author | V3n3RiX <venerix@redcorelinux.org> | 2019-06-22 11:30:24 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2019-06-22 11:30:24 +0100 |
commit | d56d144655e3785864da43c9acb6c228ef9360ae (patch) | |
tree | b769b599a558483f82e9a057c41f1edd29626dd1 /sys-cluster/teleport/files | |
parent | fab849d1daed0ba7f2ac497d07985c3dbb692543 (diff) |
gentoo resync : 22.06.2019
Diffstat (limited to 'sys-cluster/teleport/files')
-rw-r--r-- | sys-cluster/teleport/files/teleport-2.yaml | 130 | ||||
-rw-r--r-- | sys-cluster/teleport/files/teleport.yaml | 123 |
2 files changed, 67 insertions, 186 deletions
diff --git a/sys-cluster/teleport/files/teleport-2.yaml b/sys-cluster/teleport/files/teleport-2.yaml
deleted file mode 100644
index 384dea937c97..000000000000
--- a/sys-cluster/teleport/files/teleport-2.yaml
+++ /dev/null
@@ -1,130 +0,0 @@ -# By default, this file should be stored in /etc/teleport.yaml -## IMPORTANT ## -#When editing YAML configuration, please pay attention to how your editor handles white space. YAML requires consistent handling of tab characters -# This section of the configuration file applies to all teleport -# services. -teleport: - # nodename allows to assign an alternative name this node can be reached by. - # by default it's equal to hostname - # nodename: graviton - - # Data directory where Teleport keeps its data, like keys/users for - # authentication (if using the default BoltDB back-end) - data_dir: /var/lib/teleport - - # one-time invitation token used to join a cluster. it is not used on - # subsequent starts - auth_token: xxxx-token-xxxx - - # when running in multi-homed or NATed environments Teleport nodes need - # to know which IP it will be reachable at by other nodes - # public_addr: 10.1.0.5 - - # list of auth servers in a cluster. you will have more than one auth server - # if you configure teleport auth to run in HA configuration - auth_servers: - - localhost:3025 - - # Teleport throttles all connections to avoid abuse. These settings allow - # you to adjust the default limits - connection_limits: - max_connections: 1000 - max_users: 250 - - # Logging configuration. Possible output values are 'stdout', 'stderr' and - # 'syslog'. Possible severity values are INFO, WARN and ERROR (default). - log: - output: stderr - severity: ERROR - - # Type of storage used for keys. You need to configure this to use etcd - # backend if you want to run Teleport in HA configuration. - storage: - type: bolt - -# This section configures the 'auth service': -auth_service: - enabled: yes - - # defines the types and second factors the auth server supports - authentication: - # second_factor can be off, otp, or u2f - second_factor: otp - - # this section is only used if using u2f - u2f: - # app_id should point to the Web UI. 
- app_id: https://localhost:3080 - - # facets should list all proxy servers. - facets: - - https://localhost - - https://localhost:3080 - - # IP and the port to bind to. Other Teleport nodes will be connecting to - # this port (AKA "Auth API" or "Cluster API") to validate client - # certificates - listen_addr: 0.0.0.0:3025 - - # Pre-defined tokens for adding new nodes to a cluster. Each token specifies - # the role a new node will be allowed to assume. The more secure way to - # add nodes is to use `ttl node add --ttl` command to generate auto-expiring - # tokens. - # - # We recommend to use tools like `pwgen` to generate sufficiently random - # tokens of 32+ byte length. - tokens: - - "proxy,node:xxxxx" - - "auth:yyyy" - - # Optional "cluster name" is needed when configuring trust between multiple - # auth servers. A cluster name is used as part of a signature in certificates - # generated by this CA. - # - # By default an automatically generated GUID is used. - # - # IMPORTANT: if you change cluster_name, it will invalidate all generated - # certificates and keys (may need to wipe out /var/lib/teleport directory) - cluster_name: "main" - -# This section configures the 'node service': -ssh_service: - enabled: yes - # IP and the port for SSH service to bind to. - listen_addr: 0.0.0.0:3022 - # See explanation of labels in "Labeling Nodes" section below - labels: - role: master - type: postgres - # List (YAML array) of commands to periodically execute and use - # their output as labels. - # See explanation of how this works in "Labeling Nodes" section below - commands: - - name: hostname - command: [/usr/bin/hostname] - period: 1m0s - - name: arch - command: [/usr/bin/uname, -p] - period: 1h0m0s - -# This section configures the 'proxy servie' -proxy_service: - enabled: yes - # SSH forwarding/proxy address. Command line (CLI) clients always begin their - # SSH sessions by connecting to this port - listen_addr: 0.0.0.0:3023 - - # Reverse tunnel listening address. 
An auth server (CA) can establish an - # outbound (from behind the firewall) connection to this address. - # This will allow users of the outside CA to connect to behind-the-firewall - # nodes. - tunnel_listen_addr: 0.0.0.0:3024 - - # The HTTPS listen address to serve the Web UI and also to authenticate the - # command line (CLI) users via password+HOTP - web_listen_addr: 0.0.0.0:3080 - - # TLS certificate for the HTTPS connection. Configuring these properly is - # critical for Teleport security. - https_key_file: /etc/teleport/teleport.key - https_cert_file: /etc/teleport/teleport.crt
diff --git a/sys-cluster/teleport/files/teleport.yaml b/sys-cluster/teleport/files/teleport.yaml
index 0ab548c1a46b..c6b012590f2e 100644
--- a/sys-cluster/teleport/files/teleport.yaml
+++ b/sys-cluster/teleport/files/teleport.yaml
@@ -7,7 +7,7 @@ teleport:
 # by default it's equal to hostname # nodename: graviton - # Data directory where Teleport daemon keeps its data. + # Data directory where Teleport daemon keeps its data. # See "Filesystem Layout" section above for more details. data_dir: /var/lib/teleport
@@ -17,7 +17,7 @@ teleport:
 # When running in multi-homed or NATed environments Teleport nodes need # to know which IP it will be reachable at by other nodes - # + # # This value can be specified as FQDN e.g. host.example.com # advertise_ip: 10.1.0.5
@@ -38,8 +38,10 @@ teleport:
 output: stderr severity: ERROR - # Type of storage used for keys. You need to configure this to use etcd or - # a DynamoDB backend if you want to run Teleport in HA configuration. + # Configuration for the storage back-end used for the cluster state and the + # audit log. Several back-end types are supported. See "High Availability" + # section of this Admin Manual below to learn how to configure DynamoDB, + # S3, etcd and other highly available back-ends. storage: # By default teleport uses the `data_dir` directory on a local filesystem type: dir
@@ -54,50 +56,38 @@ teleport: # Cipher algorithms that the server supports. This section only needs to be # set if you want to override the defaults. - ciphers: - - aes128-ctr - - aes192-ctr - - aes256-ctr - - aes128-gcm@openssh.com + # ciphers: + # - aes128-ctr + # - aes192-ctr + # - aes256-ctr + # - aes128-gcm@openssh.com + # - chacha20-poly1305@openssh.com # Key exchange algorithms that the server supports. This section only needs # to be set if you want to override the defaults. - kex_algos: - - curve25519-sha256@libssh.org - - ecdh-sha2-nistp256 - - ecdh-sha2-nistp384 - - ecdh-sha2-nistp521 - - diffie-hellman-group14-sha1 - - diffie-hellman-group1-sha1 + # kex_algos: + # - curve25519-sha256@libssh.org + # - ecdh-sha2-nistp256 + # - ecdh-sha2-nistp384 + # - ecdh-sha2-nistp521 # Message authentication code (MAC) algorithms that the server supports. # This section only needs to be set if you want to override the defaults. - mac_algos: - - hmac-sha2-256-etm@openssh.com - - hmac-sha2-256 - - hmac-sha1 - - hmac-sha1-96 + # mac_algos: + # - hmac-sha2-256-etm@openssh.com + # - hmac-sha2-256 - # List of the supported ciphersuites. If this section is not specified, + # List of the supported ciphersuites. If this section is not specified, # only the default ciphersuites are enabled. 
- ciphersuites: - - tls-rsa-with-aes-128-cbc-sha # default - - tls-rsa-with-aes-256-cbc-sha # default - - tls-rsa-with-aes-128-cbc-sha256 - - tls-rsa-with-aes-128-gcm-sha256 - - tls-rsa-with-aes-256-gcm-sha384 - - tls-ecdhe-ecdsa-with-aes-128-cbc-sha - - tls-ecdhe-ecdsa-with-aes-256-cbc-sha - - tls-ecdhe-rsa-with-aes-128-cbc-sha - - tls-ecdhe-rsa-with-aes-256-cbc-sha - - tls-ecdhe-ecdsa-with-aes-128-cbc-sha256 - - tls-ecdhe-rsa-with-aes-128-cbc-sha256 - - tls-ecdhe-rsa-with-aes-128-gcm-sha256 - - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 - - tls-ecdhe-rsa-with-aes-256-gcm-sha384 - - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 - - tls-ecdhe-rsa-with-chacha20-poly1305 - - tls-ecdhe-ecdsa-with-chacha20-poly1305 + # ciphersuites: + # - tls-rsa-with-aes-128-gcm-sha256 + # - tls-rsa-with-aes-256-gcm-sha384 + # - tls-ecdhe-rsa-with-aes-128-gcm-sha256 + # - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 + # - tls-ecdhe-rsa-with-aes-256-gcm-sha384 + # - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 + # - tls-ecdhe-rsa-with-chacha20-poly1305 + # - tls-ecdhe-ecdsa-with-chacha20-poly1305 # This section configures the 'auth service':
@@ -106,10 +96,10 @@ auth_service:
 enabled: yes # A cluster name is used as part of a signature in certificates - # generated by this CA. + # generated by this CA. # - # We strongly recommend to explicitly set it to something meaningful as it - # becomes important when configuring trust between multiple clusters. + # We strongly recommend to explicitly set it to something meaningful as it + # becomes important when configuring trust between multiple clusters. # # By default an automatically generated name is used (not recommended) #
@@ -138,7 +128,7 @@ auth_service:
 # certificates listen_addr: 0.0.0.0:3025 - # The optional DNS name the auth server if locataed behind a load balancer. + # The optional DNS name the auth server if located behind a load balancer. # (see public_addr section below) # public_addr: auth.example.com:3025
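Review bot: The commented-out `ciphersuites` template at the end of this hunk still leads with `tls-rsa-with-aes-128-gcm-sha256` and `tls-rsa-with-aes-256-gcm-sha384`, which use static RSA key exchange and therefore provide no forward secrecy, while the `kex_algos` and `mac_algos` examples in the same hunk already drop their SHA-1 entries. Since the list now serves as the example an operator copies when overriding the defaults, either drop those two lines or add `# (tls-rsa-* suites lack forward secrecy; prefer the ECDHE suites below)` above them. Because every algorithm override here is now commented out, the effective set is whatever the installed Teleport release ships, which the file no longer states; a line such as `# Defaults depend on the installed Teleport version; see its Admin Manual.` would make that explicit. This hunk starts on the preceding page line.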
@@ -163,7 +153,7 @@ auth_service:
 # Only applicable if session_recording=proxy, see "recording proxy mode" for details. proxy_checks_host_keys: yes - # Determines if SSH sessions to cluster nodes are forcefully terminated + # Determines if SSH sessions to cluster nodes are forcefully terminated # after no activity from a client (idle client). # Examples: "30m", "1h" or "1h30m" client_idle_timeout: never
@@ -172,10 +162,6 @@ auth_service:
 # certificates expire in the middle of an active SSH session. (default is 'no') disconnect_expired_cert: no - # If the auth service is deployed outside Kubernetes, but Kubernetes integration - # is required, you have to specify a valid kubeconfig credentials: - # kubeconfig_file: /path/to/kubeconfig - # This section configures the 'node service': ssh_service: # Turns 'ssh' role on. Default is 'yes'
@@ -194,10 +180,11 @@ ssh_service:
 role: master # List of the commands to periodically execute. Their output will be used as node labels. - # See "Labeling Nodes" section below for more information. + # See "Labeling Nodes" section below for more information and more examples. commands: - - name: arch # this command will add a label like 'arch=x86_64' to a node - command: [uname, -p] + # this command will add a label 'arch=x86_64' to a node + - name: arch + command: ['/bin/uname', '-p'] period: 1h0m0s # enables reading ~/.tsh/environment before creating a session. by default
@@ -209,7 +196,7 @@ ssh_service:
 enabled: no service_name: teleport -# This section configures the 'proxy servie' +# This section configures the 'proxy service' proxy_service: # Turns 'proxy' role on. Default is 'yes' enabled: yes
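Review bot: In the `@@ -194,10 +180,11 @@` hunk the new comment promises a label `arch=x86_64`, but `/bin/uname -p` prints the processor type, which GNU coreutils on Linux commonly reports as `unknown`; the machine hardware name that yields `x86_64` comes from `-m`. Either change the line to `command: ['/bin/uname', '-m']` or reword the comment so it does not promise a value the command may not produce. The move to an absolute path on the same line is a sound defensive change for a command the node service executes periodically, since it no longer depends on the daemon's PATH lookup.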
@@ -228,13 +215,37 @@ proxy_service: # command line (CLI) users via password+HOTP web_listen_addr: 0.0.0.0:3080 - # The DNS name the proxy server is accessible by cluster users. Defaults to - # the proxy's hostname if not specified. If running multiple proxies behind - # a load balancer, this name must point to the load balancer + # The DNS name the proxy HTTPS endpoint as accessible by cluster users. + # Defaults to the proxy's hostname if not specified. If running multiple + # proxies behind a load balancer, this name must point to the load balancer # (see public_addr section below) # public_addr: proxy.example.com:3080 + + # The DNS name of the proxy SSH endpoint as accessible by cluster clients. + # Defaults to the proxy's hostname if not specified. If running multiple proxies + # behind a load balancer, this name must point to the load balancer. + # Use a TCP load balancer because this port uses SSH protocol. + # ssh_public_addr: proxy.example.com:3023 # TLS certificate for the HTTPS connection. Configuring these properly is # critical for Teleport security. https_key_file: /var/lib/teleport/webproxy_key.pem https_cert_file: /var/lib/teleport/webproxy_cert.pem + + # This section configures the Kubernetes proxy service + kubernetes: + # Turns 'kubernetes' proxy on. Default is 'no' + enabled: no + + # Kubernetes proxy listen address. + listen_addr: 0.0.0.0:3026 + + # The DNS name of the Kubernetes proxy server that is accessible by cluster clients. + # If running multiple proxies behind a load balancer, this name must point to the + # load balancer. + # public_addr: ['kube.example.com:3026'] + + # This setting is not required if the Teleport proxy service is + # deployed inside a Kubernetes cluster. Otherwise, Teleport proxy + # will use the credentials from this file: + # kubeconfig_file: /path/to/kube/config |
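Review bot: The `kubeconfig_file` comment at the end of this hunk says the proxy will use the credentials in that file but gives no guidance on protecting it; a kubeconfig is a bearer credential for the cluster, so add `# Keep this file readable only by the user running teleport (e.g. mode 0600).` above `# kubeconfig_file: /path/to/kube/config`. The new `listen_addr: 0.0.0.0:3026` is an active setting although the section has `enabled: no`; that mirrors the other listeners in this file, but if the Kubernetes block is meant as an example, commenting the address out like the `ssh_public_addr` line above it would prompt a reader to choose the bind interface deliberately when they flip `enabled`.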