config

package
v1.2.3-fred.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 18, 2022 License: Apache-2.0 Imports: 40 Imported by: 0

Documentation

Index

Constants

View Source
const (
	DefaultCertificateTTL = 60 * time.Minute
	DefaultRenewInterval  = 20 * time.Minute
	DefaultJoinMethod     = "token"
)
View Source
const (
	// TemplateSSHClientName is the config name for generating ssh client
	// config files.
	TemplateSSHClientName = "ssh_client"

	// TemplateIdentityName is the config name for Teleport identity files.
	TemplateIdentityName = "identity"

	// TemplateTLSName is the config name for TLS client certificates.
	TemplateTLSName = "tls"

	// TemplateTLSCAsName is the config name for TLS CA certificates.
	TemplateTLSCAsName = "tls_cas"

	// TemplateMongoName is the config name for MongoDB-formatted certificates.
	TemplateMongoName = "mongo"

	// TemplateCockroachName is the config name for CockroachDB-formatted
	// certificates.
	TemplateCockroachName = "cockroach"

	// TemplateKubernetesName is the config name for generating Kubernetes
	// client config files
	TemplateKubernetesName = "kubernetes"

	// TemplateSSHHostCertName is the config name for generating SSH host
	// certificates
	TemplateSSHHostCertName = "ssh_host_cert"
)

Variables

AllConfigTemplates lists all valid config templates, intended for help messages

Functions

func GetRequiredConfigs

func GetRequiredConfigs() []string

GetRequiredConfig returns the static list of all default / required config templates.

func RemainingArgs

func RemainingArgs(s kingpin.Settings) (target *[]string)

RemainingArgs returns a list of remaining arguments for the given command.

Types

type App

type App struct {
	App string `yaml:"app,omitempty"`
}

App is a cert request for app access.

func (*App) CheckAndSetDefaults

func (ac *App) CheckAndSetDefaults() error

func (*App) MarshalYAML

func (ac *App) MarshalYAML() (interface{}, error)

func (*App) UnmarshalYAML

func (ac *App) UnmarshalYAML(node *yaml.Node) error

type Bot

type Bot interface {
	// AuthPing pings the auth server and returns the (possibly cached) response.
	AuthPing(ctx context.Context) (*proto.PingResponse, error)

	// ProxyPing returns a (possibly cached) ping response from the Teleport proxy.
	// Note that it relies on the auth server being configured with a sane proxy
	// public address.
	ProxyPing(ctx context.Context) (*webclient.PingResponse, error)

	// GetCertAuthorities returns the possibly cached CAs of the given type and
	// requests them from the server if unavailable.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType) ([]types.CertAuthority, error)

	// Client retrieves the current auth client.
	Client() auth.ClientI

	// AuthenticatedUserClientFromIdentity returns a client backed by a specific
	// identity.
	AuthenticatedUserClientFromIdentity(ctx context.Context, id *identity.Identity) (auth.ClientI, error)

	// Config returns the current bot config
	Config() *BotConfig
}

Bot is an interface covering various public tbot.Bot methods to circumvent import cycle issues.

type BotConfig

type BotConfig struct {
	Onboarding   *OnboardingConfig    `yaml:"onboarding,omitempty"`
	Storage      *StorageConfig       `yaml:"storage,omitempty"`
	Destinations []*DestinationConfig `yaml:"destinations,omitempty"`

	Debug           bool          `yaml:"debug"`
	AuthServer      string        `yaml:"auth_server"`
	CertificateTTL  time.Duration `yaml:"certificate_ttl"`
	RenewalInterval time.Duration `yaml:"renewal_interval"`
	Oneshot         bool          `yaml:"oneshot"`
}

BotConfig is the bot's root config object.

func FromCLIConf

func FromCLIConf(cf *CLIConf) (*BotConfig, error)

FromCLIConf loads bot config from CLI parameters, potentially loading and merging a configuration file if specified. CheckAndSetDefaults() will be called. Note that CLI flags, if specified, will override file values.

func NewDefaultConfig

func NewDefaultConfig(authServer string) (*BotConfig, error)

NewDefaultConfig creates a new minimal bot configuration from defaults. CheckAndSetDefaults() will be called.

func ReadConfig

func ReadConfig(reader io.Reader) (*BotConfig, error)

ReadConfig parses a YAML config file from a Reader.

func ReadConfigFromFile

func ReadConfigFromFile(filePath string) (*BotConfig, error)

ReadFromFile reads and parses a YAML config from a file.

func (*BotConfig) CheckAndSetDefaults

func (conf *BotConfig) CheckAndSetDefaults() error

func (*BotConfig) GetDestinationByPath

func (conf *BotConfig) GetDestinationByPath(path string) (*DestinationConfig, error)

GetDestinationByPath attempts to fetch a destination by its filesystem path. Only valid for filesystem destinations; returns nil if no matching destination exists.

type BotConfigWriter

type BotConfigWriter struct {
	// contains filtered or unexported fields
}

BotConfigWriter is a trivial adapter to use the identityfile package with bot destinations.

func (*BotConfigWriter) Remove

func (b *BotConfigWriter) Remove(name string) error

Remove removes files. This is a dummy implementation that always returns not found.

func (*BotConfigWriter) Stat

func (b *BotConfigWriter) Stat(name string) (fs.FileInfo, error)

Stat checks file status. This implementation always returns not found.

func (*BotConfigWriter) WriteFile

func (b *BotConfigWriter) WriteFile(name string, data []byte, _ os.FileMode) error

WriteFile writes the file to the destination. Only the basename of the path is used. Specified permissions are ignored.

type CLIConf

type CLIConf struct {
	ConfigPath string

	Debug bool

	// AuthServer is a Teleport auth server address. It may either point
	// directly to an auth server, or to a Teleport proxy server in which case
	// a tunneled auth connection will be established.
	AuthServer string

	// DataDir stores the bot's internal data.
	DataDir string

	// DestinationDir stores the generated end-user certificates.
	DestinationDir string

	// CAPins is a list of pinned SKPI hashes of trusted auth server CAs, used
	// only on first connect.
	CAPins []string

	// Token is a bot join token.
	Token string

	// RenewalInterval is the interval at which certificates are renewed, as a
	// time.ParseDuration() string. It must be less than the certificate TTL.
	RenewalInterval time.Duration

	// CertificateTTL is the requested TTL of certificates. It should be some
	// multiple of the renewal interval to allow for failed renewals.
	CertificateTTL time.Duration

	// JoinMethod is the method the bot should use to exchange a token for the
	// initial certificate
	JoinMethod string

	// Oneshot controls whether the bot quits after a single renewal.
	Oneshot bool

	// InitDir specifies which destination to initialize if multiple are
	// configured.
	InitDir string

	// BotUser is a Unix username that should be given permission to write
	BotUser string

	// ReaderUser is the Unix username that will be reading the files
	ReaderUser string

	// Owner is the user:group that will own the destination files. Due to SSH
	// restrictions on key permissions, it cannot be the same as the reader
	// user. If ACL support is unused or unavailable, the reader user will own
	// files directly.
	Owner string

	// Clean is a flag that, if set, instructs `tbot init` to remove existing
	// unexpected files.
	Clean bool

	// ConfigureOutput provides a path that the generated configuration file
	// should be written to
	ConfigureOutput string

	// Proxy is the teleport proxy address. Unlike `AuthServer` this must
	// explicitly point to a Teleport proxy.
	Proxy string

	// Cluster is the name of the Teleport cluster on which resources should
	// be accessed.
	Cluster string

	// RemainingArgs is the remaining string arguments for commands that
	// require them.
	RemainingArgs []string
}

CLIConf is configuration from the CLI.

type CertAuthType

type CertAuthType types.CertAuthType

CertAuthType is a types.CertAuthType wrapper with unmarshalling support.

func (*CertAuthType) CheckAndSetDefaults

func (c *CertAuthType) CheckAndSetDefaults() error

func (*CertAuthType) UnmarshalYAML

func (c *CertAuthType) UnmarshalYAML(node *yaml.Node) error

type Database

type Database struct {
	// Service is the service name of the Teleport database. Generally this is
	// the name of the Teleport resource.
	Service string `yaml:"service,omitempty"`

	// Database is the name of the database to request access to.
	Database string `yaml:"database,omitempty"`

	// Username is the database username to request access as.
	Username string `yaml:"username,omitempty"`
}

Database is the config for a database access request.

func (*Database) CheckAndSetDefaults

func (dc *Database) CheckAndSetDefaults() error

type DestinationConfig

type DestinationConfig struct {
	DestinationMixin `yaml:",inline"`

	Roles   []string         `yaml:"roles,omitempty"`
	Configs []TemplateConfig `yaml:"configs,omitempty"`

	// Kinds is a deprecated and unused field that remains for compatibility
	// reasons.
	// DELETE IN 11.0.0: Kinds should be removed after a grace period.
	Kinds []string `yaml:"kinds,omitempty"`

	// Database is a database to request access to. Mutually exclusive with
	// `kubernetes_cluster` and other special cert requests.
	Database *Database `yaml:"database,omitempty"`

	// KubernetesCluster is a cluster to request access to. Mutually exclusive
	// with `database` and other special cert requests.
	KubernetesCluster *KubernetesCluster `yaml:"kubernetes_cluster,omitempty"`

	// App is an app access request. Mutually exclusive with `database`,
	// `kubernetes_cluster`, and other special cert requests.
	App *App `yaml:"app,omitempty"`
}

DestinationConfig configures a user certificate destination.

func (*DestinationConfig) CheckAndSetDefaults

func (dc *DestinationConfig) CheckAndSetDefaults() error

func (*DestinationConfig) GetConfigByName

func (dc *DestinationConfig) GetConfigByName(name string) Template

GetConfigByName returns the first valid template with the given name contained within this destination.

func (*DestinationConfig) ListSubdirectories

func (dc *DestinationConfig) ListSubdirectories() ([]string, error)

ListSubdirectories lists all subdirectories that should be contained within this destination. Primarily used for on-the-fly directory creation.

type DestinationDefaults

type DestinationDefaults = func(*DestinationMixin) error

type DestinationDirectory

type DestinationDirectory struct {
	Path     string             `yaml:"path,omitempty"`
	Symlinks botfs.SymlinksMode `yaml:"symlinks,omitempty"`
	ACLs     botfs.ACLMode      `yaml:"acls,omitempty"`
}

DestinationDirectory is a Destination that writes to the local filesystem

func (*DestinationDirectory) CheckAndSetDefaults

func (dd *DestinationDirectory) CheckAndSetDefaults() error

func (*DestinationDirectory) Init

func (dd *DestinationDirectory) Init(subdirs []string) error

func (*DestinationDirectory) Read

func (dd *DestinationDirectory) Read(name string) ([]byte, error)

func (*DestinationDirectory) String

func (dd *DestinationDirectory) String() string

func (*DestinationDirectory) UnmarshalYAML

func (dd *DestinationDirectory) UnmarshalYAML(node *yaml.Node) error

func (*DestinationDirectory) Verify

func (dd *DestinationDirectory) Verify(keys []string) error

func (*DestinationDirectory) Write

func (dd *DestinationDirectory) Write(name string, data []byte) error

type DestinationMemory

type DestinationMemory struct {
	// contains filtered or unexported fields
}

DestinationMemory is a memory certificate destination

func (*DestinationMemory) CheckAndSetDefaults

func (dm *DestinationMemory) CheckAndSetDefaults() error

func (*DestinationMemory) Init

func (dm *DestinationMemory) Init(subdirs []string) error

func (*DestinationMemory) Read

func (dm *DestinationMemory) Read(name string) ([]byte, error)

func (*DestinationMemory) String

func (dm *DestinationMemory) String() string

func (*DestinationMemory) UnmarshalYAML

func (dm *DestinationMemory) UnmarshalYAML(node *yaml.Node) error

func (*DestinationMemory) Verify

func (dm *DestinationMemory) Verify(keys []string) error

func (*DestinationMemory) Write

func (dm *DestinationMemory) Write(name string, data []byte) error

type DestinationMixin

type DestinationMixin struct {
	Directory *DestinationDirectory `yaml:"directory,omitempty"`
	Memory    *DestinationMemory    `yaml:"memory,omitempty"`
}

DestinationMixin is a reusable struct for all config elements that accept a destination. Note that if embedded, DestinationMixin.CheckAndSetDefaults() must be called.

func (*DestinationMixin) CheckAndSetDefaults

func (dm *DestinationMixin) CheckAndSetDefaults(applyDefaults DestinationDefaults) error

func (*DestinationMixin) GetDestination

func (dm *DestinationMixin) GetDestination() (bot.Destination, error)

GetDestination returns the first non-nil Destination set. Note that CheckAndSetDefaults() does attempt to ensure that only a single destination is set, though this may change at runtime.

type FileDescription

type FileDescription struct {
	// Name is the name of the file or directory to create.
	Name string

	// IsDir designates whether this describes a subdirectory inside the
	// destination.
	IsDir bool
}

FileDescription is a minimal spec needed to create an empty end-user-owned file with bot-writable ACLs during `tbot init`.

type KubernetesCluster

type KubernetesCluster struct {
	// ClusterName is the name of the Kubernetes cluster in Teleport.
	ClusterName string
}

KubernetesCluster is a Kubernetes cluster certificate request.

func (*KubernetesCluster) CheckAndSetDefaults

func (kc *KubernetesCluster) CheckAndSetDefaults() error

func (*KubernetesCluster) MarshalYAML

func (kc *KubernetesCluster) MarshalYAML() (interface{}, error)

func (*KubernetesCluster) UnmarshalYAML

func (kc *KubernetesCluster) UnmarshalYAML(node *yaml.Node) error

type OnboardingConfig

type OnboardingConfig struct {
	// TokenValue is either the token needed to join the auth server, or a path pointing to a file
	// that contains the token
	//
	// You should use Token() instead - this has to be an exported field for YAML unmarshalling
	// to work correctly, but this could be a path instead of a token
	TokenValue string `yaml:"token"`

	// CAPath is an optional path to a CA certificate.
	CAPath string `yaml:"ca_path"`

	// CAPins is a list of certificate authority pins, used to validate the
	// connection to the Teleport auth server.
	CAPins []string `yaml:"ca_pins"`

	// JoinMethod is the method the bot should use to exchange a token for the
	// initial certificate
	JoinMethod types.JoinMethod `yaml:"join_method"`
}

OnboardingConfig contains values only required on first connect.

func (*OnboardingConfig) HasToken

func (conf *OnboardingConfig) HasToken() bool

HasToken gives the ability to check if there has been a token value stored in the config

func (*OnboardingConfig) SetToken

func (conf *OnboardingConfig) SetToken(token string)

SetToken stores the value for --token or auth_token in the config

In the case of the token value pointing to a file, this allows us to fetch the value of the token when it's needed (when connecting for the first time) instead of trying to read the file every time that teleport is launched. This means we can allow temporary token files that are removed after teleport has successfully connected the first time.

func (*OnboardingConfig) Token

func (conf *OnboardingConfig) Token() (string, error)

Token returns token needed to join the auth server

If the value stored points to a file, it will attempt to read the token value from the file and return an error if it wasn't successful If the value stored doesn't point to a file, it'll return the value stored

type RemainingArgsList

type RemainingArgsList []string

RemainingArgs is a custom kingpin parser that consumes all remaining arguments.

func (*RemainingArgsList) IsCumulative

func (r *RemainingArgsList) IsCumulative() bool

func (*RemainingArgsList) Set

func (r *RemainingArgsList) Set(value string) error

func (*RemainingArgsList) String

func (r *RemainingArgsList) String() string

type StorageConfig

type StorageConfig struct {
	DestinationMixin `yaml:",inline"`
}

StorageConfig contains config parameters for the bot's internal certificate storage.

func (*StorageConfig) CheckAndSetDefaults

func (sc *StorageConfig) CheckAndSetDefaults() error

type Template

type Template interface {
	// Name returns the name of this config template.
	Name() string

	// Describe generates a list of all files this ConfigTemplate will generate
	// at runtime. Currently ConfigTemplates are required to know this
	// statically as this must be callable without any auth clients (or any
	// secrets) for use with `tbot init`. If an arbitrary number of files must
	// be generated, they should be placed in a subdirectory.
	Describe(destination bot.Destination) []FileDescription

	// Render writes the config template to the destination.
	Render(ctx context.Context, bot Bot, currentIdentity *identity.Identity, destination *DestinationConfig) error
}

Template defines functions for dynamically writing additional files to a Destination.

type TemplateCockroach

type TemplateCockroach struct {
	DirName string `yaml:"dir_name,omitempty"`
}

TemplateCockroach generates certificates for CockroachDB. These are standard TLS certs but have specific naming requirements. We write them to a subdirectory to ensure naming is clear.

func (*TemplateCockroach) CheckAndSetDefaults

func (t *TemplateCockroach) CheckAndSetDefaults() error

func (*TemplateCockroach) Describe

func (t *TemplateCockroach) Describe(destination bot.Destination) []FileDescription

func (*TemplateCockroach) Name

func (t *TemplateCockroach) Name() string

func (*TemplateCockroach) Render

func (t *TemplateCockroach) Render(ctx context.Context, bot Bot, currentIdentity *identity.Identity, destination *DestinationConfig) error

type TemplateConfig

type TemplateConfig struct {
	SSHClient   *TemplateSSHClient   `yaml:"ssh_client,omitempty"`
	Identity    *TemplateIdentity    `yaml:"identity,omitempty"`
	TLS         *TemplateTLS         `yaml:"tls,omitempty"`
	TLSCAs      *TemplateTLSCAs      `yaml:"tls_cas,omitempty"`
	Mongo       *TemplateMongo       `yaml:"mongo,omitempty"`
	Cockroach   *TemplateCockroach   `yaml:"cockroach,omitempty"`
	Kubernetes  *TemplateKubernetes  `yaml:"kubernetes,omitempty"`
	SSHHostCert *TemplateSSHHostCert `yaml:"ssh_host_cert,omitempty"`
}

TemplateConfig contains all possible config template variants. Exactly one variant must be set to be considered valid.

func (*TemplateConfig) CheckAndSetDefaults

func (c *TemplateConfig) CheckAndSetDefaults() error

func (*TemplateConfig) GetConfigTemplate

func (c *TemplateConfig) GetConfigTemplate() (Template, error)

GetConfigTemplate returns the first not-nil config template implementation in the struct.

func (*TemplateConfig) UnmarshalYAML

func (c *TemplateConfig) UnmarshalYAML(node *yaml.Node) error

type TemplateIdentity

type TemplateIdentity struct {
	FileName string `yaml:"file_name,omitempty"`
}

TemplateIdentity is a config template that generates a Teleport identity file that can be used by tsh and tctl.

func (*TemplateIdentity) CheckAndSetDefaults

func (t *TemplateIdentity) CheckAndSetDefaults() error

func (*TemplateIdentity) Describe

func (t *TemplateIdentity) Describe(destination bot.Destination) []FileDescription

func (*TemplateIdentity) Name

func (t *TemplateIdentity) Name() string

func (*TemplateIdentity) Render

func (t *TemplateIdentity) Render(ctx context.Context, bot Bot, currentIdentity *identity.Identity, destination *DestinationConfig) error

type TemplateKubernetes

type TemplateKubernetes struct {
	Path string `yaml:"path,omitempty"`

	// ClusterAddress may be used to override the k8s cluster address. It's
	// resolved from Teleport's ping responses if unset.
	ClusterAddress string `yaml:"cluster_addr,omitempty"`
	// contains filtered or unexported fields
}

func (*TemplateKubernetes) CheckAndSetDefaults

func (t *TemplateKubernetes) CheckAndSetDefaults() error

func (*TemplateKubernetes) Describe

func (t *TemplateKubernetes) Describe(destination bot.Destination) []FileDescription

func (*TemplateKubernetes) Name

func (t *TemplateKubernetes) Name() string

func (*TemplateKubernetes) Render

func (t *TemplateKubernetes) Render(ctx context.Context, bot Bot, currentIdentity *identity.Identity, destination *DestinationConfig) error

type TemplateMongo

type TemplateMongo struct {
	Prefix string `yaml:"prefix,omitempty"`
}

TemplateMongo is a config template that generates TLS certs formatted for use with MongoDB.

func (*TemplateMongo) CheckAndSetDefaults

func (t *TemplateMongo) CheckAndSetDefaults() error

func (*TemplateMongo) Describe

func (t *TemplateMongo) Describe(destination bot.Destination) []FileDescription

func (*TemplateMongo) Name

func (t *TemplateMongo) Name() string

func (*TemplateMongo) Render

func (t *TemplateMongo) Render(ctx context.Context, bot Bot, currentIdentity *identity.Identity, destination *DestinationConfig) error

type TemplateSSHClient

type TemplateSSHClient struct {
	ProxyPort uint16 `yaml:"proxy_port"`
	// contains filtered or unexported fields
}

TemplateSSHClient contains parameters for the ssh_config config template

func (*TemplateSSHClient) CheckAndSetDefaults

func (c *TemplateSSHClient) CheckAndSetDefaults() error

func (*TemplateSSHClient) Describe

func (c *TemplateSSHClient) Describe(destination bot.Destination) []FileDescription

func (*TemplateSSHClient) Name

func (c *TemplateSSHClient) Name() string

func (*TemplateSSHClient) Render

func (c *TemplateSSHClient) Render(ctx context.Context, bot Bot, _ *identity.Identity, destination *DestinationConfig) error

type TemplateSSHHostCert

type TemplateSSHHostCert struct {
	// Prefix is the filename prefix for the generated SSH host
	// certificates
	Prefix string `yaml:"prefix,omitempty"`

	// Principals is a list of principals to request for the host cert.
	Principals []string `yaml:"principals"`
}

TemplateSSHHostCert contains parameters for the ssh_config config template

func (*TemplateSSHHostCert) CheckAndSetDefaults

func (c *TemplateSSHHostCert) CheckAndSetDefaults() error

CheckAndSetDefaults validates a TemplateSSHHostCert.

func (*TemplateSSHHostCert) Describe

func (c *TemplateSSHHostCert) Describe(destination bot.Destination) []FileDescription

Describe lists the files to be generated by the ssh_host_cert template.

func (*TemplateSSHHostCert) Name

func (c *TemplateSSHHostCert) Name() string

Name returns the name for the ssh_host_cert template.

func (*TemplateSSHHostCert) Render

func (c *TemplateSSHHostCert) Render(ctx context.Context, bot Bot, currentIdentity *identity.Identity, destination *DestinationConfig) error

Render generates SSH host cert files.

type TemplateTLS

type TemplateTLS struct {
	// Prefix is the filename prefix for the output files.
	Prefix string `yaml:"prefix,omitempty"`

	// CACertType is the type of CA cert to be written
	CACertType CertAuthType `yaml:"ca_cert_type,omitempty"`
}

TemplateTLS is a config template that wraps identityfile's TLS writer. It's not generally needed but can be used to write out TLS certificates with alternative prefix and file extensions if needed for application compatibility reasons.

func (*TemplateTLS) CheckAndSetDefaults

func (t *TemplateTLS) CheckAndSetDefaults() error

func (*TemplateTLS) Describe

func (t *TemplateTLS) Describe(destination bot.Destination) []FileDescription

func (*TemplateTLS) Name

func (t *TemplateTLS) Name() string

func (*TemplateTLS) Render

func (t *TemplateTLS) Render(ctx context.Context, bot Bot, currentIdentity *identity.Identity, destination *DestinationConfig) error

type TemplateTLSCAs

type TemplateTLSCAs struct {
	// HostCAPath is the path to which Teleport's host CAs will be written.
	HostCAPath string `yaml:"host_ca_path,omitempty"`

	// UserCAPath is the path to which Teleport's user CAs will be written.
	UserCAPath string `yaml:"user_ca_path,omitempty"`

	// DatabaseCAPath is the path to which Teleport's database CA will be
	// written.
	DatabaseCAPath string `yaml:"database_ca_path,omitempty"`
}

TemplateTLSCAs outputs Teleport's host and user CAs for miscellaneous TLS client use.

func (*TemplateTLSCAs) CheckAndSetDefaults

func (t *TemplateTLSCAs) CheckAndSetDefaults() error

func (*TemplateTLSCAs) Describe

func (t *TemplateTLSCAs) Describe(destination bot.Destination) []FileDescription

func (*TemplateTLSCAs) Name

func (t *TemplateTLSCAs) Name() string

func (*TemplateTLSCAs) Render

func (t *TemplateTLSCAs) Render(ctx context.Context, bot Bot, currentIdentity *identity.Identity, destination *DestinationConfig) error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL