service

Published: Dec 13, 2022 License: Apache-2.0 Imports: 120 Imported by: 0


Overview

Package service implements teleport running service, takes care of initialization, cleanup and shutdown procedures


Constants

// Supervisor event names. Identity events signal that a role's identity has
// been registered with the Auth Server; Ready events signal that a service
// is initialized and accepting connections; the remaining events describe
// process lifecycle (exit, reload, CA rotation phase, degraded/ok state).
const (
	// AuthIdentityEvent is generated when the Auth Servers identity has been
	// initialized in the backend.
	AuthIdentityEvent = "AuthIdentity"

	// InstanceIdentityEvent is generated by the supervisor when the instance-level
	// identity has been registered with the Auth server.
	InstanceIdentityEvent = "InstanceIdentity"

	// ProxyIdentityEvent is generated by the supervisor when the proxy's
	// identity has been registered with the Auth Server.
	ProxyIdentityEvent = "ProxyIdentity"

	// SSHIdentityEvent is generated when node's identity has been registered
	// with the Auth Server.
	SSHIdentityEvent = "SSHIdentity"

	// KubeIdentityEvent is generated by the supervisor when the kubernetes
	// service's identity has been registered with the Auth Server.
	KubeIdentityEvent = "KubeIdentity"

	// AppsIdentityEvent is generated when the identity of the application proxy
	// service has been registered with the Auth Server.
	AppsIdentityEvent = "AppsIdentity"

	// DatabasesIdentityEvent is generated when the identity of the database
	// proxy service has been registered with the auth server.
	DatabasesIdentityEvent = "DatabasesIdentity"

	// WindowsDesktopIdentityEvent is generated by the supervisor when the
	// windows desktop service's identity has been registered with the Auth
	// Server.
	WindowsDesktopIdentityEvent = "WindowsDesktopIdentity"

	// DiscoveryIdentityEvent is generated when the identity of the discovery
	// service has been registered with the Auth Server. Unlike the other
	// identity events above, its value carries an "Event" suffix; the value
	// is part of the wire/event contract and must not be "tidied".
	DiscoveryIdentityEvent = "DiscoveryIdentityEvent"

	// AuthTLSReady is generated when the Auth Server has initialized the
	// TLS Mutual Auth endpoint and is ready to start accepting connections.
	AuthTLSReady = "AuthTLSReady"

	// ProxyWebServerReady is generated when the proxy has initialized the web
	// server and is ready to start accepting connections.
	ProxyWebServerReady = "ProxyWebServerReady"

	// ProxyReverseTunnelReady is generated when the proxy has initialized the
	// reverse tunnel server and is ready to start accepting connections.
	ProxyReverseTunnelReady = "ProxyReverseTunnelReady"

	// DebugAppReady is generated when the debugging application has been started
	// and is ready to serve requests.
	DebugAppReady = "DebugAppReady"

	// ProxyAgentPoolReady is generated when the proxy has initialized the
	// remote cluster watcher (to spawn reverse tunnels) and is ready to start
	// accepting connections.
	ProxyAgentPoolReady = "ProxyAgentPoolReady"

	// ProxySSHReady is generated when the proxy has initialized an SSH server
	// and is ready to start accepting connections.
	ProxySSHReady = "ProxySSHReady"

	// NodeSSHReady is generated when the Teleport node has initialized an SSH server
	// and is ready to start accepting SSH connections. Note the value is
	// "NodeReady", not "NodeSSHReady".
	NodeSSHReady = "NodeReady"

	// KubernetesReady is generated when the kubernetes service has been initialized.
	KubernetesReady = "KubernetesReady"

	// AppsReady is generated when the Teleport app proxy service is ready to
	// start accepting connections.
	AppsReady = "AppsReady"

	// DatabasesReady is generated when the Teleport database proxy service
	// is ready to start accepting connections.
	DatabasesReady = "DatabasesReady"

	// MetricsReady is generated when the Teleport metrics service is ready to
	// start accepting connections.
	MetricsReady = "MetricsReady"

	// WindowsDesktopReady is generated when the Teleport windows desktop
	// service is ready to start accepting connections.
	WindowsDesktopReady = "WindowsDesktopReady"

	// TracingReady is generated when the Teleport tracing service is ready to
	// start exporting spans.
	TracingReady = "TracingReady"

	// InstanceReady is generated when the teleport instance control handle has
	// been set up.
	InstanceReady = "InstanceReady"

	// DiscoveryReady is generated when the Teleport discovery service is
	// ready.
	DiscoveryReady = "DiscoveryReady"

	// TeleportExitEvent is generated when the Teleport process begins closing
	// all listening sockets and exiting.
	TeleportExitEvent = "TeleportExit"

	// TeleportReloadEvent is generated to trigger in-process teleport
	// service reload - all servers and clients will be re-created
	// in a graceful way.
	TeleportReloadEvent = "TeleportReload"

	// TeleportPhaseChangeEvent is generated to indicate that teleport
	// CA rotation phase has been updated, used in tests
	TeleportPhaseChangeEvent = "TeleportPhaseChange"

	// TeleportReadyEvent is generated to signal that all teleport
	// internal components have started successfully.
	TeleportReadyEvent = "TeleportReady"

	// ServiceExitedWithErrorEvent is emitted whenever a service
	// has exited with an error, the payload includes the error
	// (see ExitEventPayload).
	ServiceExitedWithErrorEvent = "ServiceExitedWithError"

	// TeleportDegradedEvent is emitted whenever a service is operating in a
	// degraded manner.
	TeleportDegradedEvent = "TeleportDegraded"

	// TeleportOKEvent is emitted whenever a service is operating normally.
	// Note the value is "TeleportOKEvent" (with suffix), unlike TeleportExit
	// and TeleportReload.
	TeleportOKEvent = "TeleportOKEvent"
)

Variables

// Listener types name the sockets a Teleport process opens. Each value is
// derived from the component (and, for the proxy, the sub-component) that
// the listener serves; they are used with FileDescriptor.Type when
// listeners are inherited across in-process updates.
var (
	ListenerAuth       = ListenerType(teleport.ComponentAuth)
	ListenerNodeSSH    = ListenerType(teleport.ComponentNode)
	ListenerProxySSH   = ListenerType(teleport.Component(teleport.ComponentProxy, "ssh"))
	ListenerDiagnostic = ListenerType(teleport.ComponentDiagnostic)
	ListenerProxyKube  = ListenerType(teleport.Component(teleport.ComponentProxy, "kube"))
	ListenerKube       = ListenerType(teleport.ComponentKube)
	// Proxy can use the same listener for tunnels and web interface
	// (multiplexing the requests).
	ListenerProxyTunnelAndWeb = ListenerType(teleport.Component(teleport.ComponentProxy, "tunnel", "web"))
	ListenerProxyWeb          = ListenerType(teleport.Component(teleport.ComponentProxy, "web"))
	ListenerProxyTunnel       = ListenerType(teleport.Component(teleport.ComponentProxy, "tunnel"))
	// Database protocol listeners are distinct from the web listener so each
	// wire protocol gets its own port.
	ListenerProxyMySQL        = ListenerType(teleport.Component(teleport.ComponentProxy, "mysql"))
	ListenerProxyPostgres     = ListenerType(teleport.Component(teleport.ComponentProxy, "postgres"))
	ListenerProxyMongo        = ListenerType(teleport.Component(teleport.ComponentProxy, "mongo"))
	ListenerProxyPeer         = ListenerType(teleport.Component(teleport.ComponentProxy, "peer"))
	ListenerMetrics           = ListenerType(teleport.ComponentMetrics)
	ListenerWindowsDesktop    = ListenerType(teleport.ComponentWindowsDesktop)
)

AllTLSModes keeps all possible database TLS modes for easy access.

var ErrTeleportExited = &trace.CompareFailedError{Message: "teleport process has shutdown"}

ErrTeleportExited means that teleport has exited

var ErrTeleportReloading = &trace.CompareFailedError{Message: "teleport process is reloading"}

ErrTeleportReloading is returned when the signal waiter exits because the teleport process has initiated shutdown

Functions

func ApplyDefaults

func ApplyDefaults(cfg *Config)

ApplyDefaults applies default values to the existing config structure

func ApplyFIPSDefaults

func ApplyFIPSDefaults(cfg *Config)

ApplyFIPSDefaults updates default configuration to be FedRAMP/FIPS 140-2 compliant.

func Run

func Run(ctx context.Context, cfg Config, newTeleport NewProcess) error

Run starts teleport processes, waits for signals and handles internal process reloads.

Types

type ACME

// ACME configures ACME automatic certificate renewal.
type ACME struct {
	// Enabled enables or disables ACME support
	Enabled bool
	// Email receives notifications from ACME server
	Email string
	// URI is ACME server URI
	URI string
}

ACME configures ACME automatic certificate renewal

type App

// App is the specific application that will be proxied by the application
// service. This needs to exist because if the "config" package tries to
// directly create a services.App it will get into circular imports.
type App struct {
	// Name of the application.
	Name string

	// Description is the app description.
	Description string

	// URI is the internal address of the application.
	URI string

	// Public address of the application. This is the address users will access
	// the application at.
	PublicAddr string

	// StaticLabels is a map of static labels to apply to this application.
	StaticLabels map[string]string

	// DynamicLabels is a list of dynamic labels to apply to this application.
	DynamicLabels services.CommandLabels

	// InsecureSkipVerify is used to skip validating the server's certificate.
	// When set, the proxy no longer authenticates the backend at URI, so the
	// connection is exposed to on-path interception; prefer a proper CA.
	InsecureSkipVerify bool

	// Rewrite defines a block that is used to rewrite requests and responses.
	Rewrite *Rewrite

	// AWS contains additional options for AWS applications.
	AWS *AppAWS `yaml:"aws,omitempty"`
}

App is the specific application that will be proxied by the application service. This needs to exist because if the "config" package tries to directly create a services.App it will get into circular imports.

func (*App) CheckAndSetDefaults

func (a *App) CheckAndSetDefaults() error

CheckAndSetDefaults validates an application.

type AppAWS

// AppAWS contains additional options for AWS applications.
type AppAWS struct {
	// ExternalID is the AWS External ID used when assuming roles in this app.
	ExternalID string `yaml:"external_id,omitempty"`
}

AppAWS contains additional options for AWS applications.

type AppsConfig

// AppsConfig configures application proxy service.
type AppsConfig struct {
	// Enabled enables application proxying service.
	Enabled bool

	// DebugApp enables a header dumping debugging application. It echoes
	// request headers back to the caller, so it should not be left enabled
	// outside of troubleshooting.
	DebugApp bool

	// Apps is the list of applications that are being proxied.
	Apps []App

	// ResourceMatchers match cluster resources for this service.
	// NOTE(review): the original comment said "database resources", which
	// looks copied from DatabasesConfig; confirm these match app resources.
	ResourceMatchers []services.ResourceMatcher

	// MonitorCloseChannel will be signaled when a monitor closes a connection.
	// Used only for testing. Optional.
	MonitorCloseChannel chan struct{}
}

AppsConfig configures application proxy service.

type AuthConfig

// AuthConfig is a configuration of the auth server.
type AuthConfig struct {
	// Enabled turns auth role on or off for this process
	Enabled bool

	// EnableProxyProtocol enables proxy protocol support
	EnableProxyProtocol bool

	// ListenAddr is the listening address of the auth service
	ListenAddr utils.NetAddr

	// Authorities is a set of trusted certificate authorities
	// that will be added by this auth server on the first start
	Authorities []types.CertAuthority

	// Resources is a set of previously backed up resources
	// used to bootstrap backend state on the first start.
	Resources []types.Resource

	// Roles is a set of roles to pre-provision for this cluster
	Roles []types.Role

	// ClusterName is a name that identifies this authority and all
	// host nodes in the cluster that will share this authority domain name
	// as a base name, e.g. if authority domain name is example.com,
	// all nodes in the cluster will have UUIDs in the form: <uuid>.example.com
	ClusterName types.ClusterName

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed. They are long-lived
	// join secrets: anyone holding one can enroll a host with the token's
	// roles, so the config file must be protected accordingly.
	StaticTokens types.StaticTokens

	// StorageConfig contains configuration settings for the storage backend.
	StorageConfig backend.Config

	// Limiter limits the connection and request rates.
	Limiter limiter.Config

	// NoAudit, when set to true, disables session recording and event audit.
	// This removes the forensic trail for the cluster; intended for tests.
	NoAudit bool

	// Preference defines the authentication preference (type and second factor) for
	// the auth server.
	Preference types.AuthPreference

	// AuditConfig stores cluster audit configuration.
	AuditConfig types.ClusterAuditConfig

	// NetworkingConfig stores cluster networking configuration.
	NetworkingConfig types.ClusterNetworkingConfig

	// SessionRecordingConfig stores session recording configuration.
	SessionRecordingConfig types.SessionRecordingConfig

	// LicenseFile is a full path to the license file
	LicenseFile string

	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr

	// KeyStore configuration. Handles CA private keys which may be held in a HSM.
	KeyStore keystore.Config

	// LoadAllCAs sends the host CAs of all clusters to SSH clients logging in when enabled,
	// instead of just the host CA for the current cluster.
	LoadAllCAs bool
}

AuthConfig is a configuration of the auth server

type CachePolicy

// CachePolicy sets caching policy for proxies and nodes.
type CachePolicy struct {
	// Enabled enables or disables caching
	Enabled bool
}

CachePolicy sets caching policy for proxies and nodes

func (*CachePolicy) CheckAndSetDefaults

func (c *CachePolicy) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

func (CachePolicy) String

func (c CachePolicy) String() string

String returns human-friendly representation of the policy

type Config

// Config structure is used to initialize _all_ services Teleport can run.
// Some settings are global (like DataDir) while others are grouped into
// sections, like AuthConfig.
type Config struct {
	// Teleport configuration version.
	Version string
	// DataDir is the directory where teleport stores its permanent state
	// (in case of auth server backed by BoltDB) or local state, e.g. keys.
	// Because it holds key material, its filesystem permissions should be
	// restricted.
	DataDir string

	// Hostname is a node host name
	Hostname string

	// JoinMethod is the method the instance will use to join the auth server
	JoinMethod types.JoinMethod

	// ProxyServer is the address of the proxy
	ProxyServer utils.NetAddr

	// Identities is an optional list of pre-generated key pairs
	// for teleport roles, this is helpful when server is preconfigured.
	// These carry private keys and must be handled as secrets.
	Identities []*auth.Identity

	// AdvertiseIP is used to "publish" an alternative IP address or hostname this node
	// can be reached on, if running behind NAT
	AdvertiseIP string

	// CachePolicy sets caching policy for nodes and proxies
	// in case if they lose connection to auth servers
	CachePolicy CachePolicy

	// Auth service configuration. Manages cluster state and configuration.
	Auth AuthConfig

	// Proxy service configuration. Manages incoming and outbound
	// connections to the cluster.
	Proxy ProxyConfig

	// SSH service configuration. Manages SSH servers running within the cluster.
	SSH SSHConfig

	// App service configuration. Manages applications running within the cluster.
	Apps AppsConfig

	// Databases defines database proxy service configuration.
	Databases DatabasesConfig

	// Metrics defines the metrics service configuration.
	Metrics MetricsConfig

	// WindowsDesktop defines the Windows desktop service configuration.
	WindowsDesktop WindowsDesktopConfig

	// Discovery defines the discovery service configuration.
	Discovery DiscoveryConfig

	// Tracing defines the tracing service configuration.
	Tracing TracingConfig

	// Keygen points to a key generator implementation
	Keygen sshca.Authority

	// HostUUID is a unique UUID of this host (it will be known via this UUID within
	// a teleport cluster). It's automatically generated on 1st start
	HostUUID string

	// Console writer to speak to a user
	Console io.Writer

	// ReverseTunnels is a list of reverse tunnels to create on the
	// first cluster start
	ReverseTunnels []types.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	OIDCConnectors []types.OIDCConnector

	// PIDFile is a full path of the PID file for teleport daemon
	PIDFile string

	// Trust is a service that manages users and credentials
	Trust services.Trust

	// Presence service is a discovery and heartbeat tracker
	Presence services.Presence

	// Events is events service
	Events types.Events

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is the identity service.
	// NOTE(review): the original comment repeated Trust's description;
	// confirm the exact scope against services.Identity.
	Identity services.Identity

	// Access is a service that controls access
	Access services.Access

	// UsageReporter is a service that reports usage events.
	UsageReporter services.UsageReporter

	// ClusterConfiguration is a service that provides cluster configuration
	ClusterConfiguration services.ClusterConfiguration

	// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
	// omitted, a Teleport selected list of defaults will be used.
	CipherSuites []uint16

	// Ciphers is a list of SSH ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string

	// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used.
	KEXAlgorithms []string

	// MACAlgorithms is a list of SSH message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used.
	MACAlgorithms []string

	// DiagnosticAddr is an address for diagnostic and healthz endpoint service
	DiagnosticAddr utils.NetAddr

	// Debug sets debugging mode, results in diagnostic address
	// endpoint extended with additional /debug handlers. Because those
	// handlers are served on DiagnosticAddr, keep that address off
	// untrusted networks when Debug is set.
	Debug bool

	// UploadEventsC is a channel for upload events
	// used in tests
	UploadEventsC chan events.UploadEvent `json:"-"`

	// FileDescriptors is an optional list of file descriptors for the process
	// to inherit and use for listeners, used for in-process updates.
	FileDescriptors []FileDescriptor

	// PollingPeriod is set to override default internal polling periods
	// of sync agents, used to speed up integration tests.
	PollingPeriod time.Duration

	// ClientTimeout is set to override default client timeouts
	// used by internal clients, used to speed up integration tests.
	ClientTimeout time.Duration

	// ShutdownTimeout is set to override default shutdown timeout.
	ShutdownTimeout time.Duration

	// CAPins are the SPKI hashes of the CAs used to verify the Auth Server.
	// Pinning lets a joining process reject an Auth Server whose CA does not
	// match, instead of trusting whatever CA it is first presented.
	CAPins []string

	// Clock is used to control time in tests.
	Clock clockwork.Clock

	// TeleportVersion is used to control the Teleport version in tests.
	TeleportVersion string

	// FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool

	// SkipVersionCheck means the version checking between server and client
	// will be skipped.
	SkipVersionCheck bool

	// BPFConfig holds configuration for the BPF service.
	BPFConfig *bpf.Config

	// Kube is a Kubernetes API gateway using Teleport client identities.
	Kube KubeConfig

	// Log optionally specifies the logger
	Log utils.Logger

	// PluginRegistry allows adding enterprise logic to Teleport services
	PluginRegistry plugin.Registry

	// RotationConnectionInterval is the interval between connection
	// attempts as used by the rotation state service
	RotationConnectionInterval time.Duration

	// MaxRetryPeriod is the maximum period between reconnection attempts to auth
	MaxRetryPeriod time.Duration

	// ConnectFailureC is a channel to notify of failures to connect to auth (used in tests).
	ConnectFailureC chan time.Duration

	// TeleportHome is the path to tsh configuration and data, used
	// for loading profiles when TELEPORT_HOME is set
	TeleportHome string

	// CircuitBreakerConfig configures the auth client circuit breaker.
	CircuitBreakerConfig breaker.Config
	// contains filtered or unexported fields
}

Config structure is used to initialize _all_ services Teleport can run. Some settings are global (like DataDir) while others are grouped into sections, like AuthConfig

func MakeDefaultConfig

func MakeDefaultConfig() (config *Config)

MakeDefaultConfig creates a new Config structure and populates it with defaults

func (*Config) ApplyCAPins

func (cfg *Config) ApplyCAPins(caPins []string) error

ApplyCAPins assigns the given CA pin(s), filtering out empty pins. If a pin is specified as a path to a file, that file must not be empty.

func (*Config) AuthServerAddresses

func (cfg *Config) AuthServerAddresses() []utils.NetAddr

AuthServerAddresses returns the value of authServers for config versions v1 and v2 and will return just the first (as only one should be set) address for config versions v3 onwards.

func (*Config) DebugDumpToYAML

func (cfg *Config) DebugDumpToYAML() string

DebugDumpToYAML is useful for debugging: it dumps the Config structure into a string

func (*Config) HasToken

func (cfg *Config) HasToken() bool

HasToken gives the ability to check if there has been a token value stored in the config

func (*Config) RoleConfig

func (cfg *Config) RoleConfig() RoleConfig

RoleConfig is a config for particular Teleport role

func (*Config) SetAuthServerAddress

func (cfg *Config) SetAuthServerAddress(addr utils.NetAddr)

SetAuthServerAddress sets the value of authServers to a single value

func (*Config) SetAuthServerAddresses

func (cfg *Config) SetAuthServerAddresses(addrs []utils.NetAddr) error

SetAuthServerAddresses sets the value of authServers. If the config version is v1 or v2, it will set the value to all the given addresses (as multiple can be specified). If the config version is v3 or onwards, it'll error if more than one address is given.

func (*Config) SetToken

func (cfg *Config) SetToken(token string)

SetToken stores the value for --token or auth_token in the config

This can be either the token or an absolute path to a file containing the token.

func (*Config) Token

func (cfg *Config) Token() (string, error)

Token returns token needed to join the auth server

If the value stored points to a file, it will attempt to read the token value from the file and return an error if it wasn't successful. If the value stored doesn't point to a file, it'll return the value stored. If the token hasn't been set, an empty string will be returned.

type Connector

// Connector has all resources process needs to connect to other parts of the
// cluster: client and identity.
type Connector struct {
	// ClientIdentity is the identity to be used in internal cluster
	// clients to the auth service.
	ClientIdentity *auth.Identity

	// ServerIdentity is the identity to be used in servers - serving SSH
	// and x509 certificates to clients.
	ServerIdentity *auth.Identity

	// Client is authenticated client with credentials from ClientIdentity.
	// Close releases it (see Connector.Close).
	Client *auth.Client
}

Connector has all resources process needs to connect to other parts of the cluster: client and identity.

func (*Connector) Close

func (c *Connector) Close() error

Close closes resources associated with connector

func (*Connector) TunnelProxyResolver

func (c *Connector) TunnelProxyResolver() reversetunnel.Resolver

TunnelProxyResolver, if non-nil, indicates that the client is connected to the Auth Server through the reverse SSH tunnel proxy.

func (*Connector) UseTunnel

func (c *Connector) UseTunnel() bool

UseTunnel indicates if the client is connected directly to the Auth Server (false) or through the proxy (true).

type Database

// Database represents a single database that's being proxied.
type Database struct {
	// Name is the database name, used to refer to in CLI.
	Name string
	// Description is a free-form database description.
	Description string
	// Protocol is the database type, e.g. postgres or mysql.
	Protocol string
	// URI is the database endpoint to connect to.
	URI string
	// StaticLabels is a map of database static labels.
	StaticLabels map[string]string
	// MySQL are additional MySQL database options.
	MySQL MySQLOptions
	// DynamicLabels is a list of database dynamic labels.
	DynamicLabels services.CommandLabels
	// TLS keeps database connection TLS configuration (mode, server name
	// override and optional CA); see DatabaseTLS.
	TLS DatabaseTLS
	// AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
	AWS DatabaseAWS
	// GCP contains GCP specific settings for Cloud SQL databases.
	GCP DatabaseGCP
	// AD contains Active Directory configuration for database.
	AD DatabaseAD
	// Azure contains Azure database configuration.
	Azure DatabaseAzure
}

Database represents a single database that's being proxied.

func (*Database) CheckAndSetDefaults

func (d *Database) CheckAndSetDefaults() error

CheckAndSetDefaults validates the database proxy configuration.

func (*Database) ToDatabase

func (d *Database) ToDatabase() (types.Database, error)

ToDatabase converts Database to types.Database.

type DatabaseAD

// DatabaseAD contains database Active Directory configuration.
type DatabaseAD struct {
	// KeytabFile is the path to the Kerberos keytab file. The keytab holds
	// long-term Kerberos keys and should be readable only by the teleport
	// process.
	KeytabFile string
	// Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
	Krb5File string
	// Domain is the Active Directory domain the database resides in.
	Domain string
	// SPN is the service principal name for the database.
	SPN string
}

DatabaseAD contains database Active Directory configuration.

func (*DatabaseAD) CheckAndSetDefaults

func (d *DatabaseAD) CheckAndSetDefaults(name string) error

CheckAndSetDefaults validates database Active Directory configuration.

func (*DatabaseAD) IsEmpty

func (d *DatabaseAD) IsEmpty() bool

IsEmpty returns true if the database AD configuration is empty.

type DatabaseAWS

// DatabaseAWS contains AWS specific settings for RDS/Aurora databases.
type DatabaseAWS struct {
	// Region is the cloud region database is running in when using AWS RDS.
	Region string
	// Redshift contains Redshift specific settings.
	Redshift DatabaseAWSRedshift
	// RDS contains RDS specific settings.
	RDS DatabaseAWSRDS
	// ElastiCache contains ElastiCache specific settings.
	ElastiCache DatabaseAWSElastiCache
	// MemoryDB contains MemoryDB specific settings.
	MemoryDB DatabaseAWSMemoryDB
	// SecretStore contains settings for managing secrets.
	SecretStore DatabaseAWSSecretStore
	// AccountID is the AWS account ID.
	AccountID string
}

DatabaseAWS contains AWS specific settings for RDS/Aurora databases.

type DatabaseAWSElastiCache

// DatabaseAWSElastiCache contains settings for ElastiCache databases.
type DatabaseAWSElastiCache struct {
	// ReplicationGroupID is the ElastiCache replication group ID.
	ReplicationGroupID string
}

DatabaseAWSElastiCache contains settings for ElastiCache databases.

type DatabaseAWSMemoryDB

// DatabaseAWSMemoryDB contains settings for MemoryDB databases.
type DatabaseAWSMemoryDB struct {
	// ClusterName is the MemoryDB cluster name.
	ClusterName string
}

DatabaseAWSMemoryDB contains settings for MemoryDB databases.

type DatabaseAWSRDS

// DatabaseAWSRDS contains AWS RDS specific settings.
type DatabaseAWSRDS struct {
	// InstanceID is the RDS instance identifier.
	InstanceID string
	// ClusterID is the RDS cluster (Aurora) identifier.
	ClusterID string
}

DatabaseAWSRDS contains AWS RDS specific settings.

type DatabaseAWSRedshift

// DatabaseAWSRedshift contains AWS Redshift specific settings.
type DatabaseAWSRedshift struct {
	// ClusterID is the Redshift cluster identifier.
	ClusterID string
}

DatabaseAWSRedshift contains AWS Redshift specific settings.

type DatabaseAWSSecretStore

// DatabaseAWSSecretStore contains secret store configurations.
type DatabaseAWSSecretStore struct {
	// KeyPrefix specifies the secret key prefix.
	KeyPrefix string
	// KMSKeyID specifies the AWS KMS key for encryption. When empty, the
	// secret store's default key applies (confirm against the AWS client code).
	KMSKeyID string
}

DatabaseAWSSecretStore contains secret store configurations.

type DatabaseAzure

// DatabaseAzure contains Azure database configuration.
type DatabaseAzure struct {
	// ResourceID is the Azure fully qualified ID for the resource.
	ResourceID string `yaml:"resource_id,omitempty"`
}

DatabaseAzure contains Azure database configuration.

type DatabaseGCP

// DatabaseGCP contains GCP specific settings for Cloud SQL databases.
type DatabaseGCP struct {
	// ProjectID is the GCP project ID where the database is deployed.
	ProjectID string
	// InstanceID is the Cloud SQL instance ID.
	InstanceID string
}

DatabaseGCP contains GCP specific settings for Cloud SQL databases.

type DatabaseTLS

// DatabaseTLS keeps TLS settings used when connecting to database.
type DatabaseTLS struct {
	// Mode is the TLS connection mode. See TLSMode for more details.
	Mode TLSMode
	// ServerName allows providing custom server name.
	// This name will override DNS name when validating certificate presented by the database.
	// Use it when the database is reached through an address that differs
	// from the name in its certificate, rather than relaxing Mode.
	ServerName string
	// CACert is an optional database CA certificate (PEM, presumably —
	// confirm against the loader). When set, the database's certificate is
	// validated against it instead of the system roots.
	CACert []byte
}

DatabaseTLS keeps TLS settings used when connecting to database.

type DatabasesConfig

// DatabasesConfig configures the database proxy service.
type DatabasesConfig struct {
	// Enabled enables the database proxy service.
	Enabled bool
	// Databases is a list of databases proxied by this service.
	Databases []Database
	// ResourceMatchers match cluster database resources.
	ResourceMatchers []services.ResourceMatcher
	// AWSMatchers match AWS hosted databases.
	AWSMatchers []services.AWSMatcher
	// AzureMatchers match Azure hosted databases.
	AzureMatchers []services.AzureMatcher
	// Limiter limits the connection and request rates.
	Limiter limiter.Config
}

DatabasesConfig configures the database proxy service.

type DiscoveryConfig

// DiscoveryConfig configures the discovery service, which auto-enrolls
// cloud resources matched by the configured matchers.
type DiscoveryConfig struct {
	// Enabled turns the discovery service on or off for this process.
	Enabled bool
	// AWSMatchers are used to match EC2 instances for auto enrollment.
	AWSMatchers []services.AWSMatcher
	// AzureMatchers are used to match resources for auto discovery.
	AzureMatchers []services.AzureMatcher
	// GCPMatchers are used to match GCP resources for auto discovery.
	GCPMatchers []services.GCPMatcher
}

func (DiscoveryConfig) IsEmpty

func (d DiscoveryConfig) IsEmpty() bool

IsEmpty validates if the Discovery Service config has no cloud matchers.

type Event

// Event is a special service event that can be generated by various
// goroutines in the supervisor.
type Event struct {
	// Name is the event name, one of the event constants in this package
	// (e.g. TeleportReadyEvent).
	Name string
	// Payload is event-specific data; for ServiceExitedWithErrorEvent it
	// carries the exit error (see ExitEventPayload).
	Payload interface{}
}

Event is a special service event that can be generated by various goroutines in the supervisor

func (*Event) String

func (e *Event) String() string

type EventMapping

// EventMapping maps a sequence of incoming events and if triggered,
// generates an out event.
type EventMapping struct {
	// In is the incoming event sequence.
	In []string
	// Out is the outbound event to generate.
	Out string
}

EventMapping maps a sequence of incoming events and if triggered, generates an out event.

func (EventMapping) String

func (e EventMapping) String() string

String returns user-friendly representation of the mapping.

type ExitEventPayload

// ExitEventPayload contains information about service name, and service
// error if it exited with error. It is the payload of
// ServiceExitedWithErrorEvent.
type ExitEventPayload struct {
	// Service is the service that exited
	Service Service
	// Error is the error of the service exit
	Error error
}

ExitEventPayload contains information about service name, and service error if it exited with error

type FileDescriptor

// FileDescriptor is a file descriptor associated with a listener. Instances
// are passed in Config.FileDescriptors so a new process can inherit open
// sockets during an in-process update.
type FileDescriptor struct {
	// Type is a listener type, e.g. auth:ssh
	Type string
	// Address is an address of the listener, e.g. 127.0.0.1:3025
	Address string
	// File is a file descriptor associated with the listener
	File *os.File
}

FileDescriptor is a file descriptor associated with a listener

func (*FileDescriptor) ToListener

func (fd *FileDescriptor) ToListener() (net.Listener, error)

type Func

type Func func() error

Func is a service function

// Header represents a single http header passed over to the proxied
// application.
type Header struct {
	// Name is the http header name.
	Name string
	// Value is the http header value.
	Value string
}

Header represents a single http header passed over to the proxied application.

func ParseHeader

func ParseHeader(header string) (*Header, error)

ParseHeader parses the provided string as a http header.

func ParseHeaders

func ParseHeaders(headers []string) (headersOut []Header, err error)

ParseHeaders parses the provided list as http headers.

type HostLabelRule

// HostLabelRule specifies a set of labels that should be applied to hosts
// matching the provided regexp.
type HostLabelRule struct {
	// Regexp selects the hosts the rule applies to.
	Regexp *regexp.Regexp
	// Labels are applied to every host matched by Regexp.
	Labels map[string]string
}

HostLabelRule specifies a set of labels that should be applied to hosts matching the provided regexp.

type HostLabelRules

// HostLabelRules is a collection of rules describing how to apply labels to
// hosts. Construct it with NewHostLabelRules and query it with LabelsForHost.
type HostLabelRules struct {
	// contains filtered or unexported fields
}

HostLabelRules is a collection of rules describing how to apply labels to hosts.

func NewHostLabelRules

func NewHostLabelRules(rules ...HostLabelRule) HostLabelRules

func (HostLabelRules) LabelsForHost

func (h HostLabelRules) LabelsForHost(host string) map[string]string

LabelsForHost returns the set of all labels that should be applied to the specified host. If multiple rules match and specify the same label keys, the value will be that of the last matching rule.

type KeyPair

// KeyPair is a private/public key pair.
type KeyPair struct {
	// PrivateKey is a private key in PEM format. It is secret material and
	// must not be logged or written to world-readable locations.
	PrivateKey []byte
	// PublicSSHKey is a public key in SSH format
	PublicSSHKey []byte
	// PublicTLSKey is a public key in X509 format
	PublicTLSKey []byte
}

KeyPair is a private/public key pair

type KeyPairPath

// KeyPairPath are paths to a key and certificate file.
type KeyPairPath struct {
	// PrivateKey is the path to a PEM encoded private key.
	PrivateKey string
	// Certificate is the path to a PEM encoded certificate.
	Certificate string
}

KeyPairPath are paths to a key and certificate file.

type KubeConfig

// KubeConfig specifies configuration for kubernetes service.
type KubeConfig struct {
	// Enabled turns kubernetes service role on or off for this process
	Enabled bool

	// ListenAddr is the address to listen on for incoming kubernetes requests.
	// Optional.
	ListenAddr *utils.NetAddr

	// PublicAddrs is a list of the public addresses the Teleport kubernetes
	// service can be reached by the proxy service.
	PublicAddrs []utils.NetAddr

	// KubeClusterName is the name of a kubernetes cluster this proxy is running
	// in. If empty, defaults to the Teleport cluster name.
	KubeClusterName string

	// KubeconfigPath is a path to kubeconfig
	KubeconfigPath string

	// StaticLabels and DynamicLabels are used for RBAC on clusters.
	StaticLabels  map[string]string
	DynamicLabels services.CommandLabels

	// Limiter limits the connection and request rates.
	Limiter limiter.Config

	// CheckImpersonationPermissions is an optional override to the default
	// impersonation permissions check, for use in testing. Overriding it in
	// production bypasses the impersonation authorization step.
	CheckImpersonationPermissions proxy.ImpersonationPermissionsChecker

	// ResourceMatchers match dynamic kube_cluster resources.
	ResourceMatchers []services.ResourceMatcher
}

KubeConfig specifies configuration for kubernetes service

type KubeProxyConfig

type KubeProxyConfig struct {
	// Enabled turns kubernetes proxy role on or off for this process
	Enabled bool

	// ListenAddr is the address to listen on for incoming kubernetes requests.
	ListenAddr utils.NetAddr

	// ClusterOverride causes all traffic to go to a specific remote
	// cluster, used only in tests.
	// NOTE(review): must stay empty in production configuration, since it
	// bypasses the normal cluster routing.
	ClusterOverride string

	// PublicAddrs is a list of the public addresses the Teleport Kube proxy can be accessed by,
	// it also affects the host principals and routing logic.
	// Because the hosts listed here influence the principals on the proxy's
	// certificates, only advertise names this proxy legitimately serves.
	PublicAddrs []utils.NetAddr

	// KubeconfigPath is a path to kubeconfig.
	// The file carries cluster credentials; restrict its permissions.
	KubeconfigPath string

	// LegacyKubeProxy specifies that this proxy was configured using the
	// legacy kubernetes section.
	LegacyKubeProxy bool
}

KubeProxyConfig specifies configuration for proxy service

type LDAPConfig

type LDAPConfig struct {
	// Addr is the address:port of the LDAP server (typically port 389).
	// NOTE(review): 389 is the plaintext LDAP port, while the TLS fields below
	// describe an LDAPS connection (conventionally port 636) — confirm which
	// port the service actually dials before relying on this comment.
	Addr string
	// Domain is the ActiveDirectory domain name.
	Domain string
	// Username for LDAP authentication. The matching password is not part of
	// this struct.
	Username string
	// InsecureSkipVerify decides whether we skip verifying the LDAP server's
	// certificate against its CA when making the LDAPS connection.
	// When true the server is not authenticated, so an on-path attacker can
	// impersonate the directory and capture the bind credentials. Keep it
	// false outside of throwaway lab setups.
	InsecureSkipVerify bool
	// ServerName is the name of the LDAP server for TLS.
	// Needed for the certificate name check when Addr is an IP or otherwise
	// differs from the name in the server certificate.
	ServerName string
	// CA is an optional CA cert to be used for verification if InsecureSkipVerify is set to false.
	// NOTE(review): confirm what a nil CA falls back to (system trust store or
	// failure). Prefer pinning the directory's CA here rather than relying on
	// public roots.
	CA *x509.Certificate
}

LDAPConfig is the LDAP connection parameters.

type LDAPDiscoveryConfig

type LDAPDiscoveryConfig struct {
	// BaseDN is the base DN to search for desktops.
	// Use the value '*' to search from the root of the domain,
	// or leave blank to disable desktop discovery.
	BaseDN string `yaml:"base_dn"`
	// Filters are additional LDAP filters to apply to the search.
	// See: https://ldap.com/ldap-filters/
	// These come from the service configuration file (see the yaml tag),
	// not from end users.
	Filters []string `yaml:"filters"`
	// LabelAttributes are LDAP attributes to apply to hosts discovered
	// via LDAP. Teleport labels hosts by prefixing the attribute with
	// "ldap/" - for example, a value of "location" here would result in
	// discovered desktops having a label with key "ldap/location" and
	// the value being the value of the "location" attribute.
	// NOTE(review): if Teleport roles grant access based on these labels,
	// anyone who can write the attribute in the directory can influence
	// access decisions — only expose attributes that are write-protected in AD.
	LabelAttributes []string `yaml:"label_attributes"`
}

type ListenerType

// ListenerType names a registered listener (see process.registeredListeners).
type ListenerType string

ListenerType identifies different registered listeners in process.registeredListeners.

type LocalService

type LocalService struct {
	// Function is a function to call
	Function Func
	// ServiceName is a service name
	ServiceName string
	// Critical is set to true
	// when the service is critical and program can't continue
	// without it; see RegisterCriticalFunc, which shuts the process down
	// when such a service exits with an error.
	Critical bool
}

LocalService is a locally defined service

func (*LocalService) IsCritical

func (l *LocalService) IsCritical() bool

IsCritical returns true if the service is critical and program can't continue without it

func (*LocalService) Name

func (l *LocalService) Name() string

Name returns unique service name

func (*LocalService) Serve

func (l *LocalService) Serve() error

Serve starts the function

func (*LocalService) String

func (l *LocalService) String() string

String returns user-friendly service name

type LocalSupervisor

type LocalSupervisor struct {
	// The embedded mutex presumably guards the supervisor's internal state.
	// Because of it the struct must not be copied — always pass a
	// *LocalSupervisor (all of its methods use pointer receivers).
	sync.Mutex
	// contains filtered or unexported fields
}

LocalSupervisor is a Teleport's implementation of the Supervisor interface.

func (*LocalSupervisor) BroadcastEvent

func (s *LocalSupervisor) BroadcastEvent(event Event)

BroadcastEvent generates event and broadcasts it to all subscribed parties.

func (*LocalSupervisor) ExitContext

func (s *LocalSupervisor) ExitContext() context.Context

ExitContext returns context that will be closed when a hard TeleportExitEvent is broadcasted.

func (*LocalSupervisor) GracefulExitContext

func (s *LocalSupervisor) GracefulExitContext() context.Context

GracefulExitContext returns context that will be closed when a hard or graceful TeleportExitEvent is broadcasted.

func (*LocalSupervisor) ListenForEvents

func (s *LocalSupervisor) ListenForEvents(ctx context.Context, name string, eventC chan<- Event)

func (*LocalSupervisor) Register

func (s *LocalSupervisor) Register(srv Service)

func (*LocalSupervisor) RegisterCriticalFunc

func (s *LocalSupervisor) RegisterCriticalFunc(name string, fn Func)

RegisterCriticalFunc creates a critical service from function spec and registers it within the system, if this service exits with error, the process shuts down.

func (*LocalSupervisor) RegisterEventMapping

func (s *LocalSupervisor) RegisterEventMapping(m EventMapping)

RegisterEventMapping registers event mapping - when the sequence in the event mapping triggers, the outbound event will be generated.

func (*LocalSupervisor) RegisterFunc

func (s *LocalSupervisor) RegisterFunc(name string, fn Func)

RegisterFunc creates a service from function spec and registers it within the system

func (*LocalSupervisor) ReloadContext

func (s *LocalSupervisor) ReloadContext() context.Context

ReloadContext returns context that will be closed when TeleportReloadEvent is broadcasted.

func (*LocalSupervisor) RemoveService

func (s *LocalSupervisor) RemoveService(srv Service) error

RemoveService removes service from supervisor tracking list

func (*LocalSupervisor) Run

func (s *LocalSupervisor) Run() error

func (*LocalSupervisor) ServiceCount

func (s *LocalSupervisor) ServiceCount() int

ServiceCount returns the number of registered and actively running services

func (*LocalSupervisor) Services

func (s *LocalSupervisor) Services() []string

func (*LocalSupervisor) Start

func (s *LocalSupervisor) Start() error

func (*LocalSupervisor) Wait

func (s *LocalSupervisor) Wait() error

func (*LocalSupervisor) WaitForEvent

func (s *LocalSupervisor) WaitForEvent(ctx context.Context, name string) (Event, error)

func (*LocalSupervisor) WaitForEventTimeout

func (s *LocalSupervisor) WaitForEventTimeout(timeout time.Duration, name string) (Event, error)

type MetricsConfig

type MetricsConfig struct {
	// Enabled turns the metrics service role on or off for this process
	Enabled bool

	// ListenAddr is the address to listen on for incoming metrics requests.
	// Optional.
	ListenAddr *utils.NetAddr

	// MTLS turns mTLS on the metrics service on or off.
	// With MTLS false there is no client authentication at this layer, so bind
	// ListenAddr to a trusted network or front it with an authenticating proxy.
	MTLS bool

	// KeyPairs are the key and certificate pairs that the metrics service will
	// use for mTLS.
	// Used in conjunction with MTLS = true
	KeyPairs []KeyPairPath

	// CACerts are prometheus ca certs
	// use for mTLS.
	// Used in conjunction with MTLS = true.
	// Only clients whose certificate chains to one of these CAs should be
	// admitted, so keep the list to the CA that issues scraper certificates.
	CACerts []string

	// GRPCServerLatency enables histogram metrics for each grpc endpoint on the auth server
	GRPCServerLatency bool

	// GRPCClientLatency enables histogram metrics for grpc client calls made by
	// this process — presumably the client-side counterpart of GRPCServerLatency
	// (the original comment was a copy of that field's; confirm).
	GRPCClientLatency bool
}

MetricsConfig specifies configuration for the metrics service

type MySQLOptions

type MySQLOptions struct {
	// ServerVersion is the version reported by Teleport DB Proxy on initial handshake.
	// Every client that reaches the handshake sees this string; presumably it
	// exists for compatibility with clients that inspect the advertised version.
	ServerVersion string
}

MySQLOptions are additional MySQL options.

type NewProcess

// NewProcess creates a Teleport process from cfg (NewTeleport is the
// implementation in this package).
type NewProcess func(cfg *Config) (Process, error)

NewProcess is a function that creates new teleport from config

type NewTeleportOption

// NewTeleportOption adjusts the unexported newTeleportConfig used by
// NewTeleport; WithIMDSClient is the constructor visible in this package.
type NewTeleportOption func(*newTeleportConfig)

func WithIMDSClient

func WithIMDSClient(client cloud.InstanceMetadata) NewTeleportOption

WithIMDSClient provides NewTeleport with a custom EC2 instance metadata client.

type Process

type Process interface {
	// Closer closes all resources used by the process
	io.Closer
	// Start starts the process in a non-blocking way
	Start() error
	// WaitForSignals waits for and handles system process signals.
	// TeleportProcess documents that it must not be called twice.
	WaitForSignals(context.Context) error
	// ExportFileDescriptors exports service listeners
	// file descriptors used by the process (for hand-off to a child process).
	ExportFileDescriptors() ([]FileDescriptor, error)
	// Shutdown starts graceful shutdown of the process,
	// blocks until all resources are freed and go-routines are
	// shut down.
	Shutdown(context.Context)
	// WaitForEvent waits for one event with the specified name (returns the
	// latest such event if at least one has been broadcasted already, ignoring
	// the context). Returns an error if the context is canceled before an event
	// is received.
	WaitForEvent(ctx context.Context, name string) (Event, error)
	// WaitWithContext waits for the service to stop. This is a blocking
	// function.
	WaitWithContext(ctx context.Context)
}

Process is the interface implemented by a running Teleport process (see TeleportProcess).

type ProxyConfig

type ProxyConfig struct {
	// Enabled turns proxy role on or off for this process
	Enabled bool

	// DisableTLS is enabled if we don't want self-signed certs.
	// NOTE(review): the wording is ambiguous — confirm whether this turns off
	// TLS on the web listener altogether; if so it is only safe behind a
	// TLS-terminating front end on a trusted network.
	DisableTLS bool

	// DisableWebInterface allows turning off serving the Web UI interface
	DisableWebInterface bool

	// DisableWebService turns off serving web service completely, including web UI
	DisableWebService bool

	// DisableReverseTunnel disables reverse tunnel on the proxy
	DisableReverseTunnel bool

	// DisableDatabaseProxy disables database access proxy listener
	DisableDatabaseProxy bool

	// ReverseTunnelListenAddr is address where reverse tunnel dialers connect to
	ReverseTunnelListenAddr utils.NetAddr

	// EnableProxyProtocol enables proxy protocol support.
	// With PROXY protocol the client address is taken from a header that the
	// upstream load balancer prepends, so the listener must only be reachable
	// through that load balancer; otherwise a direct client can spoof the
	// source address seen by audit logging and any IP-based checks.
	// NOTE(review): confirm how connections without a PROXY header are treated
	// before enabling this.
	EnableProxyProtocol bool

	// WebAddr is address for web portal of the proxy
	WebAddr utils.NetAddr

	// SSHAddr is address of ssh proxy
	SSHAddr utils.NetAddr

	// MySQLAddr is address of MySQL proxy.
	MySQLAddr utils.NetAddr

	// PostgresAddr is address of Postgres proxy.
	PostgresAddr utils.NetAddr

	// MongoAddr is address of Mongo proxy.
	MongoAddr utils.NetAddr

	// PeerAddr is the proxy peering address.
	PeerAddr utils.NetAddr

	// PeerPublicAddr is the public address the proxy advertises for proxy
	// peering clients.
	PeerPublicAddr utils.NetAddr

	// Limiter limits the connection and request rates.
	Limiter limiter.Config

	// PublicAddrs is a list of the public addresses the proxy advertises
	// for the HTTP endpoint. The hosts in PublicAddr are included in the
	// list of host principals on the TLS and SSH certificate, so list only
	// names this proxy legitimately serves.
	PublicAddrs []utils.NetAddr

	// SSHPublicAddrs is a list of the public addresses the proxy advertises
	// for the SSH endpoint. The hosts in PublicAddr are included in the
	// list of host principals on the TLS and SSH certificate.
	SSHPublicAddrs []utils.NetAddr

	// TunnelPublicAddrs is a list of the public addresses the proxy advertises
	// for the tunnel endpoint. The hosts in PublicAddr are included in the
	// list of host principals on the TLS and SSH certificate.
	TunnelPublicAddrs []utils.NetAddr

	// PostgresPublicAddrs is a list of the public addresses the proxy
	// advertises for Postgres clients.
	PostgresPublicAddrs []utils.NetAddr

	// MySQLPublicAddrs is a list of the public addresses the proxy
	// advertises for MySQL clients.
	MySQLPublicAddrs []utils.NetAddr

	// MongoPublicAddrs is a list of the public addresses the proxy
	// advertises for Mongo clients.
	MongoPublicAddrs []utils.NetAddr

	// Kube specifies kubernetes proxy configuration
	Kube KubeProxyConfig

	// KeyPairs are the key and certificate pairs that the proxy will load.
	// These are the proxy's serving credentials; the key files are secret material.
	KeyPairs []KeyPairPath

	// ACME is ACME protocol support config
	ACME ACME

	// DisableALPNSNIListener allows turning off the ALPN Proxy listener. Used in tests.
	// NOTE(review): not intended for production configuration.
	DisableALPNSNIListener bool
}

ProxyConfig specifies configuration for proxy service

func (ProxyConfig) KubeAddr

func (c ProxyConfig) KubeAddr() (string, error)

KubeAddr returns the address for the Kubernetes endpoint on this proxy that can be reached by clients.

type Rate

type Rate struct {
	// Amount is the number of events permitted per Time.
	Amount int
	// Time is the period over which Amount is counted.
	Time   time.Duration
}

Rate describes a rate ratio, i.e. the number of "events" that happen over some unit time period

type Rewrite

type Rewrite struct {
	// Redirect is a list of hosts that should be rewritten to the public address.
	Redirect []string
	// Headers is a list of extra headers to inject in the request.
	// NOTE(review): confirm whether an injected header replaces or is appended
	// to a client-supplied header of the same name — this matters for any
	// header the upstream application trusts for identity.
	Headers []Header
}

Rewrite is a list of rewriting rules to apply to requests and responses.

type RoleConfig

type RoleConfig struct {
	// DataDir is the directory this process uses for its state (presumably
	// including identities — keep its permissions restricted).
	DataDir     string
	// HostUUID identifies this host.
	HostUUID    string
	// HostName is this host's name.
	HostName    string
	// AuthServers are the auth server addresses this role connects to.
	AuthServers []utils.NetAddr
	// Auth is the auth service configuration.
	Auth        AuthConfig
	// Console receives console output.
	Console     io.Writer
}

RoleConfig is a configuration for a server role (either proxy or node)

type SSHConfig

type SSHConfig struct {
	// Enabled turns the SSH node role on or off for this process.
	Enabled               bool
	// Addr is the address the SSH server listens on.
	Addr                  utils.NetAddr
	// Namespace is the namespace the node is registered in (presumably; confirm
	// against the caller).
	Namespace             string
	// Shell is the shell used for interactive sessions (presumably; confirm).
	Shell                 string
	// Limiter limits the connection and request rates.
	Limiter               limiter.Config
	// Labels are static labels applied to this node.
	Labels                map[string]string
	// CmdLabels are dynamic labels (services.CommandLabels, the same type
	// KubeConfig uses for DynamicLabels).
	CmdLabels             services.CommandLabels
	// PermitUserEnvironment presumably, like the OpenSSH option of the same
	// name, lets users set environment variables for their sessions — confirm.
	// NOTE(review): this widens what a user can influence on the host; keep it
	// off unless required.
	PermitUserEnvironment bool

	// PAM holds PAM configuration for Teleport.
	PAM *pam.Config

	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	// Only advertise names this node legitimately serves.
	PublicAddrs []utils.NetAddr

	// BPF holds BPF configuration for Teleport.
	BPF *bpf.Config

	// RestrictedSession holds kernel objects restrictions for Teleport.
	RestrictedSession *restricted.Config

	// AllowTCPForwarding indicates that TCP port forwarding is allowed on this node.
	// When allowed, a user with a session here can reach whatever this node can
	// reach over TCP; disable it on nodes that must not act as a pivot.
	AllowTCPForwarding bool

	// IdleTimeoutMessage is sent to the client when a session expires due to
	// the inactivity timeout expiring. The empty string indicates that no
	// timeout message will be sent.
	IdleTimeoutMessage string

	// X11 holds x11 forwarding configuration for Teleport.
	X11 *x11.ServerConfig

	// AllowFileCopying indicates whether this node is allowed to handle
	// remote file operations via SCP or SFTP.
	AllowFileCopying bool

	// DisableCreateHostUser disables automatic user provisioning on this
	// SSH node. When false, Teleport may create OS users on the host; set it
	// true where local account creation must stay under manual control.
	DisableCreateHostUser bool
}

SSHConfig configures SSH server node role

type Service

type Service interface {
	// Serve starts the function and blocks until it returns.
	Serve() error
	// String returns user-friendly description of service
	String() string
	// Name returns service name (unique within the supervisor, per LocalService.Name)
	Name() string
	// IsCritical returns true if the service is critical
	// and program can't continue without it: the process shuts down
	// when such a service exits with an error.
	IsCritical() bool
}

Service is a running teleport service function

type Supervisor

type Supervisor interface {
	// Register adds the service to the pool, if supervisor is in
	// the started state, the service will be started immediately
	// otherwise, it will be started after Start() has been called
	Register(srv Service)

	// RegisterFunc creates a service from function spec and registers
	// it within the system
	RegisterFunc(name string, fn Func)

	// RegisterCriticalFunc creates a critical service from function spec and registers
	// it within the system, if this service exits with error,
	// the process shuts down.
	RegisterCriticalFunc(name string, fn Func)

	// ServiceCount returns the number of registered and actively running
	// services
	ServiceCount() int

	// Start starts all unstarted services
	Start() error

	// Wait waits until all services exit
	Wait() error

	// Run starts and waits for the service to complete;
	// it's a combination of Start() and Wait()
	Run() error

	// Services returns list of running services
	Services() []string

	// BroadcastEvent generates event and broadcasts it to all
	// subscribed parties.
	BroadcastEvent(Event)

	// WaitForEvent waits for one event with the specified name (returns the
	// latest such event if at least one has been broadcasted already, ignoring
	// the context). Returns an error if the context is canceled before an event
	// is received.
	WaitForEvent(ctx context.Context, name string) (Event, error)

	// WaitForEventTimeout waits for one event with the specified name (returns the
	// latest such event if at least one has been broadcasted already). Returns
	// an error if the timeout triggers before an event is received.
	WaitForEventTimeout(timeout time.Duration, name string) (Event, error)

	// ListenForEvents arranges for eventC to receive events with the specified
	// name; if the event was already broadcasted, eventC will receive the latest
	// value immediately. The broadcasting will stop when the context is done.
	ListenForEvents(ctx context.Context, name string, eventC chan<- Event)

	// RegisterEventMapping registers event mapping -
	// when the sequence in the event mapping triggers, the
	// outbound event will be generated.
	RegisterEventMapping(EventMapping)

	// ExitContext returns context that will be closed when
	// a hard TeleportExitEvent is broadcasted.
	ExitContext() context.Context

	// GracefulExitContext returns context that will be closed when
	// a graceful or hard TeleportExitEvent is broadcast.
	GracefulExitContext() context.Context

	// ReloadContext returns context that will be closed when
	// TeleportReloadEvent is broadcasted.
	ReloadContext() context.Context
}

Supervisor implements the simple service logic - registering service functions and de-registering the service goroutines

func NewSupervisor

func NewSupervisor(id string, parentLog logrus.FieldLogger) Supervisor

NewSupervisor returns new instance of initialized supervisor

type TLSMode

// TLSMode selects how a database server's certificate is verified; see the
// VerifyFull, VerifyCA and Insecure constants.
type TLSMode string

TLSMode defines all possible database server certificate verification modes.

const (
	// VerifyFull is the strictest. Verifies certificate and server name.
	// It is the default applied by CheckAndSetDefaults and the mode to keep
	// in production.
	VerifyFull TLSMode = "verify-full"
	// VerifyCA checks the certificate, but skips the server name verification.
	// Any certificate issued by the trusted CA is accepted regardless of which
	// host it was issued for, so a mis-issued or stolen certificate for another
	// host in the same PKI would pass.
	VerifyCA TLSMode = "verify-ca"
	// Insecure accepts any certificate.
	// There is no server authentication at all — an on-path attacker can
	// impersonate the database. Lab use only.
	Insecure TLSMode = "insecure"
)

func (*TLSMode) CheckAndSetDefaults

func (m *TLSMode) CheckAndSetDefaults() error

CheckAndSetDefaults checks whether TLSMode holds a valid value. If the value is not set, VerifyFull is used as the default. A BadParameter error is returned if the value is not one of the defined modes.

func (TLSMode) ToProto

func (m TLSMode) ToProto() types.DatabaseTLSMode

ToProto returns a matching protobuf type or VerifyFull for empty value.

type TeleportProcess

type TeleportProcess struct {
	Clock clockwork.Clock
	// The embedded mutex means the struct must not be copied; always use
	// *TeleportProcess (all methods use pointer receivers).
	sync.Mutex
	Supervisor
	Config *Config

	// PluginRegistry handles plugin registrations with Teleport services
	PluginRegistry plugin.Registry

	// identities of this process (credentials to auth server, basically).
	// These hold private keys and certificates; never log or serialize them.
	Identities map[types.SystemRole]*auth.Identity

	// TracingProvider is the provider to be used for exporting traces. In the event
	// that tracing is disabled this will be a no-op provider that drops all spans.
	TracingProvider *tracing.Provider
	// contains filtered or unexported fields
}

TeleportProcess structure holds the state of the Teleport daemon, controlling execution and configuration of the teleport services: ssh, auth and proxy.

func NewTeleport

func NewTeleport(cfg *Config, opts ...NewTeleportOption) (*TeleportProcess, error)

NewTeleport takes the daemon configuration, instantiates all required services and starts them under a supervisor, returning the TeleportProcess (which embeds the supervisor).

func (*TeleportProcess) AuthAddr

func (process *TeleportProcess) AuthAddr() (*utils.NetAddr, error)

AuthAddr returns auth server endpoint, if configured and started.

func (*TeleportProcess) Close

func (process *TeleportProcess) Close() error

Close broadcasts close signals and exits immediately

func (*TeleportProcess) DiagnosticAddr

func (process *TeleportProcess) DiagnosticAddr() (*utils.NetAddr, error)

DiagnosticAddr returns the diagnostic endpoint, if configured and started.

func (*TeleportProcess) ExportFileDescriptors

func (process *TeleportProcess) ExportFileDescriptors() ([]FileDescriptor, error)

ExportFileDescriptors exports file descriptors to be passed to child process

func (*TeleportProcess) GetAuditLog

func (process *TeleportProcess) GetAuditLog() events.IAuditLog

GetAuditLog returns the process' audit log

func (*TeleportProcess) GetAuthServer

func (process *TeleportProcess) GetAuthServer() *auth.Server

GetAuthServer returns the process' auth server

func (*TeleportProcess) GetBackend

func (process *TeleportProcess) GetBackend() backend.Backend

GetBackend returns the process' backend

func (*TeleportProcess) GetIdentity

func (process *TeleportProcess) GetIdentity(role types.SystemRole) (i *auth.Identity, err error)

GetIdentity returns the process identity (credentials to the auth server) for a given Teleport role. A Teleport process can run several roles at once (auth, proxy, node, and the other service roles), each with its own identity; the identity is secret key material and must not be logged.

func (*TeleportProcess) NodeSSHAddr

func (process *TeleportProcess) NodeSSHAddr() (*utils.NetAddr, error)

NodeSSHAddr returns the node SSH endpoint, if configured and started.

func (*TeleportProcess) OnExit

func (process *TeleportProcess) OnExit(serviceName string, callback func(interface{}))

OnExit allows individual services to register a callback function which will be called when Teleport Process is asked to exit. Usually services terminate themselves when the callback is called

func (*TeleportProcess) ProxyKubeAddr

func (process *TeleportProcess) ProxyKubeAddr() (*utils.NetAddr, error)

ProxyKubeAddr returns the proxy kubernetes endpoint, if configured and started.

func (*TeleportProcess) ProxyPeerAddr

func (process *TeleportProcess) ProxyPeerAddr() (*utils.NetAddr, error)

ProxyPeerAddr returns the proxy peer address, if configured and started.

func (*TeleportProcess) ProxySSHAddr

func (process *TeleportProcess) ProxySSHAddr() (*utils.NetAddr, error)

ProxySSHAddr returns the proxy SSH endpoint, if configured and started.

func (*TeleportProcess) ProxyTunnelAddr

func (process *TeleportProcess) ProxyTunnelAddr() (*utils.NetAddr, error)

ProxyTunnelAddr returns the proxy reverse tunnel endpoint, if configured and started.

func (*TeleportProcess) ProxyWebAddr

func (process *TeleportProcess) ProxyWebAddr() (*utils.NetAddr, error)

ProxyWebAddr returns the proxy web interface endpoint, if configured and started.

func (*TeleportProcess) Shutdown

func (process *TeleportProcess) Shutdown(ctx context.Context)

Shutdown launches graceful shutdown process and waits for it to complete

func (*TeleportProcess) StartShutdown

func (process *TeleportProcess) StartShutdown(ctx context.Context) context.Context

StartShutdown launches non-blocking graceful shutdown process that signals completion, returns context that will be closed once the shutdown is done

func (*TeleportProcess) WaitForSignals

func (process *TeleportProcess) WaitForSignals(ctx context.Context) error

WaitForSignals waits for system signals and processes them. Should not be called twice by the process.

func (*TeleportProcess) WaitWithContext

func (process *TeleportProcess) WaitWithContext(ctx context.Context)

WaitWithContext waits until all internal services stop.

type TracingConfig

type TracingConfig struct {
	// Enabled turns the tracing service role on or off for this process.
	Enabled bool

	// ExporterURL is the OTLP exporter URL to send spans to.
	// Spans may carry request metadata, so export only over TLS to a collector
	// you control.
	ExporterURL string

	// KeyPairs are the paths for key and certificate pairs that the tracing
	// service will use for outbound TLS connections (client certificates
	// presented to the collector; the key files are secret material).
	KeyPairs []KeyPairPath

	// CACerts are the paths to the CA certs used to validate the collector.
	// NOTE(review): confirm whether an empty list falls back to the system
	// trust store or disables validation.
	CACerts []string

	// SamplingRate is the sampling rate for the exporter.
	// 1.0 will record and export all spans and 0.0 won't record any spans.
	SamplingRate float64
}

TracingConfig specifies the configuration for the tracing service

func (TracingConfig) Config

func (t TracingConfig) Config(attrs ...attribute.KeyValue) (*tracing.Config, error)

Config generates a tracing.Config that is populated from the values provided to the tracing_service

type WindowsDesktopConfig

type WindowsDesktopConfig struct {
	// Enabled turns the Windows Desktop Access role on or off for this process.
	Enabled bool
	// ListenAddr is the address to listen on for incoming desktop connections.
	ListenAddr utils.NetAddr
	// PublicAddrs is a list of advertised public addresses of the service.
	PublicAddrs []utils.NetAddr
	// LDAP is the LDAP connection parameters.
	// Carries the directory bind identity; see LDAPConfig for the TLS caveats.
	LDAP LDAPConfig

	// Discovery configures automatic desktop discovery via LDAP.
	Discovery LDAPDiscoveryConfig

	// Hosts is an optional list of static Windows hosts to expose through this
	// service.
	Hosts []utils.NetAddr
	// ConnLimiter limits the connection and request rates.
	ConnLimiter limiter.Config
	// HostLabels specifies rules that are used to apply labels to Windows hosts.
	// See HostLabelRules.LabelsForHost: when several rules match and set the
	// same key, the last matching rule wins.
	HostLabels HostLabelRules
	// Labels are static labels applied to this service.
	Labels     map[string]string
}

WindowsDesktopConfig specifies the configuration for the Windows Desktop Access service.
