# Application 연결 Application web을 teleport를 통해서 특정 domain으로 연결 ![](https://t25540965.p.clickup-attachments.com/t25540965/f61cb8a3-bf08-4135-8d0c-315ae84fb5c1/image.png) ##연결 방법 `3024 로 요청이 오기 때문에 방화벽 오픈 필요` ```yaml # 방화벽 Inbound 오픈 요청 SourceIP : Any 포트 - TCP 443 - TCP 80 - TCP 3023 ~ 3029 Destination IP : 39.115.183.131, 39.115.183.139 ``` `사용자 role 생성` ```yaml kind: role metadata: id: 1694589666259084009 name: app-connect spec: allow: app_labels: '*': '*' deny: logins: - guest options: cert_format: standard create_db_user: false create_desktop_user: false desktop_clipboard: true desktop_directory_sharing: true enhanced_recording: - command - network forward_agent: false idp: saml: enabled: true max_session_ttl: 8h0m0s pin_source_ip: false port_forwarding: true record_session: default: best_effort desktop: true ssh_file_copy: true version: v5 ``` 아래의 내용은 devops팀의 구 환경 기준 설정으로 현재는 적용 사항이 아님
현재는 `nginx proxy manager`로 변경을 하여 아래의 과정 불필요
## 외부 도메인을 이용하여 proxy를 통해 내부 도메인으로 연결 `proxy 설정` ```yaml # teleport application use_backend bk_ssl_to_nginx if { req_ssl_sni -i grafana.teleport.kr.datasaker.io } use_backend bk_teleport_kr_3024 if { req_ssl_sni -i grafana.teleport.kr.datasaker.io } use_backend bk_ssl_to_nginx if { req_ssl_sni -i cmak.teleport.kr.datasaker.io } use_backend bk_teleport_kr_3024 if { req_ssl_sni -i cmak.teleport.kr.datasaker.io } use_backend bk_ssl_to_nginx if { req_ssl_sni -i kaui.teleport.kr.datasaker.io } use_backend bk_teleport_kr_3024 if { req_ssl_sni -i kaui.teleport.kr.datasaker.io } use_backend bk_ssl_to_nginx if { req_ssl_sni -i killbill.teleport.kr.datasaker.io } use_backend bk_teleport_kr_3024 if { req_ssl_sni -i killbill.teleport.kr.datasaker.io } use_backend bk_ssl_to_nginx if { req_ssl_sni -i kafka-ui.teleport.kr.datasaker.io } use_backend bk_teleport_kr_3024 if { req_ssl_sni -i kafka-ui.teleport.kr.datasaker.io } use_backend bk_ssl_to_nginx if { req_ssl_sni -i keycloak.teleport.kr.datasaker.io } use_backend bk_teleport_kr_3024 if { req_ssl_sni -i keycloak.teleport.kr.datasaker.io } use_backend bk_ssl_to_nginx if { req_ssl_sni -i druid-router.teleport.kr.datasaker.io } use_backend bk_teleport_kr_3024 if { req_ssl_sni -i druid-router.teleport.kr.datasaker.io } # ssl > nginx backend bk_ssl_to_nginx mode tcp balance roundrobin option ssl-hello-chk server web01 127.0.0.1:8443 check inter 2s # 3024 > teleport proxy listen 3024_in bind *:3024 mode tcp balance roundrobin use_backend bk_teleport_kr_3024 backend bk_teleport_kr_3024 mode tcp balance roundrobin server teleport_server_kr_3124 10.10.43.240:30813 check ``` 2. 인증서 발급 ```plain domains=('grafana' 'cmak' 'killbill' 'kafka-ui' 'keycloak' 'druid-router') for domain in ${domains[@]} do "certbot certonly --standalone -d ${domain}.teleport.kr.datasaker.io --non-interactive --agree-tos --email havelight@ex-em.com --http-01-port=8899 -v" done ``` 3. nginx 설정 ```shell rp-grafana-teleport-kr.conf rp-kaui-teleport-kr.conf rp-kafka-ui-teleport-kr.conf rp-keycloak-teleport-kr.conf rp-cmak-teleport-kr.conf rp-druid-router-teleport-kr.conf rp-killbill-teleport-kr.conf ``` 2. agent 설치 \- token 발급 ```shell tsh login --proxy teleport.kr.dataskaer.io --user [계정명] tctl tokens add --type=app ``` \- helm chart ```shell helm repo add teleport https://charts.releases.teleport.dev helm repo update helm pull teleport/teleport-kube-agent --untar ``` \- prod\_values.yaml ```yaml authToken: "[발급받은 token]" proxyAddr: "teleport.kr.datasaker.io:443" roles: "app" #(any of: kube,db,app) apps: - name: cmak uri: http://cmak.dsk-middle.svc.cluster.local:9000 - name: kaui uri: http://dsk-kaui.dsk-middle.svc.cluster.local:8080 - name: killbill uri: http://dsk-killbill.dsk-middle.svc.cluster.local:8080/api.html - name: kafka-ui uri: http://kafka-ui.dsk-middle.svc.cluster.local - name: keycloak uri: http://keycloak.dsk-middle.svc.cluster.local - name: druid-router uri: http://druid-router.dsk-middle.svc.cluster.local:8888/unified-console.html storage: enabled: true storageClassName: "" requests: 128Mi ``` \- helm install ```shell helm -n teleport-agent install teleport-agent . -f prod_values.yaml --create-namespace ``` 3. 확인 ```yaml # kubectl -n teleport-agent get all NAME READY STATUS RESTARTS AGE pod/teleport-agent-0 1/1 Running 0 141m NAME READY AGE statefulset.apps/teleport-agent 1/1 22h # kubectl -n teleport-agent get cm teleport-agent -o yaml apiVersion: v1 data: teleport.yaml: | app_service: apps: - name: cmak uri: http://cmak.dsk-middle.svc.cluster.local:9000 - name: kaui uri: http://dsk-kaui.dsk-middle.svc.cluster.local:8080 - name: killbill uri: http://dsk-killbill.dsk-middle.svc.cluster.local:8080/api.html - name: kafka-ui uri: http://kafka-ui.dsk-middle.svc.cluster.local - name: keycloak uri: http://keycloak.dsk-middle.svc.cluster.local - name: druid-router uri: http://druid-router.dsk-middle.svc.cluster.local:8888/unified-console.html enabled: true auth_service: enabled: false db_service: enabled: false kubernetes_service: enabled: false proxy_service: enabled: false ssh_service: enabled: false teleport: join_params: method: token token_name: /etc/teleport-secrets/auth-token log: format: extra_fields: - timestamp - level - component - caller output: text output: stderr severity: INFO proxy_server: teleport.kr.datasaker.io:443 version: v3 kind: ConfigMap metadata: annotations: meta.helm.sh/release-name: teleport-agent meta.helm.sh/release-namespace: teleport-agent creationTimestamp: "2023-09-13T07:15:32Z" labels: app.kubernetes.io/managed-by: Helm name: teleport-agent namespace: teleport-agent resourceVersion: "144094053" uid: 57c4e43e-88e5-42fd-abba-bccecbdab0e1 ``` ## 검증 ### Applications ![](https://t25540965.p.clickup-attachments.com/t25540965/b9098cbd-9765-4dc5-9bf9-eb12f1d2b44d/image.png) ### Kafka UI 접속 ![](https://t25540965.p.clickup-attachments.com/t25540965/c56081a5-2759-4689-aee5-446f79be2bfd/image.png)