servicecfg

package
v0.0.0-...-f25915c Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 26, 2025 License: AGPL-3.0 Imports: 55 Imported by: 0

Documentation

Overview

Package servicecfg contains the runtime configuration for Teleport services

Index

Constants

This section is empty.

Variables

AllTLSModes keeps all possible database TLS modes for easy access.

Functions

func ApplyDefaults

func ApplyDefaults(cfg *Config)

ApplyDefaults applies default values to the existing config structure

func ApplyFIPSDefaults

func ApplyFIPSDefaults(cfg *Config)

ApplyFIPSDefaults updates default configuration to be FedRAMP/FIPS 140-2 compliant.

func DisableLongRunningServices

func DisableLongRunningServices(cfg *Config)

DisableLongRunningServices disables all services but OpenSSH

func ValidateConfig

func ValidateConfig(cfg *Config) error

Types

type ACME

type ACME struct {
	// Enabled enables or disables ACME support
	Enabled bool
	// Email receives notifications from ACME server
	Email string
	// URI is ACME server URI
	URI string
}

ACME configures ACME automatic certificate renewal

type AccessGraphConfig

type AccessGraphConfig struct {
	// Enabled Access Graph reporting enabled
	Enabled bool

	// Addr of the Access Graph service addr
	Addr string

	// CA is the path to the CA certificate file
	CA string

	// Insecure is true if the connection to the Access Graph service should be insecure
	Insecure bool
}

AccessGraphConfig represents TAG server config

type AccessMonitoringOptions

type AccessMonitoringOptions struct {
	// EnabledString is the string representation of the Enabled field.
	EnabledString string `yaml:"enabled"`
	// Enabled is true if access monitoring is enabled.
	Enabled bool `yaml:"-"`

	// RoleARN is the ARN of the IAM role to assume when accessing Athena.
	RoleARN string `yaml:"role_arn,omitempty"`
	// RoleTags are the tags to use when assuming the IAM role.
	RoleTags map[string]string `yaml:"role_tags,omitempty"`

	// DataLimitString is the string representation of the DataLimit field.
	DataLimitString string `yaml:"data_limit,omitempty"`
	// DataLimit is the maximum amount of data that can be returned by a query.
	DataLimit uint64 `yaml:"-"`

	// Database is the name of the database to use.
	Database string `yaml:"database,omitempty"`
	// Table is the name of the table to use.
	Table string `yaml:"table,omitempty"`
	// Workgroup is the name of the Athena workgroup to use.
	Workgroup string `yaml:"workgroup,omitempty"`
	// QueryResults is the S3 bucket to use for query results.
	QueryResults string `yaml:"query_results,omitempty"`
	// ReportResults is the S3 bucket to use for report results.
	ReportResults string `yaml:"report_results,omitempty"`
}

AccessMonitoringOptions configures access monitoring.

func (*AccessMonitoringOptions) CheckAndSetDefaults

func (a *AccessMonitoringOptions) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values for any missing fields.

type App

type App struct {
	// Name of the application.
	Name string

	// Description is the app description.
	Description string

	// URI is the internal address of the application.
	URI string

	// Public address of the application. This is the address users will access
	// the application at.
	PublicAddr string

	// StaticLabels is a map of static labels to apply to this application.
	StaticLabels map[string]string

	// DynamicLabels is a list of dynamic labels to apply to this application.
	DynamicLabels services.CommandLabels

	// InsecureSkipVerify is used to skip validating the server's certificate.
	InsecureSkipVerify bool

	// Rewrite defines a block that is used to rewrite requests and responses.
	Rewrite *Rewrite

	// AWS contains additional options for AWS applications.
	AWS *AppAWS

	// Cloud identifies the cloud instance the app represents.
	Cloud string
}

App is the specific application that will be proxied by the application service. This needs to exist because if the "config" package tries to directly create a services.App it will get into circular imports.

func (*App) CheckAndSetDefaults

func (a *App) CheckAndSetDefaults() error

CheckAndSetDefaults validates an application.

type AppAWS

type AppAWS struct {
	// ExternalID is the AWS External ID used when assuming roles in this app.
	ExternalID string
}

AppAWS contains additional options for AWS applications.

type AppsConfig

type AppsConfig struct {
	// Enabled enables application proxying service.
	Enabled bool

	// DebugApp enabled a header dumping debugging application.
	DebugApp bool

	// Apps is the list of applications that are being proxied.
	Apps []App

	// ResourceMatchers match cluster database resources.
	ResourceMatchers []services.ResourceMatcher

	// MonitorCloseChannel will be signaled when a monitor closes a connection.
	// Used only for testing. Optional.
	MonitorCloseChannel chan struct{}
}

AppsConfig configures application proxy service.

type AuthConfig

type AuthConfig struct {
	// Enabled turns auth role on or off for this process
	Enabled bool

	// PROXYProtocolMode controls behavior related to unsigned PROXY protocol headers.
	PROXYProtocolMode multiplexer.PROXYProtocolMode

	// ListenAddr is the listening address of the auth service
	ListenAddr utils.NetAddr

	// Authorities is a set of trusted certificate authorities
	// that will be added by this auth server on the first start
	Authorities []types.CertAuthority

	// BootstrapResources is a set of previously backed up resources
	// used to bootstrap backend state on the first start.
	BootstrapResources []types.Resource

	// ApplyOnStartupResources is a set of resources that should be applied
	// on each Teleport start.
	ApplyOnStartupResources []types.Resource

	// Roles is a set of roles to pre-provision for this cluster
	Roles []types.Role

	// ClusterName is a name that identifies this authority and all
	// host nodes in the cluster that will share this authority domain name
	// as a base name, e.g. if authority domain name is example.com,
	// all nodes in the cluster will have UUIDs in the form: <uuid>.example.com
	ClusterName types.ClusterName

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	StaticTokens types.StaticTokens

	// StorageConfig contains configuration settings for the storage backend.
	StorageConfig backend.Config

	Limiter limiter.Config

	// NoAudit, when set to true, disables session recording and event audit
	NoAudit bool

	// Preference defines the authentication preference (type and second factor) for
	// the auth server.
	Preference types.AuthPreference

	// AuditConfig stores cluster audit configuration.
	AuditConfig types.ClusterAuditConfig

	// NetworkingConfig stores cluster networking configuration.
	NetworkingConfig types.ClusterNetworkingConfig

	// SessionRecordingConfig stores session recording configuration.
	SessionRecordingConfig types.SessionRecordingConfig

	// LicenseFile is a full path to the license file
	LicenseFile string

	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr

	// KeyStore configuration. Handles CA private keys which may be held in a HSM.
	KeyStore keystore.Config

	// LoadAllCAs sends the host CAs of all clusters to SSH clients logging in when enabled,
	// instead of just the host CA for the current cluster.
	LoadAllCAs bool

	// HostedPlugins configures the Enterprise hosted plugin runtime
	HostedPlugins HostedPluginsConfig

	// Clock is the clock instance auth uses. Typically you'd only want to set
	// this during testing.
	Clock clockwork.Clock

	// HTTPClientForAWSSTS overwrites the default HTTP client used for making
	// STS requests. Used in test.
	HTTPClientForAWSSTS utils.HTTPDoClient

	// AssistAPIKey is the OpenAI API key.
	// TODO: This key will be moved to a plugin once support for plugins is implemented.
	AssistAPIKey string

	// AccessMonitoring configures access monitoring.
	AccessMonitoring *AccessMonitoringOptions
}

AuthConfig is a configuration of the auth server

func (*AuthConfig) IsAccessMonitoringEnabled

func (a *AuthConfig) IsAccessMonitoringEnabled() bool

IsAccessMonitoringEnabled returns true if access monitoring is enabled.

type AzureJoinParams

type AzureJoinParams struct {
	ClientID string
}

AzureJoinParams is the parameters specific to the azure join method.

type BPFConfig

type BPFConfig struct {
	// Enabled is if this service will try and install BPF programs on this system.
	Enabled bool

	// CommandBufferSize is the size of the perf buffer for command events.
	CommandBufferSize *int

	// DiskBufferSize is the size of the perf buffer for disk events.
	DiskBufferSize *int

	// NetworkBufferSize is the size of the perf buffer for network events.
	NetworkBufferSize *int

	// CgroupPath is where the cgroupv2 hierarchy is mounted.
	CgroupPath string
}

BPFConfig holds configuration for the BPF service.

func (*BPFConfig) CheckAndSetDefaults

func (c *BPFConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks BPF configuration.

type CachePolicy

type CachePolicy struct {
	// Enabled enables or disables caching
	Enabled bool
	// MaxRetryPeriod is maximum period cache waits before retrying on failure.
	MaxRetryPeriod time.Duration
}

CachePolicy sets caching policy for proxies and nodes

func (*CachePolicy) CheckAndSetDefaults

func (c *CachePolicy) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

func (CachePolicy) String

func (c CachePolicy) String() string

String returns human-friendly representation of the policy

type Config

type Config struct {
	// Teleport configuration version.
	Version string
	// DataDir is the directory where teleport stores its permanent state
	// (in case of auth server backed by BoltDB) or local state, e.g. keys
	DataDir string

	// Hostname is a node host name
	Hostname string

	// JoinMethod is the method the instance will use to join the auth server
	JoinMethod types.JoinMethod

	// JoinParams is a set of extra parameters for joining the auth server.
	JoinParams JoinParams

	// ProxyServer is the address of the proxy
	ProxyServer utils.NetAddr

	// Identities is an optional list of pre-generated key pairs
	// for teleport roles, this is helpful when server is preconfigured
	Identities []*auth.Identity

	// AdvertiseIP is used to "publish" an alternative IP address or hostname this node
	// can be reached on, if running behind NAT
	AdvertiseIP string

	// CachePolicy sets caching policy for nodes and proxies
	// in case if they lose connection to auth servers
	CachePolicy CachePolicy

	// Auth service configuration. Manages cluster state and configuration.
	Auth AuthConfig

	// Proxy service configuration. Manages incoming and outbound
	// connections to the cluster.
	Proxy ProxyConfig

	// SSH service configuration. Manages SSH servers running within the cluster.
	SSH SSHConfig

	// App service configuration. Manages applications running within the cluster.
	Apps AppsConfig

	// Databases defines database proxy service configuration.
	Databases DatabasesConfig

	// Metrics defines the metrics service configuration.
	Metrics MetricsConfig

	// WindowsDesktop defines the Windows desktop service configuration.
	WindowsDesktop WindowsDesktopConfig

	// Discovery defines the discovery service configuration.
	Discovery DiscoveryConfig

	// OpenSSH defines the configuration for an openssh node
	OpenSSH OpenSSHConfig

	// Okta defines the okta service configuration.
	Okta OktaConfig

	// Jamf defines the Jamf MDM service configuration.
	Jamf JamfConfig

	// Tracing defines the tracing service configuration.
	Tracing TracingConfig

	// Keygen points to a key generator implementation
	Keygen sshca.Authority

	// HostUUID is a unique UUID of this host (it will be known via this UUID within
	// a teleport cluster). It's automatically generated on 1st start
	HostUUID string

	// Console writer to speak to a user
	Console io.Writer

	// ReverseTunnels is a list of reverse tunnels to create on the
	// first cluster start
	ReverseTunnels []types.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	OIDCConnectors []types.OIDCConnector

	// PidFile is a full path of the PID file for teleport daemon
	PIDFile string

	// Trust is a service that manages certificate authorities
	Trust services.Trust

	// Presence service is a discovery and heartbeat tracker
	Presence services.PresenceInternal

	// Events is events service
	Events types.Events

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is a service that controls access
	Access services.Access

	// UsageReporter is a service that reports usage events.
	UsageReporter usagereporter.UsageReporter
	// ClusterConfiguration is a service that provides cluster configuration
	ClusterConfiguration services.ClusterConfiguration

	// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
	// omitted, a Teleport selected list of defaults will be used.
	CipherSuites []uint16

	// Ciphers is a list of SSH ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string

	// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used.
	KEXAlgorithms []string

	// MACAlgorithms is a list of SSH message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used.
	MACAlgorithms []string

	// DiagnosticAddr is an address for diagnostic and healthz endpoint service
	DiagnosticAddr utils.NetAddr

	// Debug sets debugging mode, results in diagnostic address
	// endpoint extended with additional /debug handlers
	Debug bool

	// FileDescriptors is an optional list of file descriptors for the process
	// to inherit and use for listeners, used for in-process updates.
	FileDescriptors []*FileDescriptor

	// PollingPeriod is set to override default internal polling periods
	// of sync agents, used to speed up integration tests.
	PollingPeriod time.Duration

	// CAPins are the SKPI hashes of the CAs used to verify the Auth Server.
	CAPins []string

	// Clock is used to control time in tests.
	Clock clockwork.Clock

	// FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool

	// SkipVersionCheck means the version checking between server and client
	// will be skipped.
	SkipVersionCheck bool

	// BPFConfig holds configuration for the BPF service.
	BPFConfig *BPFConfig

	// Kube is a Kubernetes API gateway using Teleport client identities.
	Kube KubeConfig

	// Log optionally specifies the logger.
	// Deprecated: use Logger instead.
	Log utils.Logger
	// Logger outputs messages using slog. The underlying handler respects
	// the user supplied logging config.
	Logger *slog.Logger

	// PluginRegistry allows adding enterprise logic to Teleport services
	PluginRegistry plugin.Registry

	// RotationConnectionInterval is the interval between connection
	// attempts as used by the rotation state service
	RotationConnectionInterval time.Duration

	// MaxRetryPeriod is the maximum period between reconnection attempts to auth
	MaxRetryPeriod time.Duration

	// TeleportHome is the path to tsh configuration and data, used
	// for loading profiles when TELEPORT_HOME is set
	TeleportHome string

	// CircuitBreakerConfig configures the auth client circuit breaker.
	CircuitBreakerConfig breaker.Config

	// AdditionalExpectedRoles are additional roles to attach to the Teleport instances.
	AdditionalExpectedRoles []RoleAndIdentityEvent

	// AdditionalReadyEvents are additional events to watch for to consider the Teleport instance ready.
	AdditionalReadyEvents []string

	// InstanceMetadataClient specifies the instance metadata client.
	InstanceMetadataClient cloud.InstanceMetadata

	// Testing is a group of properties that are used in tests.
	Testing ConfigTesting

	// AccessGraph represents AccessGraph server config
	AccessGraph AccessGraphConfig
	// contains filtered or unexported fields
}

Config contains the configuration for all services that Teleport can run. Some settings are global, while others are grouped into separate sections.

func MakeDefaultConfig

func MakeDefaultConfig() (config *Config)

MakeDefaultConfig creates a new Config structure and populates it with defaults

func (*Config) ApplyCAPins

func (cfg *Config) ApplyCAPins(caPins []string) error

ApplyCAPins assigns the given CA pin(s), filtering out empty pins. If a pin is specified as a path to a file, that file must not be empty.

func (*Config) AuthServerAddresses

func (cfg *Config) AuthServerAddresses() []utils.NetAddr

AuthServerAddresses returns the value of authServers for config versions v1 and v2 and will return just the first (as only one should be set) address for config versions v3 onwards.

func (*Config) DebugDumpToYAML

func (cfg *Config) DebugDumpToYAML() string

DebugDumpToYAML is useful for debugging: it dumps the Config structure into a string

func (*Config) HasToken

func (cfg *Config) HasToken() bool

HasToken gives the ability to check if there has been a token value stored in the config

func (*Config) SetAuthServerAddress

func (cfg *Config) SetAuthServerAddress(addr utils.NetAddr)

SetAuthServerAddress sets the value of authServers to a single value

func (*Config) SetAuthServerAddresses

func (cfg *Config) SetAuthServerAddresses(addrs []utils.NetAddr) error

SetAuthServerAddresses sets the value of authServers If the config version is v1 or v2, it will set the value to all the given addresses (as multiple can be specified). If the config version is v3 or onwards, it'll error if more than one address is given.

func (*Config) SetToken

func (cfg *Config) SetToken(token string)

SetToken stores the value for --token or auth_token in the config

This can be either the token or an absolute path to a file containing the token.

func (*Config) Token

func (cfg *Config) Token() (string, error)

Token returns token needed to join the auth server

If the value stored points to a file, it will attempt to read the token value from the file and return an error if it wasn't successful If the value stored doesn't point to a file, it'll return the value stored If the token hasn't been set, an empty string will be returned

type ConfigTesting

type ConfigTesting struct {
	// ConnectFailureC is a channel to notify of failures to connect to auth (used in tests).
	ConnectFailureC chan time.Duration

	// UploadEventsC is a channel for upload events used in tests
	UploadEventsC chan events.UploadEvent `json:"-"`

	// ClientTimeout is set to override default client timeouts
	// used by internal clients, used to speed up integration tests.
	ClientTimeout time.Duration

	// ShutdownTimeout is set to override default shutdown timeout.
	ShutdownTimeout time.Duration

	// TeleportVersion is used to control the Teleport version in tests.
	TeleportVersion string

	// KubeMultiplexerIgnoreSelfConnections signals that Proxy TLS server's listener should
	// require PROXY header if 'proxyProtocolMode: true' even from self connections. Used in tests as all connections are self
	// connections there.
	KubeMultiplexerIgnoreSelfConnections bool

	// OpenAIConfig contains the optional OpenAI client configuration used by
	// auth and proxy. When it's not set (the default, we don't offer a way to
	// set it when executing the regular Teleport binary) we use the default
	// configuration with auth tokens passed from Auth.AssistAPIKey or
	// Proxy.AssistAPIKey. We set this only when testing to avoid calls to reach
	// the real OpenAI API.
	// Note: When set, this overrides Auth and Proxy's AssistAPIKey settings.
	OpenAIConfig *openai.ClientConfig
}

type Database

type Database struct {
	// Name is the database name, used to refer to in CLI.
	Name string
	// Description is a free-form database description.
	Description string
	// Protocol is the database type, e.g. postgres or mysql.
	Protocol string
	// URI is the database endpoint to connect to.
	URI string
	// StaticLabels is a map of database static labels.
	StaticLabels map[string]string
	// MySQL are additional MySQL database options.
	MySQL MySQLOptions
	// DynamicLabels is a list of database dynamic labels.
	DynamicLabels services.CommandLabels
	// TLS keeps database connection TLS configuration.
	TLS DatabaseTLS
	// AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
	AWS DatabaseAWS
	// GCP contains GCP specific settings for Cloud SQL databases.
	GCP DatabaseGCP
	// AD contains Active Directory configuration for database.
	AD DatabaseAD
	// Azure contains Azure database configuration.
	Azure DatabaseAzure
	// AdminUser contains information about database admin user.
	AdminUser DatabaseAdminUser
	// Oracle are additional Oracle database options.
	Oracle OracleOptions
}

Database represents a single database that's being proxied.

func (*Database) CheckAndSetDefaults

func (d *Database) CheckAndSetDefaults() error

CheckAndSetDefaults validates the database proxy configuration.

func (*Database) ToDatabase

func (d *Database) ToDatabase() (types.Database, error)

ToDatabase converts Database to types.Database.

type DatabaseAD

type DatabaseAD struct {
	// KeytabFile is the path to the Kerberos keytab file.
	KeytabFile string
	// Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
	Krb5File string
	// Domain is the Active Directory domain the database resides in.
	Domain string
	// SPN is the service principal name for the database.
	SPN string
	// LDAPCert is the Active Directory LDAP Certificate.
	LDAPCert string
	// KDCHostName is the Key Distribution Center Hostname for x509 authentication
	KDCHostName string
}

DatabaseAD contains database Active Directory configuration.

func (*DatabaseAD) CheckAndSetDefaults

func (d *DatabaseAD) CheckAndSetDefaults(name string) error

CheckAndSetDefaults validates database Active Directory configuration.

func (*DatabaseAD) IsEmpty

func (d *DatabaseAD) IsEmpty() bool

IsEmpty returns true if the database AD configuration is empty.

type DatabaseAWS

type DatabaseAWS struct {
	// Region is the cloud region database is running in when using AWS RDS.
	Region string
	// Redshift contains Redshift specific settings.
	Redshift DatabaseAWSRedshift
	// RDS contains RDS specific settings.
	RDS DatabaseAWSRDS
	// ElastiCache contains ElastiCache specific settings.
	ElastiCache DatabaseAWSElastiCache
	// MemoryDB contains MemoryDB specific settings.
	MemoryDB DatabaseAWSMemoryDB
	// SecretStore contains settings for managing secrets.
	SecretStore DatabaseAWSSecretStore
	// AccountID is the AWS account ID.
	AccountID string
	// AssumeRoleARN is the AWS role to assume to before accessing the database.
	AssumeRoleARN string
	// ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts.
	ExternalID string
	// RedshiftServerless contains AWS Redshift Serverless specific settings.
	RedshiftServerless DatabaseAWSRedshiftServerless
	// SessionTags is a list of AWS STS session tags.
	SessionTags map[string]string
}

DatabaseAWS contains AWS specific settings for RDS/Aurora databases.

type DatabaseAWSElastiCache

type DatabaseAWSElastiCache struct {
	// ReplicationGroupID is the ElastiCache replication group ID.
	ReplicationGroupID string
}

DatabaseAWSElastiCache contains settings for ElastiCache databases.

type DatabaseAWSMemoryDB

type DatabaseAWSMemoryDB struct {
	// ClusterName is the MemoryDB cluster name.
	ClusterName string
}

DatabaseAWSMemoryDB contains settings for MemoryDB databases.

type DatabaseAWSRDS

type DatabaseAWSRDS struct {
	// InstanceID is the RDS instance identifier.
	InstanceID string
	// ClusterID is the RDS cluster (Aurora) identifier.
	ClusterID string
}

DatabaseAWSRDS contains AWS RDS specific settings.

type DatabaseAWSRedshift

type DatabaseAWSRedshift struct {
	// ClusterID is the Redshift cluster identifier.
	ClusterID string
}

DatabaseAWSRedshift contains AWS Redshift specific settings.

type DatabaseAWSRedshiftServerless

type DatabaseAWSRedshiftServerless struct {
	// WorkgroupName is the Redshift Serverless workgroup name.
	WorkgroupName string
	// EndpointName is the Redshift Serverless VPC endpoint name.
	EndpointName string
}

DatabaseAWSRedshiftServerless contains AWS Redshift Serverless specific settings.

type DatabaseAWSSecretStore

type DatabaseAWSSecretStore struct {
	// KeyPrefix specifies the secret key prefix.
	KeyPrefix string
	// KMSKeyID specifies the AWS KMS key for encryption.
	KMSKeyID string
}

DatabaseAWSSecretStore contains secret store configurations.

type DatabaseAdminUser

type DatabaseAdminUser struct {
	// Name is the database admin username (e.g. "postgres").
	Name string
	// DefaultDatabase is the database that the admin user logs into by
	// default.
	//
	// Depending on the database type, this database may be used to store
	// procedures or data for managing database users.
	DefaultDatabase string
}

DatabaseAdminUser contains information about database admin user.

type DatabaseAzure

type DatabaseAzure struct {
	// ResourceID is the Azure fully qualified ID for the resource.
	ResourceID string
	// IsFlexiServer is true if the database is an Azure Flexible server.
	IsFlexiServer bool
}

DatabaseAzure contains Azure database configuration.

type DatabaseGCP

type DatabaseGCP struct {
	// ProjectID is the GCP project ID where the database is deployed.
	ProjectID string
	// InstanceID is the Cloud SQL instance ID.
	InstanceID string
}

DatabaseGCP contains GCP specific settings for Cloud SQL databases.

type DatabaseTLS

type DatabaseTLS struct {
	// Mode is the TLS connection mode. See TLSMode for more details.
	Mode TLSMode
	// ServerName allows providing custom server name.
	// This name will override DNS name when validating certificate presented by the database.
	ServerName string
	// CACert is an optional database CA certificate.
	CACert []byte
}

DatabaseTLS keeps TLS settings used when connecting to database.

type DatabasesConfig

type DatabasesConfig struct {
	// Enabled enables the database proxy service.
	Enabled bool
	// Databases is a list of databases proxied by this service.
	Databases []Database
	// ResourceMatchers match cluster database resources.
	ResourceMatchers []services.ResourceMatcher
	// AWSMatchers match AWS hosted databases.
	AWSMatchers []types.AWSMatcher
	// AzureMatchers match Azure hosted databases.
	AzureMatchers []types.AzureMatcher
	// Limiter limits the connection and request rates.
	Limiter limiter.Config
}

DatabasesConfig configures the database proxy service.

type DiscoveryConfig

type DiscoveryConfig struct {
	Enabled bool
	// AWSMatchers are used to match EC2 instances for auto enrollment.
	AWSMatchers []types.AWSMatcher
	// AzureMatchers are used to match resources for auto enrollment.
	AzureMatchers []types.AzureMatcher
	// GCPMatchers are used to match GCP resources for auto discovery.
	GCPMatchers []types.GCPMatcher
	// KubernetesMatchers are used to match services inside Kubernetes cluster for auto discovery
	KubernetesMatchers []types.KubernetesMatcher
	// DiscoveryGroup is the name of the discovery group that the current
	// discovery service is a part of.
	// It is used to filter out discovered resources that belong to another
	// discovery services. When running in high availability mode and the agents
	// have access to the same cloud resources, this field value must be the same
	// for all discovery services. If different agents are used to discover different
	// sets of cloud resources, this field must be different for each set of agents.
	DiscoveryGroup string
	// PollInterval is the cadence at which the discovery server will run each of its
	// discovery cycles.
	PollInterval time.Duration
}

func (DiscoveryConfig) IsEmpty

func (d DiscoveryConfig) IsEmpty() bool

IsEmpty validates if the Discovery Service config has no matchers and no discovery group. DiscoveryGroup is used to dynamically load Matchers when changing DiscoveryConfig resources.

type FileDescriptor

type FileDescriptor struct {

	// Type is a listener type, e.g. auth:ssh
	Type string
	// Address is an address of the listener, e.g. 127.0.0.1:3025
	Address string
	// File is a file descriptor associated with the listener
	File *os.File
	// contains filtered or unexported fields
}

FileDescriptor is a file descriptor associated with a listener

func (*FileDescriptor) Close

func (fd *FileDescriptor) Close() error

func (*FileDescriptor) ToListener

func (fd *FileDescriptor) ToListener() (net.Listener, error)
type Header struct {
	// Name is the http header name.
	Name string
	// Value is the http header value.
	Value string
}

Header represents a single http header passed over to the proxied application.

func ParseHeader

func ParseHeader(header string) (*Header, error)

ParseHeader parses the provided string as a http header.

func ParseHeaders

func ParseHeaders(headers []string) (headersOut []Header, err error)

ParseHeaders parses the provided list as http headers.

type HostLabelRule

type HostLabelRule struct {
	Regexp *regexp.Regexp
	Labels map[string]string
}

HostLabelRule specifies a set of labels that should be applied to hosts matching the provided regexp.

type HostLabelRules

type HostLabelRules struct {
	// contains filtered or unexported fields
}

HostLabelRules is a collection of rules describing how to apply labels to hosts.

func NewHostLabelRules

func NewHostLabelRules(rules ...HostLabelRule) HostLabelRules

func (HostLabelRules) LabelsForHost

func (h HostLabelRules) LabelsForHost(host string) map[string]string

LabelsForHost returns the set of all labels that should be applied to the specified host. If multiple rules match and specify the same label keys, the value will be that of the last matching rule.

type HostedPluginsConfig

type HostedPluginsConfig struct {
	Enabled        bool
	OAuthProviders PluginOAuthProviders
}

HostedPluginsConfig configures the hosted plugin runtime.

type IdP

type IdP struct {
	// SAMLIdP is configuration options for the SAML identity provider.
	SAMLIdP SAMLIdP
}

IdP configures identity providers.

type ImpersonationPermissionsChecker

type ImpersonationPermissionsChecker func(ctx context.Context, clusterName string,
	sarClient authztypes.SelfSubjectAccessReviewInterface) error

ImpersonationPermissionsChecker describes a function that can be used to check for the required impersonation permissions on a Kubernetes cluster. Return nil to indicate success.

type JamfConfig

type JamfConfig struct {
	// Spec is the configuration spec.
	Spec *types.JamfSpecV1
	// ExitOnSync controls whether the service performs a single sync operation
	// before exiting.
	ExitOnSync bool
}

JamfConfig is the configuration for the Jamf MDM service.

func (*JamfConfig) Enabled

func (j *JamfConfig) Enabled() bool

type JoinParams

type JoinParams struct {
	Azure AzureJoinParams
}

JoinParams is a set of extra parameters for joining the auth server.

type KeyPairPath

type KeyPairPath struct {
	// PrivateKey is the path to a PEM encoded private key.
	PrivateKey string
	// Certificate is the path to a PEM encoded certificate.
	Certificate string
}

KeyPairPath are paths to a key and certificate file.

type KubeConfig

type KubeConfig struct {
	// Enabled turns kubernetes service role on or off for this process
	Enabled bool

	// ListenAddr is the address to listen on for incoming kubernetes requests.
	// Optional.
	ListenAddr *utils.NetAddr

	// PublicAddrs is a list of the public addresses the Teleport kubernetes
	// service can be reached by the proxy service.
	PublicAddrs []utils.NetAddr

	// KubeClusterName is the name of a kubernetes cluster this proxy is running
	// in. If empty, defaults to the Teleport cluster name.
	KubeClusterName string

	// KubeconfigPath is a path to kubeconfig
	KubeconfigPath string

	// Labels are used for RBAC on clusters.
	StaticLabels  map[string]string
	DynamicLabels services.CommandLabels

	// Limiter limits the connection and request rates.
	Limiter limiter.Config

	// CheckImpersonationPermissions is an optional override to the default
	// impersonation permissions check, for use in testing.
	CheckImpersonationPermissions ImpersonationPermissionsChecker

	// ResourceMatchers match dynamic kube_cluster resources.
	ResourceMatchers []services.ResourceMatcher
}

KubeConfig specifies configuration for Teleport's Kubernetes service

type KubeProxyConfig

type KubeProxyConfig struct {
	// Enabled turns kubernetes proxy role on or off for this process
	Enabled bool

	// ListenAddr is the address to listen on for incoming kubernetes requests.
	ListenAddr utils.NetAddr

	// ClusterOverride causes all traffic to go to a specific remote
	// cluster, used only in tests
	ClusterOverride string

	// PublicAddrs is a list of the public addresses the Teleport Kube proxy can be accessed by,
	// it also affects the host principals and routing logic
	PublicAddrs []utils.NetAddr

	// KubeconfigPath is a path to kubeconfig
	KubeconfigPath string

	// LegacyKubeProxy specifies that this proxy was configured using the
	// legacy kubernetes section.
	LegacyKubeProxy bool
}

KubeProxyConfig specifies the Kubernetes configuration for Teleport's proxy service

type LDAPConfig

type LDAPConfig struct {
	// Addr is the address:port of the LDAP server (typically port 389).
	Addr string
	// Domain is the ActiveDirectory domain name.
	Domain string
	// Username for LDAP authentication.
	Username string
	// SID is the SID for the user specified by Username.
	SID string
	// InsecureSkipVerify decides whether whether we skip verifying with the LDAP server's CA when making the LDAPS connection.
	InsecureSkipVerify bool
	// ServerName is the name of the LDAP server for TLS.
	ServerName string
	// CA is an optional CA cert to be used for verification if InsecureSkipVerify is set to false.
	CA *x509.Certificate
}

LDAPConfig is the LDAP connection parameters.

type LDAPDiscoveryConfig

type LDAPDiscoveryConfig struct {
	// BaseDN is the base DN to search for desktops.
	// Use the value '*' to search from the root of the domain,
	// or leave blank to disable desktop discovery.
	BaseDN string
	// Filters are additional LDAP filters to apply to the search.
	// See: https://ldap.com/ldap-filters/
	Filters []string
	// LabelAttributes are LDAP attributes to apply to hosts discovered
	// via LDAP. Teleport labels hosts by prefixing the attribute with
	// "ldap/" - for example, a value of "location" here would result in
	// discovered desktops having a label with key "ldap/location" and
	// the value being the value of the "location" attribute.
	LabelAttributes []string
}

LDAPDiscoveryConfig is LDAP discovery configuration for windows desktop discovery service.

type MetricsConfig

type MetricsConfig struct {
	// Enabled turns the metrics service role on or off for this process
	Enabled bool

	// ListenAddr is the address to listen on for incoming metrics requests.
	// Optional.
	ListenAddr *utils.NetAddr

	// MTLS turns mTLS on the metrics service on or off
	MTLS bool

	// KeyPairs are the key and certificate pairs that the metrics service will
	// use for mTLS.
	// Used in conjunction with MTLS = true
	KeyPairs []KeyPairPath

	// CACerts are prometheus ca certs
	// use for mTLS.
	// Used in conjunction with MTLS = true
	CACerts []string

	// GRPCServerLatency enables histogram metrics for each grpc endpoint on the auth server
	GRPCServerLatency bool

	// GRPCServerLatency enables histogram metrics for each grpc endpoint on the auth server
	GRPCClientLatency bool
}

MetricsConfig specifies configuration for the metrics service

type MySQLOptions

type MySQLOptions struct {
	// ServerVersion is the version reported by Teleport DB Proxy on initial handshake.
	ServerVersion string
}

MySQLOptions are additional MySQL options.

type OktaConfig

type OktaConfig struct {
	// Enabled turns the Okta service on or off for this process
	Enabled bool

	// APIEndpoint is the Okta API endpoint to use.
	APIEndpoint string

	// APITokenPath is the path to the Okta API token.
	APITokenPath string

	// SyncPeriod is the duration between synchronization calls.
	SyncPeriod time.Duration
}

OktaConfig specifies configuration for the Okta service.

type OpenSSHConfig

type OpenSSHConfig struct {
	Enabled bool
	// SSHDConfigPath is the path to the OpenSSH config file.
	SSHDConfigPath string
	// RestartSSHD is true if sshd should be restarted after config updates.
	RestartSSHD bool
	// RestartCommand is the command to use when restarting sshd.
	RestartCommand string
	// CheckCommand is the command to use when validating sshd config.
	CheckCommand string
	// AdditionalPrincipals is a list of additional principals to be included.
	AdditionalPrincipals []string
	// InstanceAddr is the connectable address of the OpenSSh instance.
	InstanceAddr string
	// ProxyServer is the address of the teleport proxy.
	ProxyServer *utils.NetAddr
	// Labels are labels to set on the instance.
	Labels map[string]string
}

type OracleOptions

type OracleOptions struct {
	// AuditUser is the Oracle database user privilege to access internal Oracle audit trail.
	AuditUser string
}

OracleOptions are additional Oracle options.

type PAMConfig

type PAMConfig struct {
	// Enabled controls if PAM checks will occur or not.
	Enabled bool

	// ServiceName is the name of the policy to apply typically in /etc/pam.d/
	ServiceName string

	// Login is the *nix login that that is being used.
	Login string `json:"login"`

	// Env is a list of extra environment variables to pass to the PAM modules.
	Env map[string]string

	// Stdin is the input stream which the conversation function will use to
	// obtain data from the user.
	Stdin io.Reader

	// Stdout is the output stream which the conversation function will use to
	// show data to the user.
	Stdout io.Writer

	// Stderr is the output stream which the conversation function will use to
	// report errors to the user.
	Stderr io.Writer

	// UsePAMAuth specifies whether to trigger the "auth" PAM modules from the
	// policy.
	UsePAMAuth bool

	// Environment represents environment variables to pass to PAM.
	// These may contain role-style interpolation syntax.
	Environment map[string]string
}

PAMConfig holds the configuration used by Teleport when creating a PAM context and executing PAM transactions.

func (*PAMConfig) CheckDefaults

func (c *PAMConfig) CheckDefaults() error

CheckDefaults makes sure the PAMConfig structure has minimum required values.

type PluginOAuthProviders

type PluginOAuthProviders struct {
	Slack *oauth2.ClientCredentials
}

PluginOAuthProviders holds application credentials for each 3rd party API provider

type ProxyConfig

type ProxyConfig struct {
	// Enabled turns proxy role on or off for this process
	Enabled bool

	// DisableTLS is enabled if we don't want self-signed certs
	DisableTLS bool

	// DisableWebInterface allows turning off serving the Web UI interface
	DisableWebInterface bool

	// DisableWebService turns off serving web service completely, including web UI
	DisableWebService bool

	// DisableReverseTunnel disables reverse tunnel on the proxy
	DisableReverseTunnel bool

	// DisableDatabaseProxy disables database access proxy listener
	DisableDatabaseProxy bool

	// ReverseTunnelListenAddr is address where reverse tunnel dialers connect to
	ReverseTunnelListenAddr utils.NetAddr

	// PROXYProtocolMode controls behavior related to unsigned PROXY protocol headers.
	PROXYProtocolMode multiplexer.PROXYProtocolMode

	// WebAddr is address for web portal of the proxy
	WebAddr utils.NetAddr

	// SSHAddr is address of ssh proxy
	SSHAddr utils.NetAddr

	// MySQLAddr is address of MySQL proxy.
	MySQLAddr utils.NetAddr

	// MySQLServerVersion  allows to override the default MySQL Engine Version propagated by Teleport Proxy.
	MySQLServerVersion string

	// PostgresAddr is address of Postgres proxy.
	PostgresAddr utils.NetAddr

	// MongoAddr is address of Mongo proxy.
	MongoAddr utils.NetAddr

	// PeerAddress is the proxy peering address.
	PeerAddress utils.NetAddr

	// PeerPublicAddr is the public address the proxy advertises for proxy
	// peering clients.
	PeerPublicAddr utils.NetAddr

	Limiter limiter.Config

	// PublicAddrs is a list of the public addresses the proxy advertises
	// for the HTTP endpoint. The hosts in PublicAddr are included in the
	// list of host principals on the TLS and SSH certificate.
	PublicAddrs []utils.NetAddr

	// SSHPublicAddrs is a list of the public addresses the proxy advertises
	// for the SSH endpoint. The hosts in PublicAddr are included in the
	// list of host principals on the TLS and SSH certificate.
	SSHPublicAddrs []utils.NetAddr

	// TunnelPublicAddrs is a list of the public addresses the proxy advertises
	// for the tunnel endpoint. The hosts in PublicAddr are included in the
	// list of host principals on the TLS and SSH certificate.
	TunnelPublicAddrs []utils.NetAddr

	// PostgresPublicAddrs is a list of the public addresses the proxy
	// advertises for Postgres clients.
	PostgresPublicAddrs []utils.NetAddr

	// MySQLPublicAddrs is a list of the public addresses the proxy
	// advertises for MySQL clients.
	MySQLPublicAddrs []utils.NetAddr

	// MongoPublicAddrs is a list of the public addresses the proxy
	// advertises for Mongo clients.
	MongoPublicAddrs []utils.NetAddr

	// Kube specifies kubernetes proxy configuration
	Kube KubeProxyConfig

	// KeyPairs are the key and certificate pairs that the proxy will load.
	KeyPairs []KeyPairPath

	// KeyPairsReloadInterval is the interval between attempts to reload
	// x509 key pairs. If set to 0, then periodic reloading is disabled.
	KeyPairsReloadInterval time.Duration

	// ACME is ACME protocol support config
	ACME ACME

	// IdP is the identity provider config
	//
	//nolint:revive // Because we want this to be IdP.
	IdP IdP

	// DisableALPNSNIListener allows turning off the ALPN Proxy listener. Used in tests.
	DisableALPNSNIListener bool

	// UI provides config options for the web UI
	UI webclient.UIConfig

	// AssistAPIKey is the OpenAI API key.
	// TODO: This key will be moved to a plugin once support for plugins is implemented.
	AssistAPIKey string

	// TrustXForwardedFor enables the service to take client source IPs from
	// the "X-Forwarded-For" headers for web APIs recevied from layer 7 load
	// balancers or reverse proxies.
	TrustXForwardedFor bool

	// ProxyGroupID is the reverse tunnel group ID, advertised as a label and
	// used by reverse tunnel agents in proxy peering mode. The empty group ID
	// is a valid group ID.
	ProxyGroupID string

	// ProxyGroupGeneration is the reverse tunnel group generation, advertised
	// as a label and used by reverse tunnel agents in proxy peering mode. Zero
	// is a valid generation.
	ProxyGroupGeneration uint64

	// AutomaticUpgradesChannels is a map of all version channels used by the
	// proxy built-in version server to retrieve target versions. This is part
	// of the automatic upgrades.
	AutomaticUpgradesChannels automaticupgrades.Channels
}

ProxyConfig specifies the configuration for Teleport's Proxy Service

func (ProxyConfig) KubeAddr

func (c ProxyConfig) KubeAddr() (string, error)

KubeAddr returns the address for the Kubernetes endpoint on this proxy that can be reached by clients.

func (ProxyConfig) PeerAddr

func (c ProxyConfig) PeerAddr() (*utils.NetAddr, error)

PeerAddr returns the address the proxy advertises for proxy peering clients.

func (ProxyConfig) PublicPeerAddr

func (c ProxyConfig) PublicPeerAddr() (*utils.NetAddr, error)

PublicPeerAddr attempts to returns the public address the proxy advertises for proxy peering clients if available. It falls back to PeerAddr othewise.

func (ProxyConfig) WebPublicAddr

func (c ProxyConfig) WebPublicAddr() (string, error)

WebPublicAddr returns the address for the web endpoint on this proxy that can be reached by clients.

type RestrictedSessionConfig

type RestrictedSessionConfig struct {
	// Enabled if this service will try and install BPF programs on this system.
	Enabled bool

	// EventsBufferSize is the size (in pages) of the perf buffer for events.
	EventsBufferSize *int
}

RestrictedSessionConfig holds configuration for the RestrictedSession service.

func (*RestrictedSessionConfig) CheckAndSetDefaults

func (c *RestrictedSessionConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks BPF configuration.

type Rewrite

type Rewrite struct {
	// Redirect is a list of hosts that should be rewritten to the public address.
	Redirect []string
	// Headers is a list of extra headers to inject in the request.
	Headers []Header
	// JWTClaims configures whether roles/traits are included in the JWT token.
	JWTClaims string
}

Rewrite is a list of rewriting rules to apply to requests and responses.

type RoleAndIdentityEvent

type RoleAndIdentityEvent struct {
	// Role is a system role.
	Role types.SystemRole

	// IdentityEvent is the identity event associated with the above role.
	IdentityEvent string
}

RoleAndIdentityEvent is a role and its corresponding identity event.

type SAMLIdP

type SAMLIdP struct {
	// Enabled enables or disables the identity provider.
	Enabled bool
	// BaseURL is the base URL for the identity provider.
	BaseURL string
}

SAMLIdP configures SAML identity providers

type SSHConfig

type SSHConfig struct {
	Enabled               bool
	Addr                  utils.NetAddr
	Namespace             string
	Shell                 string
	Limiter               limiter.Config
	Labels                map[string]string
	CmdLabels             services.CommandLabels
	PermitUserEnvironment bool

	// PAM holds PAM configuration for Teleport.
	PAM *PAMConfig

	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr

	// BPF holds BPF configuration for Teleport.
	BPF *BPFConfig

	// RestrictedSession holds kernel objects restrictions for Teleport.
	RestrictedSession *RestrictedSessionConfig

	// AllowTCPForwarding indicates that TCP port forwarding is allowed on this node
	AllowTCPForwarding bool

	// IdleTimeoutMessage is sent to the client when a session expires due to
	// the inactivity timeout expiring. The empty string indicates that no
	// timeout message will be sent.
	IdleTimeoutMessage string

	// X11 holds x11 forwarding configuration for Teleport.
	X11 *x11.ServerConfig

	// AllowFileCopying indicates whether this node is allowed to handle
	// remote file operations via SCP or SFTP.
	AllowFileCopying bool

	// DisableCreateHostUser disables automatic user provisioning on this
	// SSH node.
	DisableCreateHostUser bool
}

SSHConfig configures Teleport's SSH service.

type TLSMode

type TLSMode string

TLSMode defines all possible database verification modes.

const (
	// VerifyFull is the strictest. Verifies certificate and server name.
	VerifyFull TLSMode = "verify-full"
	// VerifyCA checks the certificate, but skips the server name verification.
	VerifyCA TLSMode = "verify-ca"
	// Insecure accepts any certificate.
	Insecure TLSMode = "insecure"
)

func (*TLSMode) CheckAndSetDefaults

func (m *TLSMode) CheckAndSetDefaults() error

CheckAndSetDefaults check if TLSMode holds a correct value. If the value is not set VerifyFull is set as a default. BadParameter error is returned if value set is incorrect.

func (TLSMode) ToProto

func (m TLSMode) ToProto() types.DatabaseTLSMode

ToProto returns a matching protobuf type or VerifyFull for empty value.

type TracingConfig

type TracingConfig struct {
	// Enabled turns the tracing service role on or off for this process.
	Enabled bool

	// ExporterURL is the OTLP exporter URL to send spans to.
	ExporterURL string

	// KeyPairs are the paths for key and certificate pairs that the tracing
	// service will use for outbound TLS connections.
	KeyPairs []KeyPairPath

	// CACerts are the paths to the CA certs used to validate the collector.
	CACerts []string

	// SamplingRate is the sampling rate for the exporter.
	// 1.0 will record and export all spans and 0.0 won't record any spans.
	SamplingRate float64
}

TracingConfig specifies the configuration for the tracing service

func (TracingConfig) Config

func (t TracingConfig) Config(attrs ...attribute.KeyValue) (*tracing.Config, error)

Config generates a tracing.Config that is populated from the values provided to the tracing_service

type WindowsDesktopConfig

type WindowsDesktopConfig struct {
	Enabled bool
	// ListenAddr is the address to listed on for incoming desktop connections.
	ListenAddr utils.NetAddr
	// PublicAddrs is a list of advertised public addresses of the service.
	PublicAddrs []utils.NetAddr
	// ShowDesktopWallpaper determines whether desktop sessions will show a
	// user-selected wallpaper vs a system-default, single-color wallpaper.
	ShowDesktopWallpaper bool
	// LDAP is the LDAP connection parameters.
	LDAP LDAPConfig
	// PKIDomain optionally configures a separate Active Directory domain
	// for PKI operations. If empty, the domain from the LDAP config is used.
	// This can be useful for cases where PKI is configured in a root domain
	// but Teleport is used to provide access to users and computers in a child
	// domain.
	PKIDomain string

	// Discovery configures automatic desktop discovery via LDAP.
	Discovery LDAPDiscoveryConfig

	// StaticHosts is an optional list of static Windows hosts to expose through this
	// service.
	StaticHosts []WindowsHost

	// ConnLimiter limits the connection and request rates.
	ConnLimiter limiter.Config
	// HostLabels specifies rules that are used to apply labels to Windows hosts.
	HostLabels HostLabelRules
	Labels     map[string]string
}

WindowsDesktopConfig specifies the configuration for the Windows Desktop Access service.

type WindowsHost

type WindowsHost struct {
	// Name that will be used in the Teleport UI
	Name string
	// Address of the remote Windows host
	Address utils.NetAddr
	// AD is true if the host is part of the Active Directory domain
	AD bool
	// Labels to be applied to the host
	Labels map[string]string
}

WindowsHost is configuration for single Windows desktop host

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL