[v12] Backport IP pinning for Kube and DB access #23418

Merged

@AntonAM AntonAM commented Mar 22, 2023

This PR backports enabling of IP pinning for Kube and DB access; specifically, it backports #21080, #22572, #22310, #22716 and #23386.

Part of #22061

@AntonAM AntonAM added the kubernetes-access, database-access and backport labels Mar 22, 2023
@AntonAM AntonAM force-pushed the anton/backport-21080-22572-22310-22716-23386-branch/v12 branch 2 times, most recently from 0a80140 to ea5660d Compare March 29, 2023 00:37
@AntonAM AntonAM marked this pull request as ready for review March 29, 2023 15:55
@public-teleport-github-review-bot

@AntonAM - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.

@AntonAM AntonAM requested a review from r0mant March 30, 2023 13:47
@r0mant r0mant left a comment


@AntonAM Approved but added do-not-merge label for now, until we publish 12.1.3.

@espadolini

@r0mant do-not-merge-in-patch? 🤔

@AntonAM AntonAM force-pushed the anton/backport-21080-22572-22310-22716-23386-branch/v12 branch from ea5660d to 4c5131c Compare March 31, 2023 04:50
… listener

With addition of signed PROXY headers, node was listening on multiplexer, but because of that it couldn't process incoming connections from older proxies when ProxyHelloSignature was used, because both ends were waiting for the other side to send data first. Here we integrate ability to handle PROXY headers into connection itself, so we can start ssh server without waiting for multiplexer to detect connection.

Because it was checking version, which was empty, signed headers were not sent when we contacted leaf cluster's kube service.
@AntonAM AntonAM force-pushed the anton/backport-21080-22572-22310-22716-23386-branch/v12 branch from 4c5131c to e29dd8b Compare April 3, 2023 14:05
@AntonAM AntonAM added this pull request to the merge queue Apr 3, 2023
Merged via the queue into branch/v12 with commit 6519aab Apr 3, 2023
16 checks passed
@AntonAM AntonAM deleted the anton/backport-21080-22572-22310-22716-23386-branch/v12 branch April 3, 2023 15:26
6 participants