Documentation
¶
Overview ¶
Package reversetunnel sets up persistent reverse tunnel between remote site and teleport proxy, when site agents dial to teleport proxy's socket and teleport proxy can connect to any server through this tunnel.
package reversetunnel provides interfaces for accessing remote clusters
via reverse tunnels and directly.
Reverse Tunnels
Proxy server Proxy agent
Reverse tunnel
+----------+ +---------+
| <----------------------+ |
| | | |
+-----+----------+ +---------+-----+ | | | | | | | | +----------------+ +---------------+
Proxy Cluster "A" Proxy Cluster "B"
Reverse tunnel is established from a cluster "B" Proxy to the a cluster "A" proxy, and clients of the cluster "A" can access servers of the cluster "B" via reverse tunnel connection, even if the cluster "B" is behind the firewall.
Multiple Proxies and Revese Tunnels ¶
With multiple proxies behind the load balancer, proxy agents will eventually discover and establish connections to all proxies in cluster.
* Initially Proxy Agent connects to Proxy 1. * Proxy 1 starts sending information about all available proxies that have not received connection from the Proxy Agent yet. This process is called "sending discovery request".
+----------+ | <--------+ | | | +----------+ | +-----------+ +----------+
Proxy 1 +-------------------------------+ |
| | | |
+-----------+ +----------+
Load Balancer Proxy Agent
+----------+ | | | | +----------+
Proxy 2
* Agent will use the discovery request to establish new connections and check if it has connected and "discovered" all the proxies specified
in the discovery request.
* Assuming that load balancer uses fair load balancing algorithm, agent will eventually discover and connect back to all the proxies.
+----------+ | <--------+ | | | +----------+ | +-----------+ +----------+
Proxy 1 +-------------------------------+ |
| | | | |
| +-----------+ +----------+
| Load Balancer Proxy Agent
+----------+ | | <--------+ | | +----------+
Proxy 2
Index ¶
Constants ¶
const ( // RemoteAuthServer is a special non-resolvable address that indicates client // requests a connection to the remote auth server. RemoteAuthServer = "@remote-auth-server" // RemoteKubeProxy is a special non-resolvable address that indicates that clients // requests a connection to the remote kubernetes proxy. // This has to be a valid domain name, so it lacks @ RemoteKubeProxy = "remote.kube.proxy.teleport.cluster.local" )
const ConnectedEvent = "connected"
ConnectedEvent is used to indicate that reverse tunnel has connected
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Agent ¶
type Agent struct {
sync.RWMutex
*log.Entry
AgentConfig
// contains filtered or unexported fields
}
Agent is a reverse tunnel agent running as a part of teleport Proxies to establish outbound reverse tunnels to remote proxies.
There are two operation modes for agents: * Standard agent attempts to establish connection to any available proxy. Standard agent transitions between "connecting" -> "connected states. * Discovering agent attempts to establish connection to a subset of remote proxies (specified in the config via DiscoverProxies parameter.) Discovering agent transitions between "discovering" -> "discovered" states.
func NewAgent ¶
func NewAgent(cfg AgentConfig) (*Agent, error)
NewAgent returns a new reverse tunnel agent
type AgentConfig ¶
type AgentConfig struct {
// Addr is target address to dial
Addr utils.NetAddr
// RemoteCluster is a remote cluster name to connect to
RemoteCluster string
// Signers contains authentication signers
Signers []ssh.Signer
// Client is a client to the local auth servers
Client auth.ClientI
// AccessPoint is a caching access point to the local auth servers
AccessPoint auth.AccessPoint
// Context is a parent context
Context context.Context
// DiscoveryC is a channel that receives discovery requests
// from reverse tunnel server
DiscoveryC chan *discoveryRequest
// Username is the name of this client used to authenticate on SSH
Username string
// DiscoverProxies is set when the agent is created in discovery mode
// and is set to connect to one of the target proxies from the list
DiscoverProxies []services.Server
// Clock is a clock passed in tests, if not set wall clock
// will be used
Clock clockwork.Clock
// EventsC is an optional events channel, used for testing purposes
EventsC chan string
// KubeDialAddr is a dial address for kubernetes proxy
KubeDialAddr utils.NetAddr
}
AgentConfig holds configuration for agent
func (*AgentConfig) CheckAndSetDefaults ¶
func (a *AgentConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values
type AgentPool ¶ added in v1.0.0
AgentPool manages the pool of outbound reverse tunnel agents. The agent pool watches the reverse tunnel entries created by the admin and connects/disconnects to added/deleted tunnels.
func NewAgentPool ¶ added in v1.0.0
func NewAgentPool(cfg AgentPoolConfig) (*AgentPool, error)
NewAgentPool returns new isntance of the agent pool
func (*AgentPool) Counts ¶
Counts returns a count of the number of proxies a outbound tunnel is connected to. Used in tests to determine if a proxy has been found and/or removed.
func (*AgentPool) FetchAndSyncAgents ¶ added in v1.0.0
FetchAndSyncAgents executes one time fetch and sync request (used in tests instead of polling)
type AgentPoolConfig ¶ added in v1.0.0
type AgentPoolConfig struct {
// Client is client to the auth server this agent connects to receive
// a list of pools
Client auth.ClientI
// AccessPoint is a lightweight access point
// that can optionally cache some values
AccessPoint auth.AccessPoint
// HostSigners is a list of host signers this agent presents itself as
HostSigners []ssh.Signer
// HostUUID is a unique ID of this host
HostUUID string
// Context is an optional context
Context context.Context
// Cluster is a cluster name
Cluster string
// Clock is a clock used to get time, if not set,
// system clock is used
Clock clockwork.Clock
// KubeDialAddr is an address of a kubernetes proxy
KubeDialAddr utils.NetAddr
}
AgentPoolConfig holds configuration parameters for the agent pool
func (*AgentPoolConfig) CheckAndSetDefaults ¶
func (cfg *AgentPoolConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults
type Config ¶
type Config struct {
// ID is the ID of this server proxy
ID string
// ClusterName is a name of this cluster
ClusterName string
// ClientTLS is a TLS config associated with this proxy
// used to connect to remote auth servers on remote clusters
ClientTLS *tls.Config
// Listener is a listener address for reverse tunnel server
Listener net.Listener
// HostSigners is a list of host signers
HostSigners []ssh.Signer
// HostKeyCallback
// Limiter is optional request limiter
Limiter *limiter.Limiter
// LocalAuthClient provides access to a full AuthClient for the local cluster.
LocalAuthClient auth.ClientI
// AccessPoint provides access to a subset of AuthClient of the cluster.
// AccessPoint caches values and can still return results during connection
// problems.
LocalAccessPoint auth.AccessPoint
// NewCachingAccessPoint returns new caching access points
// per remote cluster
NewCachingAccessPoint state.NewCachingAccessPoint
// DirectClusters is a list of clusters accessed directly
DirectClusters []DirectCluster
// Context is a signalling context
Context context.Context
// Clock is a clock used in the server, set up to
// wall clock if not set
Clock clockwork.Clock
// KeyGen is a process wide key generator. It is shared to speed up
// generation of public/private keypairs.
KeyGen sshca.Authority
// Ciphers is a list of ciphers that the server supports. If omitted,
// the defaults will be used.
Ciphers []string
// KEXAlgorithms is a list of key exchange (KEX) algorithms that the
// server supports. If omitted, the defaults will be used.
KEXAlgorithms []string
// MACAlgorithms is a list of message authentication codes (MAC) that
// the server supports. If omitted the defaults will be used.
MACAlgorithms []string
// DataDir is a local server data directory
DataDir string
// PollingPeriod specifies polling period for internal sync
// goroutines, used to speed up sync-ups in tests.
PollingPeriod time.Duration
}
Config is a reverse tunnel server configuration
func (*Config) CheckAndSetDefaults ¶
CheckAndSetDefaults checks parameters and sets default values
type DirectCluster ¶
type DirectCluster struct {
// Name is a cluster name
Name string
// Client is a client to the cluster
Client auth.ClientI
}
DirectCluster is used to access cluster directly
type RemoteSite ¶
type RemoteSite interface {
// DialAuthServer returns a net.Conn to the Auth Server of a site.
DialAuthServer() (net.Conn, error)
// Dial dials any address within the site network, in terminating
// mode it uses local instance of forwarding server to terminate
// and record the connection
Dial(fromAddr, toAddr net.Addr, userAgent agent.Agent) (net.Conn, error)
// DialTCP dials any address within the site network,
// ignores recording mode and always uses TCP dial, used
// in components that need direct dialer.
DialTCP(fromAddr, toAddr net.Addr) (net.Conn, error)
// GetLastConnected returns last time the remote site was seen connected
GetLastConnected() time.Time
// GetName returns site name (identified by authority domain's name)
GetName() string
// GetStatus returns status of this site (either offline or connected)
GetStatus() string
// GetClient returns client connected to remote auth server
GetClient() (auth.ClientI, error)
// CachingAccessPoint returns access point that is lightweight
// but is resilient to auth server crashes
CachingAccessPoint() (auth.AccessPoint, error)
// GetTunnelsCount returns the amount of active inbound tunnels
// from the remote cluster
GetTunnelsCount() int
}
RemoteSite represents remote teleport site that can be accessed via teleport tunnel or directly by proxy
There are two implementations of this interface: local and remote sites.
type Server ¶
type Server interface {
// GetSites returns a list of connected remote sites
GetSites() []RemoteSite
// GetSite returns remote site this node belongs to
GetSite(domainName string) (RemoteSite, error)
// RemoveSite removes the site with the specified name from the list of connected sites
RemoveSite(domainName string) error
// Start starts server
Start() error
// Close closes server's operations immediately
Close() error
// Shutdown performs graceful server shutdown
Shutdown(context.Context) error
// Wait waits for server to close all outstanding operations
Wait()
}
Server is a TCP/IP SSH server which listens on an SSH endpoint and remote/local sites connect and register with it.
Source Files