gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Support ALPN websocket passthrough for all protocols #19975

Closed klizhentas closed 1 year ago

klizhentas commented 1 year ago

When hosting Teleport in a Kubernetes cluster, it makes sense for users to be able to expose Teleport through their existing ingress-controller (as opposed to exposing Teleport using a LoadBalancer service).

Quoting @hugoShaka

This will dramatically improve the Helm experience by removing big dependencies like cert-manager, reducing the time to value by half, and behaving like any other Kubernetes application like our users expect. Plus, we keep receiving support cases and tickets of users trying to run Teleport behind an ALB/NLB terminating TLS.

This implies implementing "ALPN behind ALPN" support for all protocols like what was done for database access: issue, PR.

webvictim commented 1 year ago

I'd like to request that this work also include a fix for IAM joining not working behind TLS-terminating load balancers as per https://github.com/gravitational/teleport/issues/20792

webvictim commented 1 year ago

This is tracked by https://github.com/gravitational/teleport/issues/21870 now.

greedy52 commented 1 year ago

https://github.com/gravitational/teleport/issues/21870#issuecomment-1679470294