Teleport Kubernetes proxy is main.example.com, and trusted cluster is remote.example.com, resulting target address added to kubeconfig will look like k72656d6f74652e6578616d706c652e636f6d0a.main.example.com And Teleport Proxy's DNS Name will include wildcard: '*.main.example.com' in addition to 'main.example.com' Note that no dots are in the SNI address thanks to hex encoding. This will allow administrators to avoid manually updating list of public_addr sections every time the trusted cluster and use the wildcard DNS name. The following addr: remote.example.com.main.example.com would not have matched *.main.example.com per DNS wildcard spec.
klizhentas
force-pushed
the
sasha/ksni-forward
branch
from
21309c9 to
e0b47aa
Compare
russjones
approved these changes
Mar 21, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit hex encodes trusted cluster names
in target addresses for kubernetes SNI proxy.
For example, assuming public address of Teleport
Kubernetes proxy is main.example.com, and trusted
cluster is remote.example.com, resulting target
address added to kubeconfig will look like
k72656d6f74652e6578616d706c652e636f6d0a.main.example.com
And Teleport Proxy's DNS Name will include wildcard:
'*.main.example.com' in addition to 'main.example.com'
Note that no dots are in the SNI address thanks to hex encoding.
This will allow administrators to avoid manually updating
list of public_addr sections every time the trusted cluster and use
the wildcard DNS name.
The following addr:
remote.example.com.main.example.com would not have matched
*.main.example.com per DNS wildcard spec.