Add custom DNS zone docs for VNet #42846
Conversation
ravicious
added
no-changelog
| addresses](connecting-apps.mdx/#customize-public-address). We are going to take an app available at | ||
| `tcp-app.teleport.example.com` and make it available through VNet at <Var name="public_addr" initial="tcp-app.company.test"/> | ||
| with <Var name="suffix" initial="company.test" /> as the custom DNS zone. |
There was a problem hiding this comment.
I'm not sure if it's fine to use <Var /> within the introductory paragraph like this. I haven't really seen that anywhere else, maybe other than in Helm AWS docs. But even there it's not at the very top and has its own admonition box.
There was a problem hiding this comment.
I would make this more general in the intro paragraph. I think it would make sense to remove the text beginning "We are going to..." in this paragraph and move it further in the guide, closer to where we tell the user how to run the demo.
github-actions
bot
requested review from
kimlisa,
mmcallister,
ptgott,
r0mant,
xinding33 and
zmb3
ravicious
requested review from
nklaassen
and removed request for
r0mant and
kimlisa
This comment was marked as outdated.
This comment was marked as outdated.
| addresses](connecting-apps.mdx/#customize-public-address). We are going to take an app available at | ||
| `tcp-app.teleport.example.com` and make it available through VNet at <Var name="public_addr" initial="tcp-app.company.test"/> | ||
| with <Var name="suffix" initial="company.test" /> as the custom DNS zone. |
There was a problem hiding this comment.
I would make this more general in the intro paragraph. I think it would make sense to remove the text beginning "We are going to..." in this paragraph and move it further in the guide, closer to where we tell the user how to run the demo.
|
|
||
| ## How it works | ||
|
|
||
| VNet captures DNS queries for domains of Proxy Services of the cluster and its leaf clusters. Type A |
There was a problem hiding this comment.
I would rephrase this—if there are multiple Proxy Service instances, would this capture queries to the Web UI URL for the cluster, or would there ever be multiple Proxy Service domains?
There was a problem hiding this comment.
I rephrased it and used a concrete example to make it easier to understand.
| When starting, VNet fetches configs from all available clusters and arbitrarily picks a range | ||
| provided by one of the clusters. This means that if you have a root cluster with multiple leaf | ||
| clusters, you should update the range on each cluster. |
There was a problem hiding this comment.
@nklaassen I feel like this is kinda subpar in terms of "AX" (admin experience). What if VNet picked an arbitrary non-default range if present? Then instead of setting the range on each leaf cluster, an admin could set it only on the root cluster.
There was a problem hiding this comment.
I don't believe this paragraph is entirely accurate. Each app should be assigned an address from the ipv4_cidr_range of the cluster it's actually in
You might be referring to some code where we assign an IPv4 address to the TUN device from one range arbitrarily. That's true and maybe it's subpar, but it doesn't affect the IPs actually assigned to apps, that's just the address assigned to the interface that will be the source address
So e.g. if you have
root.example.comwith a custom range192.168.128.0/17leaf.example.comwith the default range100.64.0.0/10
you might get
- TUN interface gets assigned
100.64.0.1 app.root.example.comwill get192.168.128.5app.leaf.example.comwill get100.64.0.5
If you dial app.root.example.com the source_addr will be 100.64.0.1 and the dest_addr will be 192.168.128.5.
You're right that's probably subpar if you set the custom range on the root cluster to avoid conflicts, and then the leaf cluster, where maybe you're not even using vnet, overrides the range used to pick an IP for the TUN and stuff breaks. I'd be onboard if you want to update it to try to prefer the root cluster or any non-default range
There was a problem hiding this comment.
I added an issue for changing the logic of how the address of the TUN device is picked. Based on what you said and how the code works at the moment, it shouldn't be a big issue, but I wanted it documented somewhere. #43343
The way the code is written at the moment means that VNet will always pick the range used by the first root cluster returned from api/profile.ListProfileNames. As the majority of users are logged in only to a single root cluster, this shouldn't be an issue most of the time.
And thanks for correcting me on that. Since in every other case the IPv4 range is taken from a config of a particular cluster, it should simplify the docs as well.
This comment was marked as outdated.
This comment was marked as outdated.
ravicious
force-pushed
the
r7s/vnet-admin-docs
branch
from
0edac6d
to
5738d60
Compare
This comment was marked as outdated.
This comment was marked as outdated.
| When starting, VNet fetches configs from all available clusters and arbitrarily picks a range | ||
| provided by one of the clusters. This means that if you have a root cluster with multiple leaf | ||
| clusters, you should update the range on each cluster. |
There was a problem hiding this comment.
I don't believe this paragraph is entirely accurate. Each app should be assigned an address from the ipv4_cidr_range of the cluster it's actually in
You might be referring to some code where we assign an IPv4 address to the TUN device from one range arbitrarily. That's true and maybe it's subpar, but it doesn't affect the IPs actually assigned to apps, that's just the address assigned to the interface that will be the source address
So e.g. if you have
root.example.comwith a custom range192.168.128.0/17leaf.example.comwith the default range100.64.0.0/10
you might get
- TUN interface gets assigned
100.64.0.1 app.root.example.comwill get192.168.128.5app.leaf.example.comwill get100.64.0.5
If you dial app.root.example.com the source_addr will be 100.64.0.1 and the dest_addr will be 192.168.128.5.
You're right that's probably subpar if you set the custom range on the root cluster to avoid conflicts, and then the leaf cluster, where maybe you're not even using vnet, overrides the range used to pick an IP for the TUN and stuff breaks. I'd be onboard if you want to update it to try to prefer the root cluster or any non-default range
| `public_addr` needs to be set in the Application Service configuration file belonging to the leaf | ||
| cluster and the DNS TXT record needs to contain the name of the leaf cluster. |
There was a problem hiding this comment.
The app public_addr might not be in the application service config file, it could be a dynamic app
There was a problem hiding this comment.
I'll just remove the mention of it. I think it's clear that it needs to be set on a leaf cluster app and I couldn't find a succinct way to say that it needs to be set on an Application Service configuration or a dynamic resource.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
|
🤖 Vercel preview here: https://docs-iry2eq5g8-goteleport.vercel.app/docs/ver/preview |
public-teleport-github-review-bot
bot
removed request for
mmcallister,
xinding33 and
zmb3
|
🤖 Vercel preview here: https://docs-jh58pzq77-goteleport.vercel.app/docs/ver/preview |
|
@ravicious See the table below for backport results.
|
#42550 adds docs for end users, this PR adds docs for admins.
This is mostly the "Custom DNS zones" section of the RFD made into a guide.