Documentation
¶
Overview ¶
Package 'config' provides facilities for configuring Teleport daemons including
- parsing YAML configuration
- parsing CLI flags
Index ¶
- func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
- func Configure(clf *CommandLineFlags, cfg *service.Config) error
- type Auth
- type Authority
- type ClaimMapping
- type CommandLabel
- type CommandLineFlags
- type ConnectionLimits
- type ConnectionRate
- type FileConfig
- type Global
- type KeyPair
- type Log
- type OIDCConnector
- type Proxy
- type ReverseTunnel
- type SSH
- type Service
- type StaticToken
- type TrustedCluster
- type U2F
- type YAMLMap
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyFileConfig ¶
func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
ApplyFileConfig applies confniguration from a YAML file to Teleport runtime config
Types ¶
type Auth ¶
type Auth struct {
Service `yaml:",inline"`
// DomainName is the name of the CA who manages this cluster
DomainName string `yaml:"cluster_name,omitempty"`
// TrustedClustersFile is a file path to a file containing public CA keys
// of clusters we trust. One key per line, those starting with '#' are comments
TrustedClusters []TrustedCluster `yaml:"trusted_clusters,omitempty"`
// FOR INTERNAL USE:
// Authorities : 3rd party certificate authorities (CAs) this auth service trusts.
Authorities []Authority `yaml:"authorities,omitempty"`
// FOR INTERNAL USE:
// ReverseTunnels is a list of SSH tunnels to 3rd party proxy services (used to talk
// to 3rd party auth servers we trust)
ReverseTunnels []ReverseTunnel `yaml:"reverse_tunnels,omitempty"`
// OIDCConnectors is a list of trusted OpenID Connect Identity providers
OIDCConnectors []OIDCConnector `yaml:"oidc_connectors"`
// StaticTokens are pre-defined host provisioning tokens supplied via config file for
// environments where paranoid security is not needed
//
// Each token string has the following format: "role1,role2,..:token",
// for exmple: "auth,proxy,node:MTIzNGlvemRmOWE4MjNoaQo"
StaticTokens []StaticToken `yaml:"tokens,omitempty"`
// Configuration for "universal 2nd factor"
U2F U2F `yaml:"u2f,omitempty"`
}
Auth is 'auth_service' section of the config file
type Authority ¶
type Authority struct {
// Type is either user or host certificate authority
Type services.CertAuthType `yaml:"type"`
// DomainName identifies domain name this authority serves,
// for host authorities that means base hostname of all servers,
// for user authorities that means organization name
DomainName string `yaml:"domain_name"`
// Checkers is a list of SSH public keys that can be used to check
// certificate signatures in OpenSSH authorized keys format
CheckingKeys []string `yaml:"checking_keys"`
// CheckingKeyFiles is a list of files
CheckingKeyFiles []string `yaml:"checking_key_files"`
// SigningKeys is a list of PEM-encoded private keys used for signing
SigningKeys []string `yaml:"signing_keys"`
// SigningKeyFiles is a list of paths to PEM encoded private keys used for signing
SigningKeyFiles []string `yaml:"signing_key_files"`
// AllowedLogins is a list of allowed logins for users within
// this certificate authority
AllowedLogins []string `yaml:"allowed_logins"`
}
Authority is a host or user certificate authority that can check and if it has private key stored as well, sign it too
type ClaimMapping ¶
type ClaimMapping struct {
// Claim is OIDC claim name
Claim string `yaml:"claim"`
// Value is claim value to match
Value string `yaml:"value"`
// Roles is a list of teleport roles to match
Roles []string `yaml:"roles"`
}
ClaimMapping is OIDC claim mapping that maps claim name to teleport roles
type CommandLabel ¶
type CommandLabel struct {
Name string `yaml:"name"`
Command []string `yaml:"command,flow"`
Period time.Duration `yaml:"period"`
}
CommandLabel is `command` section of `ssh_service` in the config file
type CommandLineFlags ¶
type CommandLineFlags struct {
// --name flag
NodeName string
// --auth-server flag
AuthServerAddr string
// --token flag
AuthToken string
// --listen-ip flag
ListenIP net.IP
// --advertise-ip flag
AdvertiseIP net.IP
// --config flag
ConfigFile string
// ConfigString is a base64 encoded configuration string
// set by --config-string or TELEPORT_CONFIG environment variable
ConfigString string
// --roles flag
Roles string
// -d flag
Debug bool
// --labels flag
Labels string
// --httpprofile hidden flag
HTTPProfileEndpoint bool
// --pid-file flag
PIDFile string
}
CommandLineFlags stores command line flag values, it's a much simplified subset of Teleport configuration (which is fully expressed via YAML config file)
type ConnectionLimits ¶
type ConnectionLimits struct {
MaxConnections int64 `yaml:"max_connections"`
MaxUsers int `yaml:"max_users"`
Rates []ConnectionRate `yaml:"rates,omitempty"`
}
ConnectionLimits sets up connection limiter
type ConnectionRate ¶
type ConnectionRate struct {
Period time.Duration `yaml:"period"`
Average int64 `yaml:"average"`
Burst int64 `yaml:"burst"`
}
ConnectionRate configures rate limiter
type FileConfig ¶
type FileConfig struct {
Global `yaml:"teleport,omitempty"`
Auth Auth `yaml:"auth_service,omitempty"`
SSH SSH `yaml:"ssh_service,omitempty"`
Proxy Proxy `yaml:"proxy_service,omitempty"`
}
FileConfig structre represents the teleport configuration stored in a config file in YAML format (usually /etc/teleport.yaml)
Use config.ReadFromFile() to read the parsed FileConfig from a YAML file.
func MakeSampleFileConfig ¶
func MakeSampleFileConfig() (fc *FileConfig)
MakeSampleFileConfig returns a sample config structure populated by defaults, useful to generate sample configuration files
func ReadConfig ¶
func ReadConfig(reader io.Reader) (*FileConfig, error)
ReadConfig reads Teleport configuration from reader in YAML format
func ReadConfigFile ¶
func ReadConfigFile(cliConfigPath string) (*FileConfig, error)
readConfigFile reads /etc/teleport.yaml (or whatever is passed via --config flag) and overrides values in 'cfg' structure
func ReadFromFile ¶
func ReadFromFile(filePath string) (*FileConfig, error)
ReadFromFile reads Teleport configuration from a file. Currently only YAML format is supported
func ReadFromString ¶
func ReadFromString(configString string) (*FileConfig, error)
ReadFromString reads values from base64 encoded byte string
func (*FileConfig) DebugDumpToYAML ¶
func (conf *FileConfig) DebugDumpToYAML() string
DebugDumpToYAML allows for quick YAML dumping of the config
type Global ¶
type Global struct {
NodeName string `yaml:"nodename,omitempty"`
DataDir string `yaml:"data_dir,omitempty"`
PIDFile string `yaml:"pid_file,omitempty"`
AuthToken string `yaml:"auth_token,omitempty"`
AuthServers []string `yaml:"auth_servers,omitempty"`
Limits ConnectionLimits `yaml:"connection_limits,omitempty"`
Logger Log `yaml:"log,omitempty"`
Storage backend.Config `yaml:"storage,omitempty"`
AdvertiseIP net.IP `yaml:"advertise_ip,omitempty"`
// Keys holds the list of SSH key/cert pairs used by all services
// Each service (like proxy, auth, node) can find the key it needs
// by looking into certificate
Keys []KeyPair `yaml:"keys,omitempty"`
// SeedConfig [GRAVITATIONAL USE] when set to true, Teleport treats
// its configuration file simply as a seed data on initial start-up.
// For OSS Teleport it should always be 'false' by default.
SeedConfig bool `yaml:"seed_config,omitempty"`
}
Global is 'teleport' (global) section of the config file
type KeyPair ¶
type KeyPair struct {
// PrivateKeyFile is a path to file with private key
PrivateKeyFile string `yaml:"private_key_file"`
// CertFile is a path to file with OpenSSH certificate
CertFile string `yaml:"cert_file"`
// PrivateKey is PEM encoded OpenSSH private key
PrivateKey string `yaml:"private_key"`
// Cert is certificate in OpenSSH authorized keys format
Cert string `yaml:"cert"`
}
KeyPair is a pair of private key and certificates
type Log ¶
type Log struct {
// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
// a path to a log file
Output string `yaml:"output,omitempty"`
// Severity defines how verbose the log will be. Possible valus are "error", "info", "warn"
Severity string `yaml:"severity,omitempty"`
}
Log configures teleport logging
type OIDCConnector ¶
type OIDCConnector struct {
// ID is a provider id, 'e.g.' google, used internally
ID string `yaml:"id"`
// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
IssuerURL string `yaml:"issuer_url"`
// ClientID is id for authentication client (in our case it's our Auth server)
ClientID string `yaml:"client_id"`
// ClientSecret is used to authenticate our client and should not
// be visible to end user
ClientSecret string `yaml:"client_secret"`
// RedirectURL - Identity provider will use this URL to redirect
// client's browser back to it after successfull authentication
// Should match the URL on Provider's side
RedirectURL string `yaml:"redirect_url"`
// Display controls how this connector is displayed
Display string `yaml:"display"`
// Scope is a list of additional scopes to request from OIDC
// note that oidc and email scopes are always requested
Scope []string `yaml:"scope"`
// ClaimsToRoles is a list of mappings of claims to roles
ClaimsToRoles []ClaimMapping `yaml:"claims_to_roles"`
}
OIDCConnector specifies configuration fo Open ID Connect compatible external identity provider, e.g. google in some organisation
func (*OIDCConnector) Parse ¶
func (o *OIDCConnector) Parse() (services.OIDCConnector, error)
Parse parses config struct into services connector and checks if it's valid
type Proxy ¶
type Proxy struct {
Service `yaml:",inline"`
WebAddr string `yaml:"web_listen_addr,omitempty"`
TunAddr string `yaml:"tunnel_listen_addr,omitempty"`
KeyFile string `yaml:"https_key_file,omitempty"`
CertFile string `yaml:"https_cert_file,omitempty"`
}
Proxy is `proxy_service` section of the config file:
type ReverseTunnel ¶
type ReverseTunnel struct {
DomainName string `yaml:"domain_name"`
Addresses []string `yaml:"addresses"`
}
ReverseTunnel is a SSH reverse tunnel mantained by one cluster's proxy to remote Teleport proxy
func (*ReverseTunnel) ConvertAndValidate ¶
func (t *ReverseTunnel) ConvertAndValidate() (services.ReverseTunnel, error)
ConvertAndValidate returns validated services.ReverseTunnel or nil and error otherwize
type SSH ¶
type SSH struct {
Service `yaml:",inline"`
Namespace string `yaml:"namespace,omitempty"`
Labels map[string]string `yaml:"labels,omitempty"`
Commands []CommandLabel `yaml:"commands,omitempty"`
}
SSH is 'ssh_service' section of the config file
type Service ¶
type Service struct {
EnabledFlag string `yaml:"enabled,omitempty"`
ListenAddress string `yaml:"listen_addr,omitempty"`
}
Service is a common configuration of a teleport service
func (*Service) Configured ¶
Configured determines if a given "_service" section has been specified
type StaticToken ¶
type StaticToken string
type TrustedCluster ¶
type TrustedCluster struct {
// KeyFile is a path to a remote authority (AKA "trusted cluster") public keys
KeyFile string `yaml:"key_file,omitempty"`
// AllowedLogins is a comma-separated list of user logins allowed from that cluster
AllowedLogins string `yaml:"allow_logins,omitempty"`
// TunnelAddr is a comma-separated list of reverse tunnel addressess to
// connect to
TunnelAddr string `yaml:"tunnel_addr,omitempty"`
}
TrustedCluster struct holds configuration values under "trusted_clusters" key
Source Files