Documentation ¶
Index ¶
- func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
- func Configure(clf *CommandLineFlags, cfg *service.Config) error
- type Auth
- type Authority
- type CommandLabel
- type CommandLineFlags
- type ConnectionLimits
- type ConnectionRate
- type FileConfig
- func MakeAuthPeerFileConfig(domainName string, token string) (fc *FileConfig)
- func MakeSampleFileConfig() (fc *FileConfig)
- func ReadConfig(reader io.Reader) (*FileConfig, error)
- func ReadConfigFile(cliConfigPath string) (*FileConfig, error)
- func ReadFromFile(filePath string) (*FileConfig, error)
- func ReadFromString(configString string) (*FileConfig, error)
- type Global
- type KeyPair
- type Log
- type OIDCConnector
- type Proxy
- type ReverseTunnel
- type SSH
- type Service
- type StaticToken
- type TrustedCluster
- type U2F
- type YAMLMap
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyFileConfig ¶
func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
ApplyFileConfig applies confniguration from a YAML file to Teleport runtime config
Types ¶
type Auth ¶
type Auth struct { Service `yaml:",inline"` // DomainName is the name of the CA who manages this cluster DomainName string `yaml:"cluster_name,omitempty"` // TrustedClustersFile is a file path to a file containing public CA keys // of clusters we trust. One key per line, those starting with '#' are comments TrustedClusters []TrustedCluster `yaml:"trusted_clusters,omitempty"` // FOR INTERNAL USE: // Authorities : 3rd party certificate authorities (CAs) this auth service trusts. Authorities []Authority `yaml:"authorities,omitempty"` // FOR INTERNAL USE: // ReverseTunnels is a list of SSH tunnels to 3rd party proxy services (used to talk // to 3rd party auth servers we trust) ReverseTunnels []ReverseTunnel `yaml:"reverse_tunnels,omitempty"` // OIDCConnectors is a list of trusted OpenID Connect Identity providers OIDCConnectors []OIDCConnector `yaml:"oidc_connectors"` // StaticTokens are pre-defined host provisioning tokens supplied via config file for // environments where paranoid security is not needed // // Each token string has the following format: "role1,role2,..:token", // for exmple: "auth,proxy,node:MTIzNGlvemRmOWE4MjNoaQo" StaticTokens []StaticToken `yaml:"tokens,omitempty"` U2F U2F `yaml:"u2f,omitempty"` }
Auth is 'auth_service' section of the config file
type Authority ¶
type Authority struct { // Type is either user or host certificate authority Type services.CertAuthType `yaml:"type"` // DomainName identifies domain name this authority serves, // for host authorities that means base hostname of all servers, // for user authorities that means organization name DomainName string `yaml:"domain_name"` // Checkers is a list of SSH public keys that can be used to check // certificate signatures in OpenSSH authorized keys format CheckingKeys []string `yaml:"checking_keys"` // CheckingKeyFiles is a list of files CheckingKeyFiles []string `yaml:"checking_key_files"` // SigningKeys is a list of PEM-encoded private keys used for signing SigningKeys []string `yaml:"signing_keys"` // SigningKeyFiles is a list of paths to PEM encoded private keys used for signing SigningKeyFiles []string `yaml:"signing_key_files"` // AllowedLogins is a list of allowed logins for users within // this certificate authority AllowedLogins []string `yaml:"allowed_logins"` }
Authority is a host or user certificate authority that can check and if it has private key stored as well, sign it too
type CommandLabel ¶
type CommandLabel struct { Name string `yaml:"name"` Command []string `yaml:"command,flow"` Period time.Duration `yaml:"period"` }
CommandLabel is `command` section of `ssh_service` in the config file
type CommandLineFlags ¶
type CommandLineFlags struct { // --name flag NodeName string // --auth-server flag AuthServerAddr string // --token flag AuthToken string // --listen-ip flag ListenIP net.IP // --advertise-ip flag AdvertiseIP net.IP // --config flag ConfigFile string // ConfigString is a base64 encoded configuration string // set by --config-string or TELEPORT_CONFIG environment variable ConfigString string // --roles flag Roles string // -d flag Debug bool // --labels flag Labels string // --httpprofile hidden flag HTTPProfileEndpoint bool // --pid-file flag PIDFile string }
CommandLineFlags stores command line flag values, it's a much simplified subset of Teleport configuration (which is fully expressed via YAML config file)
type ConnectionLimits ¶
type ConnectionLimits struct { MaxConnections int64 `yaml:"max_connections"` MaxUsers int `yaml:"max_users"` Rates []ConnectionRate `yaml:"rates,omitempty"` }
ConnectionLimits sets up connection limiter
type ConnectionRate ¶
type ConnectionRate struct { Period time.Duration `yaml:"period"` Average int64 `yaml:"average"` Burst int64 `yaml:"burst"` }
ConnectionRate configures rate limiter
type FileConfig ¶
type FileConfig struct { Global `yaml:"teleport,omitempty"` Auth Auth `yaml:"auth_service,omitempty"` SSH SSH `yaml:"ssh_service,omitempty"` Proxy Proxy `yaml:"proxy_service,omitempty"` }
FileConfig structre represents the teleport configuration stored in a config file in YAML format (usually /etc/teleport.yaml)
Use config.ReadFromFile() to read the parsed FileConfig from a YAML file.
func MakeAuthPeerFileConfig ¶
func MakeAuthPeerFileConfig(domainName string, token string) (fc *FileConfig)
MakeAuthPeerFileConfig returns a sample configuration for auth server peer that shares etcd backend
func MakeSampleFileConfig ¶
func MakeSampleFileConfig() (fc *FileConfig)
MakeSampleFileConfig returns a sample config structure populated by defaults, useful to generate sample configuration files
func ReadConfig ¶
func ReadConfig(reader io.Reader) (*FileConfig, error)
ReadConfig reads Teleport configuration from reader in YAML format
func ReadConfigFile ¶
func ReadConfigFile(cliConfigPath string) (*FileConfig, error)
readConfigFile reads /etc/teleport.yaml (or whatever is passed via --config flag) and overrides values in 'cfg' structure
func ReadFromFile ¶
func ReadFromFile(filePath string) (*FileConfig, error)
ReadFromFile reads Teleport configuration from a file. Currently only YAML format is supported
func ReadFromString ¶
func ReadFromString(configString string) (*FileConfig, error)
ReadFromString reads values from base64 encoded byte string
func (*FileConfig) DebugDumpToYAML ¶
func (conf *FileConfig) DebugDumpToYAML() string
DebugDumpToYAML allows for quick YAML dumping of the config
type Global ¶
type Global struct { NodeName string `yaml:"nodename,omitempty"` PIDFile string `yaml:"pid_file,omitempty"` AuthToken string `yaml:"auth_token,omitempty"` AuthServers []string `yaml:"auth_servers,omitempty"` Limits ConnectionLimits `yaml:"connection_limits,omitempty"` Logger Log `yaml:"log,omitempty"` Storage backend.Config `yaml:"storage,omitempty"` AdvertiseIP net.IP `yaml:"advertise_ip,omitempty"` DataDir string `yaml:"data_dir,omitempty"` // Keys holds the list of SSH key/cert pairs used by all services // Each service (like proxy, auth, node) can find the key it needs // by looking into certificate Keys []KeyPair `yaml:"keys,omitempty"` // SeedConfig [GRAVITATIONAL USE] when set to true, Teleport treats // its configuration file simply as a seed data on initial start-up. // For OSS Teleport it should always be 'false' by default. SeedConfig bool `yaml:"seed_config,omitempty"` }
Global is 'teleport' (global) section of the config file
type KeyPair ¶
type KeyPair struct { // PrivateKeyFile is a path to file with private key PrivateKeyFile string `yaml:"private_key_file"` // CertFile is a path to file with OpenSSH certificate CertFile string `yaml:"cert_file"` // PrivateKey is PEM encoded OpenSSH private key PrivateKey string `yaml:"private_key"` // Cert is certificate in OpenSSH authorized keys format Cert string `yaml:"cert"` }
KeyPair is a pair of private key and certificates
type Log ¶
type Log struct { // Output defines where logs go. It can be one of the following: "stderr", "stdout" or // a path to a log file Output string `yaml:"output,omitempty"` // Severity defines how verbose the log will be. Possible valus are "error", "info", "warn" Severity string `yaml:"severity,omitempty"` }
Log configures teleport logging
type OIDCConnector ¶
type OIDCConnector struct { // ID is a provider id, 'e.g.' google, used internally ID string `yaml:"id"` // Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com IssuerURL string `yaml:"issuer_url"` // ClientID is id for authentication client (in our case it's our Auth server) ClientID string `yaml:"client_id"` // ClientSecret is used to authenticate our client and should not // be visible to end user ClientSecret string `yaml:"client_secret"` // RedirectURL - Identity provider will use this URL to redirect // client's browser back to it after successfull authentication // Should match the URL on Provider's side RedirectURL string `yaml:"redirect_url"` Display string `yaml:"display"` }
OIDCConnector specifies configuration fo Open ID Connect compatible external identity provider, e.g. google in some organisation
func (*OIDCConnector) Parse ¶
func (o *OIDCConnector) Parse() (*services.OIDCConnector, error)
Parse parses config struct into services connector and checks if it's valid
type Proxy ¶
type Proxy struct { Service `yaml:",inline"` WebAddr string `yaml:"web_listen_addr,omitempty"` TunAddr string `yaml:"tunnel_listen_addr,omitempty"` KeyFile string `yaml:"https_key_file,omitempty"` CertFile string `yaml:"https_cert_file,omitempty"` }
Proxy is `proxy_service` section of the config file:
type ReverseTunnel ¶
type ReverseTunnel struct { DomainName string `yaml:"domain_name"` Addresses []string `yaml:"addresses"` }
ReverseTunnel is a SSH reverse tunnel mantained by one cluster's proxy to remote Teleport proxy
func (*ReverseTunnel) ConvertAndValidate ¶
func (t *ReverseTunnel) ConvertAndValidate() (*services.ReverseTunnel, error)
ConvertAndValidate returns validated services.ReverseTunnel or nil and error otherwize
type SSH ¶
type SSH struct { Service `yaml:",inline"` Labels map[string]string `yaml:"labels,omitempty"` Commands []CommandLabel `yaml:"commands,omitempty"` }
SSH is 'ssh_service' section of the config file
type Service ¶
type Service struct { EnabledFlag string `yaml:"enabled,omitempty"` ListenAddress string `yaml:"listen_addr,omitempty"` }
Service is a common configuration of a teleport service
func (*Service) Configured ¶
Configured determines if a given "_service" section has been specified
type StaticToken ¶
type StaticToken string
type TrustedCluster ¶
type TrustedCluster struct { // KeyFile is a path to a remote authority (AKA "trusted cluster") public keys KeyFile string `yaml:"key_file,omitempty"` // AllowedLogins is a comma-separated list of user logins allowed from that cluster AllowedLogins string `yaml:"allow_logins,omitempty"` // TunnelAddr is a comma-separated list of reverse tunnel addressess to // connect to TunnelAddr string `yaml:"tunnel_addr,omitempty"` }
TrustedCluster struct holds configuration values under "trusted_clusters" key