-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into mcbattirola/remove-team--use-new-flags
- Loading branch information
Showing
45 changed files
with
2,168 additions
and
392 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| Next, you need to create a Bot. A Bot is a Teleport identity for a machine or | ||
| group of machines. Like users, bots have a set of roles and traits which define | ||
| what they can access. | ||
|
|
||
| Create `bot.yaml`: | ||
|
|
||
| ```yaml | ||
| kind: bot | ||
| version: v1 | ||
| metadata: | ||
| # name is a unique identifier for the Bot in the cluster. | ||
| name: example | ||
| spec: | ||
| # roles is a list of roles to grant to the Bot. Don't worry if you don't know | ||
| # what roles you need to specify here, the Access Guides will walk you through | ||
| # creating and assigning roles to the already created Bot. | ||
| roles: [] | ||
| ``` | ||
| Make sure you replace `example` with a unique, descriptive name for your Bot. | ||
|
|
||
| Use `tctl` to apply this file: | ||
|
|
||
| ```code | ||
| $ tctl create bot.yaml | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| ```yaml | ||
| kind: token | ||
| version: v2 | ||
| metadata: | ||
| # name identifies the token. When configuring a bot or node to join using this | ||
| # token, this name should be specified. | ||
| name: tpm-token | ||
| spec: | ||
| # For Machine ID and TPM joining, roles will always be "Bot" and | ||
| # join_method will always be "tpm". | ||
| roles: [Bot] | ||
| join_method: tpm | ||
|
|
||
| # bot_name specifies the name of the bot that this token will grant access to | ||
| # when it is used. | ||
| bot_name: tpm-demo | ||
|
|
||
| # tpm specifies the TPM join method specific configuration for this token. | ||
| tpm: | ||
| # ekcert_allowed_cas is a list of CA certificates that will be used to | ||
| # validate TPM EKCerts. These should be PEM wrapped. | ||
| # | ||
| # When specified, joining TPMs must present an EKCert signed by one of the | ||
| # specified CAs. TPMs that do not present an EKCert will be not permitted to | ||
| # join. | ||
| # | ||
| # When unspecified, TPMs will be allowed to join with either an EKCert or an | ||
| # EKPubHash. | ||
| ekcert_allowed_cas: | ||
| - | | ||
| -----BEGIN CERTIFICATE----- | ||
| ... CA Certificate Data ... | ||
| -----END CERTIFICATE----- | ||
| # allow is a list of Rules, the presented TPM must match one allow rule to | ||
| # be permitted to join using this token. | ||
| allow: | ||
| # description is a human-readable description of the rule. It has no | ||
| # bearing on whether a TPM is allowed to join, but can be used to | ||
| # associate a rule with a specific host (e.g the asset tag of the server | ||
| # in which the TPM resides). | ||
| - description: "example-build-server-100" | ||
| # ek_public_hash is the SHA256 hash of the EKPub marshaled in PKIX format | ||
| # and encoded in hexadecimal. This value will also be checked when a TPM | ||
| # has submitted an EKCert, and the public key in the EKCert will be used | ||
| # for this check. | ||
| ek_public_hash: "d4b4example6fabfc568d74f2example6c35a05337d7af9a6example6c891aa6" | ||
| # ek_certificate_serial is the serial number of the EKCert in hexadecimal | ||
| # with colon separated nibbles. This value will not be checked when a TPM | ||
| # does not have an EKCert configured. | ||
| ek_certificate_serial: "01:23:45:67:89:ex:am:pl:e0:23:45:67:89:ab:cd:ef" | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| The `tpm` join method is a secure way for Bots and Agents to authenticate with | ||
| the Teleport Auth Service without using any shared secrets. Instead of using a | ||
| hared secret, the unique identity of the host's Trusted Platform Module (TPM) | ||
| and public key cryptography is used to authenticate the host. | ||
|
|
||
| In environments where there is no other form of identity available to machines, | ||
| e.g on-prem, this is the most secure method for joining. It avoids the need to | ||
| distribute a shared secret as is needed for the `token` join method. | ||
|
|
||
| A Trusted Platform Module (TPM) is a secure, physical cryptoprocessor that is | ||
| installed on a host. TPMs can store cryptographic material and perform a number | ||
| of cryptographic operations, without exposing the cryptographic material to the | ||
| operating system. Each TPM has a unique key pair burned-in known as the | ||
| Endorsement Key (EK). | ||
|
|
||
| Some TPMs also contain an X.509 certificate for this key pair that is signed by | ||
| the manufacturer's CA. This is known as the EK Certificate (EKCert). This | ||
| certificate can be used by the TPM to prove to a third-party (who trusts the | ||
| manufacturer's CA) that the TPM is genuine and abides by the TPM specification. | ||
|
|
||
| When using the `tpm` join method, you must first query the TPM's public key and | ||
| then create a join token that explicitly allows this public key. Even if the | ||
| host operating system is reinstalled, the EK public key will not change, meaning | ||
| that the TPM will still be usable to join your Teleport cluster. If you have a | ||
| large number of hosts, it may make sense to use automation tooling such as | ||
| ansible to query the TPMs across your fleet and then generate join tokens. | ||
|
|
||
| <Admonition type="warning"> | ||
| The `tpm` join method is currently not compatible with FIPS 140-2. | ||
| </Admonition> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.