add TLS routing support to helm chart
Brendan Germain authored and russjones committed Dec 22, 2021
1 parent 896f64c commit 1684439
Showing 6 changed files with 31 additions and 0 deletions.
7 changes: 7 additions & 0 deletions docs/pages/kubernetes-access/helm/reference.mdx
@@ -67,6 +67,13 @@ This reference details available values for the `teleport-cluster` chart.

`authenticationType` controls the authentication scheme used by Teleport. Possible values are `local` and `github` for OSS, plus `oidc`, `saml`, and `false` for Enterprise.

## `proxyListenerMode`

| Type | Default value | Required? | `teleport.yaml` equivalent | Can be used in `custom` mode? |
| - | - | - | - | - |
| `string` | `nil` | no | `auth_service.proxy_listener_mode` ||

`proxyListenerMode` controls proxy TLS routing used by Teleport. Possible values are `multiplex`.

## `enterprise`

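Review bot: the table's default value `nil` does not match the chart, where values.yaml and values.schema.json both default `proxyListenerMode` to `""`; state `""` here so the reference agrees with the files. The `Can be used in `custom` mode?` cell is left empty (`||`) and should be filled in, and "Possible values are `multiplex`" lists a single value; suggest "The only supported value is `multiplex`; leave unset to keep the legacy per-protocol listeners." The entry should also mention that enabling multiplex switches the generated config to `version: v2` and removes the separate per-protocol ports (3023 through 3036 in service.yaml) from the Service.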
@@ -0,0 +1,2 @@
clusterName: test-proxy-listener-mode
proxyListenerMode: multiplex
10 changes: 10 additions & 0 deletions examples/chart/teleport-cluster/templates/config.yaml
@@ -10,6 +10,9 @@ metadata:
{{- end }}
data:
teleport.yaml: |
{{- if eq .Values.proxyListenerMode "multiplex" }}
version: v2
{{- end }}
teleport:
log:
severity: {{ $logLevel }}
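Review bot: `version: v2` is emitted only under the `eq .Values.proxyListenerMode "multiplex"` check, and `proxy_listener_mode` is added under the same condition further down in this file, so the two lines are coupled without any comment saying so. A short `{{/* proxy_listener_mode is only rendered together with config version v2 */}}` beside this block would make the dependency explicit for the next person editing the template.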
@@ -52,9 +55,14 @@ data:
{{- end }}
authentication:
type: {{ required "authenticationType is required in chart values" .Values.authenticationType }}
{{- if eq .Values.proxyListenerMode "multiplex" }}
proxy_listener_mode: multiplex
{{- end }}
kubernetes_service:
enabled: true
{{- if not .Values.proxyListenerMode }}
listen_addr: 0.0.0.0:3027
{{- end }}
{{- if .Values.kubeClusterName }}
kube_cluster_name: {{ .Values.kubeClusterName }}
{{- else }}
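Review bot: the two guards in this hunk test different things: `{{- if eq .Values.proxyListenerMode "multiplex" }}` only emits `proxy_listener_mode` for the exact string, while `{{- if not .Values.proxyListenerMode }}` drops `listen_addr: 0.0.0.0:3027` for any non-empty value. A typo such as `multiplx` therefore renders without error, never enables TLS routing, and removes the legacy listener, which is a silent misconfiguration. Suggest rejecting anything other than `""` or `multiplex` up front, e.g. `{{- if and .Values.proxyListenerMode (ne .Values.proxyListenerMode "multiplex") }}` followed by `{{ fail "proxyListenerMode must be empty or 'multiplex'" }}`.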
@@ -66,8 +74,10 @@ data:
{{- end }}
proxy_service:
public_addr: '{{ required "clusterName is required in chart values" .Values.clusterName }}:443'
{{- if not .Values.proxyListenerMode }}
kube_listen_addr: 0.0.0.0:3026
mysql_listen_addr: 0.0.0.0:3036
{{- end }}
enabled: true
{{- if .Values.highAvailability.certManager.enabled }}
https_keypairs:
2 changes: 2 additions & 0 deletions examples/chart/teleport-cluster/templates/service.yaml
@@ -26,6 +26,7 @@ spec:
port: 443
targetPort: 3080
protocol: TCP
{{- if not .Values.proxyListenerMode }}
- name: sshproxy
port: 3023
targetPort: 3023
@@ -42,5 +43,6 @@ spec:
port: 3036
targetPort: 3036
protocol: TCP
{{- end }}
selector:
app: {{ .Release.Name }}
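Review bot: the `{{- if not .Values.proxyListenerMode }}` opened in the previous hunk before `- name: sshproxy` is closed here after the port 3036 entry, so in multiplex mode the Service exposes only 443/3080. That is the intended effect of TLS routing, but the guarded span is long enough that a template comment at both ends (for example `{{/* legacy per-protocol ports, omitted when TLS routing is enabled */}}`) would help, and the docs reference should state that these ports disappear so operators with firewall rules or load-balancer health checks on them are not surprised.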
5 changes: 5 additions & 0 deletions examples/chart/teleport-cluster/values.schema.json
@@ -32,6 +32,11 @@
"type": "string",
"default": "local"
},
"proxyListenerMode": {
"$id": "#/properties/proxyListenerMode",
"type": "string",
"default": ""
},
"teleportVersionOverride": {
"$id": "#/properties/teleportVersionOverride",
"type": "string",
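Review bot: `proxyListenerMode` is declared as a bare `"type": "string"` with no `enum`, so the schema accepts any value even though the templates only recognise `multiplex` and treat every other non-empty string as "not legacy". Add `"enum": ["", "multiplex"]` to the property so `helm lint` and `helm install` reject unsupported values before a config is rendered.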
5 changes: 5 additions & 0 deletions examples/chart/teleport-cluster/values.yaml
@@ -22,6 +22,11 @@ teleportVersionOverride: ""
# 'false' is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/
authenticationType: local

# Teleport supports TLS routing. In this mode, all client connections are wrapped in TLS and multiplexed on one Teleport proxy port.
# Default mode will not utilize TLS routing and operate in backwards-compatibility mode.
# Possible values are 'multiplex'
proxyListenerMode: ""

# ACME is a protocol for getting Web X.509 certificates
# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
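Review bot: the comment reads "Possible values are 'multiplex'" for a single value and does not say what the empty default means; suggest "# Leave empty (default) to keep the legacy per-protocol listeners; the only other supported value is 'multiplex'." It should also note that setting the value renders the config as `version: v2` and removes the separate listener ports from the Service, since that coupling is not visible from values.yaml alone.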