From a98d5007f46b36d5069c9f8541267c1ead647840 Mon Sep 17 00:00:00 2001
From: Graeme Lawes
Date: Wed, 19 Jun 2019 19:07:17 -0400
Subject: [PATCH] sys-cluster/teleport: add v4.0.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Update files/teleport.yaml for v3.2.*/v4.0.0 features, as v3.1.* and below have been removed

Signed-off-by: Graeme Lawes
Signed-off-by: Michał Górny
---
 sys-cluster/teleport/Manifest | 1 +
 sys-cluster/teleport/files/teleport.yaml | 123 +++++++++++----------
 sys-cluster/teleport/teleport-4.0.0.ebuild | 49 ++++++++
 3 files changed, 117 insertions(+), 56 deletions(-)
 create mode 100644 sys-cluster/teleport/teleport-4.0.0.ebuild

diff --git a/sys-cluster/teleport/Manifest b/sys-cluster/teleport/Manifest
index f444c13ff088..c2553415a1e4 100644
--- a/sys-cluster/teleport/Manifest
+++ b/sys-cluster/teleport/Manifest
@@ -2,3 +2,4 @@ DIST teleport-2.7.9.tar.gz 18221805 BLAKE2B c634f97008310c4cabf4020bc8a600de7eb9
 DIST teleport-3.1.8.tar.gz 22605752 BLAKE2B 2ddebb0b0c8c42d36d113e409ce04f194e5ed77a7d88dd3e0a5982e303b8db8e013b156693c5fcd038d9d81f2907d17fdb65f82b34bdc84379bb0c46498e53a5 SHA512 de834309f96c327b54470deec043a498da969c5f3a872777a44143fceb070bd1c9ee837f218f46dc5b82ee1b40fb869a422b8cf9c22d26618f07a069de165f6e
 DIST teleport-3.2.0.tar.gz 22613098 BLAKE2B 0ff9675a071f5fb660ad4a7b0e085b9bec01c3d0967bdd206ce29a51addae545c4b2621854cbffdc0f76d0cbc6e5ec8f39e082b80b26ba13d352b1add199c965 SHA512 a3fdb520a62361f78632ac1680f86f183a533e47696791586b3c5ff7d505eb167a881c438c6a3dd72395140c521c065c8d8e4b93b5b8c9cbf134688dd8c1f8da
 DIST teleport-3.2.6.tar.gz 22620079 BLAKE2B 07b4bcb5b53a511c25f0556fad33b461307b524554e993097f634b1751d7fd3c664de0478427efa18dc20e597fb73f3c5bd09ba961754456245e1306372ed0ee SHA512 20be34820f9b9f29c492f8dabe8914012b66ebfb9db51f3dff0e19b8a1f7b85b948cc1036861d03ca6de9e6f30ba0b43caf4760bc95c74e45a38f0cad080820c
+DIST teleport-4.0.0.tar.gz 34913323 BLAKE2B 2890d18fed82d9a2da18be6ce9c981ddc1a4ac374862d853f09001c88ed3f9092b9a006c98f6d489dcaae8a702827f98ee12e870708d6746f429f9457debbb33 SHA512 b59ee7e99808475d50e84feff160e2a3c71f04d67dc7d8caa9476251c3e1f51d057de7384f4750b60c121db630c49a8315f9903d8f7ae3e04469f4532ca7078c
diff --git a/sys-cluster/teleport/files/teleport.yaml b/sys-cluster/teleport/files/teleport.yaml
index 0ab548c1a46b..c6b012590f2e 100644
--- a/sys-cluster/teleport/files/teleport.yaml
+++ b/sys-cluster/teleport/files/teleport.yaml
@@ -7,7 +7,7 @@ teleport: # by default it's equal to hostname # nodename: graviton - # Data directory where Teleport daemon keeps its data. + # Data directory where Teleport daemon keeps its data. # See "Filesystem Layout" section above for more details. data_dir: /var/lib/teleport 
@@ -17,7 +17,7 @@ teleport: # When running in multi-homed or NATed environments Teleport nodes need # to know which IP it will be reachable at by other nodes - # + # # This value can be specified as FQDN e.g. host.example.com # advertise_ip: 10.1.0.5
@@ -38,8 +38,10 @@ teleport: output: stderr severity: ERROR - # Type of storage used for keys. You need to configure this to use etcd or - # a DynamoDB backend if you want to run Teleport in HA configuration. + # Configuration for the storage back-end used for the cluster state and the + # audit log. Several back-end types are supported. See "High Availability" + # section of this Admin Manual below to learn how to configure DynamoDB, + # S3, etcd and other highly available back-ends. storage: # By default teleport uses the `data_dir` directory on a local filesystem type: dir 
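Review bot: The rewritten storage comment in hunk `@@ -38,8 +38,10 @@` sends the reader to the "High Availability" section of "this Admin Manual below", but this file is installed on its own as a config file (`insinto /etc/${PN}` in the new ebuild), so there is no such section below it and the pointer is dangling. The untouched `# See "Filesystem Layout" section above for more details.` line in the first hunk has the same problem, which suggests the text was copied from upstream documentation rather than written for the installed file. Suggest `# section of the Teleport Admin Manual to learn how to configure DynamoDB,` so an admin knows to look at the upstream manual rather than scroll.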
@@ -54,50 +56,38 @@ teleport: # Cipher algorithms that the server supports. This section only needs to be # set if you want to override the defaults. - ciphers: - - aes128-ctr - - aes192-ctr - - aes256-ctr - - aes128-gcm@openssh.com + # ciphers: + # - aes128-ctr + # - aes192-ctr + # - aes256-ctr + # - aes128-gcm@openssh.com + # - chacha20-poly1305@openssh.com # Key exchange algorithms that the server supports. This section only needs # to be set if you want to override the defaults. - kex_algos: - - curve25519-sha256@libssh.org - - ecdh-sha2-nistp256 - - ecdh-sha2-nistp384 - - ecdh-sha2-nistp521 - - diffie-hellman-group14-sha1 - - diffie-hellman-group1-sha1 + # kex_algos: + # - curve25519-sha256@libssh.org + # - ecdh-sha2-nistp256 + # - ecdh-sha2-nistp384 + # - ecdh-sha2-nistp521 # Message authentication code (MAC) algorithms that the server supports. # This section only needs to be set if you want to override the defaults. - mac_algos: - - hmac-sha2-256-etm@openssh.com - - hmac-sha2-256 - - hmac-sha1 - - hmac-sha1-96 + # mac_algos: + # - hmac-sha2-256-etm@openssh.com + # - hmac-sha2-256 - # List of the supported ciphersuites. If this section is not specified, + # List of the supported ciphersuites. If this section is not specified, # only the default ciphersuites are enabled. 
- ciphersuites: - - tls-rsa-with-aes-128-cbc-sha # default - - tls-rsa-with-aes-256-cbc-sha # default - - tls-rsa-with-aes-128-cbc-sha256 - - tls-rsa-with-aes-128-gcm-sha256 - - tls-rsa-with-aes-256-gcm-sha384 - - tls-ecdhe-ecdsa-with-aes-128-cbc-sha - - tls-ecdhe-ecdsa-with-aes-256-cbc-sha - - tls-ecdhe-rsa-with-aes-128-cbc-sha - - tls-ecdhe-rsa-with-aes-256-cbc-sha - - tls-ecdhe-ecdsa-with-aes-128-cbc-sha256 - - tls-ecdhe-rsa-with-aes-128-cbc-sha256 - - tls-ecdhe-rsa-with-aes-128-gcm-sha256 - - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 - - tls-ecdhe-rsa-with-aes-256-gcm-sha384 - - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 - - tls-ecdhe-rsa-with-chacha20-poly1305 - - tls-ecdhe-ecdsa-with-chacha20-poly1305 + # ciphersuites: + # - tls-rsa-with-aes-128-gcm-sha256 + # - tls-rsa-with-aes-256-gcm-sha384 + # - tls-ecdhe-rsa-with-aes-128-gcm-sha256 + # - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 + # - tls-ecdhe-rsa-with-aes-256-gcm-sha384 + # - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 + # - tls-ecdhe-rsa-with-chacha20-poly1305 + # - tls-ecdhe-ecdsa-with-chacha20-poly1305 # This section configures the 'auth service':
@@ -106,10 +96,10 @@ auth_service: enabled: yes # A cluster name is used as part of a signature in certificates - # generated by this CA. + # generated by this CA. # - # We strongly recommend to explicitly set it to something meaningful as it - # becomes important when configuring trust between multiple clusters. + # We strongly recommend to explicitly set it to something meaningful as it + # becomes important when configuring trust between multiple clusters. # # By default an automatically generated name is used (not recommended) #
@@ -138,7 +128,7 @@ auth_service: # certificates listen_addr: 0.0.0.0:3025 - # The optional DNS name the auth server if locataed behind a load balancer. + # The optional DNS name the auth server if located behind a load balancer. # (see public_addr section below) # public_addr: auth.example.com:3025 
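Review bot: In hunk `@@ -54,50 +56,38 @@` the `ciphers`, `kex_algos`, `mac_algos` and `ciphersuites` lists become commented-out examples, and the pruned entries (`diffie-hellman-group1-sha1`, `hmac-sha1`, `hmac-sha1-96` and every CBC suite) vanish from the file, which is the right default to ship but leaves an admin who later uncomments a block with no hint about what uncommenting does. The surrounding text says a set list "overrides the defaults", so an uncommented list presumably pins exactly those algorithms and will not follow upstream's defaults in later releases; that consequence deserves one comment above the first list. Suggest `# Uncommenting a list below replaces the built-in defaults with exactly that list; keep it minimal and re-check it on upgrades.`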
@@ -163,7 +153,7 @@ auth_service: # Only applicable if session_recording=proxy, see "recording proxy mode" for details. proxy_checks_host_keys: yes - # Determines if SSH sessions to cluster nodes are forcefully terminated + # Determines if SSH sessions to cluster nodes are forcefully terminated # after no activity from a client (idle client). # Examples: "30m", "1h" or "1h30m" client_idle_timeout: never
@@ -172,10 +162,6 @@ auth_service: # certificates expire in the middle of an active SSH session. (default is 'no') disconnect_expired_cert: no - # If the auth service is deployed outside Kubernetes, but Kubernetes integration - # is required, you have to specify a valid kubeconfig credentials: - # kubeconfig_file: /path/to/kubeconfig - # This section configures the 'node service': ssh_service: # Turns 'ssh' role on. Default is 'yes'
@@ -194,10 +180,11 @@ ssh_service: role: master # List of the commands to periodically execute. Their output will be used as node labels. - # See "Labeling Nodes" section below for more information. + # See "Labeling Nodes" section below for more information and more examples. commands: - - name: arch # this command will add a label like 'arch=x86_64' to a node - command: [uname, -p] + # this command will add a label 'arch=x86_64' to a node + - name: arch + command: ['/bin/uname', '-p'] period: 1h0m0s # enables reading ~/.tsh/environment before creating a session. by default
@@ -209,7 +196,7 @@ ssh_service: enabled: no service_name: teleport -# This section configures the 'proxy servie' +# This section configures the 'proxy service' proxy_service: # Turns 'proxy' role on. Default is 'yes' enabled: yes 
@@ -228,13 +215,37 @@ proxy_service: # command line (CLI) users via password+HOTP web_listen_addr: 0.0.0.0:3080 - # The DNS name the proxy server is accessible by cluster users. Defaults to - # the proxy's hostname if not specified. If running multiple proxies behind - # a load balancer, this name must point to the load balancer + # The DNS name the proxy HTTPS endpoint as accessible by cluster users. + # Defaults to the proxy's hostname if not specified. If running multiple + # proxies behind a load balancer, this name must point to the load balancer # (see public_addr section below) # public_addr: proxy.example.com:3080 + + # The DNS name of the proxy SSH endpoint as accessible by cluster clients. + # Defaults to the proxy's hostname if not specified. If running multiple proxies + # behind a load balancer, this name must point to the load balancer. + # Use a TCP load balancer because this port uses SSH protocol. + # ssh_public_addr: proxy.example.com:3023 # TLS certificate for the HTTPS connection. Configuring these properly is # critical for Teleport security. https_key_file: /var/lib/teleport/webproxy_key.pem https_cert_file: /var/lib/teleport/webproxy_cert.pem + + # This section configures the Kubernetes proxy service + kubernetes: + # Turns 'kubernetes' proxy on. Default is 'no' + enabled: no + + # Kubernetes proxy listen address. + listen_addr: 0.0.0.0:3026 + + # The DNS name of the Kubernetes proxy server that is accessible by cluster clients. + # If running multiple proxies behind a load balancer, this name must point to the + # load balancer. + # public_addr: ['kube.example.com:3026'] + + # This setting is not required if the Teleport proxy service is + # deployed inside a Kubernetes cluster. Otherwise, Teleport proxy + # will use the credentials from this file: + # kubeconfig_file: /path/to/kube/config
diff --git a/sys-cluster/teleport/teleport-4.0.0.ebuild b/sys-cluster/teleport/teleport-4.0.0.ebuild
new file mode 100644
index 000000000000..546c0f2921f3
--- /dev/null
+++ b/sys-cluster/teleport/teleport-4.0.0.ebuild
@@ -0,0 +1,49 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+inherit golang-build systemd
+
+DESCRIPTION="Modern SSH server for teams managing distributed infrastructure"
+HOMEPAGE="https://gravitational.com/teleport"
+
+EGO_PN="github.com/gravitational/${PN}/..."
+
+if [[ ${PV} == "9999" ]] ; then
+ inherit git-r3 golang-vcs
+ EGIT_REPO_URI="https://github.com/gravitational/${PN}.git"
+else
+ inherit golang-vcs-snapshot
+ SRC_URI="https://github.com/gravitational/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm"
+fi
+
+IUSE="pam"
+LICENSE="Apache-2.0"
+RESTRICT="test strip"
+SLOT="0"
+
+DEPEND="app-arch/zip"
+RDEPEND="pam? ( sys-libs/pam )"
+
+src_compile() {
+ BUILDFLAGS="" GOPATH="${S}" emake -j1 -C src/${EGO_PN%/*} full
+}
+
+src_install() {
+ keepdir /var/lib/${PN} /etc/${PN}
+ dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport}
+
+ insinto /etc/${PN}
+ newins "${FILESDIR}"/${PN}.yaml ${PN}.yaml
+
+ newinitd "${FILESDIR}"/${PN}.init.d ${PN}
+ newconfd "${FILESDIR}"/${PN}.conf.d ${PN}
+
+ systemd_newunit "${FILESDIR}"/${PN}.service ${PN}.service
+ systemd_install_serviced "${FILESDIR}"/${PN}.service.conf ${PN}.service
+}
+
+src_test() {
+ BUILDFLAGS="" GOPATH="${S}" emake -C src/${EGO_PN%/*} test
+}
-- 
2.26.2
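Review bot: `keepdir /var/lib/${PN} /etc/${PN}` in src_install creates the daemon's `data_dir` (set to `/var/lib/teleport` in files/teleport.yaml, which also places `https_key_file` under it) with the helper's default directory mode, so whatever key material the daemon writes there sits under a world-listable parent unless the daemon tightens the mode itself; adding `fperms 0700 /var/lib/${PN}` after the keepdir line closes that regardless of what the daemon does. Separately, `RESTRICT="test strip"` switches the test phase off by default while `src_test` is still defined, so that function is dead for an ordinary build and a one-line comment saying why tests are restricted (or dropping `test` from RESTRICT) would make the intent clear. The `-j1` in src_compile is likewise unexplained and deserves a `# why` comment, since it silently defeats the user's MAKEOPTS.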