teleport
teleport copied to clipboard
Published
20 hours ago •
gravitational
gravitational
ha-autoscale-cluster: Enable proxy protocol to allow the use of IP pinning
Changelog: Enabled the use of proxy protocol v2 for the ha-autoscale-cluster Terraform deployment example, allowing clusters deployed with this code to make use of IP pinning where needed.
Also:
- fixed a bug with the ACM LB name used when an alias was not provided
- made the
connect.shscript more reliable by only targetting instances inrunningstate
Fixes https://github.com/gravitational/teleport/issues/34284
Test matrix:
use_acm |
use_tls_routing |
auth_service proxy_protocol | proxy_service proxy_protocol | LBs deployed |
|---|---|---|---|---|
| false | false | on |
on |
auth: NLB, proxy: NLB |
| true | false | on |
not set | auth: NLB, proxy: ALB + NLB |
| false | true | on |
on |
auth: NLB, proxy: NLB |
| true | true | on |
not set | auth: NLB, proxy: ALB |
proxy_protocol does not need to be set to on when an ALB is used, as proxy_service.trust_x_forwarded_for is set to true in these situations and the client IP is derived from the X-Forwarded-For header.
The starter-cluster deployment only deploys an ALB when ACM is enabled, so remains unchanged.
