Introduce config v3, add auth_server and proxy_server, remove auth_addresses (#15761)

This commit is contained in:
Ryan Clark 2022-09-28 16:30:15 +01:00 committed by GitHub
parent 9b99a4831c
commit 806a568ada
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
89 changed files with 1134 additions and 683 deletions


@ -33,7 +33,7 @@
# token is read as a parameter from the AWS ssm script run and
# passed as the first argument to the script
sudo /usr/local/bin/teleport node configure \
--auth-server="{{ .PublicProxyAddr }}" \
--proxy="{{ .PublicProxyAddr }}" \
--join-method=iam \
--token="$1" \
--output=file \


@ -21,6 +21,7 @@ import (
"time"
"github.com/gravitational/teleport/api/defaults"
apiutils "github.com/gravitational/teleport/api/utils"
"github.com/gravitational/trace"
)
@ -39,6 +40,21 @@ const (
JoinMethodIAM JoinMethod = "iam"
)
var JoinMethods = []JoinMethod{
JoinMethodToken,
JoinMethodEC2,
JoinMethodIAM,
}
func ValidateJoinMethod(method JoinMethod) error {
hasJoinMethod := apiutils.SliceContainsStr(JoinMethods, method)
if !hasJoinMethod {
return trace.BadParameter("join method must be one of %s", apiutils.JoinStrings(JoinMethods, ", "))
}
return nil
}
// ProvisionToken is a provisioning token
type ProvisionToken interface {
Resource
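Review bot: `JoinMethods` and `ValidateJoinMethod` are exported but carry no doc comment, unlike the neighbouring `ProvisionToken`; add `// JoinMethods lists every join method a provision token may use.` above the slice and `// ValidateJoinMethod returns a BadParameter error unless method is one of JoinMethods.` above the function. The error text echoes the fixed allowed list rather than the caller-supplied value, which is the right choice for a message that may be returned to a remote client; keep that property if the check is extended later. The `const` block the hunk header shows starts outside the hunk.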


@ -16,6 +16,10 @@ limitations under the License.
package utils
import (
"strings"
)
// CopyByteSlice returns a copy of the byte slice.
func CopyByteSlice(in []byte) []byte {
if in == nil {
@ -52,7 +56,7 @@ func StringSlicesEqual(a, b []string) bool {
}
// SliceContainsStr returns 'true' if the slice contains the given value
func SliceContainsStr(slice []string, value string) bool {
func SliceContainsStr[T ~string](slice []T, value T) bool {
for i := range slice {
if slice[i] == value {
return true
@ -61,6 +65,31 @@ func SliceContainsStr(slice []string, value string) bool {
return false
}
// JoinStrings returns a string that is all the elements in the slice `T[]` joined by `sep`
// This being generic allows for the usage of custom string times, without having to convert
// the elements to a string to be passed into `strings.Join`.
func JoinStrings[T ~string](elems []T, sep string) T {
switch len(elems) {
case 0:
return ""
case 1:
return elems[0]
}
n := len(sep) * (len(elems) - 1)
for i := 0; i < len(elems); i++ {
n += len(elems[i])
}
var b strings.Builder
b.Grow(n)
b.WriteString(string(elems[0]))
for _, s := range elems[1:] {
b.WriteString(sep)
b.WriteString(string(s))
}
return T(b.String())
}
// Deduplicate deduplicates list of strings
func Deduplicate(in []string) []string {
if len(in) == 0 {
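Review bot: The doc comment on `JoinStrings` does not match its signature: it says the function "returns a string" while the return type is `T`, and it reads "custom string times" and "`T[]`". Suggest `// JoinStrings concatenates the elements of elems separated by sep and returns the result as T.` followed by `// Being generic over T ~string lets callers pass slices of named string types without converting each element for strings.Join.`. Returning `T` rather than `string` is presumably intended so the result keeps the caller's named type (the only visible caller formats it with `%s`); if that is not the intent, a plain `string` return would match the name better. `Deduplicate` continues outside the hunk.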


@ -307,6 +307,7 @@ elif [[ "${TELEPORT_ROLE}" == "proxy" ]]; then
# Teleport proxy proxies and optionally records
# SSH sessions
cat >${USE_CONFIG_PATH} <<EOF
version: v3
teleport:
auth_token: /var/lib/teleport/token
ca_pin: CA_PIN_HASH_PLACEHOLDER
@ -324,8 +325,7 @@ teleport:
storage:
type: dir
path: /var/lib/teleport/backend
auth_servers:
- ${TELEPORT_AUTH_SERVER_LB}:3025
auth_server: ${TELEPORT_AUTH_SERVER_LB}:3025
auth_service:
enabled: no
@ -348,7 +348,7 @@ EOF
if [[ "${USE_ACM}" != "true" ]]; then
write_https_keypairs_section
fi
# set up the database listeners
write_database_section TELEPORT_DOMAIN_NAME
@ -374,6 +374,7 @@ elif [[ "${TELEPORT_ROLE}" == "node" ]]; then
echo "node" > ${USE_CONFD_DIR}/role.node
# Teleport node handles incoming connections
cat >${USE_CONFIG_PATH} <<EOF
version: v3
teleport:
auth_token: /var/lib/teleport/token
ca_pin: CA_PIN_HASH_PLACEHOLDER
@ -386,8 +387,7 @@ teleport:
storage:
type: dir
path: /var/lib/teleport/backend
auth_servers:
- ${TELEPORT_AUTH_SERVER_LB}:3025
auth_server: ${TELEPORT_AUTH_SERVER_LB}:443
auth_service:
enabled: no
@ -506,7 +506,7 @@ EOF
# set up the database listeners
write_database_section TELEPORT_EXTERNAL_HOSTNAME
# set up the kubernetes listener
write_kubernetes_section TELEPORT_EXTERNAL_HOSTNAME
@ -527,7 +527,7 @@ EOF
# set up the database listeners
write_database_section TELEPORT_EXTERNAL_HOSTNAME
# set up the kubernetes listener
write_kubernetes_section TELEPORT_EXTERNAL_HOSTNAME
@ -588,7 +588,7 @@ EOF
# write ssh/tunnel config
write_ssh_and_tunnel_section 3080
# set up the database listeners
write_database_section TELEPORT_EXTERNAL_HOSTNAME
@ -767,13 +767,14 @@ EOF
elif [[ "${TELEPORT_ROLE}" == "agent" ]]; then
echo "agent" > ${USE_CONFD_DIR}/role.agent
cat >${USE_CONFIG_PATH} <<EOF
version: v3
teleport:
log:
output: stderr
severity: INFO
data_dir: /var/lib/teleport
auth_token: ${TELEPORT_JOIN_TOKEN}
auth_servers: ['${TELEPORT_PROXY_SERVER_LB}']
proxy_server: ${TELEPORT_PROXY_SERVER_LB}
auth_service:
enabled: no
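Review bot: The node role now writes `auth_server: ${TELEPORT_AUTH_SERVER_LB}:443` where the removed line used port 3025, while the proxy role's corresponding line keeps `auth_server: ${TELEPORT_AUTH_SERVER_LB}:3025`; the auth load balancer presumably fronts the auth API on 3025, so unless it also has a 443 listener, nodes built from this script will fail to register. Either restore `auth_server: ${TELEPORT_AUTH_SERVER_LB}:3025` or, if the intent is to join through the proxy, use `proxy_server: ${TELEPORT_PROXY_SERVER_LB}` as the agent role below does. The bats checks for this generated file only grep for the load-balancer name, not the port, so they would not catch the mismatch. The heredocs and the surrounding role branches start and end outside the hunks.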


@ -18,10 +18,10 @@ load fixtures/common
[ ${GENERATE_EXIT_CODE?} -eq 0 ]
}
@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
@test "[${TEST_SUITE?}] teleport.proxy_server is set correctly" {
load ${TELEPORT_CONFD_DIR?}/conf
cat "${TELEPORT_CONFIG_PATH?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_servers:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ proxy_server:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
}
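Review bot: The updated check keeps `-A1` on `grep -E "^ proxy_server:"`, which was only needed when `auth_servers:` was a list with the value on the following line; with `proxy_server:` the value is inline, so the extra context line makes the assertion looser (the trailing `grep -q` is also satisfied if the next line of the config happens to contain `${TELEPORT_PROXY_SERVER_LB?}`). Drop it: `cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ proxy_server:" | grep -q "${TELEPORT_PROXY_SERVER_LB?}"`. The same leftover appears in the other eight bats files changed the same way in this commit, including the `auth_server` variants, which additionally match only the hostname and not the port, so a wrong port in the generated config would still pass.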
@test "[${TEST_SUITE?}] teleport.auth_token is set correctly" {


@ -20,10 +20,10 @@ load fixtures/common
[ ${GENERATE_EXIT_CODE?} -eq 0 ]
}
@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
@test "[${TEST_SUITE?}] teleport.proxy_server is set correctly" {
load ${TELEPORT_CONFD_DIR?}/conf
cat "${TELEPORT_CONFIG_PATH?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_servers:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ proxy_server:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
}
@test "[${TEST_SUITE?}] teleport.auth_token is set correctly" {


@ -15,10 +15,10 @@ load fixtures/common
[ ${GENERATE_EXIT_CODE?} -eq 0 ]
}
@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
@test "[${TEST_SUITE?}] teleport.proxy_server is set correctly" {
load ${TELEPORT_CONFD_DIR?}/conf
cat "${TELEPORT_CONFIG_PATH?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_servers:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ proxy_server:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
}
@test "[${TEST_SUITE?}] teleport.auth_token is set correctly" {


@ -15,9 +15,9 @@ load fixtures/common
[ ${GENERATE_EXIT_CODE?} -eq 0 ]
}
@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
load ${TELEPORT_CONFD_DIR?}/conf
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
}
# in each test, we echo the block so that if the test fails, the block is outputted


@ -22,10 +22,10 @@ load fixtures/common
[ ${GENERATE_EXIT_CODE?} -eq 0 ]
}
@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
load ${TELEPORT_CONFD_DIR?}/conf
cat "${TELEPORT_CONFIG_PATH?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
}
# in each test, we echo the block so that if the test fails, the block is outputted


@ -21,10 +21,10 @@ load fixtures/common
[ ${GENERATE_EXIT_CODE?} -eq 0 ]
}
@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
load ${TELEPORT_CONFD_DIR?}/conf
cat "${TELEPORT_CONFIG_PATH?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
}
# in each test, we echo the block so that if the test fails, the block is outputted


@ -22,10 +22,10 @@ load fixtures/common
[ ${GENERATE_EXIT_CODE?} -eq 0 ]
}
@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
load ${TELEPORT_CONFD_DIR?}/conf
cat "${TELEPORT_CONFIG_PATH?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
}
# in each test, we echo the block so that if the test fails, the block is outputted


@ -22,10 +22,10 @@ load fixtures/common
[ ${GENERATE_EXIT_CODE?} -eq 0 ]
}
@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
load ${TELEPORT_CONFD_DIR?}/conf
cat "${TELEPORT_CONFIG_PATH?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
}
# in each test, we echo the block so that if the test fails, the block is outputted


@ -22,10 +22,10 @@ load fixtures/common
[ ${GENERATE_EXIT_CODE?} -eq 0 ]
}
@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
load ${TELEPORT_CONFD_DIR?}/conf
cat "${TELEPORT_CONFIG_PATH?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^ auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
}
# in each test, we echo the block so that if the test fails, the block is outputted


@ -1,3 +1,4 @@
version: v3
teleport:
data_dir: /var/lib/teleport
log:
@ -6,11 +7,11 @@ teleport:
output: json
storage:
type: dir
auth_servers: ["${PROXY_HOST}:3080"]
auth_token: "node-${NODE_TOKEN}"
proxy_server: ${PROXY_HOST}:3080
auth_service:
enabled: false
proxy_service:
enabled: false
ssh_service:
enabled: true
enabled: true


@ -1,3 +1,4 @@
version: v3
teleport:
data_dir: /var/lib/teleport
log:
@ -6,11 +7,11 @@ teleport:
output: json
storage:
type: dir
auth_servers: ["auth:3025"]
auth_token: "node-${NODE_TOKEN}"
auth_server: auth:3025
auth_service:
enabled: false
proxy_service:
enabled: false
ssh_service:
enabled: true
enabled: true


@ -1,3 +1,4 @@
version: v3
teleport:
log:
severity: DEBUG
@ -5,7 +6,7 @@ teleport:
output: json
data_dir: /var/lib/teleport
auth_servers: ["auth:3025"]
auth_server: auth:3025
auth_token: "proxy-${PROXY_TOKEN}"
cache:
type: in-memory
@ -24,4 +25,4 @@ proxy_service:
https_cert_file: /etc/teleport-tls/tls.crt
https_key_file: /etc/teleport-tls/tls.key
public_addr: "${PROXY_HOST}:3080"
tunnel_public_addr: "${PROXY_HOST}:3024"
tunnel_public_addr: "${PROXY_HOST}:3024"


@ -1,5 +1,6 @@
version: v3
teleport:
auth_servers: ["one"]
auth_server: one
auth_token: foo
log:
output: /var/lib/teleport/teleport.log
@ -7,8 +8,8 @@ teleport:
data_dir: /var/lib/teleport
storage:
path: /var/lib/teleport/backend
type: dir
path: /var/lib/teleport/backend
type: dir
auth_service:
enabled: no
@ -16,11 +17,11 @@ auth_service:
ssh_service:
enabled: yes
labels:
cluster: one
cluster: one
commands:
- name: kernel
command: [/bin/uname, -r]
period: 5m
- name: kernel
command: [ /bin/uname, -r ]
period: 5m
proxy_service:
enabled: no


@ -1,4 +1,5 @@
# standalone proxy connected to
version: v3
teleport:
auth_token: foo
nodename: one-proxy
@ -6,12 +7,11 @@ teleport:
log:
output: stdout
severity: DEBUG
auth_servers:
- one:3025
auth_server: one:3025
data_dir: /var/lib/teleport
storage:
path: /var/lib/teleport/backend
type: dir
path: /var/lib/teleport/backend
type: dir
auth_service:
enabled: no


@ -1,7 +1,8 @@
# Dumb SSH node for cluster "two"
version: v3
teleport:
nodename: node-on-second-cluster
auth_servers: ["two-auth"]
auth_server: two-auth
auth_token: foo
advertise_ip: 172.10.1.4
log:
@ -9,17 +10,17 @@ teleport:
severity: DEBUG
data_dir: /var/lib/teleport
storage:
path: /var/lib/teleport/backend
type: dir
path: /var/lib/teleport/backend
type: dir
ssh_service:
enabled: yes
labels:
cluster: two
role: dumb_node
cluster: two
role: dumb_node
proxy_service:
enabled: no
enabled: no
auth_service:
enabled: no


@ -1,15 +1,16 @@
# Proxy server for cluster "two". Also runs "node" role
version: v3
teleport:
nodename: two-proxy
auth_servers: ["two-auth"]
auth_server: two-auth
auth_token: foo
log:
output: stdout
severity: DEBUG
data_dir: /var/lib/teleport
storage:
path: /var/lib/teleport/backend
type: dir
path: /var/lib/teleport/backend
type: dir
auth_service:
enabled: no
@ -17,14 +18,14 @@ auth_service:
ssh_service:
enabled: yes
labels:
cluster: two
role: proxy+node
cluster: two
role: proxy+node
commands:
- name: kernel
command: [/bin/uname, -r]
period: 5m
- name: kernel
command: [ /bin/uname, -r ]
period: 5m
proxy_service:
enabled: yes
listen_addr: 0.0.0.0:5023
web_listen_addr: 0.0.0.0:5080
enabled: yes
listen_addr: 0.0.0.0:5023
web_listen_addr: 0.0.0.0:5080


@ -49,8 +49,9 @@ $ sudo ./install
Now, save the following configuration file as `/etc/teleport.yaml` on the auth server.
```yaml
version: v3
teleport:
auth_token: zw6C82kq7VEUSJeSDzuldWsxakql6jrTYmphxRQOlrATTGbLQoaIwEBo48o9
auth_token: xxxx-token-xxxx
# Pre-defined tokens for adding new nodes to a cluster. Each token specifies
# the role a new node will be allowed to assume. The more secure way to
# add nodes is to use `ttl node add --ttl` command to generate auto-expiring
@ -59,7 +60,7 @@ teleport:
# We recommend to use tools like `pwgen` to generate sufficiently random
# tokens of 32+ byte length.
# you can also use auth server's IP, i.e. "10.1.1.10:3025"
auth_servers: [ "10.1.1.10:3025" ]
auth_server: 10.1.1.10:3025
auth_service:
# enable the auth service:
@ -67,9 +68,9 @@ auth_service:
tokens:
# this static token is used for other nodes to join this Teleport cluster
- proxy,node:zw6C82kq7VEUSJeSDzuldWsxakql6jrTYmphxRQOlrATTGbLQoaIwEBo48o9
- proxy,node:xxxx-token-xxxx
# this token is used to establish trust with other Teleport clusters
- trusted_cluster:TaZff3DLbpsMZmIMhvEr7kulOgegjg7yyQNTS0q6UFWfsJ9N6rxVBjg6t7nw
- trusted_cluster:xxxx-different-token-xxxx
# To Support FIPS local_auth needs to be turned off and a SSO connector is
# required to log into Teleport.
@ -93,11 +94,16 @@ Save the following configuration file as `/etc/teleport.yaml` on the Node
Service host:
```yaml
version: v3
teleport:
auth_token: zw6C82kq7VEUSJeSDzuldWsxakql6jrTYmphxRQOlrATTGbLQoaIwEBo48o9
auth_servers: [ "10.1.1.10:3025" ]
auth_token: xxxx-token-xxxx
# enable ssh service and disable auth and proxy:
# Specify either the proxy address
proxy_server: teleport.example.com:3080
# or the auth server address
auth_server: 10.1.1.10:3025
# Enable ssh service and disable auth and proxy:
ssh_service:
enabled: true
auth_service:


@ -12,7 +12,7 @@ This guide will explain how to:
- Access AWS Management Console through Teleport.
- View Teleport users' AWS console activity in CloudTrail.
- Access the AWS Command Line Interface (CLI) through Teleport.
- Access the AWS Command Line Interface (CLI) through Teleport.
- Access applications using AWS SDKs through Teleport.
## Prerequisites
@ -75,7 +75,7 @@ This step is only required if you are allowing access from another account. The
</Admonition>
Teleport uses AWS [federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) to generate sign-in URLs for users, which relies on the `AssumeRole` API
for getting temporary security credentials.
for getting temporary security credentials.
You will need to update your IAM roles' "Trusted entities" to include your AWS account ID.
Go to the [Roles](https://console.aws.amazon.com/iamv2/home#/roles) list, pick
@ -163,18 +163,18 @@ for details.
Add AWS management console to your application service configuration:
```yaml
version: v3
teleport:
# Data directory for the Application Proxy service. If running on the same
# node as Auth/Proxy service, make sure to use different data directories.
data_dir: /var/lib/teleport-app
# Instructs the service to load the join token from the specified file
# Instructs the service to load the auth token from the specified file
# during initial registration with the cluster.
auth_token: /var/lib/teleport-app/token
# Proxy address to connect to. Note that it has to be the proxy address
# because the app service always connects to the cluster over a reverse
# tunnel.
auth_servers:
- teleport.example.com:3080
proxy_server: teleport.example.com:3080
app_service:
enabled: "yes"
apps:


@ -133,18 +133,18 @@ Teleport proxy server.
Example `teleport.yaml` configuration:
```yaml
version: v3
teleport:
# Data directory for the Application Proxy service. If running on the same
# node as Auth/Proxy service, make sure to use different data directories.
data_dir: /var/lib/teleport-app
# Instructs the service to load the join token from the specified file
# Instructs the service to load the auth token from the specified file
# during initial registration with the cluster.
auth_token: /tmp/token
# Proxy address to connect to. Note that it has to be the proxy address
# because the app service always connects to the cluster over a reverse
# tunnel.
auth_servers:
- teleport.example.com:3080
proxy_server: teleport.example.com:3080
app_service:
enabled: yes
# Teleport provides a small debug app that can be used to make sure application


@ -77,10 +77,10 @@ Create the Application Service configuration file `/etc/teleport.yaml` with
the following contents:
```yaml
version: v3
teleport:
auth_token: "/tmp/token"
auth_servers:
- teleport.example.com:3080
proxy_server: teleport.example.com:3080
auth_service:
enabled: "no"
ssh_service:


@ -75,10 +75,10 @@ On the node where you will run the Teleport Database Service, run
`teleport db start` with the following in `/etc/teleport.yaml`:
```yaml
version: v3
teleport:
auth_token: "/tmp/token"
auth_servers:
- "teleport.example.com:443"
proxy_server: teleport.example.com:443
db_service:
enabled: "yes"
databases:
@ -122,10 +122,10 @@ On the node where you will run the Teleport Database Service, run
`teleport db start` with the following in `/etc/teleport.yaml`:
```yaml
version: v3
teleport:
auth_token: "/tmp/token"
auth_servers:
- "mytenant.teleport.sh"
proxy_server: mytenant.teleport.sh
db_service:
enabled: "yes"
databases:


@ -134,14 +134,14 @@ a single Cloud SQL MySQL database:
<ScopedBlock scope={["oss", "enterprise"]}>
```yaml
version: v3
teleport:
data_dir: /var/lib/teleport-db
nodename: test
# Proxy address to connect to. Note that it has to be the proxy address
# because the Database Service always connects to the cluster over a reverse
# tunnel.
auth_servers:
- teleport.example.com:3080
proxy_server: teleport.example.com:3080
db_service:
enabled: "yes"
# This section contains definitions of all databases proxied by this
@ -178,12 +178,12 @@ proxy_service:
<ScopedBlock scope={["cloud"]}>
```yaml
version: v3
teleport:
data_dir: /var/lib/teleport-db
nodename: test
# Proxy address to connect to. Use your Teleport Cloud tenant address.
auth_servers:
- mytenant.teleport.sh
proxy_server: mytenant.teleport.sh
db_service:
enabled: "yes"
# This section contains definitions of all databases proxied by this


@ -205,14 +205,14 @@ a single Cloud SQL PostgreSQL database:
<ScopedBlock scope={["oss", "enterprise"]}>
```yaml
version: v3
teleport:
data_dir: /var/lib/teleport-db
nodename: test
# Proxy address to connect to. Note that it has to be the proxy address
# because the Database Service always connects to the cluster over a reverse
# tunnel.
auth_servers:
- teleport.example.com:3080
proxy_server: teleport.example.com:3080
db_service:
enabled: "yes"
# This section contains definitions of all databases proxied by this
@ -249,12 +249,12 @@ proxy_service:
<ScopedBlock scope={["cloud"]}>
```yaml
version: v3
teleport:
data_dir: /var/lib/teleport-db
nodename: test
# Proxy address to connect to. Use your Teleport Cloud tenant address here.
auth_servers:
- mytenant.teleport.sh
proxy_server: mytenant.teleport.sh
db_service:
enabled: "yes"
# This section contains definitions of all databases proxied by this


@ -746,8 +746,7 @@ $ aws elbv2 describe-load-balancers --names "${TF_VAR_cluster_name}-auth" --quer
With this method, the Nodes should be configured like so:
```yaml
auth_servers:
- example-cluster-auth-c5b0fc2764ee015b.elb.us-east-1.amazonaws.com:3025
auth_server: example-cluster-auth-c5b0fc2764ee015b.elb.us-east-1.amazonaws.com:3025
```
### Joining Nodes via Teleport IoT/Node tunneling
@ -759,8 +758,7 @@ With this method, you can join the nodes using the public facing proxy address -
example.
```yaml
auth_servers:
- teleport.example.com:443
proxy_server: teleport.example.com:443
```
### Trusted Clusters


@ -188,12 +188,12 @@ Save the following configuration file as `/etc/teleport.yaml` on the Proxy Serve
```yaml
# enable multiplexing all traffic on TCP port 443
version: v2
version: v3
teleport:
auth_token: EXAMPLE-PROXY-JOIN-TOKEN
# We recommend using a TCP load balancer pointed to the auth servers when
# setting up in High Availability mode.
auth_servers: [ "auth.example.com:3025" ]
auth_server: auth.example.com:3025
# enable proxy service, disable auth and ssh
ssh_service:
enabled: false
@ -214,11 +214,12 @@ proxy_service:
Save the following configuration file as `/etc/teleport.yaml` on the Node:
```yaml
version: v3
teleport:
auth_token: EXAMPLE-NODE-JOIN-TOKEN
# Nodes and other agents can be joined to the cluster via the proxy's public address.
# This will establish a reverse tunnel between the proxy and the node which is used for all traffic.
auth_servers: [ "teleport.example.com:443" ]
proxy_server: teleport.example.com:443
# enable ssh service and disable auth and proxy
ssh_service:
enabled: true


@ -335,7 +335,7 @@ gpupdate.exe /force
<Admonition type="note" title="Secure Cipher Suites">
Teleport's RDP client supports only secure algorithms
for making TLS connections, so we have to configure our Domain Controller
for making TLS connections, so we have to configure our Domain Controller
to support those cipher suites as well.
This step is only *necessary* for Windows Server 2012 R2 Domain Controller as it does not support
secure algorithms by default. If it does not apply to you, you can skip this step and go to the [next step](#step-57-export-your-ldap-ca-certificate).
@ -466,7 +466,7 @@ windows_desktop_service:
</Details>
<Details title="Desktop Service Configuration" min="8.0" scopeOnly={true} scope={"cloud"}>
For Teleport Cloud, Windows Desktop Service should establish a reverse tunnel to
the hosted proxy. This requires setting `auth_servers` to your cloud tenant and
the hosted proxy. This requires setting `proxy_server` to your cloud tenant and
providing a join token.
First, generate a join token with the following command:
@ -479,10 +479,10 @@ Copy the join token to a file on the instance where you will run Windows Desktop
Service, and then use the following configuration:
```yaml
version: v3
teleport:
auth_token: /path/to/token
auth_servers:
- mytenant.teleport.sh # replace with your cloud tenant
proxy_server: mytenant.teleport.sh # replace with your cloud tenant
windows_desktop_service:
enabled: yes
ldap:


@ -25,7 +25,7 @@ The Windows Desktop Service can be deployed in two modes.
In *direct* mode, Windows Desktop Services registers directly with the Teleport
Auth Server, and listens for desktop connections from the Teleport Proxy. To
enable direct mode, set `windows_desktop_service.listen_addr` in
`teleport.yaml`, and ensure that `teleport.auth_servers` points directly at the
`teleport.yaml`, and ensure that `teleport.auth_server` points directly at the
Auth Server. Direct mode requires network connectivity from the Teleport Proxy
to Windows Desktop Service, and from Windows Desktop Service to the Auth Server.
@ -36,5 +36,5 @@ connection to a Teleport Proxy. The Windows Desktop Service establishes a
reverse tunnel to the proxy, and both registration with the Auth Server and
desktop sessions are performed over this tunnel. To enable this mode, ensure
that `windows_desktop_service.listen_addr` is *unset*, and point
`teleport.auth_servers` at a Teleport Proxy.
`teleport.proxy_server` at a Teleport Proxy.


@ -104,13 +104,14 @@ On the host where you will run your Node, paste the following content into
<ScopedBlock scope={["oss", "enterprise"]}>
```yaml
version: v2
version: v3
teleport:
auth_servers:
# The address of your Auth Service. You can also use a Proxy Service
# address, e.g., tele.example.com:443, if your Auth Service is not
# exposed to the internet.
- tele.example.com:3025
# The address of your Auth Service.
auth_server: tele.example.com:3025
# Or, you can also use a Proxy Service
# address, e.g., tele.example.com:443, if your Auth Service is not
# exposed to the internet.
proxy_server: tele.example.com:443
auth_service:
enabled: false
@ -129,11 +130,10 @@ ssh_service:
<ScopedBlock scope={["cloud"]}>
```yaml
version: v2
version: v3
teleport:
auth_servers:
# Your Teleport Cloud tenant address
- mytenant.teleport.sh:443
# Your Teleport Cloud tenant address
proxy_server: mytenant.teleport.sh:443
auth_service:
enabled: false
@ -161,8 +161,8 @@ machine. Your Teleport user must be authorized to access the Node.
```code
$ tsh ls --query 'labels["environment"]=="dev"'
Node Name Address Labels
------------ ---------- ---------------
Node Name Address Labels
------------ ---------- ---------------
bdcb47b87ad6 ⟵ Tunnel environment=dev
```
@ -231,7 +231,7 @@ host:
kubernetes_groups: null
kubernetes_users: null
- logins: null
+ logins:
+ logins:
+ - root
windows_logins: null
version: v2
@ -240,7 +240,7 @@ host:
Apply your changes:
```code
$ tctl create -f user.yaml
$ tctl create -f user.yaml
user "myuser" has been updated
```
@ -261,10 +261,9 @@ Edit `/etc/teleport.yaml` to define a `commands` array as shown below:
<ScopedBlock scope={["oss", "enterprise"]}>
```yaml
version: v2
version: v3
teleport:
auth_servers:
- tele.example.com:3025
auth_server: tele.example.com:3025
auth_service:
enabled: false
@ -290,10 +289,9 @@ ssh_service:
<ScopedBlock scope={["cloud"]}>
```yaml
version: v2
version: v3
teleport:
auth_servers:
- mytenant.teleport.sh:443
proxy_server: mytenant.teleport.sh:443
auth_service:
enabled: false
@ -360,9 +358,9 @@ machine. Your Teleport user must be authorized to access the Node.
```code
$ tsh ls
Node Name Address Labels
----------------- ---------- ---------------
ip-192-0-2-0 ⟵ Tunnel arch=x86_64,hostname=ip-172-30-156-233
Node Name Address Labels
----------------- ---------- ---------------
ip-192-0-2-0 ⟵ Tunnel arch=x86_64,hostname=ip-172-30-156-233
```
<Details title="Problems re-joining the Node?">


@ -23,7 +23,7 @@ IAM credentials with `ec2:DescribeInstances` permissions are required on
your Teleport Auth Service. No IAM credentials are required on the Nodes or
Proxy Service instances.
<Details
<Details
opened
title="Other AWS Node joining methods"
scope={["oss", "enterprise"]}
@ -63,8 +63,8 @@ more in the following guide:
See [Installation](../../installation.mdx) for details.
- An AWS EC2 instance to act as a Teleport Node, with the Teleport binary
installed. The Node should not have an existing data dir (`/var/lib/teleport` by default).
Remove the data directory if this instance has previously joined a Teleport cluster.
installed. The Node should not have an existing data dir (`/var/lib/teleport` by default).
Remove the data directory if this instance has previously joined a Teleport cluster.
</TabItem>
<TabItem
@ -126,7 +126,7 @@ policy and attach it to your EC2 instance running the Teleport Auth Server.
If you are running your Teleport Auth Server outside of AWS you can attach
the `teleport-DescribeInstances-policy` directly to an IAM user which
Teleport will use to authenticate.
Teleport will use to authenticate.
You can provide the IAM credentials to Teleport through a shared configuration
file or environment variables. See
@ -195,12 +195,12 @@ and `method: ec2` as shown in the following example config:
```
# /etc/teleport.yaml
version: v3
teleport:
join_params:
token_name: ec2-token
method: ec2
auth_servers:
- https://teleport.example.com:443
proxy_server: https://teleport.example.com:443
ssh_service:
enabled: yes
auth_service:


@ -13,8 +13,8 @@ an EC2 instance with an attached IAM role. No specific permissions or IAM policy
is required: an IAM role with no attached policies is sufficient. No IAM
credentials are required on the Teleport Auth Service.
<Details
scope={["oss", "enterprise"]}
<Details
scope={["oss", "enterprise"]}
scopeOnly
opened
title="Other AWS Node joining methods"
@ -38,8 +38,8 @@ Read more in the following guide:
[Adding Nodes to the cluster](../admin/adding-nodes.mdx)
</Details>
<Details
scope={["cloud"]}
<Details
scope={["cloud"]}
scopeOnly
opened
title="Another AWS Node joining method"
@ -149,12 +149,12 @@ and `method: iam` as shown in the following example config:
```
# /etc/teleport.yaml
version: v3
teleport:
join_params:
token_name: iam-token
method: iam
auth_servers:
- https://teleport.example.com:443
proxy_server: https://teleport.example.com:443
ssh_service:
enabled: yes
auth_service:


@ -42,10 +42,9 @@ run in a highly available fashion.
## Auth Server State
To run multiple instances of Teleport Auth Server, you must switch to a High Availability secrets back-end first. Also, you must tell each node in a cluster that there is more than one auth server available. There are two ways to do this:
To run multiple instances of Teleport Auth Server, you must switch to a High Availability secrets back-end first.
- Use a load balancer to create a single auth API access point (AP) and specify this AP in `auth_servers` section of Teleport configuration for all nodes in a cluster. This load balancer should do TCP level forwarding.
- If a load balancer is not an option, you must specify each instance of an auth server in `auth_servers` section of Teleport configuration.
To do this, use a load balancer to create a single auth API access point (AP) and specify this AP in the `auth_server` field of the Teleport configuration file for all Nodes in a cluster. This load balancer should do TCP-level forwarding.
**IMPORTANT:** with multiple instances of the auth servers running, special
attention needs to be paid to keeping their configuration identical. Settings
@ -119,8 +118,7 @@ To configure Teleport for using etcd as a storage backend:
don't already have a TLS setup.
- Configure all Teleport Auth servers to use etcd in the "storage" section of the config file as shown below.
- Deploy several auth servers connected to etcd backend.
- Deploy several proxy nodes that have `auth_servers` pointed to the list of auth
servers to connect to.
- Deploy several Proxy Service instances that have `auth_server` pointed to the auth server to connect to.
```yaml
teleport:


@ -65,8 +65,8 @@ By default, it is stored in `/etc/teleport.yaml`.
```yaml
# By default, this file should be stored in /etc/teleport.yaml
# Configuration file version. The current version is "v2".
version: v2
# Configuration file version. The current version is "v3".
version: v3
# This section of the configuration file applies to all teleport
# services.
@ -89,6 +89,10 @@ teleport:
#
# File path example:
# auth_token: /var/lib/teleport/tokenjoin
#
# This is the same as setting join_params.method to "token", and join_params.token_name
# to the value of auth_token.
# You should only use either auth_token or join_params.
auth_token: xxxx-token-xxxx
# join_params are parameters to set when joining a cluster via
@ -99,16 +103,22 @@ teleport:
# IAM join method documentation:
# https://goteleport.com/docs/setup/guides/joining-nodes-aws-iam/
join_params:
# method, when set to "token", is equivalent to using auth_token.
# When `method` is set to "token", it is the equivalent to using `auth_token` above.
# You should only use either auth_token or join_params.
method: "token"|"ec2"|"iam"
# When method is "token", token_name is either the
# token or the path to a file containing the token.
# If method is "iam" or "ec2", token_name will be will be the name of
# the joining token resource, e.g., "ec2-token" or "iam-token" as created
# in the Joining Nodes via EC2 or IAM guides.
# If method is "token", token_name will be the invitation token
# or an absolute path to a file containing the token used to join a cluster.
# It is not used on subsequent starts.
# If using a file, it only needs to exist when teleport is first ran.
#
# If method is "iam" or "ec2", token_name will be will be
# the name of the joining token resource, e.g., "ec2-token" or
# "iam-token" as created in the Joining Nodes via EC2 or IAM
# guides.
token_name: "token-name"
# File path example:
# token_name: /var/lib/teleport/tokenjoin
token_name: "token-name"
# Optional CA pin of the auth server. This enables a more secure way of
# adding new nodes to a cluster. See "Adding Nodes to your Cluster"
@ -128,14 +138,24 @@ teleport:
# https://goteleport.com/docs/setup/reference/metrics/
diag_addr: "127.0.0.1:3000"
# Only use one of auth_server or proxy_server.
#
# When you have either the application service or database service enabled,
# only tunneling through the proxy is supported, so you should specify proxy_server.
# All other services support both tunneling through the proxy and directly connecting
# to the auth server, so you can specify either auth_server or proxy_server.
# Auth Server address and port to connect to. If you enable the Teleport
# Auth Server to run in High Availability configuration, the address should
# point to a Load Balancer.
# If adding a node located behind NAT, use the Proxy URL. e.g.
# auth_servers:
# - teleport-proxy.example.com:443
auth_servers:
- 10.1.0.5:3025
# If adding a node located behind NAT, specify `proxy_servers` instead
auth_server: 10.1.0.5:3025
# Proxy Server address and port to connect to. If you enable the Teleport
# Proxy Server to run in High Availability configuration, the address should
# point to a Load Balancer.
proxy_server: teleport-proxy.example.com:443
# cache:
# # The cache is enabled by default, it can be disabled with this flag
@ -773,3 +793,17 @@ kubernetes_service:
# This section configures the windows desktop service
(!docs/pages/includes/desktop-access/desktop-config.yaml!)
```
## Changelog
### v3
**Introduced in Teleport v11**
Replaced `teleport.auth_servers` with either `teleport.auth_server` or `teleport.proxy_server`.
### v2
**Introduced in Teleport v8**
Added support for multiplexing via `auth_service.proxy_listener_mode`.


@ -136,17 +136,21 @@ $ tctl tokens rm (=presets.tokens.first=)
### Create a configuration file
Set up your Teleport Node with the following content in `/etc/teleport.yaml`.
Set up your Teleport Node with the following content in `/etc/teleport.yaml`.
```yaml
# Example config to be saved as etc/teleport.yaml
version: v3
teleport:
nodename: graviton-node
# The token you created earlier
auth_token: (=presets.tokens.first=)
auth_servers:
# Replace with the address of the Teleport Auth Service or Proxy Service.
- 127.0.0.1:3025
# Replace with the address of the Teleport Auth Service
auth_server: 127.0.0.1:3025
# Or specify the Proxy Service address.
proxy_server: 127.0.0.1:3080
data_dir: /var/lib/teleport
proxy_service:
enabled: false


@ -63,12 +63,12 @@ Set up your Teleport Node with the following content in `/etc/teleport.yaml`.
```yaml
# Example config to be saved as /etc/teleport.yaml
version: v3
teleport:
nodename: graviton-node
auth_token: exampletoken
auth_servers:
# Replace with the address of the Teleport Auth Server.
- 127.0.0.1:3025
auth_server: 127.0.0.1:3025
data_dir: /var/lib/teleport
proxy_service:
enabled: false


@ -1 +1 @@
Subproject commit d6361937c42ddd6d097e68328dda0ffb9b7e5972
Subproject commit 2747a0a578556c5a4fbfde85d7944c259e5fdad9


@ -2,6 +2,7 @@ export TELEPORT_PUBLIC_DNS_NAME="[teleport-proxy.example.com]"
export TELEPORT_CLUSTER_NAME="[teleport-cluster-name]"
cat > teleport.yaml << EOF
# By default, this file should be stored in /etc/teleport.yaml
version: v3
teleport:
nodename: $TELEPORT_PUBLIC_DNS_NAME
cluster_name: $TELEPORT_CLUSTER_NAME
@ -11,8 +12,7 @@ export TELEPORT_CLUSTER_NAME="[teleport-cluster-name]"
severity: ERROR
storage:
type: dir
auth_servers:
- 127.0.0.1:3025
auth_server: 127.0.0.1:3025
log:
output: stderr
severity: INFO


@ -34,9 +34,6 @@ sets Deployment annotations when specified:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -79,9 +76,6 @@ sets Pod annotations when specified:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -124,9 +118,6 @@ should add PersistentVolumeClaim as volume when in custom mode and persistence.e
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -169,9 +160,6 @@ should add PersistentVolumeClaim as volume when in standalone mode and persisten
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -249,9 +237,6 @@ should add emptyDir for data in AWS mode:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -353,9 +338,6 @@ should add insecureSkipProxyTLSVerify to args when set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -398,9 +380,6 @@ should add named PersistentVolumeClaim as volume when in custom mode and persist
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -444,9 +423,6 @@ should add named PersistentVolumeClaim as volume when in custom mode and persist
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -495,9 +471,6 @@ should do enterprise things when when enterprise is set in values:
- name: license
secret:
secretName: license
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -540,9 +513,6 @@ should expose diag port:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -585,9 +555,6 @@ should have Recreate strategy in standalone mode:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -642,9 +609,6 @@ should have multiple replicas when replicaCount is set:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -699,9 +663,6 @@ should mount ConfigMap for config in AWS mode:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -802,9 +763,6 @@ should mount ConfigMap for config in custom mode:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -847,9 +805,6 @@ should mount ConfigMap for config in standalone mode:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1186,9 +1141,6 @@ should mount cert-manager TLS secret when highAvailability.certManager.enabled i
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- name: teleport-tls
secret:
secretName: teleport-tls
@ -1236,9 +1188,6 @@ should mount extraVolumes and extraVolumeMounts:
name: my-mount
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1293,9 +1242,6 @@ should mount tls.existingCASecretName and set environment when set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- name: teleport-tls
secret:
secretName: helm-lint-existing-tls-secret
@ -1355,9 +1301,6 @@ should mount tls.existingCASecretName and set extra environment when set in valu
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- name: teleport-tls
secret:
secretName: helm-lint-existing-tls-secret
@ -1409,9 +1352,6 @@ should mount tls.existingSecretName when set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- name: teleport-tls
secret:
secretName: helm-lint-existing-tls-secret
@ -1457,9 +1397,6 @@ should not add PersistentVolumeClaim as volume when in custom mode and persisten
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1501,9 +1438,6 @@ should not add PersistentVolumeClaim as volume when in standalone mode and persi
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1546,9 +1480,6 @@ should not add PersistentVolumeClaim as volume when in standalone mode and persi
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1591,9 +1522,6 @@ should not add PersistentVolumeClaim as volume when in standalone mode and persi
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1635,9 +1563,6 @@ should not do enterprise things when when enterprise is not set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1680,9 +1605,6 @@ should not have more than one replica in standalone mode:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1737,9 +1659,6 @@ should not have strategy in AWS mode:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1840,9 +1759,6 @@ should not have strategy in custom mode:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1885,9 +1801,6 @@ should not mount TLS secrets when when highAvailability.certManager.enabled is f
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -1930,9 +1843,6 @@ should not set securityContext when is empty object (default value):
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2003,9 +1913,6 @@ should provision initContainer correctly when set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2057,9 +1964,6 @@ should set affinity when set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2105,9 +2009,6 @@ should set environment when extraEnv set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2150,9 +2051,6 @@ should set imagePullPolicy when set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2201,9 +2099,6 @@ should set postStart command if set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2247,9 +2142,6 @@ should set priorityClassName when set in values:
priorityClassName: system-cluster-critical
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2292,9 +2184,6 @@ should set probeTimeoutSeconds when set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2347,9 +2236,6 @@ should set required affinity when highAvailability.requireAntiAffinity is set:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2398,9 +2284,6 @@ should set resources when set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2450,9 +2333,6 @@ should set securityContext when set in values:
name: data
serviceAccountName: RELEASE-NAME
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config
@ -2516,9 +2396,6 @@ should set tolerations when set in values:
operator: Equal
value: teleport
volumes:
- name: gcp-credentials
secret:
secretName: teleport-gcp-credentials
- configMap:
name: RELEASE-NAME
name: config


@ -19,9 +19,10 @@ metadata:
{{- end }}
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["{{ required "proxyAddr is required in chart values" .Values.proxyAddr }}"]
proxy_server: {{ required "proxyAddr is required in chart values" .Values.proxyAddr }}
{{- if .Values.caPin }}
ca_pin: {{- toYaml .Values.caPin | nindent 8 }}
{{- end }}
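Review bot: The new `proxy_server` line renders the chart value as an unquoted YAML scalar, whereas the `auth_servers` line it replaces wrapped the address in a quoted list element; a `proxyAddr` value containing characters YAML treats specially would now parse differently, so keep it a plain string with `proxy_server: {{ required "proxyAddr is required in chart values" .Values.proxyAddr | quote }}`. The `version: v3` line is also hard-coded into the ConfigMap; if the chart lets users pin an older Teleport image, that image presumably rejects a v3 file, so either gating the version on the image tag or documenting the minimum image version would avoid a broken rollout. The `data:` block continues outside the hunk.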


@ -3,9 +3,10 @@ does not generate a config for clusterrole.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -38,9 +39,10 @@ does not generate a config for pdb.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -73,9 +75,10 @@ matches snapshot and tests for annotations.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -111,9 +114,10 @@ matches snapshot and tests for extra-labels.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -149,9 +153,10 @@ matches snapshot for affinity.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -184,9 +189,10 @@ matches snapshot for all-v6.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -235,9 +241,10 @@ matches snapshot for aws-databases.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -282,9 +289,10 @@ matches snapshot for backwards-compatibility.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -317,9 +325,10 @@ matches snapshot for ca-pin.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
ca_pin:
- sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1
log:
@ -354,9 +363,10 @@ matches snapshot for db.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -394,9 +404,10 @@ matches snapshot for dynamic-app.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -431,9 +442,10 @@ matches snapshot for dynamic-db.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -468,9 +480,10 @@ matches snapshot for imagepullsecrets.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -503,9 +516,10 @@ matches snapshot for initcontainers.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -538,9 +552,10 @@ matches snapshot for log-basic.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -573,9 +588,10 @@ matches snapshot for log-extra.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: DEBUG
output: /var/lib/teleport/test.log
@ -608,9 +624,10 @@ matches snapshot for log-legacy.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: DEBUG
output: stderr
@ -643,9 +660,10 @@ matches snapshot for node-selector.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -678,9 +696,10 @@ matches snapshot for pdb.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: DEBUG
output: /var/lib/teleport/test.log
@ -713,9 +732,10 @@ matches snapshot for resources.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -748,9 +768,10 @@ matches snapshot for stateful.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -783,9 +804,10 @@ matches snapshot for tolerations.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr
@ -818,9 +840,10 @@ matches snapshot for volumes.yaml:
apiVersion: v1
data:
teleport.yaml: |
version: v3
teleport:
auth_token: "/etc/teleport-secrets/auth-token"
auth_servers: ["proxy.example.com:3080"]
proxy_server: proxy.example.com:3080
log:
severity: INFO
output: stderr


@ -18,7 +18,7 @@ sets Deployment annotations when specified if action is Upgrade:
template:
metadata:
annotations:
checksum/config: 511656bfc4345260ef1ddc4319c2a30ff1e004c72c518c82020a76e088a10cd8
checksum/config: 40ee068e95f9baae75f3b7f6ef1a62a7ffdf3d9005e74514e597dbd4c4af595e
kubernetes.io/pod: test-annotation
kubernetes.io/pod-different: 4
labels:
@ -86,7 +86,7 @@ sets Deployment labels when specified if action is Upgrade:
template:
metadata:
annotations:
checksum/config: b37ca9b3da292ffe343a4629c7da7dc006ec03156fc19268123a24df51dfeb78
checksum/config: e23c34c3027af13bb06e161dfe1fe316312a1d5621ef217502a5c76596e49668
labels:
app: RELEASE-NAME
app.kubernetes.io/name: teleport-kube-agent


@ -150,7 +150,7 @@ sets StatefulSet labels when specified:
template:
metadata:
annotations:
checksum/config: b37ca9b3da292ffe343a4629c7da7dc006ec03156fc19268123a24df51dfeb78
checksum/config: e23c34c3027af13bb06e161dfe1fe316312a1d5621ef217502a5c76596e49668
labels:
app: RELEASE-NAME
app.kubernetes.io/name: teleport-kube-agent
@ -381,7 +381,7 @@ should add volumeClaimTemplate for data volume when using StatefulSet and is Fre
template:
metadata:
annotations:
checksum/config: b68f736b13876b204549cacfa6683f63942acdfe1e98c43d74f9868eb8f1edff
checksum/config: 85faa83e7e3e6789b109a5d52e61141243de9d7c5e408af802fb5ad544f79698
labels:
app: RELEASE-NAME
spec:


@ -1,8 +1,8 @@
version: v3
teleport:
nodename: graviton-node
auth_token: hello
auth_servers:
- 127.0.0.1:5000
auth_server: 127.0.0.1:5000
data_dir: .data
proxy_service:
enabled: "no"


@ -1,8 +1,8 @@
version: v3
teleport:
nodename: graviton-proxy
auth_token: hello
auth_servers:
- 127.0.0.1:5000
auth_server: 127.0.0.1:5000
data_dir: .data
proxy_service:
enabled: "yes"


@ -556,12 +556,10 @@ func (p *Pack) startRootAppServers(t *testing.T, count int, extraApps []service.
raConf.Log = log
raConf.DataDir = t.TempDir()
raConf.SetToken("static-token-value")
raConf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: p.rootCluster.Web,
},
}
raConf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: p.rootCluster.Web,
})
raConf.Auth.Enabled = false
raConf.Proxy.Enabled = false
raConf.SSH.Enabled = false
@ -701,12 +699,10 @@ func (p *Pack) startLeafAppServers(t *testing.T, count int, extraApps []service.
laConf.Log = log
laConf.DataDir = t.TempDir()
laConf.SetToken("static-token-value")
laConf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: p.leafCluster.Web,
},
}
laConf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: p.leafCluster.Web,
})
laConf.Auth.Enabled = false
laConf.Proxy.Enabled = false
laConf.SSH.Enabled = false
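Review bot: `startRootAppServers` and `startLeafAppServers` now call `SetAuthServerAddress` with `p.rootCluster.Web` and `p.leafCluster.Web`, which are proxy web addresses, while the configuration reference changed in this same commit says app and database services should be given `proxy_server` and that only one of `auth_server`/`proxy_server` should be set. If `SetAuthServerAddress` populates the v3 `auth_server` field, these tests keep exercising the auth-address-pointing-at-a-proxy path rather than the new `proxy_server` path; presumably assigning `ProxyServer` (the field the `StartNodeWithTargetPort` change in this commit checks with `IsEmpty()`) is the intended call for app agents. The same pattern appears in `StartDatabaseServices`, `startRootDatabaseAgent`, the `TeleInstance.StartApp`/`StartApps`/`StartDatabase`/`StartKube` helpers, and in `newTeleportIoT`, `testTrustedTunnelNode`, `testReverseTunnelCollapse` and `testDiscoveryNode`. Both functions continue outside the hunks.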


@ -109,12 +109,10 @@ func (pack *databaseClusterPack) StartDatabaseServices(t *testing.T, clock clock
conf := service.MakeDefaultConfig()
conf.DataDir = filepath.Join(t.TempDir(), pack.name)
conf.SetToken("static-token-value")
conf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: pack.Cluster.Web,
},
}
conf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: pack.Cluster.Web,
})
conf.Databases.Enabled = true
conf.Databases.Databases = []service.Database{
pack.PostgresService,
@ -400,12 +398,10 @@ func (p *DatabasePack) startRootDatabaseAgent(t *testing.T, params databaseAgent
conf.DataDir = t.TempDir()
conf.SetToken("static-token-value")
conf.DiagnosticAddr = *utils.MustParseAddr(helpers.NewListener(t, service.ListenerDiagnostic, &conf.FileDescriptors))
conf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: p.Root.Cluster.Web,
},
}
conf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: p.Root.Cluster.Web,
})
conf.Clock = p.clock
conf.Databases.Enabled = true
conf.Databases.Databases = params.databases


@ -63,7 +63,7 @@ func newNodeConfig(t *testing.T, authAddr utils.NetAddr, tokenName string, joinM
config.Auth.Enabled = false
config.Proxy.Enabled = false
config.DataDir = t.TempDir()
config.AuthServers = append(config.AuthServers, authAddr)
config.SetAuthServerAddress(authAddr)
config.Log = newSilentLogger()
config.CircuitBreakerConfig = breaker.NoopBreakerConfig()
return config
@ -84,7 +84,7 @@ func newProxyConfig(t *testing.T, authAddr utils.NetAddr, tokenName string, join
config.Proxy.EnableProxyProtocol = true
config.DataDir = t.TempDir()
config.AuthServers = append(config.AuthServers, authAddr)
config.SetAuthServerAddress(authAddr)
config.Log = newSilentLogger()
config.CircuitBreakerConfig = breaker.NoopBreakerConfig()
return config
@ -107,7 +107,7 @@ func newAuthConfig(t *testing.T, clock clockwork.Clock) *service.Config {
ClusterName: "testcluster",
})
require.NoError(t, err)
config.AuthServers = append(config.AuthServers, config.Auth.ListenAddr)
config.SetAuthServerAddress(config.Auth.ListenAddr)
config.Auth.StorageConfig = storageConfig
config.Auth.NetworkingConfig.SetProxyListenerMode(types.ProxyListenerMode_Multiplex)
config.Auth.StaticTokens, err = types.NewStaticTokens(types.StaticTokensSpecV2{
@ -342,7 +342,7 @@ func TestEC2Labels(t *testing.T) {
tconf.Proxy.DisableWebInterface = true
tconf.Auth.StorageConfig = storageConfig
tconf.Auth.ListenAddr.Addr = helpers.NewListener(t, service.ListenerAuth, &tconf.FileDescriptors)
tconf.AuthServers = append(tconf.AuthServers, tconf.Auth.ListenAddr)
tconf.SetAuthServerAddress(tconf.Auth.ListenAddr)
tconf.SSH.Enabled = true
tconf.SSH.Addr.Addr = helpers.NewListener(t, service.ListenerNodeSSH, &tconf.FileDescriptors)
@ -447,7 +447,7 @@ func TestEC2Hostname(t *testing.T) {
tconf.Proxy.WebAddr.Addr = helpers.NewListener(t, service.ListenerProxyWeb, &tconf.FileDescriptors)
tconf.Auth.StorageConfig = storageConfig
tconf.Auth.ListenAddr.Addr = helpers.NewListener(t, service.ListenerAuth, &tconf.FileDescriptors)
tconf.AuthServers = append(tconf.AuthServers, tconf.Auth.ListenAddr)
tconf.SetAuthServerAddress(tconf.Auth.ListenAddr)
tconf.SSH.Enabled = true
tconf.SSH.Addr.Addr = helpers.NewListener(t, service.ListenerNodeSSH, &tconf.FileDescriptors)


@ -508,7 +508,7 @@ func (i *TeleInstance) GenerateConfig(t *testing.T, trustedSecrets []*InstanceSe
tconf.Proxy.MongoAddr.Addr = i.Mongo
}
}
tconf.AuthServers = append(tconf.AuthServers, tconf.Auth.ListenAddr)
tconf.SetAuthServerAddress(tconf.Auth.ListenAddr)
tconf.Auth.StorageConfig = backend.Config{
Type: lite.GetName(),
Params: backend.Params{"path": dataDir + string(os.PathListSeparator) + defaults.BackendDir, "poll_stream_period": 50 * time.Millisecond},
@ -618,8 +618,18 @@ func (i *TeleInstance) StartNodeWithTargetPort(tconf *service.Config, authPort s
tconf.DataDir = dataDir
authServer := utils.MustParseAddr(net.JoinHostPort(i.Hostname, authPort))
tconf.AuthServers = append(tconf.AuthServers, *authServer)
if tconf.Version == defaults.TeleportConfigVersionV3 {
if tconf.ProxyServer.IsEmpty() {
authServer := utils.MustParseAddr(net.JoinHostPort(i.Hostname, authPort))
tconf.SetAuthServerAddress(*authServer)
}
} else {
authServer := utils.MustParseAddr(net.JoinHostPort(i.Hostname, authPort))
if err := tconf.SetAuthServerAddresses(append(tconf.AuthServerAddresses(), *authServer)); err != nil {
return nil, err
}
}
tconf.SetToken("token")
tconf.UploadEventsC = i.UploadEventsC
tconf.CachePolicy = service.CachePolicy{
@ -671,12 +681,10 @@ func (i *TeleInstance) StartApp(conf *service.Config) (*service.TeleportProcess,
i.tempDirs = append(i.tempDirs, dataDir)
conf.DataDir = dataDir
conf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: i.Web,
},
}
conf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: i.Web,
})
conf.SetToken("token")
conf.UploadEventsC = i.UploadEventsC
conf.Auth.Enabled = false
@ -723,12 +731,10 @@ func (i *TeleInstance) StartApps(configs []*service.Config) ([]*service.Teleport
}
cfg.DataDir = dataDir
cfg.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: i.Web,
},
}
cfg.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: i.Web,
})
cfg.SetToken("token")
cfg.UploadEventsC = i.UploadEventsC
cfg.Auth.Enabled = false
@ -787,12 +793,10 @@ func (i *TeleInstance) StartDatabase(conf *service.Config) (*service.TeleportPro
i.tempDirs = append(i.tempDirs, dataDir)
conf.DataDir = dataDir
conf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: i.Web,
},
}
conf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: i.Web,
})
conf.SetToken("token")
conf.UploadEventsC = i.UploadEventsC
conf.Auth.Enabled = false
@ -850,12 +854,10 @@ func (i *TeleInstance) StartKube(t *testing.T, conf *service.Config, clusterName
i.tempDirs = append(i.tempDirs, dataDir)
conf.DataDir = dataDir
conf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: i.Web,
},
}
conf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: i.Web,
})
conf.SetToken("token")
conf.UploadEventsC = i.UploadEventsC
conf.Auth.Enabled = false
@ -903,7 +905,7 @@ func (i *TeleInstance) StartNodeAndProxy(t *testing.T, name string) (sshPort, we
tconf.Log = i.Log
authServer := utils.MustParseAddr(i.Auth)
tconf.AuthServers = append(tconf.AuthServers, *authServer)
tconf.SetAuthServerAddress(*authServer)
tconf.SetToken("token")
tconf.HostUUID = name
tconf.Hostname = name
@ -994,7 +996,7 @@ func (i *TeleInstance) StartProxy(cfg ProxyConfig) (reversetunnel.Server, *servi
tconf.Console = nil
tconf.Log = i.Log
authServer := utils.MustParseAddr(i.Auth)
tconf.AuthServers = append(tconf.AuthServers, *authServer)
tconf.SetAuthServerAddress(*authServer)
tconf.CachePolicy = service.CachePolicy{Enabled: true}
tconf.DataDir = dataDir
tconf.UploadEventsC = i.UploadEventsC
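Review bot: In `StartNodeWithTargetPort` the line `authServer := utils.MustParseAddr(net.JoinHostPort(i.Hostname, authPort))` is duplicated in both branches of the new `if tconf.Version == defaults.TeleportConfigVersionV3` block; it does not depend on the branch, so hoisting it above the `if`, as the removed code had it, leaves a single parse site. The two branches also differ in error handling: `SetAuthServerAddress` is treated as infallible while the `SetAuthServerAddresses` result is propagated, and the v3 branch silently leaves the address unset when `ProxyServer` is populated. A comment on that inner check, e.g. `// v3 config takes either proxy_server or auth_server, never both; keep the caller's proxy address`, would make the asymmetry explicit. The function continues outside the hunk.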


@ -253,7 +253,7 @@ func newHSMAuthConfig(ctx context.Context, t *testing.T, storageConfig *backend.
ClusterName: "testcluster",
})
require.NoError(t, err)
config.AuthServers = append(config.AuthServers, config.Auth.ListenAddr)
config.SetAuthServerAddress(config.Auth.ListenAddr)
config.Auth.StaticTokens, err = types.NewStaticTokens(types.StaticTokensSpecV2{
StaticTokens: []types.ProvisionTokenV1{
{
@ -291,7 +291,7 @@ func newProxyConfig(ctx context.Context, t *testing.T, authAddr utils.NetAddr, l
config.PollingPeriod = 1 * time.Second
config.ShutdownTimeout = time.Minute
config.DataDir = t.TempDir()
config.AuthServers = append(config.AuthServers, authAddr)
config.SetAuthServerAddress(authAddr)
config.CircuitBreakerConfig = breaker.NoopBreakerConfig()
config.Log = log
return config


@ -720,12 +720,10 @@ func (s *integrationTestSuite) newTeleportIoT(t *testing.T, logins []string) *he
tconf := s.defaultServiceConfig()
tconf.Hostname = Host
tconf.SetToken("token")
tconf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: main.Web,
},
}
tconf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: main.Web,
})
tconf.Auth.Enabled = false
@ -2695,12 +2693,10 @@ func testTrustedTunnelNode(t *testing.T, suite *integrationTestSuite) {
tconf := suite.defaultServiceConfig()
tconf.Hostname = tunnelNodeHostname
tconf.SetToken("token")
tconf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: aux.Web,
},
}
tconf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: aux.Web,
})
tconf.Auth.Enabled = false
tconf.Proxy.Enabled = false
tconf.SSH.Enabled = true
@ -3107,12 +3103,10 @@ func testReverseTunnelCollapse(t *testing.T, suite *integrationTestSuite) {
tconf := suite.defaultServiceConfig()
tconf.Hostname = "cluster-main-node"
tconf.SetToken("token")
tconf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: proxyConfig.WebAddr,
},
}
tconf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: proxyConfig.WebAddr,
})
tconf.Auth.Enabled = false
tconf.Proxy.Enabled = false
tconf.SSH.Enabled = true
@ -3248,12 +3242,10 @@ func testDiscoveryNode(t *testing.T, suite *integrationTestSuite) {
tconf := suite.defaultServiceConfig()
tconf.Hostname = "cluster-main-node"
tconf.SetToken("token")
tconf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: main.Web,
},
}
tconf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: main.Web,
})
tconf.Auth.Enabled = false
@ -6303,9 +6295,7 @@ func testListResourcesAcrossClusters(t *testing.T, suite *integrationTestSuite)
conf.DataDir = t.TempDir()
conf.SetToken("token")
conf.UploadEventsC = i.UploadEventsC
conf.AuthServers = []utils.NetAddr{
*utils.MustParseAddr(net.JoinHostPort(i.Hostname, helpers.PortStr(t, i.Web))),
}
conf.SetAuthServerAddress(*utils.MustParseAddr(net.JoinHostPort(i.Hostname, helpers.PortStr(t, i.Web))))
conf.HostUUID = name
conf.Hostname = name
conf.SSH.Enabled = true


@ -178,12 +178,10 @@ func (p *Suite) addNodeToLeafCluster(t *testing.T, tunnelNodeHostname string) {
tconf.Log = utils.NewLoggerForTests()
tconf.Hostname = tunnelNodeHostname
tconf.SetToken("token")
tconf.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: p.leaf.Web,
},
}
tconf.SetAuthServerAddress(utils.NetAddr{
AddrNetwork: "tcp",
Addr: p.leaf.Web,
})
tconf.Auth.Enabled = false
tconf.Proxy.Enabled = false
tconf.SSH.Enabled = true
@ -513,16 +511,12 @@ func mustStartALPNLocalProxyWithConfig(t *testing.T, config alpnproxy.LocalProxy
return lp
}
func makeNodeConfig(nodeName, authAddr string) *service.Config {
func makeNodeConfig(nodeName, proxyAddr string) *service.Config {
nodeConfig := service.MakeDefaultConfig()
nodeConfig.Version = defaults.TeleportConfigVersionV3
nodeConfig.Hostname = nodeName
nodeConfig.SetToken("token")
nodeConfig.AuthServers = []utils.NetAddr{
{
AddrNetwork: "tcp",
Addr: authAddr,
},
}
nodeConfig.ProxyServer = *utils.MustParseAddr(proxyAddr)
nodeConfig.Auth.Enabled = false
nodeConfig.Proxy.Enabled = false
nodeConfig.SSH.Enabled = true


@ -329,7 +329,7 @@ func (p *proxyTunnelStrategy) makeProxy(t *testing.T) {
authAddr := utils.MustParseAddr(p.auth.Auth)
conf := service.MakeDefaultConfig()
conf.AuthServers = append(conf.AuthServers, *authAddr)
conf.SetAuthServerAddress(*authAddr)
conf.SetToken("token")
conf.DataDir = t.TempDir()
@ -372,7 +372,7 @@ func (p *proxyTunnelStrategy) makeNode(t *testing.T) {
})
conf := service.MakeDefaultConfig()
conf.AuthServers = append(conf.AuthServers, utils.FromAddr(p.lb.Addr()))
conf.SetAuthServerAddress(utils.FromAddr(p.lb.Addr()))
conf.SetToken("token")
conf.DataDir = t.TempDir()
@ -414,7 +414,7 @@ func (p *proxyTunnelStrategy) makeDatabase(t *testing.T) {
})
conf := service.MakeDefaultConfig()
conf.AuthServers = append(conf.AuthServers, utils.FromAddr(p.lb.Addr()))
conf.SetAuthServerAddress(utils.FromAddr(p.lb.Addr()))
conf.SetToken("token")
conf.DataDir = t.TempDir()


@ -226,7 +226,7 @@ func TestRegisterBotOnboardFeatureDisabled(t *testing.T) {
ID: IdentityID{
Role: types.RoleBot,
},
Servers: []utils.NetAddr{*utils.MustParseAddr(srv.Addr().String())},
AuthServers: []utils.NetAddr{*utils.MustParseAddr(srv.Addr().String())},
PublicTLSKey: tlsPublicKey,
PublicSSHKey: publicKey,
})
@ -291,7 +291,7 @@ func TestRegisterBotCertificateGenerationCheck(t *testing.T) {
ID: IdentityID{
Role: types.RoleBot,
},
Servers: []utils.NetAddr{*utils.MustParseAddr(srv.Addr().String())},
AuthServers: []utils.NetAddr{*utils.MustParseAddr(srv.Addr().String())},
PublicTLSKey: tlsPublicKey,
PublicSSHKey: publicKey,
})
@ -348,7 +348,7 @@ func TestRegisterBotCertificateGenerationStolen(t *testing.T) {
ID: IdentityID{
Role: types.RoleBot,
},
Servers: []utils.NetAddr{*utils.MustParseAddr(srv.Addr().String())},
AuthServers: []utils.NetAddr{*utils.MustParseAddr(srv.Addr().String())},
PublicTLSKey: tlsPublicKey,
PublicSSHKey: publicKey,
})


@ -344,7 +344,7 @@ func TestRegister_Bot(t *testing.T) {
ID: IdentityID{
Role: types.RoleBot,
},
Servers: []utils.NetAddr{*utils.MustParseAddr(srv.Addr().String())},
AuthServers: []utils.NetAddr{*utils.MustParseAddr(srv.Addr().String())},
PublicTLSKey: tlsPublicKey,
PublicSSHKey: publicKey,
})


@ -91,8 +91,10 @@ type RegisterParams struct {
Token string
// ID is identity ID
ID IdentityID
// Servers is a list of auth servers to dial
Servers []utils.NetAddr
// AuthServers is a list of auth servers to dial
AuthServers []utils.NetAddr
// ProxyServer is a proxy server to dial
ProxyServer utils.NetAddr
// AdditionalPrincipals is a list of additional principals to dial
AdditionalPrincipals []string
// DNSNames is a list of DNS names to add to x509 certificate
@ -124,10 +126,31 @@ type RegisterParams struct {
FIPS bool
}
func (r *RegisterParams) setDefaults() {
func (r *RegisterParams) checkAndSetDefaults() error {
if r.Clock == nil {
r.Clock = clockwork.NewRealClock()
}
if err := r.verifyAuthOrProxyAddress(); err != nil {
return trace.BadParameter("no auth or proxy servers set")
}
return nil
}
func (r *RegisterParams) verifyAuthOrProxyAddress() error {
haveAuthServers := len(r.AuthServers) > 0
haveProxyServer := !r.ProxyServer.IsEmpty()
if !haveAuthServers && !haveProxyServer {
return trace.BadParameter("no auth or proxy servers set")
}
if haveAuthServers && haveProxyServer {
return trace.BadParameter("only one of auth or proxy server should be set")
}
return nil
}
// CredGetter is an interface for a client that can be used to get host
@ -140,7 +163,9 @@ type HostCredentials func(context.Context, string, bool, types.RegisterUsingToke
// tokens to prove a valid auth server was used to issue the joining request
// as well as a method for the node to validate the auth server.
func Register(params RegisterParams) (*proto.Certs, error) {
params.setDefaults()
if err := params.checkAndSetDefaults(); err != nil {
return nil, trace.Wrap(err)
}
// Read in the token. The token can either be passed in or come from a file
// on disk.
token, err := utils.TryReadValueAsFile(params.Token)
@ -163,22 +188,34 @@ func Register(params RegisterParams) (*proto.Certs, error) {
}
}
log.WithField("auth-servers", params.Servers).Debugf("Registering node to the cluster.")
type registerMethod struct {
call func(token string, params RegisterParams) (*proto.Certs, error)
desc string
}
registerThroughAuth := registerMethod{registerThroughAuth, "with auth server"}
registerThroughProxy := registerMethod{registerThroughProxy, "via proxy server"}
registerMethods := []registerMethod{registerThroughAuth, registerThroughProxy}
if params.GetHostCredentials == nil {
log.Debugf("Missing client, it is not possible to register through proxy.")
registerMethods = []registerMethod{registerThroughAuth}
} else if authServerIsProxy(params.Servers) {
log.Debugf("The first specified auth server appears to be a proxy.")
registerMethods = []registerMethod{registerThroughProxy, registerThroughAuth}
if !params.ProxyServer.IsEmpty() {
log.WithField("proxy-server", params.ProxyServer).Debugf("Registering node to the cluster.")
registerMethods = []registerMethod{registerThroughProxy}
if proxyServerIsAuth(params.ProxyServer) {
log.Debugf("The specified proxy server appears to be an auth server.")
}
} else {
log.WithField("auth-servers", params.AuthServers).Debugf("Registering node to the cluster.")
if params.GetHostCredentials == nil {
log.Debugf("Missing client, it is not possible to register through proxy.")
registerMethods = []registerMethod{registerThroughAuth}
} else if authServerIsProxy(params.AuthServers) {
log.Debugf("The first specified auth server appears to be a proxy.")
registerMethods = []registerMethod{registerThroughProxy, registerThroughAuth}
}
}
var collectedErrs []error
@ -206,12 +243,15 @@ func authServerIsProxy(servers []utils.NetAddr) bool {
return port == defaults.HTTPListenPort || port == teleport.StandardHTTPSPort
}
// proxyServerIsAuth returns true if the address given to register with
// appears to be an auth server.
func proxyServerIsAuth(server utils.NetAddr) bool {
port := server.Port(0)
return port == defaults.AuthListenPort
}
// registerThroughProxy is used to register through the proxy server.
func registerThroughProxy(token string, params RegisterParams) (*proto.Certs, error) {
if len(params.Servers) == 0 {
return nil, trace.BadParameter("no auth servers set")
}
var certs *proto.Certs
if params.JoinMethod == types.JoinMethodIAM {
// IAM join method requires gRPC client
@ -228,7 +268,7 @@ func registerThroughProxy(token string, params RegisterParams) (*proto.Certs, er
// params to call proxy HTTP endpoint
var err error
certs, err = params.GetHostCredentials(context.Background(),
params.Servers[0].String(),
getHostAddresses(params)[0],
lib.IsInsecureDevMode(),
types.RegisterUsingTokenRequest{
Token: token,
@ -248,6 +288,14 @@ func registerThroughProxy(token string, params RegisterParams) (*proto.Certs, er
return certs, nil
}
func getHostAddresses(params RegisterParams) []string {
if !params.ProxyServer.IsEmpty() {
return []string{params.ProxyServer.String()}
}
return utils.NetAddrsToStrings(params.AuthServers)
}
// registerThroughAuth is used to register through the auth server.
func registerThroughAuth(token string, params RegisterParams) (*proto.Certs, error) {
var client *Client
@ -295,10 +343,6 @@ func registerThroughAuth(token string, params RegisterParams) (*proto.Certs, err
// proxy. The Proxy's TLS cert will be verified using the host's root CA pool
// (PKI) unless the --insecure flag was passed.
func proxyJoinServiceClient(params RegisterParams) (*client.JoinServiceClient, error) {
if len(params.Servers) == 0 {
return nil, trace.BadParameter("no auth servers set")
}
tlsConfig := utils.TLSConfig(params.CipherSuites)
tlsConfig.Time = params.Clock.Now
// set NextProtos for TLS routing, the actual protocol will be h2
@ -310,7 +354,7 @@ func proxyJoinServiceClient(params RegisterParams) (*client.JoinServiceClient, e
}
conn, err := grpc.Dial(
params.Servers[0].String(),
getHostAddresses(params)[0],
grpc.WithUnaryInterceptor(metadata.UnaryClientInterceptor),
grpc.WithStreamInterceptor(metadata.StreamClientInterceptor),
grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
@ -353,7 +397,7 @@ func insecureRegisterClient(params RegisterParams) (*Client, error) {
}
client, err := NewClient(client.Config{
Addrs: utils.NetAddrsToStrings(params.Servers),
Addrs: getHostAddresses(params),
Credentials: []client.Credentials{
client.LoadTLS(tlsConfig),
},
@ -392,7 +436,7 @@ func pinRegisterClient(params RegisterParams) (*Client, error) {
tlsConfig.InsecureSkipVerify = true
tlsConfig.Time = params.Clock.Now
authClient, err := NewClient(client.Config{
Addrs: utils.NetAddrsToStrings(params.Servers),
Addrs: getHostAddresses(params),
Credentials: []client.Credentials{
client.LoadTLS(tlsConfig),
},
@ -443,7 +487,7 @@ func pinRegisterClient(params RegisterParams) (*Client, error) {
tlsConfig.RootCAs = certPool
authClient, err = NewClient(client.Config{
Addrs: utils.NetAddrsToStrings(params.Servers),
Addrs: getHostAddresses(params),
Credentials: []client.Credentials{
client.LoadTLS(tlsConfig),
},
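Review bot: When `ProxyServer` is set, the new branch in the method-selection block reduces `registerMethods` to `registerThroughProxy` alone without the `params.GetHostCredentials == nil` guard that the auth-servers branch keeps, and the non-IAM path of `registerThroughProxy` (the `params.GetHostCredentials(...)` call further down in this section) then appears to invoke a nil function. Either keep the guard on the proxy branch as well or have `checkAndSetDefaults` reject a proxy-only registration without a credentials getter, e.g. `if !r.ProxyServer.IsEmpty() && r.GetHostCredentials == nil { return trace.BadParameter("GetHostCredentials is required when registering through a proxy") }`. Separately, `checkAndSetDefaults` replaces whatever `verifyAuthOrProxyAddress` returned with the fixed text "no auth or proxy servers set", so the "only one of auth or proxy server should be set" case is reported with the wrong message; `return trace.Wrap(err)` preserves it. The body of `Register` continues outside the hunks shown here.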


@ -2777,8 +2777,8 @@ func TestRegisterCAPin(t *testing.T) {
// Attempt to register with valid CA pin, should work.
_, err = Register(RegisterParams{
Servers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
AuthServers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
ID: IdentityID{
HostUUID: "once",
NodeName: "node-name",
@ -2795,8 +2795,8 @@ func TestRegisterCAPin(t *testing.T) {
// Attempt to register with multiple CA pins where the auth server only
// matches one, should work.
_, err = Register(RegisterParams{
Servers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
AuthServers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
ID: IdentityID{
HostUUID: "once",
NodeName: "node-name",
@ -2812,8 +2812,8 @@ func TestRegisterCAPin(t *testing.T) {
// Attempt to register with invalid CA pin, should fail.
_, err = Register(RegisterParams{
Servers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
AuthServers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
ID: IdentityID{
HostUUID: "once",
NodeName: "node-name",
@ -2829,8 +2829,8 @@ func TestRegisterCAPin(t *testing.T) {
// Attempt to register with multiple invalid CA pins, should fail.
_, err = Register(RegisterParams{
Servers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
AuthServers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
ID: IdentityID{
HostUUID: "once",
NodeName: "node-name",
@ -2865,8 +2865,8 @@ func TestRegisterCAPin(t *testing.T) {
// Attempt to register with multiple CA pins, should work
_, err = Register(RegisterParams{
Servers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
AuthServers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
ID: IdentityID{
HostUUID: "once",
NodeName: "node-name",
@ -2908,8 +2908,8 @@ func TestRegisterCAPath(t *testing.T) {
// Attempt to register with nothing at the CA path, should work.
_, err = Register(RegisterParams{
Servers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
AuthServers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
ID: IdentityID{
HostUUID: "once",
NodeName: "node-name",
@ -2937,8 +2937,8 @@ func TestRegisterCAPath(t *testing.T) {
// Attempt to register with valid CA path, should work.
_, err = Register(RegisterParams{
Servers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
AuthServers: []utils.NetAddr{utils.FromAddr(tt.server.Addr())},
Token: token,
ID: IdentityID{
HostUUID: "once",
NodeName: "node-name",


@ -370,7 +370,7 @@ func newStandaloneTeleport(t *testing.T, clock clockwork.Clock) *standaloneBundl
cfg.Clock = clock
cfg.Console = console
cfg.Log = logger
cfg.AuthServers = []utils.NetAddr{randomAddr} // must be present
cfg.SetAuthServerAddress(randomAddr) // must be present
cfg.Auth.Preference, err = types.NewAuthPreferenceFromConfigFile(types.AuthPreferenceSpecV2{
Type: constants.Local,
SecondFactor: constants.SecondFactorOptional,
@ -453,7 +453,7 @@ func newStandaloneTeleport(t *testing.T, clock clockwork.Clock) *standaloneBundl
cfg.Clock = clock
cfg.Console = console
cfg.Log = logger
cfg.AuthServers = []utils.NetAddr{*authAddr}
cfg.SetAuthServerAddress(*authAddr)
cfg.Auth.Enabled = false
cfg.Proxy.Enabled = true
cfg.Proxy.WebAddr = randomAddr


@ -216,6 +216,9 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
if fc == nil {
return nil
}
applyConfigVersion(fc, cfg)
// merge file-based config with defaults in 'cfg'
if fc.Auth.Disabled() {
cfg.Auth.Enabled = false
@ -253,20 +256,8 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
}
cfg.PIDFile = fc.PIDFile
// config file has auth servers in there?
if len(fc.AuthServers) > 0 {
cfg.AuthServers = make([]utils.NetAddr, 0, len(fc.AuthServers))
for _, as := range fc.AuthServers {
addr, err := utils.ParseHostPortAddr(as, defaults.AuthListenPort)
if err != nil {
return trace.Wrap(err)
}
if err != nil {
return trace.Errorf("cannot parse auth server address: '%v'", as)
}
cfg.AuthServers = append(cfg.AuthServers, *addr)
}
if err := applyAuthOrProxyAddress(fc, cfg); err != nil {
return trace.Wrap(err)
}
if err := applyTokenConfig(fc, cfg); err != nil {
@ -391,8 +382,6 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
}
}
applyConfigVersion(fc, cfg)
// Apply configuration for "auth_service", "proxy_service", "ssh_service",
// and "app_service" if they are enabled.
if fc.Auth.Enabled() {
@ -451,6 +440,72 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
return nil
}
func applyAuthOrProxyAddress(fc *FileConfig, cfg *service.Config) error {
switch cfg.Version {
// For config versions v1 and v2, the auth_servers field can point to an auth
// server or a proxy server
case defaults.TeleportConfigVersionV1, defaults.TeleportConfigVersionV2:
// config file has auth servers in there?
if len(fc.AuthServers) > 0 {
var parsedAddresses []utils.NetAddr
for _, as := range fc.AuthServers {
addr, err := utils.ParseHostPortAddr(as, defaults.AuthListenPort)
if err != nil {
return trace.Wrap(err)
}
parsedAddresses = append(parsedAddresses, *addr)
}
if err := cfg.SetAuthServerAddresses(parsedAddresses); err != nil {
return trace.Wrap(err)
}
}
if fc.AuthServer != "" {
return trace.BadParameter("auth_server is supported from config version v3 onwards")
}
if fc.ProxyServer != "" {
return trace.BadParameter("proxy_server is supported from config version v3 onwards")
}
// From v3 onwards, either auth_server or proxy_server should be set
case defaults.TeleportConfigVersionV3:
if len(fc.AuthServers) > 0 {
return trace.BadParameter("config v3 has replaced auth_servers with either auth_server or proxy_server")
}
haveAuthServer := fc.AuthServer != ""
haveProxyServer := fc.ProxyServer != ""
if haveProxyServer && haveAuthServer {
return trace.BadParameter("only one of auth_server or proxy_server should be set")
}
if haveAuthServer {
addr, err := utils.ParseHostPortAddr(fc.AuthServer, defaults.AuthListenPort)
if err != nil {
return trace.Wrap(err)
}
cfg.SetAuthServerAddress(*addr)
}
if haveProxyServer {
addr, err := utils.ParseHostPortAddr(fc.ProxyServer, defaults.HTTPListenPort)
if err != nil {
return trace.Wrap(err)
}
cfg.ProxyServer = *addr
}
}
return nil
}
func applyLogConfig(loggerConfig Log, cfg *service.Config) error {
logger := log.StandardLogger()
@ -544,7 +599,9 @@ func applyAuthConfig(fc *FileConfig, cfg *service.Config) error {
return trace.Wrap(err)
}
cfg.Auth.ListenAddr = *addr
cfg.AuthServers = append(cfg.AuthServers, *addr)
if len(cfg.AuthServerAddresses()) == 0 {
cfg.SetAuthServerAddress(*addr)
}
}
for _, t := range fc.Auth.ReverseTunnels {
tun, err := t.ConvertAndValidate()
@ -857,8 +914,7 @@ func applyProxyConfig(fc *FileConfig, cfg *service.Config) error {
case legacyKube && newKube:
return trace.BadParameter("proxy_service should either set kube_listen_addr/kube_public_addr or kubernetes.enabled, not both; keep kubernetes.enabled if you don't enable kubernetes_service, or keep kube_listen_addr otherwise")
case !legacyKube && !newKube:
if fc.Version == defaults.TeleportConfigVersionV2 {
// Always enable kube service if using config V2 (TLS routing is supported)
if fc.Version != "" && fc.Version != defaults.TeleportConfigVersionV1 {
cfg.Proxy.Kube.Enabled = true
}
}
@ -955,8 +1011,8 @@ func getPostgresDefaultPort(cfg *service.Config) int {
}
func applyDefaultProxyListenerAddresses(cfg *service.Config) {
if cfg.Version == defaults.TeleportConfigVersionV2 {
// For v2 configuration if an address is not provided don't fallback to the default values.
// From v2 onwards if an address is not provided don't fall back to the default values.
if cfg.Version != "" && cfg.Version != defaults.TeleportConfigVersionV1 {
return
}
@ -1978,13 +2034,18 @@ func Configure(clf *CommandLineFlags, cfg *service.Config) error {
log.Warnf("not starting the local auth service. --auth-server flag tells to connect to another auth server")
cfg.Auth.Enabled = false
}
cfg.AuthServers = make([]utils.NetAddr, 0, len(clf.AuthServerAddr))
authServerAddresses := make([]utils.NetAddr, 0, len(clf.AuthServerAddr))
for _, as := range clf.AuthServerAddr {
addr, err := utils.ParseHostPortAddr(as, defaults.AuthListenPort)
if err != nil {
return trace.BadParameter("cannot parse auth server address: '%v'", as)
}
cfg.AuthServers = append(cfg.AuthServers, *addr)
authServerAddresses = append(authServerAddresses, *addr)
}
if err := cfg.SetAuthServerAddresses(authServerAddresses); err != nil {
return trace.Wrap(err)
}
}
@ -2032,8 +2093,8 @@ func Configure(clf *CommandLineFlags, cfg *service.Config) error {
}
// auth_servers not configured, but the 'auth' is enabled (auth is on localhost)?
if len(cfg.AuthServers) == 0 && cfg.Auth.Enabled {
cfg.AuthServers = append(cfg.AuthServers, cfg.Auth.ListenAddr)
if len(cfg.AuthServerAddresses()) == 0 && cfg.Auth.Enabled {
cfg.SetAuthServerAddress(cfg.Auth.ListenAddr)
}
// add data_dir to the backend config:
@ -2188,23 +2249,24 @@ func splitRoles(roles string) []string {
// applyTokenConfig applies the auth_token and join_params to the config
func applyTokenConfig(fc *FileConfig, cfg *service.Config) error {
if fc.AuthToken != "" {
cfg.JoinMethod = types.JoinMethodToken
cfg.SetToken(fc.AuthToken)
}
if fc.JoinParams != (JoinParams{}) {
if cfg.HasToken() {
if fc.JoinParams != (JoinParams{}) {
return trace.BadParameter("only one of auth_token or join_params should be set")
}
cfg.JoinMethod = types.JoinMethodToken
cfg.SetToken(fc.AuthToken)
return nil
}
if fc.JoinParams != (JoinParams{}) {
cfg.SetToken(fc.JoinParams.TokenName)
switch fc.JoinParams.Method {
case types.JoinMethodEC2, types.JoinMethodIAM, types.JoinMethodToken:
cfg.JoinMethod = fc.JoinParams.Method
default:
return trace.BadParameter(`unknown value for join_params.method: %q, expected one of %v`, fc.JoinParams.Method, []types.JoinMethod{types.JoinMethodEC2, types.JoinMethodIAM, types.JoinMethodToken})
if err := types.ValidateJoinMethod(fc.JoinParams.Method); err != nil {
return trace.Wrap(err)
}
cfg.JoinMethod = fc.JoinParams.Method
}
return nil
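Review bot: `applyAuthOrProxyAddress` switches on `cfg.Version` with cases for v1, v2 and v3 only and no `default`, so a version string outside those three silently ignores `auth_servers`, `auth_server` and `proxy_server` and returns nil. Whether `applyConfigVersion` (now called at the top of `ApplyFileConfig`, body not shown here) already rejects unknown versions is not visible in this diff; if it does not, adding `default: return trace.BadParameter("unsupported config version %q", cfg.Version)` makes a misconfigured node fail at config time instead of starting with no address to connect to. The v3 case also silently accepts neither field being set and relies on `applyAuthConfig` (later in this section) to fill in the local listen address when the auth service is enabled; a comment on that branch such as `// neither set: applyAuthConfig supplies the local listen address for an auth-enabled process` would make the dependency explicit.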


@ -38,14 +38,12 @@ var databaseAgentConfigurationTemplate = template.Must(template.New("").Funcs(da
# Teleport database agent configuration file.
# Configuration reference: https://goteleport.com/docs/database-access/reference/configuration/
#
version: v3
teleport:
nodename: {{ .NodeName }}
data_dir: {{ .DataDir }}
proxy_server: {{ .ProxyServer }}
auth_token: {{ .AuthToken }}
auth_servers:
{{- range .AuthServersAddr }}
- {{ . }}
{{- end }}
{{- if .CAPins }}
ca_pin:
{{- range .CAPins }}
@ -312,7 +310,7 @@ type DatabaseSampleFlags struct {
// the user.
StaticDatabaseStaticLabels map[string]string
// StaticDatabaseDynamicLabels list of database dynamic labels provided by
// the user.
// the user.`
StaticDatabaseDynamicLabels services.CommandLabels
// StaticDatabaseRawLabels "raw" list of database labels provided by the
// user.
@ -321,9 +319,8 @@ type DatabaseSampleFlags struct {
NodeName string
// DataDir `data_dir` configuration.
DataDir string
// ProxyServerAddr is a list of addresses of the auth servers placed on
// the configuration.
AuthServersAddr []string
// ProxyServer is the address of the proxy servers
ProxyServer string
// AuthToken auth server token.
AuthToken string
// CAPins are the SKPI hashes of the CAs used to verify the Auth Server.
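Review bot: The edited doc comment on `StaticDatabaseDynamicLabels` appears to end in a stray backtick (`// the user.\``), which looks like a typo introduced here; it should read `// the user.`. The comment on the new `ProxyServer` field says "address of the proxy servers" although the field is a single string — `// ProxyServer is the address of the proxy server.` matches the v3 `proxy_server` semantics. The template also emits `proxy_server: {{ .ProxyServer }}` unconditionally, so an empty flag produces an empty key; wrapping it in `{{- if .ProxyServer }}` the way `ca_pin` is guarded keeps the generated file minimal.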


@ -25,11 +25,11 @@ import (
func TestMakeDatabaseConfig(t *testing.T) {
t.Run("Global", func(t *testing.T) {
flags := DatabaseSampleFlags{
NodeName: "testlocal",
DataDir: "/var/lib/data",
AuthServersAddr: []string{"localhost:3080"},
AuthToken: "/tmp/token.txt",
CAPins: []string{"pin-1", "pin-2"},
NodeName: "testlocal",
DataDir: "/var/lib/data",
ProxyServer: "localhost:3080",
AuthToken: "/tmp/token.txt",
CAPins: []string{"pin-1", "pin-2"},
}
configString, err := MakeDatabaseAgentConfigString(flags)
@ -40,7 +40,7 @@ func TestMakeDatabaseConfig(t *testing.T) {
require.Equal(t, flags.NodeName, fileConfig.NodeName)
require.Equal(t, flags.DataDir, fileConfig.DataDir)
require.ElementsMatch(t, flags.AuthServersAddr, fileConfig.AuthServers)
require.Equal(t, flags.ProxyServer, fileConfig.ProxyServer)
require.Equal(t, flags.AuthToken, fileConfig.AuthToken)
require.ElementsMatch(t, flags.CAPins, fileConfig.CAPin)
})


@ -160,6 +160,8 @@ type SampleFlags struct {
Roles string
// AuthServer is the address of the auth server
AuthServer string
// ProxyAddress is the address of the proxy
ProxyAddress string
// AppName is the name of the application to start
AppName string
// AppURI is the internal address of the application to proxy
@ -222,6 +224,10 @@ func MakeSampleFileConfig(flags SampleFlags) (fc *FileConfig, err error) {
g.AuthServers = []string{flags.AuthServer}
}
if flags.ProxyAddress != "" {
g.ProxyServer = flags.ProxyAddress
}
g.CAPin = strings.Split(flags.CAPin, ",")
roles := roleMapFromFlags(flags)
@ -311,7 +317,8 @@ func makeSampleAuthConfig(conf *service.Config, flags SampleFlags, enabled bool)
a.LicenseFile = flags.LicensePath
}
if flags.Version == defaults.TeleportConfigVersionV2 {
// from config v2 onwards, we support `proxy_listener_mode`, so we set it to `multiplex`
if flags.Version != defaults.TeleportConfigVersionV1 {
a.ProxyListenerMode = types.ProxyListenerMode_Multiplex
}
} else {
@ -574,12 +581,19 @@ type Global struct {
DataDir string `yaml:"data_dir,omitempty"`
PIDFile string `yaml:"pid_file,omitempty"`
JoinParams JoinParams `yaml:"join_params,omitempty"`
// v1, v2
AuthServers []string `yaml:"auth_servers,omitempty"`
// AuthToken is the old way of configuring the token to be used by the
// node to join the Teleport cluster. `JoinParams.TokenName` should be
// used instead with `JoinParams.JoinMethod = types.JoinMethodToken`.
AuthToken string `yaml:"auth_token,omitempty"`
JoinParams JoinParams `yaml:"join_params,omitempty"`
AuthServers []string `yaml:"auth_servers,omitempty"`
AuthToken string `yaml:"auth_token,omitempty"`
// v3
AuthServer string `yaml:"auth_server,omitempty"`
ProxyServer string `yaml:"proxy_server,omitempty"`
Limits ConnectionLimits `yaml:"connection_limits,omitempty"`
Logger Log `yaml:"log,omitempty"`
Storage backend.Config `yaml:"storage,omitempty"`
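Review bot: `MakeSampleFileConfig` can now populate both `g.AuthServers` (from `flags.AuthServer`, the context line just above the new block) and `g.ProxyServer` (from `flags.ProxyAddress`), while under the v3 rules in this commit `auth_servers` is rejected outright and `auth_server`/`proxy_server` are mutually exclusive, so a sample generated with both flags, or with the auth-server flag on a v3 file, would fail to load. Whether the sample defaults to v3 is not visible in this hunk; if it does, `flags.AuthServer` should feed `g.AuthServer` for v3 and the function should fail early with `trace.BadParameter("only one of auth server and proxy address may be set")` when both flags are given. The new `AuthServer` and `ProxyServer` fields on `Global` carry only a `// v3` marker; doc comments such as `// AuthServer is the address of the single auth server to connect to (config v3+).` would help readers.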


@ -20,13 +20,12 @@ const StaticConfigString = `
#
# Some comments
#
version: v3
teleport:
nodename: edsger.example.com
advertise_ip: 10.10.10.1:3022
pid_file: /var/run/teleport.pid
auth_servers:
- auth0.server.example.org:3024
- auth1.server.example.org:3024
auth_server: auth0.server.example.org:3024
auth_token: xxxyyy
log:
output: stderr
@ -84,14 +83,13 @@ ssh_service:
`
const SmallConfigString = `
version: v3
teleport:
nodename: cat.example.com
advertise_ip: 10.10.10.1
pid_file: /var/run/teleport.pid
auth_token: %v
auth_servers:
- auth0.server.example.org:3024
- auth1.server.example.org:3024
auth_server: auth0.server.example.org:3024
log:
output: stderr
severity: INFO


@ -29,6 +29,7 @@ import (
"github.com/gravitational/teleport"
"github.com/gravitational/teleport/api/defaults"
apiutils "github.com/gravitational/teleport/api/utils"
"github.com/gravitational/teleport/lib/limiter"
"github.com/gravitational/teleport/lib/utils"
@ -816,8 +817,27 @@ const (
TeleportConfigVersionV1 string = "v1"
// TeleportConfigVersionV2 is the teleport proxy configuration v2 version.
TeleportConfigVersionV2 string = "v2"
// TeleportConfigVersionV3 is the teleport proxy configuration v3 version.
TeleportConfigVersionV3 string = "v3"
)
// TeleportConfigVersions is an exported slice of the allowed versions in the config file,
// for convenience (looping through, etc)
var TeleportConfigVersions = []string{
TeleportConfigVersionV1,
TeleportConfigVersionV2,
TeleportConfigVersionV3,
}
func ValidateConfigVersion(version string) error {
hasVersion := apiutils.SliceContainsStr(TeleportConfigVersions, version)
if !hasVersion {
return trace.BadParameter("version must be one of %s", strings.Join(TeleportConfigVersions, ", "))
}
return nil
}
// Default values for tsh and tctl commands.
const (
// Use more human readable format than RFC3339
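Review bot: `ValidateConfigVersion` is exported but has no doc comment; add `// ValidateConfigVersion returns an error unless version is one of TeleportConfigVersions.` above it. Note that the empty string is not in `TeleportConfigVersions`, so a caller that validates before `ApplyDefaults` has set the version to v1 would get an error for an unset version; whether any caller does so is not visible here, but it is worth stating in the doc comment either way.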


@ -90,10 +90,8 @@ type Config struct {
// JoinMethod is the method the instance will use to join the auth server
JoinMethod types.JoinMethod
// AuthServers is a list of auth servers, proxies and peer auth servers to
// connect to. Yes, this is not just auth servers, the field name is
// misleading.
AuthServers []utils.NetAddr
// ProxyServer is the address of the proxy
ProxyServer utils.NetAddr
// Identities is an optional list of pre-generated key pairs
// for teleport roles, this is helpful when server is preconfigured
@ -269,6 +267,49 @@ type Config struct {
// This is private to avoid external packages reading the value - the value should be obtained
// using Token()
token string
// v1, v2 -
// AuthServers is a list of auth servers, proxies and peer auth servers to
// connect to. Yes, this is not just auth servers, the field name is
// misleading.
// v3 -
// AuthServers contains a single address that is set by `auth_server` in the config
// A proxy address would be specified separately, so this no longer contains both
// auth servers and proxies.
//
// In order to keep backwards compatibility between v3 and v2/v1, this is now private
// and the value is retrieved via AuthServerAddresses() and set via SetAuthServerAddresses()
// as we still need to keep multiple addresses and return them for older config versions.
authServers []utils.NetAddr
}
// AuthServerAddresses returns the value of authServers for config versions v1 and v2 and
// will return just the first (as only one should be set) address for config versions v3
// onwards.
func (cfg *Config) AuthServerAddresses() []utils.NetAddr {
return cfg.authServers
}
// SetAuthServerAddresses sets the value of authServers
// If the config version is v1 or v2, it will set the value to all the given addresses (as
// multiple can be specified).
// If the config version is v3 or onwards, it'll error if more than one address is given.
func (cfg *Config) SetAuthServerAddresses(addrs []utils.NetAddr) error {
// from config v3 onwards, we will error if more than one address is given
if cfg.Version != defaults.TeleportConfigVersionV1 && cfg.Version != defaults.TeleportConfigVersionV2 {
if len(addrs) > 1 {
return trace.BadParameter("only one auth server address should be set from config v3 onwards")
}
}
cfg.authServers = addrs
return nil
}
// SetAuthServerAddress sets the value of authServers to a single value
func (cfg *Config) SetAuthServerAddress(addr utils.NetAddr) {
cfg.authServers = []utils.NetAddr{addr}
}
// Token returns token needed to join the auth server
@ -329,7 +370,7 @@ func (cfg *Config) RoleConfig() RoleConfig {
DataDir: cfg.DataDir,
HostUUID: cfg.HostUUID,
HostName: cfg.Hostname,
AuthServers: cfg.AuthServers,
AuthServers: cfg.AuthServerAddresses(),
Auth: cfg.Auth,
Console: cfg.Console,
}
@ -1308,6 +1349,8 @@ func ApplyDefaults(cfg *Config) {
var sc ssh.Config
sc.SetDefaults()
cfg.Version = defaults.TeleportConfigVersionV1
if cfg.Log == nil {
cfg.Log = utils.NewLogger()
}
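Review bot: The doc comment on `AuthServerAddresses` says it "will return just the first ... address for config versions v3 onwards", but the method returns `cfg.authServers` unchanged for every version; either trim the comment to `// AuthServerAddresses returns the configured auth server addresses (at most one from config v3 onwards).` or implement the stated behaviour. `SetAuthServerAddresses` treats any version other than v1 or v2 — including the empty string before `ApplyDefaults` sets `TeleportConfigVersionV1` later in this section — as v3+, so setting multiple addresses before defaults are applied produces the v3 error; a comment on the condition or an explicit `cfg.Version == ""` case would make that ordering dependency visible. The new `ProxyServer` field has no check on the config that it is not set together with `authServers`; that validation appears to live in `RegisterParams` at registration time rather than here.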


@ -253,7 +253,7 @@ func (process *TeleportProcess) connect(role types.SystemRole, opts ...certOptio
}, nil
}
process.log.Infof("Connecting to the cluster %v with TLS client certificate.", identity.ClusterName)
clt, err := process.newClient(process.Config.AuthServers, identity)
clt, err := process.newClient(identity)
if err != nil {
// In the event that a user is attempting to connect a machine to
// a different cluster it will give a cryptic warning about an
@ -282,7 +282,7 @@ func (process *TeleportProcess) connect(role types.SystemRole, opts ...certOptio
ServerIdentity: identity,
}, nil
}
clt, err := process.newClient(process.Config.AuthServers, identity)
clt, err := process.newClient(identity)
if err != nil {
return nil, trace.Wrap(err)
}
@ -304,7 +304,7 @@ func (process *TeleportProcess) connect(role types.SystemRole, opts ...certOptio
ServerIdentity: identity,
}, nil
}
clt, err := process.newClient(process.Config.AuthServers, newIdentity)
clt, err := process.newClient(newIdentity)
if err != nil {
return nil, trace.Wrap(err)
}
@ -326,7 +326,7 @@ func (process *TeleportProcess) connect(role types.SystemRole, opts ...certOptio
ServerIdentity: newIdentity,
}, nil
}
clt, err := process.newClient(process.Config.AuthServers, newIdentity)
clt, err := process.newClient(newIdentity)
if err != nil {
return nil, trace.Wrap(err)
}
@ -346,7 +346,7 @@ func (process *TeleportProcess) connect(role types.SystemRole, opts ...certOptio
ServerIdentity: identity,
}, nil
}
clt, err := process.newClient(process.Config.AuthServers, identity)
clt, err := process.newClient(identity)
if err != nil {
return nil, trace.Wrap(err)
}
@ -511,7 +511,7 @@ func (process *TeleportProcess) firstTimeConnectWithAssertions(role types.System
}
process.deleteKeyPair(role, reason)
clt, err := process.newClient(process.Config.AuthServers, identity)
clt, err := process.newClient(identity)
if err != nil {
return nil, trace.Wrap(err)
}
@ -591,17 +591,23 @@ func (process *TeleportProcess) firstTimeConnect(role types.SystemRole) (*Connec
return nil, trace.Wrap(err)
}
dataDir := defaults.DataDir
if process.Config.DataDir != "" {
dataDir = process.Config.DataDir
}
certs, err := auth.Register(auth.RegisterParams{
Token: token,
ID: id,
Servers: process.Config.AuthServers,
AuthServers: process.Config.AuthServerAddresses(),
ProxyServer: process.Config.ProxyServer,
AdditionalPrincipals: additionalPrincipals,
DNSNames: dnsNames,
PublicTLSKey: keyPair.PublicTLSKey,
PublicSSHKey: keyPair.PublicSSHKey,
CipherSuites: process.Config.CipherSuites,
CAPins: process.Config.CAPins,
CAPath: filepath.Join(defaults.DataDir, defaults.CACertFile),
CAPath: filepath.Join(dataDir, defaults.CACertFile),
GetHostCredentials: client.HostCredentials,
Clock: process.Clock,
JoinMethod: process.Config.JoinMethod,
@ -631,7 +637,7 @@ func (process *TeleportProcess) firstTimeConnect(role types.SystemRole) (*Connec
ServerIdentity: identity,
}
} else {
clt, err := process.newClient(process.Config.AuthServers, identity)
clt, err := process.newClient(identity)
if err != nil {
return nil, trace.Wrap(err)
}
@ -1042,55 +1048,99 @@ func (process *TeleportProcess) rotate(conn *Connector, localState auth.StateV2,
}
}
// newClient attempts to connect directly to the Auth Server. If it fails, it
// falls back to trying to connect to the Auth Server through the proxy.
// The proxy address might be configured in process environment as apidefaults.TunnelPublicAddrEnvar
// in which case, no attempt at discovering the reverse tunnel address is made.
func (process *TeleportProcess) newClient(authServers []utils.NetAddr, identity *auth.Identity) (*auth.Client, error) {
// newClient attempts to connect to either the proxy server or auth server
// For config v3 and onwards, it will only connect to either the proxy (via tunnel) or the auth server (direct),
// depending on what was specified in the config.
// For config v1 and v2, it will attempt to direct dial the auth server, and fallback to trying to tunnel
// to the Auth Server through the proxy.
func (process *TeleportProcess) newClient(identity *auth.Identity) (*auth.Client, error) {
tlsConfig, err := identity.TLSConfig(process.Config.CipherSuites)
if err != nil {
return nil, trace.Wrap(err)
}
logger := process.log.WithField("auth-addrs", utils.NetAddrsToStrings(authServers))
logger.Debug("Attempting to connect to Auth Server directly.")
directClient, directErr := process.newClientDirect(authServers, tlsConfig, identity.ID.Role)
if directErr == nil {
logger.Debug("Connected to Auth Server with direct connection.")
return directClient, nil
}
logger.Debug("Failed to connect to Auth Server directly.")
// Don't attempt to connect through a tunnel as a proxy or auth server.
if identity.ID.Role == types.RoleAuth || identity.ID.Role == types.RoleProxy {
return nil, trace.Wrap(directErr)
}
logger.Debug("Attempting to discover reverse tunnel address.")
logger.Debug("Attempting to connect to Auth Server through tunnel.")
sshClientConfig, err := identity.SSHClientConfig(process.Config.FIPS)
if err != nil {
return nil, trace.Wrap(err)
}
tunnelClient, err := process.newClientThroughTunnel(authServers, tlsConfig, sshClientConfig)
if err != nil {
process.log.Errorf("Node failed to establish connection to Teleport Proxy. We have tried the following endpoints:")
process.log.Errorf("- connecting to auth server directly: %v", directErr)
if trace.IsConnectionProblem(err) && strings.Contains(err.Error(), "connection refused") {
err = trace.Wrap(err, "This is the alternative port we tried and it's not configured.")
authServers := process.Config.AuthServerAddresses()
connectToAuthServer := func(logger *logrus.Entry) (*auth.Client, error) {
logger.Debug("Attempting to connect to Auth Server directly.")
client, err := process.newClientDirect(authServers, tlsConfig, identity.ID.Role)
if err != nil {
logger.Debug("Failed to connect to Auth Server directly.")
return nil, err
}
process.log.Errorf("- connecting to auth server through tunnel: %v", err)
collectedErrs := trace.NewAggregate(directErr, err)
if utils.IsUntrustedCertErr(collectedErrs) {
collectedErrs = trace.WrapWithMessage(collectedErrs, utils.SelfSignedCertsMsg)
}
return nil, trace.WrapWithMessage(collectedErrs,
"Failed to connect to Auth Server directly or over tunnel, no methods remaining.")
logger.Debug("Connected to Auth Server with direct connection.")
return client, nil
}
logger.Debug("Connected to Auth Server through tunnel.")
return tunnelClient, nil
switch process.Config.Version {
// for config v1 and v2, attempt to directly connect to the auth server and fall back to tunneling
case defaults.TeleportConfigVersionV1, defaults.TeleportConfigVersionV2:
// if we don't have a proxy address, try to connect to the auth server directly
logger := process.log.WithField("auth-addrs", utils.NetAddrsToStrings(authServers))
directClient, directErr := connectToAuthServer(logger)
if directErr == nil {
return directClient, nil
}
// Don't attempt to connect through a tunnel as a proxy or auth server.
if identity.ID.Role == types.RoleAuth || identity.ID.Role == types.RoleProxy {
return nil, trace.Wrap(directErr)
}
// if that fails, attempt to connect to the auth server through a tunnel
logger.Debug("Attempting to discover reverse tunnel address.")
logger.Debug("Attempting to connect to Auth Server through tunnel.")
tunnelClient, err := process.newClientThroughTunnel(authServers, tlsConfig, sshClientConfig)
if err != nil {
process.log.Errorf("Node failed to establish connection to Teleport Proxy. We have tried the following endpoints:")
process.log.Errorf("- connecting to auth server directly: %v", directErr)
if trace.IsConnectionProblem(err) && strings.Contains(err.Error(), "connection refused") {
err = trace.Wrap(err, "This is the alternative port we tried and it's not configured.")
}
process.log.Errorf("- connecting to auth server through tunnel: %v", err)
collectedErrs := trace.NewAggregate(directErr, err)
if utils.IsUntrustedCertErr(collectedErrs) {
collectedErrs = trace.WrapWithMessage(collectedErrs, utils.SelfSignedCertsMsg)
}
return nil, trace.WrapWithMessage(collectedErrs,
"Failed to connect to Auth Server directly or over tunnel, no methods remaining.")
}
logger.Debug("Connected to Auth Server through tunnel.")
return tunnelClient, nil
// for config v3, either tunnel to the given proxy server or directly connect to the given auth server
case defaults.TeleportConfigVersionV3:
proxyServer := process.Config.ProxyServer
if !proxyServer.IsEmpty() {
logger := process.log.WithField("proxy-server", proxyServer.String())
logger.Debug("Attempting to connect to Auth Server through tunnel.")
tunnelClient, err := process.newClientThroughTunnel([]utils.NetAddr{proxyServer}, tlsConfig, sshClientConfig)
if err != nil {
return nil, trace.Errorf("Failed to connect to Proxy Server through tunnel: %v", err)
}
logger.Debug("Connected to Auth Server through tunnel.")
return tunnelClient, nil
}
// if we don't have a proxy address, try to connect to the auth server directly
logger := process.log.WithField("auth-server", utils.NetAddrsToStrings(authServers))
return connectToAuthServer(logger)
}
return nil, trace.NotImplemented("could not find connection strategy for config version %s", process.Config.Version)
}
func (process *TeleportProcess) newClientThroughTunnel(authServers []utils.NetAddr, tlsConfig *tls.Config, sshConfig *ssh.ClientConfig) (*auth.Client, error) {
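Review bot: The `case defaults.TeleportConfigVersionV3` branch drops two safeguards the v1/v2 branch keeps: there is no RoleAuth/RoleProxy check before tunnelling (the v1/v2 path refuses that under "Don't attempt to connect through a tunnel as a proxy or auth server"), and the tunnel failure is flattened with `trace.Errorf("Failed to connect to Proxy Server through tunnel: %v", err)`, which discards trace's error classification and skips the `utils.IsUntrustedCertErr` / `utils.SelfSignedCertsMsg` hint, so a certificate-trust failure against the proxy is reported as a generic connection error with no guidance. If tunnelling is intentionally allowed for those roles under v3 the guard can stay out, but the error should at least go through `trace.Wrap` so callers can still inspect the cause. The direct-fallback logger also uses the field name `auth-server` where the v1/v2 path uses `auth-addrs` for the same value. newClientThroughTunnel's body continues outside the hunk.
```go
	case defaults.TeleportConfigVersionV3:
		proxyServer := process.Config.ProxyServer
		if !proxyServer.IsEmpty() {
			// Mirror the v1/v2 path: the Auth and Proxy services reach Auth directly, never via a tunnel.
			if identity.ID.Role == types.RoleAuth || identity.ID.Role == types.RoleProxy {
				return nil, trace.BadParameter("proxy_server cannot be used by the %v role, set auth_server instead", identity.ID.Role)
			}
			logger := process.log.WithField("proxy-server", proxyServer.String())
			logger.Debug("Attempting to connect to Auth Server through tunnel.")
			tunnelClient, err := process.newClientThroughTunnel([]utils.NetAddr{proxyServer}, tlsConfig, sshClientConfig)
			if err != nil {
				// Keep the error type and the self-signed-cert hint the v1/v2 path provides.
				if utils.IsUntrustedCertErr(err) {
					err = trace.WrapWithMessage(err, utils.SelfSignedCertsMsg)
				}
				return nil, trace.Wrap(err, "failed to connect to Proxy Server through tunnel")
			}
			// … unchanged: success log and return …
		}
		// … unchanged: direct auth server fallback …
```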


@ -86,9 +86,9 @@ func (process *TeleportProcess) initWindowsDesktopServiceRegistered(log *logrus.
// Filter out cases where both listen_addr and tunnel are set or both are
// not set.
case useTunnel && !cfg.WindowsDesktop.ListenAddr.IsEmpty():
return trace.BadParameter("either set windows_desktop_service.listen_addr if this process can be reached from a teleport proxy or point teleport.auth_servers to a proxy to dial out, but don't set both")
return trace.BadParameter("either set windows_desktop_service.listen_addr if this process can be reached from a teleport proxy or point teleport.proxy_server to a proxy to dial out, but don't set both")
case !useTunnel && cfg.WindowsDesktop.ListenAddr.IsEmpty():
return trace.BadParameter("set windows_desktop_service.listen_addr if this process can be reached from a teleport proxy or point teleport.auth_servers to a proxy to dial out")
return trace.BadParameter("set windows_desktop_service.listen_addr if this process can be reached from a teleport proxy or point teleport.proxy_server to a proxy to dial out")
// Start a local listener and let proxies dial in.
case !useTunnel && !cfg.WindowsDesktop.ListenAddr.IsEmpty():
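Review bot: Both rewritten BadParameter messages now tell the operator to "point teleport.proxy_server to a proxy", but the new validateAuthOrProxyServices rejects proxy_server for v1 and v2 files (`proxy_server is supported from config version v3 onwards`), so the hint is wrong for anyone still on those versions; the same applies to the two messages in the kubernetes service section. Consider wording that covers both, e.g. `... or point teleport.proxy_server (teleport.auth_servers on config v1/v2) to a proxy to dial out`. The enclosing switch starts before the hunk.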


@ -86,7 +86,7 @@ func (process *TeleportProcess) initKubernetesService(log *logrus.Entry, conn *C
// Filter out cases where both listen_addr and tunnel are set or both are
// not set.
case conn.UseTunnel() && !cfg.Kube.ListenAddr.IsEmpty():
return trace.BadParameter("either set kubernetes_service.listen_addr if this process can be reached from a teleport proxy or point teleport.auth_servers to a proxy to dial out, but don't set both")
return trace.BadParameter("either set kubernetes_service.listen_addr if this process can be reached from a teleport proxy or point teleport.proxy_server to a proxy to dial out, but don't set both")
case !conn.UseTunnel() && cfg.Kube.ListenAddr.IsEmpty():
// TODO(awly): if this process runs auth, proxy and kubernetes
// services, the proxy should be able to route requests to this
@ -96,7 +96,7 @@ func (process *TeleportProcess) initKubernetesService(log *logrus.Entry, conn *C
//
// For now, as a lazy shortcut, kuberentes_service.listen_addr is
// always required when running in the same process with a proxy.
return trace.BadParameter("set kubernetes_service.listen_addr if this process can be reached from a teleport proxy or point teleport.auth_servers to a proxy to dial out")
return trace.BadParameter("set kubernetes_service.listen_addr if this process can be reached from a teleport proxy or point teleport.proxy_server to a proxy to dial out")
// Start a local listener and let proxies dial in.
case !conn.UseTunnel() && !cfg.Kube.ListenAddr.IsEmpty():


@ -48,7 +48,7 @@ func (p *proxySettings) GetProxySettings(ctx context.Context) (*webclient.ProxyS
}
switch p.cfg.Version {
case defaults.TeleportConfigVersionV2:
case defaults.TeleportConfigVersionV2, defaults.TeleportConfigVersionV3:
return p.buildProxySettingsV2(resp.GetProxyListenerMode()), nil
default:
return p.buildProxySettings(resp.GetProxyListenerMode()), nil


@ -969,15 +969,15 @@ func NewTeleport(cfg *Config, opts ...NewTeleportOption) (*TeleportProcess, erro
// if user started auth and another service (without providing the auth address for
// that service, the address of the in-process auth will be used
if process.Config.Auth.Enabled && len(process.Config.AuthServers) == 0 {
process.Config.AuthServers = []utils.NetAddr{process.Config.Auth.ListenAddr}
if process.Config.Auth.Enabled && len(process.Config.AuthServerAddresses()) == 0 {
process.Config.SetAuthServerAddress(process.Config.Auth.ListenAddr)
}
if len(process.Config.AuthServers) != 0 && process.Config.AuthServers[0].Port(0) == 0 {
if len(process.Config.AuthServerAddresses()) != 0 && process.Config.AuthServerAddresses()[0].Port(0) == 0 {
// port appears undefined, attempt early listener creation so that we can get the real port
listener, err := process.importOrCreateListener(ListenerAuth, process.Config.Auth.ListenAddr.Addr)
if err == nil {
process.Config.AuthServers = []utils.NetAddr{utils.FromAddr(listener.Addr())}
process.Config.SetAuthServerAddress(utils.FromAddr(listener.Addr()))
}
}
@ -3456,7 +3456,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
NodeWatcher: nodeWatcher,
CertAuthorityWatcher: caWatcher,
CircuitBreakerConfig: process.Config.CircuitBreakerConfig,
LocalAuthAddresses: utils.NetAddrsToStrings(process.Config.AuthServers),
LocalAuthAddresses: utils.NetAddrsToStrings(process.Config.AuthServerAddresses()),
})
if err != nil {
return trace.Wrap(err)
@ -3507,7 +3507,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
webConfig := web.Config{
Proxy: tsrv,
AuthServers: cfg.AuthServers[0],
AuthServers: cfg.AuthServerAddresses()[0],
DomainName: cfg.Hostname,
ProxyClient: conn.Client,
ProxySSHAddr: proxySSHAddr,
@ -3676,7 +3676,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
ReverseTunnelServer: tsrv,
FIPS: process.Config.FIPS,
Log: rcWatchLog,
LocalAuthAddresses: utils.NetAddrsToStrings(process.Config.AuthServers),
LocalAuthAddresses: utils.NetAddrsToStrings(process.Config.AuthServerAddresses()),
})
if err != nil {
return trace.Wrap(err)
@ -3873,7 +3873,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
var alpnServer *alpnproxy.Proxy
if !cfg.Proxy.DisableTLS && !cfg.Proxy.DisableALPNSNIListener && listeners.web != nil {
authDialerService := alpnproxyauth.NewAuthProxyDialerService(tsrv, clusterName, utils.NetAddrsToStrings(process.Config.AuthServers))
authDialerService := alpnproxyauth.NewAuthProxyDialerService(tsrv, clusterName, utils.NetAddrsToStrings(process.Config.AuthServerAddresses()))
alpnRouter.Add(alpnproxy.HandlerDecs{
MatchFunc: alpnproxy.MatchByALPNPrefix(string(alpncommon.ProtocolAuth)),
HandlerWithConnInfo: authDialerService.HandleConnection,
@ -4649,47 +4649,6 @@ func (process *TeleportProcess) Close() error {
return trace.NewAggregate(errors...)
}
func validateConfig(cfg *Config) error {
if !cfg.Auth.Enabled && !cfg.SSH.Enabled && !cfg.Proxy.Enabled && !cfg.Kube.Enabled && !cfg.Apps.Enabled && !cfg.Databases.Enabled && !cfg.WindowsDesktop.Enabled && !cfg.Discovery.Enabled {
return trace.BadParameter(
"config: enable at least one of auth_service, ssh_service, proxy_service, app_service, database_service, kubernetes_service, windows_desktop_service or discovery_service")
}
if cfg.DataDir == "" {
return trace.BadParameter("config: please supply data directory")
}
if cfg.Console == nil {
cfg.Console = io.Discard
}
if cfg.Log == nil {
cfg.Log = logrus.StandardLogger()
}
if len(cfg.AuthServers) == 0 {
return trace.BadParameter("auth_servers is empty")
}
for i := range cfg.Auth.Authorities {
if err := services.ValidateCertAuthority(cfg.Auth.Authorities[i]); err != nil {
return trace.Wrap(err)
}
}
for _, tun := range cfg.ReverseTunnels {
if err := services.ValidateReverseTunnel(tun); err != nil {
return trace.Wrap(err)
}
}
if cfg.PollingPeriod == 0 {
cfg.PollingPeriod = defaults.LowResPollingPeriod
}
cfg.SSH.Namespace = types.ProcessNamespace(cfg.SSH.Namespace)
return nil
}
// initSelfSignedHTTPSCert generates and self-signs a TLS key+cert pair for https connection
// to the proxy server.
func initSelfSignedHTTPSCert(cfg *Config) (err error) {
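Review bot: `AuthServers: cfg.AuthServerAddresses()[0]` in initProxyEndpoint indexes without a length check; under v3 the new validator accepts proxy_server without auth_server, and NewTeleport only fills in an address when auth_service is enabled, so as far as this diff shows a proxy-only v3 process configured with proxy_server would panic here rather than fail validation. Either reject proxy_server when proxy_service is enabled in validateAuthOrProxyServices, or guard the index, e.g. `if len(cfg.AuthServerAddresses()) == 0 { return trace.BadParameter("config: proxy_service requires auth_server") }` before webConfig is built. initProxyEndpoint's body extends well beyond these hunks.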


@ -95,7 +95,7 @@ func TestMonitor(t *testing.T) {
var err error
cfg.DataDir = t.TempDir()
cfg.DiagnosticAddr = utils.NetAddr{AddrNetwork: "tcp", Addr: "127.0.0.1:0"}
cfg.AuthServers = []utils.NetAddr{{AddrNetwork: "tcp", Addr: "127.0.0.1:0"}}
cfg.SetAuthServerAddress(utils.NetAddr{AddrNetwork: "tcp", Addr: "127.0.0.1:0"})
cfg.Auth.Enabled = true
cfg.Auth.StorageConfig.Params["path"] = t.TempDir()
cfg.Auth.ListenAddr = utils.NetAddr{AddrNetwork: "tcp", Addr: "127.0.0.1:0"}
@ -459,7 +459,7 @@ func TestDesktopAccessFIPS(t *testing.T) {
// Create and configure a default Teleport configuration.
cfg := MakeDefaultConfig()
cfg.AuthServers = []utils.NetAddr{{AddrNetwork: "tcp", Addr: "127.0.0.1:0"}}
cfg.SetAuthServerAddress(utils.NetAddr{AddrNetwork: "tcp", Addr: "127.0.0.1:0"})
cfg.Clock = clockwork.NewFakeClock()
cfg.DataDir = t.TempDir()
cfg.Auth.Enabled = false
@ -580,7 +580,7 @@ func TestTeleportProcess_reconnectToAuth(t *testing.T) {
clock := clockwork.NewFakeClock()
// Create and configure a default Teleport configuration.
cfg := MakeDefaultConfig()
cfg.AuthServers = []utils.NetAddr{{AddrNetwork: "tcp", Addr: "127.0.0.1:0"}}
cfg.SetAuthServerAddress(utils.NetAddr{AddrNetwork: "tcp", Addr: "127.0.0.1:0"})
cfg.Clock = clock
cfg.DataDir = t.TempDir()
cfg.Auth.Enabled = false
@ -641,7 +641,7 @@ func TestTeleportProcessAuthVersionCheck(t *testing.T) {
// Create Node process.
nodeCfg := MakeDefaultConfig()
nodeCfg.AuthServers = []utils.NetAddr{listenAddr}
nodeCfg.SetAuthServerAddress(listenAddr)
nodeCfg.DataDir = t.TempDir()
nodeCfg.SetToken(token)
nodeCfg.Auth.Enabled = false
@ -669,7 +669,7 @@ func TestTeleportProcessAuthVersionCheck(t *testing.T) {
require.NoError(t, err)
authCfg := MakeDefaultConfig()
authCfg.AuthServers = []utils.NetAddr{listenAddr}
authCfg.SetAuthServerAddress(listenAddr)
authCfg.DataDir = t.TempDir()
authCfg.Auth.Enabled = true
authCfg.Auth.StaticTokens = staticTokens


@ -0,0 +1,159 @@
/*
Copyright 2022 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package service
import (
"io"
"github.com/gravitational/teleport"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/trace"
"github.com/sirupsen/logrus"
)
func validateConfig(cfg *Config) error {
applyDefaults(cfg)
if err := defaults.ValidateConfigVersion(cfg.Version); err != nil {
return err
}
if err := verifyEnabledService(cfg); err != nil {
return err
}
if err := validateAuthOrProxyServices(cfg); err != nil {
return err
}
if cfg.DataDir == "" {
return trace.BadParameter("config: please supply data directory")
}
for i := range cfg.Auth.Authorities {
if err := services.ValidateCertAuthority(cfg.Auth.Authorities[i]); err != nil {
return trace.Wrap(err)
}
}
for _, tun := range cfg.ReverseTunnels {
if err := services.ValidateReverseTunnel(tun); err != nil {
return trace.Wrap(err)
}
}
cfg.SSH.Namespace = types.ProcessNamespace(cfg.SSH.Namespace)
return nil
}
func applyDefaults(cfg *Config) {
if cfg.Version == "" {
cfg.Version = defaults.TeleportConfigVersionV1
}
if cfg.Console == nil {
cfg.Console = io.Discard
}
if cfg.Log == nil {
cfg.Log = logrus.StandardLogger()
}
if cfg.PollingPeriod == 0 {
cfg.PollingPeriod = defaults.LowResPollingPeriod
}
}
func validateAuthOrProxyServices(cfg *Config) error {
haveAuthServers := len(cfg.authServers) > 0
haveProxyServer := !cfg.ProxyServer.IsEmpty()
if cfg.Version == defaults.TeleportConfigVersionV3 {
if haveAuthServers && haveProxyServer {
return trace.BadParameter("config: cannot use both auth_server and proxy_server")
}
if !haveAuthServers && !haveProxyServer {
return trace.BadParameter("config: auth_server or proxy_server is required")
}
if !cfg.Auth.Enabled {
if haveAuthServers && cfg.Apps.Enabled {
return trace.BadParameter("config: when app_service is enabled, proxy_server must be specified instead of auth_server")
}
if haveAuthServers && cfg.Databases.Enabled {
return trace.BadParameter("config: when db_service is enabled, proxy_server must be specified instead of auth_server")
}
}
if haveProxyServer {
port := cfg.ProxyServer.Port(0)
if port == defaults.AuthListenPort {
cfg.Log.Warnf("config: proxy_server is pointing to port %d, is this the auth server address?", defaults.AuthListenPort)
}
}
if haveAuthServers {
authServerPort := cfg.authServers[0].Port(0)
checkPorts := []int{defaults.HTTPListenPort, teleport.StandardHTTPSPort}
for _, port := range checkPorts {
if authServerPort == port {
cfg.Log.Warnf("config: auth_server is pointing to port %d, is this the proxy server address?", port)
}
}
}
return nil
}
if haveProxyServer {
return trace.BadParameter("config: proxy_server is supported from config version v3 onwards")
}
if !haveAuthServers {
return trace.BadParameter("config: auth_servers is required")
}
return nil
}
func verifyEnabledService(cfg *Config) error {
enabled := []bool{
cfg.Auth.Enabled,
cfg.SSH.Enabled,
cfg.Proxy.Enabled,
cfg.Kube.Enabled,
cfg.Apps.Enabled,
cfg.Databases.Enabled,
cfg.WindowsDesktop.Enabled,
cfg.Discovery.Enabled,
}
for _, item := range enabled {
if item {
return nil
}
}
return trace.BadParameter(
"config: enable at least one of auth_service, ssh_service, proxy_service, app_service, database_service, kubernetes_service, windows_desktop_service or discover_service")
}


@ -0,0 +1,120 @@
/*
*
* Copyright 2015-2022 Gravitational, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* /
*
*/
package service
import (
"fmt"
"strings"
"testing"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/utils"
"github.com/stretchr/testify/require"
)
func TestValidateConfig(t *testing.T) {
tests := []struct {
desc string
config *Config
err string
}{
{
desc: "invalid version",
config: &Config{
Version: "v1.1",
},
err: fmt.Sprintf("version must be one of %s", strings.Join(defaults.TeleportConfigVersions, ", ")),
},
{
desc: "no service enabled",
config: &Config{
Version: defaults.TeleportConfigVersionV2,
},
err: "config: enable at least one of auth_service, ssh_service, proxy_service, app_service, database_service, kubernetes_service, windows_desktop_service or discover_service",
},
{
desc: "no auth_servers or proxy_server specified",
config: &Config{
Version: defaults.TeleportConfigVersionV3,
Auth: AuthConfig{
Enabled: true,
},
},
err: "config: auth_server or proxy_server is required",
},
{
desc: "no auth_servers specified",
config: &Config{
Version: defaults.TeleportConfigVersionV2,
Auth: AuthConfig{
Enabled: true,
},
},
err: "config: auth_servers is required",
},
{
desc: "specifying proxy_server with the wrong config version",
config: &Config{
Version: defaults.TeleportConfigVersionV2,
Auth: AuthConfig{
Enabled: true,
},
ProxyServer: *utils.MustParseAddr("0.0.0.0"),
},
err: "config: proxy_server is supported from config version v3 onwards",
},
{
desc: "specifying auth_server when app_service is enabled",
config: &Config{
Version: defaults.TeleportConfigVersionV3,
Apps: AppsConfig{
Enabled: true,
},
DataDir: "/",
authServers: []utils.NetAddr{*utils.MustParseAddr("0.0.0.0")},
},
err: "config: when app_service is enabled, proxy_server must be specified instead of auth_server",
},
{
desc: "specifying auth_server when db_service is enabled",
config: &Config{
Version: defaults.TeleportConfigVersionV3,
Databases: DatabasesConfig{
Enabled: true,
},
DataDir: "/",
authServers: []utils.NetAddr{*utils.MustParseAddr("0.0.0.0")},
},
err: "config: when db_service is enabled, proxy_server must be specified instead of auth_server",
},
}
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
err := validateConfig(test.config)
if test.err == "" {
require.NoError(t, err)
} else {
require.EqualError(t, err, test.err)
}
})
}
}
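Review bot: TestValidateConfig has no case with `err: ""`, so the `require.NoError` branch is dead and the new validator's happy path is never exercised; add a v3 case with a service enabled, `DataDir` set and exactly one of `authServers`/`ProxyServer` populated. The "no service enabled" expectation also hard-codes the `discover_service` spelling, so correcting that message means updating this table too. The license header has a stray `* /` line that should read `*/` or be dropped.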


@ -464,7 +464,7 @@ func (b *Bot) getIdentityFromToken() (*identity.Identity, error) {
ID: auth.IdentityID{
Role: types.RoleBot,
},
Servers: []utils.NetAddr{*addr},
AuthServers: []utils.NetAddr{*addr},
PublicTLSKey: tlsPublicKey,
PublicSSHKey: sshPublicKey,
CAPins: b.cfg.Onboarding.CAPins,


@ -159,7 +159,7 @@ func MakeBotAuthClient(t *testing.T, fc *config.FileConfig, ident *identity.Iden
authConfig.TLS, err = ident.TLSConfig(cfg.CipherSuites)
require.NoError(t, err)
authConfig.AuthServers = cfg.AuthServers
authConfig.AuthServers = cfg.AuthServerAddresses()
authConfig.Log = cfg.Log
client, err := authclient.Connect(context.Background(), authConfig)
@ -188,7 +188,7 @@ func MakeDefaultAuthClient(t *testing.T, log utils.Logger, fc *config.FileConfig
authConfig.TLS, err = identity.TLSConfig(cfg.CipherSuites)
require.NoError(t, err)
authConfig.AuthServers = cfg.AuthServers
authConfig.AuthServers = cfg.AuthServerAddresses()
authConfig.Log = log
client, err := authclient.Connect(context.Background(), authConfig)
@ -239,7 +239,7 @@ func MakeMemoryBotConfig(t *testing.T, fc *config.FileConfig, botParams *proto.C
require.NoError(t, err)
cfg := &botconfig.BotConfig{
AuthServer: authCfg.AuthServers[0].String(),
AuthServer: authCfg.AuthServerAddresses()[0].String(),
Onboarding: &botconfig.OnboardingConfig{
JoinMethod: botParams.JoinMethod,
},


@ -140,9 +140,10 @@ $COMPUTER_IP = (Resolve-DnsName -Type A $Env:COMPUTERNAME).Address
$LDAP_ADDR="$COMPUTER_IP" + ":636"
$DESKTOP_ACCESS_CONFIG_YAML=@'
version v3
teleport:
auth_token: {0}
auth_servers: [ {1} ]
proxy_server: {1}
auth_service:
enabled: no
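Review bot: The added line `version v3` is missing the colon, so the emitted YAML carries no `version` key; the generated desktop access config will either fail to parse or be treated as the default config version, where the `proxy_server` key added just below is rejected (`proxy_server is supported from config version v3 onwards`). Change it to `version: v3` to match the other config templates in this commit. The here-string continues outside the hunk.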


@ -54,10 +54,10 @@ Required arguments:
| Flag | Description | Example value | Required |
| - | - | - | - |
| `-v` | Teleport version | `4.3.5` | yes |
| `-h` | Hostname for the Teleport auth/proxy server | `teleport.example.com` | yes |
| `-h` | Hostname for the Teleport Proxy Service | `teleport.example.com` | yes |
| `-j` | A valid node join token | `ool7ahpo4thohmeuS1gieY7laiwae7oo` | yes |
| `-c` | The CA pin hash of the cluster being joined | `sha256:6abdd3a143a230fd31c9706d668bba3ee25a6e0eec54fcd69680c1ec0530fe9c` | yes |
| `-p` | Port connect to on the Teleport auth/proxy server | `3080` | no |
| `-p` | Port connect to on the Teleport Proxy Service | `3080` | no |
If any of these arguments is not provided via CLI flags, they will be requested interactively at runtime.


@ -414,12 +414,12 @@ install_teleport_app_config() {
log "Writing Teleport app service config to ${TELEPORT_CONFIG_PATH}"
CA_PINS_CONFIG=$(get_yaml_list "ca_pin" "${CA_PIN_HASHES}" " ")
cat << EOF > ${TELEPORT_CONFIG_PATH}
version: v3
teleport:
nodename: ${NODENAME}
auth_token: ${JOIN_TOKEN}
${CA_PINS_CONFIG}
auth_servers:
- ${TARGET_HOSTNAME}:${TARGET_PORT}
proxy_server: ${TARGET_HOSTNAME}:${TARGET_PORT}
log:
output: stderr
severity: INFO
@ -444,7 +444,7 @@ install_teleport_node_config() {
--token ${JOIN_TOKEN} \
${JOIN_METHOD_FLAG} \
--ca-pin ${CA_PINS} \
--auth-server ${TARGET_HOSTNAME}:${TARGET_PORT} \
--proxy ${TARGET_HOSTNAME}:${TARGET_PORT} \
"${LABELS_FLAG[@]}" \
--output ${TELEPORT_CONFIG_PATH}
}


@ -73,11 +73,15 @@ func createAuthClientConfig(opts Options) (*authclient.Config, error) {
return nil, trace.Wrap(err)
}
cfg.AuthServers, err = utils.ParseAddrs([]string{opts.Addr})
authServers, err := utils.ParseAddrs([]string{opts.Addr})
if err != nil {
return nil, trace.Wrap(err)
}
if err := cfg.SetAuthServerAddresses(authServers); err != nil {
return nil, trace.Wrap(err)
}
// read the host UUID only in case the identity was not provided,
// because it will be used for reading local auth server identity
cfg.HostUUID, err = utils.ReadHostUUID(cfg.DataDir)
@ -99,7 +103,7 @@ func createAuthClientConfig(opts Options) (*authclient.Config, error) {
if err != nil {
return nil, trace.Wrap(err)
}
authConfig.AuthServers = cfg.AuthServers
authConfig.AuthServers = cfg.AuthServerAddresses()
authConfig.Log = cfg.Log
return authConfig, nil


@ -191,7 +191,7 @@ func TryRun(commands []CLICommand, args []string) error {
}
utils.Consolef(os.Stderr, log.WithField(trace.Component, teleport.ComponentClient), teleport.ComponentClient,
"Cannot connect to the auth server: %v.\nIs the auth server running on %q?",
err, cfg.AuthServers[0].Addr)
err, cfg.AuthServerAddresses()[0].Addr)
return trace.NewAggregate(&toolcommon.ExitCodeError{Code: 1}, err)
}
@ -223,6 +223,10 @@ func ApplyConfig(ccf *GlobalCLIFlags, cfg *service.Config) (*authclient.Config,
}
cfg.Log = log.StandardLogger()
if cfg.Version == "" {
cfg.Version = defaults.TeleportConfigVersionV1
}
// If the config file path provided is not a blank string, load the file and apply its values
var fileConf *config.FileConfig
var err error
@ -248,12 +252,14 @@ func ApplyConfig(ccf *GlobalCLIFlags, cfg *service.Config) (*authclient.Config,
// --auth-server flag(-s)
if len(ccf.AuthServerAddr) != 0 {
addrs, err := utils.ParseAddrs(ccf.AuthServerAddr)
authServers, err := utils.ParseAddrs(ccf.AuthServerAddr)
if err != nil {
return nil, trace.Wrap(err)
}
// Overwrite any existing configuration with flag values.
cfg.AuthServers = addrs
if err := cfg.SetAuthServerAddresses(authServers); err != nil {
return nil, trace.Wrap(err)
}
}
// Config file should take precedence, if available.
@ -272,12 +278,17 @@ func ApplyConfig(ccf *GlobalCLIFlags, cfg *service.Config) (*authclient.Config,
// If auth server is not provided on the command line or in file
// configuration, use the default.
if len(cfg.AuthServers) == 0 {
cfg.AuthServers, err = utils.ParseAddrs([]string{defaults.AuthConnectAddr().Addr})
if len(cfg.AuthServerAddresses()) == 0 {
authServers, err := utils.ParseAddrs([]string{defaults.AuthConnectAddr().Addr})
if err != nil {
return nil, trace.Wrap(err)
}
if err := cfg.SetAuthServerAddresses(authServers); err != nil {
return nil, trace.Wrap(err)
}
}
authConfig := new(authclient.Config)
// --identity flag
if ccf.IdentityFilePath != "" {
@ -330,7 +341,7 @@ func ApplyConfig(ccf *GlobalCLIFlags, cfg *service.Config) (*authclient.Config,
}
}
authConfig.TLS.InsecureSkipVerify = ccf.Insecure
authConfig.AuthServers = cfg.AuthServers
authConfig.AuthServers = cfg.AuthServerAddresses()
authConfig.Log = cfg.Log
return authConfig, nil
@ -421,9 +432,9 @@ func LoadConfigFromProfile(ccf *GlobalCLIFlags, cfg *service.Config) (*authclien
return nil, trace.Wrap(err)
}
log.Debugf("Setting auth server to web proxy %v.", webProxyAddr)
cfg.AuthServers = []utils.NetAddr{*webProxyAddr}
cfg.SetAuthServerAddress(*webProxyAddr)
}
authConfig.AuthServers = cfg.AuthServers
authConfig.AuthServers = cfg.AuthServerAddresses()
authConfig.Log = cfg.Log
return authConfig, nil
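Review bot: ApplyConfig's fallback `if len(cfg.AuthServerAddresses()) == 0` defaults to `defaults.AuthConnectAddr()` without consulting `cfg.ProxyServer`, so as far as this diff shows a v3 file that sets only proxy_server makes tctl silently dial the local auth address instead of the configured proxy or failing with a clear message. Consider checking `!cfg.ProxyServer.IsEmpty()` there and either using that address or returning a BadParameter stating that tctl needs an auth_server. Defaulting `cfg.Version` to v1 before the file is loaded is only right if the file loader overrides it; a one-line comment saying so would help the next reader. ApplyConfig's body spans several hunks here.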


@ -232,7 +232,7 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
dbConfigureCreate := dbConfigure.Command("create", "Creates a sample Database Service configuration.")
dbConfigureCreate.Flag("proxy", fmt.Sprintf("Teleport proxy address to connect to [%s].", defaults.ProxyWebListenAddr().Addr)).
Default(defaults.ProxyWebListenAddr().Addr).
StringsVar(&dbConfigCreateFlags.AuthServersAddr)
StringVar(&dbConfigCreateFlags.ProxyServer)
dbConfigureCreate.Flag("token", "Invitation token to register with an auth server [none].").Default("/tmp/token").StringVar(&dbConfigCreateFlags.AuthToken)
dbConfigureCreate.Flag("rds-discovery", "List of AWS regions in which the agent will discover RDS/Aurora instances.").StringsVar(&dbConfigCreateFlags.RDSDiscoveryRegions)
dbConfigureCreate.Flag("redshift-discovery", "List of AWS regions in which the agent will discover Redshift instances.").StringsVar(&dbConfigCreateFlags.RedshiftDiscoveryRegions)
@ -320,7 +320,7 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
dump.Flag("acme-email",
"Email to receive updates from Letsencrypt.org.").StringVar(&dumpFlags.ACMEEmail)
dump.Flag("test", "Path to a configuration file to test.").ExistingFileVar(&dumpFlags.testConfigFile)
dump.Flag("version", "Teleport configuration version.").Default(defaults.TeleportConfigVersionV2).StringVar(&dumpFlags.Version)
dump.Flag("version", "Teleport configuration version.").Default(defaults.TeleportConfigVersionV3).StringVar(&dumpFlags.Version)
dump.Flag("public-addr", "The hostport that the proxy advertises for the HTTP endpoint.").StringVar(&dumpFlags.PublicAddr)
dump.Flag("cert-file", "Path to a TLS certificate file for the proxy.").ExistingFileVar(&dumpFlags.CertFile)
dump.Flag("key-file", "Path to a TLS key file for the proxy.").ExistingFileVar(&dumpFlags.KeyFile)
@ -328,6 +328,7 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
dump.Flag("token", "Invitation token to register with an auth server.").StringVar(&dumpFlags.AuthToken)
dump.Flag("roles", "Comma-separated list of roles to create config with.").StringVar(&dumpFlags.Roles)
dump.Flag("auth-server", "Address of the auth server.").StringVar(&dumpFlags.AuthServer)
dump.Flag("proxy", "Address of the proxy.").StringVar(&dumpFlags.ProxyAddress)
dump.Flag("app-name", "Name of the application to start when using app role.").StringVar(&dumpFlags.AppName)
dump.Flag("app-uri", "Internal address of the application to proxy.").StringVar(&dumpFlags.AppURI)
dump.Flag("node-labels", "Comma-separated list of labels to add to newly created nodes, for example env=staging,cloud=aws.").StringVar(&dumpFlags.NodeLabels)
@ -339,11 +340,12 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
dumpNodeConfigure.Flag("output",
"Write to stdout with -o=stdout, default config file with -o=file or custom path with -o=file:///path").Short('o').Default(
teleport.SchemeStdout).StringVar(&dumpFlags.output)
dumpNodeConfigure.Flag("version", "Teleport configuration version.").Default(defaults.TeleportConfigVersionV2).StringVar(&dumpFlags.Version)
dumpNodeConfigure.Flag("version", "Teleport configuration version.").Default(defaults.TeleportConfigVersionV3).StringVar(&dumpFlags.Version)
dumpNodeConfigure.Flag("public-addr", "The hostport that the node advertises for the SSH endpoint.").StringVar(&dumpFlags.PublicAddr)
dumpNodeConfigure.Flag("data-dir", "Path to a directory where Teleport keep its data.").Default(defaults.DataDir).StringVar(&dumpFlags.DataDir)
dumpNodeConfigure.Flag("token", "Invitation token to register with an auth server.").StringVar(&dumpFlags.AuthToken)
dumpNodeConfigure.Flag("auth-server", "Address of the auth server.").StringVar(&dumpFlags.AuthServer)
dumpNodeConfigure.Flag("proxy", "Address of the proxy server.").StringVar(&dumpFlags.ProxyAddress)
dumpNodeConfigure.Flag("labels", "Comma-separated list of labels to add to newly created nodes ex) env=staging,cloud=aws.").StringVar(&dumpFlags.NodeLabels)
dumpNodeConfigure.Flag("ca-pin", "Comma-separated list of SKPI hashes for the CA used to verify the auth server.").StringVar(&dumpFlags.CAPin)
dumpNodeConfigure.Flag("join-method", "Method to use to join the cluster (token, iam, ec2)").Default("token").EnumVar(&dumpFlags.JoinMethod, "token", "iam", "ec2")
@ -489,16 +491,12 @@ func normalizeOutput(output string) string {
}
func checkConfigurationFileVersion(version string) error {
supportedVersions := []string{defaults.TeleportConfigVersionV1, defaults.TeleportConfigVersionV2}
switch version {
case defaults.TeleportConfigVersionV1, defaults.TeleportConfigVersionV2, "":
default:
return trace.BadParameter(
"unsupported Teleport configuration version %q, supported are: %s",
version, strings.Join(supportedVersions, ","))
// allow an empty version as we default to v1
if version == "" {
return nil
}
return nil
return defaults.ValidateConfigVersion(version)
}
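Review bot: The two new `--proxy` flags describe the same option with different help text — "Address of the proxy." on `dump` and "Address of the proxy server." on `dumpNodeConfigure` — and neither string says how the flag relates to the `--auth-server` flag declared on the line directly above it. If the v3 configuration treats the two addresses as alternatives, as the commit title suggests, the help text is where an operator will look, so I would use one wording on both commands, e.g. `dump.Flag("proxy", "Address of the proxy server; use instead of --auth-server when the agent joins through a proxy.").StringVar(&dumpFlags.ProxyAddress)`. Presumably onConfigDump rejects the case where both flags are set, but that handler is outside this hunk, as is the start of the enclosing Run function. Separately, the comment in checkConfigurationFileVersion says an empty version defaults to v1 while both `--version` flags now default to defaults.TeleportConfigVersionV3, which reads as a contradiction at first glance; `// allow an empty version: a config file without one is read as v1, the --version default above only affects generated files` would make the distinction explicit.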
// onConfigDump is the handler for "configure" CLI command


@ -206,11 +206,11 @@ func TestDumpConfigFile(t *testing.T) {
}
const configData = `
version: v3
teleport:
advertise_ip: 10.5.5.5
nodename: hvostongo.example.org
auth_servers:
- auth.server.example.org:3024
auth_server: auth.server.example.org:3024
auth_token: xxxyyy
log:
output: stderr


@ -146,7 +146,7 @@ func makeTestApplicationServer(t *testing.T, auth *service.TeleportProcess, prox
proxyAddr, err := proxy.ProxyWebAddr()
require.NoError(t, err)
cfg.AuthServers = []utils.NetAddr{*proxyAddr}
cfg.SetAuthServerAddress(*proxyAddr)
token, err := proxy.Config.Token()
require.NoError(t, err)


@ -370,7 +370,7 @@ func makeTestDatabaseServer(t *testing.T, auth *service.TeleportProcess, proxy *
proxyAddr, err := proxy.ProxyWebAddr()
require.NoError(t, err)
cfg.AuthServers = []utils.NetAddr{*proxyAddr}
cfg.SetAuthServerAddress(*proxyAddr)
token, err := proxy.Config.Token()
require.NoError(t, err)


@ -233,9 +233,9 @@ func TestSetAuthServerFlagWhileLoggedIn(t *testing.T) {
_, err = common.ApplyConfig(ccf, cfg)
require.NoError(t, err)
require.NotEmpty(t, cfg.AuthServers, "auth servers should be set to a non-empty default if not specified")
require.NotEmpty(t, cfg.AuthServerAddresses(), "auth servers should be set to a non-empty default if not specified")
require.ElementsMatch(t, tt.want, cfg.AuthServers)
require.ElementsMatch(t, tt.want, cfg.AuthServerAddresses())
})
}
}


@ -2280,7 +2280,7 @@ func makeTestSSHNode(t *testing.T, authAddr *utils.NetAddr, opts ...testServerOp
cfg.Hostname = "node"
cfg.DataDir = t.TempDir()
cfg.AuthServers = []utils.NetAddr{*authAddr}
cfg.SetAuthServerAddress(*authAddr)
cfg.SetToken(staticToken)
cfg.Auth.Enabled = false
cfg.Proxy.Enabled = false
@ -2326,7 +2326,7 @@ func makeTestServers(t *testing.T, opts ...testServerOptFunc) (auth *service.Tel
cfg.Hostname = "localhost"
cfg.DataDir = t.TempDir()
cfg.AuthServers = []utils.NetAddr{{AddrNetwork: "tcp", Addr: net.JoinHostPort("127.0.0.1", ports.Pop())}}
cfg.SetAuthServerAddress(utils.NetAddr{AddrNetwork: "tcp", Addr: net.JoinHostPort("127.0.0.1", ports.Pop())})
cfg.Auth.Resources = options.bootstrap
cfg.Auth.StorageConfig.Params = backend.Params{defaults.BackendPath: filepath.Join(cfg.DataDir, defaults.BackendDir)}
cfg.Auth.StaticTokens, err = types.NewStaticTokens(types.StaticTokensSpecV2{
@ -2371,7 +2371,7 @@ func makeTestServers(t *testing.T, opts ...testServerOptFunc) (auth *service.Tel
cfg.Hostname = "localhost"
cfg.DataDir = t.TempDir()
cfg.AuthServers = []utils.NetAddr{*authAddr}
cfg.SetAuthServerAddress(*authAddr)
cfg.SetToken(staticToken)
cfg.SSH.Enabled = false
cfg.Auth.Enabled = false


@ -1,8 +1,9 @@
# Node for cluster-B
version: v3
teleport:
nodename: bear
auth_token: hello
auth_servers: ["b-auth:5025"]
auth_server: b-auth:5025
log:
output: stderr
severity: INFO