Participant Access

Teabar provides secure, firewall-friendly access to environments for participants. Whether participants are on corporate networks with strict restrictions or using personal devices, they can access their environments through a browser with no software installation required.

Access Methods

How Access Works

The Teabar Gateway handles all participant access, providing secure routing, authentication, and protocol handling:

┌─────────────────────────────────────────────────────────────────────┐
│                         teabar-gateway                               │
│                                                                      │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────────────┐  │
│  │     TLS      │    │    Auth      │    │   WebSocket Proxy    │  │
│  │ Termination  │───►│  Validation  │───►│  (Terminal, IDE)     │  │
│  └──────────────┘    └──────────────┘    └──────────────────────┘  │
│                                                      │               │
└──────────────────────────────────────────────────────┼───────────────┘

                          ┌────────────────────────────┼────────────────┐
                          │      Environment           │                │
                          │                            ▼                │
                          │  ┌──────────┐    ┌──────────────────────┐  │
                          │  │  GitLab  │    │  Participant VMs     │  │
                          │  └──────────┘    │  ┌────┐ ┌────┐ ┌────┐│  │
                          │                  │  │ P1 │ │ P2 │ │ P3 ││  │
                          │  ┌──────────┐    │  └────┘ └────┘ └────┘│  │
                          │  │  ArgoCD  │    └──────────────────────┘  │
                          │  └──────────┘                              │
                          └────────────────────────────────────────────┘

Access Methods Overview

Method             Network Requirements  Software Required  Use Case
Web Terminal       HTTPS (443) only      None (browser)     Universal access, restricted networks
Web IDE            HTTPS (443) only      None (browser)     Full development environment
Tunneled Services  HTTPS (443) only      None (browser)     Access GitLab, ArgoCD, custom apps
SSH                SSH (22) or custom    SSH client         Power users, unrestricted networks
Port Forward       Varies                teactl CLI         Local development, kubectl access

URL Structure

Default Domain

Environments are accessible via the teabar.dev domain:

<service>.<environment>.<organization>.teabar.dev

Examples:
  terminal.march-workshop.acme.teabar.dev     → Web terminal
  gitlab.march-workshop.acme.teabar.dev       → GitLab UI
  argocd.march-workshop.acme.teabar.dev       → ArgoCD UI
  app.march-workshop.acme.teabar.dev          → Your application

Participant-Specific URLs

For per-participant resources:

<environment>.<organization>.teabar.dev/participant/<id>/<resource>

Examples:
  march-workshop.acme.teabar.dev/participant/p1/terminal
  march-workshop.acme.teabar.dev/participant/p1/ide
  march-workshop.acme.teabar.dev/participant/p1/ports/3000
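
The two default-domain URL forms above can be checked mechanically, for example before distributing links or when building a proxy allowlist. The following is an added example, not Teabar code: the function name, the label rules and the resource list (terminal, ide, ports/<n>, taken from the examples on this page) are assumptions, and custom domains are not covered.

```python
import re
from urllib.parse import urlsplit

# One lowercase DNS label; the page's names (march-workshop, acme, p1) all fit.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
# Resources seen in the page's examples: terminal, ide, ports/<n>.
RESOURCE = re.compile(r"/participant/([a-z0-9-]+)/(terminal|ide|ports/([0-9]{1,5}))")

def parse_access_url(url, base_domain="teabar.dev"):
    """Classify a Teabar access URL; return None for anything off-pattern."""
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or port not in (None, 443):
        return None
    if parts.username is not None or parts.password is not None:
        return None                    # userinfo before '@' can disguise the real host
    host = parts.hostname or ""
    suffix = "." + base_domain
    if not host.endswith(suffix):      # leading dot blocks "notteabar.dev" lookalikes
        return None
    labels = host[: -len(suffix)].split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        return None
    if len(labels) == 3:               # <service>.<environment>.<organization>
        service, env, org = labels
        return {"kind": "service", "service": service,
                "environment": env, "organization": org}
    match = RESOURCE.fullmatch(parts.path)
    if len(labels) == 2 and match:     # <environment>.<organization>/participant/...
        env, org = labels
        participant, resource, fwd_port = match.groups()
        if fwd_port and not 1 <= int(fwd_port) <= 65535:
            return None
        return {"kind": "participant", "environment": env, "organization": org,
                "participant": participant, "resource": resource}
    return None
```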

Custom Domains (Enterprise)

Use your own domain:

<service>.<environment>.labs.yourcompany.com

Examples:
  terminal.march-workshop.labs.acme.com
  gitlab.march-workshop.labs.acme.com

Quick Start

Invite Participants

# Invite via email (magic link)
teactl participant invite my-workshop --email <participant-email>

# Bulk invite from CSV
teactl participant invite my-workshop --emails participants.csv

# Create with credentials
teactl participant create my-workshop --name p1 --generate-password

# Generate access codes (for in-person events)
teactl participant codes my-workshop --count 25

Get Access URLs

# List all access URLs for an environment
teactl access url my-workshop

# Get participant-specific URL
teactl access url my-workshop --participant p1

Example output:

Environment: my-workshop
Organization: acme

Services:
  Terminal:  https://terminal.my-workshop.acme.teabar.dev
  IDE:       https://ide.my-workshop.acme.teabar.dev
  GitLab:    https://gitlab.my-workshop.acme.teabar.dev
  ArgoCD:    https://argocd.my-workshop.acme.teabar.dev

Participant Access:
  p1: https://my-workshop.acme.teabar.dev/participant/p1/terminal
  p2: https://my-workshop.acme.teabar.dev/participant/p2/terminal
  ...

Blueprint Configuration

Basic Access Configuration

apiVersion: teabar.dev/v1
kind: Blueprint
metadata:
  name: my-workshop
spec:
  access:
    # Terminal type
    terminal:
      type: both        # shell | ide | both
      
    # Authentication methods
    authentication:
      methods:
        - type: magic_link
          expiry: 7d
        - type: credentials
          
    # Exposed ports
    exposedPorts:
      - port: 3000
        name: "Dev Server"
        public: false   # Requires auth

Full Access Configuration

spec:
  access:
    # Terminal configuration
    terminal:
      type: both
      shell:
        image: ubuntu:22.04
        command: /bin/bash
      ide:
        extensions:
          - ms-python.python
          - golang.go
          - hashicorp.terraform
      session:
        persistence: true
        timeout: 24h
        backend: tmux
        
    # Authentication
    authentication:
      methods:
        - type: magic_link
          enabled: true
          expiry: 7d
        - type: sso
          enabled: true
          provider: okta
        - type: credentials
          enabled: true
        - type: access_code
          enabled: true
          codeLength: 6
          expiry: 24h
          
    # Exposed services
    exposedPorts:
      - port: 3000
        name: "Development Server"
        description: "Participant's dev server"
        public: false
      - port: 8080
        name: "Application"
        public: true    # No auth required
        
    # Built-in services
    services:
      - name: gitlab
        enabled: true
      - name: argocd
        enabled: true
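
A blueprint like the one above can be reviewed before deployment for the settings that widen access: ports marked public, long-lived magic links, and short or long-lived access codes. The following is an added example, not part of Teabar. It takes the already parsed spec.access mapping (for instance from a YAML loader), and the thresholds in POLICY as well as the rule that a missing enabled key means enabled are assumptions of this example.

```python
import re

UNIT_SECONDS = {"h": 3600, "d": 86400}   # the two units the page's configs use

def to_seconds(duration):
    """Convert a blueprint duration such as "24h" or "7d" to seconds."""
    m = re.fullmatch(r"(\d+)([hd])", str(duration))
    if not m:
        raise ValueError(f"unsupported duration: {duration!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

# Review thresholds: assumptions of this example, not Teabar defaults.
POLICY = {"max_expiry": {"magic_link": "3d", "access_code": "12h"},
          "min_code_length": 8}

def audit_access(access, policy=POLICY):
    """Return (rule, subject, detail) findings for a parsed spec.access mapping."""
    findings = []
    for port in access.get("exposedPorts", []):
        if port.get("public") is True:
            findings.append(("public-port", port["port"],
                             "reachable without authentication"))
    for method in access.get("authentication", {}).get("methods", []):
        if method.get("enabled", True) is False:   # assumption: absent means enabled
            continue
        kind = method.get("type")
        limit = policy["max_expiry"].get(kind)
        if limit and "expiry" in method and \
                to_seconds(method["expiry"]) > to_seconds(limit):
            findings.append(("long-expiry", kind, f"{method['expiry']} exceeds {limit}"))
        if kind == "access_code" and "codeLength" in method \
                and method["codeLength"] < policy["min_code_length"]:
            findings.append(("short-code", kind, f"codeLength {method['codeLength']}"))
    return findings

# Constructed input: the auth and port settings of the full configuration above.
FULL_ACCESS = {
    "authentication": {"methods": [
        {"type": "magic_link", "enabled": True, "expiry": "7d"},
        {"type": "sso", "enabled": True, "provider": "okta"},
        {"type": "credentials", "enabled": True},
        {"type": "access_code", "enabled": True, "codeLength": 6, "expiry": "24h"},
    ]},
    "exposedPorts": [
        {"port": 3000, "name": "Development Server", "public": False},
        {"port": 8080, "name": "Application", "public": True},
    ],
}
```

Each finding is a prompt to confirm the setting is intentional, for example that port 8080 really is meant to be reachable without authentication.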

Firewall Compatibility

WebSocket over HTTPS (Primary)

All real-time communication uses WebSocket over HTTPS (port 443):

Participant Browser ──WSS/443──► teabar-gateway ──► Environment

Long-Polling Fallback

For networks that block WebSocket upgrades:

Participant Browser ──HTTPS/443──► teabar-gateway ──► Environment
                      (polling)

Automatic detection:

  1. Attempt WebSocket connection
  2. If connection fails after 5 seconds, fall back to long-polling
  3. Long-polling interval: 500ms for terminal, 2s for other updates

Protocol Requirements

Protocol  Port  Required     Notes
HTTPS     443   Yes          All traffic
WSS       443   Recommended  Real-time features (terminal)
SSH       22    Optional     Direct SSH (if network allows)

Participant Management

List Participants

teactl participant list my-workshop

Output:

NAME    STATUS    AUTH METHOD    LAST ACCESS
p1      active    magic_link     2 hours ago
p2      active    credentials    5 minutes ago
p3      pending   access_code    never
p4      revoked   magic_link     1 day ago

Revoke Access

# Revoke specific participant
teactl participant revoke my-workshop --name p1

# Revoke all participants
teactl participant revoke my-workshop --all

Port Exposure

Blueprint-Defined Ports

Ports defined in the blueprint are automatically exposed:

spec:
  access:
    exposedPorts:
      - port: 3000
        name: "Dev Server"

Runtime Port Exposure

Educators can expose additional ports at runtime:

# Expose port for one participant
teactl access expose my-workshop --participant p1 --port 8080

# Expose port for all participants
teactl access expose my-workshop --all-participants --port 8080

# List exposed ports
teactl access ports my-workshop

# Unexpose
teactl access unexpose my-workshop --participant p1 --port 8080

Session Management

View Active Sessions

teactl access sessions my-workshop

Output:

PARTICIPANT    TYPE      STARTED           LAST ACTIVITY
p1             terminal  10 minutes ago    2 minutes ago
p1             ide       5 minutes ago     1 minute ago
p2             terminal  1 hour ago        30 minutes ago

Terminate Sessions

# Terminate specific session
teactl access terminate my-workshop --session <session-id>

# Terminate all sessions for a participant
teactl access terminate my-workshop --participant p1 --all

CLI Access

For educators and administrators:

# Get kubeconfig for cluster access
teactl access kubeconfig my-workshop

# SSH to a VM
teactl access ssh my-workshop --vm participant-vm --participant p1

# Port forward
teactl access port-forward my-workshop --vm database --port 5432:5432

# Get service credentials
teactl access credentials my-workshop
