Teleport PostgreSQL Backend using client cert authentication #30247
stevenGravy
started this conversation in
Show and tell
Replies: 2 comments 1 reply
If you want a more self-contained Docker version, copy and paste the files below and then run the
Run the following Docker command to run Postgres fully configured to work with Teleport.
Hello @stevenGravy, I'm applying your config for Teleport with PostgreSQL backend storage. For high availability, my idea is to set up 2 Teleport nodes with PostgreSQL and to replicate data between the two nodes. Is that possible, and how can I implement that approach?
Here is a set of steps to enable the PostgreSQL backend with client cert connections from Teleport. The steps below use a self-signed CA, which should be adaptable to your own PKI. They install PostgreSQL and Teleport on the same host for simplicity.

NOTE: An important consideration is that the certificates created here carry a Subject Alternative Name (SAN), which is required for the verify-full setting. Most examples of creating and using client certs with PostgreSQL do not show this. You may have to use verify-ca mode if your certs do not have SAN entries. Please see the documentation on configuring this in an Azure Cloud environment; this guide is meant for standalone environments not using Cloud backends.
Pre-requisites:

Install and configure PostgreSQL
Host type: Ubuntu 22.04

Install PostgreSQL

sudo apt update
# install postgresql and the required wal2json logical decoding plugin
sudo apt install postgresql postgresql-14-wal2json -y

On Aug 9, 2023 this installed PostgreSQL 14, which meets the 13+ requirement.

Configure WAL
In /etc/postgresql/14/main/postgresql.conf set the required settings.

Create teleport user

Create CA and Client certs
To connect via client certs we are going to create and install a CA. We will then issue client certs for the teleport user. Note a major difference here is the specification of a Subject Alternative Name, which is required for verify-full usage.

# perform as the postgres user if not still that user
sudo su postgres
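The CA and certificate creation described above, as an added example that is not the post's own commands: it builds a throwaway self-signed CA, a server certificate whose SAN carries the host name, and a client certificate whose CN is the teleport role, then verifies the chain and the SAN before anything is installed. It also emits the libpq connection string later reused for the test connect. Assumptions that are mine, not the post's: the host is localhost/127.0.0.1, the output directory is passed as the first argument, keys are RSA-2048 with 365-day validity, and the database name is teleport_backend.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions (mine): host
# localhost/127.0.0.1, output dir in $1, RSA-2048, 365 days, db teleport_backend.
set -eu

make_pg_certs() {
  dir=$1; host=${2:-localhost}; role=${3:-teleport}
  mkdir -p "$dir"
  # 1. CA: the single root of trust; both PostgreSQL and libpq get ca.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=postgres-demo-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server cert: sslmode=verify-full matches the host name the client dials
  #    against the SAN, so the SAN (not only the CN) must carry it
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
  # 3. Client cert: the pg_hba "cert" method compares the CN with the database
  #    role name, so the CN must be exactly the teleport user
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$role" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=clientAuth\n' "$role" > "$dir/client.ext"
  openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" \
    -out "$dir/client.crt" 2>/dev/null
  # PostgreSQL refuses a group/world-readable server key; libpq does the same for sslkey
  chmod 600 "$dir"/*.key
  rm -f "$dir"/*.csr "$dir"/*.ext
}

# Checks worth running before installing the bundle: the chain validates
# against the CA, the host name is in the server SAN, the client CN is the role.
verify_pg_certs() {
  dir=$1; host=${2:-localhost}; role=${3:-teleport}
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
  openssl x509 -in "$dir/client.crt" -noout -subject | grep -q "CN *= *$role" || return 1
}

# libpq connection string for psql; verify-full pins both the CA and the host name
pg_conn_string() {
  dir=$1; host=${2:-localhost}; role=${3:-teleport}; db=${4:-teleport_backend}
  printf 'postgresql://%s@%s:5432/%s?sslmode=verify-full&sslrootcert=%s/ca.crt&sslcert=%s/client.crt&sslkey=%s/client.key\n' \
    "$role" "$host" "$db" "$dir" "$dir" "$dir"
}

# Usage: sh make-pg-certs.sh ./pgcerts [host] [role]
if [ $# -ge 1 ]; then
  make_pg_certs "$1" "${2:-localhost}" "${3:-teleport}"
  verify_pg_certs "$1" "${2:-localhost}" "${3:-teleport}" && echo "certificates OK in $1"
  echo "psql '$(pg_conn_string "$1" "${2:-localhost}" "${3:-teleport}")'"
fi
```

The server key and certificate go where ssl_key_file and ssl_cert_file in postgresql.conf point, owned by the postgres user; ca.crt is the ssl_ca_file on the server side and the sslrootcert on the client side. If the host name you later put in the connection string is not in the server SAN, verify-full fails even though the chain is valid, which is the situation the note at the top of the post describes.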
Configure TLS
In postgresql.conf set the SSL settings.

In pg_hba.conf in the same directory set the allowed connections. This allows local connections by the postgres user and certificate connections by all other users.

Restart PostgreSQL
# exit the postgres user back to your admin user or root
sudo service postgresql restart

To check the health of your PostgreSQL service use journalctl.
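Before the restart, the pg_hba.conf policy described under Configure TLS (local access for postgres only, client certificates over TLS for everyone else) can be checked mechanically. The following is an added example, not the post's own file or script: it writes a sample pg_hba.conf that I constructed to match that policy and lints it for any rule that admits a non-postgres user without a client certificate.

```shell
#!/bin/sh
# Added example, not from the original post. The rules below are constructed
# to match the policy in the post; adapt addresses to your deployment.
set -eu

write_sample_hba() {
  cat > "$1" <<'EOF'
# TYPE  DATABASE  USER      ADDRESS       METHOD
local   all       postgres                peer
hostssl all       all       127.0.0.1/32  cert
hostssl all       all       ::1/128       cert
EOF
}

# Prints every rule that lets a non-postgres user in without a client cert:
# anything that is not "hostssl ... cert" (plain host, md5, scram, trust, ...).
# Exit status 0 when clean, 1 when at least one weak rule was found.
audit_pg_hba() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }              # skip blanks and comments
    {
      type = $1; user = $3
      method = (type == "local") ? $4 : $5     # local rules have no ADDRESS column
      if (type == "local" && user == "postgres") next   # the one permitted local rule
      if (type != "hostssl" || method != "cert") { print "weak rule: " $0; bad++ }
    }
    END { exit (bad > 0) }
  ' "$1"
}

# Usage: sh audit-pg-hba.sh /etc/postgresql/14/main/pg_hba.conf
if [ $# -ge 1 ]; then
  audit_pg_hba "$1" && echo "$1: only local postgres and cert-authenticated TLS rules"
fi
```

The cert method is only valid on hostssl lines and already implies full client certificate verification, so a passing lint means every remote login must present a certificate issued by the configured CA whose CN equals the role name. Run it against the real file before restarting so a leftover md5 or trust line from the distribution default does not survive into production.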
Confirm client connection
The root user will be running Teleport, so it should have the client certs in its postgres folder. Copy the client certificates and the root CA certificate into the root user's home. The root user will connect to the postgres service with these client certs when it runs Teleport.

Test connect
You now have the client certificates installed and should be able to connect via client certs to the database.
Install Teleport
Install Teleport and configure it with your cluster address.

Configure Teleport storage
Set the storage for the PostgreSQL backend and the sessions URI in /etc/teleport.yaml. Replace the minioserver address with the location of your server. You may want to put this on the same machine.

Confirm Backend storage
In a separate terminal on the host create a user. As part of the output you should see a postgres cluster state start.

Viewing events in the db
You can connect to the PostgreSQL databases to view Teleport audit entries.