allows (or denies) workers into the cluster
Go Other
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
cmd/tsa Add sweep and report functionality for volumes May 15, 2018
etc/systemd Update concourse URL to concourse-ci.org Mar 8, 2018
scripts fix memory leak in tsa forwardTCPIP Mar 27, 2017
tsacmd Remove hardcoded debug log levels as described in concourse/bin#34. Aug 7, 2018
tsafakes accept a list of ATC URLs and random pick one for request Mar 22, 2017
tsaflags switch to concourse/flag Mar 6, 2018
Dockerfile install Go from resource-fetched tarball Aug 16, 2016
LICENSE.md init Apr 2, 2015
NOTICE.md Update Copyright date Aug 2, 2017
README.md Update concourse URL to concourse-ci.org Mar 8, 2018
deleter.go land worker using team-scoped auth token Dec 27, 2016
deleter_test.go land worker using team-scoped auth token Dec 27, 2016
heartbeater.go Remove hardcoded debug log levels as described in concourse/bin#34. Aug 7, 2018
heartbeater_test.go fix race/panic in tsa suite Aug 15, 2018
lander.go land worker using team-scoped auth token Dec 27, 2016
lander_test.go land worker using team-scoped auth token Dec 27, 2016
random_atc_endpoint_picker.go switch to concourse/flag Mar 6, 2018
retirer.go use team-scoped token for retire-worker Dec 29, 2016
retirer_test.go use team-scoped token for retire-worker Dec 29, 2016
sweeper.go Add sweep and report functionality for volumes May 15, 2018
sweeper_test.go Add sweep and report functionality for volumes May 15, 2018
token_generator.go land worker using team-scoped auth token Dec 27, 2016
tsa_suite_test.go suite test bruh Apr 3, 2015
worker_status.go Add sweep and report functionality for volumes May 15, 2018
worker_status_test.go Add sweep and report functionality for volumes May 15, 2018

README.md

tsa

controls worker authentication within concourse

Airport Security

by stuckincustoms

reporting issues and requesting features

please report all issues and feature requests in concourse/concourse

about

TSA is the way workers securely register to join a Concourse deployment. It provides authentication and transport encryption (if required). Worker machines can ssh into TSA with a custom command to register or have traffic forwarded to them. Once an SSH session has been established then TSA begins to automatically heartbeat information about the worker into the ATC's pool.

The main advantage that this provides over the old style of registration is that Workers no longer need to be internet routable in order to have the ATC reach them. They open a reverse tunnel through the TSA which, when collocated with ATC, is far more likely to be easily routable. This also allows for simpler setup and better security as before you either had to expose your Garden server publicly or set up some interesting custom security if the workers and ATC were not in the same private network.

usage

First, create two new SSH keys:

$ ssh-keygen -t rsa -f host_key
$ ssh-keygen -t rsa -f worker_key

Next, let's create an authorized keys file so that our workers are able to authenticate with us without providing a password:

cat worker_key.pub > authorized_keys

Now to start tsa itself:

tsa \
  --peer-ip $PEER_IP \
  --host-key ./host_key \
  --authorized-keys ./authorized_keys \
  --session-signing-key $SIGNING_KEY \
  --atc-url $ATC_URL

The variables here should be set to:

Variable Description
$PEER_IP The host or IP where this machine can be reached by the ATC for the purpose of forwarding traffic to remote workers.
$SIGNING_KEY RSA key used to sign the tokens used when communicating to the ATC.
$ATC_URL ATC URL reachable by the TSA (e.g. https://ci.concourse-ci.org).

registering workers

In order to have a worker on the local network register with tsa you can run the following command:

ssh -p 2222 $TSA_HOST \
  -i worker_key \
  -o UserKnownHostsFile=host_key.pub \
  register-worker \
  < worker.json

The worker.json file should contain the following:

{
    "platform": "linux",
    "tags": [],
    "addr": "$GARDEN_ADDR",
    "baggageclaim_url": "$BAGGAGECLAIM_URL"
}

The variables here should be set to:

Variable Description
$TSA_HOST The hostname or IP where the TSA server can be reached.
$GARDEN_ADDR The address (host and port) of the Garden to advertise.
$BAGGAGECLAIM_URL The API URL (scheme, host, and port) of the BaggageClaim to advertise.

forwarding workers

In order to have a worker on a remote network register with tsa and have its traffic forwarded you can run the following command:

ssh -p 2222 $TSA_HOST \
  -i worker_key \
  -o UserKnownHostsFile=host_key.pub \
  -R0.0.0.0:7777:127.0.0.1:7777 \
  -R0.0.0.0:7788:127.0.0.1:7788 \
  forward-worker \
    --garden 0.0.0.0:7777 \
    --baggageclaim 0.0.0.0:7788 \
  < worker.json

Note that in this case you should always have Garden and BaggageClaim listen on 127.0.0.1 so that they're not exposed to the outside world. For this reason there is no $GARDEN_ADDR or $BAGGAGECLAIM_URL as is the case with register-worker.

The worker.json file should contain the following:

{
    "platform": "linux",
    "tags": []
}