mirror of
https://github.com/gravitational/teleport
synced 2024-10-22 10:13:21 +00:00
6d1c16f745
Updated services.ReverseTunnel to support type (proxy or node). For
proxy types, which represent trusted cluster connections, when a
services.ReverseTunnel is created, it's created on the remote side with
name /reverseTunnels/example.com. For node types, services.ReverseTunnel
is created on the main side as /reverseTunnels/{nodeUUID}.clusterName.
Updated services.TunnelConn to support type (proxy or node). For proxy
types, which represent trusted cluster connections, tunnel connections
are created on the main side under
/tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com.
For nodes, tunnel connections are created on the main side under
/tunnelConnections/example.com/{proxyUUID}-example.com. This allows
searching for tunnel connections by cluster then allows easily creating
a set of proxies that are missing matching services.TunnelConn.
The reverse tunnel server has been updated to handle heartbeats from
proxies as well as nodes. Proxy heartbeat behavior has not changed.
Heartbeats from nodes now add remote connections to the matching local
site. In addition, the reverse tunnel server now proxies connection to
the Auth Server for requests that are already authenticated (a second
authentication to the Auth Server is required).
For registration, nodes try and connect to the Auth Server to fetch host
credentials. Upon failure, nodes now try and fallback to fetching host
credentials from the web proxy.
To establish a connection to an Auth Server, nodes first try and connect
directly, and if the connection fails, fallback to obtaining a
connection to the Auth Server through the reverse tunnel. If a
connection is established directly, node startup behavior has not
changed. If a node establishes a connection through the reverse tunnel,
it creates an AgentPool that attempts to dial back to the cluster and
establish a reverse tunnel.
When nodes heartbeat, they also heartbeat if they are connected directly
to the cluster or through a reverse tunnel. For nodes that are connected
through a reverse tunnel, the proxy subsystem now directs the reverse
tunnel server to establish a connection through the reverse tunnel
instead of directly.
When sending discovery requests, the domain field has been replaced with
tunnelID. The tunnelID field is either the cluster name (same as before)
for proxies, or {nodeUUID}.example.com for nodes.
|
||
|---|---|---|
| .. | ||
| legacy | ||
| local | ||
| suite | ||
| authentication.go | ||
| authority.go | ||
| clusterconfig.go | ||
| clustername.go | ||
| configuration.go | ||
| doc.go | ||
| events.go | ||
| github.go | ||
| github_test.go | ||
| identity.go | ||
| invite.go | ||
| license.go | ||
| license_test.go | ||
| map_test.go | ||
| migrations_test.go | ||
| namespace.go | ||
| oidc.go | ||
| oidc_test.go | ||
| parser.go | ||
| presence.go | ||
| provisioning.go | ||
| remotecluster.go | ||
| resource.go | ||
| role.go | ||
| role_test.go | ||
| saml.go | ||
| saml_test.go | ||
| server.go | ||
| servers_test.go | ||
| services.go | ||
| services_test.go | ||
| session.go | ||
| statictokens.go | ||
| trust.go | ||
| trustedcluster.go | ||
| tunnel.go | ||
| tunnelconn.go | ||
| types.pb.go | ||
| types.proto | ||
| user.go | ||
| user_test.go | ||
| wrappers.go | ||