Documentation ¶
Overview ¶
Package 'config' provides facilities for configuring Teleport daemons including
- parsing YAML configuration
- parsing CLI flags
Index ¶
- func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
- func Configure(clf *CommandLineFlags, cfg *service.Config) error
- type Auth
- type AuthenticationConfig
- type Authority
- type CachePolicy
- type ClaimMapping
- type ClusterName
- type CommandLabel
- type CommandLineFlags
- type ConnectionLimits
- type ConnectionRate
- type FileConfig
- type Global
- type KeyPair
- type Kube
- type Log
- type OIDCConnector
- type PAM
- type Proxy
- type ReverseTunnel
- type SSH
- type Service
- type StaticToken
- type StaticTokens
- type TrustedCluster
- type U2F
- type UniversalSecondFactor
- type YAMLMap
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyFileConfig ¶
func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
ApplyFileConfig applies configuration from a YAML file to Teleport runtime config
Types ¶
type Auth ¶
type Auth struct { Service `yaml:",inline"` // ProxyProtocol turns on support for HAProxy proxy protocol // this is the option that has be turned on only by administrator, // as only admin knows whether service is in front of trusted load balancer // or not. ProxyProtocol string `yaml:"proxy_protocol,omitempty"` // ClusterName is the name of the CA who manages this cluster ClusterName ClusterName `yaml:"cluster_name,omitempty"` // StaticTokens are pre-defined host provisioning tokens supplied via config file for // environments where paranoid security is not needed // // Each token string has the following format: "role1,role2,..:token", // for exmple: "auth,proxy,node:MTIzNGlvemRmOWE4MjNoaQo" StaticTokens StaticTokens `yaml:"tokens,omitempty"` // Authentication holds authentication configuration information like authentication // type, second factor type, specific connector information, etc. Authentication *AuthenticationConfig `yaml:"authentication,omitempty"` // SessionRecording determines where the session is recorded: node, proxy, or off. SessionRecording string `yaml:"session_recording"` // ProxyChecksHostKeys is used when the proxy is in recording mode and // determines if the proxy will check the host key of the client or not. ProxyChecksHostKeys string `yaml:"proxy_checks_host_keys,omitempty"` // LicenseFile is a path to the license file. The path can be either absolute or // relative to the global data dir LicenseFile string `yaml:"license_file,omitempty"` // FOR INTERNAL USE: // Authorities : 3rd party certificate authorities (CAs) this auth service trusts. Authorities []Authority `yaml:"authorities,omitempty"` // FOR INTERNAL USE: // ReverseTunnels is a list of SSH tunnels to 3rd party proxy services (used to talk // to 3rd party auth servers we trust) ReverseTunnels []ReverseTunnel `yaml:"reverse_tunnels,omitempty"` // TrustedClustersFile is a file path to a file containing public CA keys // of clusters we trust. One key per line, those starting with '#' are comments // Deprecated: Remove in Teleport 2.4.1. TrustedClusters []TrustedCluster `yaml:"trusted_clusters,omitempty"` // OIDCConnectors is a list of trusted OpenID Connect Identity providers // Deprecated: Remove in Teleport 2.4.1. OIDCConnectors []OIDCConnector `yaml:"oidc_connectors,omitempty"` // Configuration for "universal 2nd factor" // Deprecated: Remove in Teleport 2.4.1. U2F U2F `yaml:"u2f,omitempty"` // DynamicConfig determines when file configuration is pushed to the backend. Setting // it here overrides defaults. // Deprecated: Remove in Teleport 2.4.1. DynamicConfig *bool `yaml:"dynamic_config,omitempty"` // PublicAddr sets SSH host principals and TLS DNS names to auth // server certificates PublicAddr utils.Strings `yaml:"public_addr,omitempty"` // ClientIdleTimeout sets global cluster default setting for client idle timeouts ClientIdleTimeout services.Duration `yaml:"client_idle_timeout"` // DisconnectExpiredCert provides disconnect expired certificate setting - // if true, connections with expired client certificates will get disconnected DisconnectExpiredCert services.Bool `yaml:"disconnect_expired_cert"` // KubeconfigFile is an optional path to kubeconfig file, // if specified, teleport will use API server address and // trusted certificate authority information from it KubeconfigFile string `yaml:"kubeconfig_file,omitempty"` // KeepAliveInterval set the keep-alive interval for server to client // connections. KeepAliveInterval services.Duration `yaml:"keep_alive_interval,omitempty"` // KeepAliveCountMax set the number of keep-alive messages that can be // missed before the server disconnects the client. KeepAliveCountMax int `yaml:"keep_alive_count_max"` }
Auth is 'auth_service' section of the config file
type AuthenticationConfig ¶
type AuthenticationConfig struct { Type string `yaml:"type"` SecondFactor string `yaml:"second_factor,omitempty"` ConnectorName string `yaml:"connector_name,omitempty"` U2F *UniversalSecondFactor `yaml:"u2f,omitempty"` // TODO: OIDC connection is DEPRECATED!!!! Users are supposed to use resources // for configuring OIDC connectors OIDC *OIDCConnector `yaml:"oidc,omitempty"` }
AuthenticationConfig describes the auth_service/authentication section of teleport.yaml
func (*AuthenticationConfig) Parse ¶
func (a *AuthenticationConfig) Parse() (services.AuthPreference, services.OIDCConnector, error)
Parse returns the Authentication Configuration in two parts: AuthPreference (type, second factor, u2f) and OIDCConnector.
type Authority ¶
type Authority struct { // Type is either user or host certificate authority Type services.CertAuthType `yaml:"type"` // DomainName identifies domain name this authority serves, // for host authorities that means base hostname of all servers, // for user authorities that means organization name DomainName string `yaml:"domain_name"` // Checkers is a list of SSH public keys that can be used to check // certificate signatures in OpenSSH authorized keys format CheckingKeys []string `yaml:"checking_keys"` // CheckingKeyFiles is a list of files CheckingKeyFiles []string `yaml:"checking_key_files"` // SigningKeys is a list of PEM-encoded private keys used for signing SigningKeys []string `yaml:"signing_keys"` // SigningKeyFiles is a list of paths to PEM encoded private keys used for signing SigningKeyFiles []string `yaml:"signing_key_files"` // AllowedLogins is a list of allowed logins for users within // this certificate authority AllowedLogins []string `yaml:"allowed_logins"` }
Authority is a host or user certificate authority that can check and if it has private key stored as well, sign it too
type CachePolicy ¶
type CachePolicy struct { // EnabledFlag enables or disables cache EnabledFlag string `yaml:"enabled,omitempty"` // TTL sets maximum TTL for the cached values TTL string `yaml:"ttl,omitempty"` }
CachePolicy is used to control local cache
func (*CachePolicy) Enabled ¶
func (c *CachePolicy) Enabled() bool
Enabled determines if a given "_service" section has been set to 'true'
func (*CachePolicy) NeverExpires ¶
func (c *CachePolicy) NeverExpires() bool
NeverExpires returns if cache never expires by itself
func (*CachePolicy) Parse ¶
func (c *CachePolicy) Parse() (*service.CachePolicy, error)
Parse parses cache policy from Teleport config
type ClaimMapping ¶
type ClaimMapping struct { // Claim is OIDC claim name Claim string `yaml:"claim"` // Value is claim value to match Value string `yaml:"value"` // Roles is a list of teleport roles to match Roles []string `yaml:"roles,omitempty"` // RoleTemplate is a template for a role that will be filled // with data from claims. RoleTemplate *services.RoleV2 `yaml:"role_template,omitempty"` }
ClaimMapping is OIDC claim mapping that maps claim name to teleport roles
type ClusterName ¶
type ClusterName string
func (ClusterName) Parse ¶
func (c ClusterName) Parse() (services.ClusterName, error)
type CommandLabel ¶
type CommandLabel struct { Name string `yaml:"name"` Command []string `yaml:"command,flow"` Period time.Duration `yaml:"period"` }
CommandLabel is `command` section of `ssh_service` in the config file
type CommandLineFlags ¶
type CommandLineFlags struct { // --name flag NodeName string // --auth-server flag AuthServerAddr string // --token flag AuthToken string // CAPin is the hash of the SKPI of the root CA. Used to verify the cluster // being joined is the one expected. CAPin string // --listen-ip flag ListenIP net.IP // --advertise-ip flag AdvertiseIP string // --config flag ConfigFile string // ConfigString is a base64 encoded configuration string // set by --config-string or TELEPORT_CONFIG environment variable ConfigString string // --roles flag Roles string // -d flag Debug bool // --insecure-no-tls flag DisableTLS bool // --labels flag Labels string // --pid-file flag PIDFile string // DiagnosticAddr is listen address for diagnostic endpoint DiagnosticAddr string // PermitUserEnvironment enables reading of ~/.tsh/environment // when creating a new session. PermitUserEnvironment bool // Insecure mode is controlled by --insecure flag and in this mode // Teleport won't check certificates when connecting to trusted clusters // It's useful for learning Teleport (following quick starts, etc). InsecureMode bool }
CommandLineFlags stores command line flag values, it's a much simplified subset of Teleport configuration (which is fully expressed via YAML config file)
type ConnectionLimits ¶
type ConnectionLimits struct { MaxConnections int64 `yaml:"max_connections"` MaxUsers int `yaml:"max_users"` Rates []ConnectionRate `yaml:"rates,omitempty"` }
ConnectionLimits sets up connection limiter
type ConnectionRate ¶
type ConnectionRate struct { Period time.Duration `yaml:"period"` Average int64 `yaml:"average"` Burst int64 `yaml:"burst"` }
ConnectionRate configures rate limiter
type FileConfig ¶
type FileConfig struct { Global `yaml:"teleport,omitempty"` Auth Auth `yaml:"auth_service,omitempty"` SSH SSH `yaml:"ssh_service,omitempty"` Proxy Proxy `yaml:"proxy_service,omitempty"` }
FileConfig structre represents the teleport configuration stored in a config file in YAML format (usually /etc/teleport.yaml)
Use config.ReadFromFile() to read the parsed FileConfig from a YAML file.
func MakeSampleFileConfig ¶
func MakeSampleFileConfig() (fc *FileConfig)
MakeSampleFileConfig returns a sample config structure populated by defaults, useful to generate sample configuration files
func ReadConfig ¶
func ReadConfig(reader io.Reader) (*FileConfig, error)
ReadConfig reads Teleport configuration from reader in YAML format
func ReadConfigFile ¶
func ReadConfigFile(cliConfigPath string) (*FileConfig, error)
readConfigFile reads /etc/teleport.yaml (or whatever is passed via --config flag) and overrides values in 'cfg' structure
func ReadFromFile ¶
func ReadFromFile(filePath string) (*FileConfig, error)
ReadFromFile reads Teleport configuration from a file. Currently only YAML format is supported
func ReadFromString ¶
func ReadFromString(configString string) (*FileConfig, error)
ReadFromString reads values from base64 encoded byte string
func (*FileConfig) Check ¶
func (conf *FileConfig) Check() error
Check ensures that the ciphers, kex algorithms, and mac algorithms set are supported by golang.org/x/crypto/ssh. This ensures we don't start Teleport with invalid configuration.
func (*FileConfig) DebugDumpToYAML ¶
func (conf *FileConfig) DebugDumpToYAML() string
DebugDumpToYAML allows for quick YAML dumping of the config
type Global ¶
type Global struct { NodeName string `yaml:"nodename,omitempty"` DataDir string `yaml:"data_dir,omitempty"` PIDFile string `yaml:"pid_file,omitempty"` AuthToken string `yaml:"auth_token,omitempty"` AuthServers []string `yaml:"auth_servers,omitempty"` Limits ConnectionLimits `yaml:"connection_limits,omitempty"` Logger Log `yaml:"log,omitempty"` Storage backend.Config `yaml:"storage,omitempty"` AdvertiseIP string `yaml:"advertise_ip,omitempty"` CachePolicy CachePolicy `yaml:"cache,omitempty"` SeedConfig *bool `yaml:"seed_config,omitempty"` // Keys holds the list of SSH key/cert pairs used by all services // Each service (like proxy, auth, node) can find the key it needs // by looking into certificate Keys []KeyPair `yaml:"keys,omitempty"` // CipherSuites is a list of TLS ciphersuites that Teleport supports. If // omitted, a Teleport selected list of defaults will be used. CipherSuites []string `yaml:"ciphersuites,omitempty"` // Ciphers is a list of SSH ciphers that the server supports. If omitted, // the defaults will be used. Ciphers []string `yaml:"ciphers,omitempty"` // KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the // server supports. If omitted, the defaults will be used. KEXAlgorithms []string `yaml:"kex_algos,omitempty"` // MACAlgorithms is a list of SSH message authentication codes (MAC) that // the server supports. If omitted the defaults will be used. MACAlgorithms []string `yaml:"mac_algos,omitempty"` // CAPin is the SKPI hash of the CA used to verify the Auth Server. CAPin string `yaml:"ca_pin"` }
Global is 'teleport' (global) section of the config file
type KeyPair ¶
type KeyPair struct { // PrivateKeyFile is a path to file with private key PrivateKeyFile string `yaml:"private_key_file"` // CertFile is a path to file with OpenSSH certificate CertFile string `yaml:"cert_file"` // PrivateKey is PEM encoded OpenSSH private key PrivateKey string `yaml:"private_key"` // Cert is certificate in OpenSSH authorized keys format Cert string `yaml:"cert"` // TLSCert is TLS certificate in PEM format TLSCert string `yaml:"tls_cert"` // TLSCACert is TLS certificate in PEM format for trusted CA TLSCACert string `yaml:"tls_ca_cert"` }
KeyPair is a pair of private key and certificates
type Kube ¶
type Kube struct { // Service is a generic service configuration section Service `yaml:",inline"` // PublicAddr is a publicly advertised address of the kubernetes proxy PublicAddr utils.Strings `yaml:"public_addr,omitempty"` }
Kube is a `kubernetes_service`
type Log ¶
type Log struct { // Output defines where logs go. It can be one of the following: "stderr", "stdout" or // a path to a log file Output string `yaml:"output,omitempty"` // Severity defines how verbose the log will be. Possible valus are "error", "info", "warn" Severity string `yaml:"severity,omitempty"` }
Log configures teleport logging
type OIDCConnector ¶
type OIDCConnector struct { // ID is a provider id, 'e.g.' google, used internally ID string `yaml:"id"` // Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com IssuerURL string `yaml:"issuer_url"` // ClientID is id for authentication client (in our case it's our Auth server) ClientID string `yaml:"client_id"` // ClientSecret is used to authenticate our client and should not // be visible to end user ClientSecret string `yaml:"client_secret"` // RedirectURL - Identity provider will use this URL to redirect // client's browser back to it after successful authentication // Should match the URL on Provider's side RedirectURL string `yaml:"redirect_url"` // ACR is the acr_values parameter to be sent with an authorization request. ACR string `yaml:"acr_values,omitempty"` // Provider is the identity provider we connect to. This field is // only required if using acr_values. Provider string `yaml:"provider,omitempty"` // Display controls how this connector is displayed Display string `yaml:"display"` // Scope is a list of additional scopes to request from OIDC // note that oidc and email scopes are always requested Scope []string `yaml:"scope"` // ClaimsToRoles is a list of mappings of claims to roles ClaimsToRoles []ClaimMapping `yaml:"claims_to_roles"` }
OIDCConnector specifies configuration fo Open ID Connect compatible external identity provider, e.g. google in some organisation
func (*OIDCConnector) Parse ¶
func (o *OIDCConnector) Parse() (services.OIDCConnector, error)
Parse parses config struct into services connector and checks if it's valid
type PAM ¶
type PAM struct { // Enabled controls if PAM will be used or not. Enabled string `yaml:"enabled"` // ServiceName is the name of the PAM policy to apply. ServiceName string `yaml:"service_name"` }
PAM is configuration for Pluggable Authentication Modules (PAM).
type Proxy ¶
type Proxy struct { // Service is a generic service configuration section Service `yaml:",inline"` // WebAddr is a web UI listen address WebAddr string `yaml:"web_listen_addr,omitempty"` // TunAddr is a reverse tunnel address TunAddr string `yaml:"tunnel_listen_addr,omitempty"` // KeyFile is a TLS key file KeyFile string `yaml:"https_key_file,omitempty"` // CertFile is a TLS Certificate file CertFile string `yaml:"https_cert_file,omitempty"` // ProxyProtocol turns on support for HAProxy proxy protocol // this is the option that has be turned on only by administrator, // as only admin knows whether service is in front of trusted load balancer // or not. ProxyProtocol string `yaml:"proxy_protocol,omitempty"` // Kube configures kubernetes protocol support of the proxy Kube Kube `yaml:"kubernetes,omitempty"` // PublicAddr sets the hostport the proxy advertises for the HTTP endpoint. // The hosts in PublicAddr are included in the list of host principals // on the SSH certificate. PublicAddr utils.Strings `yaml:"public_addr,omitempty"` // SSHPublicAddr sets the hostport the proxy advertises for the SSH endpoint. // The hosts in PublicAddr are included in the list of host principals // on the SSH certificate. SSHPublicAddr utils.Strings `yaml:"ssh_public_addr,omitempty"` }
Proxy is a `proxy_service` section of the config file:
type ReverseTunnel ¶
type ReverseTunnel struct { DomainName string `yaml:"domain_name"` Addresses []string `yaml:"addresses"` }
ReverseTunnel is a SSH reverse tunnel maintained by one cluster's proxy to remote Teleport proxy
func (*ReverseTunnel) ConvertAndValidate ¶
func (t *ReverseTunnel) ConvertAndValidate() (services.ReverseTunnel, error)
ConvertAndValidate returns validated services.ReverseTunnel or nil and error otherwize
type SSH ¶
type SSH struct { Service `yaml:",inline"` Namespace string `yaml:"namespace,omitempty"` Labels map[string]string `yaml:"labels,omitempty"` Commands []CommandLabel `yaml:"commands,omitempty"` PermitUserEnvironment bool `yaml:"permit_user_env,omitempty"` PAM *PAM `yaml:"pam,omitempty"` // PublicAddr sets SSH host principals for SSH service PublicAddr utils.Strings `yaml:"public_addr,omitempty"` }
SSH is 'ssh_service' section of the config file
type Service ¶
type Service struct { EnabledFlag string `yaml:"enabled,omitempty"` ListenAddress string `yaml:"listen_addr,omitempty"` }
Service is a common configuration of a teleport service
func (*Service) Configured ¶
Configured determines if a given "_service" section has been specified
type StaticToken ¶
type StaticToken string
func (StaticToken) Parse ¶
func (t StaticToken) Parse() (services.ProvisionToken, error)
Parse is applied to a string in "role,role,role:token" format. It breaks it apart and constructs a services.ProvisionToken which contains the token, role, and expiry (infinite).
type StaticTokens ¶
type StaticTokens []StaticToken
func (StaticTokens) Parse ¶
func (t StaticTokens) Parse() (services.StaticTokens, error)
type TrustedCluster ¶
type TrustedCluster struct { // KeyFile is a path to a remote authority (AKA "trusted cluster") public keys KeyFile string `yaml:"key_file,omitempty"` // AllowedLogins is a comma-separated list of user logins allowed from that cluster AllowedLogins string `yaml:"allow_logins,omitempty"` // TunnelAddr is a comma-separated list of reverse tunnel addresses to // connect to TunnelAddr string `yaml:"tunnel_addr,omitempty"` }
TrustedCluster struct holds configuration values under "trusted_clusters" key
type U2F ¶
type UniversalSecondFactor ¶
func (*UniversalSecondFactor) Parse ¶
func (u *UniversalSecondFactor) Parse() services.U2F