[vnet] feat: support VNet SSH when cluster name does not match proxy public addr#55655
Merged
[vnet] feat: support VNet SSH when cluster name does not match proxy public addr#55655
Conversation
nklaassen
added
backport-required
no-changelog
nklaassen
commented
Jun 12, 2025
| } | ||
| return &api.ListDNSZonesResponse{ | ||
| DnsZones: targetOSConfig.GetDnsZones(), | ||
| DnsZones: unifiedClusterConfig.AppDNSZones(), |
Contributor
Author
There was a problem hiding this comment.
This shows up as "Proxying TCP connections to zone1, zone2" in Connect, I think for now it makes sense to only include the app DNS zones and not the cluster names (if they're different) which will only be valid for SSH connections. I'm going to update that section in Connect in a later PR.
| Ipv4CidrRanges: targetOSConfig.GetIpv4CidrRanges(), | ||
| DnsZones: targetOSConfig.GetDnsZones(), | ||
| Ipv4CidrRanges: unifiedClusterConfig.IPv4CidrRanges, | ||
| DnsZones: unifiedClusterConfig.AllDNSZones(), |
Contributor
Author
There was a problem hiding this comment.
Here in the diagnostic i think it makes sense to show all DNS zones that VNet is handling
juliaogris
approved these changes
Jun 12, 2025
Contributor
There was a problem hiding this comment.
Not quite sure why I was added as reviewer here - I definitely lack context and barely know what VNet is about, but superficially I can't find anything wrong with this PR.
PR description might be missing an of in:
to match the pattern our existing openssh client integration.
nklaassen
force-pushed
the
nklaassen/vnet-ssh-clustername
branch
from
e037c52 to
ac8dae9
Compare
nklaassen
changed the base branch from
master
to
nklaassen/vnet-ssh-leaf-clusters
nklaassen
force-pushed
the
nklaassen/vnet-ssh-clustername
branch
from
ac8dae9 to
9ad9ad1
Compare
nklaassen
force-pushed
the
nklaassen/vnet-ssh-clustername
branch
from
9ad9ad1 to
b1fa221
Compare
Contributor
Author
|
friendly ping @tigrato |
tigrato
reviewed
Jun 17, 2025
| // ClusterNames contains the name of each root or leaf cluster the user is | ||
| // logged in to. SSH hosts are reachable via VNet SSH at subdomains of | ||
| // these cluster names. | ||
| ClusterNames []string |
Contributor
There was a problem hiding this comment.
should clusterNames, ProxyPublicAddrs, CustomDNSZones and IPv4CidrRanges have the same length or all of them can have different lenghts?
Contributor
Author
There was a problem hiding this comment.
ClusterNames and ProxyPublicAddrs will generally be the same length unless there are duplicates that get deduplicated. CustomDNSZones is a configurable list per cluster so I wouldn't expect it to match the length of the others. IPv4CIDRRanges is a value configurable per cluster but I expect there would often be duplicates across clusters (the default range) that get deduplicated
Contributor
There was a problem hiding this comment.
I was wondering if we should make them
[]struct{
clustername string
proxypublicAddr string
...
}{
}
instead of sending different arrays and someone assuming they have the same size - i.e. cluster name and proxy public addrs - and cause a panic
Contributor
Author
There was a problem hiding this comment.
I guess that would be possible but all consumers of this type just want the unified deduplicated view so I'll probably leave it
tigrato
approved these changes
Jun 17, 2025
nklaassen
added a commit
that referenced
this pull request
Jun 18, 2025
…roxy public addr Backport #55655 to branch/v18
nklaassen
added a commit
that referenced
this pull request
Jun 18, 2025
…roxy public addr Backport #55655 to branch/v17
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jul 22, 2025
* [v17][vnet] feat: TCP dial to SSH targets Backport #55087 to branch/v17 * [v17][vnet] feat: accept incoming SSH connections Backport #55155 to branch/v17 * [v17][vnet] feat: forward SSH connections to target Backport #55156 to branch/v17 * [v17][vnet] feat: write VNet SSH keys to TELEPORT_HOME Backport #55228 to branch/v17 * [v17][vnet] feat: write OpenSSH-compatible config file for VNet SSH Backport #55239 to branch/v17 * [v17][vnet] fix: support <hostname>.<leaf-cluster> for VNet SSH Backport #55688 to branch/v17 * fix BlockUntil API for backport * [v17][vnet] feat: add "Connect with VNet" button to SSH servers Backport #55623 to branch/v17 * [v17][vnet] feat: support VNet SSH when cluster name does not match proxy public addr Backport #55655 to branch/v17 * [v17][vnet] feat: add SSH configuration diagnostic Backport #55594 to branch/v17 Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> * [v17][vnet] feat: show SSH status in VNet slider Backport #55755 to branch/v17 Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> * [v17][vnet] feat: support proxy recording mode with VNet SSH Backport #55788 to branch/v17 * [v17][vnet] feat: support diag checks on windows Backport #55856 to branch/v17 * [v17] fix: data race in vnet.TestSSH Backport #55980 to branch/v17 * [v17][vnet] feat: mention SSH on VNet info page Backport #55973 to branch/v17 * [v17][vnet] feat: serve DNS on IPv4 Backport #55539 to branch/v17 * [v17][vnet] fix: close proxied channel only after data and requests are complete Backport #56020 to branch/v17 * [v17][vnet] feat: automatic SSH client configuration Backport #55923 to branch/v17 * VNet docs: Provide clear instructions for getting debug logs (#56068) * VNet diag notification: Do not show button to open report if there's no workspace selected (#56067) * VNet diag report: Don't show button in notification if there's no workspace * Replace deprecated MutableRefObject with RefObject * Make openReport not depend on value of rootClusterUri Otherwise the effect that uses setInterval re-runs whenever the user switches to another workspace. * [v17][vnet] feat: automatic SSH client configuration in Connect Backport #55924 to branch/v17 Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com> * [v17][vnet] fix: avoid empty host matchers in generated SSH config Backport #56103 to branch/v17 * avoid t.Context() pre go1.24 * fix cspell lint * [v17][docs] VNet SSH Backport #56147 to branch/v17 * [v17][vnet] feat: SSH usage reporting Backport #56537 to branch/v17 * [v17][vnet] fix: mask default IP route on windows Backport #56957 to branch/v17 --------- Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Jul 22, 2025
* [v18][vnet] feat: TCP dial to SSH targets Backport #55087 to branch/v18 * [v18][vnet] feat: accept incoming SSH connections Backport #55155 to branch/v18 * [v18][vnet] feat: forward SSH connections to target Backport #55156 to branch/v18 * [v18][vnet] feat: write VNet SSH keys to TELEPORT_HOME Backport #55228 to branch/v18 * [v18][vnet] feat: write OpenSSH-compatible config file for VNet SSH Backport #55239 to branch/v18 * [v18][vnet] fix: support <hostname>.<leaf-cluster> for VNet SSH Backport #55688 to branch/v18 * [v18][vnet] feat: add "Connect with VNet" button to SSH servers Backport #55623 to branch/v18 * fix test in backport * [v18][vnet] feat: support VNet SSH when cluster name does not match proxy public addr Backport #55655 to branch/v18 * [v18][vnet] feat: add SSH configuration diagnostic Backport #55594 to branch/v18 Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> * [v18][vnet] feat: show SSH status in VNet slider Backport #55755 to branch/v18 Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> * [v18][vnet] feat: support proxy recording mode with VNet SSH Backport #55788 to branch/v18 * [v18][vnet] feat: support diag checks on windows Backport #55856 to branch/v18 * [v18] fix: data race in vnet.TestSSH Backport #55980 to branch/v18 * [v18][vnet] feat: mention SSH on VNet info page Backport #55973 to branch/v18 * [v18][vnet] feat: serve DNS on IPv4 Backport #55539 to branch/v18 * [v18][vnet] fix: close proxied channel only after data and requests are complete Backport #56020 to branch/v18 * [v18][vnet] feat: automatic SSH client configuration Backport #55923 to branch/v18 * VNet diag notification: Do not show button to open report if there's no workspace selected (#56067) * VNet diag report: Don't show button in notification if there's no workspace * Replace deprecated MutableRefObject with RefObject * Make openReport not depend on value of rootClusterUri Otherwise the effect that uses setInterval re-runs whenever the user switches to another workspace. * [v18][vnet] feat: automatic SSH client configuration in Connect Backport #55924 to branch/v18 Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com> * [v18][vnet] fix: avoid empty host matchers in generated SSH config Backport #56103 to branch/v18 * [v18][docs] VNet SSH Backport #56147 to branch/v18 * [v18][docs] add VNet warnings Backport #56601 to branch/v18 * [v18][vnet] feat: SSH usage reporting Backport #56537 to branch/v18 * [v18][vnet] fix: mask default IP route on windows Backport #56957 to branch/v18 --------- Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
For VNet SSH we're making SSH hosts available at
<hostname>.<clustername>to match the pattern of our existing openssh client integration. The issue is that VNet currently sets itself up as the DNS resolver for*.<proxy-public-addr>and*.<custom-dns-zone>. This means that if the cluster name does not exactly match the proxy public address (a valid but less common configuration), VNet will never see the DNS query. This PR sets up VNet to handle DNS queries for*.<clustername>as well.LocalOSConfigProviderhad a name that didn't really make sense anymore, it basically got replaced byUnifiedClusterConfigProviderbut the diff was too big for git to recognize it as a rename.remoteOSConfigProvidergot renamed to justosConfigProvidernow that the local variant is gone. They did similar but different things, the old local/remote naming was bad.