// KeepAliveCountMax is the number of keep-alive messages that can be missed
// before the server disconnects the connection to the client.
int64 KeepAliveCountMax;
// LocalAuth is true if local authentication is enabled.
bool LocalAuth;
// SessionControlTimeout is the session control lease expiry and defines
// the upper limit of how long a node may be out of contact with the auth
// server before it begins terminating controlled sessions.
int64 SessionControlTimeout;
}
```
It is proposed to distribute them in the following fashion:
```proto
// ClusterID field is moved into ClusterName resource.
message ClusterName {
...
string ClusterID;
}
message SessionRecordingConfig {
// ClusterConfig.SessionRecording is renamed to SessionRecordingConfig.Mode.
string Mode;
bool ProxyChecksHostKeys;
}
message ClusterNetworkingConfig {
int64 ClientIdleTimeout;
int64 KeepAliveInterval;
int64 KeepAliveCountMax;
int64 SessionControlTimeout;
}
// The already existing AuditConfig is turned into a standalone resource.
message AuditConfig { ... }
// DisconnectExpiredCert & LocalAuth fields are moved into ClusterAuthPreference.
message ClusterAuthPreference {
...
bool AllowLocalAuth;
bool DisconnectExpiredCert;
}
```
No configuration value should be stored in more than one location in the backend.
Consequently, after the proposed transition has fully taken place,
there will be no `ClusterConfig` resource to be stored in the backend.
#### Backward compatibility
Updating the `ClusterConfig` resource using the `SetClusterConfig` endpoint -- exposed as part of the Auth server HTTP/JSON API, but not really used in the wild -- will not be supported anymore.
To fulfill the obligation of backward compatibility with respect to older Teleport components, reading of `ClusterConfig` will remain supported:
1. `GetClusterConfig` is to populate the legacy `ClusterConfig` structure with data obtained from the other configuration resources.
2. To ensure proper cache propagation, updates to the other configuration resources that contain fields previously belonging to `ClusterConfig` will trigger a `ClusterConfig` event in addition to the event of their own kind.
3. `ClusterConfig` events will be populated with data obtained from the other configuration resources.
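The following Go sketch is an added illustration of points 1 and 2, not Teleport's own code: the `Store`, `LegacyClusterConfig` and `emit` names are hypothetical, the legacy structure is never persisted but derived on read from the standalone resources, and every write to one of those resources emits a `cluster_config` event alongside its own.

```go
package main
import "fmt"
// Stand-ins for the standalone resources proposed above; field names follow the RFD.
type SessionRecordingConfig struct {
	Mode                string
	ProxyChecksHostKeys bool
}
type ClusterNetworkingConfig struct {
	ClientIdleTimeout, KeepAliveInterval, KeepAliveCountMax, SessionControlTimeout int64
}
type ClusterAuthPreference struct{ AllowLocalAuth, DisconnectExpiredCert bool }

// LegacyClusterConfig mirrors the old ClusterConfig fields that older components still read.
type LegacyClusterConfig struct {
	SessionRecording                                                               string
	ProxyChecksHostKeys, LocalAuth, DisconnectExpiredCert                          bool
	ClientIdleTimeout, KeepAliveInterval, KeepAliveCountMax, SessionControlTimeout int64
}

// Store (hypothetical) persists the standalone resources only: no ClusterConfig is ever
// stored. Events collects the kinds of the backend events emitted, in order.
type Store struct {
	Recording  SessionRecordingConfig
	Networking ClusterNetworkingConfig
	AuthPref   ClusterAuthPreference
	Events     []string
}
// emit records the resource's own event plus a legacy cluster_config event so that
// caches keyed on the old kind are refreshed as well (point 2 above).
func (s *Store) emit(kind string) { s.Events = append(s.Events, kind, "cluster_config") }

// Each setter replaces the whole resource, matching the overwrite semantics of tctl.
func (s *Store) SetSessionRecordingConfig(c SessionRecordingConfig)   { s.Recording = c; s.emit("session_recording_config") }
func (s *Store) SetClusterNetworkingConfig(c ClusterNetworkingConfig) { s.Networking = c; s.emit("cluster_networking_config") }
func (s *Store) SetClusterAuthPreference(c ClusterAuthPreference)     { s.AuthPref = c; s.emit("cluster_auth_preference") }

// GetClusterConfig assembles the legacy view on every read (point 1); because the
// result is derived rather than stored, it cannot drift from the new resources.
func (s *Store) GetClusterConfig() LegacyClusterConfig {
	return LegacyClusterConfig{
		SessionRecording: s.Recording.Mode, ProxyChecksHostKeys: s.Recording.ProxyChecksHostKeys,
		ClientIdleTimeout: s.Networking.ClientIdleTimeout, KeepAliveInterval: s.Networking.KeepAliveInterval,
		KeepAliveCountMax: s.Networking.KeepAliveCountMax, SessionControlTimeout: s.Networking.SessionControlTimeout,
		LocalAuth: s.AuthPref.AllowLocalAuth, DisconnectExpiredCert: s.AuthPref.DisconnectExpiredCert,
	}
}
func main() {
	s := &Store{}
	s.SetSessionRecordingConfig(SessionRecordingConfig{Mode: "node-sync", ProxyChecksHostKeys: true})
	fmt.Printf("%+v\n%v\n", s.GetClusterConfig(), s.Events)
}
```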
### (Teleport Cloud only) Restricting to a subset of values of a field
Certain field values should not be available for configuring by Cloud users.
The `Modules` interface shall be extended to provide a resource validation step,
allowing additional checks to be injected when the Cloud license flag is set.
### Additional dynamically configurable resources
In addition to the resources derived from `ClusterConfig`, the resources
`ClusterAuthPreference` and `PAMConfig` should also be adapted to facilitate
the dynamic configuration workflow.
### Working with a whole cluster configuration
`KindClusterConfig` should be retained but reinterpreted as a helper meta-kind
similar to `KindConnectors`. It would allow aggregating all the cluster config
related resources into a single `tctl get` output:
```
$ tctl get cluster_config
kind: session_recording_config
[...]
---
kind: cluster_networking_config
[...]
---
kind: audit_config
[...]
---
kind: cluster_auth_preference
[...]
---
kind: pam_config
[...]
```
This combined output can be subsequently edited and used to replace the old
configuration by passing it to the `tctl create` command which is able to
consume multiple resource definitions (provided the user has the privileges
needed to update all the resource kinds).
Note that if a field of a configuration resource is omitted from the YAML, the
field's value will be reset to its default. The `tctl` workflow supports only
replacing (or overwriting) of a stored resource with another full resource,
not a partial update of the stored resource.
### Examples
#### Setting up node-sync session recording
In this example, `session_recording_config` is assumed to be already
dynamically pre-configured: in particular, while the `mode` field would be by
default set to `node`, here it is already set to `off`.
```
$ tctl get session_recording_config | tee reccfg.yaml
kind: session_recording_config
metadata:
  id: 1618929344290245400
  name: session-recording-config
  labels:
    teleport.dev/origin: dynamic
spec:
  mode: "off"
  proxy_checks_host_keys: yes
version: v2
$ sed -i 's/mode: "off"/mode: "node-sync"/' reccfg.yaml