Documentation
¶
Overview ¶
Package 'config' provides facilities for configuring Teleport daemons including
- parsing YAML configuration
- parsing CLI flags
Index ¶
- func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
- func Configure(clf *CommandLineFlags, cfg *service.Config) error
- type Auth
- type AuthenticationConfig
- type Authority
- type CachePolicy
- type ClaimMapping
- type CommandLabel
- type CommandLineFlags
- type ConnectionLimits
- type ConnectionRate
- type FileConfig
- type Global
- type KeyPair
- type Log
- type OIDCConnector
- type Proxy
- type ReverseTunnel
- type SSH
- type Service
- type StaticToken
- type TrustedCluster
- type U2F
- type UniversalSecondFactor
- type YAMLMap
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyFileConfig ¶
func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error
ApplyFileConfig applies configuration from a YAML file to Teleport runtime config
Types ¶
type Auth ¶
type Auth struct {
Service `yaml:",inline"`
// DomainName is the name of the CA who manages this cluster
DomainName string `yaml:"cluster_name,omitempty"`
// TrustedClustersFile is a file path to a file containing public CA keys
// of clusters we trust. One key per line, those starting with '#' are comments
TrustedClusters []TrustedCluster `yaml:"trusted_clusters,omitempty"`
// FOR INTERNAL USE:
// Authorities : 3rd party certificate authorities (CAs) this auth service trusts.
Authorities []Authority `yaml:"authorities,omitempty"`
// FOR INTERNAL USE:
// ReverseTunnels is a list of SSH tunnels to 3rd party proxy services (used to talk
// to 3rd party auth servers we trust)
ReverseTunnels []ReverseTunnel `yaml:"reverse_tunnels,omitempty"`
// StaticTokens are pre-defined host provisioning tokens supplied via config file for
// environments where paranoid security is not needed
//
// Each token string has the following format: "role1,role2,..:token",
// for exmple: "auth,proxy,node:MTIzNGlvemRmOWE4MjNoaQo"
StaticTokens []StaticToken `yaml:"tokens,omitempty"`
// Authentication holds authentication configuration information like authentication
// type, second factor type, specific connector information, etc.
Authentication *AuthenticationConfig `yaml:"authentication,omitempty"`
// OIDCConnectors is a list of trusted OpenID Connect Identity providers
// Deprecated: Use OIDC section in Authentication section instead.
OIDCConnectors []OIDCConnector `yaml:"oidc_connectors"`
// Configuration for "universal 2nd factor"
// Deprecated: Use U2F section in Authentication section instead.
U2F U2F `yaml:"u2f,omitempty"`
// DynamicConfig determines when file configuration is pushed to the backend. Setting
// it here overrides defaults.
DynamicConfig *bool `yaml:"dynamic_config,omitempty"`
}
Auth is 'auth_service' section of the config file
type AuthenticationConfig ¶
type AuthenticationConfig struct {
Type string `yaml:"type"`
SecondFactor string `yaml:"second_factor,omitempty"`
U2F *UniversalSecondFactor `yaml:"u2f,omitempty"`
OIDC *OIDCConnector `yaml:"oidc,omitempty"`
}
func (*AuthenticationConfig) Parse ¶
func (a *AuthenticationConfig) Parse() (services.AuthPreference, services.OIDCConnector, services.UniversalSecondFactor, error)
Parse returns the Authentication Configuration in three parts, the AuthPreference (type and second factor) as well as OIDCConnector and UniversalSecondFactor that define how those two are configured (if provided).
type Authority ¶
type Authority struct {
// Type is either user or host certificate authority
Type services.CertAuthType `yaml:"type"`
// DomainName identifies domain name this authority serves,
// for host authorities that means base hostname of all servers,
// for user authorities that means organization name
DomainName string `yaml:"domain_name"`
// Checkers is a list of SSH public keys that can be used to check
// certificate signatures in OpenSSH authorized keys format
CheckingKeys []string `yaml:"checking_keys"`
// CheckingKeyFiles is a list of files
CheckingKeyFiles []string `yaml:"checking_key_files"`
// SigningKeys is a list of PEM-encoded private keys used for signing
SigningKeys []string `yaml:"signing_keys"`
// SigningKeyFiles is a list of paths to PEM encoded private keys used for signing
SigningKeyFiles []string `yaml:"signing_key_files"`
// AllowedLogins is a list of allowed logins for users within
// this certificate authority
AllowedLogins []string `yaml:"allowed_logins"`
}
Authority is a host or user certificate authority that can check and if it has private key stored as well, sign it too
type CachePolicy ¶
type CachePolicy struct {
// EnabledFlag enables or disables cache
EnabledFlag string `yaml:"enabled,omitempty"`
// TTL sets maximum TTL for the cached values
TTL string `yaml:"ttl,omitempty"`
}
CachePolicy is used to control local cache
func (*CachePolicy) Enabled ¶
func (c *CachePolicy) Enabled() bool
Enabled determines if a given "_service" section has been set to 'true'
func (*CachePolicy) NeverExpires ¶
func (c *CachePolicy) NeverExpires() bool
NeverExpires returns if cache never expires by itself
func (*CachePolicy) Parse ¶
func (c *CachePolicy) Parse() (*service.CachePolicy, error)
Parse parses cache policy from Teleport config
type ClaimMapping ¶
type ClaimMapping struct {
// Claim is OIDC claim name
Claim string `yaml:"claim"`
// Value is claim value to match
Value string `yaml:"value"`
// Roles is a list of teleport roles to match
Roles []string `yaml:"roles,omitempty"`
// RoleTemplate is a template for a role that will be filled
// with data from claims.
RoleTemplate *services.RoleV2 `yaml:"role_template,omitempty"`
}
ClaimMapping is OIDC claim mapping that maps claim name to teleport roles
type CommandLabel ¶
type CommandLabel struct {
Name string `yaml:"name"`
Command []string `yaml:"command,flow"`
Period time.Duration `yaml:"period"`
}
CommandLabel is `command` section of `ssh_service` in the config file
type CommandLineFlags ¶
type CommandLineFlags struct {
// --name flag
NodeName string
// --auth-server flag
AuthServerAddr string
// --token flag
AuthToken string
// --listen-ip flag
ListenIP net.IP
// --advertise-ip flag
AdvertiseIP net.IP
// --config flag
ConfigFile string
// ConfigString is a base64 encoded configuration string
// set by --config-string or TELEPORT_CONFIG environment variable
ConfigString string
// --roles flag
Roles string
// -d flag
Debug bool
// --labels flag
Labels string
// --httpprofile hidden flag
HTTPProfileEndpoint bool
// --pid-file flag
PIDFile string
// Gops starts gops agent on a specified address
// if not specified, gops won't start
Gops bool
// GopsAddr specifies to gops addr to listen on
GopsAddr string
// DiagnosticAddr is listen address for diagnostic endpoint
DiagnosticAddr string
// PermitUserEnvironment enables reading of ~/.tsh/environment
// when creating a new session.
PermitUserEnvironment bool
}
CommandLineFlags stores command line flag values, it's a much simplified subset of Teleport configuration (which is fully expressed via YAML config file)
type ConnectionLimits ¶
type ConnectionLimits struct {
MaxConnections int64 `yaml:"max_connections"`
MaxUsers int `yaml:"max_users"`
Rates []ConnectionRate `yaml:"rates,omitempty"`
}
ConnectionLimits sets up connection limiter
type ConnectionRate ¶
type ConnectionRate struct {
Period time.Duration `yaml:"period"`
Average int64 `yaml:"average"`
Burst int64 `yaml:"burst"`
}
ConnectionRate configures rate limiter
type FileConfig ¶
type FileConfig struct {
Global `yaml:"teleport,omitempty"`
Auth Auth `yaml:"auth_service,omitempty"`
SSH SSH `yaml:"ssh_service,omitempty"`
Proxy Proxy `yaml:"proxy_service,omitempty"`
}
FileConfig structre represents the teleport configuration stored in a config file in YAML format (usually /etc/teleport.yaml)
Use config.ReadFromFile() to read the parsed FileConfig from a YAML file.
func MakeSampleFileConfig ¶
func MakeSampleFileConfig() (fc *FileConfig)
MakeSampleFileConfig returns a sample config structure populated by defaults, useful to generate sample configuration files
func ReadConfig ¶
func ReadConfig(reader io.Reader) (*FileConfig, error)
ReadConfig reads Teleport configuration from reader in YAML format
func ReadConfigFile ¶
func ReadConfigFile(cliConfigPath string) (*FileConfig, error)
readConfigFile reads /etc/teleport.yaml (or whatever is passed via --config flag) and overrides values in 'cfg' structure
func ReadFromFile ¶
func ReadFromFile(filePath string) (*FileConfig, error)
ReadFromFile reads Teleport configuration from a file. Currently only YAML format is supported
func ReadFromString ¶
func ReadFromString(configString string) (*FileConfig, error)
ReadFromString reads values from base64 encoded byte string
func (*FileConfig) Check ¶
func (conf *FileConfig) Check() error
Check ensures that the ciphers, kex algorithms, and mac algorithms set are supported by golang.org/x/crypto/ssh. This ensures we don't start Teleport with invalid configuration.
func (*FileConfig) DebugDumpToYAML ¶
func (conf *FileConfig) DebugDumpToYAML() string
DebugDumpToYAML allows for quick YAML dumping of the config
type Global ¶
type Global struct {
NodeName string `yaml:"nodename,omitempty"`
DataDir string `yaml:"data_dir,omitempty"`
PIDFile string `yaml:"pid_file,omitempty"`
AuthToken string `yaml:"auth_token,omitempty"`
AuthServers []string `yaml:"auth_servers,omitempty"`
Limits ConnectionLimits `yaml:"connection_limits,omitempty"`
Logger Log `yaml:"log,omitempty"`
Storage backend.Config `yaml:"storage,omitempty"`
AdvertiseIP net.IP `yaml:"advertise_ip,omitempty"`
CachePolicy CachePolicy `yaml:"cache,omitempty"`
SeedConfig *bool `yaml:"seed_config,omitempty"`
// Keys holds the list of SSH key/cert pairs used by all services
// Each service (like proxy, auth, node) can find the key it needs
// by looking into certificate
Keys []KeyPair `yaml:"keys,omitempty"`
// Ciphers is a list of ciphers that the server supports. If omitted,
// the defaults will be used.
Ciphers []string `yaml:"ciphers,omitempty"`
// KEXAlgorithms is a list of key exchange (KEX) algorithms that the
// server supports. If omitted, the defaults will be used.
KEXAlgorithms []string `yaml:"kex_algos,omitempty"`
// MACAlgorithms is a list of message authentication codes (MAC) that
// the server supports. If omitted the defaults will be used.
MACAlgorithms []string `yaml:"mac_algos,omitempty"`
}
Global is 'teleport' (global) section of the config file
type KeyPair ¶
type KeyPair struct {
// PrivateKeyFile is a path to file with private key
PrivateKeyFile string `yaml:"private_key_file"`
// CertFile is a path to file with OpenSSH certificate
CertFile string `yaml:"cert_file"`
// PrivateKey is PEM encoded OpenSSH private key
PrivateKey string `yaml:"private_key"`
// Cert is certificate in OpenSSH authorized keys format
Cert string `yaml:"cert"`
}
KeyPair is a pair of private key and certificates
type Log ¶
type Log struct {
// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
// a path to a log file
Output string `yaml:"output,omitempty"`
// Severity defines how verbose the log will be. Possible valus are "error", "info", "warn"
Severity string `yaml:"severity,omitempty"`
}
Log configures teleport logging
type OIDCConnector ¶
type OIDCConnector struct {
// ID is a provider id, 'e.g.' google, used internally
ID string `yaml:"id"`
// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
IssuerURL string `yaml:"issuer_url"`
// ClientID is id for authentication client (in our case it's our Auth server)
ClientID string `yaml:"client_id"`
// ClientSecret is used to authenticate our client and should not
// be visible to end user
ClientSecret string `yaml:"client_secret"`
// RedirectURL - Identity provider will use this URL to redirect
// client's browser back to it after successfull authentication
// Should match the URL on Provider's side
RedirectURL string `yaml:"redirect_url"`
// ACR is the acr_values parameter to be sent with an authorization request.
ACR string `yaml:"acr_values,omitempty"`
// Provider is the identity provider we connect to. This field is
// only required if using acr_values.
Provider string `yaml:"provider,omitempty"`
// Display controls how this connector is displayed
Display string `yaml:"display"`
// Scope is a list of additional scopes to request from OIDC
// note that oidc and email scopes are always requested
Scope []string `yaml:"scope"`
// ClaimsToRoles is a list of mappings of claims to roles
ClaimsToRoles []ClaimMapping `yaml:"claims_to_roles"`
}
OIDCConnector specifies configuration fo Open ID Connect compatible external identity provider, e.g. google in some organisation
func (*OIDCConnector) Parse ¶
func (o *OIDCConnector) Parse() (services.OIDCConnector, error)
Parse parses config struct into services connector and checks if it's valid
type Proxy ¶
type Proxy struct {
Service `yaml:",inline"`
WebAddr string `yaml:"web_listen_addr,omitempty"`
TunAddr string `yaml:"tunnel_listen_addr,omitempty"`
KeyFile string `yaml:"https_key_file,omitempty"`
CertFile string `yaml:"https_cert_file,omitempty"`
PublicAddr string `yaml:"public_addr,omitempty"`
}
Proxy is `proxy_service` section of the config file:
type ReverseTunnel ¶
type ReverseTunnel struct {
DomainName string `yaml:"domain_name"`
Addresses []string `yaml:"addresses"`
}
ReverseTunnel is a SSH reverse tunnel mantained by one cluster's proxy to remote Teleport proxy
func (*ReverseTunnel) ConvertAndValidate ¶
func (t *ReverseTunnel) ConvertAndValidate() (services.ReverseTunnel, error)
ConvertAndValidate returns validated services.ReverseTunnel or nil and error otherwize
type SSH ¶
type SSH struct {
Service `yaml:",inline"`
Namespace string `yaml:"namespace,omitempty"`
Labels map[string]string `yaml:"labels,omitempty"`
Commands []CommandLabel `yaml:"commands,omitempty"`
PermitUserEnvironment bool `yaml:"permit_user_env,omitempty"`
}
SSH is 'ssh_service' section of the config file
type Service ¶
type Service struct {
EnabledFlag string `yaml:"enabled,omitempty"`
ListenAddress string `yaml:"listen_addr,omitempty"`
}
Service is a common configuration of a teleport service
func (*Service) Configured ¶
Configured determines if a given "_service" section has been specified
type StaticToken ¶
type StaticToken string
type TrustedCluster ¶
type TrustedCluster struct {
// KeyFile is a path to a remote authority (AKA "trusted cluster") public keys
KeyFile string `yaml:"key_file,omitempty"`
// AllowedLogins is a comma-separated list of user logins allowed from that cluster
AllowedLogins string `yaml:"allow_logins,omitempty"`
// TunnelAddr is a comma-separated list of reverse tunnel addressess to
// connect to
TunnelAddr string `yaml:"tunnel_addr,omitempty"`
}
TrustedCluster struct holds configuration values under "trusted_clusters" key
type U2F ¶ added in v1.3.0
type UniversalSecondFactor ¶
func (*UniversalSecondFactor) Parse ¶
func (u *UniversalSecondFactor) Parse() (services.UniversalSecondFactor, error)
Source Files
Click to show internal directories.
Click to hide internal directories.