Open gawertm opened 7 months ago
Discusssion topics:
Prometheus UI access via Teleport:
Access flow (without nginx ingress/dex in the mix):]
User -> Teleport Cluster (login)
-> Teleport App Agent (running on golem)
-> Prometheus internal svc endpoint
Route53 entry (manual for now, until we have wildcard entry *.teleport.giantswarm.io):
prometheus-golem.teleport.giantswarm.io -- points --> Teleport Cluster Proxy ALB
Here's the teleport app config:
> cat prometheus-golem-app.yaml
kind: app
version: v3
metadata:
name: prometheus-golem
description: "Prometheus - golem"
labels:
env: test
spec:
uri: http://prometheus-operated.golem-prometheus.svc.cluster.local:9090
Document explaining Prometheus access setup:
Plan B worked - grafana-golem.teleport.giantswarm.io
Plan A didn’t work, and is not backward compatible with customer, as there are breaking changes when setting up dex behind Teleport.
GF_AUTH_GENERIC_OAUTH_AUTH_URL=http://dex-golem.teleport.giantswarm.io/
for Grafana, otherwise, it will keep redirecting us to VPN accessible endpoint dex.golem.gaws.gigantic.ioLogin failed: Missing saved oauth state
.And to fix that, we need to update Grafana GF_SERVER_ROOT_URL
env to https://grafana-golem.teleport.giantswarm.io/
But, after changing GF_SERVER_ROOT_URL
we hit this issue:
To fix that, we need to update dex-operator secret to add https://grafana-golem.teleport.giantswarm.io/
to list of redirectURIs:
redirectURIs:
- https://grafana.golem.gaws.gigantic.io/login/generic_oauth
- https://grafana-golem.teleport.giantswarm.io/login/generic_oauth
name: grafana
Then, we get Grafana with Dex login behind Teleport. But, with all those changes, dex login for customer breaks.
With B, no changes needed on dex side, and normal customer dex login flow works the same. The only change happens at Grafana side by adding this to configmap:
[auth.jwt]
enabled = true
auto_sign_up = true
header_name = Teleport-Jwt-Assertion
username_claim = sub
jwk_set_url = https://teleport.giantswarm.io/.well-known/jwks.json
All request from Teleport, includes JWT token pass-through and sent directly to Grafana pod.
Grafana access via existing ingress grafana.golem.gaws.gigantic.io works the same.
Since customers dex access can not be affected by either scenario, we are unable to change settings like the OIDC issuer flags on the kubernetes API server or the oauth provider flags for grafana. (both allow only one issuer) This is not an issue in scenario B since we can use the jwt token directly and bypass dex completely. However, it is an issue in scenario A for the reasons described in Purus comment. The limitation on issuers is the reason we were using dex in the first place. We may have a bit more freedom with 1.29 structured auth config options but we have not tested this yet. As of right now, running dex inside teleport to make it available to us does not seem possible if we don't also want to make dex unavailable to customers. We already have a limitation on reproducing dex issues due to identity provider configuration on the customers side. Bypassing dex and removing the VPN will grow this limitation since dex will become unavailable to us. However, since we already need to debug in tandem with customers it may not be a huge change.
Feedback #1
- How does local setup works with Teleport?
Feedback #2
- Is there a way to get a token not from a header? Separate api endpoint maybe? the problem with the header is that we cannot access it from client side (from JS). We would need to have a server to transfer it to the client, but we don't have a server for happa.
Challenge #1
: Loki DS uses oAuth token forwardTeleport-Jwt-Assertion
header from Loki DS. Atlas is looking into it.Challenge #1
- Happa can't accept Teleport Jwt tokenPotential solution: Re-configure nginx with an endpoint /jwt
and then utilize Lua module to read the Teleport-Jwt-Assertion
header and return as response.
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_lua_module.so;
location /jwt {
add_header Content-type text/plain;
content_by_lua_block {
ngx.say(ngx.req.get_headers()['Teleport-Jwt-Assertion'])
}
}
Challenge #2
- Athena /graphql
endpoint/graphql
endpoint through happa ingress and configure happa to use happa/graphql
to reach athena.Slides: https://docs.google.com/presentation/d/1OLtCijqp6VM1Xu2p0sxvyr1d2NJD6wHK0ypQ1mzRRCA/edit?usp=sharing
Action Items:
opsctl open
, where for CAPI it should go through teleport powered happa endpoint (e.g: happa-golem.teleport.giantswarm.io), and for others, dex powered happa.Attendees: Puru, Spyros, Antonia, Pawel, Dmitry
Action Items:
@gawertm It seems we can leverage the SOCKS5 proxy feature of Teleport SSH to access internal web apps. I have documented the setup process in intranet. I posted the demo in our channel.
@tuladhar thanks, I just saw that. Can you draw some network diagram how the traffic flows with the socks5 proxy? I want to fully understand :) and also about this:
Only use proxy for accessing internal web apps, because potentially, we can use it to browse other external websites.
@gawertm Here's the network diagram. Let me know if this doesn't make sense :)
Only use proxy for accessing internal web apps, because potentially, we can use it to browse other external websites.
Yes, think of SOCKS5 proxy as VPN through SSH connection. So, any network access the node where SOCKS5 is established on, we can access them too, which means access to the internet if node has access to it along with internal network access.
ok understood, thanks! lets discuss it in the refinement today :)
we came to the conclusion, that this solution is not user friendly enough and too much config is needed upfront. While it is a good emergency access solution, we will still keep the VPN for App access in private installation. to be confirmed with @alex-dabija. Also we will revisit with kubernetes 1.29 and structured auth config
We agreed in SIG Architecture to keep the the VPN for now.