From 7ca954b0a9917fc0d7ea45f15e2ad4624871a54f Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 11:07:10 -0800 Subject: [PATCH 01/13] fix indentation of note in mongo guide --- docs/pages/database-access/guides/mongodb-self-hosted.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/pages/database-access/guides/mongodb-self-hosted.mdx b/docs/pages/database-access/guides/mongodb-self-hosted.mdx index b501e6fe2efc7..4c395de0de3bc 100644 --- a/docs/pages/database-access/guides/mongodb-self-hosted.mdx +++ b/docs/pages/database-access/guides/mongodb-self-hosted.mdx @@ -22,12 +22,12 @@ videoBanner: 6lgVObxoLkc - MongoDB cluster (standalone or replica set) version `(=mongodb.min_version=)` or newer. - + Teleport database access supports MongoDB `(=mongodb.min_version=)` and newer. Older versions have not been tested and are not guaranteed to work. MongoDB `(=mongodb.min_version=)` was released in November 2017 and reached EOL in April 2021 so if you're still using an older version, consider upgrading. - + - (!docs/pages/includes/tctl.mdx!) - A certificate authority for MongoDB Replica Set, and the public certificate From 4a5c01e0cf5a06e6f7351ae3d0f056adca56966e Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 11:07:31 -0800 Subject: [PATCH 02/13] note redis version limits next to version prereq --- docs/pages/database-access/guides/redis-cluster.mdx | 9 +++++---- docs/pages/database-access/guides/redis.mdx | 8 ++++---- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/pages/database-access/guides/redis-cluster.mdx b/docs/pages/database-access/guides/redis-cluster.mdx index 86dbc1e229a05..31eb760a3c33f 100644 --- a/docs/pages/database-access/guides/redis-cluster.mdx +++ b/docs/pages/database-access/guides/redis-cluster.mdx @@ -22,13 +22,14 @@ If you want to configure Redis Standalone, please read [Database Access with Red (!docs/pages/includes/edition-prereqs-tabs.mdx!) - Redis version `6.0` or newer. + + + Redis `7.0` and RESP3 (REdis Serialization Protocol) are currently not supported. + + - `redis-cli` version `6.2` or newer installed and added to your system's `PATH` environment variable. - A host where you will run the Teleport Database Service. - - Redis `7.0` and RESP3 (REdis Serialization Protocol) are currently not supported. - - - (!docs/pages/includes/tctl.mdx!) ## Step 1/6. Set up the Teleport Database Service diff --git a/docs/pages/database-access/guides/redis.mdx b/docs/pages/database-access/guides/redis.mdx index 04dd0be020ce6..73ec39424c758 100644 --- a/docs/pages/database-access/guides/redis.mdx +++ b/docs/pages/database-access/guides/redis.mdx @@ -23,16 +23,16 @@ If you want to configure Redis Cluster, please read [Database Access with Redis - Redis version `6.0` or newer. + + Redis `7.0` and RESP3 (REdis Serialization Protocol) are currently not supported. + + - `redis-cli` version `6.2` or newer installed and added to your system's `PATH` environment variable. - A host where you will run the Teleport Database Service. See [Installation](../../installation.mdx) for details. - - Redis `7.0` and RESP3 (REdis Serialization Protocol) are currently not supported. - - - (!docs/pages/includes/tctl.mdx!) ## Step 1/5. Set up the Teleport Database Service From 58a22ff5beda42a415545a0a176fdc5a44f8992d Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 11:07:36 -0800 Subject: [PATCH 03/13] extract custom db tls CA snippet from MongoDB --- .../guides/mongodb-self-hosted.mdx | 16 +--------------- .../includes/database-access/custom-db-ca.mdx | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 15 deletions(-) create mode 100644 docs/pages/includes/database-access/custom-db-ca.mdx diff --git a/docs/pages/database-access/guides/mongodb-self-hosted.mdx b/docs/pages/database-access/guides/mongodb-self-hosted.mdx index 4c395de0de3bc..c3bf3a70afeef 100644 --- a/docs/pages/database-access/guides/mongodb-self-hosted.mdx +++ b/docs/pages/database-access/guides/mongodb-self-hosted.mdx @@ -159,21 +159,7 @@ Create the secrets: Database Client CA and allow access via Teleport, while still allowing MongoDB replication over TLS using your CA's certs for peer verification. - Next, modify your Teleport Database Service to trust your MongoDB Replica - Set CA: - ```yaml - databases: - - name: "example-mongo" - protocol: "mongodb" - uri: "mongo.example.com:27017" - static_labels: - "env": "dev" - tls: - ca_cert_file: "/path/to/your/ca.crt" - ``` - - Now the Teleport Database Service will trust certificates presented by your - MongoDB Replica Set. + (!docs/pages/includes/database-access/custom-db-ca.mdx db="MongoDB Replica Set" protocol="mongodb" port="27017"!) diff --git a/docs/pages/includes/database-access/custom-db-ca.mdx b/docs/pages/includes/database-access/custom-db-ca.mdx new file mode 100644 index 0000000000000..6a1cdc25ce460 --- /dev/null +++ b/docs/pages/includes/database-access/custom-db-ca.mdx @@ -0,0 +1,16 @@ +{{ scheme="" query="" }} + +Modify the Teleport Database Service to trust your {{ db }} CA: + ```yaml + databases: + - name: "example-{{ protocol }}" + protocol: "{{ protocol }}" + uri: "{{ scheme }}{{ protocol }}.example.com:{{ port }}{{ query }}" + static_labels: + "env": "example" + tls: + ca_cert_file: "" + ``` + +Now the Teleport Database Service will trust certificates presented by your +{{ db }}. From c4780756b37a76303957e9aea081d12812d1ef0f Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 11:07:39 -0800 Subject: [PATCH 04/13] update pre-reqs for self-hosted cluster databases --- .../guides/cockroachdb-self-hosted.mdx | 8 ++----- .../guides/mongodb-self-hosted.mdx | 15 +++---------- .../database-access/guides/redis-cluster.mdx | 4 ++++ .../database-access/split-db-ca-details.mdx | 21 +++++++++++++++++++ 4 files changed, 30 insertions(+), 18 deletions(-) create mode 100644 docs/pages/includes/database-access/split-db-ca-details.mdx diff --git a/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx b/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx index e6fdb1fafea57..e8cb59ef9096b 100644 --- a/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx +++ b/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx @@ -25,12 +25,8 @@ description: How to configure Teleport database access with self-hosted Cockroac - (!docs/pages/includes/tctl.mdx!) - A certificate authority to issue CockroachDB certificates for nodes in your CockroachDB cluster. - Teleport uses a split CA architecture for database access, and requires that - you create your own CA for node-to-node mTLS communication. - See [cockroach cert](https://www.cockroachlabs.com/docs/stable/cockroach-cert) - for instructions on creating a CA and issuing a client certificate and key - for each node. The certificate and key should be named `client.node.crt` and - `client.node.key`. + + (!docs/pages/includes/database-access/split-db-ca-details.mdx db="CockroachDB"!) ## Step 1/4. Set up the Teleport Database Service diff --git a/docs/pages/database-access/guides/mongodb-self-hosted.mdx b/docs/pages/database-access/guides/mongodb-self-hosted.mdx index c3bf3a70afeef..90571278596f7 100644 --- a/docs/pages/database-access/guides/mongodb-self-hosted.mdx +++ b/docs/pages/database-access/guides/mongodb-self-hosted.mdx @@ -31,18 +31,9 @@ videoBanner: 6lgVObxoLkc - (!docs/pages/includes/tctl.mdx!) - A certificate authority for MongoDB Replica Set, and the public certificate - for that CA, in PEM format, e.g. `/path/to/your/ca.crt`. + for that CA, in PEM format: ``. - - A MongoDB replica set requires that each MongoDB server is configured with a - certificate that has extendedKeyUsage `clientAuth, serverAuth`. - - Teleport uses a split CA architecture for better security: - the Teleport Database Server CA issues certs with `serverAuth` - and the Teleport Database Client CA issues certs with `clientAuth`. - Therefore, you must provide each MongoDB server with a certificate issued by - your own CA with extendedKeyUsage `clientAuth, serverAuth`. - + (!docs/pages/includes/database-access/split-db-ca-details.mdx db="MongoDB Replica Set"!) ## Step 1/3. Install and configure Teleport @@ -152,7 +143,7 @@ Create the secrets: ```code $ tctl auth export --type=db_client > db-client-ca.crt - $ cat /path/to/your/ca.crt db-client-ca.crt > /etc/certs/mongo.cas + $ cat db-client-ca.crt > /etc/certs/mongo.cas ``` When MongoDB is configured to trust these CAs, it will trust the Teleport diff --git a/docs/pages/database-access/guides/redis-cluster.mdx b/docs/pages/database-access/guides/redis-cluster.mdx index 31eb760a3c33f..9cc0e420bc344 100644 --- a/docs/pages/database-access/guides/redis-cluster.mdx +++ b/docs/pages/database-access/guides/redis-cluster.mdx @@ -29,6 +29,10 @@ If you want to configure Redis Standalone, please read [Database Access with Red - `redis-cli` version `6.2` or newer installed and added to your system's `PATH` environment variable. - A host where you will run the Teleport Database Service. +- A certificate authority to issue server certificates for nodes in your Redis + Cluster. + + (!docs/pages/includes/database-access/split-db-ca-details.mdx db="Redis Cluster"!) - (!docs/pages/includes/tctl.mdx!) diff --git a/docs/pages/includes/database-access/split-db-ca-details.mdx b/docs/pages/includes/database-access/split-db-ca-details.mdx new file mode 100644 index 0000000000000..1605a45b7127b --- /dev/null +++ b/docs/pages/includes/database-access/split-db-ca-details.mdx @@ -0,0 +1,21 @@ +
+Distributed databases like {{ db }} use mTLS for node-to-node communication. +Teleport requires that you have your own CA to issue certificates for +node-to-node mTLS communication. + +Teleport uses a split-CA architecture for database access. The Teleport `db` CA +issues server certificates and the `db_client` CA issues client certificates. + +Databases are configured to trust the Teleport `db_client` CA for client +authentication, but not the `db` CA. +Additionally, Teleport only issues *ephemeral* `db_client` CA certificates. + +When a {{ db }} node connects to another {{ db }} node, it must present a +certificate that the other node trusts for client authentication. +Since Teleport does not issue long-lived `db_client` certificates, the node +needs to have a long-lived certificate issued by another CA that its peer node +trusts. + +The split `db` and `db_client` CA architecture was introduced as a security fix +in Teleport `15`. +
From dcee40841c2ec6a27dc49c63217db7f8ce4a9f32 Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 11:07:41 -0800 Subject: [PATCH 05/13] expand tls config setup in CockroachDB guide --- .../guides/cockroachdb-self-hosted.mdx | 101 ++++++++++++++++-- 1 file changed, 91 insertions(+), 10 deletions(-) diff --git a/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx b/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx index e8cb59ef9096b..1cba538dc3709 100644 --- a/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx +++ b/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx @@ -82,44 +82,125 @@ in the CockroachDB documentation for more information. To set up mutual TLS authentication, you need to make sure that: - Teleport trusts certificates presented by CockroachDB nodes. -- CockroachDB trusts client certificates signed by Teleport. +- CockroachDB nodes trust client certificates signed by both your CockroachDB CA + and your Teleport cluster's `db_client` CA. -Generate the secrets by running the following `tctl` command against your -Teleport cluster: +CockroachDB nodes need to trust the Teleport `db_client` CA so that Teleport +users can authenticate to your CockroachDB cluster as clients. + +The CockroachDB CA needs to be trusted by each CockroachDB node so that nodes +can authenticate themselves as clients to other nodes in the CockroachDB +cluster. This is because CockroachDB uses mTLS for node-to-node communication. + + + +In this configuration, your CockroachDB CA will be used to issue the server cert +`node.crt` for each CockroachDB node. + +This configuration is simpler to set up, because an existing CockroachDB cluster +already has `node.crt` issued for each node and you only need to configure the +CockroachDB nodes to trust your Teleport `db_client` CA. +Another benefit is that your CockroachDB nodes will continue to serve the same +CockroachDB CA-issued cert, rather than serving a new cert signed by Teleport's +`db` CA, so you don't have to configure other clients to trust a new CA. + +Copy your CockroachDB CA cert to `ca-client.crt` in the certs directory of +each CockroachDB node: + +```code +$ CERTS_DIR= +$ cp "${CERTS_DIR}/ca.crt" "${CERTS_DIR}/ca-client.crt" +``` + +Next, for each CockroachDB node, export Teleport's `db_client` CA using `tctl` +(or export it once and copy it to each node) and append the certificate to +`ca-client.crt`: + +```code +$ tctl auth export --type=db_client >> /ca-client.crt +``` + +(!docs/pages/includes/database-access/custom-db-ca.mdx db="CockroachDB" protocol="cockroachdb" port="26257"!) + + +In this configuration, Teleport's CA will be used to issue the server cert, +`node.crt`, and your own custom CA will be used to issue the client certificate, +`client.node.crt`, for each CockroachDB node. + +(!docs/pages/includes/database-access/tctl-auth-sign.mdx!) + +Generate secrets for a CockroachDB node using `tctl`: ```code $ tctl auth sign \ --format=cockroachdb \ --host=roach.example.com \ - --out=/path/to/cockroach/certs/dir/ \ + --out= \ --ttl=2190h ``` +(!docs/pages/includes/database-access/ttl-note.mdx!) + The command will produce 4 files: - `ca.crt` with Teleport's `db` certificate authority - `ca-client.crt` with Teleport's `db_client` certificate authority - `node.crt` / `node.key` with the node's certificate and key. + +You can specify multiple comma-separated addresses e.g. +`--host=roach,node-1,192.168.1.1`. +However, you must include the hostname that Teleport will use to connect to the +database. + + Do not rename these files as this is how CockroachDB expects them to be named. See [Node key and certificates](https://www.cockroachlabs.com/docs/v21.1/create-security-certificates-custom-ca#node-key-and-certificates) for details. -Generate the secrets for each cluster node and make sure to use the hostname -Teleport will be using to connect to the nodes in the `--host` flag. +Prepend your CockroachDB CA's certificate to `ca-client.crt`. +Now issue a client certificate for the node using your CockroachDB CA: - - You can specify multiple comma-separated addresses e.g. `--host=roach,node-1,192.168.1.1`. - +```code +$ cockroach cert create-client node \ + --certs-dir= \ + --ca-key=ca-secrets/ca-client.key +``` + +
+If you see an error message like: `tls: private key does not match public key`, +it likely means you did not prepend your CockroachDB CA cert to `ca-client.crt` +earlier. + +`cockroach cert create-client` expects the first certificate in `ca-client.crt` +(in the `--certs-dir` specified) to be the certificate signed by `--ca-key`. +Ensure that your CockroachDB CA certificate is the first certificate in +`ca-client.crt`. +
+ +Now copy `` to the CockroachDB +node and repeat these steps for all of your other CockroachDB nodes. + + Restart your CockroachDB nodes, passing them the directory with generated secrets via the `--certs-dir` flag: ```code $ cockroach start \ - --certs-dir=/path/to/cockroachdb/certs/dir/ \ + --certs-dir= \ # other flags... ``` +Alternatively, if the nodes were already started with +`--certs-dir=`, you can send a +`SIGHUP` signal to the `cockroach` process to reload certificates without +restarting the node. You must send `SIGHUP` as the same user that started the +`cockroach` process: + +```code +$ pkill -SIGHUP -x cockroach +``` + ## Step 4/4. Connect Log in to your Teleport cluster. Your CockroachDB cluster should appear in the From 7ea71f1ea37971001580c3a949a3b19c9ec26bb5 Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 11:07:43 -0800 Subject: [PATCH 06/13] remove redis cluster tls-cluster no config tab This config still requires a custom CA, so it's pointless and less secure. It also doesn't work with the rest of the guide steps currently. --- .../database-access/guides/redis-cluster.mdx | 78 ++----------------- 1 file changed, 8 insertions(+), 70 deletions(-) diff --git a/docs/pages/database-access/guides/redis-cluster.mdx b/docs/pages/database-access/guides/redis-cluster.mdx index 9cc0e420bc344..10bd44c7adcdc 100644 --- a/docs/pages/database-access/guides/redis-cluster.mdx +++ b/docs/pages/database-access/guides/redis-cluster.mdx @@ -71,43 +71,16 @@ Install and configure Teleport where you will run the Teleport Database Service: ## Step 4/6. Set up mutual TLS -(!docs/pages/includes/database-access/tctl-auth-sign.mdx!) - -We will show you how to use the `tctl auth sign` command below. - -When connecting to Redis Cluster, sign certificates for each member -using their hostnames and IP addresses. -For example, if the first member is accessible at `redis1.example.com` with IP `10.0.0.1` and -the second at `redis2.example.com` with IP `10.0.0.2`, run: +Export your Teleport cluster's `db_client` CA cert and concatenate it with your Redis +Cluster's CA cert (in PEM format): ```code -$ tctl auth sign --format=redis --host=redis1.example.com,10.0.0.1 --out=redis1 --ttl=2190h -$ tctl auth sign --format=redis --host=redis2.example.com,10.0.0.2 --out=redis2 --ttl=2190h +$ tctl auth export --type=db_client > db-client-ca.crt +$ cat out.cas > pem-bundle.cas ``` -(!docs/pages/includes/database-access/ttl-note.mdx!) - -The command will create three files: -- `out.cas` with Teleport's database client certificate authority -- `out.key` with a generated private key -- `out.crt` with a generated certificate issued by Teleport's database server -certificate authority - -You will need these files to enable mutual TLS on your Redis server. - - - -If you wish to enable intra-cluster TLS communication in Redis, you will need -to generate and manage a CA to issue certificates for Redis Cluster nodes, -and configure your Teleport Database Service to trust that CA. - -Concatenate your CA's cert (in PEM format) with Teleport's database client -certificate authority: -```sh -cat /path/to/your/ca.crt out.cas > pem-bundle.cas -``` - -Using your CA, issue `server.crt` for your Redis Cluster node and enable mutual -TLS in your `redis.conf` configuration file, then restart the database: +Using your Redis Cluster's CA, issue `server.crt` for each of your Redis Cluster +nodes and enable mutual TLS in your `redis.conf` configuration file, then +restart each node: ```ini tls-port 7001 @@ -124,42 +97,7 @@ tls-ca-cert-file /usr/local/etc/redis/certs/pem-bundle.cas tls-protocols "TLSv1.2 TLSv1.3" ``` -Modify your Teleport Database Service to trust your Redis Cluster CA: -```yaml - databases: - - name: "example-redis" - protocol: "redis" - uri: "rediss://redis.example.com:6379?mode=cluster" - static_labels: - "env": "dev" - tls: - ca_cert_file: "/path/to/your/ca.crt" -``` - - -Use the generated secrets to enable mutual TLS in your `redis.conf` configuration -file and restart the database: - -```ini -tls-port 7001 -port 0 -cluster-enabled yes -tls-replication no -tls-cluster no -aclfile /path/to/users.acl -masterauth GENERATED_STRONG_PASSWORD -masteruser replica-user -tls-cert-file /usr/local/etc/redis/certs/server.crt -tls-key-file /usr/local/etc/redis/certs/server.key -tls-ca-cert-file /usr/local/etc/redis/certs/server.cas -tls-protocols "TLSv1.2 TLSv1.3" -``` - -With this configuration, communication between user clients and the Redis -Cluster will still use TLS, but Redis nodes will not use TLS to communicate with -each other. - - +(!docs/pages/includes/database-access/custom-db-ca.mdx db="Redis Cluster" protocol="redis" scheme="rediss://" port="6379" query="?mode=cluster"!) Once mutual TLS has been enabled, you will no longer be able to connect to the cluster without providing a valid client certificate. You can use the From 153f91ec0d3fdbd48a8d3548b0d9dbf3101e5207 Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 11:07:45 -0800 Subject: [PATCH 07/13] use code block instead of sh in redis cluster doc --- .../database-access/guides/redis-cluster.mdx | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/pages/database-access/guides/redis-cluster.mdx b/docs/pages/database-access/guides/redis-cluster.mdx index 10bd44c7adcdc..aa89f9c9dd4de 100644 --- a/docs/pages/database-access/guides/redis-cluster.mdx +++ b/docs/pages/database-access/guides/redis-cluster.mdx @@ -110,18 +110,18 @@ in the Redis documentation for more details. ## Step 5/6. Create a cluster Use the following command to create the cluster. Please note `redis-cli --cluster create` accepts only IP addresses. -```sh -export REDISCLI_AUTH=STRONG_GENERATED_PASSWORD -export CERTS_DIR=/path/to/certs/ -export IP1=10.0.0.1 # update with the real node 1 IP -export IP2=10.0.0.2 # update with the real node 2 IP -export IP3=10.0.0.3 # update with the real node 3 IP -export IP4=10.0.0.4 # update with the real node 4 IP -export IP5=10.0.0.5 # update with the real node 5 IP -export IP6=10.0.0.6 # update with the real node 6 IP -redis-cli --user alice --cluster-replicas 1 --tls --cluster-yes \ ---cluster create ${IP1}:7001 ${IP2}:7002 ${IP3}:7003 ${IP4}:7004 ${IP5}:7005 ${IP6}:7006 \ ---cacert ${CERTS_DIR}/server.cas --key ${CERTS_DIR}/server.key --cert ${CERTS_DIR}/server.crt +```code +$ export REDISCLI_AUTH=STRONG_GENERATED_PASSWORD +$ export CERTS_DIR=/path/to/certs/ +$ export IP1=10.0.0.1 # update with the real node 1 IP +$ export IP2=10.0.0.2 # update with the real node 2 IP +$ export IP3=10.0.0.3 # update with the real node 3 IP +$ export IP4=10.0.0.4 # update with the real node 4 IP +$ export IP5=10.0.0.5 # update with the real node 5 IP +$ export IP6=10.0.0.6 # update with the real node 6 IP +$ redis-cli --user alice --cluster-replicas 1 --tls --cluster-yes \ + --cluster create ${IP1}:7001 ${IP2}:7002 ${IP3}:7003 ${IP4}:7004 ${IP5}:7005 ${IP6}:7006 \ + --cacert ${CERTS_DIR}/server.cas --key ${CERTS_DIR}/server.key --cert ${CERTS_DIR}/server.crt ``` ## Step 6/6. Connect From 9df92aec9482de20e78007da29b89c15979ace83 Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 11:07:50 -0800 Subject: [PATCH 08/13] dont explain tctl auth sign setup when unused --- .../database-access/guides/cockroachdb-self-hosted.mdx | 2 -- docs/pages/database-access/guides/mongodb-self-hosted.mdx | 6 ++---- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx b/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx index 1cba538dc3709..979e845f6e5fc 100644 --- a/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx +++ b/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx @@ -77,8 +77,6 @@ in the CockroachDB documentation for more information. ### Set up mutual TLS -(!docs/pages/includes/database-access/tctl-auth-sign.mdx!) - To set up mutual TLS authentication, you need to make sure that: - Teleport trusts certificates presented by CockroachDB nodes. diff --git a/docs/pages/database-access/guides/mongodb-self-hosted.mdx b/docs/pages/database-access/guides/mongodb-self-hosted.mdx index 90571278596f7..f935153173cd2 100644 --- a/docs/pages/database-access/guides/mongodb-self-hosted.mdx +++ b/docs/pages/database-access/guides/mongodb-self-hosted.mdx @@ -115,12 +115,10 @@ accordingly to grant the user appropriate database permissions. ### Set up mutual TLS -(!docs/pages/includes/database-access/tctl-auth-sign.mdx!) - -Create the secrets: - + (!docs/pages/includes/database-access/tctl-auth-sign.mdx!) + When connecting to standalone MongoDB, sign the certificate for the hostname over which Teleport will be connecting to it. From c63a197a087a12de8046dd631e35d93a87884b20 Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 14:22:32 -0800 Subject: [PATCH 09/13] fix redis-cluster code block --- docs/pages/database-access/guides/redis-cluster.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/database-access/guides/redis-cluster.mdx b/docs/pages/database-access/guides/redis-cluster.mdx index aa89f9c9dd4de..eaadc826b3c8e 100644 --- a/docs/pages/database-access/guides/redis-cluster.mdx +++ b/docs/pages/database-access/guides/redis-cluster.mdx @@ -75,7 +75,7 @@ Export your Teleport cluster's `db_client` CA cert and concatenate it with your Cluster's CA cert (in PEM format): ```code $ tctl auth export --type=db_client > db-client-ca.crt -$ cat out.cas > pem-bundle.cas +$ cat db-client-ca.crt > pem-bundle.cas ``` Using your Redis Cluster's CA, issue `server.crt` for each of your Redis Cluster From ce7d757ad6066f3609a772579032cf05c43b3a37 Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 14:47:04 -0800 Subject: [PATCH 10/13] describe teleport trust setup last --- docs/pages/database-access/guides/redis-cluster.mdx | 3 +-- docs/pages/includes/database-access/custom-db-ca.mdx | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/pages/database-access/guides/redis-cluster.mdx b/docs/pages/database-access/guides/redis-cluster.mdx index eaadc826b3c8e..772dda400f17e 100644 --- a/docs/pages/database-access/guides/redis-cluster.mdx +++ b/docs/pages/database-access/guides/redis-cluster.mdx @@ -97,8 +97,6 @@ tls-ca-cert-file /usr/local/etc/redis/certs/pem-bundle.cas tls-protocols "TLSv1.2 TLSv1.3" ``` -(!docs/pages/includes/database-access/custom-db-ca.mdx db="Redis Cluster" protocol="redis" scheme="rediss://" port="6379" query="?mode=cluster"!) - Once mutual TLS has been enabled, you will no longer be able to connect to the cluster without providing a valid client certificate. You can use the `tls-auth-clients optional` setting to allow connections @@ -107,6 +105,7 @@ from clients that do not present a certificate. See [TLS Support](https://redis.io/topics/encryption) in the Redis documentation for more details. +(!docs/pages/includes/database-access/custom-db-ca.mdx db="Redis Cluster" protocol="redis" scheme="rediss://" port="6379" query="?mode=cluster"!) ## Step 5/6. Create a cluster Use the following command to create the cluster. Please note `redis-cli --cluster create` accepts only IP addresses. diff --git a/docs/pages/includes/database-access/custom-db-ca.mdx b/docs/pages/includes/database-access/custom-db-ca.mdx index 6a1cdc25ce460..96ed9057512b9 100644 --- a/docs/pages/includes/database-access/custom-db-ca.mdx +++ b/docs/pages/includes/database-access/custom-db-ca.mdx @@ -1,5 +1,4 @@ {{ scheme="" query="" }} - Modify the Teleport Database Service to trust your {{ db }} CA: ```yaml databases: From e76af3f1dd0562bc9f1184051caa5df25a262377 Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 15:14:06 -0800 Subject: [PATCH 11/13] clarify cluster creation certs --- docs/pages/database-access/guides/redis-cluster.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/pages/database-access/guides/redis-cluster.mdx b/docs/pages/database-access/guides/redis-cluster.mdx index 772dda400f17e..c85a706c9d3eb 100644 --- a/docs/pages/database-access/guides/redis-cluster.mdx +++ b/docs/pages/database-access/guides/redis-cluster.mdx @@ -108,6 +108,12 @@ in the Redis documentation for more details. (!docs/pages/includes/database-access/custom-db-ca.mdx db="Redis Cluster" protocol="redis" scheme="rediss://" port="6379" query="?mode=cluster"!) ## Step 5/6. Create a cluster +To create the cluster after mutual TLS is enabled, you will need to use a +certificate that the Redis nodes trust for client authentication. +You can use a certificate that you already issued for one of the nodes, i.e. +`server.crt` or you can issue a new client certificate using your Redis Cluster +CA. + Use the following command to create the cluster. Please note `redis-cli --cluster create` accepts only IP addresses. ```code $ export REDISCLI_AUTH=STRONG_GENERATED_PASSWORD @@ -120,7 +126,7 @@ $ export IP5=10.0.0.5 # update with the real node 5 IP $ export IP6=10.0.0.6 # update with the real node 6 IP $ redis-cli --user alice --cluster-replicas 1 --tls --cluster-yes \ --cluster create ${IP1}:7001 ${IP2}:7002 ${IP3}:7003 ${IP4}:7004 ${IP5}:7005 ${IP6}:7006 \ - --cacert ${CERTS_DIR}/server.cas --key ${CERTS_DIR}/server.key --cert ${CERTS_DIR}/server.crt + --cacert ${CERTS_DIR}/ca.crt --key ${CERTS_DIR}/server.key --cert ${CERTS_DIR}/server.crt ``` ## Step 6/6. Connect From 2b37318b677d10822921a41d463847ccfd5c9f13 Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 15:23:51 -0800 Subject: [PATCH 12/13] use more descriptive tab labels for cockroachdb --- .../database-access/guides/cockroachdb-self-hosted.mdx | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx b/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx index 979e845f6e5fc..47b52206df222 100644 --- a/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx +++ b/docs/pages/database-access/guides/cockroachdb-self-hosted.mdx @@ -20,9 +20,12 @@ description: How to configure Teleport database access with self-hosted Cockroac (!docs/pages/includes/edition-prereqs-tabs.mdx!) - CockroachDB cluster. + - A host, e.g., an Amazon EC2 instance, where you will run the Teleport Database Service. + - (!docs/pages/includes/tctl.mdx!) + - A certificate authority to issue CockroachDB certificates for nodes in your CockroachDB cluster. @@ -91,7 +94,7 @@ can authenticate themselves as clients to other nodes in the CockroachDB cluster. This is because CockroachDB uses mTLS for node-to-node communication. - + In this configuration, your CockroachDB CA will be used to issue the server cert `node.crt` for each CockroachDB node. @@ -120,7 +123,7 @@ $ tctl auth export --type=db_client >> - + In this configuration, Teleport's CA will be used to issue the server cert, `node.crt`, and your own custom CA will be used to issue the client certificate, `client.node.crt`, for each CockroachDB node. From d8825fe953b92413b7259f10202fa96c40608551 Mon Sep 17 00:00:00 2001 From: Gavin Frazar Date: Wed, 31 Jan 2024 15:29:38 -0800 Subject: [PATCH 13/13] only mention lack of support for RESP3 redis 7.0 is supported with RESP2, no need to call it out. --- docs/pages/database-access/guides/redis-cluster.mdx | 4 +++- docs/pages/database-access/guides/redis.mdx | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/pages/database-access/guides/redis-cluster.mdx b/docs/pages/database-access/guides/redis-cluster.mdx index c85a706c9d3eb..0a5eb6eb3bebf 100644 --- a/docs/pages/database-access/guides/redis-cluster.mdx +++ b/docs/pages/database-access/guides/redis-cluster.mdx @@ -24,11 +24,13 @@ If you want to configure Redis Standalone, please read [Database Access with Red - Redis version `6.0` or newer. - Redis `7.0` and RESP3 (REdis Serialization Protocol) are currently not supported. + RESP3 (REdis Serialization Protocol) is currently not supported. - `redis-cli` version `6.2` or newer installed and added to your system's `PATH` environment variable. + - A host where you will run the Teleport Database Service. + - A certificate authority to issue server certificates for nodes in your Redis Cluster. diff --git a/docs/pages/database-access/guides/redis.mdx b/docs/pages/database-access/guides/redis.mdx index 73ec39424c758..a6f50feff7856 100644 --- a/docs/pages/database-access/guides/redis.mdx +++ b/docs/pages/database-access/guides/redis.mdx @@ -24,7 +24,7 @@ If you want to configure Redis Cluster, please read [Database Access with Redis - Redis version `6.0` or newer. - Redis `7.0` and RESP3 (REdis Serialization Protocol) are currently not supported. + RESP3 (REdis Serialization Protocol) is currently not supported. - `redis-cli` version `6.2` or newer installed and added to your system's `PATH` environment variable.