
Overview

Package config provides facilities for configuring Teleport daemons including

  • parsing YAML configuration
  • parsing CLI flags

Index

Constants

const (
	// SystemdDefaultEnvironmentFile is the default path to the environment file
	// referenced by the generated systemd unit file.
	SystemdDefaultEnvironmentFile = "/etc/default/teleport"
	// SystemdDefaultPIDFile is the default path to the PID file referenced by the
	// generated systemd unit file.
	SystemdDefaultPIDFile = "/run/teleport.pid"
	// SystemdDefaultFileDescriptorLimit is the default maximum number of open file
	// descriptors set in the generated systemd unit file.
	SystemdDefaultFileDescriptorLimit = 524288
)

Variables

This section is empty.

Functions

func ApplyFileConfig

func ApplyFileConfig(fc *FileConfig, cfg *servicecfg.Config) error

ApplyFileConfig applies configuration from a YAML file to Teleport runtime config

func Configure

func Configure(clf *CommandLineFlags, cfg *servicecfg.Config, legacyAppFlags bool) error

Configure merges command line arguments with the contents of a configuration file, with command line values taking precedence.

func ConfigureOpenSSH

func ConfigureOpenSSH(clf *CommandLineFlags, cfg *servicecfg.Config) error

ConfigureOpenSSH initializes a config from the command line flags passed.

func MakeDatabaseAgentConfigString

func MakeDatabaseAgentConfigString(flags DatabaseSampleFlags) (string, error)

MakeDatabaseAgentConfigString generates a simple database agent configuration based on the flags provided. Returns the configuration as a string.

func ReadResources

func ReadResources(filePath string) ([]types.Resource, error)

ReadResources loads a set of resources from a file.

func WriteSystemdUnitFile

func WriteSystemdUnitFile(flags SystemdFlags, dest io.Writer) error

WriteSystemdUnitFile accepts flags and an io.Writer and writes the systemd unit file configuration to it

Types

type ACME

// ACME configures the ACME protocol, i.e. automatic X.509 certificate issuance.
type ACME struct {
	// EnabledFlag controls whether ACME is enabled. It is kept as the string read
	// from YAML; Parse interprets it.
	EnabledFlag string `yaml:"enabled,omitempty"`
	// Email is the contact address that receives notices about certificate
	// renewal problems.
	Email string `yaml:"email,omitempty"`
	// URI is the ACME server URI.
	URI string `yaml:"uri,omitempty"`
}

ACME configures ACME protocol - automatic X.509 certificates

func (ACME) Parse

func (a ACME) Parse() (*servicecfg.ACME, error)

Parse parses ACME section values

type AWSKMS

// AWSKMS configures AWS Key Management Service to be used for all CA private key
// crypto operations.
type AWSKMS struct {
	// Account is the AWS account to use.
	Account string `yaml:"account"`
	// Region is the AWS region to use.
	Region string `yaml:"region"`
}

AWSKMS configures AWS Key Management Service to be used for all CA private key crypto operations.

type AWSMatcher

// AWSMatcher matches AWS EC2 instances and AWS databases.
type AWSMatcher struct {
	// Types are the AWS resource types to match: "ec2", "rds", "redshift",
	// "elasticache", or "memorydb".
	Types []string `yaml:"types,omitempty"`
	// Regions are the AWS regions to query for resources.
	Regions []string `yaml:"regions,omitempty"`
	// AssumeRoleARN is the AWS role to assume for discovery.
	AssumeRoleARN string `yaml:"assume_role_arn,omitempty"`
	// ExternalID is the AWS external ID to use when assuming a role for
	// discovery in an external AWS account.
	ExternalID string `yaml:"external_id,omitempty"`
	// Tags are the AWS tags to match on.
	Tags map[string]apiutils.Strings `yaml:"tags,omitempty"`
	// InstallParams sets the join method used when installing Teleport on
	// discovered EC2 nodes.
	InstallParams *InstallParams `yaml:"install,omitempty"`
	// SSM provides options used when sending a document command to an EC2 node.
	SSM AWSSSM `yaml:"ssm,omitempty"`
}

AWSMatcher matches AWS EC2 instances and AWS Databases

type AWSSSM

// AWSSSM provides options used when executing SSM documents.
type AWSSSM struct {
	// DocumentName is the name of the SSM document to use when executing an
	// SSM command.
	DocumentName string `yaml:"document_name,omitempty"`
}

AWSSSM provides options to use when executing SSM documents

type AccessGraph

// AccessGraph is the configuration for the AccessGraph service.
type AccessGraph struct {
	// Enabled enables the AccessGraph service.
	Enabled bool `yaml:"enabled"`
	// Endpoint is the endpoint of the AccessGraph service.
	Endpoint string `yaml:"endpoint"`
	// CA is the path to the CA certificate used to verify the AccessGraph service.
	CA string `yaml:"ca"`
	// Insecure, when true, skips CA verification when connecting to the
	// AccessGraph service.
	Insecure bool `yaml:"insecure"`
}

AccessGraph represents the configuration for the AccessGraph service.

type AccessGraphAWSSync

// AccessGraphAWSSync is the configuration for the AWS AccessGraph Sync service.
type AccessGraphAWSSync struct {
	// Regions are the AWS regions to poll for resources.
	Regions []string `yaml:"regions,omitempty"`
	// AssumeRoleARN is the AWS role to assume for database discovery.
	// NOTE(review): this wording looks copied from AWSMatcher; here the role is
	// presumably used for polling resources — confirm.
	AssumeRoleARN string `yaml:"assume_role_arn,omitempty"`
	// ExternalID is the AWS external ID to use when assuming a role for
	// database discovery in an external AWS account.
	ExternalID string `yaml:"external_id,omitempty"`
}

AccessGraphAWSSync represents the configuration for the AWS AccessGraph Sync service.

type AccessGraphSync

// AccessGraphSync is the configuration for the AccessGraph Sync service.
type AccessGraphSync struct {
	// AWS holds the per-account AWS configurations for the AccessGraph Sync
	// service.
	AWS []AccessGraphAWSSync `yaml:"aws,omitempty"`
}

AccessGraphSync represents the configuration for the AccessGraph Sync service.

type App

// App is a single application proxied by the application service.
type App struct {
	// Name of the application.
	Name string `yaml:"name"`

	// Description is an optional free-form app description.
	Description string `yaml:"description,omitempty"`

	// URI is the internal address of the application.
	URI string `yaml:"uri"`

	// PublicAddr is the public address of the application, i.e. the address
	// users access the application at.
	PublicAddr string `yaml:"public_addr"`

	// StaticLabels is a map of static labels to apply to this application.
	StaticLabels map[string]string `yaml:"labels,omitempty"`

	// DynamicLabels is a list of commands that generate dynamic labels
	// to apply to this application.
	DynamicLabels []CommandLabel `yaml:"commands,omitempty"`

	// InsecureSkipVerify skips validation of the application server's
	// certificate.
	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`

	// Rewrite defines a block that is used to rewrite requests and responses.
	Rewrite *Rewrite `yaml:"rewrite,omitempty"`

	// AWS contains additional options for AWS applications.
	AWS *AppAWS `yaml:"aws,omitempty"`

	// Cloud identifies the cloud instance the app represents.
	Cloud string `yaml:"cloud,omitempty"`
}

App is the specific application that will be proxied by the application service.

type AppAWS

// AppAWS contains additional options for AWS applications.
type AppAWS struct {
	// ExternalID is the AWS external ID used when assuming roles in this app.
	ExternalID string `yaml:"external_id,omitempty"`
}

AppAWS contains additional options for AWS applications.

type Apps

// Apps is the configuration for the collection of applications this service
// will start. In file configuration this is the "app_service" section.
type Apps struct {
	// Service contains fields common to all services like "enabled" and
	// "listen_addr".
	Service `yaml:",inline"`

	// DebugApp turns on a header debugging application.
	DebugApp bool `yaml:"debug_app"`

	// Apps is the list of applications that will be run by this service.
	Apps []*App `yaml:"apps"`

	// ResourceMatchers match cluster application resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
}

Apps represents the configuration for the collection of applications this service will start. In file configuration this would be the "app_service" section.

type AssistOptions

// AssistOptions is a set of options common to both Auth and Proxy related to
// the Teleport Assist feature.
type AssistOptions struct {
	// OpenAI is a set of options related to the OpenAI assist backend.
	OpenAI *OpenAIOptions `yaml:"openai,omitempty"`
}

AssistOptions is a set of options common to both Auth and Proxy related to the Teleport Assist feature.

type Auth

// Auth is the 'auth_service' section of the config file.
type Auth struct {
	// Service contains fields common to all services.
	Service `yaml:",inline"`

	// ProxyProtocol controls support for the HAProxy PROXY protocol.
	// Possible values:
	// - 'on': one PROXY header is accepted and required per incoming connection.
	// - 'off': no PROXY headers are allowed; a connection carrying one is rejected.
	// If unspecified, one PROXY header is allowed but not required; the connection
	// is marked with source port set to 0 and IP pinning will not be allowed. This
	// default is meant only for test setups. In production always set the mode
	// explicitly based on your network setup: 'on' if an L4 load balancer with the
	// PROXY protocol enabled sits in front of Teleport, 'off' otherwise.
	ProxyProtocol string `yaml:"proxy_protocol,omitempty"`

	// ClusterName is the name of the CA who manages this cluster.
	ClusterName ClusterName `yaml:"cluster_name,omitempty"`

	// StaticTokens are pre-defined host provisioning tokens supplied via the
	// config file for environments where paranoid security is not needed.
	//
	// Each token string has the following format: "role1,role2,..:token",
	// for example: "auth,proxy,node:MTIzNGlvemRmOWE4MjNoaQo".
	// The token secret itself is therefore stored in the config file, so the
	// file's permissions matter.
	StaticTokens StaticTokens `yaml:"tokens,omitempty"`

	// Authentication holds authentication configuration information like
	// authentication type, second factor type, specific connector information, etc.
	Authentication *AuthenticationConfig `yaml:"authentication,omitempty"`

	// SessionRecording determines where the session is recorded:
	// node, node-sync, proxy, proxy-sync, or off.
	SessionRecording string `yaml:"session_recording,omitempty"`

	// ProxyChecksHostKeys is used when the proxy is in recording mode and
	// determines whether the proxy checks the host key of the node or not.
	ProxyChecksHostKeys *types.BoolOption `yaml:"proxy_checks_host_keys,omitempty"`

	// LicenseFile is a path to the license file. The path can be either absolute
	// or relative to the global data dir.
	LicenseFile string `yaml:"license_file,omitempty"`

	// FOR INTERNAL USE:
	// ReverseTunnels is a list of SSH tunnels to 3rd party proxy services (used
	// to talk to 3rd party auth servers we trust).
	ReverseTunnels []ReverseTunnel `yaml:"reverse_tunnels,omitempty"`

	// PublicAddr sets the SSH host principals and TLS DNS names on auth
	// server certificates.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`

	// ClientIdleTimeout sets the global cluster default for client idle timeouts.
	ClientIdleTimeout types.Duration `yaml:"client_idle_timeout,omitempty"`

	// DisconnectExpiredCert controls the disconnect-expired-certificate setting:
	// if true, connections with expired client certificates are disconnected.
	DisconnectExpiredCert *types.BoolOption `yaml:"disconnect_expired_cert,omitempty"`

	// SessionControlTimeout specifies the maximum amount of time a node can be out
	// of contact with the auth server before it starts terminating controlled
	// sessions.
	SessionControlTimeout types.Duration `yaml:"session_control_timeout,omitempty"`

	// KubeconfigFile is an optional path to a kubeconfig file; if specified,
	// Teleport uses the API server address and trusted certificate authority
	// information from it.
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`

	// KeepAliveInterval sets the keep-alive interval for server to client
	// connections.
	KeepAliveInterval types.Duration `yaml:"keep_alive_interval,omitempty"`

	// KeepAliveCountMax sets the number of keep-alive messages that can be
	// missed before the server disconnects the client.
	KeepAliveCountMax int64 `yaml:"keep_alive_count_max,omitempty"`

	// ClientIdleTimeoutMessage is sent to the client when the inactivity timeout
	// expires. The empty string means no message is sent prior to disconnection.
	ClientIdleTimeoutMessage string `yaml:"client_idle_timeout_message,omitempty"`

	// MessageOfTheDay is a banner that a user must acknowledge during `tsh login`.
	MessageOfTheDay string `yaml:"message_of_the_day,omitempty"`

	// WebIdleTimeout sets the global cluster default for WebUI client idle
	// timeouts.
	WebIdleTimeout types.Duration `yaml:"web_idle_timeout,omitempty"`

	// CAKeyParams configures how CA private keys will be created and stored.
	CAKeyParams *CAKeyParams `yaml:"ca_key_params,omitempty"`

	// ProxyListenerMode is the listener mode used by the proxy.
	ProxyListenerMode types.ProxyListenerMode `yaml:"proxy_listener_mode,omitempty"`

	// RoutingStrategy configures the routing strategy to nodes.
	RoutingStrategy types.RoutingStrategy `yaml:"routing_strategy,omitempty"`

	// TunnelStrategy configures the tunnel strategy used by the cluster.
	TunnelStrategy *types.TunnelStrategyV1 `yaml:"tunnel_strategy,omitempty"`

	// ProxyPingInterval defines the interval at which the TLS routing ping
	// message is sent. This applies only to ping-wrapped connections; regular
	// TLS routing connections are not affected.
	ProxyPingInterval types.Duration `yaml:"proxy_ping_interval,omitempty"`

	// CaseInsensitiveRouting causes proxies to use case-insensitive hostname
	// matching.
	CaseInsensitiveRouting bool `yaml:"case_insensitive_routing,omitempty"`

	// LoadAllCAs tells tsh to load the CAs for all clusters when trying to ssh
	// into a node, instead of just the CA for the current cluster.
	LoadAllCAs bool `yaml:"load_all_cas,omitempty"`

	// HostedPlugins configures the hosted plugins runtime.
	// This is currently Cloud-specific.
	HostedPlugins HostedPlugins `yaml:"hosted_plugins,omitempty"`

	// Assist is a set of options related to the Teleport Assist feature.
	Assist *AuthAssistOptions `yaml:"assist,omitempty"`

	// AccessMonitoring is a set of options related to the Access Monitoring
	// feature.
	AccessMonitoring *servicecfg.AccessMonitoringOptions `yaml:"access_monitoring,omitempty"`
}

Auth is the 'auth_service' section of the config file.

type AuthAssistOptions

// AuthAssistOptions is the set of auth service options related to the Assist
// feature.
type AuthAssistOptions struct {
	// AssistOptions holds the options shared with the proxy.
	AssistOptions `yaml:",inline"`
	// CommandExecutionWorkers determines the number of workers that execute
	// arbitrary remote commands on servers (e.g. through Assist) in parallel.
	CommandExecutionWorkers int32 `yaml:"command_execution_workers,omitempty"`
}

AuthAssistOptions is a set of auth service options related to the Assist feature

type AuthenticationConfig

// AuthenticationConfig describes the auth_service/authentication section of
// teleport.yaml.
type AuthenticationConfig struct {
	// Type is the authentication type.
	Type string `yaml:"type"`
	// SecondFactor is the second factor type.
	SecondFactor constants.SecondFactorType `yaml:"second_factor,omitempty"`
	// ConnectorName names the specific connector to use.
	ConnectorName string `yaml:"connector_name,omitempty"`
	// U2F holds the U2F settings.
	U2F *UniversalSecondFactor `yaml:"u2f,omitempty"`
	// Webauthn holds the WebAuthn settings.
	Webauthn *Webauthn `yaml:"webauthn,omitempty"`
	// RequireMFAType is the per-session MFA requirement (the
	// "require_session_mfa" setting).
	RequireMFAType types.RequireMFAType `yaml:"require_session_mfa,omitempty"`
	// LockingMode is the cluster locking mode.
	LockingMode constants.LockingMode `yaml:"locking_mode,omitempty"`

	// LocalAuth controls if local authentication is allowed.
	LocalAuth *types.BoolOption `yaml:"local_auth"`

	// Passwordless enables/disables passwordless support.
	// Requires Webauthn to work.
	// Defaults to true if Webauthn is configured, defaults to false otherwise.
	Passwordless *types.BoolOption `yaml:"passwordless"`

	// Headless enables/disables headless support.
	// Requires Webauthn to work.
	// Defaults to true if Webauthn is configured, defaults to false otherwise.
	Headless *types.BoolOption `yaml:"headless"`

	// DeviceTrust holds settings related to trusted device verification.
	// Requires Teleport Enterprise.
	DeviceTrust *DeviceTrust `yaml:"device_trust,omitempty"`

	// DefaultSessionTTL is the default cluster max session TTL.
	DefaultSessionTTL types.Duration `yaml:"default_session_ttl"`

	// PIVSlot is the legacy PIV slot setting.
	//
	// Deprecated: use HardwareKey.PIVSlot instead.
	// TODO(Joerger): DELETE IN 17.0.0
	PIVSlot keys.PIVSlot `yaml:"piv_slot,omitempty"`

	// HardwareKey holds settings related to hardware key support.
	// Requires Teleport Enterprise.
	HardwareKey *HardwareKey `yaml:"hardware_key,omitempty"`
}

AuthenticationConfig describes the auth_service/authentication section of teleport.yaml

func (*AuthenticationConfig) Parse

Parse returns a valid types.AuthPreference instance.

type AzureInstallParams

// AzureInstallParams is the set of installation parameters specific to Azure.
type AzureInstallParams struct {
	// ClientID is the client ID of the managed identity to use for installation.
	ClientID string `yaml:"client_id"`
}

AzureInstallParams is the set of installation parameters specific to Azure.

type AzureJoinParams

// AzureJoinParams configures the parameters specific to the Azure join method.
type AzureJoinParams struct {
	// ClientID is presumably the client ID of the managed identity used for the
	// Azure join method — confirm against the join code.
	ClientID string `yaml:"client_id"`
}

AzureJoinParams configures the parameters specific to the Azure join method.

type AzureMatcher

// AzureMatcher matches Azure resources.
type AzureMatcher struct {
	// Subscriptions are the Azure subscriptions to query for resources.
	Subscriptions []string `yaml:"subscriptions,omitempty"`
	// ResourceGroups are the Azure resource groups to query for resources.
	ResourceGroups []string `yaml:"resource_groups,omitempty"`
	// Types are the Azure resource types to match: "mysql", "postgres", "aks",
	// "vm".
	Types []string `yaml:"types,omitempty"`
	// Regions are the Azure locations to match for databases.
	Regions []string `yaml:"regions,omitempty"`
	// ResourceTags are the Azure tags on resources to match.
	ResourceTags map[string]apiutils.Strings `yaml:"tags,omitempty"`
	// InstallParams sets the join method used when installing Teleport on
	// discovered Azure nodes.
	InstallParams *InstallParams `yaml:"install,omitempty"`
}

AzureMatcher matches Azure resources.

type BPF

// BPF is the configuration for BPF-based auditing (enhanced session recording).
type BPF struct {
	// Enabled enables or disables enhanced session recording for this node. It is
	// kept as the string read from YAML; Parse interprets it.
	Enabled string `yaml:"enabled"`

	// CommandBufferSize is the size of the perf buffer for command events.
	CommandBufferSize *int `yaml:"command_buffer_size,omitempty"`

	// DiskBufferSize is the size of the perf buffer for disk events.
	DiskBufferSize *int `yaml:"disk_buffer_size,omitempty"`

	// NetworkBufferSize is the size of the perf buffer for network events.
	NetworkBufferSize *int `yaml:"network_buffer_size,omitempty"`

	// CgroupPath controls where the cgroupv2 hierarchy is mounted.
	CgroupPath string `yaml:"cgroup_path"`
}

BPF is configuration for BPF-based auditing.

func (*BPF) Parse

func (b *BPF) Parse() *servicecfg.BPFConfig

Parse will parse the enhanced session recording configuration.

type CAKeyParams

// CAKeyParams configures how CA private keys will be created and stored.
type CAKeyParams struct {
	// PKCS11 configures a PKCS#11 HSM to be used for all CA private key
	// generation and storage.
	PKCS11 *PKCS11 `yaml:"pkcs11,omitempty"`
	// GoogleCloudKMS configures Google Cloud Key Management Service to be used
	// for all CA private key crypto operations.
	GoogleCloudKMS *GoogleCloudKMS `yaml:"gcp_kms,omitempty"`
	// AWSKMS configures AWS Key Management Service to be used for all CA
	// private key crypto operations.
	AWSKMS *AWSKMS `yaml:"aws_kms,omitempty"`
}

CAKeyParams configures how CA private keys will be created and stored.

type CachePolicy

// CachePolicy controls the local cache.
type CachePolicy struct {
	// Type selects the cache type: `sqlite` or `in-memory`.
	Type string `yaml:"type,omitempty"`
	// EnabledFlag enables or disables the cache. It is kept as the string read
	// from YAML; see Enabled.
	EnabledFlag string `yaml:"enabled,omitempty"`
	// TTL sets the maximum TTL for cached values.
	TTL string `yaml:"ttl,omitempty"`
	// MaxBackoff sets the maximum backoff on error.
	MaxBackoff time.Duration `yaml:"max_backoff,omitempty"`
}

CachePolicy is used to control the local cache.

func (*CachePolicy) Enabled

func (c *CachePolicy) Enabled() bool

Enabled determines if a given "_service" section has been set to 'true'

func (*CachePolicy) Parse

func (c *CachePolicy) Parse() (*servicecfg.CachePolicy, error)

Parse parses cache policy from Teleport config

type ClaimMapping

// ClaimMapping is an OIDC claim mapping that maps a claim name and value to
// Teleport roles.
type ClaimMapping struct {
	// Claim is the OIDC claim name.
	Claim string `yaml:"claim"`
	// Value is the claim value to match.
	Value string `yaml:"value"`
	// Roles is the list of Teleport roles granted on a match.
	Roles []string `yaml:"roles,omitempty"`
}

ClaimMapping is OIDC claim mapping that maps claim name to teleport roles

type ClusterName

// ClusterName is the value of the auth_service 'cluster_name' setting as read
// from the config file; Parse converts it into a types.ClusterName.
type ClusterName string

func (ClusterName) Parse

func (c ClusterName) Parse() (types.ClusterName, error)

type CommandLabel

// CommandLabel is the `command` section of `ssh_service` in the config file: a
// label whose value is produced by running a command.
type CommandLabel struct {
	// Name is the label name.
	Name string `yaml:"name"`
	// Command is the command (with its arguments) that produces the label
	// value; the `flow` tag means it is written as a YAML flow sequence.
	Command []string `yaml:"command,flow"`
	// Period is presumably how often the command is re-run — confirm against
	// the dynamic label code.
	Period time.Duration `yaml:"period"`
}

CommandLabel is `command` section of `ssh_service` in the config file

type CommandLineFlags

// CommandLineFlags stores command line flag values; it is a much simplified
// subset of the Teleport configuration (which is fully expressed via the YAML
// config file).
type CommandLineFlags struct {
	// NodeName is the --name flag.
	NodeName string
	// AuthServerAddr is the --auth-server flag.
	AuthServerAddr []string
	// AuthToken is the --token flag. Note that a token passed as a command line
	// argument is visible to other local processes.
	AuthToken string
	// JoinMethod is the --join-method flag.
	JoinMethod string
	// CAPins are the SPKI hashes of the CAs used to verify the Auth Server.
	CAPins []string
	// ListenIP is the --listen-ip flag.
	ListenIP net.IP
	// AdvertiseIP is the --advertise-ip flag.
	AdvertiseIP string
	// ConfigFile is the --config flag.
	ConfigFile string
	// ApplyOnStartupFile (--apply-on-startup) contains the path of a YAML
	// manifest whose resources should be applied on startup. Unlike the
	// bootstrap flag, the resources are always applied, even if the cluster is
	// already initialized. Existing resources will be updated.
	ApplyOnStartupFile string
	// BootstrapFile (bootstrap flag) contains a YAML file that defines a set of
	// resources to bootstrap a cluster.
	BootstrapFile string
	// ConfigString is a base64 encoded configuration string
	// set by --config-string or the TELEPORT_CONFIG environment variable.
	ConfigString string
	// Roles is the --roles flag.
	Roles string
	// Debug is the -d flag.
	Debug bool

	// DisableTLS is the --insecure-no-tls flag.
	DisableTLS bool

	// Labels is the --labels flag.
	Labels string
	// PIDFile is the --pid-file flag.
	PIDFile string
	// DiagnosticAddr is the listen address for the diagnostic endpoint.
	DiagnosticAddr string
	// PermitUserEnvironment enables reading of ~/.tsh/environment
	// when creating a new session.
	PermitUserEnvironment bool

	// InsecureMode is controlled by the --insecure flag; in this mode Teleport
	// won't check certificates when connecting to trusted clusters. It is useful
	// for learning Teleport (following quick starts, etc).
	InsecureMode bool

	// FIPS mode means Teleport starts in a FedRAMP/FIPS 140-2 compliant
	// configuration.
	FIPS bool

	// SkipVersionCheck allows Teleport to connect to auth servers that
	// have an earlier major version number.
	SkipVersionCheck bool

	// AppName is the name of the application to proxy.
	AppName string

	// AppURI is the internal address of the application to proxy.
	AppURI string

	// AppCloud is set if the application is proxying a Cloud API.
	AppCloud string

	// AppPublicAddr is the public address of the application to proxy.
	AppPublicAddr string

	// DatabaseName is the name of the database to proxy.
	DatabaseName string
	// DatabaseDescription is a free-form database description.
	DatabaseDescription string
	// DatabaseProtocol is the type of the proxied database e.g. postgres or mysql.
	DatabaseProtocol string
	// DatabaseURI is the address to connect to the proxied database.
	DatabaseURI string
	// DatabaseCACertFile is the database CA cert path.
	DatabaseCACertFile string
	// DatabaseAWSRegion is an optional database cloud region e.g. when using AWS RDS.
	DatabaseAWSRegion string
	// DatabaseAWSAccountID is an optional AWS account ID e.g. when using Keyspaces.
	DatabaseAWSAccountID string
	// DatabaseAWSAssumeRoleARN is an optional AWS IAM role ARN to assume when
	// accessing the database.
	DatabaseAWSAssumeRoleARN string
	// DatabaseAWSExternalID is an optional AWS external ID used to enable
	// assuming an AWS role across accounts.
	DatabaseAWSExternalID string
	// DatabaseAWSRedshiftClusterID is the Redshift cluster identifier.
	DatabaseAWSRedshiftClusterID string
	// DatabaseAWSRDSInstanceID is the RDS instance identifier.
	DatabaseAWSRDSInstanceID string
	// DatabaseAWSRDSClusterID is the RDS cluster (Aurora) cluster identifier.
	DatabaseAWSRDSClusterID string
	// DatabaseAWSElastiCacheGroupID is the ElastiCache replication group identifier.
	DatabaseAWSElastiCacheGroupID string
	// DatabaseAWSMemoryDBClusterName is the MemoryDB cluster name.
	DatabaseAWSMemoryDBClusterName string
	// DatabaseAWSSessionTags is the AWS STS session tags.
	DatabaseAWSSessionTags string
	// DatabaseGCPProjectID is the GCP Cloud SQL project identifier.
	DatabaseGCPProjectID string
	// DatabaseGCPInstanceID is the GCP Cloud SQL instance identifier.
	DatabaseGCPInstanceID string
	// DatabaseADKeytabFile is the path to the Kerberos keytab file.
	DatabaseADKeytabFile string
	// DatabaseADKrb5File is the path to the krb5.conf file.
	DatabaseADKrb5File string
	// DatabaseADDomain is the Active Directory domain for authentication.
	DatabaseADDomain string
	// DatabaseADSPN is the database Service Principal Name.
	DatabaseADSPN string
	// DatabaseMySQLServerVersion is the MySQL server version reported to a client
	// if the value cannot be obtained from the database.
	DatabaseMySQLServerVersion string

	// ProxyServer is the URL of the proxy server to connect to.
	ProxyServer string
	// OpenSSHConfigPath is the path of the file to write agentless configuration to.
	OpenSSHConfigPath string
	// RestartOpenSSH indicates whether openssh should be restarted or not.
	RestartOpenSSH bool
	// RestartCommand is the command to use when restarting sshd.
	RestartCommand string
	// CheckCommand is the command to use when checking sshd config validity.
	CheckCommand string
	// Address is the IP address of the OpenSSH node.
	Address string
	// AdditionalPrincipals is a list of additional principals to include in the
	// SSH cert.
	AdditionalPrincipals string
	// DataDir is the directory Teleport stores its data in.
	DataDir string

	// IntegrationConfDeployServiceIAMArguments contains the arguments of the
	// `teleport integration configure deployservice-iam` command.
	IntegrationConfDeployServiceIAMArguments IntegrationConfDeployServiceIAM

	// IntegrationConfEICEIAMArguments contains the arguments of the
	// `teleport integration configure eice-iam` command.
	IntegrationConfEICEIAMArguments IntegrationConfEICEIAM

	// IntegrationConfEKSIAMArguments contains the arguments of the
	// `teleport integration configure eks-iam` command.
	IntegrationConfEKSIAMArguments IntegrationConfEKSIAM

	// IntegrationConfAWSOIDCIdPArguments contains the arguments of the
	// `teleport integration configure awsoidc-idp` command.
	IntegrationConfAWSOIDCIdPArguments IntegrationConfAWSOIDCIdP

	// IntegrationConfListDatabasesIAMArguments contains the arguments of the
	// `teleport integration configure listdatabases-iam` command.
	IntegrationConfListDatabasesIAMArguments IntegrationConfListDatabasesIAM

	// IntegrationConfExternalAuditStorageArguments contains the arguments of the
	// `teleport integration configure externalauditstorage` command.
	IntegrationConfExternalAuditStorageArguments easconfig.ExternalAuditStorageConfiguration

	// IntegrationConfAccessGraphAWSSyncArguments contains the arguments of the
	// `teleport integration configure access-graph aws-iam` command.
	IntegrationConfAccessGraphAWSSyncArguments IntegrationConfAccessGraphAWSSync
}

CommandLineFlags stores command line flag values; it is a much simplified subset of the Teleport configuration (which is fully expressed via the YAML config file).

type ConnectionLimits

// ConnectionLimits sets up the connection limiter.
type ConnectionLimits struct {
	// MaxConnections is the maximum number of connections allowed (presumably
	// concurrent — confirm against the limiter).
	MaxConnections int64 `yaml:"max_connections"`
	// MaxUsers is the maximum number of users allowed.
	MaxUsers int `yaml:"max_users"`
	// Rates are the connection rate limits; see ConnectionRate.
	Rates []ConnectionRate `yaml:"rates,omitempty"`
}

ConnectionLimits sets up connection limiter

type ConnectionRate

// ConnectionRate configures one rate limiter rule. NOTE(review): the field
// semantics below are inferred from the names — confirm against the limiter.
type ConnectionRate struct {
	// Period is the time window the rate is measured over.
	Period time.Duration `yaml:"period"`
	// Average is the sustained number of connections allowed per Period.
	Average int64 `yaml:"average"`
	// Burst is the maximum number of connections allowed in a burst.
	Burst int64 `yaml:"burst"`
}

ConnectionRate configures rate limiter

type Database

// Database represents a single database proxied by the service.
type Database struct {
	// Name is the name for the database proxy service.
	Name string `yaml:"name"`
	// Description is an optional free-form database description.
	Description string `yaml:"description,omitempty"`
	// Protocol is the database type e.g. postgres, mysql, etc.
	Protocol string `yaml:"protocol"`
	// URI is the database address to connect to.
	URI string `yaml:"uri"`
	// CACertFile is an optional path to the database CA certificate.
	//
	// Deprecated: use TLS.CACertFile instead.
	CACertFile string `yaml:"ca_cert_file,omitempty"`
	// TLS holds optional TLS configuration options.
	TLS DatabaseTLS `yaml:"tls"`
	// MySQL holds additional MySQL database options.
	MySQL DatabaseMySQL `yaml:"mysql"`
	// StaticLabels is a map of database static labels.
	StaticLabels map[string]string `yaml:"static_labels,omitempty"`
	// DynamicLabels is a list of database dynamic labels.
	DynamicLabels []CommandLabel `yaml:"dynamic_labels,omitempty"`
	// AWS contains AWS specific settings for AWS-hosted databases.
	AWS DatabaseAWS `yaml:"aws"`
	// GCP contains GCP specific settings for Cloud SQL databases.
	GCP DatabaseGCP `yaml:"gcp"`
	// AD contains Active Directory database configuration.
	AD DatabaseAD `yaml:"ad"`
	// Azure contains Azure database configuration.
	Azure DatabaseAzure `yaml:"azure"`
	// AdminUser describes the database privileged user for auto-provisioning.
	AdminUser DatabaseAdminUser `yaml:"admin_user"`
	// Oracle holds Oracle database settings.
	Oracle DatabaseOracle `yaml:"oracle,omitempty"`
}

Database represents a single database proxied by the service.

type DatabaseAD

// DatabaseAD contains database Active Directory configuration.
type DatabaseAD struct {
	// KeytabFile is the path to the Kerberos keytab file.
	KeytabFile string `yaml:"keytab_file"`
	// Krb5File is the path to the Kerberos configuration file. Defaults to
	// /etc/krb5.conf.
	Krb5File string `yaml:"krb5_file,omitempty"`
	// Domain is the Active Directory domain the database resides in.
	Domain string `yaml:"domain"`
	// SPN is the service principal name for the database.
	SPN string `yaml:"spn"`
	// LDAPCert is an optional certificate from Windows LDAP/AD; only used for
	// x509 authentication.
	LDAPCert string `yaml:"ldap_cert,omitempty"`
	// KDCHostName is the host name of a KDC, used for x509 authentication.
	KDCHostName string `yaml:"kdc_host_name,omitempty"`
}

DatabaseAD contains database Active Directory configuration.

type DatabaseAWS

// DatabaseAWS contains AWS specific settings for AWS-hosted databases.
type DatabaseAWS struct {
	// Region is the cloud region for the RDS/Aurora database endpoint.
	Region string `yaml:"region,omitempty"`
	// Redshift contains Redshift specific settings.
	Redshift DatabaseAWSRedshift `yaml:"redshift"`
	// RDS contains RDS specific settings.
	RDS DatabaseAWSRDS `yaml:"rds"`
	// ElastiCache contains ElastiCache specific settings.
	ElastiCache DatabaseAWSElastiCache `yaml:"elasticache"`
	// SecretStore contains settings for managing secrets.
	SecretStore SecretStore `yaml:"secret_store"`
	// MemoryDB contains MemoryDB specific settings.
	MemoryDB DatabaseAWSMemoryDB `yaml:"memorydb"`
	// AccountID is the AWS account ID.
	AccountID string `yaml:"account_id,omitempty"`
	// AssumeRoleARN is the AWS role to assume before accessing the database.
	AssumeRoleARN string `yaml:"assume_role_arn,omitempty"`
	// ExternalID is an optional AWS external ID used to enable assuming an AWS
	// role across accounts.
	ExternalID string `yaml:"external_id,omitempty"`
	// RedshiftServerless contains Redshift Serverless specific settings.
	RedshiftServerless DatabaseAWSRedshiftServerless `yaml:"redshift_serverless"`
	// SessionTags is a map of AWS STS session tags.
	SessionTags map[string]string `yaml:"session_tags,omitempty"`
}

DatabaseAWS contains AWS specific settings for RDS/Aurora databases.

type DatabaseAWSElastiCache

// DatabaseAWSElastiCache contains settings for ElastiCache databases.
type DatabaseAWSElastiCache struct {
	// ReplicationGroupID is the ElastiCache replication group ID.
	ReplicationGroupID string `yaml:"replication_group_id,omitempty"`
}

DatabaseAWSElastiCache contains settings for ElastiCache databases.

type DatabaseAWSMemoryDB

// DatabaseAWSMemoryDB contains settings for MemoryDB databases.
type DatabaseAWSMemoryDB struct {
	// ClusterName is the MemoryDB cluster name.
	ClusterName string `yaml:"cluster_name,omitempty"`
}

DatabaseAWSMemoryDB contains settings for MemoryDB databases.

type DatabaseAWSRDS

// DatabaseAWSRDS contains settings for RDS databases.
type DatabaseAWSRDS struct {
	// InstanceID is the RDS instance identifier.
	InstanceID string `yaml:"instance_id,omitempty"`
	// ClusterID is the RDS cluster (Aurora) identifier.
	ClusterID string `yaml:"cluster_id,omitempty"`
}

DatabaseAWSRDS contains settings for RDS databases.

type DatabaseAWSRedshift

// DatabaseAWSRedshift contains AWS Redshift specific settings.
type DatabaseAWSRedshift struct {
	// ClusterID is the Redshift cluster identifier.
	ClusterID string `yaml:"cluster_id,omitempty"`
}

DatabaseAWSRedshift contains AWS Redshift specific settings.

type DatabaseAWSRedshiftServerless

// DatabaseAWSRedshiftServerless contains AWS Redshift Serverless specific settings.
type DatabaseAWSRedshiftServerless struct {
	// WorkgroupName is the Redshift Serverless workgroup name.
	WorkgroupName string `yaml:"workgroup_name,omitempty"`
	// EndpointName is the Redshift Serverless VPC endpoint name.
	EndpointName string `yaml:"endpoint_name,omitempty"`
}

DatabaseAWSRedshiftServerless contains AWS Redshift Serverless specific settings.

type DatabaseAdminUser

// DatabaseAdminUser describes the privileged database user used for
// auto-provisioning of database users.
type DatabaseAdminUser struct {
	// Name is the database admin username (e.g. "postgres").
	Name string `yaml:"name"`
	// DefaultDatabase is the database that the admin user logs into by
	// default.
	//
	// Depending on the database type, this database may be used to store
	// procedures or data for managing database users.
	DefaultDatabase string `yaml:"default_database"`
}

DatabaseAdminUser describes the privileged database user used for auto-provisioning.

type DatabaseAzure

// DatabaseAzure contains Azure database configuration.
type DatabaseAzure struct {
	// ResourceID is the Azure fully qualified ID for the resource.
	ResourceID string `yaml:"resource_id,omitempty"`
	// IsFlexiServer is true if the database is an Azure Flexible Server.
	IsFlexiServer bool `yaml:"is_flexi_server,omitempty"`
}

DatabaseAzure contains Azure database configuration.

type DatabaseGCP

// DatabaseGCP contains GCP-specific settings for Cloud SQL databases.
type DatabaseGCP struct {
	// ProjectID is the GCP project ID where the database is deployed.
	ProjectID string `yaml:"project_id,omitempty"`
	// InstanceID is the Cloud SQL database instance ID.
	InstanceID string `yaml:"instance_id,omitempty"`
}

DatabaseGCP contains GCP-specific settings for Cloud SQL databases.

type DatabaseMySQL

// DatabaseMySQL holds additional MySQL database options.
type DatabaseMySQL struct {
	// ServerVersion is the MySQL version string reported by the DB proxy to
	// clients instead of the default Teleport string.
	ServerVersion string `yaml:"server_version,omitempty"`
}

DatabaseMySQL holds additional MySQL database options.

type DatabaseOracle

// DatabaseOracle holds additional Oracle database options.
type DatabaseOracle struct {
	// AuditUser is the Oracle database user with the privilege to access the
	// internal Oracle audit trail.
	AuditUser string `yaml:"audit_user,omitempty"`
}

DatabaseOracle holds additional Oracle database options.

type DatabaseSampleFlags

// DatabaseSampleFlags specifies configuration parameters for a database
// agent. It carries the values collected from the command line that
// MakeDatabaseAgentConfigString renders into a sample configuration.
type DatabaseSampleFlags struct {
	// DynamicResourcesRawLabels is the "raw" list of labels for dynamic "resources".
	DynamicResourcesRawLabels []string
	// DynamicResourcesLabels is the list of labels for dynamic "resources".
	DynamicResourcesLabels []map[string]string
	// StaticDatabaseName is the static database name provided by the user.
	StaticDatabaseName string
	// StaticDatabaseProtocol is the static database protocol provided by the user.
	StaticDatabaseProtocol string
	// StaticDatabaseURI is the static database URI provided by the user.
	StaticDatabaseURI string
	// StaticDatabaseStaticLabels is the list of database static labels provided by
	// the user.
	StaticDatabaseStaticLabels map[string]string
	// StaticDatabaseDynamicLabels is the list of database dynamic labels provided by
	// the user.
	StaticDatabaseDynamicLabels services.CommandLabels
	// StaticDatabaseRawLabels is the "raw" list of database labels provided by the
	// user.
	StaticDatabaseRawLabels string
	// NodeName is the `nodename` configuration.
	NodeName string
	// DataDir is the `data_dir` configuration.
	DataDir string
	// ProxyServer is the address of the proxy server.
	ProxyServer string
	// AuthToken is the auth server join token.
	AuthToken string
	// CAPins are the SPKI hashes of the CAs used to verify the Auth Server.
	CAPins []string
	// AzureMySQLDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover MySQL servers in.
	AzureMySQLDiscoveryRegions []string
	// AzurePostgresDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover Postgres servers in.
	AzurePostgresDiscoveryRegions []string
	// AzureRedisDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover Azure Cache for Redis servers in.
	AzureRedisDiscoveryRegions []string
	// AzureSQLServerDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover Azure SQL servers and managed instances in.
	AzureSQLServerDiscoveryRegions []string
	// AzureSubscriptions is a list of Azure subscriptions.
	AzureSubscriptions []string
	// AzureResourceGroups is a list of Azure resource groups.
	AzureResourceGroups []string
	// AzureTags is the list of the Azure resource tags used for Azure discoveries.
	AzureTags map[string]string
	// AzureRawTags is the "raw" list of Azure resource tags used for Azure discoveries.
	AzureRawTags string
	// RDSDiscoveryRegions is a list of regions in which RDS auto-discovery is
	// configured.
	RDSDiscoveryRegions []string
	// RDSProxyDiscoveryRegions is a list of regions in which RDS Proxy
	// auto-discovery is configured.
	RDSProxyDiscoveryRegions []string
	// RedshiftDiscoveryRegions is a list of regions in which Redshift
	// auto-discovery is configured.
	RedshiftDiscoveryRegions []string
	// RedshiftServerlessDiscoveryRegions is a list of regions in which Redshift
	// Serverless auto-discovery is configured.
	RedshiftServerlessDiscoveryRegions []string
	// ElastiCacheDiscoveryRegions is a list of regions in which ElastiCache
	// auto-discovery is configured.
	ElastiCacheDiscoveryRegions []string
	// MemoryDBDiscoveryRegions is a list of regions in which MemoryDB
	// auto-discovery is configured.
	MemoryDBDiscoveryRegions []string
	// OpenSearchDiscoveryRegions is a list of regions in which OpenSearch
	// auto-discovery is configured.
	OpenSearchDiscoveryRegions []string
	// AWSTags is the list of the AWS resource tags used for AWS discoveries.
	AWSTags map[string]string
	// AWSRawTags is the "raw" list of AWS resource tags used for AWS discoveries.
	AWSRawTags string
	// DatabaseProtocols is a list of supported database protocols.
	DatabaseProtocols []string
	// DatabaseAWSRegion is an optional database cloud region e.g. when using AWS RDS.
	DatabaseAWSRegion string
	// DatabaseAWSAccountID is an optional AWS account ID e.g. when using Keyspaces or DynamoDB.
	DatabaseAWSAccountID string
	// DatabaseAWSAssumeRoleARN is an optional AWS IAM role ARN to assume when accessing the database.
	DatabaseAWSAssumeRoleARN string
	// DatabaseAWSExternalID is an optional AWS external ID, used together with
	// DatabaseAWSAssumeRoleARN when assuming a role across accounts.
	DatabaseAWSExternalID string
	// DatabaseAWSRedshiftClusterID is the Redshift cluster identifier.
	DatabaseAWSRedshiftClusterID string
	// DatabaseAWSRDSClusterID is the RDS Aurora cluster identifier.
	DatabaseAWSRDSClusterID string
	// DatabaseAWSRDSInstanceID is the RDS instance identifier.
	DatabaseAWSRDSInstanceID string
	// DatabaseAWSElastiCacheGroupID is the ElastiCache replication group identifier.
	DatabaseAWSElastiCacheGroupID string
	// DatabaseAWSMemoryDBClusterName is the MemoryDB cluster name.
	DatabaseAWSMemoryDBClusterName string
	// DatabaseADDomain is the Active Directory domain for authentication.
	DatabaseADDomain string
	// DatabaseADSPN is the database Service Principal Name.
	DatabaseADSPN string
	// DatabaseADKeytabFile is the path to the Kerberos keytab file.
	DatabaseADKeytabFile string
	// DatabaseGCPProjectID is the GCP Cloud SQL project identifier.
	DatabaseGCPProjectID string
	// DatabaseGCPInstanceID is the GCP Cloud SQL instance identifier.
	DatabaseGCPInstanceID string
	// DatabaseCACertFile is the path to the database CA certificate.
	DatabaseCACertFile string
}

DatabaseSampleFlags specifies configuration parameters for a database agent.

func (*DatabaseSampleFlags) CheckAndSetDefaults

func (f *DatabaseSampleFlags) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values for the flags.

type DatabaseTLS

// DatabaseTLS keeps the TLS settings used when connecting to a database.
type DatabaseTLS struct {
	// Mode is the TLS verification mode. Available options are 'verify-full',
	// 'verify-ca' or 'insecure'; 'verify-full' is the default.
	// NOTE(review): the names indicate that 'verify-ca' and 'insecure' relax
	// verification relative to 'verify-full' — confirm the exact semantics
	// in the code that consumes this field.
	Mode string `yaml:"mode"`
	// ServerName allows providing a custom server name.
	// This name overrides the DNS name when validating the certificate
	// presented by the database.
	ServerName string `yaml:"server_name,omitempty"`
	// CACertFile is an optional path to the database CA certificate.
	CACertFile string `yaml:"ca_cert_file,omitempty"`
}

DatabaseTLS keeps the TLS settings used when connecting to a database.

type Databases

// Databases represents the database proxy service configuration.
// In the configuration file this is the "db_service" section.
type Databases struct {
	// Service contains common service fields.
	Service `yaml:",inline"`
	// Databases is a list of databases proxied by the service.
	Databases []*Database `yaml:"databases"`
	// ResourceMatchers match cluster database resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
	// AWSMatchers match AWS-hosted databases.
	AWSMatchers []AWSMatcher `yaml:"aws,omitempty"`
	// AzureMatchers match Azure-hosted databases.
	AzureMatchers []AzureMatcher `yaml:"azure,omitempty"`
}

Databases represents the database proxy service configuration.

In the configuration file this section will be "db_service".

type DeviceTrust

// DeviceTrust holds settings related to trusted device verification.
// Requires Teleport Enterprise.
type DeviceTrust struct {
	// Mode is the trusted device verification mode.
	// Mirrors types.DeviceTrust.Mode.
	Mode string `yaml:"mode,omitempty"`
	// AutoEnroll is the toggle for the device auto-enroll feature.
	// Declared as a string rather than a bool; presumably parsed by Parse —
	// confirm the accepted values there.
	AutoEnroll string `yaml:"auto_enroll,omitempty"`
	// EKCertAllowedCAs is an allow list of EKCert CAs. These may be specified
	// as a PEM encoded certificate or as a path to a PEM encoded certificate.
	//
	// If present, only TPM devices that present an EKCert that is signed by a
	// CA specified here may be enrolled (existing enrollments are
	// unchanged).
	//
	// If not present, then the CA of TPM EKCerts will not be checked during
	// enrollment; this allows any device to enroll.
	EKCertAllowedCAs []string `yaml:"ekcert_allowed_cas,omitempty"`
}

DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise.

func (*DeviceTrust) Parse

func (dt *DeviceTrust) Parse() (*types.DeviceTrust, error)

type Discovery

// Discovery represents a discovery_service section in the config file.
type Discovery struct {
	// Service contains common service fields.
	Service `yaml:",inline"`

	// AWSMatchers are used to match EC2 instances.
	AWSMatchers []AWSMatcher `yaml:"aws,omitempty"`

	// AzureMatchers are used to match Azure resources.
	AzureMatchers []AzureMatcher `yaml:"azure,omitempty"`

	// GCPMatchers are used to match GCP resources.
	GCPMatchers []GCPMatcher `yaml:"gcp,omitempty"`

	// KubernetesMatchers are used to match services inside a Kubernetes
	// cluster for auto discovery.
	KubernetesMatchers []KubernetesMatcher `yaml:"kubernetes,omitempty"`

	// AccessGraph is used to configure the cloud sync into AccessGraph.
	AccessGraph *AccessGraphSync `yaml:"access_graph,omitempty"`

	// DiscoveryGroup is the name of the discovery group that the current
	// discovery service is a part of.
	// It is used to filter out discovered resources that belong to other
	// discovery services. When running in high availability mode and the agents
	// have access to the same cloud resources, this field value must be the same
	// for all discovery services. If different agents are used to discover different
	// sets of cloud resources, this field must be different for each set of agents.
	DiscoveryGroup string `yaml:"discovery_group,omitempty"`
	// PollInterval is the cadence at which the discovery server will run each of its
	// discovery cycles.
	PollInterval time.Duration `yaml:"poll_interval,omitempty"`
}

Discovery represents a discovery_service section in the config file.

type FileConfig

// FileConfig represents the Teleport configuration stored in a YAML config
// file (usually /etc/teleport.yaml). Use ReadFromFile to obtain a parsed
// FileConfig from a YAML file.
type FileConfig struct {
	// Version is the config file format version ("version" key).
	Version string `yaml:"version,omitempty"`
	// Global is the embedded "teleport" (global) section.
	Global  `yaml:"teleport,omitempty"`
	// Auth is the "auth_service" section.
	Auth    Auth  `yaml:"auth_service,omitempty"`
	// SSH is the "ssh_service" section.
	SSH     SSH   `yaml:"ssh_service,omitempty"`
	// Proxy is the "proxy_service" section.
	Proxy   Proxy `yaml:"proxy_service,omitempty"`
	// Kube is the "kubernetes_service" section.
	Kube    Kube  `yaml:"kubernetes_service,omitempty"`

	// Apps is the "app_service" section in Teleport file configuration which
	// defines application access configuration.
	Apps Apps `yaml:"app_service,omitempty"`

	// Databases is the "db_service" section in Teleport configuration file
	// that defines database access configuration.
	Databases Databases `yaml:"db_service,omitempty"`

	// Metrics is the "metrics_service" section in Teleport configuration file
	// that defines the metrics service configuration.
	Metrics Metrics `yaml:"metrics_service,omitempty"`

	// WindowsDesktop is the "windows_desktop_service" section that defines the
	// configuration for Windows Desktop Access.
	WindowsDesktop WindowsDesktopService `yaml:"windows_desktop_service,omitempty"`

	// Tracing is the "tracing_service" section in Teleport configuration file.
	Tracing TracingService `yaml:"tracing_service,omitempty"`

	// Discovery is the "discovery_service" section in the Teleport
	// configuration file.
	Discovery Discovery `yaml:"discovery_service,omitempty"`

	// Okta is the "okta_service" section in the Teleport configuration file.
	Okta Okta `yaml:"okta_service,omitempty"`

	// Jamf is the "jamf_service" section in the config file.
	Jamf JamfService `yaml:"jamf_service,omitempty"`

	// Plugins is the "plugin_service" section of the config for configuring
	// the plugin service.
	Plugins PluginService `yaml:"plugin_service,omitempty"`

	// AccessGraph is the "access_graph" section of the config describing the
	// AccessGraph service.
	AccessGraph AccessGraph `yaml:"access_graph,omitempty"`
}

FileConfig structure represents the teleport configuration stored in a config file in YAML format (usually /etc/teleport.yaml)

Use config.ReadFromFile() to read the parsed FileConfig from a YAML file.

func MakeSampleFileConfig

func MakeSampleFileConfig(flags SampleFlags) (fc *FileConfig, err error)

MakeSampleFileConfig returns a sample config to start a standalone server

func ReadConfig

func ReadConfig(reader io.Reader) (*FileConfig, error)

ReadConfig reads Teleport configuration from reader in YAML format

func ReadConfigFile

func ReadConfigFile(cliConfigPath string) (*FileConfig, error)

ReadConfigFile reads /etc/teleport.yaml (or whatever is passed via --config flag) and overrides values in 'cfg' structure

func ReadFromFile

func ReadFromFile(filePath string) (*FileConfig, error)

ReadFromFile reads Teleport configuration from a file. Currently only YAML format is supported

func ReadFromString

func ReadFromString(configString string) (*FileConfig, error)

ReadFromString reads Teleport configuration from a base64-encoded string.

func (*FileConfig) CheckAndSetDefaults

func (conf *FileConfig) CheckAndSetDefaults() error

CheckAndSetDefaults sets defaults and ensures that the ciphers, kex algorithms, and mac algorithms set are supported by golang.org/x/crypto/ssh. This ensures we don't start Teleport with invalid configuration.

func (*FileConfig) DebugDumpToYAML

func (conf *FileConfig) DebugDumpToYAML() string

DebugDumpToYAML allows for quick YAML dumping of the config

type GCPMatcher

// GCPMatcher matches GCP resources.
type GCPMatcher struct {
	// Types are GCP resource types to match: "gke", "gce".
	Types []string `yaml:"types,omitempty"`
	// Locations are GCP locations to search resources in.
	Locations []string `yaml:"locations,omitempty"`
	// Labels are GCP labels to match.
	Labels map[string]apiutils.Strings `yaml:"labels,omitempty"`
	// Tags are an alias for Labels, kept for backwards compatibility.
	Tags map[string]apiutils.Strings `yaml:"tags,omitempty"`
	// ProjectIDs are the GCP project IDs where the resources are deployed.
	ProjectIDs []string `yaml:"project_ids,omitempty"`
	// ServiceAccounts are the emails of service accounts attached to VMs.
	ServiceAccounts []string `yaml:"service_accounts,omitempty"`
	// InstallParams sets the join method when installing on
	// discovered GCP VMs.
	InstallParams *InstallParams `yaml:"install,omitempty"`
}

GCPMatcher matches GCP resources.

type Global

// Global is the 'teleport' (global) section of the config file.
type Global struct {
	// NodeName is the "nodename" setting.
	NodeName string `yaml:"nodename,omitempty"`
	// DataDir is the "data_dir" setting.
	DataDir  string `yaml:"data_dir,omitempty"`
	// PIDFile is the "pid_file" setting.
	PIDFile  string `yaml:"pid_file,omitempty"`

	// JoinParams configures how this process joins the cluster; see JoinParams.
	JoinParams JoinParams `yaml:"join_params,omitempty"`

	// AuthServers is used by config versions v1 and v2.
	AuthServers []string `yaml:"auth_servers,omitempty"`
	// AuthToken is the old way of configuring the token to be used by the
	// node to join the Teleport cluster. `JoinParams.TokenName` should be
	// used instead with `JoinParams.JoinMethod = types.JoinMethodToken`.
	AuthToken string `yaml:"auth_token,omitempty"`

	// AuthServer and ProxyServer are used by config version v3.
	AuthServer  string `yaml:"auth_server,omitempty"`
	ProxyServer string `yaml:"proxy_server,omitempty"`

	// Limits is the "connection_limits" section.
	Limits      ConnectionLimits `yaml:"connection_limits,omitempty"`
	// Logger is the "log" section.
	Logger      Log              `yaml:"log,omitempty"`
	// Storage is the "storage" (backend) section.
	Storage     backend.Config   `yaml:"storage,omitempty"`
	// AdvertiseIP is the "advertise_ip" setting.
	AdvertiseIP string           `yaml:"advertise_ip,omitempty"`
	// CachePolicy is the "cache" section.
	CachePolicy CachePolicy      `yaml:"cache,omitempty"`

	// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
	// omitted, a Teleport selected list of defaults will be used.
	CipherSuites []string `yaml:"ciphersuites,omitempty"`

	// Ciphers is a list of SSH ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string `yaml:"ciphers,omitempty"`

	// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used.
	KEXAlgorithms []string `yaml:"kex_algos,omitempty"`

	// MACAlgorithms is a list of SSH message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used.
	MACAlgorithms []string `yaml:"mac_algos,omitempty"`

	// CASignatureAlgorithm is ignored but kept for config backwards compat.
	CASignatureAlgorithm *string `yaml:"ca_signature_algo,omitempty"`

	// CAPin is the SPKI hash of the CA used to verify the Auth Server. Can be
	// a single value or a list.
	CAPin apiutils.Strings `yaml:"ca_pin"`

	// DiagAddr is the address to expose a diagnostics HTTP endpoint.
	DiagAddr string `yaml:"diag_addr"`
}

Global is the 'teleport' (global) section of the config file.

type GoogleCloudKMS

// GoogleCloudKMS configures Google Cloud Key Management Service to be used
// for all CA private key crypto operations.
type GoogleCloudKMS struct {
	// KeyRing is the GCP key ring where all keys generated by this auth server
	// should be held. This must be the fully qualified resource name of the key
	// ring, including the project and location, e.g.
	// projects/teleport-project/locations/us-west1/keyRings/teleport-keyring
	KeyRing string `yaml:"keyring"`
	// ProtectionLevel specifies how cryptographic operations are performed.
	// For more information, see https://cloud.google.com/kms/docs/algorithms#protection_levels
	// Supported options are "HSM" and "SOFTWARE".
	ProtectionLevel string `yaml:"protection_level"`
}

GoogleCloudKMS configures Google Cloud Key Management Service to be used for all CA private key crypto operations.

type HardwareKey

// HardwareKey holds settings related to hardware key support.
// Requires Teleport Enterprise.
type HardwareKey struct {
	// PIVSlot is a PIV slot that Teleport clients should use instead of the
	// default based on private key policy. For example, "9a" or "9e".
	PIVSlot keys.PIVSlot `yaml:"piv_slot,omitempty"`

	// SerialNumberValidation contains optional settings for hardware key
	// serial number validation, including whether it is enabled.
	SerialNumberValidation *HardwareKeySerialNumberValidation `yaml:"serial_number_validation,omitempty"`
}

HardwareKey holds settings related to hardware key support. Requires Teleport Enterprise.

func (*HardwareKey) Parse

func (h *HardwareKey) Parse() (*types.HardwareKey, error)

type HardwareKeySerialNumberValidation

// HardwareKeySerialNumberValidation holds settings related to hardware key
// serial number validation. Requires Teleport Enterprise.
type HardwareKeySerialNumberValidation struct {
	// Enabled indicates whether hardware key serial number validation is enabled.
	// Declared as a string rather than a bool; presumably parsed by Parse —
	// confirm the accepted values there.
	Enabled string `yaml:"enabled"`

	// SerialNumberTraitName is an optional custom user trait name for hardware key
	// serial numbers to replace the default: "hardware_key_serial_numbers".
	SerialNumberTraitName string `yaml:"serial_number_trait_name"`
}

HardwareKeySerialNumberValidation holds settings related to hardware key serial number validation. Requires Teleport Enterprise.

func (*HardwareKeySerialNumberValidation) Parse

type HostedPlugins

// HostedPlugins defines the 'auth_service/plugins' Enterprise extension.
type HostedPlugins struct {
	// Enabled toggles the hosted plugins feature.
	Enabled        bool                 `yaml:"enabled"`
	// OAuthProviders holds the OAuth provider credentials used by hosted plugins.
	OAuthProviders PluginOAuthProviders `yaml:"oauth_providers,omitempty"`
}

HostedPlugins defines 'auth_service/plugins' Enterprise extension

type IdP

// IdP represents the configuration for identity providers running within
// the proxy.
type IdP struct {
	// SAMLIdP represents configuration options for the SAML identity provider.
	SAMLIdP SAMLIdP `yaml:"saml,omitempty"`
}

IdP represents the configuration for identity providers running within the proxy.

type InstallParams

// InstallParams sets the join method to use on discovered nodes.
type InstallParams struct {
	// JoinParams sets the token and method to use when generating
	// config on cloud instances.
	JoinParams JoinParams `yaml:"join_params,omitempty"`
	// ScriptName is the name of the teleport installer script
	// resource for the cloud instance to execute.
	ScriptName string `yaml:"script_name,omitempty"`
	// InstallTeleport disables agentless discovery.
	// Declared as a string rather than a bool; confirm the accepted values
	// in the code that consumes this field.
	InstallTeleport string `yaml:"install_teleport,omitempty"`
	// SSHDConfig provides the path to write sshd configuration changes to.
	SSHDConfig string `yaml:"sshd_config,omitempty"`
	// PublicProxyAddr is the address of the proxy the discovered node should use
	// to connect to the cluster.
	PublicProxyAddr string `yaml:"public_proxy_addr,omitempty"`
	// Azure is the set of installation parameters specific to Azure.
	Azure *AzureInstallParams `yaml:"azure,omitempty"`
}

InstallParams sets the join method to use on discovered nodes.

type IntegrationConfAWSOIDCIdP

// IntegrationConfAWSOIDCIdP contains the arguments of the
// `teleport integration configure awsoidc-idp` command.
type IntegrationConfAWSOIDCIdP struct {
	// Cluster is the teleport cluster name.
	Cluster string
	// Name is the integration name.
	Name string
	// Role is the AWS Role to associate with the Integration.
	Role string
	// ProxyPublicURL is the IdP Issuer URL (Teleport Proxy Public Address).
	// Eg, https://<tenant>.teleport.sh
	ProxyPublicURL string
}

IntegrationConfAWSOIDCIdP contains the arguments of `teleport integration configure awsoidc-idp` command

type IntegrationConfAccessGraphAWSSync

// IntegrationConfAccessGraphAWSSync contains the arguments of the
// `teleport integration configure access-graph aws-iam` command.
type IntegrationConfAccessGraphAWSSync struct {
	// Role is the AWS Role associated with the Integration.
	Role string
}

IntegrationConfAccessGraphAWSSync contains the arguments of `teleport integration configure access-graph aws-iam` command.

type IntegrationConfDeployServiceIAM

// IntegrationConfDeployServiceIAM contains the arguments of the
// `teleport integration configure deployservice-iam` command.
type IntegrationConfDeployServiceIAM struct {
	// Cluster is the teleport cluster name.
	Cluster string
	// Name is the integration name.
	Name string
	// Region is the AWS Region used to set up the client.
	Region string
	// Role is the AWS Role associated with the Integration.
	Role string
	// TaskRole is the AWS Role to be used by the deployed service.
	TaskRole string
}

IntegrationConfDeployServiceIAM contains the arguments of `teleport integration configure deployservice-iam` command

type IntegrationConfEICEIAM

// IntegrationConfEICEIAM contains the arguments of the
// `teleport integration configure eice-iam` command.
type IntegrationConfEICEIAM struct {
	// Region is the AWS Region used to set up the client.
	Region string
	// Role is the AWS Role associated with the Integration.
	Role string
}

IntegrationConfEICEIAM contains the arguments of `teleport integration configure eice-iam` command

type IntegrationConfEKSIAM

// IntegrationConfEKSIAM contains the arguments of the
// `teleport integration configure eks-iam` command.
type IntegrationConfEKSIAM struct {
	// Region is the AWS Region used to set up the client.
	Region string
	// Role is the AWS Role associated with the Integration.
	Role string
}

IntegrationConfEKSIAM contains the arguments of `teleport integration configure eks-iam` command

type IntegrationConfListDatabasesIAM

// IntegrationConfListDatabasesIAM contains the arguments of the
// `teleport integration configure listdatabases-iam` command.
type IntegrationConfListDatabasesIAM struct {
	// Region is the AWS Region used to set up the client.
	Region string
	// Role is the AWS Role associated with the Integration.
	Role string
}

IntegrationConfListDatabasesIAM contains the arguments of `teleport integration configure listdatabases-iam` command

type JamfInventoryEntry

// JamfInventoryEntry is the yaml representation of a jamf_service.inventory
// entry. Corresponds to types.JamfInventoryEntry.
type JamfInventoryEntry struct {
	// FilterRSQL is a Jamf Pro API RSQL filter string.
	FilterRSQL string `yaml:"filter_rsql,omitempty"`
	// SyncPeriodPartial is the period for PARTIAL syncs.
	// Zero means "server default", negative means "disabled".
	SyncPeriodPartial time.Duration `yaml:"sync_period_partial,omitempty"`
	// SyncPeriodFull is the period for FULL syncs.
	// Zero means "server default", negative means "disabled".
	SyncPeriodFull time.Duration `yaml:"sync_period_full,omitempty"`
	// OnMissing is the trigger for devices missing from the MDM inventory view.
	// See [types.JamfInventoryEntry.OnMissing].
	OnMissing string `yaml:"on_missing,omitempty"`
}

JamfInventoryEntry is the yaml representation of a jamf_service.inventory entry. Corresponds to types.JamfInventoryEntry.

type JamfService

// JamfService is the yaml representation of jamf_service.
// Corresponds to types.JamfSpecV1.
type JamfService struct {
	// Service contains common service fields.
	Service `yaml:",inline"`
	// Name is the name of the sync device source.
	Name string `yaml:"name,omitempty"`
	// SyncDelay is the initial sync delay.
	// Zero means "server default", negative means "immediate".
	SyncDelay time.Duration `yaml:"sync_delay,omitempty"`
	// ExitOnSync tells the service to exit immediately after the first sync.
	ExitOnSync bool `yaml:"exit_on_sync,omitempty"`
	// APIEndpoint is the Jamf Pro API endpoint.
	// Example: "https://yourtenant.jamfcloud.com/api".
	APIEndpoint string `yaml:"api_endpoint,omitempty"`
	// Username is the Jamf Pro API username.
	Username string `yaml:"username,omitempty"`
	// PasswordFile is a file containing the Jamf Pro API password; the secret
	// itself is never placed in the config file.
	// A single trailing newline is trimmed, anything else is taken literally.
	PasswordFile string `yaml:"password_file,omitempty"`
	// Inventory are the entries for inventory sync.
	Inventory []*JamfInventoryEntry `yaml:"inventory,omitempty"`
}

JamfService is the yaml representation of jamf_service. Corresponds to types.JamfSpecV1.

type JoinParams

// JoinParams configures the parameters for Simplified Node Joining.
type JoinParams struct {
	// TokenName is the join token (or the name of a file holding it; confirm
	// in the code that consumes this field) used to join the cluster.
	TokenName string           `yaml:"token_name"`
	// Method is the join method, e.g. types.JoinMethodToken.
	Method    types.JoinMethod `yaml:"method"`
	// Azure holds Azure-specific join parameters.
	Azure     AzureJoinParams  `yaml:"azure,omitempty"`
}

JoinParams configures the parameters for Simplified Node Joining.

type KeyPair

// KeyPair represents paths on disk to a private key and its certificate.
type KeyPair struct {
	// PrivateKey is the path on disk to a PEM encoded private key.
	PrivateKey string `yaml:"key_file"`
	// Certificate is the path on disk to a PEM encoded x509 certificate.
	Certificate string `yaml:"cert_file"`
}

KeyPair represents a path on disk to a private key and certificate.

type Kube

// Kube is the `kubernetes_service` section of the config file.
type Kube struct {
	// Service is a generic service configuration section.
	Service `yaml:",inline"`
	// PublicAddr is a publicly advertised address of the kubernetes service.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// KubeconfigFile is an optional path to a kubeconfig file;
	// if specified, teleport will use the API server address and
	// trusted certificate authority information from it.
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
	// KubeClusterName is the name of a kubernetes cluster this service is
	// running in. If set, this proxy will handle kubernetes requests for the
	// cluster.
	KubeClusterName string `yaml:"kube_cluster_name,omitempty"`
	// StaticLabels are the static labels for RBAC on kubernetes clusters.
	StaticLabels map[string]string `yaml:"labels,omitempty"`
	// DynamicLabels are the dynamic labels for RBAC on kubernetes clusters.
	DynamicLabels []CommandLabel `yaml:"commands,omitempty"`
	// ResourceMatchers match cluster kube_cluster resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
}

Kube is the `kubernetes_service` section of the config file.

type KubeProxy

// KubeProxy is the `kubernetes` section in `proxy_service`.
type KubeProxy struct {
	// Service is a generic service configuration section.
	Service `yaml:",inline"`
	// PublicAddr is a publicly advertised address of the kubernetes proxy.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// KubeconfigFile is an optional path to a kubeconfig file;
	// if specified, teleport will use the API server address and
	// trusted certificate authority information from it.
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
	// ClusterName is the name of a kubernetes cluster this proxy is running
	// in. If set, this proxy will handle kubernetes requests for the cluster.
	ClusterName string `yaml:"cluster_name,omitempty"`
}

KubeProxy is a `kubernetes` section in `proxy_service`.

type KubernetesMatcher

// KubernetesMatcher matches Kubernetes resources.
type KubernetesMatcher struct {
	// Types are Kubernetes service types to match. Currently only 'app' is supported.
	Types []string `yaml:"types,omitempty"`
	// Namespaces are Kubernetes namespaces in which to discover services.
	Namespaces []string `yaml:"namespaces,omitempty"`
	// Labels are Kubernetes service labels to match.
	Labels map[string]apiutils.Strings `yaml:"labels,omitempty"`
}

KubernetesMatcher matches Kubernetes resources.

type LDAPConfig

// LDAPConfig is the LDAP connection parameters.
type LDAPConfig struct {
	// Addr is the host:port of the LDAP server (typically port 389).
	Addr string `yaml:"addr"`
	// Domain is the ActiveDirectory domain name.
	Domain string `yaml:"domain"`
	// Username for LDAP authentication.
	Username string `yaml:"username"`
	// SID is the Security Identifier for the service account specified by Username.
	SID string `yaml:"sid"`
	// InsecureSkipVerify decides whether we skip verifying the LDAP server's
	// certificate against its CA when making the LDAPS connection. When true,
	// DEREncodedCAFile and PEMEncodedCACert are not used for verification.
	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`
	// ServerName is the name of the LDAP server for TLS.
	ServerName string `yaml:"server_name,omitempty"`
	// DEREncodedCAFile is the filepath to an optional DER encoded CA cert to be used for verification (if InsecureSkipVerify is set to false).
	DEREncodedCAFile string `yaml:"der_ca_file,omitempty"`
	// PEMEncodedCACert is an optional PEM encoded CA cert to be used for verification (if InsecureSkipVerify is set to false).
	PEMEncodedCACert string `yaml:"ldap_ca_cert,omitempty"`
}

LDAPConfig is the LDAP connection parameters.

type LDAPDiscoveryConfig

// LDAPDiscoveryConfig is the LDAP discovery configuration for the Windows
// desktop discovery service.
type LDAPDiscoveryConfig struct {
	// BaseDN is the base DN to search for desktops.
	// Use the value '*' to search from the root of the domain,
	// or leave blank to disable desktop discovery.
	BaseDN string `yaml:"base_dn"`
	// Filters are additional LDAP filters to apply to the search.
	// See: https://ldap.com/ldap-filters/
	Filters []string `yaml:"filters"`
	// LabelAttributes are LDAP attributes to apply to hosts discovered
	// via LDAP. Teleport labels hosts by prefixing the attribute with
	// "ldap/" - for example, a value of "location" here would result in
	// discovered desktops having a label with key "ldap/location" and
	// the value being the value of the "location" attribute.
	LabelAttributes []string `yaml:"label_attributes"`
}

LDAPDiscoveryConfig is the LDAP discovery configuration for the Windows desktop discovery service.

type LegacyLog

// LegacyLog contains the old format of the 'format' field. It is kept for
// backwards compatibility; the custom yaml unmarshaler on Log converts it
// into the new LogFormat representation.
type LegacyLog struct {
	// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
	// a path to a log file.
	Output string `yaml:"output,omitempty"`
	// Severity defines how verbose the log will be. Possible values are "error", "info", "warn".
	Severity string `yaml:"severity,omitempty"`
	// Format lists the output fields from KnownFormatFields. Example format: [timestamp, component, caller]
	Format []string `yaml:"format,omitempty"`
}

LegacyLog contains the old format of the 'format' field. It is kept here for backwards compatibility and should always be maintained. The custom yaml unmarshaler should automatically convert it into the new expected format.

type Log

// Log configures teleport logging.
type Log struct {
	// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
	// a path to a log file.
	Output string `yaml:"output,omitempty"`
	// Severity defines how verbose the log will be. Possible values are "error", "info", "warn".
	Severity string `yaml:"severity,omitempty"`
	// Format defines the logs output format and extra fields.
	Format LogFormat `yaml:"format,omitempty"`
}

Log configures teleport logging

func (*Log) UnmarshalYAML

func (l *Log) UnmarshalYAML(unmarshal func(interface{}) error) error

type LogFormat

// LogFormat specifies the logs output format and extra fields.
type LogFormat struct {
	// Output defines the output format. Possible values are 'text' and 'json'.
	Output string `yaml:"output,omitempty"`
	// ExtraFields lists the output fields from KnownFormatFields. Example format: [timestamp, component, caller]
	ExtraFields []string `yaml:"extra_fields,omitempty"`
}

LogFormat specifies the logs output format and extra fields

type Metrics

// Metrics is a `metrics_service` section of the config file.
type Metrics struct {
	// Service is a generic service configuration section
	Service `yaml:",inline"`

	// KeyPairs is a list of x509 serving key pairs used for securing the metrics endpoint with mTLS.
	// mTLS will be enabled for the service if both 'keypairs' and 'ca_certs' fields are set.
	KeyPairs []KeyPair `yaml:"keypairs,omitempty"`

	// CACerts is a list of prometheus CA certificates to validate clients against.
	// mTLS will be enabled for the service if both 'keypairs' and 'ca_certs' fields are set;
	// if either is left empty the endpoint is served without client certificate
	// authentication (see MTLSEnabled).
	CACerts []string `yaml:"ca_certs,omitempty"`

	// GRPCServerLatency enables histogram metrics for each gRPC endpoint on the auth server
	GRPCServerLatency bool `yaml:"grpc_server_latency,omitempty"`

	// GRPCClientLatency enables histogram latency metrics for outbound gRPC
	// client calls (the client-side counterpart of GRPCServerLatency).
	GRPCClientLatency bool `yaml:"grpc_client_latency,omitempty"`
}

Metrics is a `metrics_service` section of the config file.

func (*Metrics) MTLSEnabled

func (m *Metrics) MTLSEnabled() bool

MTLSEnabled returns whether mtls is enabled or not in the metrics service config.

type OAuthClientCredentials

// OAuthClientCredentials holds paths from which to read client credentials
// for Teleport's OAuth app. Both values are file paths, not the credentials
// themselves, so the secret material stays out of the config file.
type OAuthClientCredentials struct {
	// ClientID is the path to the file containing the Client ID
	ClientID string `yaml:"client_id"`
	// ClientSecret is the path to the file containing the Client Secret
	ClientSecret string `yaml:"client_secret"`
}

OAuthClientCredentials holds paths from which to read client credentials for Teleport's OAuth app.

func (*OAuthClientCredentials) Parse

type Okta

// Okta represents an okta_service section in the config file.
type Okta struct {
	// Service is a generic service configuration section.
	Service `yaml:",inline"`

	// APIEndpoint is the Okta API endpoint to use.
	APIEndpoint string `yaml:"api_endpoint,omitempty"`

	// APITokenPath is the path to the Okta API token.
	APITokenPath string `yaml:"api_token_path,omitempty"`

	// SyncPeriod is the duration between synchronization calls for synchronizing Okta applications and groups.
	// Deprecated. Please use sync.app_group_sync_period instead.
	SyncPeriod time.Duration `yaml:"sync_period,omitempty"`

	// Sync holds the synchronization settings for the Okta service
	// (the 'sync' subsection).
	Sync OktaSync `yaml:"sync,omitempty"`
}

Okta represents an okta_service section in the config file.

type OktaSync

// OktaSync represents the 'sync' subsection of the okta_service section in
// the config file. Parse converts it into servicecfg.OktaSyncSettings.
type OktaSync struct {
	// AppGroupSyncPeriod is the duration between synchronization calls for synchronizing Okta applications and groups.
	AppGroupSyncPeriod time.Duration `yaml:"app_group_sync_period,omitempty"`

	// SyncAccessListsFlag is the raw 'sync_access_lists' value that enables or
	// disables the Okta importing of access lists. Defaults to false.
	// Read it through the SyncAccessLists method rather than directly.
	SyncAccessListsFlag string `yaml:"sync_access_lists,omitempty"`

	// DefaultOwners are the default owners for all imported access lists.
	DefaultOwners []string `yaml:"default_owners,omitempty"`

	// GroupFilters are filters for which Okta groups to synchronize as access lists.
	// These are globs/regexes.
	GroupFilters []string `yaml:"group_filters,omitempty"`

	// AppFilters are filters for which Okta applications to synchronize as access lists.
	// These are globs/regexes.
	AppFilters []string `yaml:"app_filters,omitempty"`
}

OktaSync represents the `sync` subsection of the okta_service section in the config file.

func (*OktaSync) Parse

func (o *OktaSync) Parse() (*servicecfg.OktaSyncSettings, error)

func (*OktaSync) SyncAccessLists

func (o *OktaSync) SyncAccessLists() bool

type OpenAIOptions

// OpenAIOptions stores options related to the OpenAI assist backend.
type OpenAIOptions struct {
	// APITokenPath is the path to a file with OpenAI API key.
	APITokenPath string `yaml:"api_token_path,omitempty"`
}

OpenAIOptions stores options related to the OpenAI assist backend.

type Opsgenie

// Opsgenie represents the configuration for the Opsgenie plugin.
type Opsgenie struct {
	// APIKeyFile is the path to a file containing an Opsgenie API key.
	APIKeyFile string `yaml:"api_key_file"`
}

Opsgenie represents the configuration for the Opsgenie plugin.

type PAM

// PAM is configuration for Pluggable Authentication Modules (PAM).
// Parse converts it into a servicecfg.PAMConfig.
type PAM struct {
	// Enabled controls if PAM will be used or not.
	Enabled string `yaml:"enabled"`

	// ServiceName is the name of the PAM policy to apply.
	ServiceName string `yaml:"service_name"`

	// UsePAMAuth specifies whether to trigger the "auth" PAM modules from the
	// policy.
	UsePAMAuth bool `yaml:"use_pam_auth"`

	// Environment represents environment variables to pass to PAM.
	// These may contain role-style interpolation syntax.
	Environment map[string]string `yaml:"environment,omitempty"`
}

PAM is configuration for Pluggable Authentication Modules (PAM).

func (*PAM) Parse

func (p *PAM) Parse() *servicecfg.PAMConfig

Parse returns a parsed PAM config.

type PKCS11

// PKCS11 configures a PKCS#11 HSM to be used for private key generation and
// storage. A token is selected by exactly one of TokenLabel or SlotNumber,
// and the PIN is supplied by exactly one of Pin or PinPath.
type PKCS11 struct {
	// ModulePath is the path to the PKCS#11 library.
	ModulePath string `yaml:"module_path"`
	// TokenLabel is the CKA_LABEL of the HSM token to use. Set this or
	// SlotNumber to select a token.
	TokenLabel string `yaml:"token_label,omitempty"`
	// SlotNumber is the slot number of the HSM token to use. Set this or
	// TokenLabel to select a token.
	SlotNumber *int `yaml:"slot_number,omitempty"`
	// Pin is the raw pin for connecting to the HSM. Set this or PinPath to set
	// the pin. PinPath is preferable because it keeps the PIN out of the
	// config file itself.
	Pin string `yaml:"pin,omitempty"`
	// PinPath is a path to a file containing a pin for connecting to the HSM.
	// Trailing newlines will be removed, other whitespace will be left. Set
	// this or Pin to set the pin.
	PinPath string `yaml:"pin_path,omitempty"`
}

PKCS11 configures a PKCS#11 HSM to be used for private key generation and storage.

type PluginOAuthProviders

// PluginOAuthProviders holds application credentials for each 3rd party API
// provider.
type PluginOAuthProviders struct {
	// Slack holds the OAuth client credential file paths for the Slack provider.
	Slack *OAuthClientCredentials `yaml:"slack,omitempty"`
}

PluginOAuthProviders holds application credentials for each 3rd party API provider.

func (*PluginOAuthProviders) Parse

type PluginService

// PluginService represents the configuration for the plugin service.
type PluginService struct {
	// Enabled turns the plugin service on or off for this process.
	Enabled bool `yaml:"enabled"`
	// Plugins is a map of matchers for enabled plugin resources.
	Plugins map[string]string `yaml:"plugins,omitempty"`
}

PluginService represents the configuration for the plugin service.

type Proxy

// Proxy is a `proxy_service` section of the config file.
type Proxy struct {
	// Service is a generic service configuration section
	Service `yaml:",inline"`
	// WebAddr is a web UI listen address
	WebAddr string `yaml:"web_listen_addr,omitempty"`
	// TunAddr is a reverse tunnel address
	TunAddr string `yaml:"tunnel_listen_addr,omitempty"`
	// PeerAddr is the address this proxy will be dialed at by its peers.
	PeerAddr string `yaml:"peer_listen_addr,omitempty"`
	// PeerPublicAddr is the hostport the proxy advertises for peer proxy
	// client connections.
	PeerPublicAddr string `yaml:"peer_public_addr,omitempty"`
	// KeyFile is a TLS key file
	KeyFile string `yaml:"https_key_file,omitempty"`
	// CertFile is a TLS Certificate file
	CertFile string `yaml:"https_cert_file,omitempty"`
	// ProxyProtocol turns on support for HAProxy PROXY protocol.
	// This option must be turned on only by an administrator, as only the
	// admin knows whether the service is in front of a trusted load balancer
	// or not; a PROXY header is client-supplied data when no such load
	// balancer is present.
	ProxyProtocol string `yaml:"proxy_protocol,omitempty"`
	// Kube configures kubernetes protocol support of the proxy
	Kube KubeProxy `yaml:"kubernetes,omitempty"`
	// KubeAddr is a shorthand for enabling the Kubernetes endpoint without a
	// local Kubernetes cluster.
	KubeAddr string `yaml:"kube_listen_addr,omitempty"`
	// KubePublicAddr is a public address of the kubernetes endpoint.
	KubePublicAddr apiutils.Strings `yaml:"kube_public_addr,omitempty"`

	// PublicAddr sets the hostport the proxy advertises for the HTTP endpoint.
	// The hosts in PublicAddr are included in the list of host principals
	// on the SSH certificate.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`

	// SSHPublicAddr sets the hostport the proxy advertises for the SSH endpoint.
	// The hosts in PublicAddr are included in the list of host principals
	// on the SSH certificate.
	SSHPublicAddr apiutils.Strings `yaml:"ssh_public_addr,omitempty"`

	// TunnelPublicAddr sets the hostport the proxy advertises for the tunnel
	// endpoint. The hosts in PublicAddr are included in the list of host
	// principals on the SSH certificate.
	TunnelPublicAddr apiutils.Strings `yaml:"tunnel_public_addr,omitempty"`

	// KeyPairs is a list of x509 key pairs the proxy will load.
	KeyPairs []KeyPair `yaml:"https_keypairs"`

	// KeyPairsReloadInterval is the interval between attempts to reload
	// x509 key pairs. If set to 0, then periodic reloading is disabled.
	KeyPairsReloadInterval time.Duration `yaml:"https_keypairs_reload_interval"`

	// ACME configures ACME protocol support
	ACME ACME `yaml:"acme"`

	// MySQLAddr is MySQL proxy listen address.
	MySQLAddr string `yaml:"mysql_listen_addr,omitempty"`
	// MySQLPublicAddr is the hostport the proxy advertises for MySQL
	// client connections.
	MySQLPublicAddr apiutils.Strings `yaml:"mysql_public_addr,omitempty"`

	// MySQLServerVersion allows overriding the default MySQL engine version reported by the Teleport proxy.
	MySQLServerVersion string `yaml:"mysql_server_version,omitempty"`

	// PostgresAddr is Postgres proxy listen address.
	PostgresAddr string `yaml:"postgres_listen_addr,omitempty"`
	// PostgresPublicAddr is the hostport the proxy advertises for Postgres
	// client connections.
	PostgresPublicAddr apiutils.Strings `yaml:"postgres_public_addr,omitempty"`

	// MongoAddr is Mongo proxy listen address.
	MongoAddr string `yaml:"mongo_listen_addr,omitempty"`
	// MongoPublicAddr is the hostport the proxy advertises for Mongo
	// client connections.
	MongoPublicAddr apiutils.Strings `yaml:"mongo_public_addr,omitempty"`

	// IdP is configuration for identity providers.
	//
	//nolint:revive // Because we want this to be IdP.
	IdP IdP `yaml:"idp,omitempty"`

	// UI provides config options for the web UI
	UI *UIConfig `yaml:"ui,omitempty"`

	// Assist is a set of options related to the Teleport Assist feature.
	Assist *ProxyAssistOptions `yaml:"assist,omitempty"`

	// TrustXForwardedFor enables the service to take client source IPs from
	// the "X-Forwarded-For" headers for web APIs received from layer 7 load
	// balancers or reverse proxies. Enable this only when every path to the
	// proxy passes through such a trusted intermediary: the header is set by
	// the peer and is not a reliable source address otherwise.
	TrustXForwardedFor types.Bool `yaml:"trust_x_forwarded_for,omitempty"`

	// AutomaticUpgradesChannels is a map of all version channels used by the
	// proxy built-in version server to retrieve target versions. This is part
	// of the automatic upgrades.
	AutomaticUpgradesChannels automaticupgrades.Channels `yaml:"automatic_upgrades_channels,omitempty"`
}

Proxy is a `proxy_service` section of the config file.

type ProxyAssistOptions

// ProxyAssistOptions is a set of proxy service options related to the Assist
// feature. It currently carries only the shared AssistOptions, inlined.
type ProxyAssistOptions struct {
	// AssistOptions holds the options common to all Assist-enabled services.
	AssistOptions `yaml:",inline"`
}

ProxyAssistOptions is a set of proxy service options related to the Assist feature

type ResourceMatcher

// ResourceMatcher matches cluster resources.
type ResourceMatcher struct {
	// Labels match resource labels.
	Labels map[string]apiutils.Strings `yaml:"labels,omitempty"`
	// AWS contains AWS specific settings.
	AWS ResourceMatcherAWS `yaml:"aws,omitempty"`
}

ResourceMatcher matches cluster resources.

type ResourceMatcherAWS

// ResourceMatcherAWS contains AWS specific settings for resource matcher.
type ResourceMatcherAWS struct {
	// AssumeRoleARN is the AWS role to assume to before accessing the
	// database.
	AssumeRoleARN string `yaml:"assume_role_arn,omitempty"`
	// ExternalID is an optional AWS external ID used to enable assuming an AWS
	// role across accounts.
	ExternalID string `yaml:"external_id,omitempty"`
}

ResourceMatcherAWS contains AWS specific settings for resource matcher.

type RestrictedSession

// RestrictedSession is a configuration for limiting access to kernel objects.
type RestrictedSession struct {
	// Enabled enables or disables enforcement for this node.
	Enabled string `yaml:"enabled"`

	// EventsBufferSize is the size in bytes of the channel to report events
	// from the kernel to us.
	EventsBufferSize *int `yaml:"events_buffer_size,omitempty"`
}

RestrictedSession is a configuration for limiting access to kernel objects

type ReverseTunnel

// ReverseTunnel is an SSH reverse tunnel maintained by one cluster's proxy to
// a remote Teleport proxy. ConvertAndValidate turns it into a
// types.ReverseTunnel.
type ReverseTunnel struct {
	// DomainName is the name of the remote cluster the tunnel is kept to.
	DomainName string   `yaml:"domain_name"`
	// Addresses are the reverse tunnel addresses of the remote proxy.
	Addresses  []string `yaml:"addresses"`
}

ReverseTunnel is an SSH reverse tunnel maintained by one cluster's proxy to a remote Teleport proxy.

func (*ReverseTunnel) ConvertAndValidate

func (t *ReverseTunnel) ConvertAndValidate() (types.ReverseTunnel, error)

ConvertAndValidate returns a validated services.ReverseTunnel, or nil and an error otherwise.

type Rewrite

// Rewrite is a list of rewriting rules to apply to requests and responses.
type Rewrite struct {
	// Redirect is a list of hosts that should be rewritten to the public address.
	Redirect []string `yaml:"redirect"`
	// Headers is a list of extra headers to inject in the request.
	Headers []string `yaml:"headers,omitempty"`
	// JWTClaims configures whether roles/traits are included in the JWT token
	JWTClaims string `yaml:"jwt_claims,omitempty"`
}

Rewrite is a list of rewriting rules to apply to requests and responses.

type SAMLIdP

// SAMLIdP represents the configuration for the SAML identity provider.
type SAMLIdP struct {
	// EnabledFlag is the raw 'enabled' value that turns the SAML IdP on or
	// off for this process. Read it through the Enabled method, which also
	// treats an unset flag as enabled.
	EnabledFlag string `yaml:"enabled,omitempty"`

	// BaseURL is the base URL to provide to the SAML IdP.
	BaseURL string `yaml:"base_url,omitempty"`
}

SAMLIdP represents the configuration for the SAML identity provider.

func (*SAMLIdP) Enabled

func (s *SAMLIdP) Enabled() bool

Enabled returns true if the SAML IdP is enabled or if the enabled flag is unset.

type SSH

// SSH is the 'ssh_service' section of the config file.
type SSH struct {
	// Service is a generic service configuration section.
	Service               `yaml:",inline"`
	// Namespace is the namespace this SSH service is placed in.
	Namespace             string            `yaml:"namespace,omitempty"`
	// Labels are static labels applied to this node.
	Labels                map[string]string `yaml:"labels,omitempty"`
	// Commands is a list of CommandLabel entries (labels computed by running commands).
	Commands              []CommandLabel    `yaml:"commands,omitempty"`
	// PermitUserEnvironment corresponds to the 'permit_user_env' option;
	// NOTE(review): presumably mirrors sshd's PermitUserEnvironment — confirm.
	PermitUserEnvironment bool              `yaml:"permit_user_env,omitempty"`
	// PAM configures Pluggable Authentication Modules for this node.
	PAM                   *PAM              `yaml:"pam,omitempty"`
	// PublicAddr sets SSH host principals for SSH service
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`

	// BPF is used to configure BPF-based auditing for this node.
	BPF *BPF `yaml:"enhanced_recording,omitempty"`

	// RestrictedSession is used to restrict access to kernel objects
	RestrictedSession *RestrictedSession `yaml:"restricted_session,omitempty"`

	// MaybeAllowTCPForwarding enables or disables TCP port forwarding. We're
	// using a pointer-to-bool here because the system default is to allow TCP
	// forwarding; we need to distinguish between an unset value and a false
	// value so we can override an unset value with `true`.
	//
	// Don't read this value directly: call the AllowTCPForwarding method
	// instead.
	MaybeAllowTCPForwarding *bool `yaml:"port_forwarding,omitempty"`

	// X11 is used to configure X11 forwarding settings
	X11 *X11 `yaml:"x11,omitempty"`

	// MaybeSSHFileCopy enables or disables remote file operations via SCP/SFTP.
	// We're using a pointer-to-bool here because the system default is to allow
	// SCP/SFTP; we need to distinguish between an unset value and a false
	// value so we can override an unset value with `true`.
	//
	// Don't read this value directly: call the SSHFileCopy method
	// instead.
	MaybeSSHFileCopy *bool `yaml:"ssh_file_copy,omitempty"`

	// DisableCreateHostUser disables automatic user provisioning on this
	// SSH node.
	DisableCreateHostUser bool `yaml:"disable_create_host_user,omitempty"`
}

SSH is the 'ssh_service' section of the config file.

func (*SSH) AllowTCPForwarding

func (ssh *SSH) AllowTCPForwarding() bool

AllowTCPForwarding checks whether the config file allows TCP forwarding or not.

func (*SSH) SSHFileCopy

func (ssh *SSH) SSHFileCopy() bool

SSHFileCopy checks whether the config file allows for file copying via SCP/SFTP.

func (*SSH) X11ServerConfig

func (ssh *SSH) X11ServerConfig() (*x11.ServerConfig, error)

X11ServerConfig returns the X11 forwarding server configuration.

type SampleFlags

// SampleFlags specifies standalone configuration parameters used to generate
// a sample config file.
type SampleFlags struct {
	// ClusterName is an optional cluster name
	ClusterName string
	// LicensePath adds license path to config
	LicensePath string
	// ACMEEmail is acme email
	ACMEEmail string
	// ACMEEnabled turns on ACME
	ACMEEnabled bool
	// Version is the Teleport Configuration version.
	Version string
	// PublicAddr sets the hostport the proxy advertises for the HTTP endpoint.
	PublicAddr string
	// KeyFile is a TLS key file
	KeyFile string
	// CertFile is a TLS Certificate file
	CertFile string
	// DataDir is a path to a directory where Teleport keep its data
	DataDir string
	// AuthToken is a token to register with an auth server
	AuthToken string
	// Roles is a list of comma-separated roles to create a config file with
	Roles string
	// AuthServer is the address of the auth server
	AuthServer string
	// ProxyAddress is the address of the proxy
	ProxyAddress string
	// AppName is the name of the application to start
	AppName string
	// AppURI is the internal address of the application to proxy
	AppURI string
	// NodeLabels is list of labels in the format `foo=bar,baz=bax` to add to newly created nodes.
	NodeLabels string
	// CAPin is the SPKI hash of the CA used to verify the Auth Server. Can be
	// a single value or a list.
	CAPin string
	// JoinMethod is the method that will be used to join the cluster, either "token", "iam" or "ec2"
	JoinMethod string
	// NodeName is the name of the teleport node
	NodeName string
	// Silent suppresses user hint printed after config has been generated.
	Silent bool
	// AzureClientID is the client ID of the managed identity to use when joining
	// the cluster. Only applicable for the azure join method.
	AzureClientID string
}

SampleFlags specifies standalone configuration parameters

type SecretStore

// SecretStore contains settings for managing secrets.
type SecretStore struct {
	// KeyPrefix specifies the secret key prefix.
	KeyPrefix string `yaml:"key_prefix,omitempty"`
	// KMSKeyID specifies the KMS key used to encrypt and decrypt the secret.
	KMSKeyID string `yaml:"kms_key_id,omitempty"`
}

SecretStore contains settings for managing secrets.

type Service

// Service is a common configuration of a teleport service. It is embedded
// (inlined) in the per-service sections.
type Service struct {
	// EnabledFlag is the raw 'enabled' value. Interpret it through the
	// Configured, Enabled and Disabled methods rather than reading it directly.
	EnabledFlag   string `yaml:"enabled,omitempty"`
	// ListenAddress is the address the service listens on.
	ListenAddress string `yaml:"listen_addr,omitempty"`
	// contains filtered or unexported fields
}

Service is a common configuration of a teleport service

func (*Service) Configured

func (s *Service) Configured() bool

Configured determines if a given "_service" section has been specified

func (*Service) Disabled

func (s *Service) Disabled() bool

Disabled returns 'true' if the service has been deliberately turned off

func (*Service) Enabled

func (s *Service) Enabled() bool

Enabled determines if a given "_service" section has been set to 'true'

type StaticToken

// StaticToken is a provisioning token in "role,role,role:token" format; the
// token part may also be a file path holding newline-delimited tokens. Parse
// turns it into types.ProvisionTokenV1 values.
type StaticToken string

func (StaticToken) Parse

func (t StaticToken) Parse() ([]types.ProvisionTokenV1, error)

Parse is applied to a string in "role,role,role:token" format. It breaks it apart and constructs a list of services.ProvisionToken which contains the token, role, and expiry (infinite). If the token string is a file path, the file may contain multiple newline delimited tokens, in which case each token is used to construct a services.ProvisionToken with the same roles.

type StaticTokens

// StaticTokens is a list of StaticToken entries; Parse converts them into
// types.StaticTokens.
type StaticTokens []StaticToken

func (StaticTokens) Parse

func (t StaticTokens) Parse() (types.StaticTokens, error)

type SystemdFlags

// SystemdFlags specifies configuration parameters for a systemd unit file.
// CheckAndSetDefaults fills unset values with the Systemd* defaults.
type SystemdFlags struct {
	// EnvironmentFile is the environment file path provided by the user.
	EnvironmentFile string
	// PIDFile is the process ID (PID) file path provided by the user.
	PIDFile string
	// FileDescriptorLimit is the maximum number of open file descriptors provided by the user.
	FileDescriptorLimit int
	// TeleportInstallationFile is the teleport installation path provided by the user.
	TeleportInstallationFile string
	// TeleportConfigPath is the path to the teleport config file (as set by Teleport defaults)
	TeleportConfigPath string
}

SystemdFlags specifies configuration parameters for a systemd unit file.

func (*SystemdFlags) CheckAndSetDefaults

func (f *SystemdFlags) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values for the flags.

type TracingService

// TracingService contains configuration for the tracing_service.
type TracingService struct {
	// EnabledFlag is the raw 'enabled' value that turns the tracing service
	// role on or off for this process; read it through the Enabled method.
	EnabledFlag string `yaml:"enabled,omitempty"`

	// ExporterURL is the OTLP exporter URL to send spans to
	ExporterURL string `yaml:"exporter_url"`

	// KeyPairs is a list of x509 serving key pairs used for mTLS.
	KeyPairs []KeyPair `yaml:"keypairs,omitempty"`

	// CACerts are the exporter ca certs to use
	CACerts []string `yaml:"ca_certs,omitempty"`

	// SamplingRatePerMillion is the sampling rate for the exporter.
	// 1_000_000 means all spans will be sampled and 0 means none are sampled.
	SamplingRatePerMillion int `yaml:"sampling_rate_per_million"`
}

TracingService contains configuration for the tracing_service.

func (*TracingService) Enabled

func (s *TracingService) Enabled() bool

type TrustedCluster

// TrustedCluster holds configuration values under the "trusted_clusters" key.
type TrustedCluster struct {
	// KeyFile is a path to a remote authority (AKA "trusted cluster") public keys
	KeyFile string `yaml:"key_file,omitempty"`
	// AllowedLogins is a comma-separated list of user logins allowed from that cluster
	AllowedLogins string `yaml:"allow_logins,omitempty"`
	// TunnelAddr is a comma-separated list of reverse tunnel addresses to
	// connect to
	TunnelAddr string `yaml:"tunnel_addr,omitempty"`
}

TrustedCluster holds configuration values under the "trusted_clusters" key.

type UIConfig

// UIConfig provides config options for the web UI served by the proxy service.
type UIConfig struct {
	// ScrollbackLines is the max number of lines the UI terminal can display in its history
	ScrollbackLines int `yaml:"scrollback_lines,omitempty"`
}

UIConfig provides config options for the web UI served by the proxy service.

type UniversalSecondFactor

// UniversalSecondFactor holds the legacy U2F settings; Webauthn is now used
// instead of U2F. Parse converts it into a types.U2F.
type UniversalSecondFactor struct {
	// AppID is the U2F application ID.
	AppID string `yaml:"app_id"`
	// Facets kept only to avoid breakages during Teleport updates.
	// Webauthn is now used instead of U2F.
	Facets               []string `yaml:"facets"`
	// DeviceAttestationCAs lists the CA certificates used for device attestation.
	DeviceAttestationCAs []string `yaml:"device_attestation_cas"`
}

func (*UniversalSecondFactor) Parse

func (u *UniversalSecondFactor) Parse() (*types.U2F, error)

type Webauthn

// Webauthn holds the WebAuthn settings; Parse converts it into a
// types.Webauthn.
type Webauthn struct {
	// RPID is the WebAuthn Relying Party ID.
	RPID                  string   `yaml:"rp_id,omitempty"`
	// AttestationAllowedCAs is the allow list of attestation CA certificates.
	AttestationAllowedCAs []string `yaml:"attestation_allowed_cas,omitempty"`
	// AttestationDeniedCAs is the deny list of attestation CA certificates.
	AttestationDeniedCAs  []string `yaml:"attestation_denied_cas,omitempty"`
	// Deprecated: Disabled has no effect, it is kept solely to not break existing
	// configurations.
	Disabled bool `yaml:"disabled,omitempty"`
}

func (*Webauthn) Parse

func (w *Webauthn) Parse() (*types.Webauthn, error)

type WindowsDesktopService

// WindowsDesktopService contains configuration for windows_desktop_service.
// Check validates the section.
type WindowsDesktopService struct {
	// Service is a generic service configuration section.
	Service `yaml:",inline"`
	// Labels are the configured windows desktops service labels.
	Labels map[string]string `yaml:"labels,omitempty"`
	// PublicAddr is a list of advertised public addresses of this service.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// ShowDesktopWallpaper determines whether desktop sessions will show a
	// user-selected wallpaper vs a system-default, single-color wallpaper.
	ShowDesktopWallpaper bool `yaml:"show_desktop_wallpaper,omitempty"`
	// LDAP is the LDAP connection parameters.
	LDAP LDAPConfig `yaml:"ldap"`
	// PKIDomain optionally configures a separate Active Directory domain
	// for PKI operations. If empty, the domain from the LDAP config is used.
	// This can be useful for cases where PKI is configured in a root domain
	// but Teleport is used to provide access to users and computers in a child
	// domain.
	PKIDomain string `yaml:"pki_domain"`
	// Discovery configures desktop discovery via LDAP.
	Discovery LDAPDiscoveryConfig `yaml:"discovery,omitempty"`
	// ADHosts is a list of static, AD-connected Windows hosts. This gives users
	// a way to specify AD-connected hosts that won't be found by the filters
	// specified in `discovery` (or if `discovery` is omitted).
	//
	// Deprecated: prefer StaticHosts instead.
	ADHosts []string `yaml:"hosts,omitempty"`
	// NonADHosts is a list of standalone Windows hosts that are not
	// joined to an Active Directory domain.
	//
	// Deprecated: prefer StaticHosts instead.
	NonADHosts []string `yaml:"non_ad_hosts,omitempty"`
	// StaticHosts is a list of Windows hosts (both AD-connected and standalone).
	// User can specify name for each host and labels specific to it.
	StaticHosts []WindowsHost `yaml:"static_hosts,omitempty"`
	// HostLabels optionally applies labels to Windows hosts for RBAC.
	// A host can match multiple rules and will get a union of all
	// the matched labels.
	HostLabels []WindowsHostLabelRule `yaml:"host_labels,omitempty"`
}

WindowsDesktopService contains configuration for windows_desktop_service.

func (*WindowsDesktopService) Check

func (wds *WindowsDesktopService) Check() error

Check checks whether the WindowsDesktopService is valid or not

type WindowsHost

// WindowsHost describes a single host in configuration.
type WindowsHost struct {
	// Name of the host
	Name string `yaml:"name"`
	// Address of the host, with an optional port.
	// 10.1.103.4 or 10.1.103.4:3389, for example.
	Address string `yaml:"addr"`
	// Labels is the set of labels to apply to this host
	Labels map[string]string `yaml:"labels"`
	// AD tells if host is part of Active Directory domain
	AD bool `yaml:"ad"`
}

WindowsHost describes a single host in the configuration.

type WindowsHostLabelRule

// WindowsHostLabelRule describes how a set of labels should be applied to a
// Windows host.
type WindowsHostLabelRule struct {
	// Match is a regexp that is checked against the Windows host's DNS name.
	// If the regexp matches, this rule's labels will be applied to the host.
	Match string `yaml:"match"`
	// Labels is the set of labels to apply to hosts that match this rule.
	Labels map[string]string `yaml:"labels"`
}

WindowsHostLabelRule describes how a set of labels should be applied to a Windows host.

type X11

// X11 is a configuration for X11 forwarding. SSH.X11ServerConfig converts it
// into an x11.ServerConfig.
type X11 struct {
	// Enabled controls whether X11 forwarding requests can be granted by the server.
	Enabled string `yaml:"enabled"`
	// DisplayOffset tells the server what X11 display number to start from when
	// searching for an open X11 unix socket for XServer proxies.
	DisplayOffset *uint `yaml:"display_offset,omitempty"`
	// MaxDisplay tells the server what X11 display number to stop at when
	// searching for an open X11 unix socket for XServer proxies.
	MaxDisplay *uint `yaml:"max_display,omitempty"`
}

X11 is a configuration for X11 forwarding
