[docs] database CA migration and rotation guides #38137
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
|
🤖 Vercel preview here: https://docs-ez888o013-goteleport.vercel.app/docs/ver/preview |
greedy52
left a comment
Thanks a lot for writing these guides! I think the locations are good but Paul is the better person for this.
Should we link the DB CA rotation guide in tctl auth sign once it's alive?
|
🤖 Vercel preview here: https://docs-ke21ybs9q-goteleport.vercel.app/docs/ver/preview |
ptgott
left a comment
In terms of location, I think the main consideration is which search terms a user would use to find the page.
If we think users will search for "CA Rotation", and database-specific CA rotation is something they find out about while reading the docs, we could make "CA Rotation" a subsection of "Manage your Cluster" (rather than "Manage your Cluster" > "Operations"), then put all of our CA rotation content in that subsection so this guide is more discoverable.
If users are searching for database-specific CA rotation information, I think the current approach is fine.
In general, one goal this quarter is to document all CA rotation steps, so we can decouple the task of organizing these docs from the one of writing the docs.
ptgott
left a comment
I'll leave a review for the "Database CA Migrations" page later this week.
|
🤖 Vercel preview here: https://docs-nsjww84mb-goteleport.vercel.app/docs/ver/preview |
3fc78de to d161870
|
🤖 Vercel preview here: https://docs-h8xjx5rxe-goteleport.vercel.app/docs/ver/preview |
|
🤖 Vercel preview here: https://docs-apxr4s06s-goteleport.vercel.app/docs/ver/preview |
d161870 to 24e295f
|
🤖 Vercel preview here: https://docs-6ynft1n67-goteleport.vercel.app/docs/ver/preview |
* add nav slugs for DB CA migration and rotation guides
* add DB CA guides
* use --phase last in CA rotation guide example commands, so they're less tedious to edit
* link to the database CA rotation guide for db and db_client CA rotation
* deprecate spec.ca_cert in db reference
* recommend parallel database ca rotation
* explain reconfig post rotation to fix db vuln
* update cspell to ignore -noout
24e295f to 7386539
|
🤖 Vercel preview here: https://docs-gvusibrd5-goteleport.vercel.app/docs/ver/preview |
|
@GavinFrazar See the table below for backport results.
|
This docs-only PR adds guides for Teleport's database CAs (db and db_client).
The guides explain the historical context of why these CAs were added, how they were added via a migration that cloned their predecessor CA (if upgrading from an older version), and how to handle "completing" those migrations by rotating CAs.
Additionally, I added a guide specific to database CA rotation.
The existing CA rotation guide was really too focused on host CA rotation to adequately explain database CA rotation.
I think at some point we might add other CA-type-specific rotation guides, but that is out of scope for this PR.
Relevant related PR:
For reviewers (@greedy52 @ptgott), I wasn't too sure about which section to put these guides under.
I put them in the operations guides, because that's where we have other migration guides and the other CA rotation guide.
Let me know if you think these would be better elsewhere, like in the database-access section somewhere.