/*
Copyright 2018 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"io/ioutil"
	"log"
	"time"

	"github.com/gravitational/teleport"
	"github.com/gravitational/teleport/lib/auth"
	"github.com/gravitational/teleport/lib/utils"
)
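// main connects to a local Teleport Auth server over mutually authenticated
// TLS and asks it to mint a join token that lets one more proxy enroll in the
// cluster. Any failure is fatal; on success the token is written to the log.
func main() {
	log.Printf("Starting teleport client...")

	// The auth server's HTTPS API requires TLS client authentication, so the
	// client certificate and the server trust anchor are loaded up front.
	tlsConfig, err := setupClientTLS()
	if err != nil {
		log.Fatalf("Failed to parse TLS config: %v", err)
	}

	// Loopback address of the auth server API; this sample assumes it runs on
	// the same host (setupClientTLS makes the matching assumption about the
	// certificate paths).
	authServerAddr := []utils.NetAddr{*utils.MustParseAddr("127.0.0.1:3025")}
	client, err := auth.NewTLSClient(authServerAddr, tlsConfig)
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}

	// A join token is a bearer secret: anyone holding it can enroll a proxy
	// for as long as it is valid. A fixed, human-readable value here (such as
	// "mytoken-proxy") is guessable by anyone who has read this file, so the
	// token value is drawn from crypto/rand instead.
	tokenValue, err := newJoinToken()
	if err != nil {
		log.Fatalf("Failed to generate random token: %v", err)
	}

	// Register the token with the auth server for the proxy role, valid for
	// one hour.
	token, err := client.GenerateToken(auth.GenerateTokenRequest{
		Token: tokenValue,
		Roles: teleport.Roles{teleport.RoleProxy},
		TTL:   time.Hour,
	})
	if err != nil {
		log.Fatalf("Failed to generate token: %v", err)
	}

	// Printing the token is the point of this sample, but be aware that it
	// lands wherever stderr goes (terminal scrollback, log shippers, CI output).
	log.Printf("Generated token: %v\n", token)
}

// newJoinToken returns 16 bytes from the system CSPRNG, hex-encoded as a
// 32-character string, for use as a cluster join token. It returns an error
// only if crypto/rand fails to supply the bytes.
func newJoinToken() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}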
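// setupClientTLS builds the client-side TLS configuration used to talk to the
// Teleport Auth server. The auth server requires TLS client authentication, so
// the config carries both the CA used to verify the server's identity and the
// client's own certificate/key pair.
//
// The certificate paths are hard-coded; the program is assumed to run on the
// auth server host, but it can run anywhere the same files are present.
// It returns an error if a file cannot be read, the key pair does not parse,
// or the CA file yields no usable certificate.
func setupClientTLS() (*tls.Config, error) {
	const (
		authCAPath     = "/var/lib/teleport/ca.cert"
		clientCertPath = "/var/lib/teleport/admin.tlscert"
		clientKeyPath  = "/var/lib/teleport/admin.key"
	)

	// CA certificate used to verify the auth server's identity.
	caPEM, err := ioutil.ReadFile(authCAPath)
	if err != nil {
		return nil, err
	}

	// Client key pair presented to the auth server for client authentication.
	// admin.key is a long-lived credential; it should be readable only by the
	// account running this program.
	clientCert, err := tls.LoadX509KeyPair(clientCertPath, clientKeyPath)
	if err != nil {
		return nil, err
	}

	// Start from the project's TLS defaults (presumably hardened; see
	// utils.TLSConfig) and add our trust anchor and client certificate.
	tlsConfig := utils.TLSConfig()
	certPool := x509.NewCertPool()
	// AppendCertsFromPEM reports false when it found no parsable certificate.
	// Fail here with a clear message rather than at connect time: a non-nil
	// but empty RootCAs pool trusts nothing, so every handshake would fail
	// with a generic "unknown authority" error.
	if !certPool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no PEM certificates found in %q", authCAPath)
	}
	tlsConfig.Certificates = []tls.Certificate{clientCert}
	tlsConfig.RootCAs = certPool
	// ClientCAs is only consulted by the server side of crypto/tls; it is
	// harmless on a client config and is kept as the original had it.
	tlsConfig.ClientCAs = certPool
	return tlsConfig, nil
}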