update

2024-04-03 22:04:13 +02:00
parent 7e68609006
commit 0b373d31db
142 changed files with 7334 additions and 0 deletions
--- a/apps/teleport/teleport-aiassist.md
+++ b/apps/teleport/teleport-aiassist.md
@ -0,0 +1,64 @@
+# Teleport Assist
+
+**'Teleport Assist'** is an artificial intelligence feature, that utilizes facts about your infrastructure to help answer questions, generate command line scripts, and help you perform routine tasks on target nodes. At the moment only SSH and bash are supported. Support for SQL, AWS API and Kubernetes is planned for the near future.
+
+> **'Teleport Assist'** is currently experimental, available starting from Teleport v12.4 for Teleport Community Edition.
+
+## Prerequisites
+
+- You will need an active OpenAI account with GPT-4 API access as Teleport Assist relies on OpenAI services.
+  
+## Configuration
+
+Copy the GPT-4 API key into the file `/etc/teleport/openai_key`, and set read-only permissions and change the file owner to the user that the Teleport Proxy Service uses by running the following commands:
+
+```sh
+chmod 400 /etc/teleport/openai_key
+chown teleport:teleport /etc/teleport/openai_key
+```
+
+To enable Teleport Assist, you need to provide your OpenAI API key. On each Proxy and Auth Service host, perform the following actions.
+
+If the host is running the Auth Service, add the following section:
+
+```yaml
+auth_service:
+  assist:
+    openai:
+      api_token_path: /etc/teleport/openai_key
+```
+
+If the host is running the Proxy Service, add the following section:
+
+```yaml
+proxy_service:
+  assist:
+    openai:
+      api_token_path: /etc/teleport/openai_key
+```
+
+Restart Teleport for the changes to take effect.
+
+Make sure that your Teleport user has the `assistant` permission. By default, users with built-in `access` and `editor` roles have this permission. You can also add it to a custom role. Here is an example:
+
+```yaml
+kind: role
+version: v6
+metadata:
+  name: assist
+spec:
+  allow:
+    rules:
+    - resources:
+      - assistant
+      verbs:
+      - list
+      - create
+      - read
+      - update
+      - delete
+```
+
+## Usage
+
+Now that you have Teleport Assist enabled, you can start using it, by click on the **'Assist'** button in the Teleport UI.
--- a/apps/teleport/teleport-appservice.md
+++ b/apps/teleport/teleport-appservice.md
@ -0,0 +1,52 @@
+# Teleport App Service
+
+The **'Teleport App Service'** is a secure and convenient way to access internal applications from anywhere. It uses Teleport's built-in IAM system to authenticate users, and allows users to access applications from a web browser or command-line client. The **'Teleport App Service'** can be scaled to support numerous users and applications.
+
+## Requirements
+
+> To securely access applications, you need to obtain a valid [SSL/TLS certificate](../../misc/ssl-certs.md) for Teleport, and its application subdomains.
+
+### Example: wildcard certificate in [Traefik](../traefik/traefik.md)
+
+```yaml
+labels:
+- "traefik.http.routers.teleport.rule=HostRegexp(`teleport.your-domain`, `{subhost:[a-z]+}.teleport.your-domain`)"
+- "traefik.http.routers.teleport.tls.domains[0].main=teleport.your-domain"
+- "traefik.http.routers.teleport.tls.domains[0].sans=*.teleport.your-domain"
+```
+
+## Configuration
+
+The following snippet shows the full YAML configuration of an Application Service appearing in the `teleport.yaml` configuration file:
+
+```yaml
+app_service:
+  enabled: yes
+  apps:
+  - name: "grafana"
+    description: "This is an internal Grafana instance"
+    uri: "http://localhost:3000"
+    public_addr: "grafana.teleport.example.com".  # (optional)
+    insecure_skip_verify: false  # (optional) don't very certificate
+```
+
+## Usage
+
+To access a configured application in the Teleport UI, you can either:
+
+- Go to the **Applications** tab and click the **Launch** button for the application that you want to access.
+- Enter the subdomain of the application in your web browser, e.g. `https://grafana.teleport.example.com`.
+
+### Relevant CLI commands
+
+List the available applications:
+
+```sh
+tsh apps ls
+```
+
+Retrieves short-lived X.509 certificate for CLI application access.
+
+```sh
+tsh apps login grafana
+```
--- a/apps/teleport/teleport-configuration.md
+++ b/apps/teleport/teleport-configuration.md
@ -0,0 +1,50 @@
+# Teleport Configuration
+
+In order to avoid breaking existing configurations, Teleport's configuration is versioned. The newer configuration version is `v3`. If a `version` is not specified in the configuration file, `v1` is assumed.
+
+## Instance-wide settings
+
+### Log Settings
+
+```yaml
+teleport:
+  log:
+    output: stderr
+    severity: INFO
+    format:
+      output: text
+```
+
+## Proxy Service
+
+```yaml
+proxy_service:
+  enabled: "yes"
+  web_listen_addr: 0.0.0.0:3080
+  # -- (Optional) when using reverse proxy
+  # public_addr: ['your-server-url:443']
+  https_keypairs: []
+  acme: {}
+  # --(Optional) ACME
+  # acme:
+  #   enabled: "yes"
+  #   email: your-email-address
+```
+
+## Auth Service
+
+```yaml
+auth_service:
+  enabled: "yes"
+  listen_addr: 0.0.0.0:3025
+  proxy_listener_mode: multiplex
+  cluster_name: your-server-url
+```
+
+## Additional Services Configuration
+
+- [SSH Service](teleport-ssh)
+- [Kubernetes Service](teleport-kubernetes)
+- [Application Service](teleport-appservice)
+- [Databases Service](teleport-databases)
+- [Remote Desktop Service](teleport-remotedesktop)
--- a/apps/teleport/teleport-databases.md
+++ b/apps/teleport/teleport-databases.md
@ -0,0 +1,3 @@
+# Teleport Databases Service
+
+WIP
--- a/apps/teleport/teleport-installation.md
+++ b/apps/teleport/teleport-installation.md
@ -0,0 +1,3 @@
+# Teleport Installation Guidelines
+
+WIP
--- a/apps/teleport/teleport-kubernetes.md
+++ b/apps/teleport/teleport-kubernetes.md
@ -0,0 +1,3 @@
+# Teleport Kubernetes Service
+
+WIP
--- a/apps/teleport/teleport-passwordless.md
+++ b/apps/teleport/teleport-passwordless.md
@ -0,0 +1,3 @@
+# Teleport Passwordless Auth
+
+WIP
--- a/apps/teleport/teleport-remotedesktop.md
+++ b/apps/teleport/teleport-remotedesktop.md
@ -0,0 +1,3 @@
+# Remote Desktop Service
+
+WIP
--- a/apps/teleport/teleport-ssh.md
+++ b/apps/teleport/teleport-ssh.md
@ -0,0 +1,3 @@
+# Teleport SSH Service
+
+WIP
--- a/apps/teleport/teleport.md
+++ b/apps/teleport/teleport.md
@ -0,0 +1,24 @@
+# Teleport
+
+DevOps teams use **'Teleport'** to access [SSH](../../networking/ssh.md) and Windows servers, [Kubernetes](../../kubernetes/kubernetes.md), databases, AWS Console, and web applications. **'Teleport'** prevents phishing by moving away from static credentials towards ephemeral certificates backed by biometrics and hardware identity, and stops attacker pivots with the [Zero Trust design](../../misc/zerotrust.md).
+
+Project homepage: [Teleport](https://goteleport.com/)
+Documentation: [Teleport Docs](https://goteleport.com/docs/)
+
+## Installation
+
+[Teleport Installation Guidelines](teleport-installation)
+
+## Configuration
+
+[Teleport General Configuration Guidelines](teleport-configuration)
+
+## Features
+
+- [SSH Service](teleport-ssh)
+- [Kubernetes Service](teleport-kubernetes)
+- [Databases Service](teleport-databases)
+- [Remote Desktop Service](teleport-remotedesktop)
+- [Application Service](teleport-appservice)
+- [Passwordless Auth](teleport-passwordless)
+- [AI Assist](teleport-aiassist)