
VNet (epic)

Open ravicious opened this issue 3 months ago • 0 comments

Some tasks might be changed as a result of the discussion on the RFD.

  • [x] #37834

We want to provide the design partner with a demo ASAP. It won't have any of the niceties listed in the Q1 list and basically any UI. What's important is that it will let them verify whether the core idea of VNet.

### Demo for the design partner
- [x] Support custom DNS zones
- [x] Share the demo by March 29th

By the end of Q1 we want to have a fully functional VNet integration in Connect and tsh. VNet itself won't be daemonized yet, so it will prompt for password on each start.

### Q1
- [x] Implement `tsh vnet` (without recent connections)
- [x] IPv6 support
- [ ] https://github.com/gravitational/teleport/pull/40526
- [ ] https://github.com/gravitational/teleport/issues/39506
- [ ] https://github.com/gravitational/teleport/pull/40889
- [ ] https://github.com/gravitational/teleport/pull/40893
- [ ] https://github.com/gravitational/teleport/pull/40972
- [ ] https://github.com/gravitational/teleport/pull/41031
- [ ] https://github.com/gravitational/teleport/pull/41032
- [ ] https://github.com/gravitational/teleport/pull/41033
- [ ] https://github.com/gravitational/teleport/pull/41542
- [x] Add `vnet_config` resource
- [ ] https://github.com/gravitational/cloud/pull/8092
- [ ] https://github.com/gravitational/teleport/pull/40995

At the start of Q2, we'll make the implementation more robust.

### Early Q2 (aiming for 16.0) (Nic + Rafal)
- [ ] Reuse API clients (Nic) https://github.com/gravitational/teleport/pull/41033
- [ ] Support multiple active profiles (Nic) https://github.com/gravitational/teleport/pull/41033
- [ ] Support custom DNS zones (Nic) https://github.com/gravitational/teleport/pull/41545
- [ ] https://github.com/gravitational/teleport/pull/41415
- [ ] https://github.com/gravitational/teleport/pull/41587
- [ ] https://github.com/gravitational/teleport/pull/41889
- [ ] Write docs (Rafal)
- [ ] Support leaf clusters (Nic)

During Q2, we'll focus on getting rid of the repeated password prompt, supporting per-session MFA, and adding more feedback to the UI.

### Q2 (Rafal)
- [ ] Turn VNet into launch daemon
- [ ] Show recent connections in the VNet panel in Connect and in `tsh vnet`
- [ ] Per-session MFA
- [ ] Prevent multiple VNet processes from running simultaneously

After Q2, we will balance customer feedback (supporting multiple ports) with expanding to new platforms (Windows, Linux, HTTP apps, etc.).

### Post Q2 (Rafal)
- [ ] Windows support
- [ ] https://github.com/gravitational/teleport/issues/39507
- [ ] Linux support
- [ ] HTTP apps
- [ ] Apps with multiple ports

### Tech debt to address

- [ ] When clicking "Connect" next to a TCP app, Connect needs to account for configured DNS zones and prefer them over the default FQDN of apps on the proxy host.
- [ ] When clicking "Connect" next to a leaf TCP app, Connect needs to somehow fall back to the proxy host of the leaf cluster if public_addr of an app points to a domain that's not configured as a custom DNS zone.
- [ ] We should respect the priority of ordered nameservers in `/etc/resolv.conf` and add a short delay for each one down the list
- [ ] Support `--bootstrap` for `vnet_config` resources
- [ ] Add `vnet_config` to the cache
- [ ] Handling expired certs if user didn't connect to app before cert expiry https://github.com/gravitational/teleport/pull/41031#discussion_r1609684247
- [ ] Empty resolvers when starting VNet with no active profiles https://github.com/gravitational/teleport/pull/41542#discussion_r1609651983

ravicious · Mar 14 '24 10:03