Fix proxy protocol support for Kube access flow (#29268)

This PR allows enabling/disabling the support for proxy protocol in Kubernetes access flow.
gravitational · Jul 18, 2023 · 6189c6a · 6189c6a
1 parent 2aabdbc
commit 6189c6a
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 8 deletions.
diff --git a/lib/kube/proxy/server.go b/lib/kube/proxy/server.go
@@ -89,6 +89,8 @@ type TLSServerConfig struct {
 	CloudLabels labels.Importer
 	// IngressReporter reports new and active connections.
 	IngressReporter *ingress.Reporter
+	// EnableProxyProtocol enables proxy protocol support
+	EnableProxyProtocol bool
 }
 
 // CheckAndSetDefaults checks and sets default values
@@ -243,7 +245,7 @@ func (t *TLSServer) Serve(listener net.Listener) error {
 		Context:                     t.Context,
 		Listener:                    listener,
 		Clock:                       t.Clock,
-		EnableExternalProxyProtocol: true,
+		EnableExternalProxyProtocol: t.EnableProxyProtocol,
 		ID:                          t.Component,
 		CertAuthorityGetter:         caGetter,
 		LocalClusterName:            t.ClusterName,

diff --git a/lib/service/service.go b/lib/service/service.go
@@ -3958,13 +3958,14 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 				CheckImpersonationPermissions: cfg.Kube.CheckImpersonationPermissions,
 				PROXYSigner:                   proxySigner,
 			},
-			TLS:             tlsConfig,
-			LimiterConfig:   cfg.Proxy.Limiter,
-			AccessPoint:     accessPoint,
-			GetRotation:     process.GetRotation,
-			OnHeartbeat:     process.OnHeartbeat(component),
-			Log:             log,
-			IngressReporter: ingressReporter,
+			TLS:                 tlsConfig,
+			LimiterConfig:       cfg.Proxy.Limiter,
+			AccessPoint:         accessPoint,
+			GetRotation:         process.GetRotation,
+			OnHeartbeat:         process.OnHeartbeat(component),
+			Log:                 log,
+			IngressReporter:     ingressReporter,
+			EnableProxyProtocol: cfg.Proxy.EnableProxyProtocol,
 		})
 		if err != nil {
 			return trace.Wrap(err)