Documentation ¶
Overview ¶
Package reversetunnel sets up persistent reverse tunnel between remote site and teleport proxy, when site agents dial to teleport proxy's socket and teleport proxy can connect to any server through this tunnel.
package reversetunnel provides interfaces for accessing remote clusters
via reverse tunnels and directly.
Reverse Tunnels
Proxy server Proxy agent Reverse tunnel +----------+ +---------+ | <----------------------+ | | | | |
+-----+----------+ +---------+-----+ | | | | | | | | +----------------+ +---------------+
Proxy Cluster "A" Proxy Cluster "B"
Reverse tunnel is established from a cluster "B" Proxy to the a cluster "A" proxy, and clients of the cluster "A" can access servers of the cluster "B" via reverse tunnel connection, even if the cluster "B" is behind the firewall.
Multiple Proxies and Revese Tunnels ¶
With multiple proxies behind the load balancer, proxy agents will eventually discover and establish connections to all proxies in cluster.
* Initially Proxy Agent connects to Proxy 1. * Proxy 1 starts sending information about all available proxies that have not received connection from the Proxy Agent yet. This process is called "sending discovery request".
+----------+ | <--------+ | | | +----------+ | +-----------+ +----------+
Proxy 1 +-------------------------------+ | | | | | +-----------+ +----------+ Load Balancer Proxy Agent
+----------+ | | | | +----------+
Proxy 2
* Agent will use the discovery request to establish new connections and check if it has connected and "discovered" all the proxies specified
in the discovery request.
* Assuming that load balancer uses fair load balancing algorithm, agent will eventually discover and connect back to all the proxies.
+----------+ | <--------+ | | | +----------+ | +-----------+ +----------+
Proxy 1 +-------------------------------+ | | | | | | | +-----------+ +----------+ | Load Balancer Proxy Agent
+----------+ | | <--------+ | | +----------+
Proxy 2
Index ¶
Constants ¶
const ( // RemoteAuthServer is a special non-resolvable address that indicates client // requests a connection to the remote auth server. RemoteAuthServer = "@remote-auth-server" // RemoteKubeProxy is a special non-resolvable address that indicates that clients // requests a connection to the remote kubernetes proxy. // This has to be a valid domain name, so it lacks @ RemoteKubeProxy = "remote.kube.proxy.teleport.cluster.local" )
const ConnectedEvent = "connected"
ConnectedEvent is used to indicate that reverse tunnel has connected
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Agent ¶
type Agent struct { sync.RWMutex *log.Entry AgentConfig // contains filtered or unexported fields }
Agent is a reverse tunnel agent running as a part of teleport Proxies to establish outbound reverse tunnels to remote proxies.
There are two operation modes for agents: * Standard agent attempts to establish connection to any available proxy. Standard agent transitions between "connecting" -> "connected states. * Discovering agent attempts to establish connection to a subset of remote proxies (specified in the config via DiscoverProxies parameter.) Discovering agent transitions between "discovering" -> "discovered" states.
func NewAgent ¶
func NewAgent(cfg AgentConfig) (*Agent, error)
NewAgent returns a new reverse tunnel agent
type AgentConfig ¶
type AgentConfig struct { // Addr is target address to dial Addr utils.NetAddr // RemoteCluster is a remote cluster name to connect to RemoteCluster string // Signers contains authentication signers Signers []ssh.Signer // Client is a client to the local auth servers Client auth.ClientI // AccessPoint is a caching access point to the local auth servers AccessPoint auth.AccessPoint // Context is a parent context Context context.Context // DiscoveryC is a channel that receives discovery requests // from reverse tunnel server DiscoveryC chan *discoveryRequest // Username is the name of this client used to authenticate on SSH Username string // DiscoverProxies is set when the agent is created in discovery mode // and is set to connect to one of the target proxies from the list DiscoverProxies []services.Server // Clock is a clock passed in tests, if not set wall clock // will be used Clock clockwork.Clock // EventsC is an optional events channel, used for testing purposes EventsC chan string // KubeDialAddr is a dial address for kubernetes proxy KubeDialAddr utils.NetAddr }
AgentConfig holds configuration for agent
func (*AgentConfig) CheckAndSetDefaults ¶
func (a *AgentConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values
type AgentPool ¶
AgentPool manages the pool of outbound reverse tunnel agents. The agent pool watches the reverse tunnel entries created by the admin and connects/disconnects to added/deleted tunnels.
func NewAgentPool ¶
func NewAgentPool(cfg AgentPoolConfig) (*AgentPool, error)
NewAgentPool returns new isntance of the agent pool
func (*AgentPool) Counts ¶
Counts returns a count of the number of proxies a outbound tunnel is connected to. Used in tests to determine if a proxy has been found and/or removed.
func (*AgentPool) FetchAndSyncAgents ¶
FetchAndSyncAgents executes one time fetch and sync request (used in tests instead of polling)
type AgentPoolConfig ¶
type AgentPoolConfig struct { // Client is client to the auth server this agent connects to receive // a list of pools Client auth.ClientI // AccessPoint is a lightweight access point // that can optionally cache some values AccessPoint auth.AccessPoint // HostSigners is a list of host signers this agent presents itself as HostSigners []ssh.Signer // HostUUID is a unique ID of this host HostUUID string // Context is an optional context Context context.Context // Cluster is a cluster name Cluster string // Clock is a clock used to get time, if not set, // system clock is used Clock clockwork.Clock // KubeDialAddr is an address of a kubernetes proxy KubeDialAddr utils.NetAddr }
AgentPoolConfig holds configuration parameters for the agent pool
func (*AgentPoolConfig) CheckAndSetDefaults ¶
func (cfg *AgentPoolConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults
type Config ¶
type Config struct { // ID is the ID of this server proxy ID string // ClusterName is a name of this cluster ClusterName string // ClientTLS is a TLS config associated with this proxy // used to connect to remote auth servers on remote clusters ClientTLS *tls.Config // Listener is a listener address for reverse tunnel server Listener net.Listener // HostSigners is a list of host signers HostSigners []ssh.Signer // HostKeyCallback // Limiter is optional request limiter Limiter *limiter.Limiter // LocalAuthClient provides access to a full AuthClient for the local cluster. LocalAuthClient auth.ClientI // AccessPoint provides access to a subset of AuthClient of the cluster. // AccessPoint caches values and can still return results during connection // problems. LocalAccessPoint auth.AccessPoint // NewCachingAccessPoint returns new caching access points // per remote cluster NewCachingAccessPoint state.NewCachingAccessPoint // DirectClusters is a list of clusters accessed directly DirectClusters []DirectCluster // Context is a signalling context Context context.Context // Clock is a clock used in the server, set up to // wall clock if not set Clock clockwork.Clock // KeyGen is a process wide key generator. It is shared to speed up // generation of public/private keypairs. KeyGen sshca.Authority // Ciphers is a list of ciphers that the server supports. If omitted, // the defaults will be used. Ciphers []string // KEXAlgorithms is a list of key exchange (KEX) algorithms that the // server supports. If omitted, the defaults will be used. KEXAlgorithms []string // MACAlgorithms is a list of message authentication codes (MAC) that // the server supports. If omitted the defaults will be used. MACAlgorithms []string // DataDir is a local server data directory DataDir string // PollingPeriod specifies polling period for internal sync // goroutines, used to speed up sync-ups in tests. PollingPeriod time.Duration }
Config is a reverse tunnel server configuration
func (*Config) CheckAndSetDefaults ¶
CheckAndSetDefaults checks parameters and sets default values
type DirectCluster ¶
type DirectCluster struct { // Name is a cluster name Name string // Client is a client to the cluster Client auth.ClientI }
DirectCluster is used to access cluster directly
type RemoteSite ¶
type RemoteSite interface { // DialAuthServer returns a net.Conn to the Auth Server of a site. DialAuthServer() (net.Conn, error) // Dial dials any address within the site network. Dial(fromAddr, toAddr net.Addr, userAgent agent.Agent) (net.Conn, error) // GetLastConnected returns last time the remote site was seen connected GetLastConnected() time.Time // GetName returns site name (identified by authority domain's name) GetName() string // GetStatus returns status of this site (either offline or connected) GetStatus() string // GetClient returns client connected to remote auth server GetClient() (auth.ClientI, error) // CachingAccessPoint returns access point that is lightweight // but is resilient to auth server crashes CachingAccessPoint() (auth.AccessPoint, error) // GetTunnelsCount returns the amount of active inbound tunnels // from the remote cluster GetTunnelsCount() int }
RemoteSite represents remote teleport site that can be accessed via teleport tunnel or directly by proxy
There are two implementations of this interface: local and remote sites.
type Server ¶
type Server interface { // GetSites returns a list of connected remote sites GetSites() []RemoteSite // GetSite returns remote site this node belongs to GetSite(domainName string) (RemoteSite, error) // RemoveSite removes the site with the specified name from the list of connected sites RemoveSite(domainName string) error // Start starts server Start() error // Close closes server's operations immediately Close() error // Shutdown performs graceful server shutdown Shutdown(context.Context) error // Wait waits for server to close all outstanding operations Wait() }
Server is a TCP/IP SSH server which listens on an SSH endpoint and remote/local sites connect and register with it.