Allow auth server to advertise a DNS alias #1793

Closed
darend opened this issue Mar 20, 2018 · 10 comments
@darend
Contributor

darend commented Mar 20, 2018

Problem:

Unable to configure auth to advertise itself using a DNS alias, as advertise_ip only allows IP addresses.

Proposal

Allow auth to advertise a DNS alias or an IP address

Context

Deploying auth + proxy under kubernetes is difficult because the IP assigned to auth is dynamic. This then requires some tooling to properly configure both the advertise_ip for auth as well as the authorized_servers for proxy.

Ideally one could:

  • deploy auth under kubernetes with a load balancer service and dns alias, example: teleport-auth.company.com
  • have auth advertise itself as using the load balancer dns: teleport-auth.company.com:3025
  • deploy proxy with auth_servers: teleport-auth.company.com:3025
@kontsevoy
Contributor

@klizhentas we solved it with public_addr didn't we?

@kontsevoy kontsevoy added this to the 3.0.0 "San Antonio" milestone Aug 13, 2018
@klizhentas
Contributor

yes fixed since 2.7

@kontsevoy
Contributor

@darend we now allow you to do this by using public_addr setting which replaces the old advertise setting

@kontsevoy
Contributor

re-assigning to myself to update the docs

@kontsevoy kontsevoy reopened this Aug 13, 2018
@kontsevoy kontsevoy self-assigned this Aug 13, 2018
@kontsevoy
Contributor

To change:

  • public_addr section for auth_service
  • advertise_ip can actually take FQDN:port (or just FQDN with port defaulting to 3022)
  • public_addr can take an array
  • public_addr can be applied to ssh_service

kontsevoy added a commit that referenced this issue Sep 22, 2018
@sandstrom

@kontsevoy A somewhat related question: if auth_servers is an array with a dns name teleport.org.internal:3025 which maps onto multiple underlying servers (HA), and the DNS resolves into multiple IPs, will teleport pick up on the fact that there are multiple IPs and treat them similar to an array of IPs (or FQDNs)?

@kontsevoy
Contributor

@sandstrom I am not 100% sure I understand your question. Perhaps I'll just explain what happens? If there's a single DNS name for an auth server which resolves to multiple IPs, Teleport will rely on the standard name resolution when establishing a connection which consists of the OS resolver and Golang standard library. If the 1st IP doesn't respond it should try the 2nd.

@sandstrom

sandstrom commented Nov 15, 2018

@kontsevoy Got it, maybe I haven't understood how teleport works under the hood.

It sounds like your system only tries the IPs in the array one after another, and in that case it shouldn't make a difference between:

  • specifying an array with one auth-server domain that resolves to multiple IPs, or
  • an array with two auth-server domains that each resolve to one IP

If there aren't any differences with the two alternatives above, I'm very happy 😄


Aside: Some systems (e.g. elastic search) will load IPs from a config and then with some high-availability protocol they will ping them every X seconds making sure they're up. In such scenarios, it's great if the system will "load" all IPs that are returned from the DNS-query, not just the first one. If they only load the first one for each entry in the array and put that into the pool, you won't get any high-availability benefit from returning multiple IPs. I know this has been an issue with ElasticSearch, which is why I asked the question.

@kontsevoy
Contributor

Correct. Teleport uses round-robin internally for lists of servers, and for single-server entries that resolve to multiple IPs it relies on the system resolver, which should use round-robin as well (just run dig amazon.com multiple times and you should see).

@sandstrom

@kontsevoy Awesome, thanks! 🎉
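Added example, not code from Teleport or from any participant in this thread. It shows in Go (Teleport's own language) the two behaviours the last few comments discuss: expanding each auth_servers entry into every IP its name resolves to, and then trying those candidates in turn from a rotating start index so a dead first IP is skipped rather than taking the whole pool down. The resolver and dialer are injected and the DNS table is constructed inline so the program runs offline; teleport.org.internal and the 10.0.x.x addresses are invented for the example. With a real dialer, Go's net.Dialer already walks every address a name resolves to when it is handed the name directly, which is the behaviour kontsevoy describes; doing the expansion explicitly is what you want when the whole pool should be visible for health checks, the case sandstrom raises.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Lookup resolves a name to all of its IPs. Injected so the example runs offline; real code would wrap net.DefaultResolver.LookupIPAddr.
type Lookup func(host string) ([]net.IP, error)

// Dial opens one connection. Injected likewise; real code would call (&net.Dialer{}).DialContext(ctx, "tcp", addr).
type Dial func(ctx context.Context, addr string) (net.Conn, error)

// expandAuthServers turns "host:port" entries (the shape of Teleport's
// auth_servers list) into one "ip:port" candidate per resolved address,
// keeping every IP a name resolves to rather than only the first.
func expandAuthServers(entries []string, lookup Lookup) ([]string, error) {
	var out []string
	for _, entry := range entries {
		host, port, err := net.SplitHostPort(entry)
		if err != nil {
			return nil, fmt.Errorf("auth server %q: %w", entry, err)
		}
		if ip := net.ParseIP(host); ip != nil {
			out = append(out, net.JoinHostPort(ip.String(), port))
			continue
		}
		ips, err := lookup(host)
		if err != nil {
			return nil, fmt.Errorf("resolving %q: %w", host, err)
		}
		for _, ip := range ips {
			out = append(out, net.JoinHostPort(ip.String(), port))
		}
	}
	return out, nil
}

// dialFirstReachable tries candidates in order from index start (rotate start
// between calls for round-robin), skipping failures, and returns the first live
// connection with its address, or a combined error if none answered.
func dialFirstReachable(ctx context.Context, candidates []string, start int, dial Dial) (net.Conn, string, error) {
	n := len(candidates)
	var failures []string
	for i := 0; i < n; i++ {
		if err := ctx.Err(); err != nil {
			return nil, "", err
		}
		addr := candidates[(start+i)%n]
		conn, err := dial(ctx, addr)
		if err == nil {
			return conn, addr, nil
		}
		failures = append(failures, addr+": "+err.Error())
	}
	return nil, "", errors.New("all auth servers unreachable: " + strings.Join(failures, "; "))
}

// Constructed DNS table standing in for the system resolver; the name and
// addresses are invented for this example.
var sampleDNS = map[string][]net.IP{
	"teleport.org.internal": {net.ParseIP("10.0.1.10"), net.ParseIP("10.0.1.11")},
}

func sampleLookup(host string) ([]net.IP, error) {
	ips, ok := sampleDNS[host]
	if !ok {
		return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
	}
	return ips, nil
}

func main() {
	candidates, err := expandAuthServers([]string{"teleport.org.internal:3025", "10.0.2.5:3025"}, sampleLookup)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	fmt.Println("candidates:", candidates)
	// Simulated outage: the first IP behind the HA name refuses connections.
	dial := func(ctx context.Context, addr string) (net.Conn, error) {
		if addr == "10.0.1.10:3025" {
			return nil, errors.New("connection refused")
		}
		c, _ := net.Pipe() // in-memory stand-in for a TCP connection
		return c, nil
	}
	conn, addr, err := dialFirstReachable(context.Background(), candidates, 0, dial)
	if err != nil {
		fmt.Println("dial error:", err)
		return
	}
	defer conn.Close()
	fmt.Println("connected to", addr)
}
```

Running it expands the HA name into two candidates plus the bare IP, fails over past 10.0.1.10 and connects to 10.0.1.11. Passing a different start index on each attempt spreads new connections across the pool, which is the round-robin behaviour the thread refers to.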
