From e655a1ea1c1f1f60fd8d9d35eac8f312def2a71c Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Thu, 7 Nov 2024 15:39:02 +0000 Subject: [PATCH 1/2] Document `TBOT_USE_PROXY_ADDR` --- .../machine-id/troubleshooting.mdx | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/pages/enroll-resources/machine-id/troubleshooting.mdx b/docs/pages/enroll-resources/machine-id/troubleshooting.mdx index c51225c3cb4b7..5aee707a3ecdb 100644 --- a/docs/pages/enroll-resources/machine-id/troubleshooting.mdx +++ b/docs/pages/enroll-resources/machine-id/troubleshooting.mdx @@ -320,3 +320,18 @@ outputs: Failure to add the `disable_exec_plugin` flag will result in a warning being displayed: `Destination kubernetes_secret: identity-output must be a directory in exec plugin mode`. + +## Configuring `tbot` for split DNS proxies + +When you have deployed your Proxy Service in such a way that it is +accessible via two different DNS names, e.g an internal and external address, +you may find that a `tbot` that is configured to use one of these addresses may +attempt to use the other address and that this may cause connections to fail. + +This is because `tbot` queries an auto-configuration endpoint exposed by the +Proxy Service to determine the canonical address to use when connecting. + +To fix this, set a variable of `TBOT_USE_PROXY_ADDR=1` in the environment of the +`tbot` process. This configures `tbot` to prefer using the address that you have +explicitly provided. This only functions correctly in cases where TLS +routing/multiplexing is enabled for the Teleport cluster. From b1d6b3918f93497f28ee2514e681d057683c46eb Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Fri, 8 Nov 2024 12:09:55 +0000 Subject: [PATCH 2/2] "1" -> "yes" --- docs/pages/enroll-resources/machine-id/troubleshooting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/pages/enroll-resources/machine-id/troubleshooting.mdx b/docs/pages/enroll-resources/machine-id/troubleshooting.mdx index 5aee707a3ecdb..ede717d90962c 100644 --- a/docs/pages/enroll-resources/machine-id/troubleshooting.mdx +++ b/docs/pages/enroll-resources/machine-id/troubleshooting.mdx @@ -331,7 +331,7 @@ attempt to use the other address and that this may cause connections to fail. This is because `tbot` queries an auto-configuration endpoint exposed by the Proxy Service to determine the canonical address to use when connecting. -To fix this, set a variable of `TBOT_USE_PROXY_ADDR=1` in the environment of the +To fix this, set a variable of `TBOT_USE_PROXY_ADDR=yes` in the environment of the `tbot` process. This configures `tbot` to prefer using the address that you have explicitly provided. This only functions correctly in cases where TLS routing/multiplexing is enabled for the Teleport cluster.
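Review bot: in the first hunk (troubleshooting.mdx, @@ -320,3 +320,18 @@) the new section says the setting "only functions correctly in cases where TLS routing/multiplexing is enabled for the Teleport cluster" but not what happens when it is not enabled (is the variable ignored, or does `tbot` pick the wrong port and fail to connect?); one sentence on that failure mode, plus a pointer to how an operator can confirm TLS routing is enabled on their cluster, would save readers a debugging round. Two smaller points in the same hunk: "e.g an internal and external address" should read "e.g. an internal and an external address", and "set a variable of `TBOT_USE_PROXY_ADDR=1` in the environment of the `tbot` process" reads more naturally as "set the environment variable `TBOT_USE_PROXY_ADDR=1` for the `tbot` process".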
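Review bot: the second hunk (@@ -331,7 +331,7 @@) swaps the documented value from `TBOT_USE_PROXY_ADDR=1` to `TBOT_USE_PROXY_ADDR=yes`, but the commit message ("1" -> "yes") gives no reason and the paragraph still does not say which values `tbot` actually accepts for this variable; since the first commit shipped `1`, a reader who copied that will not know whether `1` is silently ignored. Suggest the paragraph state explicitly which value(s) enable the behaviour and how any other value is treated, so the doc does not depend on the reader guessing the parser's rules.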