# by default it's equal to hostname
# nodename: graviton
- # Data directory where Teleport daemon keeps its data.
+ # Data directory where Teleport daemon keeps its data.
# See "Filesystem Layout" section above for more details.
data_dir: /var/lib/teleport
# When running in multi-homed or NATed environments Teleport nodes need
# to know which IP it will be reachable at by other nodes
- #
+ #
# This value can be specified as FQDN e.g. host.example.com
# advertise_ip: 10.1.0.5
output: stderr
severity: ERROR
- # Type of storage used for keys. You need to configure this to use etcd or
- # a DynamoDB backend if you want to run Teleport in HA configuration.
+ # Configuration for the storage back-end used for the cluster state and the
+ # audit log. Several back-end types are supported. See "High Availability"
+ # section of this Admin Manual below to learn how to configure DynamoDB,
+ # S3, etcd and other highly available back-ends.
storage:
# By default teleport uses the `data_dir` directory on a local filesystem
type: dir
# Cipher algorithms that the server supports. This section only needs to be
# set if you want to override the defaults.
- ciphers:
- - aes128-ctr
- - aes192-ctr
- - aes256-ctr
- - aes128-gcm@openssh.com
+ # ciphers:
+ # - aes128-ctr
+ # - aes192-ctr
+ # - aes256-ctr
+ # - aes128-gcm@openssh.com
+ # - chacha20-poly1305@openssh.com
# Key exchange algorithms that the server supports. This section only needs
# to be set if you want to override the defaults.
- kex_algos:
- - curve25519-sha256@libssh.org
- - ecdh-sha2-nistp256
- - ecdh-sha2-nistp384
- - ecdh-sha2-nistp521
- - diffie-hellman-group14-sha1
- - diffie-hellman-group1-sha1
+ # kex_algos:
+ # - curve25519-sha256@libssh.org
+ # - ecdh-sha2-nistp256
+ # - ecdh-sha2-nistp384
+ # - ecdh-sha2-nistp521
# Message authentication code (MAC) algorithms that the server supports.
# This section only needs to be set if you want to override the defaults.
- mac_algos:
- - hmac-sha2-256-etm@openssh.com
- - hmac-sha2-256
- - hmac-sha1
- - hmac-sha1-96
+ # mac_algos:
+ # - hmac-sha2-256-etm@openssh.com
+ # - hmac-sha2-256
- # List of the supported ciphersuites. If this section is not specified,
+ # List of the supported ciphersuites. If this section is not specified,
# only the default ciphersuites are enabled.
- ciphersuites:
- - tls-rsa-with-aes-128-cbc-sha # default
- - tls-rsa-with-aes-256-cbc-sha # default
- - tls-rsa-with-aes-128-cbc-sha256
- - tls-rsa-with-aes-128-gcm-sha256
- - tls-rsa-with-aes-256-gcm-sha384
- - tls-ecdhe-ecdsa-with-aes-128-cbc-sha
- - tls-ecdhe-ecdsa-with-aes-256-cbc-sha
- - tls-ecdhe-rsa-with-aes-128-cbc-sha
- - tls-ecdhe-rsa-with-aes-256-cbc-sha
- - tls-ecdhe-ecdsa-with-aes-128-cbc-sha256
- - tls-ecdhe-rsa-with-aes-128-cbc-sha256
- - tls-ecdhe-rsa-with-aes-128-gcm-sha256
- - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
- - tls-ecdhe-rsa-with-aes-256-gcm-sha384
- - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
- - tls-ecdhe-rsa-with-chacha20-poly1305
- - tls-ecdhe-ecdsa-with-chacha20-poly1305
+ # ciphersuites:
+ # - tls-rsa-with-aes-128-gcm-sha256
+ # - tls-rsa-with-aes-256-gcm-sha384
+ # - tls-ecdhe-rsa-with-aes-128-gcm-sha256
+ # - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
+ # - tls-ecdhe-rsa-with-aes-256-gcm-sha384
+ # - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
+ # - tls-ecdhe-rsa-with-chacha20-poly1305
+ # - tls-ecdhe-ecdsa-with-chacha20-poly1305
# This section configures the 'auth service':
enabled: yes
# A cluster name is used as part of a signature in certificates
- # generated by this CA.
+ # generated by this CA.
#
- # We strongly recommend to explicitly set it to something meaningful as it
- # becomes important when configuring trust between multiple clusters.
+ # We strongly recommend to explicitly set it to something meaningful as it
+ # becomes important when configuring trust between multiple clusters.
#
# By default an automatically generated name is used (not recommended)
#
# certificates
listen_addr: 0.0.0.0:3025
- # The optional DNS name the auth server if locataed behind a load balancer.
+ # The optional DNS name the auth server if located behind a load balancer.
# (see public_addr section below)
# public_addr: auth.example.com:3025
# Only applicable if session_recording=proxy, see "recording proxy mode" for details.
proxy_checks_host_keys: yes
- # Determines if SSH sessions to cluster nodes are forcefully terminated
+ # Determines if SSH sessions to cluster nodes are forcefully terminated
# after no activity from a client (idle client).
# Examples: "30m", "1h" or "1h30m"
client_idle_timeout: never
# certificates expire in the middle of an active SSH session. (default is 'no')
disconnect_expired_cert: no
- # If the auth service is deployed outside Kubernetes, but Kubernetes integration
- # is required, you have to specify a valid kubeconfig credentials:
- # kubeconfig_file: /path/to/kubeconfig
-
# This section configures the 'node service':
ssh_service:
# Turns 'ssh' role on. Default is 'yes'
role: master
# List of the commands to periodically execute. Their output will be used as node labels.
- # See "Labeling Nodes" section below for more information.
+ # See "Labeling Nodes" section below for more information and more examples.
commands:
- - name: arch # this command will add a label like 'arch=x86_64' to a node
- command: [uname, -p]
+ # this command will add a label 'arch=x86_64' to a node
+ - name: arch
+ command: ['/bin/uname', '-p']
period: 1h0m0s
# enables reading ~/.tsh/environment before creating a session. by default
enabled: no
service_name: teleport
-# This section configures the 'proxy servie'
+# This section configures the 'proxy service'
proxy_service:
# Turns 'proxy' role on. Default is 'yes'
enabled: yes
# command line (CLI) users via password+HOTP
web_listen_addr: 0.0.0.0:3080
- # The DNS name the proxy server is accessible by cluster users. Defaults to
- # the proxy's hostname if not specified. If running multiple proxies behind
- # a load balancer, this name must point to the load balancer
+ # The DNS name the proxy HTTPS endpoint as accessible by cluster users.
+ # Defaults to the proxy's hostname if not specified. If running multiple
+ # proxies behind a load balancer, this name must point to the load balancer
# (see public_addr section below)
# public_addr: proxy.example.com:3080
+
+ # The DNS name of the proxy SSH endpoint as accessible by cluster clients.
+ # Defaults to the proxy's hostname if not specified. If running multiple proxies
+ # behind a load balancer, this name must point to the load balancer.
+ # Use a TCP load balancer because this port uses SSH protocol.
+ # ssh_public_addr: proxy.example.com:3023
# TLS certificate for the HTTPS connection. Configuring these properly is
# critical for Teleport security.
https_key_file: /var/lib/teleport/webproxy_key.pem
https_cert_file: /var/lib/teleport/webproxy_cert.pem
+
+ # This section configures the Kubernetes proxy service
+ kubernetes:
+ # Turns 'kubernetes' proxy on. Default is 'no'
+ enabled: no
+
+ # Kubernetes proxy listen address.
+ listen_addr: 0.0.0.0:3026
+
+ # The DNS name of the Kubernetes proxy server that is accessible by cluster clients.
+ # If running multiple proxies behind a load balancer, this name must point to the
+ # load balancer.
+ # public_addr: ['kube.example.com:3026']
+
+ # This setting is not required if the Teleport proxy service is
+ # deployed inside a Kubernetes cluster. Otherwise, Teleport proxy
+ # will use the credentials from this file:
+ # kubeconfig_file: /path/to/kube/config
projects / gentoo.git / commitdiff