Alexander/notelescope

Makefile

@@ -4,16 +4,12 @@ ETCD_FLAGS := TELEPORT_TEST_ETCD_NODES=${ETCD_NODES}
 
 .PHONY: install test test-with-etcd remove-temp files test-package update test-grep-package cover-package cover-package-with-etcd run profile sloccount set-etcd install-assets docs-serve
 
-install: teleport telescope
+install: teleport
 
 teleport: remove-temp-files
 	go install github.com/gravitational/teleport/tool/teleport
 	go install github.com/gravitational/teleport/tool/tctl
 
-telescope: remove-temp-files
-	go install github.com/gravitational/teleport/tool/telescope/telescope
-	go install github.com/gravitational/teleport/tool/tscopectl
-
 test: install
 	go test -v -test.parallel=0 ./... -cover
 
@@ -47,45 +43,51 @@ cover-package-with-etcd: remove-temp-files
 
 pack-teleport: DIR := $(shell mktemp -d)
 pack-teleport: pkg teleport
-	cp assets/build/teleport/orbit.manifest.json $(DIR)
+	cp assets/build/orbit.manifest.json $(DIR)
 	mkdir -p $(DIR)/rootfs/usr/bin
-	cp $(GOPATH)/bin/teleport $(DIR)/rootfs/usr/bin
-	cp $(GOPATH)/bin/tctl $(DIR)/rootfs/usr/bin
-	orbit pack $(DIR) $(PKG)
-	rm -rf $(DIR)
-
-pack-telescope: DIR := $(shell mktemp -d)
-pack-telescope: pkg telescope
-	cp assets/build/telescope/orbit.manifest.json $(DIR)
 	mkdir -p $(DIR)/rootfs/usr/bin $(DIR)/rootfs/etc/web-assets/
-	cp $(GOPATH)/bin/telescope $(DIR)/rootfs/usr/bin
-	cp $(GOPATH)/bin/tscopectl $(DIR)/rootfs/usr/bin
 	cp -r ./assets/web/* $(DIR)/rootfs/etc/web-assets/
+	cp $(GOPATH)/bin/teleport $(DIR)/rootfs/usr/bin
+	cp $(GOPATH)/bin/tctl $(DIR)/rootfs/usr/bin
 	orbit pack $(DIR) $(PKG)
 	rm -rf $(DIR)
 
 pkg:
 	@if [ "$$PKG" = "" ] ; then echo "ERROR: enter PKG parameter:\n\nmake publish PKG=<name>:<sem-ver>, e.g. teleport:0.0.1\n\n" && exit 255; fi
 
+# run-embedded-proxy starts a auth server, ssh node and proxy that allows web access 
+# to all the nodes
 run-embedded: install
 	rm -f /tmp/teleport.auth.sock
 	teleport --config=examples/embedded.yaml
 
-
-run-telescope: install
-	rm -f /tmp/telescope.auth.sock
-	telescope --config=examples/telescope.yaml
-
-trust-telescope: 
-	tscopectl user-ca pub-key > /tmp/user.pubkey
-	tscopectl host-ca pub-key > /tmp/host.pubkey
-	tctl remote-ca upsert --type=user --id=user.telescope.vendor.io --fqdn=telescope.vendor.io --path=/tmp/user.pubkey
-	tctl remote-ca upsert --type=host --id=host.telescope.vendor.io --fqdn=telescope.vendor.io --path=/tmp/host.pubkey
+# run-embedded-proxy starts a ssh node, auth server and reverse tunnel that connect outside of
+# the organization server
+run-embedded-proxy: install
+	rm -f /tmp/teleport.auth.sock
+	teleport --config=examples/embedded-proxy.yaml
+
+# run proxy start s
+run-proxy: install
+	rm -f /tmp/teleport.proxy.auth.sock
+	teleport --config=examples/proxy.yaml
+
+trust-proxy:
+#   get user and host SSH certificates from proxy's organization, note that we are connecting to proxy's auth server
+#   that serves proxy's organization certs and not teleport's
+	tctl --auth=unix:///tmp/teleport.proxy.auth.sock user-ca pub-key > /tmp/user.pubkey
+	tctl --auth=unix:///tmp/teleport.proxy.auth.sock host-ca pub-key > /tmp/host.pubkey
+
+#   add proxy's certs to teleport as trusted remote certificate authorities
+	tctl remote-ca upsert --type=user --id=user.proxy.vendor.io --fqdn=proxy.vendor.io --path=/tmp/user.pubkey
+	tctl remote-ca upsert --type=host --id=host.proxy.vendor.io --fqdn=proxy.vendor.io --path=/tmp/host.pubkey
 	tctl remote-ca ls --type=user
 	tctl remote-ca ls --type=host
-	tctl host-ca pub-key > /tmp/tscope-host.pubkey
-	tscopectl remote-ca upsert --type=host --id=host.auth.vendor.io --fqdn=auth.vendor.io --path=/tmp/tscope-host.pubkey
-	tscopectl remote-ca ls --type=host
+
+#   now export teleport's host CA certificate and add it as a trusted cert for proxy
+	tctl host-ca pub-key > /tmp/teleport.pubkey
+	tctl --auth=unix:///tmp/teleport.proxy.auth.sock remote-ca upsert --type=host --id=host.auth.gravitational.io --fqdn=node1.gravitational.io --path=/tmp/teleport.pubkey
+	tctl --auth=unix:///tmp/teleport.proxy.auth.sock remote-ca ls --type=host
 
 profile:
 	go tool pprof http://localhost:6060/debug/pprof/profile

assets/build/teleport/orbit.manifest.json → assets/build/orbit.manifest.json

@@ -38,9 +38,9 @@
             },
             {
                 "type": "String",
-                "name": "fqdn",
+                "name": "hostname",
                 "required": true,
-                "env": "TELEPORT_FQDN"
+                "env": "TELEPORT_HOSTNAME"
             },
             {
                 "type": "Bool",
@@ -62,9 +62,9 @@
             },
             {
                 "type": "String",
-                "name": "authDomain",
-                "env": "TELEPORT_AUTH_DOMAIN",
-                "cli": {"name": "auth-domain"}
+                "name": "authHostAuthorityDomain",
+                "env": "TELEPORT_AUTH_HOST_AUTHORITY_DOMAIN",
+                "cli": {"name": "auth-host-authority-domain"}
             },
             {
                 "type": "String",
@@ -95,20 +95,10 @@
                 }
             },
             {
-                "type": "List",
-                "name": "authTrustedUserAuthorities",
-                "spec": {
-                    "name": "authTrustedUserAuthority",
-                    "env": "TELEPORT_AUTH_TRUSTED_USER_AUTHORITIES",
-                    "type": "KeyVal",
-                    "cli": {"name": "auth-trusted-user-authority"},
-                    "spec": {
-                        "keys": [
-                            {"name": "key", "type":"String"},
-                            {"name": "val", "type":"String"}
-                        ]
-                    }
-                }
+                "type": "String",
+                "name": "authTrustedAuthorities",
+                "env": "TELEPORT_AUTH_TRUSTED_AUTHORITIES",
+                "cli": {"name": "auth-trusted-authorities"}
             },
             {
                 "type": "Enum",
@@ -119,6 +109,18 @@
                     "values": ["bolt", "etcd"]
                 }
             },
+            {
+                "type": "String",
+                "name": "authUserCAKeyPair",
+                "env": "TELEPORT_AUTH_USER_CA_KEYPAIR",
+                "cli": {"name": "auth-user-ca-keypair"}
+            },
+            {
+                "type": "String",
+                "name": "authHostCAKeyPair",
+                "env": "TELEPORT_AUTH_HOST_CA_KEYPAIR",
+                "cli": {"name": "auth-host-ca-keypair"}
+            },
             {
                 "type": "List",
                 "name": "authKeysBackendParams",
@@ -217,21 +219,63 @@
             },
             {
                 "type": "Bool",
-                "name": "tunEnabled",
-                "env": "TELEPORT_TUN_ENABLED",
-                "cli": {"name": "tun-enabled"}
+                "name": "reverseTunnelEnabled",
+                "env": "TELEPORT_REVERSE_TUNNEL_ENABLED",
+                "cli": {"name": "reverse-tunnel-enabled"}
+            },
+            {
+                "type": "String",
+                "name": "reverseTunnelToken",
+                "env": "TELEPORT_REVERSE_TUNNEL_TOKEN",
+                "cli": {"name": "reverse-tunnel-token"}
+            },
+            {
+                "type": "String",
+                "name": "reverseTunnelDialAddr",
+                "env": "TELEPORT_REVERSE_TUNNEL_DIAL_ADDR",
+                "cli": {"name": "reverse-tunnel-dial-addr"}
+            },
+            {
+                "type": "Bool",
+                "name": "proxyEnabled",
+                "env": "TELEPORT_PROXY_ENABLED",
+                "cli": {"name": "proxy-enabled"}
+            },
+            {
+                "type": "String",
+                "name": "proxyToken",
+                "env": "TELEPORT_PROXY_TOKEN",
+                "cli": {"name": "proxy-token"}
+            },
+            {
+                "type": "String",
+                "name": "proxyReverseTunnelListenAddr",
+                "env": "TELEPORT_PROXY_REVERSE_TUNNEL_LISTEN_ADDR",
+                "cli": {"name": "proxy-reverse-tunnel-listen-addr"}
+            },
+            {
+                "type": "String",
+                "name": "proxyWebAddr",
+                "env": "TELEPORT_PROXY_WEB_ADDR",
+                "cli": {"name": "proxy-web-addr"}
+            },
+            {
+                "type": "String",
+                "name": "proxyAssetsDir",
+                "env": "TELEPORT_PROXY_ASSETS_DIR",
+                "cli": {"name": "proxy-assets-dir"}
             },
             {
                 "type": "String",
-                "name": "tunToken",
-                "env": "TELEPORT_TUN_TOKEN",
-                "cli": {"name": "tun-token"}
+                "name": "proxyTLSKey",
+                "env": "TELEPORT_PROXY_TLS_KEY",
+                "cli": {"name": "proxy-tls-key"}
             },
             {
                 "type": "String",
-                "name": "tunServerAddr",
-                "env": "TELEPORT_TUN_SERVER_ADDR",
-                "cli": {"name": "tun-server-addr"}
+                "name": "proxyTLSCert",
+                "env": "TELEPORT_PROXY_TLS_CERT",
+                "cli": {"name": "proxy-tls-cert"}
             }
         ]
     }

assets/web/teleport/assets/static/js/grv/frame.jsx → assets/web/assets/static/js/grv/frame.jsx

@@ -35,11 +35,11 @@ var LeftNavBar = React.createClass({
     },
     items: function() {
         return grv.nav_sections.concat([
-            {icon: "fa fa-key", url: grv.path("keys"), title: "Keys", key: "keys"},
+            {icon: "fa fa-hdd-o", url: grv.path("servers"), title: "Servers", key: "servers"},
             {icon: "fa fa-list", url: grv.path("events"), title: "Timeline", key: "events"},
+            {icon: "fa fa-wechat", url: grv.path("sessions"), title: "Sessions", key: "sessions"},            
             {icon: "fa fa-arrows-h", url: grv.path("webtuns"), title: "Web Tunnels", key: "webtuns"},
-            {icon: "fa fa-hdd-o", url: grv.path("servers"), title: "Instances", key: "servers"},
-            {icon: "fa fa-wechat", url: grv.path("sessions"), title: "Sessions", key: "sessions"},
+            {icon: "fa fa-key", url: grv.path("keys"), title: "Access control", key: "keys"},            
         ]);
     },
     render: function(){