-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add custom DNS zone docs for VNet #42846
Conversation
addresses](connecting-apps.mdx/#customize-public-address). We are going to take an app available at | ||
`tcp-app.teleport.example.com` and make it available through VNet at <Var name="public_addr" initial="tcp-app.company.test"/> | ||
with <Var name="suffix" initial="company.test" /> as the custom DNS zone. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure if it's fine to use <Var />
within the introductory paragraph like this. I haven't really seen that anywhere else, maybe other than in Helm AWS docs. But even there it's not at the very top and has its own admonition box.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would make this more general in the intro paragraph. I think it would make sense to remove the text beginning "We are going to..." in this paragraph and move it further in the guide, closer to where we tell the user how to run the demo.
This comment was marked as outdated.
This comment was marked as outdated.
addresses](connecting-apps.mdx/#customize-public-address). We are going to take an app available at | ||
`tcp-app.teleport.example.com` and make it available through VNet at <Var name="public_addr" initial="tcp-app.company.test"/> | ||
with <Var name="suffix" initial="company.test" /> as the custom DNS zone. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would make this more general in the intro paragraph. I think it would make sense to remove the text beginning "We are going to..." in this paragraph and move it further in the guide, closer to where we tell the user how to run the demo.
|
||
## How it works | ||
|
||
VNet captures DNS queries for domains of Proxy Services of the cluster and its leaf clusters. Type A |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would rephrase this—if there are multiple Proxy Service instances, would this capture queries to the Web UI URL for the cluster, or would there ever be multiple Proxy Service domains?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I rephrased it and used a concrete example to make it easier to understand.
When starting, VNet fetches configs from all available clusters and arbitrarily picks a range | ||
provided by one of the clusters. This means that if you have a root cluster with multiple leaf | ||
clusters, you should update the range on each cluster. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nklaassen I feel like this is kinda subpar in terms of "AX" (admin experience). What if VNet picked an arbitrary non-default range if present? Then instead of setting the range on each leaf cluster, an admin could set it only on the root cluster.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe this paragraph is entirely accurate. Each app should be assigned an address from the ipv4_cidr_range
of the cluster it's actually in
You might be referring to some code where we assign an IPv4 address to the TUN device from one range arbitrarily. That's true and maybe it's subpar, but it doesn't affect the IPs actually assigned to apps, that's just the address assigned to the interface that will be the source address
So e.g. if you have
root.example.com
with a custom range192.168.128.0/17
leaf.example.com
with the default range100.64.0.0/10
you might get
- TUN interface gets assigned
100.64.0.1
app.root.example.com
will get192.168.128.5
app.leaf.example.com
will get100.64.0.5
If you dial app.root.example.com
the source_addr will be 100.64.0.1
and the dest_addr will be 192.168.128.5
.
You're right that's probably subpar if you set the custom range on the root cluster to avoid conflicts, and then the leaf cluster, where maybe you're not even using vnet, overrides the range used to pick an IP for the TUN and stuff breaks. I'd be onboard if you want to update it to try to prefer the root cluster or any non-default range
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added an issue for changing the logic of how the address of the TUN device is picked. Based on what you said and how the code works at the moment, it shouldn't be a big issue, but I wanted it documented somewhere. #43343
The way the code is written at the moment means that VNet will always pick the range used by the first root cluster returned from api/profile.ListProfileNames
. As the majority of users are logged in only to a single root cluster, this shouldn't be an issue most of the time.
And thanks for correcting me on that. Since in every other case the IPv4 range is taken from a config of a particular cluster, it should simplify the docs as well.
This comment was marked as outdated.
This comment was marked as outdated.
0edac6d
to
5738d60
Compare
This comment was marked as outdated.
This comment was marked as outdated.
When starting, VNet fetches configs from all available clusters and arbitrarily picks a range | ||
provided by one of the clusters. This means that if you have a root cluster with multiple leaf | ||
clusters, you should update the range on each cluster. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe this paragraph is entirely accurate. Each app should be assigned an address from the ipv4_cidr_range
of the cluster it's actually in
You might be referring to some code where we assign an IPv4 address to the TUN device from one range arbitrarily. That's true and maybe it's subpar, but it doesn't affect the IPs actually assigned to apps, that's just the address assigned to the interface that will be the source address
So e.g. if you have
root.example.com
with a custom range192.168.128.0/17
leaf.example.com
with the default range100.64.0.0/10
you might get
- TUN interface gets assigned
100.64.0.1
app.root.example.com
will get192.168.128.5
app.leaf.example.com
will get100.64.0.5
If you dial app.root.example.com
the source_addr will be 100.64.0.1
and the dest_addr will be 192.168.128.5
.
You're right that's probably subpar if you set the custom range on the root cluster to avoid conflicts, and then the leaf cluster, where maybe you're not even using vnet, overrides the range used to pick an IP for the TUN and stuff breaks. I'd be onboard if you want to update it to try to prefer the root cluster or any non-default range
`public_addr` needs to be set in the Application Service configuration file belonging to the leaf | ||
cluster and the DNS TXT record needs to contain the name of the leaf cluster. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The app public_addr might not be in the application service config file, it could be a dynamic app
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll just remove the mention of it. I think it's clear that it needs to be set on a leaf cluster app and I couldn't find a succinct way to say that it needs to be set on an Application Service configuration or a dynamic resource.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
🤖 Vercel preview here: https://docs-iry2eq5g8-goteleport.vercel.app/docs/ver/preview |
🤖 Vercel preview here: https://docs-jh58pzq77-goteleport.vercel.app/docs/ver/preview |
@ravicious See the table below for backport results.
|
#42550 adds docs for end users, this PR adds docs for admins.
This is mostly the "Custom DNS zones" section of the RFD made into a guide.