Provide web API for downloading mTLS certificates for database access #14049
Labels: discover (Issues related to Teleport Discover), feature-request (Used for new features in Teleport, improvements to current should be #enhancements)
Comments
r0mant added the feature-request and discover labels on Jul 1, 2022
I'm almost certain there was an issue for this same request with desktop access certs, but I can't find it.
marcoandredinis added a commit that referenced this issue on Aug 1, 2022: Download mTLS files from Web (#14526)

In the context of Teleport Discover we are trying to ease the usage of Teleport for the user's first interaction. When adding a new database resource the user must, among other things, generate the mTLS files. Examples:

https://goteleport.com/docs/database-access/guides/postgres-self-hosted/#step-25-create-a-certificatekey-pair
https://goteleport.com/docs/database-access/guides/mysql-self-hosted/#step-24-create-a-certificatekey-pair

This PR aims to reduce this friction: the user should be able to set up the resource without prior setup of local tools (`tsh login`).

We're doing this by providing an endpoint that will return those exact files.

Demo

```shell
marco@lenix ~/p/downloadmtls> curl --silent --insecure 'https://127.0.0.1.nip.io:3080/v1/webapi/sites/lenix/sign' --data '{"hostname":"discover.example.com", "ttl":"9999h", "format": "db"}' --header 'Authorization: Bearer 308bf3dd3019ddc42cff44a48e028480' --header 'Content-Type: application/json' -OJ
marco@lenix ~/p/downloadmtls> tar -xvf teleport_mTLS_discover.example.com.tar.gz
server.key
server.crt
server.cas
marco@lenix ~/p/downloadmtls> head -1 server.*
==> server.cas <==
-----BEGIN CERTIFICATE-----

==> server.crt <==
-----BEGIN CERTIFICATE-----

==> server.key <==
-----BEGIN RSA PRIVATE KEY-----
```

Fixes #14049
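The three files the demo extracts (server.key, server.crt, server.cas) are a server private key, a certificate for the database host signed by Teleport's database CA, and that CA. The following is an added example, not Teleport's code, showing in Go what such a bundle consists of and the check a database operator should run on the extracted files before pointing a database at them: it builds a throwaway in-memory CA standing in for Teleport's database CA, signs a server certificate for a hostname with a requested TTL, and verifies that server.crt chains to server.cas for that hostname and that server.key is the key server.crt certifies. The names (dbCA, newCert, signServer, verifyBundle) are the example's own, and it uses ECDSA P-256 keys, so server.key begins with EC PRIVATE KEY rather than the RSA PRIVATE KEY header in the demo output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// dbCA is an in-memory stand-in for Teleport's database CA (hypothetical; the real CA key never leaves the auth server).
type dbCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert generates a P-256 key and signs tmpl with parent (self-signed when parent is nil).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return key, der, err
}

func newDBCA() (*dbCA, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-db-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	key, der, err := newCert(tmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &dbCA{cert: cert, key: key}, err
}

// signServer issues a server cert for hostname with the requested TTL and returns
// the PEM files under the names the tarball in the demo uses.
func (ca *dbCA) signServer(hostname string, ttl time.Duration) (map[string][]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: hostname},
		DNSNames: []string{hostname}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	key, der, err := newCert(tmpl, ca.cert, ca.key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	pemOf := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return map[string][]byte{"server.key": pemOf("EC PRIVATE KEY", keyDER),
		"server.crt": pemOf("CERTIFICATE", der), "server.cas": pemOf("CERTIFICATE", ca.cert.Raw)}, nil
}

// verifyBundle is the operator-side check on the extracted files: server.crt must chain
// to server.cas for hostname (server-auth usage), and server.key must match server.crt.
func verifyBundle(files map[string][]byte, hostname string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(files["server.cas"]) {
		return errors.New("server.cas: no CA certificate")
	}
	block, _ := pem.Decode(files["server.crt"])
	if block == nil {
		return errors.New("server.crt: not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname}); err != nil {
		return err
	}
	if block, _ = pem.Decode(files["server.key"]); block == nil {
		return errors.New("server.key: not PEM")
	}
	key, err := x509.ParseECPrivateKey(block.Bytes)
	if err != nil {
		return err
	}
	if !key.PublicKey.Equal(cert.PublicKey) {
		return errors.New("server.key does not match server.crt")
	}
	return nil
}
```

Running verifyBundle on every download is cheap insurance against the two mistakes a copy-paste endpoint invites: requesting the files for the wrong hostname, and mixing the key from one download with the certificate from another. The TTL the client asks for is passed straight into NotAfter here; whatever serves the endpoint should cap it.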
When configuring self-hosted databases, users need to download Teleport's CA and generate a cert/key pair in order to configure mutual TLS between Teleport and the database server. Right now we ask users to run the `tctl auth sign` command to get these files.

In the Teleport Discover wizard, instead of asking users to run `auth sign` (which would also require them to log in first), we can provide them with a `curl` command that will make a request to the web API to generate these files and download them. The API should return a tarball containing Teleport's CA (specifically, the database CA for db access) and a cert/key pair.

Check if we create an audit log entry when these secrets are generated and add it if we don't (can do later).

The Discover wizard should show the `curl` command to the user that will call this endpoint and download the mTLS secrets. We should use some cryptographically secure token to authenticate the client's request, which the web UI will pre-generate and which will expire after first use. Look at `/webapi/host/credentials`, which uses a similar approach for node registration. See if we can reuse `ProvisionToken` or one of the other `XXXToken` objects for this.
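The design sketched in the issue has four security-relevant parts: a pre-generated, cryptographically secure token that expires after first use; server-side validation of what the client asks for; an audit event when the secrets are issued; and the tarball download itself. The following is an added example, not Teleport's code and not the `ProvisionToken` reuse the issue points at, showing one way to wire that gate in Go: tokens are minted from 16 random bytes, consumed under a lock the first time they are presented (so a concurrent replay loses the race), and checked for expiry; the handler then validates the hostname, format and ttl, calls an injected signer for the PEM files, records the audit event, and streams a .tar.gz with the demo's file names and Content-Disposition. The names tokenStore, signer and signHandler and the injected audit callback are the example's own; the signer is passed in as a function so the example stays on the token handling rather than on certificate generation.

```go
package main

import (
	"archive/tar"
	"compress/gzip"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"io"
	"net/http"
	"strings"
	"sync"
	"time"
)

// tokenStore is a hypothetical single-use token table. The issue suggests reusing
// ProvisionToken for this; that type is not modelled here.
type tokenStore struct {
	mu     sync.Mutex
	tokens map[string]time.Time // token -> expiry
}

func newTokenStore() *tokenStore { return &tokenStore{tokens: map[string]time.Time{}} }

// issue mints a 128-bit random token for the web UI to embed in the curl command.
func (ts *tokenStore) issue(ttl time.Duration) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	ts.mu.Lock()
	defer ts.mu.Unlock()
	ts.tokens[tok] = time.Now().Add(ttl)
	return tok, nil
}

// consume deletes the token under the lock the first time it is presented, so a
// concurrent replay of the same token and an expired token both fail.
func (ts *tokenStore) consume(tok string) bool {
	ts.mu.Lock()
	defer ts.mu.Unlock()
	exp, ok := ts.tokens[tok]
	delete(ts.tokens, tok)
	return ok && time.Now().Before(exp)
}

// signer returns server.key, server.crt and server.cas (PEM) for a hostname. The CA
// behind it is injected so this example stays focused on the gate in front of it.
type signer func(hostname string, ttl time.Duration) (map[string][]byte, error)

// signHandler is a hypothetical /v1/webapi/sites/<cluster>/sign: it authenticates
// with the one-time bearer token, validates the request, signs, records an audit
// event and streams the tarball the demo extracts.
func signHandler(ts *tokenStore, sign signer, maxTTL time.Duration, audit func(hostname string, ttl time.Duration)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if r.Method != http.MethodPost || tok == "" || !ts.consume(tok) {
			http.Error(w, "invalid, expired or already used token", http.StatusUnauthorized)
			return
		}
		var req struct{ Hostname, TTL, Format string }
		if err := json.NewDecoder(io.LimitReader(r.Body, 4096)).Decode(&req); err != nil ||
			req.Format != "db" || req.Hostname == "" || strings.ContainsAny(req.Hostname, "\"\\/ \r\n") {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		ttl, err := time.ParseDuration(req.TTL)
		if err != nil || ttl <= 0 || ttl > maxTTL { // the client's ttl is a request; the server caps it
			http.Error(w, "ttl must be positive and at most "+maxTTL.String(), http.StatusBadRequest)
			return
		}
		files, err := sign(req.Hostname, ttl)
		if err != nil {
			http.Error(w, "signing failed", http.StatusInternalServerError)
			return
		}
		audit(req.Hostname, ttl)
		w.Header().Set("Content-Type", "application/gzip")
		w.Header().Set("Content-Disposition", `attachment; filename="teleport_mTLS_`+req.Hostname+`.tar.gz"`)
		gz := gzip.NewWriter(w)
		tw := tar.NewWriter(gz)
		for _, name := range []string{"server.key", "server.crt", "server.cas"} {
			hdr := &tar.Header{Name: name, Mode: 0600, Size: int64(len(files[name])), ModTime: time.Now()}
			if err := tw.WriteHeader(hdr); err != nil {
				return // headers are already sent; nothing more useful to do
			}
			if _, err := tw.Write(files[name]); err != nil {
				return
			}
		}
		if err := tw.Close(); err == nil {
			_ = gz.Close()
		}
	}
}
```

The token is consumed before the body is validated, so a malformed first request burns it and the wizard has to mint a new one; that is the safer default for a secret that authorizes issuing a private key. The hostname check matters because the value ends up in the Content-Disposition header that the demo's `curl -OJ` turns into a local filename: rejecting quotes, slashes and CR/LF keeps a request from smuggling header lines or path components into it. The 9999h ttl in the demo is the kind of value the maxTTL cap exists to refuse.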