Documentation ¶
Overview ¶
Package config provides facilities for configuring Teleport daemons including
- parsing YAML configuration
- parsing CLI flags
Constants ¶
const (
	// SystemdDefaultEnvironmentFile is the default path to the env file for
	// the systemd unit file config.
	// NOTE(review): if join tokens or other secrets are placed in this file,
	// its permissions should be restricted to the service user — confirm
	// against the unit template written by WriteSystemdUnitFile.
	SystemdDefaultEnvironmentFile = "/etc/default/teleport"
	// SystemdDefaultPIDFile is the default path to the PID file for the
	// systemd unit file config.
	SystemdDefaultPIDFile = "/run/teleport.pid"
	// SystemdDefaultFileDescriptorLimit is the default max number of open
	// file descriptors for the systemd unit file config.
	SystemdDefaultFileDescriptorLimit = 524288
)
Variables ¶
This section is empty.
Functions ¶
func ApplyFileConfig ¶
func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
ApplyFileConfig applies configuration from a YAML file to Teleport runtime config
func Configure ¶
func Configure(clf *CommandLineFlags, cfg *service.Config) error
Configure merges command line flags with the values from the configuration file; where both set the same option, the CLI flag takes precedence.
func MakeDatabaseAgentConfigString ¶
func MakeDatabaseAgentConfigString(flags DatabaseSampleFlags) (string, error)
MakeDatabaseAgentConfigString generates a simple database agent configuration based on the flags provided. Returns the configuration as a string.
func ReadResources ¶
ReadResources loads a set of resources from a file.
func WriteSystemdUnitFile ¶
func WriteSystemdUnitFile(flags SystemdFlags, dest io.Writer) error
WriteSystemdUnitFile accepts flags and an io.Writer and writes the systemd unit file configuration to it
Types ¶
type ACME ¶
type ACME struct {
	// EnabledFlag is whether ACME should be enabled. Stored as a string
	// rather than a bool, like the other `enabled` flags in this package
	// (e.g. CachePolicy.EnabledFlag).
	EnabledFlag string `yaml:"enabled,omitempty"`
	// Email is the email that will receive problems with certificate renewals.
	Email string `yaml:"email,omitempty"`
	// URI is the ACME server URI. This is the issuer the proxy will obtain its
	// certificates from, so it should only ever point at a CA you trust.
	// NOTE(review): the default used when unset is not visible here — confirm.
	URI string `yaml:"uri,omitempty"`
}
ACME configures the ACME protocol for obtaining X.509 certificates automatically.
type AWSMatcher ¶
type AWSMatcher struct {
	// Types are the AWS resource types to match: "ec2", "rds", "redshift",
	// "elasticache" or "memorydb".
	Types []string `yaml:"types,omitempty"`
	// Regions are AWS regions to query for resources.
	Regions []string `yaml:"regions,omitempty"`
	// Tags are AWS tags to match. Matching is the only thing that scopes
	// which instances/databases this matcher picks up, so keep the tag set
	// specific — a wildcard here enrolls every resource in the region.
	Tags map[string]apiutils.Strings `yaml:"tags,omitempty"`
	// InstallParams sets the join method when installing on
	// discovered EC2 nodes.
	InstallParams *InstallParams `yaml:"install,omitempty"`
	// SSM provides options to use when sending a document command to
	// an EC2 node. NOTE(review): the document named there is executed on
	// every matched instance — treat changes to it as a code change.
	SSM AWSSSM `yaml:"ssm,omitempty"`
}
AWSMatcher matches AWS EC2 instances and AWS Databases
type AWSSSM ¶
type AWSSSM struct {
	// DocumentName is the name of the SSM document to use when executing an
	// SSM command on discovered EC2 instances.
	DocumentName string `yaml:"document_name,omitempty"`
}
AWSSSM provides options to use when executing SSM documents
type App ¶
type App struct {
	// Name of the application.
	Name string `yaml:"name"`
	// Description is an optional free-form app description.
	Description string `yaml:"description,omitempty"`
	// URI is the internal address of the application.
	URI string `yaml:"uri"`
	// Public address of the application. This is the address users will access
	// the application at.
	PublicAddr string `yaml:"public_addr"`
	// StaticLabels is a map of static labels to apply to this application.
	StaticLabels map[string]string `yaml:"labels,omitempty"`
	// DynamicLabels is a list of commands that generate dynamic labels
	// to apply to this application.
	DynamicLabels []CommandLabel `yaml:"commands,omitempty"`
	// InsecureSkipVerify is used to skip validating the server's certificate
	// when connecting to URI. With it set, the connection is still encrypted
	// but the backend is no longer authenticated, so anything that can sit
	// between the app service and URI can impersonate the app. Intended for
	// self-signed internal services; prefer trusting the right CA instead.
	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`
	// Rewrite defines a block that is used to rewrite requests and responses.
	Rewrite *Rewrite `yaml:"rewrite,omitempty"`
	// AWS contains additional options for AWS applications.
	AWS *AppAWS `yaml:"aws,omitempty"`
}
App is the specific application that will be proxied by the application service.
type AppAWS ¶
type AppAWS struct {
	// ExternalID is the AWS External ID used when assuming roles in this app.
	// It is the standard cross-account confused-deputy guard: the value is
	// not a secret, but it must match the condition in the target role's
	// trust policy or AssumeRole is refused.
	ExternalID string `yaml:"external_id,omitempty"`
}
AppAWS contains additional options for AWS applications.
type Apps ¶
type Apps struct {
	// Service contains fields common to all services like "enabled" and
	// "listen_addr".
	Service `yaml:",inline"`
	// DebugApp turns on a header debugging application.
	// NOTE(review): presumably this echoes request headers back to the
	// caller; that can include forwarded identity headers, so leave it off
	// outside troubleshooting — confirm what it exposes.
	DebugApp bool `yaml:"debug_app"`
	// Apps is a list of applications that will be run by this service.
	Apps []*App `yaml:"apps"`
	// ResourceMatchers match cluster application resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
}
Apps represents the configuration for the collection of applications this service will start. In file configuration this would be the "app_service" section.
type Auth ¶
type Auth struct {
	Service `yaml:",inline"`
	// ProxyProtocol enables support for HAProxy PROXY protocol version 1 when
	// it is turned 'on'. Only enable it when the service really sits behind
	// a trusted load balancer: the PROXY header carries the client's source
	// address, and if the listener is reachable directly, a client can send
	// its own header and spoof that address.
	// The default value is 'on'.
	ProxyProtocol string `yaml:"proxy_protocol,omitempty"`
	// ClusterName is the name of the CA who manages this cluster.
	ClusterName ClusterName `yaml:"cluster_name,omitempty"`
	// StaticTokens are pre-defined host provisioning tokens supplied via the
	// config file. Each one is a long-lived secret stored in plaintext in
	// teleport.yaml, and anyone holding it can join a host with every role
	// listed for it, so they are only appropriate where that risk is
	// acceptable (labs, CI); prefer short-lived dynamically issued tokens.
	//
	// Each token string has the following format: "role1,role2,..:token",
	// for example: "auth,proxy,node:MTIzNGlvemRmOWE4MjNoaQo"
	StaticTokens StaticTokens `yaml:"tokens,omitempty"`
	// Authentication holds authentication configuration information like authentication
	// type, second factor type, specific connector information, etc.
	Authentication *AuthenticationConfig `yaml:"authentication,omitempty"`
	// SessionRecording determines where the session is recorded:
	// node, node-sync, proxy, proxy-sync, or off.
	SessionRecording string `yaml:"session_recording,omitempty"`
	// ProxyChecksHostKeys is used when the proxy is in recording mode and
	// determines if the proxy will check the host key of the client or not.
	// NOTE(review): turning this off removes the check that the host being
	// connected to is one the cluster knows; the original comment says "of
	// the client" — confirm which side's key is meant.
	ProxyChecksHostKeys *types.BoolOption `yaml:"proxy_checks_host_keys,omitempty"`
	// LicenseFile is a path to the license file. The path can be either
	// absolute or relative to the global data dir.
	LicenseFile string `yaml:"license_file,omitempty"`
	// FOR INTERNAL USE:
	// ReverseTunnels is a list of SSH tunnels to 3rd party proxy services (used to talk
	// to 3rd party auth servers we trust).
	ReverseTunnels []ReverseTunnel `yaml:"reverse_tunnels,omitempty"`
	// PublicAddr sets SSH host principals and TLS DNS names to auth
	// server certificates.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// ClientIdleTimeout sets global cluster default setting for client idle timeouts.
	ClientIdleTimeout types.Duration `yaml:"client_idle_timeout,omitempty"`
	// DisconnectExpiredCert provides disconnect expired certificate setting -
	// if true, connections with expired client certificates will get disconnected.
	// NOTE(review): presumably, when unset, an established session outlives
	// the certificate that opened it — confirm the default.
	DisconnectExpiredCert *types.BoolOption `yaml:"disconnect_expired_cert,omitempty"`
	// SessionControlTimeout specifies the maximum amount of time a node can be out
	// of contact with the auth server before it starts terminating controlled sessions.
	SessionControlTimeout types.Duration `yaml:"session_control_timeout,omitempty"`
	// KubeconfigFile is an optional path to kubeconfig file,
	// if specified, teleport will use API server address and
	// trusted certificate authority information from it.
	// NOTE(review): a kubeconfig usually also carries credentials; protect
	// the file accordingly.
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
	// KeepAliveInterval set the keep-alive interval for server to client
	// connections.
	KeepAliveInterval types.Duration `yaml:"keep_alive_interval,omitempty"`
	// KeepAliveCountMax set the number of keep-alive messages that can be
	// missed before the server disconnects the client.
	KeepAliveCountMax int64 `yaml:"keep_alive_count_max,omitempty"`
	// ClientIdleTimeoutMessage is sent to the client when the inactivity timeout
	// expires. The empty string implies no message should be sent prior to
	// disconnection.
	ClientIdleTimeoutMessage string `yaml:"client_idle_timeout_message,omitempty"`
	// MessageOfTheDay is a banner that a user must acknowledge during a `tsh login`.
	MessageOfTheDay string `yaml:"message_of_the_day,omitempty"`
	// WebIdleTimeout sets global cluster default setting for WebUI client
	// idle timeouts.
	WebIdleTimeout types.Duration `yaml:"web_idle_timeout,omitempty"`
	// CAKeyParams configures how CA private keys will be created and stored
	// (HSM / cloud KMS instead of on-disk keys).
	CAKeyParams *CAKeyParams `yaml:"ca_key_params,omitempty"`
	// ProxyListenerMode is a listener mode used by the proxy.
	ProxyListenerMode types.ProxyListenerMode `yaml:"proxy_listener_mode,omitempty"`
	// RoutingStrategy configures the routing strategy to nodes.
	RoutingStrategy types.RoutingStrategy `yaml:"routing_strategy,omitempty"`
	// TunnelStrategy configures the tunnel strategy used by the cluster.
	TunnelStrategy *types.TunnelStrategyV1 `yaml:"tunnel_strategy,omitempty"`
	// ProxyPingInterval defines in which interval the TLS routing ping message
	// should be sent. This is applicable only when using ping-wrapped
	// connections, regular TLS routing connections are not affected.
	ProxyPingInterval types.Duration `yaml:"proxy_ping_interval,omitempty"`
	// LoadAllCAs tells tsh to load the CAs for all clusters when trying
	// to ssh into a node, instead of just the CA for the current cluster.
	LoadAllCAs bool `yaml:"load_all_cas,omitempty"`
}
Auth is 'auth_service' section of the config file
type AuthenticationConfig ¶
type AuthenticationConfig struct {
	// Type is the authentication type (the `type` key of the section).
	// NOTE(review): the accepted values are defined outside this file — confirm.
	Type string `yaml:"type"`
	// SecondFactor selects the second-factor policy.
	SecondFactor constants.SecondFactorType `yaml:"second_factor,omitempty"`
	// ConnectorName names the connector used for the chosen Type.
	ConnectorName string `yaml:"connector_name,omitempty"`
	// U2F holds the legacy U2F second-factor settings.
	U2F *UniversalSecondFactor `yaml:"u2f,omitempty"`
	// Webauthn holds the WebAuthn second-factor settings.
	Webauthn *Webauthn `yaml:"webauthn,omitempty"`
	// RequireMFAType controls whether MFA is required per session
	// (`require_session_mfa`).
	RequireMFAType types.RequireMFAType `yaml:"require_session_mfa,omitempty"`
	// LockingMode selects the locking mode applied to users/sessions.
	LockingMode constants.LockingMode `yaml:"locking_mode,omitempty"`
	// LocalAuth controls if local authentication is allowed.
	// Disabling it once SSO is in place removes local passwords as an
	// attack path; leave it enabled only where local users are required.
	LocalAuth *types.BoolOption `yaml:"local_auth"`
	// Passwordless enables/disables passwordless support.
	// Requires Webauthn to work.
	// Defaults to true if Webauthn is configured, defaults to false
	// otherwise.
	Passwordless *types.BoolOption `yaml:"passwordless"`
}
AuthenticationConfig describes the auth_service/authentication section of teleport.yaml
func (*AuthenticationConfig) Parse ¶
func (a *AuthenticationConfig) Parse() (types.AuthPreference, error)
Parse converts this section into a types.AuthPreference (authentication type, second factor, U2F/Webauthn settings, and so on), or returns an error if the section is invalid.
type AzureMatcher ¶
type AzureMatcher struct {
	// Subscriptions are Azure subscriptions to query for resources.
	Subscriptions []string `yaml:"subscriptions,omitempty"`
	// ResourceGroups are Azure resource groups to query for resources.
	ResourceGroups []string `yaml:"resource_groups,omitempty"`
	// Types are Azure types to match: "mysql", "postgres", "aks".
	Types []string `yaml:"types,omitempty"`
	// Regions are Azure locations to match for databases.
	Regions []string `yaml:"regions,omitempty"`
	// ResourceTags are Azure tags on resources to match. Keep these specific:
	// a wildcard enrolls every matching resource in the listed subscriptions.
	ResourceTags map[string]apiutils.Strings `yaml:"tags,omitempty"`
}
AzureMatcher matches Azure resources (databases and AKS clusters).
type BPF ¶
type BPF struct {
	// Enabled enables or disables enhanced session recording for this node.
	// Stored as a string, like the other `enabled` flags in this package.
	Enabled string `yaml:"enabled"`
	// CommandBufferSize is the size of the perf buffer for command events.
	// NOTE(review): if the buffer overflows, events are presumably dropped
	// rather than blocking the session — confirm before sizing it small.
	CommandBufferSize *int `yaml:"command_buffer_size,omitempty"`
	// DiskBufferSize is the size of the perf buffer for disk events.
	DiskBufferSize *int `yaml:"disk_buffer_size,omitempty"`
	// NetworkBufferSize is the size of the perf buffer for network events.
	NetworkBufferSize *int `yaml:"network_buffer_size,omitempty"`
	// CgroupPath controls where the cgroupv2 hierarchy is mounted.
	CgroupPath string `yaml:"cgroup_path"`
}
BPF is configuration for BPF-based auditing.
type CAKeyParams ¶
type CAKeyParams struct {
	// PKCS11 configures a PKCS#11 HSM to be used for all CA private key generation and
	// storage, so the CA keys never exist in the auth server's data directory.
	PKCS11 *PKCS11 `yaml:"pkcs11,omitempty"`
	// GoogleCloudKMS configures Google Cloud Key Management Service to be used for
	// all CA private key crypto operations.
	// NOTE(review): PKCS11 and GoogleCloudKMS both claim "all" CA key
	// operations and so look mutually exclusive — confirm that validation
	// rejects a config setting both.
	GoogleCloudKMS *GoogleCloudKMS `yaml:"gcp_kms,omitempty"`
}
CAKeyParams configures how CA private keys will be created and stored.
type CachePolicy ¶
type CachePolicy struct {
	// Type is the cache type: `sqlite` or `in-memory`.
	Type string `yaml:"type,omitempty"`
	// EnabledFlag enables or disables the cache; see Enabled.
	EnabledFlag string `yaml:"enabled,omitempty"`
	// TTL sets the maximum TTL for the cached values (parsed by Parse).
	TTL string `yaml:"ttl,omitempty"`
}
CachePolicy is used to control local cache
func (*CachePolicy) Enabled ¶
func (c *CachePolicy) Enabled() bool
Enabled reports whether this cache section's `enabled` flag has been set to 'true'.
func (*CachePolicy) Parse ¶
func (c *CachePolicy) Parse() (*service.CachePolicy, error)
Parse parses cache policy from Teleport config
type ClaimMapping ¶
type ClaimMapping struct {
	// Claim is the OIDC claim name.
	Claim string `yaml:"claim"`
	// Value is the claim value to match.
	// NOTE(review): whether this is an exact match or a pattern is decided
	// outside this file — confirm, since an over-broad match grants Roles
	// to more identities than intended.
	Value string `yaml:"value"`
	// Roles is the list of Teleport roles granted when the claim matches.
	Roles []string `yaml:"roles,omitempty"`
}
ClaimMapping is OIDC claim mapping that maps claim name to teleport roles
type ClusterName ¶
// ClusterName is the `cluster_name` value of the auth_service section; see
// ClusterName.Parse for conversion to the types.ClusterName resource.
type ClusterName string
func (ClusterName) Parse ¶
func (c ClusterName) Parse() (types.ClusterName, error)
type CommandLabel ¶
type CommandLabel struct {
	// Name is the label name the command's output is stored under.
	Name string `yaml:"name"`
	// Command is the argv of the command to run (YAML flow list).
	// NOTE(review): presumably executed with the privileges of the Teleport
	// process, so the command and its path should not be writable by
	// unprivileged users — confirm.
	Command []string `yaml:"command,flow"`
	// Period is how often the command is re-run to refresh the label.
	Period time.Duration `yaml:"period"`
}
CommandLabel is `command` section of `ssh_service` in the config file
type CommandLineFlags ¶
type CommandLineFlags struct {
	// --name flag
	NodeName string
	// --auth-server flag
	AuthServerAddr []string
	// --token flag
	// NOTE(review): a token given on the command line is visible to other
	// local users through the process list; prefer the config file or
	// TELEPORT_CONFIG for anything beyond throwaway setups.
	AuthToken string
	// CAPins are the SPKI hashes of the CAs used to verify the Auth Server.
	CAPins []string
	// --listen-ip flag
	ListenIP net.IP
	// --advertise-ip flag
	AdvertiseIP string
	// --config flag
	ConfigFile string
	// Bootstrap flag contains a YAML file that defines a set of resources to bootstrap
	// a cluster.
	BootstrapFile string
	// ConfigString is a base64 encoded configuration string
	// set by --config-string or TELEPORT_CONFIG environment variable.
	ConfigString string
	// --roles flag
	Roles string
	// -d flag
	Debug bool
	// --insecure-no-tls flag. Disables TLS entirely; never for production.
	DisableTLS bool
	// --labels flag
	Labels string
	// --pid-file flag
	PIDFile string
	// DiagnosticAddr is the listen address for the diagnostic endpoint.
	DiagnosticAddr string
	// PermitUserEnvironment enables reading of ~/.tsh/environment
	// when creating a new session.
	PermitUserEnvironment bool
	// Insecure mode is controlled by --insecure flag and in this mode
	// Teleport won't check certificates when connecting to trusted clusters.
	// It's useful for learning Teleport (following quick starts, etc.) and
	// nothing else: without certificate checks a trusted cluster can be
	// impersonated.
	InsecureMode bool
	// FIPS mode means Teleport starts in a FedRAMP/FIPS 140-2 compliant
	// configuration.
	FIPS bool
	// SkipVersionCheck allows Teleport to connect to auth servers that
	// have an earlier major version number.
	SkipVersionCheck bool
	// AppName is the name of the application to proxy.
	AppName string
	// AppURI is the internal address of the application to proxy.
	AppURI string
	// AppPublicAddr is the public address of the application to proxy.
	AppPublicAddr string
	// DatabaseName is the name of the database to proxy.
	DatabaseName string
	// DatabaseDescription is a free-form database description.
	DatabaseDescription string
	// DatabaseProtocol is the type of the proxied database e.g. postgres or mysql.
	DatabaseProtocol string
	// DatabaseURI is the address to connect to the proxied database.
	DatabaseURI string
	// DatabaseCACertFile is the database CA cert path.
	DatabaseCACertFile string
	// DatabaseAWSRegion is an optional database cloud region e.g. when using AWS RDS.
	DatabaseAWSRegion string
	// DatabaseAWSAccountID is an optional AWS account ID e.g. when using Keyspaces.
	DatabaseAWSAccountID string
	// DatabaseAWSRedshiftClusterID is the Redshift cluster identifier.
	DatabaseAWSRedshiftClusterID string
	// DatabaseAWSRDSInstanceID is the RDS instance identifier.
	DatabaseAWSRDSInstanceID string
	// DatabaseAWSRDSClusterID is the RDS cluster (Aurora) cluster identifier.
	DatabaseAWSRDSClusterID string
	// DatabaseGCPProjectID is the GCP Cloud SQL project identifier.
	DatabaseGCPProjectID string
	// DatabaseGCPInstanceID is the GCP Cloud SQL instance identifier.
	DatabaseGCPInstanceID string
	// DatabaseADKeytabFile is the path to the Kerberos keytab file.
	DatabaseADKeytabFile string
	// DatabaseADKrb5File is the path to the krb5.conf file.
	DatabaseADKrb5File string
	// DatabaseADDomain is the Active Directory domain for authentication.
	DatabaseADDomain string
	// DatabaseADSPN is the database Service Principal Name.
	DatabaseADSPN string
	// DatabaseMySQLServerVersion is the MySQL server version reported to a client
	// if the value cannot be obtained from the database.
	DatabaseMySQLServerVersion string
}
CommandLineFlags stores command line flag values. It is a much simplified subset of the Teleport configuration, which is fully expressed via the YAML config file.
type ConnectionLimits ¶
type ConnectionLimits struct {
	// MaxConnections caps the number of simultaneous connections the limiter
	// allows.
	MaxConnections int64 `yaml:"max_connections"`
	// MaxUsers caps the number of simultaneous users the limiter allows.
	MaxUsers int `yaml:"max_users"`
	// Rates configures per-period rate limits; see ConnectionRate.
	Rates []ConnectionRate `yaml:"rates,omitempty"`
}
ConnectionLimits sets up connection limiter
type ConnectionRate ¶
type ConnectionRate struct {
	// Period is the window the Average applies to.
	Period time.Duration `yaml:"period"`
	// Average is the sustained number of connections allowed per Period.
	Average int64 `yaml:"average"`
	// Burst is the number of connections allowed above Average in a short
	// spike. NOTE(review): exact limiter semantics live outside this file —
	// confirm before tuning.
	Burst int64 `yaml:"burst"`
}
ConnectionRate configures rate limiter
type Database ¶
type Database struct {
	// Name is the name for the database proxy service.
	Name string `yaml:"name"`
	// Description is an optional free-form database description.
	Description string `yaml:"description,omitempty"`
	// Protocol is the database type e.g. postgres, mysql, etc.
	Protocol string `yaml:"protocol"`
	// URI is the database address to connect to.
	URI string `yaml:"uri"`
	// CACertFile is an optional path to the database CA certificate.
	//
	// Deprecated: use TLS.CACertFile instead.
	CACertFile string `yaml:"ca_cert_file,omitempty"`
	// TLS keeps optional TLS configuration options, including the
	// verification mode (see DatabaseTLS.Mode).
	TLS DatabaseTLS `yaml:"tls"`
	// MySQL are additional MySQL-specific options.
	MySQL DatabaseMySQL `yaml:"mysql"`
	// StaticLabels is a map of database static labels.
	StaticLabels map[string]string `yaml:"static_labels,omitempty"`
	// DynamicLabels is a list of database dynamic labels.
	DynamicLabels []CommandLabel `yaml:"dynamic_labels,omitempty"`
	// AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
	AWS DatabaseAWS `yaml:"aws"`
	// GCP contains GCP specific settings for Cloud SQL databases.
	GCP DatabaseGCP `yaml:"gcp"`
	// AD contains Active Directory database configuration.
	AD DatabaseAD `yaml:"ad"`
	// Azure contains Azure database configuration.
	Azure DatabaseAzure `yaml:"azure"`
}
Database represents a single database proxied by the service.
type DatabaseAD ¶
type DatabaseAD struct {
	// KeytabFile is the path to the Kerberos keytab file. The keytab holds
	// the service's long-term Kerberos key, so it should be readable only by
	// the Teleport process — treat it like a private key.
	KeytabFile string `yaml:"keytab_file"`
	// Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
	Krb5File string `yaml:"krb5_file,omitempty"`
	// Domain is the Active Directory domain the database resides in.
	Domain string `yaml:"domain"`
	// SPN is the service principal name for the database.
	SPN string `yaml:"spn"`
}
DatabaseAD contains database Active Directory configuration.
type DatabaseAWS ¶
type DatabaseAWS struct {
	// Region is the cloud region of the RDS/Aurora database endpoint.
	Region string `yaml:"region,omitempty"`
	// Redshift contains Redshift specific settings.
	Redshift DatabaseAWSRedshift `yaml:"redshift"`
	// RDS contains RDS specific settings.
	RDS DatabaseAWSRDS `yaml:"rds"`
	// ElastiCache contains ElastiCache specific settings.
	ElastiCache DatabaseAWSElastiCache `yaml:"elasticache"`
	// SecretStore contains settings for managing secrets.
	SecretStore SecretStore `yaml:"secret_store"`
	// MemoryDB contains MemoryDB specific settings.
	MemoryDB DatabaseAWSMemoryDB `yaml:"memorydb"`
	// AccountID is the AWS account ID.
	AccountID string `yaml:"account_id,omitempty"`
}
DatabaseAWS contains AWS specific settings for RDS/Aurora, Redshift, ElastiCache and MemoryDB databases.
type DatabaseAWSElastiCache ¶
type DatabaseAWSElastiCache struct {
	// ReplicationGroupID is the ElastiCache replication group ID.
	ReplicationGroupID string `yaml:"replication_group_id,omitempty"`
}
DatabaseAWSElastiCache contains settings for ElastiCache databases.
type DatabaseAWSMemoryDB ¶
type DatabaseAWSMemoryDB struct {
	// ClusterName is the MemoryDB cluster name.
	ClusterName string `yaml:"cluster_name,omitempty"`
}
DatabaseAWSMemoryDB contains settings for MemoryDB databases.
type DatabaseAWSRDS ¶
type DatabaseAWSRDS struct {
	// InstanceID is the RDS instance identifier.
	InstanceID string `yaml:"instance_id,omitempty"`
	// ClusterID is the RDS cluster (Aurora) identifier.
	ClusterID string `yaml:"cluster_id,omitempty"`
}
DatabaseAWSRDS contains settings for RDS databases.
type DatabaseAWSRedshift ¶
type DatabaseAWSRedshift struct {
	// ClusterID is the Redshift cluster identifier.
	ClusterID string `yaml:"cluster_id,omitempty"`
}
DatabaseAWSRedshift contains AWS Redshift specific settings.
type DatabaseAzure ¶
type DatabaseAzure struct {
	// ResourceID is the Azure fully qualified ID for the resource.
	ResourceID string `yaml:"resource_id,omitempty"`
}
DatabaseAzure contains Azure database configuration.
type DatabaseGCP ¶
type DatabaseGCP struct {
	// ProjectID is the GCP project ID where the database is deployed.
	ProjectID string `yaml:"project_id,omitempty"`
	// InstanceID is the Cloud SQL database instance ID.
	InstanceID string `yaml:"instance_id,omitempty"`
}
DatabaseGCP contains GCP specific settings for Cloud SQL databases.
type DatabaseMySQL ¶
type DatabaseMySQL struct {
	// ServerVersion is the MySQL version reported by the DB proxy instead of
	// the default Teleport string.
	ServerVersion string `yaml:"server_version,omitempty"`
}
DatabaseMySQL holds additional MySQL-specific database options.
type DatabaseSampleFlags ¶
type DatabaseSampleFlags struct {
	// StaticDatabaseName is the static database name provided by the user.
	StaticDatabaseName string
	// StaticDatabaseProtocol is the static database protocol provided by the user.
	StaticDatabaseProtocol string
	// StaticDatabaseURI is the static database URI provided by the user.
	StaticDatabaseURI string
	// StaticDatabaseStaticLabels is the list of database static labels provided by
	// the user.
	StaticDatabaseStaticLabels map[string]string
	// StaticDatabaseDynamicLabels is the list of database dynamic labels provided by
	// the user.
	StaticDatabaseDynamicLabels services.CommandLabels
	// StaticDatabaseRawLabels is the "raw" list of database labels provided by the
	// user.
	StaticDatabaseRawLabels string
	// NodeName is the `nodename` configuration.
	NodeName string
	// DataDir is the `data_dir` configuration.
	DataDir string
	// ProxyServer is the address of the proxy servers.
	ProxyServer string
	// AuthToken is the auth server join token. It ends up in the generated
	// config file in plaintext, so that file needs the same protection as
	// the token itself.
	AuthToken string
	// CAPins are the SPKI hashes of the CAs used to verify the Auth Server.
	CAPins []string
	// AzureMySQLDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover MySQL servers in.
	AzureMySQLDiscoveryRegions []string
	// AzurePostgresDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover Postgres servers in.
	AzurePostgresDiscoveryRegions []string
	// AzureRedisDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover Azure Cache for Redis servers in.
	AzureRedisDiscoveryRegions []string
	// RDSDiscoveryRegions is a list of regions the RDS auto-discovery is
	// configured for.
	RDSDiscoveryRegions []string
	// RDSProxyDiscoveryRegions is a list of regions the RDS Proxy
	// auto-discovery is configured for.
	RDSProxyDiscoveryRegions []string
	// RedshiftDiscoveryRegions is a list of regions the Redshift
	// auto-discovery is configured for.
	RedshiftDiscoveryRegions []string
	// ElastiCacheDiscoveryRegions is a list of regions the ElastiCache
	// auto-discovery is configured for.
	ElastiCacheDiscoveryRegions []string
	// MemoryDBDiscoveryRegions is a list of regions the MemoryDB
	// auto-discovery is configured for.
	MemoryDBDiscoveryRegions []string
	// DatabaseProtocols is a list of database protocols supported.
	DatabaseProtocols []string
	// DatabaseAWSRegion is an optional database cloud region e.g. when using AWS RDS.
	DatabaseAWSRegion string
	// DatabaseAWSRedshiftClusterID is the Redshift cluster identifier.
	DatabaseAWSRedshiftClusterID string
	// DatabaseADDomain is the Active Directory domain for authentication.
	DatabaseADDomain string
	// DatabaseADSPN is the database Service Principal Name.
	DatabaseADSPN string
	// DatabaseADKeytabFile is the path to the Kerberos keytab file.
	DatabaseADKeytabFile string
	// DatabaseGCPProjectID is the GCP Cloud SQL project identifier.
	DatabaseGCPProjectID string
	// DatabaseGCPInstanceID is the GCP Cloud SQL instance identifier.
	DatabaseGCPInstanceID string
	// DatabaseCACertFile is the database CA cert path.
	DatabaseCACertFile string
	// DatabaseAzureSubscriptions is a list of Azure subscriptions.
	DatabaseAzureSubscriptions []string
	// DatabaseAzureResourceGroups is a list of Azure resource groups.
	DatabaseAzureResourceGroups []string
}
DatabaseSampleFlags specifies configuration parameters for a database agent.
func (*DatabaseSampleFlags) CheckAndSetDefaults ¶
func (f *DatabaseSampleFlags) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values for the flags.
type DatabaseTLS ¶
type DatabaseTLS struct {
	// Mode is the TLS verification mode. Available options are 'verify-full',
	// 'verify-ca' or 'insecure'; 'verify-full' is the default.
	// 'insecure' disables certificate verification entirely, so the database
	// is no longer authenticated. NOTE(review): 'verify-ca' presumably checks
	// the chain but not the hostname, following the usual libpq meaning —
	// confirm.
	Mode string `yaml:"mode"`
	// ServerName allows providing a custom server name.
	// This name will override the DNS name when validating the certificate
	// presented by the database. Only set it when the URI host legitimately
	// differs from the certificate's name; otherwise leave it unset so the
	// hostname check keeps its meaning.
	ServerName string `yaml:"server_name,omitempty"`
	// CACertFile is an optional path to the database CA certificate.
	CACertFile string `yaml:"ca_cert_file,omitempty"`
}
DatabaseTLS keeps the TLS settings used when connecting to the database, including the verification mode.
type Databases ¶
type Databases struct {
	// Service contains common service fields.
	Service `yaml:",inline"`
	// Databases is the list of databases proxied by the service.
	Databases []*Database `yaml:"databases"`
	// ResourceMatchers match cluster database resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
	// AWSMatchers match AWS hosted databases.
	AWSMatchers []AWSMatcher `yaml:"aws,omitempty"`
	// AzureMatchers match Azure hosted databases.
	AzureMatchers []AzureMatcher `yaml:"azure,omitempty"`
}
Databases represents the database proxy service configuration.
In the configuration file this section will be "db_service".
type Discovery ¶
type Discovery struct {
	Service `yaml:",inline"`
	// AWSMatchers are used to match EC2 instances.
	AWSMatchers []AWSMatcher `yaml:"aws,omitempty"`
	// AzureMatchers are used to match Azure resources.
	AzureMatchers []AzureMatcher `yaml:"azure,omitempty"`
	// GCPMatchers are used to match GCP resources.
	GCPMatchers []GCPMatcher `yaml:"gcp,omitempty"`
}
Discovery represents a discovery_service section in the config file.
type FileConfig ¶
type FileConfig struct {
	// Version is the config file schema version (see the v1/v2 vs v3
	// fields on Global).
	Version string `yaml:"version,omitempty"`
	// Global is the top-level "teleport" section.
	Global `yaml:"teleport,omitempty"`
	// Auth is the "auth_service" section.
	Auth Auth `yaml:"auth_service,omitempty"`
	// SSH is the "ssh_service" section.
	SSH SSH `yaml:"ssh_service,omitempty"`
	// Proxy is the "proxy_service" section.
	Proxy Proxy `yaml:"proxy_service,omitempty"`
	// Kube is the "kubernetes_service" section.
	Kube Kube `yaml:"kubernetes_service,omitempty"`
	// Apps is the "app_service" section in Teleport file configuration which
	// defines application access configuration.
	Apps Apps `yaml:"app_service,omitempty"`
	// Databases is the "db_service" section in Teleport configuration file
	// that defines database access configuration.
	Databases Databases `yaml:"db_service,omitempty"`
	// Metrics is the "metrics_service" section in Teleport configuration file
	// that defines the metrics service configuration.
	Metrics Metrics `yaml:"metrics_service,omitempty"`
	// WindowsDesktop is the "windows_desktop_service" that defines the
	// configuration for Windows Desktop Access.
	WindowsDesktop WindowsDesktopService `yaml:"windows_desktop_service,omitempty"`
	// Tracing is the "tracing_service" section in Teleport configuration file.
	Tracing TracingService `yaml:"tracing_service,omitempty"`
	// Discovery is the "discovery_service" section in the Teleport
	// configuration file.
	Discovery Discovery `yaml:"discovery_service,omitempty"`
}
FileConfig is the structure that represents the Teleport configuration stored in a config file in YAML format (usually /etc/teleport.yaml). Note that it can contain secrets (for example auth_service.tokens), so the file should be readable only by the Teleport process.
Use config.ReadFromFile() to read the parsed FileConfig from a YAML file.
func MakeSampleFileConfig ¶
func MakeSampleFileConfig(flags SampleFlags) (fc *FileConfig, err error)
MakeSampleFileConfig returns a sample config to start a standalone server
func ReadConfig ¶
func ReadConfig(reader io.Reader) (*FileConfig, error)
ReadConfig reads Teleport configuration from reader in YAML format
func ReadConfigFile ¶
func ReadConfigFile(cliConfigPath string) (*FileConfig, error)
ReadConfigFile reads /etc/teleport.yaml (or the path passed via the --config flag) and returns the parsed FileConfig.
func ReadFromFile ¶
func ReadFromFile(filePath string) (*FileConfig, error)
ReadFromFile reads Teleport configuration from a file. Currently only YAML format is supported
func ReadFromString ¶
func ReadFromString(configString string) (*FileConfig, error)
ReadFromString parses a YAML configuration supplied as a base64-encoded string (as set by --config-string or the TELEPORT_CONFIG environment variable).
func (*FileConfig) CheckAndSetDefaults ¶
func (conf *FileConfig) CheckAndSetDefaults() error
CheckAndSetDefaults sets defaults and ensures that the ciphers, kex algorithms, and mac algorithms set are supported by golang.org/x/crypto/ssh. This ensures we don't start Teleport with invalid configuration.
func (*FileConfig) DebugDumpToYAML ¶
func (conf *FileConfig) DebugDumpToYAML() string
DebugDumpToYAML allows for quick YAML dumping of the config. The dump contains every configured value, including any static join tokens (auth_service.tokens), so treat its output as sensitive and do not log it routinely.
type GCPMatcher ¶
// GCPMatcher matches GCP resources for discovery.
type GCPMatcher struct {
	// Types are GKE resource types to match: "gke".
	Types []string `yaml:"types,omitempty"`
	// Locations are GKE locations to search resources for.
	Locations []string `yaml:"locations,omitempty"`
	// Tags are GCP labels to match.
	Tags map[string]apiutils.Strings `yaml:"tags,omitempty"`
	// ProjectIDs are the GCP project IDs where the resources are deployed.
	ProjectIDs []string `yaml:"project_ids,omitempty"`
}
GCPMatcher matches GCP resources.
type Global ¶
// Global is the 'teleport' (global) section of the config file.
type Global struct {
	// NodeName is the name this process advertises to the cluster.
	NodeName string `yaml:"nodename,omitempty"`
	// DataDir is the directory where Teleport keeps its state.
	DataDir string `yaml:"data_dir,omitempty"`
	// PIDFile is the path of the process ID file.
	PIDFile string `yaml:"pid_file,omitempty"`
	// JoinParams sets the token and method used to join the cluster. This is
	// the preferred replacement for AuthToken.
	JoinParams JoinParams `yaml:"join_params,omitempty"`

	// v1, v2
	// AuthServers lists the auth server addresses (config versions v1 and v2).
	AuthServers []string `yaml:"auth_servers,omitempty"`
	// AuthToken is the old way of configuring the token to be used by the
	// node to join the Teleport cluster. `JoinParams.TokenName` should be
	// used instead with `JoinParams.JoinMethod = types.JoinMethodToken`.
	// The token is a join credential; a config file holding it should be
	// readable only by the Teleport process.
	AuthToken string `yaml:"auth_token,omitempty"`

	// v3
	// AuthServer is the single auth server address (config version v3).
	AuthServer string `yaml:"auth_server,omitempty"`
	// ProxyServer is the proxy address to join through (config version v3).
	ProxyServer string `yaml:"proxy_server,omitempty"`

	// Limits configures connection rate and count limits.
	Limits ConnectionLimits `yaml:"connection_limits,omitempty"`
	// Logger configures logging output, severity and format.
	Logger Log `yaml:"log,omitempty"`
	// Storage configures the backend used for persistent state.
	Storage backend.Config `yaml:"storage,omitempty"`
	// AdvertiseIP is the IP address advertised to other cluster members.
	AdvertiseIP string `yaml:"advertise_ip,omitempty"`
	// CachePolicy configures the local cache.
	CachePolicy CachePolicy `yaml:"cache,omitempty"`
	// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
	// omitted, a Teleport selected list of defaults will be used.
	CipherSuites []string `yaml:"ciphersuites,omitempty"`
	// Ciphers is a list of SSH ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string `yaml:"ciphers,omitempty"`
	// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used.
	KEXAlgorithms []string `yaml:"kex_algos,omitempty"`
	// MACAlgorithms is a list of SSH message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used.
	// Ciphers, KEXAlgorithms and MACAlgorithms are checked against what
	// golang.org/x/crypto/ssh supports by FileConfig.CheckAndSetDefaults;
	// overriding them changes the algorithm set offered in SSH negotiation.
	MACAlgorithms []string `yaml:"mac_algos,omitempty"`
	// CASignatureAlgorithm is ignored but kept for config backwards compat.
	CASignatureAlgorithm *string `yaml:"ca_signature_algo,omitempty"`
	// CAPin is the SPKI hash of the CA used to verify the Auth Server. Can be
	// a single value or a list. Pinning lets a joining node reject an Auth
	// Server whose CA does not match a value obtained out of band.
	CAPin apiutils.Strings `yaml:"ca_pin"`
	// DiagAddr is the address to expose a diagnostics HTTP endpoint. Prefer a
	// loopback or management-only address rather than a public interface.
	DiagAddr string `yaml:"diag_addr"`
}
Global is 'teleport' (global) section of the config file
type GoogleCloudKMS ¶
// GoogleCloudKMS configures Google Cloud Key Management Service to be used
// for all CA private key crypto operations, so CA private keys never need to
// exist on the auth server's disk.
type GoogleCloudKMS struct {
	// KeyRing is the GCP key ring where all keys generated by this auth server
	// should be held. This must be the fully qualified resource name of the key
	// ring, including the project and location, e.g.
	// projects/teleport-project/locations/us-west1/keyRings/teleport-keyring
	KeyRing string `yaml:"keyring"`
	// ProtectionLevel specifies how cryptographic operations are performed.
	// For more information, see https://cloud.google.com/kms/docs/algorithms#protection_levels
	// Supported options are "HSM" and "SOFTWARE"; "HSM" requests
	// hardware-backed keys.
	ProtectionLevel string `yaml:"protection_level"`
}
GoogleCloudKMS configures Google Cloud Key Management Service to be used for all CA private key crypto operations.
type InstallParams ¶
// InstallParams sets the join method to use on discovered nodes.
type InstallParams struct {
	// JoinParams sets the token and method to use when generating
	// config on EC2 instances.
	JoinParams JoinParams `yaml:"join_params,omitempty"`
	// ScriptName is the name of the teleport installer script
	// resource for the EC2 instance to execute.
	ScriptName string `yaml:"script_name,omitempty"`
}
InstallParams sets the join method to use on discovered nodes
type JoinParams ¶
// JoinParams configures the parameters for Simplified Node Joining.
type JoinParams struct {
	// TokenName is the join token to present to the cluster. With the token
	// join method this value is a credential and should be protected like
	// one (see Global.AuthToken).
	TokenName string `yaml:"token_name"`
	// Method is the join method to use, e.g. types.JoinMethodToken.
	Method types.JoinMethod `yaml:"method"`
}
JoinParams configures the parameters for Simplified Node Joining.
type KeyPair ¶
// KeyPair represents a path on disk to a private key and certificate.
type KeyPair struct {
	// PrivateKey is the path on disk to a PEM encoded private key.
	PrivateKey string `yaml:"key_file"`
	// Certificate is the path on disk to a PEM encoded x509 certificate.
	Certificate string `yaml:"cert_file"`
}
KeyPair represents a path on disk to a private key and certificate.
type Kube ¶
// Kube is the `kubernetes_service` section of the config file.
type Kube struct {
	// Service is a generic service configuration section.
	Service `yaml:",inline"`
	// PublicAddr is a publicly advertised address of the kubernetes service.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// KubeconfigFile is an optional path to kubeconfig file,
	// if specified, teleport will use API server address and
	// trusted certificate authority information from it.
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
	// KubeClusterName is the name of a kubernetes cluster this service is
	// running in. If set, this proxy will handle kubernetes requests for the
	// cluster.
	KubeClusterName string `yaml:"kube_cluster_name,omitempty"`
	// StaticLabels are the static labels for RBAC on kubernetes clusters.
	StaticLabels map[string]string `yaml:"labels,omitempty"`
	// DynamicLabels are the dynamic labels for RBAC on kubernetes clusters.
	DynamicLabels []CommandLabel `yaml:"commands,omitempty"`
	// ResourceMatchers match cluster kube_cluster resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
}
Kube is a `kubernetes_service`
type KubeProxy ¶
// KubeProxy is the `kubernetes` section in `proxy_service`.
type KubeProxy struct {
	// Service is a generic service configuration section.
	Service `yaml:",inline"`
	// PublicAddr is a publicly advertised address of the kubernetes proxy.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// KubeconfigFile is an optional path to kubeconfig file,
	// if specified, teleport will use API server address and
	// trusted certificate authority information from it.
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
	// ClusterName is the name of a kubernetes cluster this proxy is running
	// in. If set, this proxy will handle kubernetes requests for the cluster.
	ClusterName string `yaml:"cluster_name,omitempty"`
}
KubeProxy is a `kubernetes` section in `proxy_service`.
type LDAPConfig ¶
// LDAPConfig is the LDAP connection parameters used by the Windows desktop
// service.
type LDAPConfig struct {
	// Addr is the host:port of the LDAP server (typically port 389).
	Addr string `yaml:"addr"`
	// Domain is the ActiveDirectory domain name.
	Domain string `yaml:"domain"`
	// Username for LDAP authentication.
	Username string `yaml:"username"`
	// InsecureSkipVerify decides whether we skip verifying the LDAP server's
	// certificate against a CA when making the LDAPS connection. Setting it
	// to true removes server authentication from the connection, so anyone
	// on the network path can impersonate the LDAP server; use it only for
	// testing and prefer supplying a CA via DEREncodedCAFile or
	// PEMEncodedCACert.
	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`
	// ServerName is the name of the LDAP server for TLS (SNI and certificate
	// name verification).
	ServerName string `yaml:"server_name,omitempty"`
	// DEREncodedCAFile is the filepath to an optional DER encoded CA cert to
	// be used for verification (if InsecureSkipVerify is set to false).
	DEREncodedCAFile string `yaml:"der_ca_file,omitempty"`
	// PEMEncodedCACert is an optional PEM encoded CA cert to be used for
	// verification (if InsecureSkipVerify is set to false).
	PEMEncodedCACert string `yaml:"ldap_ca_cert,omitempty"`
}
LDAPConfig is the LDAP connection parameters.
type LegacyLog ¶
// LegacyLog contains the old format of the 'format' field. It is kept for
// backwards compatibility and should always be maintained; the custom yaml
// unmarshaler converts it into the new Log format.
type LegacyLog struct {
	// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
	// a path to a log file.
	Output string `yaml:"output,omitempty"`
	// Severity defines how verbose the log will be. Possible values are "error", "info", "warn".
	Severity string `yaml:"severity,omitempty"`
	// Format lists the output fields from KnownFormatFields. Example format: [timestamp, component, caller]
	Format []string `yaml:"format,omitempty"`
}
LegacyLog contains the old format of the 'format' field. It is kept here for backwards compatibility and should always be maintained. The custom yaml unmarshaler should automatically convert it into the new expected format.
type Log ¶
// Log configures teleport logging. Its custom UnmarshalYAML also accepts the
// LegacyLog shape of the 'format' field.
type Log struct {
	// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
	// a path to a log file.
	Output string `yaml:"output,omitempty"`
	// Severity defines how verbose the log will be. Possible values are "error", "info", "warn".
	Severity string `yaml:"severity,omitempty"`
	// Format defines the logs output format and extra fields.
	Format LogFormat `yaml:"format,omitempty"`
}
Log configures teleport logging
func (*Log) UnmarshalYAML ¶
type LogFormat ¶
// LogFormat specifies the logs output format and extra fields.
type LogFormat struct {
	// Output defines the output format. Possible values are 'text' and 'json'.
	Output string `yaml:"output,omitempty"`
	// ExtraFields lists the output fields from KnownFormatFields. Example format: [timestamp, component, caller]
	ExtraFields []string `yaml:"extra_fields,omitempty"`
}
LogFormat specifies the logs output format and extra fields
type Metrics ¶
// Metrics is the `metrics_service` section of the config file.
type Metrics struct {
	// Service is a generic service configuration section.
	Service `yaml:",inline"`
	// KeyPairs is a list of x509 serving key pairs used for securing the metrics endpoint with mTLS.
	// mTLS will be enabled for the service if both 'keypairs' and 'ca_certs' fields are set
	// (see MTLSEnabled); with either one missing the endpoint is presumably
	// served without client authentication, so restrict its listen address.
	KeyPairs []KeyPair `yaml:"keypairs,omitempty"`
	// CACerts is a list of prometheus CA certificates to validate clients against.
	// mTLS will be enabled for the service if both 'keypairs' and 'ca_certs' fields are set.
	CACerts []string `yaml:"ca_certs,omitempty"`
	// GRPCServerLatency enables histogram metrics for each grpc endpoint on the auth server.
	GRPCServerLatency bool `yaml:"grpc_server_latency,omitempty"`
	// GRPCClientLatency enables histogram metrics for each grpc client call.
	GRPCClientLatency bool `yaml:"grpc_client_latency,omitempty"`
}
Metrics is a `metrics_service` section of the config file:
func (*Metrics) MTLSEnabled ¶
MTLSEnabled returns whether mtls is enabled or not in the metrics service config.
type PAM ¶
// PAM is configuration for Pluggable Authentication Modules (PAM).
type PAM struct {
	// Enabled controls if PAM will be used or not.
	Enabled string `yaml:"enabled"`
	// ServiceName is the name of the PAM policy to apply.
	ServiceName string `yaml:"service_name"`
	// UsePAMAuth specifies whether to trigger the "auth" PAM modules from the
	// policy.
	UsePAMAuth bool `yaml:"use_pam_auth"`
	// Environment represents environment variables to pass to PAM.
	// These may contain role-style interpolation syntax, so the values seen by
	// PAM modules can depend on the connecting user's traits.
	Environment map[string]string `yaml:"environment,omitempty"`
}
PAM is configuration for Pluggable Authentication Modules (PAM).
type PKCS11 ¶
// PKCS11 configures a PKCS#11 HSM to be used for private key generation and
// storage.
type PKCS11 struct {
	// ModulePath is the path to the PKCS#11 library.
	ModulePath string `yaml:"module_path"`
	// TokenLabel is the CKA_LABEL of the HSM token to use. Set this or
	// SlotNumber to select a token.
	TokenLabel string `yaml:"token_label,omitempty"`
	// SlotNumber is the slot number of the HSM token to use. Set this or
	// TokenLabel to select a token.
	SlotNumber *int `yaml:"slot_number,omitempty"`
	// Pin is the raw pin for connecting to the HSM. Set this or PinPath to set
	// the pin. A raw pin lives in the main config file; PinPath keeps it in a
	// separate file that can carry tighter permissions.
	Pin string `yaml:"pin,omitempty"`
	// PinPath is a path to a file containing a pin for connecting to the HSM.
	// Trailing newlines will be removed, other whitespace will be left. Set
	// this or Pin to set the pin.
	PinPath string `yaml:"pin_path,omitempty"`
}
PKCS11 configures a PKCS#11 HSM to be used for private key generation and storage.
type Proxy ¶
// Proxy is the `proxy_service` section of the config file.
type Proxy struct {
	// Service is a generic service configuration section.
	Service `yaml:",inline"`
	// WebAddr is a web UI listen address.
	WebAddr string `yaml:"web_listen_addr,omitempty"`
	// TunAddr is a reverse tunnel address.
	TunAddr string `yaml:"tunnel_listen_addr,omitempty"`
	// PeerAddr is the address this proxy will be dialed at by its peers.
	PeerAddr string `yaml:"peer_listen_addr,omitempty"`
	// PeerPublicAddr is the hostport the proxy advertises for peer proxy
	// client connections.
	PeerPublicAddr string `yaml:"peer_public_addr,omitempty"`
	// KeyFile is a TLS key file.
	KeyFile string `yaml:"https_key_file,omitempty"`
	// CertFile is a TLS Certificate file.
	CertFile string `yaml:"https_cert_file,omitempty"`
	// ProxyProtocol turns on support for HAProxy proxy protocol.
	// This option must be turned on only by an administrator, as only the
	// admin knows whether the service is in front of a trusted load balancer
	// or not: the PROXY header carries a client-supplied source address, so
	// accepting it from an untrusted network lets a peer pick the source
	// address Teleport sees.
	ProxyProtocol string `yaml:"proxy_protocol,omitempty"`
	// Kube configures kubernetes protocol support of the proxy.
	Kube KubeProxy `yaml:"kubernetes,omitempty"`
	// KubeAddr is a shorthand for enabling the Kubernetes endpoint without a
	// local Kubernetes cluster.
	KubeAddr string `yaml:"kube_listen_addr,omitempty"`
	// KubePublicAddr is a public address of the kubernetes endpoint.
	KubePublicAddr apiutils.Strings `yaml:"kube_public_addr,omitempty"`
	// PublicAddr sets the hostport the proxy advertises for the HTTP endpoint.
	// The hosts in PublicAddr are included in the list of host principals
	// on the SSH certificate.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// SSHPublicAddr sets the hostport the proxy advertises for the SSH endpoint.
	// The hosts in SSHPublicAddr are included in the list of host principals
	// on the SSH certificate.
	SSHPublicAddr apiutils.Strings `yaml:"ssh_public_addr,omitempty"`
	// TunnelPublicAddr sets the hostport the proxy advertises for the tunnel
	// endpoint. The hosts in TunnelPublicAddr are included in the list of host
	// principals on the SSH certificate.
	TunnelPublicAddr apiutils.Strings `yaml:"tunnel_public_addr,omitempty"`
	// KeyPairs is a list of x509 key pairs the proxy will load.
	KeyPairs []KeyPair `yaml:"https_keypairs"`
	// ACME configures ACME protocol support.
	ACME ACME `yaml:"acme"`
	// MySQLAddr is MySQL proxy listen address.
	MySQLAddr string `yaml:"mysql_listen_addr,omitempty"`
	// MySQLPublicAddr is the hostport the proxy advertises for MySQL
	// client connections.
	MySQLPublicAddr apiutils.Strings `yaml:"mysql_public_addr,omitempty"`
	// PostgresAddr is Postgres proxy listen address.
	PostgresAddr string `yaml:"postgres_listen_addr,omitempty"`
	// PostgresPublicAddr is the hostport the proxy advertises for Postgres
	// client connections.
	PostgresPublicAddr apiutils.Strings `yaml:"postgres_public_addr,omitempty"`
	// MongoAddr is Mongo proxy listen address.
	MongoAddr string `yaml:"mongo_listen_addr,omitempty"`
	// MongoPublicAddr is the hostport the proxy advertises for Mongo
	// client connections.
	MongoPublicAddr apiutils.Strings `yaml:"mongo_public_addr,omitempty"`
}
Proxy is a `proxy_service` section of the config file:
type ResourceMatcher ¶
// ResourceMatcher matches cluster resources by their labels.
type ResourceMatcher struct {
	// Labels match resource labels; a value may be a single string or a list.
	Labels map[string]apiutils.Strings `yaml:"labels,omitempty"`
}
ResourceMatcher matches cluster resources.
type RestrictedSession ¶
// RestrictedSession is a configuration for limiting access to kernel objects.
// Parse converts it into a restricted.Config.
type RestrictedSession struct {
	// Enabled enables or disables enforcement for this node.
	Enabled string `yaml:"enabled"`
	// EventsBufferSize is the size in bytes of the channel to report events
	// from the kernel to us.
	EventsBufferSize *int `yaml:"events_buffer_size,omitempty"`
}
RestrictedSession is a configuration for limiting access to kernel objects
func (*RestrictedSession) Parse ¶
func (r *RestrictedSession) Parse() (*restricted.Config, error)
Parse will parse the enhanced session recording configuration.
type ReverseTunnel ¶
// ReverseTunnel is an SSH reverse tunnel maintained by one cluster's proxy to
// a remote Teleport proxy. ConvertAndValidate turns it into a
// types.ReverseTunnel.
type ReverseTunnel struct {
	// DomainName is the name of the remote cluster the tunnel belongs to.
	DomainName string `yaml:"domain_name"`
	// Addresses are the remote proxy addresses to dial.
	Addresses []string `yaml:"addresses"`
}
ReverseTunnel is an SSH reverse tunnel maintained by one cluster's proxy to a remote Teleport proxy
func (*ReverseTunnel) ConvertAndValidate ¶
func (t *ReverseTunnel) ConvertAndValidate() (types.ReverseTunnel, error)
ConvertAndValidate returns a validated services.ReverseTunnel, or nil and an error otherwise
type Rewrite ¶
// Rewrite is a list of rewriting rules to apply to requests and responses.
type Rewrite struct {
	// Redirect is a list of hosts that should be rewritten to the public address.
	Redirect []string `yaml:"redirect"`
	// Headers is a list of extra headers to inject in the request.
	Headers []string `yaml:"headers,omitempty"`
}
Rewrite is a list of rewriting rules to apply to requests and responses.
type SSH ¶
// SSH is the 'ssh_service' section of the config file.
type SSH struct {
	// Service is the generic service configuration section (enabled, listen_addr).
	Service `yaml:",inline"`
	// Namespace is the namespace this node is placed in.
	Namespace string `yaml:"namespace,omitempty"`
	// Labels are the static labels applied to this node.
	Labels map[string]string `yaml:"labels,omitempty"`
	// Commands are dynamic labels computed by running the configured commands.
	Commands []CommandLabel `yaml:"commands,omitempty"`
	// PermitUserEnvironment controls whether user-supplied environment
	// settings are honoured for sessions (assumed from the name — confirm
	// where they are read from).
	PermitUserEnvironment bool `yaml:"permit_user_env,omitempty"`
	// PAM configures Pluggable Authentication Modules for sessions.
	PAM *PAM `yaml:"pam,omitempty"`
	// PublicAddr sets SSH host principals for SSH service.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// BPF is used to configure BPF-based auditing for this node.
	BPF *BPF `yaml:"enhanced_recording,omitempty"`
	// RestrictedSession is used to restrict access to kernel objects.
	RestrictedSession *RestrictedSession `yaml:"restricted_session,omitempty"`
	// MaybeAllowTCPForwarding enables or disables TCP port forwarding. We're
	// using a pointer-to-bool here because the system default is to allow TCP
	// forwarding; we need to distinguish between an unset value and a false
	// value so we can override an unset value with `true`.
	//
	// Don't read this value directly: call the AllowTCPForwarding method
	// instead.
	MaybeAllowTCPForwarding *bool `yaml:"port_forwarding,omitempty"`
	// X11 is used to configure X11 forwarding settings.
	X11 *X11 `yaml:"x11,omitempty"`
	// MaybeSSHFileCopy enables or disables remote file operations via SCP/SFTP.
	// We're using a pointer-to-bool here because the system default is to allow
	// SCP/SFTP; we need to distinguish between an unset value and a false
	// value so we can override an unset value with `true`.
	//
	// Don't read this value directly: call the SSHFileCopy method
	// instead.
	MaybeSSHFileCopy *bool `yaml:"ssh_file_copy,omitempty"`
	// DisableCreateHostUser disables automatic user provisioning on this
	// SSH node.
	DisableCreateHostUser bool `yaml:"disable_create_host_user,omitempty"`
}
SSH is 'ssh_service' section of the config file
func (*SSH) AllowTCPForwarding ¶
AllowTCPForwarding checks whether the config file allows TCP forwarding or not.
func (*SSH) SSHFileCopy ¶
SSHFileCopy checks whether the config file allows for file copying via SCP/SFTP.
func (*SSH) X11ServerConfig ¶
func (ssh *SSH) X11ServerConfig() (*x11.ServerConfig, error)
X11ServerConfig returns the X11 forwarding server configuration.
type SampleFlags ¶
// SampleFlags specifies standalone configuration parameters consumed by
// MakeSampleFileConfig.
type SampleFlags struct {
	// ClusterName is an optional cluster name.
	ClusterName string
	// LicensePath adds license path to config.
	LicensePath string
	// ACMEEmail is the acme email.
	ACMEEmail string
	// ACMEEnabled turns on ACME.
	ACMEEnabled bool
	// Version is the Teleport Configuration version.
	Version string
	// PublicAddr sets the hostport the proxy advertises for the HTTP endpoint.
	PublicAddr string
	// KeyFile is a TLS key file.
	KeyFile string
	// CertFile is a TLS Certificate file.
	CertFile string
	// DataDir is a path to a directory where Teleport keeps its data.
	DataDir string
	// AuthToken is a token to register with an auth server. It is written
	// into the generated config, so treat the output file as sensitive.
	AuthToken string
	// Roles is a list of comma-separated roles to create a config file with.
	Roles string
	// AuthServer is the address of the auth server.
	AuthServer string
	// ProxyAddress is the address of the proxy.
	ProxyAddress string
	// AppName is the name of the application to start.
	AppName string
	// AppURI is the internal address of the application to proxy.
	AppURI string
	// NodeLabels is list of labels in the format `foo=bar,baz=bax` to add to newly created nodes.
	NodeLabels string
	// CAPin is the SPKI hash of the CA used to verify the Auth Server. Can be
	// a single value or a list.
	CAPin string
	// JoinMethod is the method that will be used to join the cluster, either "token", "iam" or "ec2".
	JoinMethod string
	// NodeName is the name of the teleport node.
	NodeName string
}
SampleFlags specifies standalone configuration parameters
type SecretStore ¶
// SecretStore contains settings for managing secrets.
type SecretStore struct {
	// KeyPrefix specifies the secret key prefix.
	KeyPrefix string `yaml:"key_prefix,omitempty"`
	// KMSKeyID specifies the KMS key used to encrypt and decrypt the secret.
	KMSKeyID string `yaml:"kms_key_id,omitempty"`
}
SecretStore contains settings for managing secrets.
type Service ¶
// Service is the common configuration of a teleport service; it is inlined
// into each "_service" section. Configured reports whether the section was
// specified at all.
type Service struct {
	// EnabledFlag is the raw "enabled" value as written in the config file.
	EnabledFlag string `yaml:"enabled,omitempty"`
	// ListenAddress is the address the service listens on.
	ListenAddress string `yaml:"listen_addr,omitempty"`
	// contains filtered or unexported fields
}
Service is a common configuration of a teleport service
func (*Service) Configured ¶
Configured determines if a given "_service" section has been specified
type StaticToken ¶
// StaticToken is a static provisioning token in "role,role,role:token" format;
// the token part may also be a path to a file holding newline-delimited
// tokens. See Parse.
type StaticToken string
func (StaticToken) Parse ¶
func (t StaticToken) Parse() ([]types.ProvisionTokenV1, error)
Parse is applied to a string in "role,role,role:token" format. It breaks it apart and constructs a list of services.ProvisionToken which contains the token, role, and expiry (infinite). If the token string is a file path, the file may contain multiple newline delimited tokens, in which case each token is used to construct a services.ProvisionToken with the same roles.
type StaticTokens ¶
// StaticTokens is a list of StaticToken entries; Parse converts them into
// types.StaticTokens.
type StaticTokens []StaticToken
func (StaticTokens) Parse ¶
func (t StaticTokens) Parse() (types.StaticTokens, error)
type SystemdFlags ¶
// SystemdFlags specifies configuration parameters for a systemd unit file
// generated by WriteSystemdUnitFile.
type SystemdFlags struct {
	// EnvironmentFile is the environment file path provided by the user.
	EnvironmentFile string
	// PIDFile is the process ID (PID) file path provided by the user.
	PIDFile string
	// FileDescriptorLimit is the maximum number of open file descriptors provided by the user.
	FileDescriptorLimit int
	// TeleportInstallationFile is the teleport installation path provided by the user.
	TeleportInstallationFile string
}
SystemdFlags specifies configuration parameters for a systemd unit file.
func (*SystemdFlags) CheckAndSetDefaults ¶
func (f *SystemdFlags) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values for the flags.
type TracingService ¶
// TracingService contains configuration for the tracing_service.
type TracingService struct {
	// EnabledFlag turns the tracing service role on or off for this process.
	EnabledFlag string `yaml:"enabled,omitempty"`
	// ExporterURL is the OTLP exporter URL to send spans to.
	ExporterURL string `yaml:"exporter_url"`
	// KeyPairs is a list of x509 serving key pairs used for mTLS.
	KeyPairs []KeyPair `yaml:"keypairs,omitempty"`
	// CACerts are the exporter ca certs to use.
	CACerts []string `yaml:"ca_certs,omitempty"`
	// SamplingRatePerMillion is the sampling rate for the exporter.
	// 1_000_000 means all spans will be sampled and 0 means none are sampled.
	SamplingRatePerMillion int `yaml:"sampling_rate_per_million"`
}
TracingService contains configuration for the tracing_service.
func (*TracingService) Enabled ¶
func (s *TracingService) Enabled() bool
type TrustedCluster ¶
// TrustedCluster holds configuration values under the "trusted_clusters" key.
type TrustedCluster struct {
	// KeyFile is a path to a remote authority (AKA "trusted cluster") public keys.
	KeyFile string `yaml:"key_file,omitempty"`
	// AllowedLogins is a comma-separated list of user logins allowed from that cluster.
	AllowedLogins string `yaml:"allow_logins,omitempty"`
	// TunnelAddr is a comma-separated list of reverse tunnel addresses to
	// connect to.
	TunnelAddr string `yaml:"tunnel_addr,omitempty"`
}
TrustedCluster struct holds configuration values under "trusted_clusters" key
type UniversalSecondFactor ¶
type Webauthn ¶
// Webauthn configures WebAuthn second-factor settings.
type Webauthn struct {
	// RPID is the WebAuthn relying party ID.
	RPID string `yaml:"rp_id,omitempty"`
	// AttestationAllowedCAs lists attestation CAs that are allowed.
	AttestationAllowedCAs []string `yaml:"attestation_allowed_cas,omitempty"`
	// AttestationDeniedCAs lists attestation CAs that are denied.
	AttestationDeniedCAs []string `yaml:"attestation_denied_cas,omitempty"`
	// Deprecated: Disabled has no effect, it is kept solely to not break existing
	// configurations.
	Disabled bool `yaml:"disabled,omitempty"`
}
type WindowsDesktopService ¶
// WindowsDesktopService contains configuration for windows_desktop_service.
type WindowsDesktopService struct {
	// Service is a generic service configuration section.
	Service `yaml:",inline"`
	// Labels are the configured windows desktop service labels.
	Labels map[string]string `yaml:"labels,omitempty"`
	// PublicAddr is a list of advertised public addresses of this service.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// LDAP is the LDAP connection parameters (see LDAPConfig for the TLS
	// verification options).
	LDAP LDAPConfig `yaml:"ldap"`
	// Discovery configures desktop discovery via LDAP.
	Discovery service.LDAPDiscoveryConfig `yaml:"discovery,omitempty"`
	// Hosts is a list of static Windows hosts connected to this service in
	// gateway mode.
	Hosts []string `yaml:"hosts,omitempty"`
	// HostLabels optionally applies labels to Windows hosts for RBAC.
	// A host can match multiple rules and will get a union of all
	// the matched labels.
	HostLabels []WindowsHostLabelRule `yaml:"host_labels,omitempty"`
}
WindowsDesktopService contains configuration for windows_desktop_service.
type WindowsHostLabelRule ¶
// WindowsHostLabelRule describes how a set of labels should be applied to a
// Windows host.
type WindowsHostLabelRule struct {
	// Match is a regexp that is checked against the Windows host's DNS name.
	// If the regexp matches, this rule's labels will be applied to the host.
	// Since labels drive RBAC, anchor the pattern so it cannot match more
	// hosts than intended.
	Match string `yaml:"match"`
	// Labels is the set of labels to apply to hosts that match this rule.
	Labels map[string]string `yaml:"labels"`
}
WindowsHostLabelRule describes how a set of labels should be applied to a Windows host.
type X11 ¶
// X11 is a configuration for X11 forwarding.
type X11 struct {
	// Enabled controls whether X11 forwarding requests can be granted by the server.
	Enabled string `yaml:"enabled"`
	// DisplayOffset tells the server what X11 display number to start from when
	// searching for an open X11 unix socket for XServer proxies.
	DisplayOffset *uint `yaml:"display_offset,omitempty"`
	// MaxDisplay tells the server what X11 display number to stop at when
	// searching for an open X11 unix socket for XServer proxies.
	MaxDisplay *uint `yaml:"max_display,omitempty"`
}
X11 is a configuration for X11 forwarding