Documentation
¶
Overview ¶
Package 'config' provides facilities for configuring Teleport daemons including
- parsing YAML configuration
- parsing CLI flags
Index ¶
- func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
- func Configure(clf *CommandLineFlags, cfg *service.Config) error
- func ReadResources(filePath string) ([]services.Resource, error)
- type Auth
- type AuthenticationConfig
- type Authority
- type BPF
- type CachePolicy
- type ClaimMapping
- type ClusterName
- type CommandLabel
- type CommandLineFlags
- type ConnectionLimits
- type ConnectionRate
- type FileConfig
- type Global
- type Kube
- type Log
- type OIDCConnector
- type PAM
- type Proxy
- type ReverseTunnel
- type SSH
- type Service
- type StaticToken
- type StaticTokens
- type TrustedCluster
- type U2F
- type UniversalSecondFactor
- type YAMLMap
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyFileConfig ¶
func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
ApplyFileConfig applies configuration from a YAML file to Teleport runtime config
Types ¶
type Auth ¶
type Auth struct {
Service `yaml:",inline"`
// ProxyProtocol turns on support for HAProxy proxy protocol
// this is the option that has be turned on only by administrator,
// as only admin knows whether service is in front of trusted load balancer
// or not.
ProxyProtocol string `yaml:"proxy_protocol,omitempty"`
// ClusterName is the name of the CA who manages this cluster
ClusterName ClusterName `yaml:"cluster_name,omitempty"`
// StaticTokens are pre-defined host provisioning tokens supplied via config file for
// environments where paranoid security is not needed
//
// Each token string has the following format: "role1,role2,..:token",
// for exmple: "auth,proxy,node:MTIzNGlvemRmOWE4MjNoaQo"
StaticTokens StaticTokens `yaml:"tokens,omitempty"`
// Authentication holds authentication configuration information like authentication
// type, second factor type, specific connector information, etc.
Authentication *AuthenticationConfig `yaml:"authentication,omitempty"`
// SessionRecording determines where the session is recorded: node, proxy, or off.
SessionRecording string `yaml:"session_recording,omitempty"`
// ProxyChecksHostKeys is used when the proxy is in recording mode and
// determines if the proxy will check the host key of the client or not.
ProxyChecksHostKeys string `yaml:"proxy_checks_host_keys,omitempty"`
// LicenseFile is a path to the license file. The path can be either absolute or
// relative to the global data dir
LicenseFile string `yaml:"license_file,omitempty"`
// FOR INTERNAL USE:
// Authorities : 3rd party certificate authorities (CAs) this auth service trusts.
Authorities []Authority `yaml:"authorities,omitempty"`
// FOR INTERNAL USE:
// ReverseTunnels is a list of SSH tunnels to 3rd party proxy services (used to talk
// to 3rd party auth servers we trust)
ReverseTunnels []ReverseTunnel `yaml:"reverse_tunnels,omitempty"`
// TrustedClustersFile is a file path to a file containing public CA keys
// of clusters we trust. One key per line, those starting with '#' are comments
// Deprecated: Remove in Teleport 2.4.1.
TrustedClusters []TrustedCluster `yaml:"trusted_clusters,omitempty"`
// OIDCConnectors is a list of trusted OpenID Connect Identity providers
// Deprecated: Remove in Teleport 2.4.1.
OIDCConnectors []OIDCConnector `yaml:"oidc_connectors,omitempty"`
// Configuration for "universal 2nd factor"
// Deprecated: Remove in Teleport 2.4.1.
U2F U2F `yaml:"u2f,omitempty"`
// DynamicConfig determines when file configuration is pushed to the backend. Setting
// it here overrides defaults.
// Deprecated: Remove in Teleport 2.4.1.
DynamicConfig *bool `yaml:"dynamic_config,omitempty"`
// PublicAddr sets SSH host principals and TLS DNS names to auth
// server certificates
PublicAddr utils.Strings `yaml:"public_addr,omitempty"`
// ClientIdleTimeout sets global cluster default setting for client idle timeouts
ClientIdleTimeout services.Duration `yaml:"client_idle_timeout,omitempty"`
// DisconnectExpiredCert provides disconnect expired certificate setting -
// if true, connections with expired client certificates will get disconnected
DisconnectExpiredCert services.Bool `yaml:"disconnect_expired_cert,omitempty"`
// KubeconfigFile is an optional path to kubeconfig file,
// if specified, teleport will use API server address and
// trusted certificate authority information from it
KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
// KeepAliveInterval set the keep-alive interval for server to client
// connections.
KeepAliveInterval services.Duration `yaml:"keep_alive_interval,omitempty"`
// KeepAliveCountMax set the number of keep-alive messages that can be
// missed before the server disconnects the client.
KeepAliveCountMax int64 `yaml:"keep_alive_count_max,omitempty"`
}
Auth is 'auth_service' section of the config file
type AuthenticationConfig ¶
type AuthenticationConfig struct {
Type string `yaml:"type"`
SecondFactor string `yaml:"second_factor,omitempty"`
ConnectorName string `yaml:"connector_name,omitempty"`
U2F *UniversalSecondFactor `yaml:"u2f,omitempty"`
// LocalAuth controls if local authentication is allowed.
LocalAuth *services.Bool `yaml:"local_auth"`
}
AuthenticationConfig describes the auth_service/authentication section of teleport.yaml
func (*AuthenticationConfig) Parse ¶
func (a *AuthenticationConfig) Parse() (services.AuthPreference, error)
Parse returns a services.AuthPreference (type, second factor, U2F).
type Authority ¶
type Authority struct {
// Type is either user or host certificate authority
Type services.CertAuthType `yaml:"type"`
// DomainName identifies domain name this authority serves,
// for host authorities that means base hostname of all servers,
// for user authorities that means organization name
DomainName string `yaml:"domain_name"`
// Checkers is a list of SSH public keys that can be used to check
// certificate signatures in OpenSSH authorized keys format
CheckingKeys []string `yaml:"checking_keys"`
// CheckingKeyFiles is a list of files
CheckingKeyFiles []string `yaml:"checking_key_files"`
// SigningKeys is a list of PEM-encoded private keys used for signing
SigningKeys []string `yaml:"signing_keys"`
// SigningKeyFiles is a list of paths to PEM encoded private keys used for signing
SigningKeyFiles []string `yaml:"signing_key_files"`
// AllowedLogins is a list of allowed logins for users within
// this certificate authority
AllowedLogins []string `yaml:"allowed_logins"`
}
Authority is a host or user certificate authority that can check and if it has private key stored as well, sign it too
type BPF ¶
type BPF struct {
// Enabled enables or disables enhanced session recording for this node.
Enabled string `yaml:"enabled"`
// CommandBufferSize is the size of the perf buffer for command events.
CommandBufferSize *int `yaml:"command_buffer_size,omitempty"`
// DiskBufferSize is the size of the perf buffer for disk events.
DiskBufferSize *int `yaml:"disk_buffer_size,omitempty"`
// NetworkBufferSize is the size of the perf buffer for network events.
NetworkBufferSize *int `yaml:"network_buffer_size,omitempty"`
// CgroupPath controls where cgroupv2 hierarchy is mounted.
CgroupPath string `yaml:"cgroup_path"`
}
BPF is configuration for BPF-based auditing.
type CachePolicy ¶
type CachePolicy struct {
// Type is for cache type `sqlite` or `in-memory`
Type string `yaml:"type,omitempty"`
// EnabledFlag enables or disables cache
EnabledFlag string `yaml:"enabled,omitempty"`
// TTL sets maximum TTL for the cached values
TTL string `yaml:"ttl,omitempty"`
}
CachePolicy is used to control local cache
func (*CachePolicy) Enabled ¶
func (c *CachePolicy) Enabled() bool
Enabled determines if a given "_service" section has been set to 'true'
func (*CachePolicy) NeverExpires ¶
func (c *CachePolicy) NeverExpires() bool
NeverExpires returns if cache never expires by itself
func (*CachePolicy) Parse ¶
func (c *CachePolicy) Parse() (*service.CachePolicy, error)
Parse parses cache policy from Teleport config
type ClaimMapping ¶
type ClaimMapping struct {
// Claim is OIDC claim name
Claim string `yaml:"claim"`
// Value is claim value to match
Value string `yaml:"value"`
// Roles is a list of teleport roles to match
Roles []string `yaml:"roles,omitempty"`
// RoleTemplate is a template for a role that will be filled
// with data from claims.
RoleTemplate *services.RoleV2 `yaml:"role_template,omitempty"`
}
ClaimMapping is OIDC claim mapping that maps claim name to teleport roles
type ClusterName ¶
type ClusterName string
func (ClusterName) Parse ¶
func (c ClusterName) Parse() (services.ClusterName, error)
type CommandLabel ¶
type CommandLabel struct {
Name string `yaml:"name"`
Command []string `yaml:"command,flow"`
Period time.Duration `yaml:"period"`
}
CommandLabel is `command` section of `ssh_service` in the config file
type CommandLineFlags ¶
type CommandLineFlags struct {
// --name flag
NodeName string
// --auth-server flag
AuthServerAddr []string
// --token flag
AuthToken string
// CAPin is the hash of the SKPI of the root CA. Used to verify the cluster
// being joined is the one expected.
CAPin string
// --listen-ip flag
ListenIP net.IP
// --advertise-ip flag
AdvertiseIP string
// --config flag
ConfigFile string
// Bootstrap flag contains a YAML file that defines a set of resources to bootstrap
// a cluster.
BootstrapFile string
// ConfigString is a base64 encoded configuration string
// set by --config-string or TELEPORT_CONFIG environment variable
ConfigString string
// --roles flag
Roles string
// -d flag
Debug bool
// --insecure-no-tls flag
DisableTLS bool
// --labels flag
Labels string
// --pid-file flag
PIDFile string
// DiagnosticAddr is listen address for diagnostic endpoint
DiagnosticAddr string
// PermitUserEnvironment enables reading of ~/.tsh/environment
// when creating a new session.
PermitUserEnvironment bool
// Insecure mode is controlled by --insecure flag and in this mode
// Teleport won't check certificates when connecting to trusted clusters
// It's useful for learning Teleport (following quick starts, etc).
InsecureMode bool
// FIPS mode means Teleport starts in a FedRAMP/FIPS 140-2 compliant
// configuration.
FIPS bool
}
CommandLineFlags stores command line flag values, it's a much simplified subset of Teleport configuration (which is fully expressed via YAML config file)
type ConnectionLimits ¶
type ConnectionLimits struct {
MaxConnections int64 `yaml:"max_connections"`
MaxUsers int `yaml:"max_users"`
Rates []ConnectionRate `yaml:"rates,omitempty"`
}
ConnectionLimits sets up connection limiter
type ConnectionRate ¶
type ConnectionRate struct {
Period time.Duration `yaml:"period"`
Average int64 `yaml:"average"`
Burst int64 `yaml:"burst"`
}
ConnectionRate configures rate limiter
type FileConfig ¶
type FileConfig struct {
Global `yaml:"teleport,omitempty"`
Auth Auth `yaml:"auth_service,omitempty"`
SSH SSH `yaml:"ssh_service,omitempty"`
Proxy Proxy `yaml:"proxy_service,omitempty"`
}
FileConfig structre represents the teleport configuration stored in a config file in YAML format (usually /etc/teleport.yaml)
Use config.ReadFromFile() to read the parsed FileConfig from a YAML file.
func MakeSampleFileConfig ¶
func MakeSampleFileConfig() (fc *FileConfig, err error)
MakeSampleFileConfig returns a sample config structure populated by defaults, useful to generate sample configuration files
func ReadConfig ¶
func ReadConfig(reader io.Reader) (*FileConfig, error)
ReadConfig reads Teleport configuration from reader in YAML format
func ReadConfigFile ¶
func ReadConfigFile(cliConfigPath string) (*FileConfig, error)
readConfigFile reads /etc/teleport.yaml (or whatever is passed via --config flag) and overrides values in 'cfg' structure
func ReadFromFile ¶
func ReadFromFile(filePath string) (*FileConfig, error)
ReadFromFile reads Teleport configuration from a file. Currently only YAML format is supported
func ReadFromString ¶
func ReadFromString(configString string) (*FileConfig, error)
ReadFromString reads values from base64 encoded byte string
func (*FileConfig) Check ¶
func (conf *FileConfig) Check() error
Check ensures that the ciphers, kex algorithms, and mac algorithms set are supported by golang.org/x/crypto/ssh. This ensures we don't start Teleport with invalid configuration.
func (*FileConfig) DebugDumpToYAML ¶
func (conf *FileConfig) DebugDumpToYAML() string
DebugDumpToYAML allows for quick YAML dumping of the config
type Global ¶
type Global struct {
NodeName string `yaml:"nodename,omitempty"`
DataDir string `yaml:"data_dir,omitempty"`
PIDFile string `yaml:"pid_file,omitempty"`
AuthToken string `yaml:"auth_token,omitempty"`
AuthServers []string `yaml:"auth_servers,omitempty"`
Limits ConnectionLimits `yaml:"connection_limits,omitempty"`
Logger Log `yaml:"log,omitempty"`
Storage backend.Config `yaml:"storage,omitempty"`
AdvertiseIP string `yaml:"advertise_ip,omitempty"`
CachePolicy CachePolicy `yaml:"cache,omitempty"`
SeedConfig *bool `yaml:"seed_config,omitempty"`
// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
// omitted, a Teleport selected list of defaults will be used.
CipherSuites []string `yaml:"ciphersuites,omitempty"`
// Ciphers is a list of SSH ciphers that the server supports. If omitted,
// the defaults will be used.
Ciphers []string `yaml:"ciphers,omitempty"`
// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
// server supports. If omitted, the defaults will be used.
KEXAlgorithms []string `yaml:"kex_algos,omitempty"`
// MACAlgorithms is a list of SSH message authentication codes (MAC) that
// the server supports. If omitted the defaults will be used.
MACAlgorithms []string `yaml:"mac_algos,omitempty"`
// CASignatureAlgorithm is an SSH Certificate Authority (CA) signature
// algorithm that the server uses for signing user and host certificates.
// If omitted, the default will be used.
CASignatureAlgorithm *string `yaml:"ca_signature_algo,omitempty"`
// CAPin is the SKPI hash of the CA used to verify the Auth Server.
CAPin string `yaml:"ca_pin"`
}
Global is 'teleport' (global) section of the config file
type Kube ¶
type Kube struct {
// Service is a generic service configuration section
Service `yaml:",inline"`
// PublicAddr is a publicly advertised address of the kubernetes proxy
PublicAddr utils.Strings `yaml:"public_addr,omitempty"`
// KubeconfigFile is an optional path to kubeconfig file,
// if specified, teleport will use API server address and
// trusted certificate authority information from it
KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
}
Kube is a `kubernetes_service`
type Log ¶
type Log struct {
// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
// a path to a log file
Output string `yaml:"output,omitempty"`
// Severity defines how verbose the log will be. Possible valus are "error", "info", "warn"
Severity string `yaml:"severity,omitempty"`
}
Log configures teleport logging
type OIDCConnector ¶
type OIDCConnector struct {
// ID is a provider id, 'e.g.' google, used internally
ID string `yaml:"id"`
// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
IssuerURL string `yaml:"issuer_url"`
// ClientID is id for authentication client (in our case it's our Auth server)
ClientID string `yaml:"client_id"`
// ClientSecret is used to authenticate our client and should not
// be visible to end user
ClientSecret string `yaml:"client_secret"`
// RedirectURL - Identity provider will use this URL to redirect
// client's browser back to it after successful authentication
// Should match the URL on Provider's side
RedirectURL string `yaml:"redirect_url"`
// ACR is the acr_values parameter to be sent with an authorization request.
ACR string `yaml:"acr_values,omitempty"`
// Provider is the identity provider we connect to. This field is
// only required if using acr_values.
Provider string `yaml:"provider,omitempty"`
// Display controls how this connector is displayed
Display string `yaml:"display"`
// Scope is a list of additional scopes to request from OIDC
// note that oidc and email scopes are always requested
Scope []string `yaml:"scope"`
// ClaimsToRoles is a list of mappings of claims to roles
ClaimsToRoles []ClaimMapping `yaml:"claims_to_roles"`
}
OIDCConnector specifies configuration fo Open ID Connect compatible external identity provider, e.g. google in some organisation
func (*OIDCConnector) Parse ¶
func (o *OIDCConnector) Parse() (services.OIDCConnector, error)
Parse parses config struct into services connector and checks if it's valid
type PAM ¶
type PAM struct {
// Enabled controls if PAM will be used or not.
Enabled string `yaml:"enabled"`
// ServiceName is the name of the PAM policy to apply.
ServiceName string `yaml:"service_name"`
}
PAM is configuration for Pluggable Authentication Modules (PAM).
type Proxy ¶
type Proxy struct {
// Service is a generic service configuration section
Service `yaml:",inline"`
// WebAddr is a web UI listen address
WebAddr string `yaml:"web_listen_addr,omitempty"`
// TunAddr is a reverse tunnel address
TunAddr string `yaml:"tunnel_listen_addr,omitempty"`
// KeyFile is a TLS key file
KeyFile string `yaml:"https_key_file,omitempty"`
// CertFile is a TLS Certificate file
CertFile string `yaml:"https_cert_file,omitempty"`
// ProxyProtocol turns on support for HAProxy proxy protocol
// this is the option that has be turned on only by administrator,
// as only admin knows whether service is in front of trusted load balancer
// or not.
ProxyProtocol string `yaml:"proxy_protocol,omitempty"`
// Kube configures kubernetes protocol support of the proxy
Kube Kube `yaml:"kubernetes,omitempty"`
// PublicAddr sets the hostport the proxy advertises for the HTTP endpoint.
// The hosts in PublicAddr are included in the list of host principals
// on the SSH certificate.
PublicAddr utils.Strings `yaml:"public_addr,omitempty"`
// SSHPublicAddr sets the hostport the proxy advertises for the SSH endpoint.
// The hosts in PublicAddr are included in the list of host principals
// on the SSH certificate.
SSHPublicAddr utils.Strings `yaml:"ssh_public_addr,omitempty"`
// TunnelPublicAddr sets the hostport the proxy advertises for the tunnel
// endpoint. The hosts in PublicAddr are included in the list of host
// principals on the SSH certificate.
TunnelPublicAddr utils.Strings `yaml:"tunnel_public_addr,omitempty"`
}
Proxy is a `proxy_service` section of the config file:
type ReverseTunnel ¶
type ReverseTunnel struct {
DomainName string `yaml:"domain_name"`
Addresses []string `yaml:"addresses"`
}
ReverseTunnel is a SSH reverse tunnel maintained by one cluster's proxy to remote Teleport proxy
func (*ReverseTunnel) ConvertAndValidate ¶
func (t *ReverseTunnel) ConvertAndValidate() (services.ReverseTunnel, error)
ConvertAndValidate returns validated services.ReverseTunnel or nil and error otherwize
type SSH ¶
type SSH struct {
Service `yaml:",inline"`
Namespace string `yaml:"namespace,omitempty"`
Labels map[string]string `yaml:"labels,omitempty"`
Commands []CommandLabel `yaml:"commands,omitempty"`
PermitUserEnvironment bool `yaml:"permit_user_env,omitempty"`
PAM *PAM `yaml:"pam,omitempty"`
// PublicAddr sets SSH host principals for SSH service
PublicAddr utils.Strings `yaml:"public_addr,omitempty"`
// BPF is used to configure BPF-based auditing for this node.
BPF *BPF `yaml:"enhanced_recording,omitempty"`
}
SSH is 'ssh_service' section of the config file
type Service ¶
type Service struct {
EnabledFlag string `yaml:"enabled,omitempty"`
ListenAddress string `yaml:"listen_addr,omitempty"`
}
Service is a common configuration of a teleport service
func (*Service) Configured ¶
Configured determines if a given "_service" section has been specified
type StaticToken ¶
type StaticToken string
func (StaticToken) Parse ¶
func (t StaticToken) Parse() (*services.ProvisionTokenV1, error)
Parse is applied to a string in "role,role,role:token" format. It breaks it apart and constructs a services.ProvisionToken which contains the token, role, and expiry (infinite).
type StaticTokens ¶
type StaticTokens []StaticToken
func (StaticTokens) Parse ¶
func (t StaticTokens) Parse() (services.StaticTokens, error)
type TrustedCluster ¶
type TrustedCluster struct {
// KeyFile is a path to a remote authority (AKA "trusted cluster") public keys
KeyFile string `yaml:"key_file,omitempty"`
// AllowedLogins is a comma-separated list of user logins allowed from that cluster
AllowedLogins string `yaml:"allow_logins,omitempty"`
// TunnelAddr is a comma-separated list of reverse tunnel addresses to
// connect to
TunnelAddr string `yaml:"tunnel_addr,omitempty"`
}
TrustedCluster struct holds configuration values under "trusted_clusters" key
type U2F ¶ added in v1.3.0
type UniversalSecondFactor ¶
func (*UniversalSecondFactor) Parse ¶
func (u *UniversalSecondFactor) Parse() services.U2F
Source Files
Click to show internal directories.
Click to hide internal directories.