fix agent connection to proxy behind l7 lb #48242

Merged 1 commit on Nov 1, 2024

greedy52 (Contributor) commented Oct 31, 2024

fixes #48238

Integration tests could not catch this since they run in insecure mode.

Also note that ALPNDialer does call GetClusterCAs on each dial so no need for the VerifyConnection hack:

teleport/api/client/alpn.go, lines 126 to 131 in c1f368e:

	// DialContext implements ContextDialer.
	func (d *ALPNDialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
		tlsConfig, err := d.getTLSConfig(ctx, addr)
		if err != nil {
			return nil, trace.Wrap(err)
		}

greedy52 added the no-changelog and backport/branch/v17 labels Oct 31, 2024
greedy52 requested a review from espadolini October 31, 2024 19:27
greedy52 self-assigned this Oct 31, 2024
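
The point made in the PR description, that a dialer which looks up the cluster CAs on every dial can rely on standard TLS verification, shown as an added Go example (not code from this PR or from Teleport). The `roots` callback is a hypothetical stand-in for a `GetClusterCAs`-style lookup, and the host name, certificates and CA rotation scenario are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// dialTLS asks roots (a hypothetical stand-in for a GetClusterCAs-style lookup) for the
// trust pool on every dial; normal verification stays on, with no VerifyConnection hook.
func dialTLS(raw net.Conn, name string, roots func() *x509.CertPool) error {
	return tls.Client(raw, &tls.Config{RootCAs: roots(), ServerName: name}).Handshake()
}

// selfSigned makes a constructed self-signed certificate for name and a pool trusting it.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// rotationDemo dials a proxy that has rotated from CA A to CA B over an in-memory pipe.
func rotationDemo() (stale, fresh error) {
	const name = "proxy.example.test" // constructed host name
	_, poolA := selfSigned(name)
	certB, poolB := selfSigned(name)
	current := poolA // what the lookup returns; poolA is also the copy taken at startup
	dial := func(roots func() *x509.CertPool) error {
		c, s := net.Pipe() // unbuffered, hence no session tickets on the server below
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second))
		go tls.Server(s, &tls.Config{Certificates: []tls.Certificate{certB}, SessionTicketsDisabled: true}).Handshake()
		return dialTLS(c, name, roots)
	}
	current = poolB // rotation: only the per-dial lookup sees the new CA
	return dial(func() *x509.CertPool { return poolA }), dial(func() *x509.CertPool { return current })
}

func main() { fmt.Println(rotationDemo()) }
```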

espadolini (Contributor) left a comment

I think I missed this when I changed things to start using dynamic sources of trust, thank you for the fix!

Is it practical to change the tests to not rely on insecure mode?

greedy52 (Contributor, Author) commented Oct 31, 2024

> Is it practical to change the tests to not rely on insecure mode?

Let me look into that.

--- update
It's no easy task. All web clients cannot verify proxy. Will leave it as a separate change.

greedy52 added this pull request to the merge queue Nov 1, 2024
Merged via the queue into master with commit 2bcdcf6 Nov 1, 2024
42 of 46 checks passed
greedy52 deleted the STeve/48238_fix_upgrade_root_verification branch November 1, 2024 14:20

public-teleport-github-review-bot:

@greedy52 See the table below for backport results.

Branch | Result
branch/v17 | Create PR

Successfully merging this pull request may close these issues.

TLS error when agent joins Proxy behind L7 load balancer