[v11][breaking] Remove the SQL backend (#17156)

* Revert "Azure AD authentication for the Postgres backend (#15757)" This reverts commit 33c6d82. * Revert "SQL Backend (#11048)" This reverts commit 06fef2a. * Remove Postgres backend from the docs * Remove the Postgres backend from the testplan
gravitational · Oct 7, 2022 · 1de40d4 · 1de40d4
1 parent 30a1db4
commit 1de40d4
Show file tree

Hide file tree

Showing 21 changed files with 6 additions and 3,359 deletions.
diff --git a/.github/ISSUE_TEMPLATE/testplan.md b/.github/ISSUE_TEMPLATE/testplan.md
@@ -884,19 +884,16 @@ Perform all tests on the following configurations:
  - [ ] etcd
  - [ ] DynamoDB
  - [ ] Firestore
- - [ ] Postgres
 
 * Cluster with 10K reverse tunnel nodes:
  - [ ] etcd
  - [ ] DynamoDB
  - [ ] Firestore
- - [ ] Postgres
 
 * Cluster with 500 trusted clusters:
 - [ ] etcd
 - [ ] DynamoDB
 - [ ] Firestore
-- [ ] Postgres
 
 ### Soak Test
 

diff --git a/docs/pages/reference/backends.mdx b/docs/pages/reference/backends.mdx
@@ -16,7 +16,7 @@ no need to configure a backend.
 
 | Data type | Description | Supported storage backends |
 | - | - | - |
-| core cluster state | Cluster configuration (e.g. users, roles, auth connectors) and identity (e.g. certificate authorities, registered nodes, trusted clusters). | Local directory (SQLite), etcd, AWS DynamoDB, GCP Firestore, self-hosted PostgreSQL/CockroachDB (Preview) |
+| core cluster state | Cluster configuration (e.g. users, roles, auth connectors) and identity (e.g. certificate authorities, registered nodes, trusted clusters). | Local directory (SQLite), etcd, AWS DynamoDB, GCP Firestore |
 | audit events | JSON-encoded events from the audit log (e.g. user logins, RBAC changes) | Local directory, AWS DynamoDB, GCP Firestore |
 | session recordings | Raw terminal recordings of interactive user sessions | Local directory, AWS S3 (and any S3-compatible product), GCP Cloud Storage |
 | teleport instance state | ID and credentials of a non-auth teleport instance (e.g. node, proxy) | Local directory |
@@ -684,68 +684,6 @@ teleport:
   Teleport will default to a local file  system for the audit log, i.e.
   `/var/lib/teleport/log` on an auth server.
 
-## PostgreSQL/CockroachDB (Preview)
-
-The PostgreSQL/CockroachDB backend supports storing Teleport cluster state
-in a self-hosted database instance.
-
-<Admonition
-  type="tip"
-  title="NOTE"
->
-  The PostgreSQL/CockroachDB backend is currently in Preview.
-</Admonition>
-
-Connections require mutual TLS authentication. Be sure to configure your
-database instance to support certificate authentication before configuring
-the Teleport PostgreSQL/CockroachDB backend.
-See [PostgreSQL Certificate Authentication](https://www.postgresql.org/docs/current/auth-cert.html) to configure PostgreSQL
-or [Authenticating to CockroachDB Self-Hosted Clusters](https://www.cockroachlabs.com/docs/stable/authentication.html) to configure CockroachDB.
-
-Once your self-hosted database instance has been configured to support
-certificate authentication, configure all Teleport Auth servers to use the backend
-by setting the storage section in the Teleport configuration file.
-
-```yaml
-teleport:
-  storage:
-    # Type of backend: either "postgres" or "cockroachdb".
-    type: cockroachdb
-    # The host:port of the database instance.
-    addr: "cockroachdb.example.com:26257"
-    # Optional database name. Defaults to "teleport".
-    database: "teleport"
-    # Authentication settings.
-    tls:
-      # Path to the database user's certificate.
-      client_cert_file: "/path/to/certs/client.dbuser.crt"
-      # Path to the database user's private key.
-      client_key_file: "/path/to/certs/client.dbuser.key"
-      # Path to the trusted certificate authority
-      # used to generate the client certificates.
-      ca_file: "/path/to/cockroachdb.cas"
-```
-
-Teleport will attempt to create a new database if the configured database does
-not exist. Creating a database requires `CREATEDB` privileges for the Teleport
-user. See PostgreSQL's [CREATE ROLE](https://www.postgresql.org/docs/current/sql-createrole.html)
-documentation for details.
-
-```shell
-$ psql -d postgres
-postgres=# CREATE ROLE dbuser CREATEDB;
-```
-
-If you do not wish to grant `CREATEDB` privileges to the Teleport user, be
-sure to create a database and grant all privileges on the database
-to the Teleport user before starting Teleport.
-
-```shell
-$ psql -d postgres
-postgres=# CREATE DATABASE teleport;
-postgres=# GRANT ALL PRIVILEGES ON DATABASE teleport TO dbuser;
-```
-
 ## SQLite
 
 The Auth Service uses the SQLite backend when no `type` is specified in the

diff --git a/lib/backend/backend.go b/lib/backend/backend.go
@@ -25,10 +25,10 @@ import (
 	"strings"
 	"time"
 
-	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/trace"
-
 	"github.com/jonboulle/clockwork"
+
+	"github.com/gravitational/teleport/api/types"
 )
 
 // Forever means that object TTL will not expire unless deleted
@@ -232,36 +232,6 @@ func (p Params) GetString(key string) string {
 	return s
 }
 
-// Cleanse fixes an issue with yamlv2 decoding nested sections to
-// map[interface{}]interface{} rather than map[string]interface{}.
-// ObjectToStruct will fail on the former. yamlv3 corrects this behavior.
-// All non-string keys are dropped.
-func (p Params) Cleanse() {
-	for key, value := range p {
-		if mapValue, ok := value.(map[interface{}]interface{}); ok {
-			p[key] = convertParams(mapValue)
-		}
-	}
-}
-
-// convertParams converts from a map[interface{}]interface{} to
-// map[string]interface{} recursively. All non-string keys are dropped.
-// This function is called by Params.Cleanse.
-func convertParams(from map[interface{}]interface{}) (to map[string]interface{}) {
-	to = make(map[string]interface{}, len(from))
-	for key, value := range from {
-		strKey, ok := key.(string)
-		if !ok {
-			continue
-		}
-		if mapValue, ok := value.(map[interface{}]interface{}); ok {
-			value = convertParams(mapValue)
-		}
-		to[strKey] = value
-	}
-	return to
-}
-
 // NoLimit specifies no limits
 const NoLimit = 0
 

diff --git a/lib/backend/backend_test.go b/lib/backend/backend_test.go
@@ -55,28 +55,3 @@ func TestRangeEnd(t *testing.T) {
 		})
 	}
 }
-
-func TestParamsCleanse(t *testing.T) {
-	source := Params{
-		"Addr": "localhost:345",
-		"TLS": map[interface{}]interface{}{
-			"CAFile": "/path/to/file",
-			"Certs": map[interface{}]interface{}{
-				"Cert": "cert.crt",
-				"Key":  "key.crt",
-			},
-		},
-	}
-	expect := Params{
-		"Addr": "localhost:345",
-		"TLS": map[string]interface{}{
-			"CAFile": "/path/to/file",
-			"Certs": map[string]interface{}{
-				"Cert": "cert.crt",
-				"Key":  "key.crt",
-			},
-		},
-	}
-	source.Cleanse()
-	require.Equal(t, source, expect)
-}
diff --git a/lib/backend/postgres/azure.go b/lib/backend/postgres/azure.go