Type:
How-To
Question/Problem:
How do I access the Leaf cluster via API through the Root Cluster proxy?
Solution:
This is possible, but it requires port forwarding. Currently the API client has no native mechanism that lets a user traverse the root cluster's reverse-tunnel connections to remote (leaf) clusters.
To get the port-forwarding option to work, admins have to do the following:
- Generate a short-lived cert on the root with
tctl auth sign --ttl=<10m> --user=<teleport-api-user> --out=api-cert.pem
- Grab it and download it to the local host from which the API scripts will run
- Run the following on the local host:
tsh ssh --cluster=<leaf-cluster> --proxy <root.proxy.com> -i api-cert.pem -L 5001:localhost:443 <unix-user>@<leaf-node>
- Once the tunnel forwarding has been established through the root cluster, add the localhost:5001 address to the list of addresses in the Go file referenced below, and make sure that the identity file being used is the same one used for the port forwarding above.
Example:
package main

import (
	"context"
	"log"

	"github.com/gravitational/teleport/api/client"
)

func main() {
	ctx := context.Background()

	// Connect to the leaf cluster through the local end of the tsh port
	// forward established above (localhost:5001 -> leaf-node localhost:443).
	clt, err := client.New(ctx, client.Config{
		Addrs: []string{
			"localhost:5001",
		},
		Credentials: []client.Credentials{
			// client.LoadProfile("", ""), // alternative: use the local tsh profile
			// Must be the same identity file used for the port forward above.
			client.LoadIdentityFile("/Users/alen/api-cert.pem"),
		},
	})
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	defer clt.Close()

	// Ping reports the name and version of the cluster that was actually reached.
	resp, err := clt.Ping(ctx)
	if err != nil {
		log.Fatalf("failed to ping server: %v", err)
	}
	log.Printf("Example success!")
	log.Printf("Example server response: %s", resp.ClusterName)
	log.Printf("Server version: %s", resp.ServerVersion)
}
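Because the whole procedure hinges on a short-lived identity file that is copied to the local host and reused for both the tunnel and the API client, the following added pre-flight check (my example, not the article's or Teleport's code) reads the tctl identity bundle with the standard library and refuses a certificate that is expired, has more validity left than the TTL you signed for, or was issued to a user other than the intended API user. It relies on Teleport placing the username in the TLS certificate's CN; sampleIdentity is a constructed stand-in for tctl output, and the user name and 10m TTL mirror the placeholders above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckIdentityCert finds the first TLS certificate in a tctl identity bundle (PEM key,
// SSH cert line, PEM cert, CA certs) and rejects it unless it is unexpired, has at most
// maxTTL left and names wantUser in its CN.
func CheckIdentityCert(bundle []byte, wantUser string, maxTTL time.Duration, now time.Time) (*x509.Certificate, error) {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // private key block; the SSH cert line is not PEM and is skipped by Decode
		}
		cert, err := x509.ParseCertificate(blk.Bytes)
		switch {
		case err != nil:
			return nil, err
		case !now.Before(cert.NotAfter):
			return nil, fmt.Errorf("identity cert expired at %s", cert.NotAfter.UTC())
		case cert.NotAfter.Sub(now) > maxTTL:
			return nil, fmt.Errorf("identity cert has %s left, more than the allowed %s", cert.NotAfter.Sub(now), maxTTL)
		case cert.Subject.CommonName != wantUser:
			return nil, fmt.Errorf("identity cert issued to %q, want %q", cert.Subject.CommonName, wantUser)
		}
		return cert, nil
	}
	return nil, fmt.Errorf("no CERTIFICATE block in identity file")
}

// sampleIdentity is a constructed stand-in for tctl output: a PEM-encoded key followed by
// a self-signed TLS cert with CN=user that expires ttl after now.
func sampleIdentity(user string, ttl time.Duration, now time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: user},
		NotAfter:     now.Add(ttl),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return append(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
}
```

Call CheckIdentityCert on the bytes of api-cert.pem (with the user and TTL you passed to tctl) before handing the file to client.LoadIdentityFile, so a stale or wrong-user certificate fails fast on the local host rather than at the leaf.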