config

Published: Feb 15, 2024 License: AGPL-3.0 Imports: 52 Imported by: 0

Constants

const (
	// DefaultCertificateTTL is the default certificate lifetime, used when
	// no certificate_ttl is configured.
	DefaultCertificateTTL = 60 * time.Minute
	// DefaultRenewInterval is the default period between renewals, used when
	// no renewal_interval is configured. It is well below
	// DefaultCertificateTTL so that a failed renewal can be retried before
	// the current certificate expires (see CLIConf.CertificateTTL).
	DefaultRenewInterval  = 20 * time.Minute
)
// Template names are the config names of the artifact templates that an
// Output can render into its Destination.
const (
	// TemplateSSHClientName is the config name for generating ssh client
	// config files.
	TemplateSSHClientName = "ssh_client"

	// TemplateIdentityName is the config name for Teleport identity files.
	TemplateIdentityName = "identity"

	// TemplateTLSName is the config name for TLS client certificates.
	TemplateTLSName = "tls"

	// TemplateTLSCAsName is the config name for TLS CA certificates.
	TemplateTLSCAsName = "tls_cas"

	// TemplateMongoName is the config name for MongoDB-formatted certificates.
	TemplateMongoName = "mongo"

	// TemplateCockroachName is the config name for CockroachDB-formatted
	// certificates.
	TemplateCockroachName = "cockroach"

	// TemplateKubernetesName is the config name for generating Kubernetes
	// client config files.
	TemplateKubernetesName = "kubernetes"

	// TemplateSSHHostCertName is the config name for generating SSH host
	// certificates.
	TemplateSSHHostCertName = "ssh_host_cert"
)
// Default filenames for the CA certificate files written into a Destination.
const (
	// HostCAPath is the default filename for the host CA certificate.
	HostCAPath = "teleport-host-ca.crt"

	// UserCAPath is the default filename for the user CA certificate.
	UserCAPath = "teleport-user-ca.crt"

	// DatabaseCAPath is the default filename for the database CA
	// certificate.
	DatabaseCAPath = "teleport-database-ca.crt"
)
// ApplicationOutputType identifies an ApplicationOutput in config
// (presumably the YAML type discriminator used by Outputs.UnmarshalYAML — confirm).
const ApplicationOutputType = "application"
// DatabaseOutputType identifies a DatabaseOutput in config
// (presumably the YAML type discriminator used by Outputs.UnmarshalYAML — confirm).
const DatabaseOutputType = "database"
// DestinationDirectoryType identifies a DestinationDirectory in config; it is
// the "type header" its MarshalYAML emits (presumably — confirm).
const DestinationDirectoryType = "directory"
// DestinationKubernetesSecretType identifies a DestinationKubernetesSecret in
// config; it is the "type header" its MarshalYAML emits (presumably — confirm).
const DestinationKubernetesSecretType = "kubernetes_secret"
// DestinationMemoryType identifies a DestinationMemory in config; it is the
// "type header" its MarshalYAML emits (presumably — confirm).
const DestinationMemoryType = "memory"
// DestinationNopType identifies a DestinationNop in config; it is the "type
// header" its MarshalYAML emits.
const DestinationNopType = "nop"
// ExampleServiceType identifies an ExampleService in the services list
// (see Services); ExampleService.Type presumably returns it — confirm.
const ExampleServiceType = "example"
// IdentityFilePath is the filename of the identity artifact written into a
// Destination. NOTE(review): only the value is visible here; confirm which
// Output writes it.
const IdentityFilePath = "identity"
// IdentityOutputType identifies an IdentityOutput in config
// (presumably the YAML type discriminator used by Outputs.UnmarshalYAML — confirm).
const IdentityOutputType = "identity"
// KubernetesOutputType identifies a KubernetesOutput in config
// (presumably the YAML type discriminator used by Outputs.UnmarshalYAML — confirm).
const KubernetesOutputType = "kubernetes"
// SSHHostOutputType identifies an SSHHostOutput in config
// (presumably the YAML type discriminator used by Outputs.UnmarshalYAML — confirm).
const SSHHostOutputType = "ssh_host"
// UnstableClientCredentialOutputType identifies an UnstableClientCredentialOutput
// in config (presumably the YAML type discriminator used by
// Outputs.UnmarshalYAML — confirm). The output is experimental; see its doc.
const UnstableClientCredentialOutputType = "unstable_client_credential"


Functions

func RemainingArgs

func RemainingArgs(s kingpin.Settings) (target *[]string)

RemainingArgs returns a list of remaining arguments for the given command.

Types

type ApplicationOutput

// ApplicationOutput is the Output that produces credentials for a Teleport
// application (its config type name is ApplicationOutputType).
type ApplicationOutput struct {
	// Destination is where the credentials should be written to.
	Destination bot.Destination `yaml:"destination"`
	// Roles is the list of roles to request for the generated credentials.
	// If empty, it defaults to all the bot's roles.
	Roles []string `yaml:"roles,omitempty"`

	// AppName is the name of the application to request credentials for
	// (presumably the Teleport app resource name, by analogy with
	// DatabaseOutput.Service — confirm against Render).
	AppName string `yaml:"app_name"`

	// SpecificTLSExtensions creates additional outputs named `tls.crt`,
	// `tls.key` and `tls.cas`. This is unneeded for most clients which can
	// be configured with specific paths to use, but exists for compatibility.
	// Note the YAML key is `specific_tls_naming`, not `specific_tls_extensions`.
	SpecificTLSExtensions bool `yaml:"specific_tls_naming"`
}

func (*ApplicationOutput) CheckAndSetDefaults

func (o *ApplicationOutput) CheckAndSetDefaults() error

func (*ApplicationOutput) Describe

func (o *ApplicationOutput) Describe() []FileDescription

func (*ApplicationOutput) GetDestination

func (o *ApplicationOutput) GetDestination() bot.Destination

func (*ApplicationOutput) GetRoles

func (o *ApplicationOutput) GetRoles() []string

func (*ApplicationOutput) Init

func (o *ApplicationOutput) Init(ctx context.Context) error

func (*ApplicationOutput) MarshalYAML

func (o *ApplicationOutput) MarshalYAML() (interface{}, error)

func (*ApplicationOutput) Render

func (o *ApplicationOutput) Render(ctx context.Context, p provider, ident *identity.Identity) error

func (*ApplicationOutput) String

func (o *ApplicationOutput) String() string

func (*ApplicationOutput) UnmarshalYAML

func (o *ApplicationOutput) UnmarshalYAML(node *yaml.Node) error

type AzureOnboardingConfig

// AzureOnboardingConfig holds configuration relevant to the "azure" join method.
type AzureOnboardingConfig struct {
	// ClientID of the managed identity to use. Required if the VM has more
	// than one assigned identity.
	ClientID string `yaml:"client_id,omitempty"`
}

AzureOnboardingConfig holds configuration relevant to the "azure" join method.

type BotConfig

// BotConfig is the bot's root config object. This is currently at version "v2".
type BotConfig struct {
	// Version is the config file schema version (see V1 and V2).
	Version    Version          `yaml:"version"`
	// Onboarding controls how the bot authenticates with the Teleport cluster.
	Onboarding OnboardingConfig `yaml:"onboarding,omitempty"`
	// Storage configures the bot's internal certificate storage.
	Storage    *StorageConfig   `yaml:"storage,omitempty"`
	// Outputs are the configured Outputs that generate artifacts.
	Outputs    Outputs          `yaml:"outputs,omitempty"`
	// Services are the configured services the bot runs.
	Services   Services         `yaml:"services,omitempty"`

	// Debug enables debug logging (mirrors CLIConf.Debug; exact effect is
	// not visible here).
	Debug           bool          `yaml:"debug"`
	// AuthServer is the Teleport auth server (or proxy) address; see
	// CLIConf.AuthServer.
	AuthServer      string        `yaml:"auth_server"`
	// CertificateTTL is the requested TTL of certificates; presumably
	// DefaultCertificateTTL when unset. See CLIConf.CertificateTTL.
	CertificateTTL  time.Duration `yaml:"certificate_ttl"`
	// RenewalInterval is the interval at which certificates are renewed; it
	// must be less than CertificateTTL. Presumably DefaultRenewInterval when
	// unset. See CLIConf.RenewalInterval.
	RenewalInterval time.Duration `yaml:"renewal_interval"`
	// Oneshot controls whether the bot quits after a single renewal.
	Oneshot         bool          `yaml:"oneshot"`
	// FIPS instructs `tbot` to run in a mode designed to comply with FIPS
	// regulations. This means the bot should:
	// - Refuse to run if not compiled with boringcrypto
	// - Use FIPS relevant endpoints for cloud providers (e.g AWS)
	// - Restrict TLS / SSH cipher suites and TLS version
	// - RSA2048 should be used for private key generation
	FIPS bool `yaml:"fips"`
	// DiagAddr is the address the diagnostics http service should listen on.
	// If not set, no diagnostics listener is created.
	DiagAddr string `yaml:"diag_addr,omitempty"`

	// ReloadCh allows a channel to be injected into the bot to trigger a
	// renewal.
	ReloadCh <-chan struct{} `yaml:"-"`

	// Insecure configures the bot to trust the certificates from the Auth Server or Proxy on first connect without verification.
	// Do not use in production. To bootstrap trust safely, pin the auth
	// server CA with Onboarding.CAPins or supply Onboarding.CAPath instead.
	Insecure bool `yaml:"insecure,omitempty"`
}

BotConfig is the bot's root config object. This is currently at version "v2".

func FromCLIConf

func FromCLIConf(cf *CLIConf) (*BotConfig, error)

FromCLIConf loads bot config from CLI parameters, potentially loading and merging a configuration file if specified. CheckAndSetDefaults() will be called. Note that CLI flags, if specified, will override file values.

func ReadConfig

func ReadConfig(reader io.ReadSeeker, manualMigration bool) (*BotConfig, error)

ReadConfig parses a YAML config file from a Reader.

func ReadConfigFromFile

func ReadConfigFromFile(filePath string, manualMigration bool) (*BotConfig, error)

ReadConfigFromFile reads and parses a YAML config from a file.

func (*BotConfig) CheckAndSetDefaults

func (conf *BotConfig) CheckAndSetDefaults() error

func (*BotConfig) CipherSuites

func (conf *BotConfig) CipherSuites() []uint16

func (*BotConfig) GetOutputByPath

func (conf *BotConfig) GetOutputByPath(path string) (Output, error)

GetOutputByPath attempts to fetch an Output by the filesystem path of its Destination. Only valid for filesystem destinations; returns nil if no matching Output exists.

type BotConfigWriter

// BotConfigWriter is a trivial adapter to use the identityfile package with
// bot destinations. Only WriteFile does real work; ReadFile, Remove and Stat
// always report not found.
type BotConfigWriter struct {
	// contains filtered or unexported fields
}

BotConfigWriter is a trivial adapter to use the identityfile package with bot destinations.

func (*BotConfigWriter) ReadFile

func (b *BotConfigWriter) ReadFile(name string) ([]byte, error)

ReadFile reads a given file. This implementation always returns not found.

func (*BotConfigWriter) Remove

func (b *BotConfigWriter) Remove(name string) error

Remove removes files. This is a dummy implementation that always returns not found.

func (*BotConfigWriter) Stat

func (b *BotConfigWriter) Stat(name string) (fs.FileInfo, error)

Stat checks file status. This implementation always returns not found.

func (*BotConfigWriter) WriteFile

func (b *BotConfigWriter) WriteFile(name string, data []byte, _ os.FileMode) error

WriteFile writes the file to the Destination. Only the basename of the path is used. Specified permissions are ignored.

type CLIConf

// CLIConf is configuration from the CLI. Values set here override the
// corresponding config-file values when merged by FromCLIConf.
type CLIConf struct {
	// ConfigPath is the path of the YAML config file to load and merge, if
	// one was specified.
	ConfigPath string

	// Debug enables debug logging (exact effect is not visible here).
	Debug bool

	// LogFormat controls the format of logging. Can be either `json` or `text`.
	// By default, this is `text`.
	LogFormat string

	// AuthServer is a Teleport auth server address. It may either point
	// directly to an auth server, or to a Teleport proxy server in which case
	// a tunneled auth connection will be established.
	AuthServer string

	// DataDir stores the bot's internal data.
	DataDir string

	// DestinationDir stores the generated end-user certificates.
	DestinationDir string

	// CAPins is a list of pinned SPKI hashes of trusted auth server CAs, used
	// only on first connect. This is the safe alternative to Insecure for
	// bootstrapping trust in the auth server.
	CAPins []string

	// Token is a bot join token. Treat it as a secret.
	Token string

	// RenewalInterval is the interval at which certificates are renewed, as a
	// time.ParseDuration() string. It must be less than the certificate TTL.
	RenewalInterval time.Duration

	// CertificateTTL is the requested TTL of certificates. It should be some
	// multiple of the renewal interval to allow for failed renewals.
	CertificateTTL time.Duration

	// JoinMethod is the method the bot should use to exchange a token for the
	// initial certificate.
	JoinMethod string

	// Oneshot controls whether the bot quits after a single renewal.
	Oneshot bool

	// InitDir specifies which Destination to initialize if multiple are
	// configured.
	InitDir string

	// BotUser is a Unix username that should be given permission to write.
	BotUser string

	// ReaderUser is the Unix username that will be reading the files.
	ReaderUser string

	// Owner is the user:group that will own the Destination files. Due to SSH
	// restrictions on key permissions, it cannot be the same as the reader
	// user. If ACL support is unused or unavailable, the reader user will own
	// files directly.
	Owner string

	// Clean is a flag that, if set, instructs `tbot init` to remove existing
	// unexpected files.
	Clean bool

	// ConfigureOutput provides a path that the generated configuration file
	// should be written to.
	ConfigureOutput string

	// Proxy is the teleport proxy address. Unlike `AuthServer` this must
	// explicitly point to a Teleport proxy.
	Proxy string

	// Cluster is the name of the Teleport cluster on which resources should
	// be accessed.
	Cluster string

	// RemainingArgs is the remaining string arguments for commands that
	// require them.
	RemainingArgs []string

	// FIPS instructs `tbot` to run in a mode designed to comply with FIPS
	// regulations. This means the bot should:
	// - Refuse to run if not compiled with boringcrypto
	// - Use FIPS relevant endpoints for cloud providers (e.g AWS)
	// - Restrict TLS / SSH cipher suites and TLS version
	// - RSA2048 should be used for private key generation
	FIPS bool

	// DiagAddr is the address the diagnostics http service should listen on.
	// If not set, no diagnostics listener is created.
	DiagAddr string

	// Insecure instructs `tbot` to trust the Auth Server without verifying the CA.
	// Do not use in production; prefer CAPins.
	Insecure bool

	// Trace indicates whether tracing should be enabled.
	Trace bool

	// TraceExporter is a manually provided URI to send traces to instead of
	// forwarding them to the Auth service.
	TraceExporter string
}

CLIConf is configuration from the CLI.

type DatabaseFormat

// DatabaseFormat specifies if any special behavior should be invoked when
// producing artifacts. This allows for databases/clients that require unique
// formats or paths to be used. See the *DatabaseFormat constants for the
// accepted values.
type DatabaseFormat string

DatabaseFormat specifies if any special behavior should be invoked when producing artifacts. This allows for databases/clients that require unique formats or paths to be used.

// Accepted values of DatabaseOutput.Format.
const (
	// UnspecifiedDatabaseFormat is the unset value and the default. This
	// should work for most databases.
	UnspecifiedDatabaseFormat DatabaseFormat = ""
	// TLSDatabaseFormat is for databases that require specifically named
	// outputs: tls.key, tls.crt and tls.cas
	TLSDatabaseFormat DatabaseFormat = "tls"
	// MongoDatabaseFormat indicates credentials should be generated which
	// are compatible with MongoDB.
	// This outputs `mongo.crt` and `mongo.cas`.
	MongoDatabaseFormat DatabaseFormat = "mongo"
	// CockroachDatabaseFormat indicates credentials should be generated which
	// are compatible with CockroachDB.
	// This outputs `cockroach/node.key`, `cockroach/node.crt` and
	// `cockroach/ca.crt`.
	CockroachDatabaseFormat DatabaseFormat = "cockroach"
)

type DatabaseOutput

// DatabaseOutput produces credentials which can be used to connect to a
// database through Teleport.
type DatabaseOutput struct {
	// Destination is where the credentials should be written to.
	Destination bot.Destination `yaml:"destination"`
	// Roles is the list of roles to request for the generated credentials.
	// If empty, it defaults to all the bot's roles.
	Roles []string `yaml:"roles,omitempty"`

	// Format specifies if any special behavior should be invoked when
	// producing artifacts. An empty value is supported by most databases,
	// but CockroachDB and MongoDB require this value to be set to
	// `cockroach` and `mongo` respectively. See the *DatabaseFormat constants.
	Format DatabaseFormat `yaml:"format,omitempty"`
	// Service is the service name of the Teleport database. Generally this is
	// the name of the Teleport resource. This field is required for all types
	// of database.
	Service string `yaml:"service"`
	// Database is the name of the database to request access to.
	Database string `yaml:"database,omitempty"`
	// Username is the database username to request access as.
	Username string `yaml:"username,omitempty"`
}

DatabaseOutput produces credentials which can be used to connect to a database through teleport.

func (*DatabaseOutput) CheckAndSetDefaults

func (o *DatabaseOutput) CheckAndSetDefaults() error

func (*DatabaseOutput) Describe

func (o *DatabaseOutput) Describe() []FileDescription

func (*DatabaseOutput) GetDestination

func (o *DatabaseOutput) GetDestination() bot.Destination

func (*DatabaseOutput) GetRoles

func (o *DatabaseOutput) GetRoles() []string

func (*DatabaseOutput) Init

func (o *DatabaseOutput) Init(ctx context.Context) error

func (*DatabaseOutput) MarshalYAML

func (o *DatabaseOutput) MarshalYAML() (interface{}, error)

func (*DatabaseOutput) Render

func (o *DatabaseOutput) Render(ctx context.Context, p provider, ident *identity.Identity) error

func (*DatabaseOutput) String

func (o *DatabaseOutput) String() string

func (*DatabaseOutput) UnmarshalYAML

func (o *DatabaseOutput) UnmarshalYAML(node *yaml.Node) error

type DestinationDirectory

// DestinationDirectory is a Destination that writes to the local filesystem.
type DestinationDirectory struct {
	// Path is the directory on the local filesystem that artifacts are
	// written to.
	Path     string             `yaml:"path,omitempty"`
	// Symlinks selects how symlinks under Path are treated (botfs.SymlinksMode;
	// the mode values are not shown here — see botfs).
	Symlinks botfs.SymlinksMode `yaml:"symlinks,omitempty"`
	// ACLs selects whether filesystem ACLs are used so the reader user can
	// read bot-written files (botfs.ACLMode; see CLIConf.Owner). The exact
	// modes are not shown here — see botfs.
	ACLs     botfs.ACLMode      `yaml:"acls,omitempty"`
}

DestinationDirectory is a Destination that writes to the local filesystem

func (*DestinationDirectory) CheckAndSetDefaults

func (dd *DestinationDirectory) CheckAndSetDefaults() error

func (*DestinationDirectory) Init

func (dd *DestinationDirectory) Init(_ context.Context, subdirs []string) error

func (*DestinationDirectory) MarshalYAML

func (dm *DestinationDirectory) MarshalYAML() (interface{}, error)

func (*DestinationDirectory) Read

func (dd *DestinationDirectory) Read(ctx context.Context, name string) ([]byte, error)

func (*DestinationDirectory) String

func (dd *DestinationDirectory) String() string

func (*DestinationDirectory) TryLock

func (dd *DestinationDirectory) TryLock() (func() error, error)

func (*DestinationDirectory) UnmarshalYAML

func (dd *DestinationDirectory) UnmarshalYAML(node *yaml.Node) error

func (*DestinationDirectory) Verify

func (dd *DestinationDirectory) Verify(keys []string) error

func (*DestinationDirectory) Write

func (dd *DestinationDirectory) Write(ctx context.Context, name string, data []byte) error

type DestinationKubernetesSecret

// DestinationKubernetesSecret is a Destination that writes artifacts into a
// Kubernetes Secret (config type name DestinationKubernetesSecretType).
type DestinationKubernetesSecret struct {
	// Name is the name the Kubernetes Secret that should be created and written
	// to.
	Name string `yaml:"name"`
	// contains filtered or unexported fields
}

func (*DestinationKubernetesSecret) CheckAndSetDefaults

func (dks *DestinationKubernetesSecret) CheckAndSetDefaults() error

func (*DestinationKubernetesSecret) Init

func (dks *DestinationKubernetesSecret) Init(ctx context.Context, subdirs []string) error

func (*DestinationKubernetesSecret) MarshalYAML

func (dks *DestinationKubernetesSecret) MarshalYAML() (interface{}, error)

func (*DestinationKubernetesSecret) Read

func (dks *DestinationKubernetesSecret) Read(ctx context.Context, name string) ([]byte, error)

func (*DestinationKubernetesSecret) String

func (dks *DestinationKubernetesSecret) String() string

func (*DestinationKubernetesSecret) TryLock

func (dks *DestinationKubernetesSecret) TryLock() (func() error, error)

func (*DestinationKubernetesSecret) Verify

func (dks *DestinationKubernetesSecret) Verify(_ []string) error

func (*DestinationKubernetesSecret) Write

func (dks *DestinationKubernetesSecret) Write(ctx context.Context, name string, data []byte) error

type DestinationMemory

// DestinationMemory is a memory certificate Destination: artifacts are held
// in process memory rather than written to disk (config type name
// DestinationMemoryType).
type DestinationMemory struct {
	// contains filtered or unexported fields
}

DestinationMemory is a memory certificate Destination

func (*DestinationMemory) CheckAndSetDefaults

func (dm *DestinationMemory) CheckAndSetDefaults() error

func (*DestinationMemory) Init

func (dm *DestinationMemory) Init(_ context.Context, subdirs []string) error

func (*DestinationMemory) MarshalYAML

func (dm *DestinationMemory) MarshalYAML() (interface{}, error)

func (*DestinationMemory) Read

func (dm *DestinationMemory) Read(ctx context.Context, name string) ([]byte, error)

func (*DestinationMemory) String

func (dm *DestinationMemory) String() string

func (*DestinationMemory) TryLock

func (dm *DestinationMemory) TryLock() (func() error, error)

func (*DestinationMemory) UnmarshalYAML

func (dm *DestinationMemory) UnmarshalYAML(node *yaml.Node) error

func (*DestinationMemory) Verify

func (dm *DestinationMemory) Verify(keys []string) error

func (*DestinationMemory) Write

func (dm *DestinationMemory) Write(ctx context.Context, name string, data []byte) error

type DestinationNop

// DestinationNop does nothing! Useful for odd scenarios where a destination
// has to be returned but there is none to return. Every method is a no-op and
// Read behaves as if the artifact was not found.
type DestinationNop struct{}

DestinationNop does nothing! Useful for odd scenarios where a destination has to be returned but there is none to return.

func (*DestinationNop) CheckAndSetDefaults

func (dm *DestinationNop) CheckAndSetDefaults() error

CheckAndSetDefaults does nothing! It is necessary to implement the Destination interface.

func (*DestinationNop) Init

func (dm *DestinationNop) Init(_ context.Context, subdirs []string) error

Init does nothing! It is necessary to implement the Destination interface.

func (*DestinationNop) MarshalYAML

func (dm *DestinationNop) MarshalYAML() (interface{}, error)

MarshalYAML enables the yaml package to correctly marshal the Destination as YAML including the type header.

func (*DestinationNop) Read

func (dm *DestinationNop) Read(_ context.Context, name string) ([]byte, error)

Read does nothing, it behaves as if the requested artifact could not be found! It is necessary to implement the Destination interface.

func (*DestinationNop) String

func (dm *DestinationNop) String() string

String returns a human-readable string that describes this instance.

func (*DestinationNop) TryLock

func (dm *DestinationNop) TryLock() (func() error, error)

TryLock does nothing! It is necessary to implement the Destination interface.

func (*DestinationNop) Verify

func (dm *DestinationNop) Verify(keys []string) error

Verify does nothing! It is necessary to implement the Destination interface.

func (*DestinationNop) Write

func (dm *DestinationNop) Write(_ context.Context, name string, data []byte) error

Write does nothing! It is necessary to implement the Destination interface.

type ExampleService

// ExampleService is a temporary example service for testing purposes. It is
// not intended to be used and exists to demonstrate how a user configurable
// service integrates with the tbot service manager.
type ExampleService struct {
	// Message is the only configurable value of the example service.
	Message string `yaml:"message"`
}

ExampleService is a temporary example service for testing purposes. It is not intended to be used and exists to demonstrate how a user configurable service integrates with the tbot service manager.

func (*ExampleService) MarshalYAML

func (s *ExampleService) MarshalYAML() (interface{}, error)

func (*ExampleService) Run

func (s *ExampleService) Run(ctx context.Context) error

func (*ExampleService) String

func (s *ExampleService) String() string

func (*ExampleService) Type

func (s *ExampleService) Type() string

func (*ExampleService) UnmarshalYAML

func (s *ExampleService) UnmarshalYAML(node *yaml.Node) error

type FileDescription

// FileDescription is a minimal spec needed to create an empty end-user-owned
// file with bot-writable ACLs during `tbot init`. Outputs return these from
// Describe.
type FileDescription struct {
	// Name is the name of the file or directory to create.
	Name string

	// IsDir designates whether this describes a subdirectory inside the
	// Destination.
	IsDir bool
}

FileDescription is a minimal spec needed to create an empty end-user-owned file with bot-writable ACLs during `tbot init`.

type IdentityOutput

// IdentityOutput produces credentials which can be used with `tsh`, `tctl`,
// `openssh` and most SSH compatible tooling, and with the Teleport API
// client. It cannot be used to connect to Applications, Databases or
// Kubernetes Clusters.
type IdentityOutput struct {
	// Destination is where the credentials should be written to.
	Destination bot.Destination `yaml:"destination"`
	// Roles is the list of roles to request for the generated credentials.
	// If empty, it defaults to all the bot's roles.
	Roles []string `yaml:"roles,omitempty"`

	// Cluster allows certificates to be generated for a leaf cluster of the
	// cluster that the bot is connected to. These certificates can be used
	// to directly connect to a Teleport proxy of that leaf cluster, or used
	// with the root cluster's proxy which will forward the request to the
	// leaf cluster.
	// For now, only SSH is supported.
	Cluster string `yaml:"cluster,omitempty"`
	// contains filtered or unexported fields
}

IdentityOutput produces credentials which can be used with `tsh`, `tctl`, `openssh` and most SSH compatible tooling. It can also be used with the Teleport API and things which use the API client (e.g. the Terraform provider).

It cannot be used to connect to Applications, Databases or Kubernetes Clusters.

func (*IdentityOutput) CheckAndSetDefaults

func (o *IdentityOutput) CheckAndSetDefaults() error

func (*IdentityOutput) Describe

func (o *IdentityOutput) Describe() []FileDescription

func (*IdentityOutput) GetDestination

func (o *IdentityOutput) GetDestination() bot.Destination

func (*IdentityOutput) GetRoles

func (o *IdentityOutput) GetRoles() []string

func (*IdentityOutput) Init

func (o *IdentityOutput) Init(ctx context.Context) error

func (*IdentityOutput) MarshalYAML

func (o *IdentityOutput) MarshalYAML() (interface{}, error)

func (*IdentityOutput) Render

func (o *IdentityOutput) Render(ctx context.Context, p provider, ident *identity.Identity) error

func (*IdentityOutput) String

func (o *IdentityOutput) String() string

func (*IdentityOutput) UnmarshalYAML

func (o *IdentityOutput) UnmarshalYAML(node *yaml.Node) error

type KubernetesOutput

// KubernetesOutput produces credentials which can be used to connect to a
// Kubernetes Cluster through Teleport.
type KubernetesOutput struct {
	// Destination is where the credentials should be written to.
	Destination bot.Destination `yaml:"destination"`
	// Roles is the list of roles to request for the generated credentials.
	// If empty, it defaults to all the bot's roles.
	Roles []string `yaml:"roles,omitempty"`

	// KubernetesCluster is the name of the Kubernetes cluster in Teleport.
	// This is named a little more verbosely to avoid conflicting with the
	// name of the Teleport cluster to use.
	KubernetesCluster string `yaml:"kubernetes_cluster"`
}

KubernetesOutput produces credentials which can be used to connect to a Kubernetes Cluster through teleport.

func (*KubernetesOutput) CheckAndSetDefaults

func (o *KubernetesOutput) CheckAndSetDefaults() error

func (*KubernetesOutput) Describe

func (o *KubernetesOutput) Describe() []FileDescription

func (*KubernetesOutput) GetDestination

func (o *KubernetesOutput) GetDestination() bot.Destination

func (*KubernetesOutput) GetRoles

func (o *KubernetesOutput) GetRoles() []string

func (*KubernetesOutput) Init

func (o *KubernetesOutput) Init(ctx context.Context) error

func (*KubernetesOutput) MarshalYAML

func (o *KubernetesOutput) MarshalYAML() (interface{}, error)

func (*KubernetesOutput) Render

func (o *KubernetesOutput) Render(ctx context.Context, p provider, ident *identity.Identity) error

func (*KubernetesOutput) String

func (o *KubernetesOutput) String() string

func (*KubernetesOutput) UnmarshalYAML

func (o *KubernetesOutput) UnmarshalYAML(node *yaml.Node) error

type OnboardingConfig

// OnboardingConfig contains values relevant to how the bot authenticates with
// the Teleport cluster.
type OnboardingConfig struct {
	// TokenValue is either the token needed to join the auth server, or a path pointing to a file
	// that contains the token. Either way it is a join credential and should
	// be treated as a secret.
	//
	// You should use Token() instead - this has to be an exported field for YAML unmarshaling
	// to work correctly, but this could be a path instead of a token
	TokenValue string `yaml:"token,omitempty"`

	// CAPath is an optional path to a CA certificate.
	CAPath string `yaml:"ca_path,omitempty"`

	// CAPins is a list of certificate authority pins, used to validate the
	// connection to the Teleport auth server. Pinning (or CAPath) is the safe
	// way to bootstrap trust on first connect; see BotConfig.Insecure for the
	// unverified alternative.
	CAPins []string `yaml:"ca_pins,omitempty"`

	// JoinMethod is the method the bot should use to exchange a token for the
	// initial certificate. Whether it renews or rejoins is reported by
	// RenewableJoinMethod.
	JoinMethod types.JoinMethod `yaml:"join_method"`

	// Azure holds configuration relevant to the azure joining method.
	Azure AzureOnboardingConfig `yaml:"azure,omitempty"`
}

OnboardingConfig contains values relevant to how the bot authenticates with the Teleport cluster.

func (*OnboardingConfig) HasToken

func (conf *OnboardingConfig) HasToken() bool

HasToken reports whether a token value has been stored in the config.

func (*OnboardingConfig) RenewableJoinMethod

func (conf *OnboardingConfig) RenewableJoinMethod() bool

RenewableJoinMethod indicates that certificate renewal should be used with this join method rather than rejoining each time.

func (*OnboardingConfig) SetToken

func (conf *OnboardingConfig) SetToken(token string)

SetToken stores the value for --token or auth_token in the config

In the case of the token value pointing to a file, this allows us to fetch the value of the token when it's needed (when connecting for the first time) instead of trying to read the file every time that teleport is launched. This means we can allow temporary token files that are removed after teleport has successfully connected the first time.

func (*OnboardingConfig) Token

func (conf *OnboardingConfig) Token() (string, error)

Token returns the token needed to join the auth server.

If the stored value points to a file, it attempts to read the token value from that file and returns an error if it wasn't successful. If the stored value doesn't point to a file, it returns the stored value.

type Output

// Output is an interface that represents configurable Outputs for a bot.
// These outputs are the core unit of generating artifacts in tbot and are the
// element users configure to control what is output.
//
// Call order: CheckAndSetDefaults, then Init, then Render (repeatedly).
type Output interface {
	// GetDestination returns the bot.Destination that the Output is writing to.
	//
	// This can be useful for extracting content that has been written in
	// tests or as part of the `tbot init` command.
	GetDestination() bot.Destination
	// CheckAndSetDefaults validates the configuration and sets any defaults.
	//
	// This must be called before other methods on Output can be called as the
	// implementations may depend on the default values.
	CheckAndSetDefaults() error
	// GetRoles returns the roles configured for that Output so that the
	// tbot.Bot the Output belongs to knows what impersonated identity to pass
	// to Render.
	//
	// This will eventually be removed as we move more logic into the Outputs.
	GetRoles() []string
	// Render executes the Output with the given identity and provider, causing
	// the Output to write to the configured bot.Destination.
	Render(context.Context, provider, *identity.Identity) error
	// Init instructs the Output to initialize its underlying bot.Destination.
	// Typical Init activities include creating any necessary folders or
	// initializing in-memory maps.
	//
	// This must be called before Render.
	Init(ctx context.Context) error
	// MarshalYAML enables the yaml package to correctly marshal the Output as
	// YAML.
	MarshalYAML() (interface{}, error)
	// Describe returns a list of all files that will be created by an Output,
	// this enables commands like `tbot init` to pre-create and configure these
	// files with the correct permissions.
	Describe() []FileDescription
}

Output is an interface that represents configurable Outputs for a bot. These outputs are the core unit of generating artifacts in tbot and are the element users configure to control what is output.

type Outputs

// Outputs assists polymorphic unmarshaling of a slice of Outputs; its
// UnmarshalYAML picks the concrete Output type for each element.
type Outputs []Output

Outputs assists polymorphic unmarshaling of a slice of Outputs

func (*Outputs) UnmarshalYAML

func (o *Outputs) UnmarshalYAML(node *yaml.Node) error

type RemainingArgsList

// RemainingArgsList is a custom kingpin parser that consumes all remaining
// arguments; see RemainingArgs.
type RemainingArgsList []string

RemainingArgsList is a custom kingpin parser that consumes all remaining arguments.

func (*RemainingArgsList) IsCumulative

func (r *RemainingArgsList) IsCumulative() bool

func (*RemainingArgsList) Set

func (r *RemainingArgsList) Set(value string) error

func (*RemainingArgsList) String

func (r *RemainingArgsList) String() string

type SSHHostOutput

// SSHHostOutput generates a host certificate signed by the Teleport CA. This
// can be used to allow OpenSSH server to be trusted by Teleport SSH clients.
type SSHHostOutput struct {
	// Destination is where the credentials should be written to.
	Destination bot.Destination `yaml:"destination"`
	// Roles is the list of roles to request for the generated credentials.
	// If empty, it defaults to all the bot's roles.
	Roles []string `yaml:"roles,omitempty"`

	// Principals is a list of principals to request for the host cert.
	// NOTE(review): these become the hostnames the certificate is valid for;
	// keep the list to the names the host actually serves.
	Principals []string `yaml:"principals"`
}

SSHHostOutput generates a host certificate signed by the Teleport CA. This can be used to allow OpenSSH server to be trusted by Teleport SSH clients.

func (*SSHHostOutput) CheckAndSetDefaults

func (o *SSHHostOutput) CheckAndSetDefaults() error

func (*SSHHostOutput) Describe

func (o *SSHHostOutput) Describe() []FileDescription

func (*SSHHostOutput) GetDestination

func (o *SSHHostOutput) GetDestination() bot.Destination

func (*SSHHostOutput) GetRoles

func (o *SSHHostOutput) GetRoles() []string

func (*SSHHostOutput) Init

func (o *SSHHostOutput) Init(ctx context.Context) error

func (*SSHHostOutput) MarshalYAML

func (o *SSHHostOutput) MarshalYAML() (interface{}, error)

func (*SSHHostOutput) Render

func (o *SSHHostOutput) Render(ctx context.Context, p provider, ident *identity.Identity) error

func (*SSHHostOutput) String

func (o *SSHHostOutput) String() string

func (*SSHHostOutput) UnmarshalYAML

func (o *SSHHostOutput) UnmarshalYAML(node *yaml.Node) error

type Services

// Services assists polymorphic unmarshaling of a slice of Services; its
// UnmarshalYAML picks the concrete service type for each element.
type Services []bot.Service

Services assists polymorphic unmarshaling of a slice of Services.

func (*Services) UnmarshalYAML

func (o *Services) UnmarshalYAML(node *yaml.Node) error

type StorageConfig

// StorageConfig contains config parameters for the bot's internal certificate
// storage.
type StorageConfig struct {
	// Destination holds the bot's internal (renewable) credentials; its yaml
	// is handled by MarshalYAML/UnmarshalYAML.
	Destination bot.Destination
}

StorageConfig contains config parameters for the bot's internal certificate storage.

func (*StorageConfig) CheckAndSetDefaults

func (sc *StorageConfig) CheckAndSetDefaults() error

func (*StorageConfig) MarshalYAML

func (sc *StorageConfig) MarshalYAML() (interface{}, error)

func (*StorageConfig) UnmarshalYAML

func (sc *StorageConfig) UnmarshalYAML(node *yaml.Node) error

type UnstableClientCredentialOutput

// UnstableClientCredentialOutput is an experimental tbot output which is
// compatible with the client.Credential interface. Credentials are kept in
// memory (no files are written); wait on Ready before using it.
//
// Unstable: no API stability promises are made for this struct and its
// methods.
type UnstableClientCredentialOutput struct {
	// contains filtered or unexported fields
}

UnstableClientCredentialOutput is an experimental tbot output which is compatible with the client.Credential interface. This allows tbot to be used as an in-memory source of credentials for the Teleport API client and removes the need to write credentials to a filesystem.

Unstable: no API stability promises are made for this struct and its methods. Available configuration options may change and the signatures of methods may be modified. This output is currently part of an experiment and could be removed in a future release.

func (*UnstableClientCredentialOutput) CheckAndSetDefaults

func (o *UnstableClientCredentialOutput) CheckAndSetDefaults() error

CheckAndSetDefaults implements the Destination interface and does nothing in this implementation.

func (*UnstableClientCredentialOutput) Describe

Describe implements the Destination interface and returns no file descriptions in this implementation, this is because no files are written.

func (*UnstableClientCredentialOutput) Dialer

Dialer implements the client.Credential interface. It does nothing.

func (*UnstableClientCredentialOutput) GetDestination

func (o *UnstableClientCredentialOutput) GetDestination() bot.Destination

GetDestination implements the Destination interface and does nothing in this implementation.

func (*UnstableClientCredentialOutput) GetRoles

func (o *UnstableClientCredentialOutput) GetRoles() []string

GetRoles implements the Destination interface and returns an empty slice in this implementation. This causes all available roles to be used with the identity.

func (*UnstableClientCredentialOutput) Init

Init implements the Destination interface and does nothing in this implementation.

func (*UnstableClientCredentialOutput) MarshalYAML

func (o *UnstableClientCredentialOutput) MarshalYAML() (interface{}, error)

MarshalYAML enables the yaml package to correctly marshal the Destination as YAML including the type header.

func (*UnstableClientCredentialOutput) Ready

func (o *UnstableClientCredentialOutput) Ready() <-chan struct{}

Ready returns a channel which closes when the Output is ready to be used as a client credential. Using this as a credential before Ready closes is unsupported.

func (*UnstableClientCredentialOutput) Render

func (o *UnstableClientCredentialOutput) Render(ctx context.Context, _ provider, ident *identity.Identity) error

Render implements the Destination interface and is called regularly by the bot with new credentials. Render passes these credentials down to the underlying facade so that they can be used in TLS/SSH configs.

func (*UnstableClientCredentialOutput) SSHClientConfig

func (o *UnstableClientCredentialOutput) SSHClientConfig() (*ssh.ClientConfig, error)

SSHClientConfig implements the client.Credential interface and returns the ssh.ClientConfig from the underlying identity.Facade.

func (*UnstableClientCredentialOutput) String

String returns a human readable description of this output.

func (*UnstableClientCredentialOutput) TLSConfig

func (o *UnstableClientCredentialOutput) TLSConfig() (*tls.Config, error)

TLSConfig implements the client.Credential interface and returns the tls.Config from the underlying identity.Facade.

type Version

// Version is the bot config file schema version.
type Version string
// Known config versions. BotConfig is currently at V2; ReadConfig's
// manualMigration flag suggests V1 files are migrated rather than read
// directly — confirm.
var (
	V1 Version = "v1"
	V2 Version = "v2"
)
