authorV3n3RiX <venerix@redcorelinux.org>2019-06-22 11:30:24 +0100
committerV3n3RiX <venerix@redcorelinux.org>2019-06-22 11:30:24 +0100
commitd56d144655e3785864da43c9acb6c228ef9360ae (patch)
treeb769b599a558483f82e9a057c41f1edd29626dd1 /sys-cluster/teleport/files
parentfab849d1daed0ba7f2ac497d07985c3dbb692543 (diff)
gentoo resync : 22.06.2019
Diffstat (limited to 'sys-cluster/teleport/files')
-rw-r--r--sys-cluster/teleport/files/teleport-2.yaml130
-rw-r--r--sys-cluster/teleport/files/teleport.yaml123
2 files changed, 67 insertions, 186 deletions
diff --git a/sys-cluster/teleport/files/teleport-2.yaml b/sys-cluster/teleport/files/teleport-2.yaml
deleted file mode 100644
index 384dea937c97..000000000000
--- a/sys-cluster/teleport/files/teleport-2.yaml
+++ /dev/null
@@ -1,130 +0,0 @@
-# By default, this file should be stored in /etc/teleport.yaml
-## IMPORTANT ##
-#When editing YAML configuration, please pay attention to how your editor handles white space. YAML requires consistent handling of tab characters
-# This section of the configuration file applies to all teleport
-# services.
-teleport:
- # nodename allows to assign an alternative name this node can be reached by.
- # by default it's equal to hostname
- # nodename: graviton
-
- # Data directory where Teleport keeps its data, like keys/users for
- # authentication (if using the default BoltDB back-end)
- data_dir: /var/lib/teleport
-
- # one-time invitation token used to join a cluster. it is not used on
- # subsequent starts
- auth_token: xxxx-token-xxxx
-
- # when running in multi-homed or NATed environments Teleport nodes need
- # to know which IP it will be reachable at by other nodes
- # public_addr: 10.1.0.5
-
- # list of auth servers in a cluster. you will have more than one auth server
- # if you configure teleport auth to run in HA configuration
- auth_servers:
- - localhost:3025
-
- # Teleport throttles all connections to avoid abuse. These settings allow
- # you to adjust the default limits
- connection_limits:
- max_connections: 1000
- max_users: 250
-
- # Logging configuration. Possible output values are 'stdout', 'stderr' and
- # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
- log:
- output: stderr
- severity: ERROR
-
- # Type of storage used for keys. You need to configure this to use etcd
- # backend if you want to run Teleport in HA configuration.
- storage:
- type: bolt
-
-# This section configures the 'auth service':
-auth_service:
- enabled: yes
-
- # defines the types and second factors the auth server supports
- authentication:
- # second_factor can be off, otp, or u2f
- second_factor: otp
-
- # this section is only used if using u2f
- u2f:
- # app_id should point to the Web UI.
- app_id: https://localhost:3080
-
- # facets should list all proxy servers.
- facets:
- - https://localhost
- - https://localhost:3080
-
- # IP and the port to bind to. Other Teleport nodes will be connecting to
- # this port (AKA "Auth API" or "Cluster API") to validate client
- # certificates
- listen_addr: 0.0.0.0:3025
-
- # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
- # the role a new node will be allowed to assume. The more secure way to
- # add nodes is to use `ttl node add --ttl` command to generate auto-expiring
- # tokens.
- #
- # We recommend to use tools like `pwgen` to generate sufficiently random
- # tokens of 32+ byte length.
- tokens:
- - "proxy,node:xxxxx"
- - "auth:yyyy"
-
- # Optional "cluster name" is needed when configuring trust between multiple
- # auth servers. A cluster name is used as part of a signature in certificates
- # generated by this CA.
- #
- # By default an automatically generated GUID is used.
- #
- # IMPORTANT: if you change cluster_name, it will invalidate all generated
- # certificates and keys (may need to wipe out /var/lib/teleport directory)
- cluster_name: "main"
-
-# This section configures the 'node service':
-ssh_service:
- enabled: yes
- # IP and the port for SSH service to bind to.
- listen_addr: 0.0.0.0:3022
- # See explanation of labels in "Labeling Nodes" section below
- labels:
- role: master
- type: postgres
- # List (YAML array) of commands to periodically execute and use
- # their output as labels.
- # See explanation of how this works in "Labeling Nodes" section below
- commands:
- - name: hostname
- command: [/usr/bin/hostname]
- period: 1m0s
- - name: arch
- command: [/usr/bin/uname, -p]
- period: 1h0m0s
-
-# This section configures the 'proxy servie'
-proxy_service:
- enabled: yes
- # SSH forwarding/proxy address. Command line (CLI) clients always begin their
- # SSH sessions by connecting to this port
- listen_addr: 0.0.0.0:3023
-
- # Reverse tunnel listening address. An auth server (CA) can establish an
- # outbound (from behind the firewall) connection to this address.
- # This will allow users of the outside CA to connect to behind-the-firewall
- # nodes.
- tunnel_listen_addr: 0.0.0.0:3024
-
- # The HTTPS listen address to serve the Web UI and also to authenticate the
- # command line (CLI) users via password+HOTP
- web_listen_addr: 0.0.0.0:3080
-
- # TLS certificate for the HTTPS connection. Configuring these properly is
- # critical for Teleport security.
- https_key_file: /etc/teleport/teleport.key
- https_cert_file: /etc/teleport/teleport.crt
diff --git a/sys-cluster/teleport/files/teleport.yaml b/sys-cluster/teleport/files/teleport.yaml
index 0ab548c1a46b..c6b012590f2e 100644
--- a/sys-cluster/teleport/files/teleport.yaml
+++ b/sys-cluster/teleport/files/teleport.yaml
@@ -7,7 +7,7 @@ teleport:
# by default it's equal to hostname
# nodename: graviton
- # Data directory where Teleport daemon keeps its data.
+ # Data directory where Teleport daemon keeps its data.
# See "Filesystem Layout" section above for more details.
data_dir: /var/lib/teleport
@@ -17,7 +17,7 @@ teleport:
# When running in multi-homed or NATed environments Teleport nodes need
# to know which IP it will be reachable at by other nodes
- #
+ #
# This value can be specified as FQDN e.g. host.example.com
# advertise_ip: 10.1.0.5
@@ -38,8 +38,10 @@ teleport:
output: stderr
severity: ERROR
- # Type of storage used for keys. You need to configure this to use etcd or
- # a DynamoDB backend if you want to run Teleport in HA configuration.
+ # Configuration for the storage back-end used for the cluster state and the
+ # audit log. Several back-end types are supported. See "High Availability"
+ # section of this Admin Manual below to learn how to configure DynamoDB,
+ # S3, etcd and other highly available back-ends.
storage:
# By default teleport uses the `data_dir` directory on a local filesystem
type: dir
@@ -54,50 +56,38 @@ teleport:
# Cipher algorithms that the server supports. This section only needs to be
# set if you want to override the defaults.
- ciphers:
- - aes128-ctr
- - aes192-ctr
- - aes256-ctr
- - aes128-gcm@openssh.com
+ # ciphers:
+ # - aes128-ctr
+ # - aes192-ctr
+ # - aes256-ctr
+ # - aes128-gcm@openssh.com
+ # - chacha20-poly1305@openssh.com
# Key exchange algorithms that the server supports. This section only needs
# to be set if you want to override the defaults.
- kex_algos:
- - curve25519-sha256@libssh.org
- - ecdh-sha2-nistp256
- - ecdh-sha2-nistp384
- - ecdh-sha2-nistp521
- - diffie-hellman-group14-sha1
- - diffie-hellman-group1-sha1
+ # kex_algos:
+ # - curve25519-sha256@libssh.org
+ # - ecdh-sha2-nistp256
+ # - ecdh-sha2-nistp384
+ # - ecdh-sha2-nistp521
# Message authentication code (MAC) algorithms that the server supports.
# This section only needs to be set if you want to override the defaults.
- mac_algos:
- - hmac-sha2-256-etm@openssh.com
- - hmac-sha2-256
- - hmac-sha1
- - hmac-sha1-96
+ # mac_algos:
+ # - hmac-sha2-256-etm@openssh.com
+ # - hmac-sha2-256
- # List of the supported ciphersuites. If this section is not specified,
+ # List of the supported ciphersuites. If this section is not specified,
# only the default ciphersuites are enabled.
- ciphersuites:
- - tls-rsa-with-aes-128-cbc-sha # default
- - tls-rsa-with-aes-256-cbc-sha # default
- - tls-rsa-with-aes-128-cbc-sha256
- - tls-rsa-with-aes-128-gcm-sha256
- - tls-rsa-with-aes-256-gcm-sha384
- - tls-ecdhe-ecdsa-with-aes-128-cbc-sha
- - tls-ecdhe-ecdsa-with-aes-256-cbc-sha
- - tls-ecdhe-rsa-with-aes-128-cbc-sha
- - tls-ecdhe-rsa-with-aes-256-cbc-sha
- - tls-ecdhe-ecdsa-with-aes-128-cbc-sha256
- - tls-ecdhe-rsa-with-aes-128-cbc-sha256
- - tls-ecdhe-rsa-with-aes-128-gcm-sha256
- - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
- - tls-ecdhe-rsa-with-aes-256-gcm-sha384
- - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
- - tls-ecdhe-rsa-with-chacha20-poly1305
- - tls-ecdhe-ecdsa-with-chacha20-poly1305
+ # ciphersuites:
+ # - tls-rsa-with-aes-128-gcm-sha256
+ # - tls-rsa-with-aes-256-gcm-sha384
+ # - tls-ecdhe-rsa-with-aes-128-gcm-sha256
+ # - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
+ # - tls-ecdhe-rsa-with-aes-256-gcm-sha384
+ # - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
+ # - tls-ecdhe-rsa-with-chacha20-poly1305
+ # - tls-ecdhe-ecdsa-with-chacha20-poly1305
# This section configures the 'auth service':
@@ -106,10 +96,10 @@ auth_service:
enabled: yes
# A cluster name is used as part of a signature in certificates
- # generated by this CA.
+ # generated by this CA.
#
- # We strongly recommend to explicitly set it to something meaningful as it
- # becomes important when configuring trust between multiple clusters.
+ # We strongly recommend to explicitly set it to something meaningful as it
+ # becomes important when configuring trust between multiple clusters.
#
# By default an automatically generated name is used (not recommended)
#
@@ -138,7 +128,7 @@ auth_service:
# certificates
listen_addr: 0.0.0.0:3025
- # The optional DNS name the auth server if locataed behind a load balancer.
+ # The optional DNS name the auth server if located behind a load balancer.
# (see public_addr section below)
# public_addr: auth.example.com:3025
@@ -163,7 +153,7 @@ auth_service:
# Only applicable if session_recording=proxy, see "recording proxy mode" for details.
proxy_checks_host_keys: yes
- # Determines if SSH sessions to cluster nodes are forcefully terminated
+ # Determines if SSH sessions to cluster nodes are forcefully terminated
# after no activity from a client (idle client).
# Examples: "30m", "1h" or "1h30m"
client_idle_timeout: never
@@ -172,10 +162,6 @@ auth_service:
# certificates expire in the middle of an active SSH session. (default is 'no')
disconnect_expired_cert: no
- # If the auth service is deployed outside Kubernetes, but Kubernetes integration
- # is required, you have to specify a valid kubeconfig credentials:
- # kubeconfig_file: /path/to/kubeconfig
-
# This section configures the 'node service':
ssh_service:
# Turns 'ssh' role on. Default is 'yes'
@@ -194,10 +180,11 @@ ssh_service:
role: master
# List of the commands to periodically execute. Their output will be used as node labels.
- # See "Labeling Nodes" section below for more information.
+ # See "Labeling Nodes" section below for more information and more examples.
commands:
- - name: arch # this command will add a label like 'arch=x86_64' to a node
- command: [uname, -p]
+ # this command will add a label 'arch=x86_64' to a node
+ - name: arch
+ command: ['/bin/uname', '-p']
period: 1h0m0s
# enables reading ~/.tsh/environment before creating a session. by default
@@ -209,7 +196,7 @@ ssh_service:
enabled: no
service_name: teleport
-# This section configures the 'proxy servie'
+# This section configures the 'proxy service'
proxy_service:
# Turns 'proxy' role on. Default is 'yes'
enabled: yes
@@ -228,13 +215,37 @@ proxy_service:
# command line (CLI) users via password+HOTP
web_listen_addr: 0.0.0.0:3080
- # The DNS name the proxy server is accessible by cluster users. Defaults to
- # the proxy's hostname if not specified. If running multiple proxies behind
- # a load balancer, this name must point to the load balancer
+ # The DNS name the proxy HTTPS endpoint as accessible by cluster users.
+ # Defaults to the proxy's hostname if not specified. If running multiple
+ # proxies behind a load balancer, this name must point to the load balancer
# (see public_addr section below)
# public_addr: proxy.example.com:3080
+
+ # The DNS name of the proxy SSH endpoint as accessible by cluster clients.
+ # Defaults to the proxy's hostname if not specified. If running multiple proxies
+ # behind a load balancer, this name must point to the load balancer.
+ # Use a TCP load balancer because this port uses SSH protocol.
+ # ssh_public_addr: proxy.example.com:3023
# TLS certificate for the HTTPS connection. Configuring these properly is
# critical for Teleport security.
https_key_file: /var/lib/teleport/webproxy_key.pem
https_cert_file: /var/lib/teleport/webproxy_cert.pem
+
+ # This section configures the Kubernetes proxy service
+ kubernetes:
+ # Turns 'kubernetes' proxy on. Default is 'no'
+ enabled: no
+
+ # Kubernetes proxy listen address.
+ listen_addr: 0.0.0.0:3026
+
+ # The DNS name of the Kubernetes proxy server that is accessible by cluster clients.
+ # If running multiple proxies behind a load balancer, this name must point to the
+ # load balancer.
+ # public_addr: ['kube.example.com:3026']
+
+ # This setting is not required if the Teleport proxy service is
+ # deployed inside a Kubernetes cluster. Otherwise, Teleport proxy
+ # will use the credentials from this file:
+ # kubeconfig_file: /path/to/kube/config
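Review bot: In the ciphersuites hunk (`@@ -54,50 +56,38 @@`) the new commented example still lists the static-RSA suites `# - tls-rsa-with-aes-128-gcm-sha256` and `# - tls-rsa-with-aes-256-gcm-sha384`, which use RSA key transport and so provide no forward secrecy; a user who uncomments the block to "override the defaults", as the comment above it invites, would re-enable them next to the ECDHE suites, which sits oddly with the same hunk dropping the CBC and SHA-1 entries. Consider removing those two lines so the example override contains only the `tls-ecdhe-*` entries, or add a comment line such as `# the tls-rsa-* suites have no forward secrecy; prefer the tls-ecdhe-* suites` above them. Separately, in the last hunk the new `enabled: no` under `kubernetes:` and the example `# public_addr: ['kube.example.com:3026']` use YAML 1.1 truthy and flow style; `enabled: false` and a block list would match yamllint defaults, though the rest of the file already uses `yes`/`no`, so this is style only.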