Teleport Configuration Reference

teleport.yaml

Teleport uses the YAML file format for configuration. The full configuration reference file shown below provides comments for all available options in teleport.yaml. By default, the file is stored in /etc/teleport.yaml.

Before using this reference
  • Do not use this example configuration in production.

    You must edit your configuration file to meet the needs of your environment. Using a copy of the reference configuration will have unintended effects. To create a configuration file that you can use as a starting point, run the following command:

    teleport configure -o file
  • You should back up your configuration file before making changes. This will enable you to roll back to the previous configuration if you need to.

  • Teleport Cloud manages the Auth Service and Proxy Service for you. Your Teleport Nodes should include the following configuration options to avoid unintended effects:

    auth_service:
      enabled: no
    
    proxy_service:
      enabled: no
    
# By default, this file should be stored in /etc/teleport.yaml

# Configuration file version. The current version is "v2".
version: v2

# This section of the configuration file applies to all teleport
# services.
teleport:
    # nodename allows one to assign an alternative name this node can be
    # reached by. By default it's equal to hostname.
    nodename: graviton

    # Data directory where Teleport daemon keeps its data.
    # See "Filesystem Layout" for more details
    # (https://goteleport.com/docs/admin-guide/#filesystem-layout).
    data_dir: /var/lib/teleport

    # PID file for Teleport process
    #pid_file: /var/run/teleport.pid

    # Invitation token or file path containing token used to join a cluster. It
    # is not used on subsequent starts.
    #
    # File path example:
    # auth_token: /var/lib/teleport/tokenjoin
    auth_token: xxxx-token-xxxx

    # Optional CA pin of the auth server. Without a pin, a node joining for the
    # first time trusts whatever CA the address in auth_servers presents; with
    # it, the join fails unless that CA matches the pin. Obtain the pin with
    # `tctl status` on the auth server. See "Adding Nodes to the Cluster"
    # (https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster).
    ca_pin: "sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1"

    # When running in multi-homed or NATed environments, Teleport nodes need
    # to know which IP address other nodes can reach them at.
    #
    # This value can also be specified as an FQDN, e.g. host.example.com
    advertise_ip: 10.1.0.5


    # Teleport provides HTTP endpoints for monitoring purposes. They are
    # disabled by default but you can enable them using the diagnosis address.
    # See the Teleport metrics reference:
    # https://goteleport.com/docs/setup/reference/metrics/
    diag_addr: "127.0.0.1:3000"

    # Auth Server address and port to connect to. If you enable the Teleport
    # Auth Server to run in High Availability configuration, the address should
    # point to a Load Balancer.
    # If adding a node located behind NAT, use the Proxy URL. e.g.
    #  auth_servers:
    #     - teleport-proxy.example.com:443
    auth_servers:
        - 10.1.0.5:3025

    # For use on a Teleport Proxy.
    # See the "Teleport Scalability Tweaks" of the admin manual
    # (https://goteleport.com/docs/admin-guide/#teleport-scalability-tweaks)
    # cache:
    #  # use an in-memory cache to speed up the connection of many teleport nodes
    #  # back to proxy
    #  type: in-memory
    #  enabled: true
    #  # can be "never" or a duration such as 300m (300 minutes),
    #  # 2.5h (2 and a half hours), etc. Default is 20h (twenty hours).
    #  ttl: 20h

    # Teleport throttles all connections to avoid abuse. These settings allow
    # you to adjust the default limits
    connection_limits:
        max_connections: 1000
        max_users: 250

    # Logging configuration. Possible output values are a file path such as
    # '/var/lib/teleport/teleport.log', 'stdout', 'stderr' and 'syslog'.
    # Possible severity values are DEBUG, INFO (default), WARN and ERROR.
    log:
        output: /var/lib/teleport/teleport.log
        severity: INFO

        # Log format configuration
        # Possible output values are 'json' and 'text' (default).
        # Possible extra_fields values include: timestamp, component, caller,
        # and level.
        # All extra fields are included by default.
        format:
          output: text
          extra_fields: [level, timestamp, component, caller]

    # Configuration for the storage back-end used for the cluster state and the
    # audit log. Several back-end types are supported. See the "High
    # Availability" section of the Admin Manual
    # (https://goteleport.com/docs/admin-guide/#high-availability) to learn how
    # to configure DynamoDB, S3, etcd, and other highly available back-ends.
    storage:
        # By default teleport uses the `data_dir` directory on a local
        # filesystem
        type: dir

        # List of locations where the audit log events will be stored. By
        # default, they are stored in `/var/lib/teleport/log`.
        #
        # When specifying multiple destinations like this, make sure that
        # highly-available storage methods (like DynamoDB or Firestore) are
        # specified first, as this is what the Teleport Web UI uses as its
        # source of events to display.
        audit_events_uri: ['dynamodb://events_table_name', 'firestore://events_table_name', 'file:///var/lib/teleport/log', 'stdout://']

        # Use this setting to configure teleport to store the recorded sessions
        # in an AWS S3 bucket or use GCP Storage with 'gs://'. See "Using
        # Amazon S3" for more information
        # (https://goteleport.com/docs/admin-guide/#using-amazon-s3).
        audit_sessions_uri: 's3://example.com/path/to/bucket?region=us-east-1'

        # DynamoDB Specific Section
        # continuous_backups is used to enable continuous backups.
        continuous_backups: [true|false]

        # DynamoDB Specific Section
        # auto_scaling is used to enable (and define settings for) auto
        # scaling.
        # default: false
        auto_scaling:  [true|false]
        # minimum/maximum read capacity in units
        read_min_capacity: int
        read_max_capacity: int
        read_target_value: float
        # minimum/maximum write capacity in units
        write_min_capacity: int
        write_max_capacity: int
        write_target_value: float

    # CA Signing algorithm used for OpenSSH Certificates
    # Defaults to rsa-sha2-512 in 4.3 and above.
    # valid values are: ssh-rsa, rsa-sha2-256, rsa-sha2-512; ssh-rsa uses SHA-1
    # and is refused by default by OpenSSH 8.8 and later.
    ca_signature_algo: "rsa-sha2-512"

    # Cipher algorithms that the server supports. This section only needs to be
    # set if you want to override the defaults.
    ciphers:
      - aes128-ctr
      - aes192-ctr
      - aes256-ctr
      - aes128-gcm@openssh.com
      - chacha20-poly1305@openssh.com

    # Key exchange algorithms that the server supports. This section only needs
    # to be set if you want to override the defaults.
    kex_algos:
      - curve25519-sha256@libssh.org
      - ecdh-sha2-nistp256
      - ecdh-sha2-nistp384
      - ecdh-sha2-nistp521

    # Message authentication code (MAC) algorithms that the server supports.
    # This section only needs to be set if you want to override the defaults.
    mac_algos:
      - hmac-sha2-256-etm@openssh.com
      - hmac-sha2-256

    # List of the supported ciphersuites. If this section is not specified,
    # only the default ciphersuites are enabled.
    ciphersuites:
       - tls-ecdhe-rsa-with-aes-128-gcm-sha256
       - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
       - tls-ecdhe-rsa-with-aes-256-gcm-sha384
       - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
       - tls-ecdhe-rsa-with-chacha20-poly1305
       - tls-ecdhe-ecdsa-with-chacha20-poly1305

# This section configures the 'auth service':
auth_service:
    # Turns 'auth' role on. Default is 'yes'
    enabled: yes

    # A cluster name is used as part of a signature in certificates
    # generated by this CA.
    #
    # We strongly recommend explicitly setting it to something meaningful as it
    # becomes important when configuring trust between multiple clusters.
    #
    # By default an automatically generated name is used (not recommended)
    #
    # IMPORTANT: if you change cluster_name, it will invalidate all generated
    # certificates and keys (may need to wipe out /var/lib/teleport directory)
    cluster_name: "main"

    # ProxyProtocol enables support for HAProxy proxy protocol version 1 when
    # it is turned 'on'. Only enable it when this listener sits behind a
    # trusted load balancer that sends the PROXY header: the header is not
    # authenticated, so a client that can reach the listener directly could
    # forge the source address recorded in the audit log.
    # The default value is 'on'.
    proxy_protocol: on

    authentication:
        # default authentication type. possible values are 'local' and 'github'
        # for OSS, plus 'oidc' and 'saml' for Enterprise.
        # Only local authentication (Teleport's own user DB) & GitHub is
        # supported in the open source version
        type: local

        # Sets whether local auth is enabled alongside any other authentication
        # type. Default is true. local_auth must be 'false' for FedRAMP / FIPS.
        # (https://goteleport.com/docs/enterprise/ssh-kubernetes-fedramp/)
        #local_auth: true

        # second_factor can be 'off', 'on', 'optional', 'otp', 'webauthn' or
        # 'u2f'.
        # - 'on' requires otp and either webauthn (preferred) or u2f.
        # - 'optional' allows otp and either webauthn (preferred) or u2f.
        # - 'otp', 'webauthn' and 'u2f' require their corresponding second
        #   factor type.
        second_factor: otp

        # this section is used if second_factor is set to 'on', 'optional' or
        # 'webauthn'.
        webauthn:
          # public domain of the Teleport proxy, *excluding* protocol
          # (`https://`) and port number.
          #
          # IMPORTANT: rp_id must never change in the lifetime of the cluster,
          # because it's recorded in the registration data on the second factor
          # authenticator. If the rp_id changes, all existing authenticator
          # registrations will become invalid and all users who use WebAuthn as
          # the second factor will need to re-register.
          rp_id: "localhost"

          # optional allow list of certificate authorities (as local file paths
          # or in-line PEM certificate string) for [device verification](
          # https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Attestation.html).
          # This field allows you to restrict which device models and vendors
          # you trust.
          # Devices outside of the list will be rejected during registration.
          # By default all devices are allowed.
          # If you must use attestation, consider using
          # `attestation_denied_cas` to forbid troublesome devices instead.
          attestation_allowed_cas:
          - /path/to/allowed_ca.pem
          - |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----

          # optional deny list of certificate authorities (as local file paths
          # or in-line PEM certificate string) for [device verification](
          # https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Attestation.html).
          # This field allows you to forbid specific device models and vendors,
          # while allowing all others (provided they clear
          # `attestation_allowed_cas` as well).
          # Devices within this list will be rejected during registration. By
          # default no devices are forbidden.
          attestation_denied_cas:
          - /path/to/denied_ca.pem
          - |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----

          # if set to true, disables WebAuthn. Allows a fallback to U2F for
          # second factor modes 'on' and 'optional'.
          disabled: false

        # this section is used if second_factor is set to 'u2f'
        u2f:
            # public address of the Teleport proxy, _including_ the `https://`
            # prefix. If you use a port number other than 443, include it as
            # well.
            #
            # Examples:
            # - "https://example.com" (uses default port 443)
            # - "https://example.com:3080" (uses non-default port 3080)
            #
            # IMPORTANT: app_id must never change in the lifetime of the
            # cluster, because it's recorded in the registration data on the
            # U2F device. If the app_id changes, all existing U2F key
            # registrations will become invalid and all users who use U2F as
            # the second factor will need to re-register.
            app_id: https://localhost:3080

            # list of allowed addresses of the Teleport proxy checked during
            # authentication attempts. This list is used to prevent malicious
            # websites and proxies from requesting U2F challenges on behalf of
            # the legitimate proxy.
            facets:
            # app_id should always also be listed as a facet
            - https://localhost:3080
            - https://localhost
            # localhost allows non-https facets as well
            - localhost:3080
            - localhost

            # optional list of certificate authorities (as local file paths or
            # in-line PEM certificate string) for U2F [device
            # attestation](https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-overview.html#verifying-that-a-u2f-device-is-genuine)
            # verification. This field allows you to restrict which U2F device
            # vendors you trust. Devices from other vendors will be rejected
            # during registration. By default, any vendor is allowed.
            device_attestation_cas:
            - /path/to/u2f_ca.pem
            - |
              -----BEGIN CERTIFICATE-----
              ...
              -----END CERTIFICATE-----

        # Locking mode determines how to apply lock views locally available to
        # a Teleport component; can be strict or best_effort.
        # See the "Locking mode" section for more details
        # (https://goteleport.com/docs/access-controls/guides/locking/#locking-mode).
        locking_mode: best_effort

    # IP and the port to bind to. Other Teleport nodes will be connecting to
    # this port (AKA "Auth API" or "Cluster API") to validate client
    # certificates
    listen_addr: 0.0.0.0:3025

    # The optional DNS name for the auth server if located behind a load
    # balancer.
    public_addr: auth.example.com:3025

    # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
    # the role a new node will be allowed to assume. The more secure way to
    # add nodes is to use `tctl nodes add --ttl` command to generate auto-expiring
    # tokens.
    #
    # We recommend to use tools like `pwgen` to generate sufficiently random
    # tokens of 32+ byte length.
    tokens:
        - "proxy,node:xxxxx"
        - "auth:yyyy"

    # Optional setting for configuring session recording. Possible values are:
    #    "node"      : sessions will be recorded on the node level  (the
    #                  default)
    #    "node-sync" : session recordings will be streamed from
    #                  node -> auth -> storage service without being stored on
    #                  disk at all.
    #    "proxy"     : recording on the proxy level, see "Recording Proxy Mode"
    #                  (https://goteleport.com/docs/architecture/proxy/#recording-proxy-mode).
    #    "proxy-sync": session recordings will be streamed from
    #                  proxy -> auth -> storage service without being stored on
    #                  disk at all.
    #    "off"   : session recording is turned off
    #
    session_recording: "node"

    # This setting determines if a Teleport proxy performs strict host key
    # checks.
    # Only applicable if session_recording=proxy, see "Recording Proxy Mode"
    # for details
    # (https://goteleport.com/docs/architecture/proxy/#recording-proxy-mode).
    proxy_checks_host_keys: yes

    # Determines if SSH sessions to cluster nodes are forcefully terminated
    # after no activity from a client (idle client).
    # Examples: "30m", "1h" or "1h30m"
    client_idle_timeout: never

    # Send a custom message to the client when they are disconnected due to
    # inactivity. The empty string indicates that no message will be sent.
    # (Currently only supported for SSH connections)
    client_idle_timeout_message: ""

    # Sets an idle timeout for the Web UI. The default is 10m.
    web_idle_timeout: 10m

    # Determines if the clients will be forcefully disconnected when their
    # certificates expire in the middle of an active SSH session. (default is
    # 'no')
    disconnect_expired_cert: no

    # Determines the interval at which Teleport will send keep-alive messages.
    # The default is set to 5 minutes (300 seconds) to stay lower than the
    # common load balancer timeout of 350 seconds.
    # keep_alive_count_max is the number of missed keep-alive messages before
    # the server tears down the connection to the client.
    keep_alive_interval: 5m
    keep_alive_count_max: 3

    # Determines the internal session control timeout cluster-wide. This value
    # will be used with enterprise max_connections and max_sessions. It's
    # unlikely that you'll need to change this.
    # session_control_timeout: 2m

    # Determines the routing strategy used to connect to nodes. Can be
    # 'unambiguous_match' (default), or 'most_recent'.
    routing_strategy: unambiguous_match

    # License file to start auth server with. Note that this setting is ignored
    # in the Teleport Open-Source Edition and is required only for Teleport Pro, Business
    # and Enterprise subscription plans.
    #
    # The path can be either absolute or relative to the configured `data_dir`
    # and should point to the license file obtained from Teleport Download
    # Portal.
    #
    # If not set, by default Teleport will look for the `license.pem` file in
    # the configured `data_dir` .
    license_file: /var/lib/teleport/license.pem

    # Configures a banner message to be displayed to a user logging into the
    # cluster, which must be acknowledged before the user is allowed to log in.
    # Note that will be shown *before* login, so should not contain any
    # confidential information.
    # Defaults to the empty string, implying no message or acknowledgment is
    # required.
    message_of_the_day: ""

    # Indicates to the clients whether the cluster is running in TLS routing
    # mode with all protocols multiplexed on the proxy's web_listen_addr.
    #
    # Possible values are:
    #
    # "multiplex": clients will be connecting to Teleport proxy's web listener
    #              in TLS routing mode.
    # "separate":  clients will be connecting to Teleport proxy's individual
    #              listeners: tunnel_listen_addr, mysql_listen_addr, etc.
    #
    # See "TLS Routing" in Architecture section for additional information.
    proxy_listener_mode: multiplex

# This section configures the 'node service':
ssh_service:
    # Turns 'ssh' role on. Default is 'yes'
    enabled: yes

    # IP and the port for SSH service to bind to.
    listen_addr: 0.0.0.0:3022

    # The optional public address the SSH service. This is useful if
    # administrators want to allow users to connect to nodes directly,
    # bypassing a Teleport proxy.
    public_addr: node.example.com:3022

    # See explanation of labels in "Labeling Nodes and Applications" section
    # (https://goteleport.com/docs/admin-guide/#labeling-nodes-and-applications).
    labels:
        role: leader
        type: postgres

    # List of the commands to periodically execute. Their output will be used
    # as node labels.
    # See "Labeling Nodes" section for more information and more examples
    # (https://goteleport.com/docs/admin-guide/#labeling-nodes-and-applications).
    commands:
    # this command will add a label 'arch=x86_64' to a node
    - name: arch
      command: ['/bin/uname', '-p']
      period: 1h0m0s

    # Enables reading ~/.tsh/environment before creating a session.
    # It is false by default and can be set to true here or through the
    # command-line flag.
    permit_user_env: false

    # Enhanced Session Recording
    # see https://goteleport.com/docs/features/enhanced-session-recording/
    enhanced_recording:
       # Enable or disable enhanced auditing for this node. Default value:
       # false.
       enabled: false

       # command_buffer_size is optional with a default value of 8 pages.
       command_buffer_size: 8

       # disk_buffer_size is optional with default value of 128 pages.
       disk_buffer_size: 128

       # network_buffer_size is optional with default value of 8 pages.
       network_buffer_size: 8

       # Controls where cgroupv2 hierarchy is mounted. Default value:
       # /cgroup2.
       cgroup_path: /cgroup2

    # Configures PAM integration. See our PAM guide for more details
    # (https://goteleport.com/docs/features/ssh-pam/).
    pam:
        # "no" by default
        enabled: yes
        # use /etc/pam.d/sshd configuration (the default)
        service_name: "sshd"
        # use the "auth" modules in the PAM config
        # "false" by default
        use_pam_auth: true

    # Enables/disables TCP forwarding. Default is 'true'
    port_forwarding: true

    # When x11.enabled is set to yes, users with the "permit_x11_forwarding"
    # role option will be able to request X11 forwarding sessions with
    # "tsh ssh -X".
    #
    # X11 forwarding will only work if the server has the "xauth" binary
    # installed and the Teleport node can open Unix sockets.
    # e.g. "$TEMP/.X11-unix/X[display_number]."
    x11:
      # no by default
      enabled: yes
      # display_offset can be used to specify the start of the range of X11
      # displays the server will use when granting X11 forwarding sessions
      # 10 by default
      display_offset: 10
      # max_display can be set to specify the end of the range of X11 displays
      # to use when granting X11 forwarding sessions
      # display_offset + 1000 by default
      max_display: 1010

# This section configures the 'proxy service'
proxy_service:
    # Turns 'proxy' role on. Default is 'yes'
    enabled: yes

    # ProxyProtocol enables support for HAProxy proxy protocol version 1 when
    # it is turned 'on'. Only enable it when this listener sits behind a
    # trusted load balancer that sends the PROXY header: the header is not
    # authenticated, so a client that can reach the listener directly could
    # forge the source address recorded in the audit log.
    # The default value is 'on'.
    proxy_protocol: on

    # SSH forwarding/proxy address. Command line (CLI) clients always begin
    # their SSH sessions by connecting to this port
    #
    # If not set, behavior depends on the config file version:
    #
    # "v2": listener is not created, SSH is multiplexed on web_listen_addr
    # "v1": defaults to 0.0.0.0:3023
    listen_addr: 0.0.0.0:3023

    # Reverse tunnel listening address. An auth server (CA) can establish an
    # outbound (from behind the firewall) connection to this address.
    # This will allow users of the outside CA to connect to
    # behind-the-firewall nodes.
    #
    # If not set, behavior depends on the config file version:
    #
    # "v2": listener is not created, reverse tunnel traffic is multiplexed on web_listen_addr
    # "v1": defaults to 0.0.0.0:3024
    tunnel_listen_addr: 0.0.0.0:3024

    # The HTTPS listen address to serve the Web UI and also to authenticate the
    # command line (CLI) users via password+HOTP
    # Also handles the PostgreSQL proxy if database access is enabled.
    web_listen_addr: 0.0.0.0:3080

    # The DNS name of the proxy HTTPS endpoint as accessible by cluster users.
    # Defaults to the proxy's hostname if not specified. If running multiple
    # proxies behind a load balancer, this name must point to the load balancer
    # If application access is enabled, public_addr is used to write correct
    # redirects
    # (https://goteleport.com/docs/application-access/guides/connecting-apps/#start-authproxy-service).
    # If database access is enabled, Database clients will connect to the Proxy
    # over this hostname
    # (https://goteleport.com/docs/database-access/architecture/#database-client-to-proxy).
    public_addr: proxy.example.com:3080

    # The DNS name of the proxy SSH endpoint as accessible by cluster clients.
    # Defaults to the proxy's hostname if not specified. If running multiple
    # proxies behind a load balancer, this name must point to the load
    # balancer.
    # Use a TCP load balancer because this port uses SSH protocol.
    ssh_public_addr: proxy.example.com:3023

    # The DNS name of the tunnel SSH endpoint as accessible by trusted clusters
    # and nodes joining the cluster via Teleport IoT/node tunneling.
    # Defaults to the proxy's hostname if not specified. If running multiple
    # proxies behind a load balancer, this name must point to the load
    # balancer. Use a TCP load balancer because this port uses SSH protocol.
    tunnel_public_addr: proxy.example.com:3024

    # TLS certificate for the HTTPS connection. Configuring these properly is
    # critical for Teleport security.
    https_keypairs:
    - key_file: /var/lib/teleport/webproxy_key.pem
      cert_file: /var/lib/teleport/webproxy_cert.pem
    - key_file: /etc/letsencrypt/live/*.teleport.example.com/privkey.pem
      cert_file: /etc/letsencrypt/live/*.teleport.example.com/fullchain.pem

    # Kubernetes proxy listen address.
    #
    # If not set, behavior depends on the config file version:
    #
    # "v2": listener is not created, Kubernetes traffic is multiplexed on web_listen_addr
    # "v1": defaults to 0.0.0.0:3026
    kube_listen_addr: 0.0.0.0:3026
    # optional: set a different public address for kubernetes access
    kube_public_addr: kube.example.com:3026

    # MySQL proxy listen address.
    #
    # If not set, behavior depends on the config file version:
    #
    # "v2": listener is not created, MySQL traffic is multiplexed on
    #       web_listen_addr
    # "v1": defaults to 0.0.0.0:3036
    mysql_listen_addr: "0.0.0.0:3036"

    # Postgres Proxy listener address. If provided, proxy will use a separate
    # listener
    # instead of multiplexing Postgres protocol on web_listener_addr.
    # postgres_listen_addr: "0.0.0.0:5432"

    # Mongo Proxy listener address. If provided, proxy will use a separate
    # listener instead of multiplexing Mongo protocol on web_listener_addr.
    # mongo_listen_addr: "0.0.0.0:27017"

    # Address advertised to MySQL clients. If not set, public_addr is used.
    mysql_public_addr: "mysql.teleport.example.com:3306"

    # Address advertised to PostgreSQL clients. If not set, public_addr is
    # used.
    postgres_public_addr: "postgres.teleport.example.com:443"

    # Address advertised to Mongo clients. If not set, public_addr is used.
    mongo_public_addr: "mongo.teleport.example.com:443"

    # Get an automatic certificate from Letsencrypt.org using ACME via
    # TLS_ALPN-01 challenge.
    # When using ACME, the cluster name must match the 'public_addr' of
    # Teleport and the 'proxy_service' must be publicly accessible over port
    # 443.
    # Also set using the CLI command:
    # 'teleport configure --acme [email protected] \
    # --cluster-name=tele.example.com -o file'
    #acme:
    #  enabled: yes
    #  email: [email protected]

# This section configures the 'application service'
app_service:
    # Turns 'app' role on. Default is 'no'
    enabled: yes
    # Teleport contains a small debug app that can be used to make sure
    # Application Access is working correctly. The app outputs the JWT it
    # receives, so it can be useful when extending your application.
    # Leave it disabled in production.
    debug_app: true
    apps:
    - name: "kubernetes-dashboard"
      # URI and Port of Application.
      uri: "http://10.0.1.27:8000"
      # Optionally skip TLS verification. default false
      # insecure_skip_verify: true
      # Optional Public Addr
      public_addr: "example.com"
      # Optional Label: These can be used in combination with RBAC rules
      # to limit access to applications
      labels:
         env: "prod"
      # Optional Dynamic Labels
      commands:
      - name: "os"
        command: ["/usr/bin/uname"]
        period: "5s"
      # Optional simple rewriting of Location header
      # Rewrite the "Location" header on redirect responses replacing the
      # host with the public address of this application.
      # redirect:
      #   - "localhost"
      #   - "jenkins.internal.dev"

# This section configures the 'kubernetes service'
kubernetes_service:
    enabled: yes
    # Optional Public & Listen Addr: Set these if you are connecting to
    # Teleport running inside a Kubernetes cluster instead of using a
    # reverse tunnel.
    #
    # Optional Public Addr
    public_addr: [k8s.example.com:3026]
    # Optional Listen Addr
    listen_addr: 0.0.0.0:3026
    # Optional kubeconfig_file and kube_cluster_name. Exactly one of these must
    # be set.
    #
    # When running teleport outside of the kubernetes cluster, use
    # kubeconfig_file to provide teleport with cluster credentials.
    #
    # When running teleport inside of the kubernetes cluster pod, use
    # kube_cluster_name to provide a user-visible name. Teleport uses the pod
    # service account credentials to authenticate to its local kubernetes API.
    kubeconfig_file: /secrets/kubeconfig
    kube_cluster_name:
    # Optional labels: These can be used in combination with RBAC rules
    # to limit access to Kubernetes clusters.
    # When using kubeconfig_file above, these labels apply to all kubernetes
    # clusters specified in the kubeconfig.
    labels:
      env: "prod"
    # Optional Dynamic Labels
    commands:
    - name: "os"
      command: ["/usr/bin/uname"]
      period: "5s"
    # Get cluster name on GKE.
    - name: cluster-name
      command: ['curl', 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name', '-H', 'Metadata-Flavor: Google']
      period: 1m0s

# This section configures the 'database service'.
db_service:
  # Enables the Database Service.
  enabled: "yes"

  # Matchers for database resources created with "tctl create" command.
  resources:
  - labels:
      "*": "*"

  # Matchers for registering AWS-hosted databases.
  aws:
    # Database types. Valid options are:
    # 'rds' - discovers and registers AWS RDS and Aurora databases.
    # 'redshift' - discovers and registers AWS Redshift databases.
  - types: ["rds", "redshift"]
    # AWS regions to register databases from.
    regions: ["us-west-1", "us-east-2"]
    # AWS resource tags to match when registering databases.
    tags:
      "*": "*"

  # Lists statically registered databases proxied by this agent.
  databases:
    # Name of the database proxy instance, used to reference in CLI.
  - name: "prod"

    # Free-form description of the database proxy instance.
    description: "Production database"

    # Database protocol. Can be: "postgres", "mysql", "mongodb", "cockroachdb", "sqlserver", or "redis".
    protocol: "postgres"

    # Database connection endpoint. Must be reachable from Database Service.
    uri: "postgres.example.com:5432"

    # Optional TLS configuration.
    tls:
      # TLS verification mode. Valid options are:
      # 'verify-full' - performs full certificate validation (default).
      # 'verify-ca' - the same as `verify-full`, but skips the server name validation.
      # 'insecure' - accepts any certificate provided by database (not recommended).
      mode: verify-full
      # Optional database DNS server name. It allows overriding the DNS name on
      # a client certificate when connecting to a database.
      # Use only with 'verify-full' mode.
      server_name: db.example.com
      # Optional path to the CA used to validate the database certificate.
      ca_cert_file: /path/to/pem

    # MySQL only options.
    mysql:
      # The default MySQL server version reported by Teleport Proxy.
      # When this option is set, the Database Agent doesn't try to check the MySQL server version.
      server_version: 8.0.28

    # AWS specific configuration, only required for RDS/Aurora/Redshift.
    aws:
      # Region the database is deployed in.
      region: "us-east-1"
      # Redshift specific configuration.
      redshift:
        # Redshift cluster identifier.
        cluster_id: "redshift-cluster-1"

    # GCP specific configuration for Cloud SQL databases.
    gcp:
      # GCP project ID.
      project_id: "xxx-1234"
      # Cloud SQL instance ID.
      instance_id: "example"

    # Settings specific to Active Directory authentication, e.g. for SQL Server.
    ad:
      # Path to Kerberos keytab file.
      keytab_file: /path/to/keytab
      # Active Directory domain name.
      domain: EXAMPLE.COM
      # Service Principal Name to obtain Kerberos tickets for.
      spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
      # Optional path to Kerberos configuration file. Defaults to /etc/krb5.conf.
      krb5_file: /etc/krb5.conf

    # Static labels to assign to the database. Used in RBAC.
    static_labels:
      env: "prod"

    # Dynamic labels ("commands"). Used in RBAC.
    dynamic_labels:
    - name: "hostname"
      command: ["hostname"]
      period: 1m0s


# This section configures the windows desktop service
windows_desktop_service:
  enabled: yes
  # This is the address that windows_desktop_service will listen on.
  listen_addr: "localhost:3028"
  # (optional) This is the address that windows_desktop_service will advertise
  # to the rest of Teleport for incoming connections. Only proxy_service should
  # connect to windows_desktop_service, users connect to the proxy's web UI
  # instead.
  public_addr: "desktop-access.example.com:3028"
  ldap:
    # Address of the LDAP server for secure LDAP connections.
    # Usually, this address will use port 636, like: ldap.example.com:636.
    # For best results, this address should point to a highly-available
    # endpoint (a load balancer, VIP, or round-robin DNS) rather than
    # a single domain controller.
    addr:     '$LDAP_SERVER_ADDRESS'
    # Active Directory domain name you are connecting to.
    domain:   '$LDAP_DOMAIN_NAME'
    # LDAP username for authentication. This username must include the domain
    # NetBIOS name. The use of single quotes here is intentional in order to
    # avoid the need to escape the backslash (\) character.
    #
    # For example, if your domain is "example.com", the NetBIOS name for it is
    # likely "EXAMPLE". When connecting as the "svc-teleport" user, you should
    # use the format: "EXAMPLE\svc-teleport".
    username: '$LDAP_USERNAME'
    # You can skip LDAPS certificate verification by setting
    # this to true. It is recommended that this be set to false
    # and the certificate added to your system's trusted repository,
    # or its filepath provided with the der_ca_file variable below.
    insecure_skip_verify: false
    # DER encoded LDAP CA certificate.
    der_ca_file: /path/to/cert
  # (optional) hosts is a list of hostnames to register as WindowsDesktop
  # objects in Teleport.
  hosts:
  - win1.example.com
  - win2.example.com
  - ...
  # (optional) settings for enabling automatic desktop discovery via LDAP
  discovery:
    # The wildcard '*' character tells Teleport to discover all the hosts in
    # the Active Directory Domain. To refine the search, specify a custom DN.
    # To disable automatic discovery, leave this field blank.
    base_dn: '*'
    # (optional) LDAP filters for further customizing the LDAP search.
    # See https://ldap.com/ldap-filters for details on LDAP filter syntax.
    filters:
    - '(location=Oakland)'
    - '(!(primaryGroupID=516))' # exclude domain controllers
    # (optional) LDAP attributes to convert into Teleport labels.
    # The key of the label will be "ldap/" + the value of the attribute.
    label_attributes:
    - location
  # Rules for applying labels to Windows hosts based on regular expressions
  # matched against the host name. If multiple rules match, the desktop will
  # get the union of all matching labels.
  host_labels:
  - match: '^.*\.dev\.example\.com$'
    labels:
      environment: dev
  - match: '^.*\.prod\.example\.com$'
    labels:
      environment: prod
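As an added illustration that is not part of the Teleport reference, the following Python audit walks a parsed teleport.yaml and reports every setting that weakens certificate validation: db_service `tls.mode` values of `insecure` or `verify-ca`, a `tls.server_name` used outside `verify-full`, and a windows_desktop_service `ldap.insecure_skip_verify: true`. The input is a constructed dict mirroring the keys above rather than a real file loaded with PyYAML, so the script runs offline.

```python
from typing import Any, Dict, List

# Constructed sample mirroring the reference structure above; not a real deployment.
SAMPLE_CONFIG: Dict[str, Any] = {
    "db_service": {
        "enabled": "yes",
        "databases": [
            {"name": "prod", "protocol": "postgres", "uri": "postgres.example.com:5432",
             "tls": {"mode": "verify-full", "server_name": "db.example.com"}},
            {"name": "staging", "protocol": "mysql", "uri": "mysql.example.com:3306",
             "tls": {"mode": "verify-ca", "server_name": "db.example.com"}},
            {"name": "scratch", "protocol": "redis", "uri": "redis.example.com:6379",
             "tls": {"mode": "insecure"}},
        ],
    },
    "windows_desktop_service": {
        "enabled": "yes",
        "ldap": {"addr": "ldap.example.com:636", "insecure_skip_verify": True},
    },
}

VALID_TLS_MODES = {"verify-full", "verify-ca", "insecure"}


def audit_config(cfg: Dict[str, Any]) -> List[str]:
    """Return one finding per setting that weakens certificate validation."""
    findings: List[str] = []
    db_service = cfg.get("db_service") or {}
    for db in db_service.get("databases") or []:
        name = db.get("name", "<unnamed>")
        tls = db.get("tls") or {}
        mode = tls.get("mode", "verify-full")  # verify-full is the documented default
        if mode not in VALID_TLS_MODES:
            findings.append(f"db {name}: unknown tls.mode {mode!r}")
        elif mode == "insecure":
            findings.append(f"db {name}: tls.mode 'insecure' accepts any server certificate")
        elif mode == "verify-ca":
            findings.append(f"db {name}: tls.mode 'verify-ca' skips server name validation")
        # server_name is documented for use only with verify-full
        if tls.get("server_name") and mode != "verify-full":
            findings.append(f"db {name}: tls.server_name set but mode is {mode!r}")
    ldap = (cfg.get("windows_desktop_service") or {}).get("ldap") or {}
    if ldap.get("insecure_skip_verify") is True:
        findings.append("windows_desktop_service.ldap: insecure_skip_verify is true; "
                        "set it to false and supply der_ca_file or trust the CA system-wide")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print(line)
```

On the sample above the audit reports four findings: two for `staging` (verify-ca plus a server_name that mode ignores), one for `scratch`, and one for the LDAP setting, while `prod` passes.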