Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Helm chart public_addr for proxy when using Ingress #4107

Merged
merged 4 commits into from
Jul 28, 2020
Merged

Fix Helm chart public_addr for proxy when using Ingress #4107

merged 4 commits into from
Jul 28, 2020

Conversation

webvictim
Copy link
Contributor

@webvictim webvictim commented Jul 23, 2020
edited
Loading

When using an Ingress to front your Teleport cluster in Kubernetes, access will be via port 443 (HTTPS) or 80 (HTTP - not recommended). Unfortunately, the Helm chart makes the assumption that you'll always be on port 3080 and this breaks tsh logins at the command line. This fixes that problem by specifically overriding the public_addr of proxy_service when using an Ingress.

I also changed all other public_addr settings in the main Helm chart to use the configured service port, rather than the containerPort. This means that other traffic will be directed correctly if people change the default ports in their config.

I also found a lot of random trailing spaces and blank tabs, so the PR removes all of those that I could find under our Helm charts too.

Fixes #4080

@webvictim webvictim self-assigned this Jul 23, 2020
webvictim
webvictim commented Jul 23, 2020
View reviewed changes
examples/chart/teleport/templates/config.yaml
public_addr: {{ .Values.config.public_address }}:{{ .Values.ports.proxyweb.containerPort }}
{{- if .Values.ingress.enabled }}
{{- if .Values.ingress.tls }}
public_addr: {{ .Values.config.public_address }}:443
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assumptions:

  • when TLS is configured on the Ingress it'll be using port 443
  • when TLS is not configured on the Ingress it'll be using port 80

When not using an Ingress, we change to using the host-side proxyweb port under the service definition rather than the container-side port.

@webvictim webvictim requested review from stevenGravy and awly July 23, 2020 20:00
@webvictim webvictim marked this pull request as ready for review July 23, 2020 20:00
awly
awly approved these changes Jul 24, 2020
View reviewed changes
@webvictim
Copy link
Contributor Author

@benarent Could I have an approval stamp please? I think you're code owner on *.md.

benarent
benarent approved these changes Jul 28, 2020
View reviewed changes
Copy link
Contributor

@benarent benarent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving this to resolve customers bug , other TLS discussion has been moved to another ticket.

@webvictim webvictim merged commit 3408a7d into master Jul 28, 2020
@webvictim webvictim deleted the gus/helm-chart-public-addr branch July 28, 2020 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@awly awly awly approved these changes

@benarent benarent benarent approved these changes

@stevenGravy stevenGravy Awaiting requested review from stevenGravy

@russjones russjones Awaiting requested review from russjones

Assignees

@webvictim webvictim

Labels
helm kubernetes-access
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

connection refused on tsh due to port "mismatch"
3 participants
@webvictim @benarent @awly