Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ha-autoscale-cluster: Enable proxy protocol to allow the use of IP pinning #41668

Merged
merged 8 commits into from
May 29, 2024
Merged

ha-autoscale-cluster: Enable proxy protocol to allow the use of IP pinning #41668

merged 8 commits into from
May 29, 2024

Conversation

webvictim
Copy link
Contributor

@webvictim webvictim commented May 16, 2024
edited

Changelog: Enabled the use of proxy protocol v2 for the ha-autoscale-cluster Terraform deployment example, allowing clusters deployed with this code to make use of IP pinning where needed.

Also:

  • fixed a bug with the ACM LB name used when an alias was not provided
  • made the connect.sh script more reliable by only targetting instances in running state

Fixes #34284

Test matrix:

use_acm use_tls_routing auth_service proxy_protocol proxy_service proxy_protocol LBs deployed
false false on on auth: NLB, proxy: NLB
true false on not set auth: NLB, proxy: ALB + NLB
false true on on auth: NLB, proxy: NLB
true true on not set auth: NLB, proxy: ALB

proxy_protocol does not need to be set to on when an ALB is used, as proxy_service.trust_x_forwarded_for is set to true in these situations and the client IP is derived from the X-Forwarded-For header.

The starter-cluster deployment only deploys an ALB when ACM is enabled, so remains unchanged.

@webvictim webvictim added terraform-deployment-examples Issues relating to Terraform deployment examples under examples/aws/terraform terraform Legacy Terraform label labels May 16, 2024
@webvictim webvictim self-assigned this May 16, 2024
@webvictim webvictim added this pull request to the merge queue May 29, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks May 29, 2024
@hugoShaka hugoShaka added this pull request to the merge queue May 29, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks May 29, 2024
@stevenGravy stevenGravy added this pull request to the merge queue May 29, 2024
Merged via the queue into master with commit ca292af May 29, 2024
39 checks passed
@stevenGravy stevenGravy deleted the gus/terraform/proxy-protocol branch May 29, 2024 15:00
@public-teleport-github-review-bot
Copy link

@webvictim See the table below for backport results.

Branch Result
branch/v16 Create PR

@webvictim webvictim mentioned this pull request May 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcoandredinis marcoandredinis marcoandredinis approved these changes

@hugoShaka hugoShaka hugoShaka approved these changes

@stevenGravy stevenGravy stevenGravy approved these changes

Assignees

@webvictim webvictim

Labels
backport/branch/v16 size/md terraform Legacy Terraform label terraform-deployment-examples Issues relating to Terraform deployment examples under examples/aws/terraform
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Proxy endpoint returning 502 Bad Gateway when deploying HA teleport cluster on AWS using Terraform
4 participants
@webvictim @marcoandredinis @hugoShaka @stevenGravy