Updated Trusted Cluster docs with more more details, explain security

tradeoffs, and new role mapping.
gravitational · May 25, 2017 · 2f4ef63 · 2f4ef63
1 parent bedd6db
commit 2f4ef63
Show file tree

Hide file tree

Showing 2 changed files with 390 additions and 72 deletions.
diff --git a/docs/2.0/enterprise.md b/docs/2.0/enterprise.md
@@ -166,78 +166,7 @@ Two resources are supported currently:
 
 ### Dynamic Trusted Clusters
 
-The section below will re-create the example configuration
-from the [Trusted Clusters section](admin-guide.md#trusted-clusters) in the admin manual using dynamic resources.
-If you have not already, it will be helpful to review this section first.
-
-To add behind-the-firewall machines and restrict access so only users with role
-"admin" can access them, do the following:
-
-First, create a static or dynamic token on `main` that will be used by `cluster-b`
-to join `main`. A dynamic token can be generated by running:
-`tctl nodes add --ttl=5m --roles=trustedcluster` and a static token can be
-generated out-of-band and added to your configuration file like so:
-
-```yaml
-auth_service:
-  enabled: yes
-  cluster_name: main
-  tokens:
-    # generate a large random number for your token, we recommend
-    # using a tool like `pwgen` to generate sufficiently random
-    # tokens of length greater than 32 bytes
-    - "trustedcluster:fake-token"
-```
-
-Then, create a `TrustedCluster` resource on `cluster-b` that tells `cluster-b`
-how to connect to main and the token created in the previous step for
-authorization and authentication. To do that, copy the resource below
-to a file called `trusted-cluster.yaml`.
-
-```yaml
-kind: trusted_cluster
-version: v1
-metadata:
-  description: "Trusted Cluster B"
-  name: "Cluster B"
-  namespace: "default"
-spec:
-  enabled: true
-  roles: [ "admin" ]
-  token: "fake-token"
-  tunnel_addr: <main-addr>:3024
-  web_proxy_addr: <main-addr>:3080
-```
-
-Notice how we defined `roles` in the `TrustedCluster` resource. This is
-the role assumed by any user when they connect from `main` to `cluster-b`.
-That means we need to make sure the `admin` role exists in Teleport and we
-need it associate it with a user (let's say the user is named "john"). To do
-that, copy the resource below to a file called`admin-role.yaml`.
-
-```yaml
-kind: role
-version: v1
-metadata:
-  description: "Admin Role"
-  name: "admin"
-spec:
-  logins: [ "john", "root" ]
-  max_session_ttl: 90h0m0s
-```
-
-Now inject both roles into the Teleport "auth service" on `cluster-b` using `tctl`:
-
-```bash
-$ tctl create -f  trusted-cluster.yaml
-$ tctl create -f  admin-role.yaml
-```
-
-That's it. To verify that the trusted cluster is online:
-
-```bash
-$ tsh --proxy=main.proxy clusters
-```
+See the [Dynamic Trusted Clusters](trustedclusters.md) more more details and examples.
 
 ### Authentication Preferences