Teleport 6.0 : Database Access Made Easy!!
Saiyam is working at Loft as a Principal Developer Advocate. Previously, at Walmart Labs, Oracle, and HP, Saiyam has worked on many facets of k8s, including the machine learning platform, scaling, multi-cloud, managed k8s services, and k8s documentation. He's worked on implementing Kubernetes solutions in different organizations. When not coding, Saiyam works on contributing to the community by writing blogs and organizing local meetups for Kubernetes and CNCF. He is also a Kubestronaut/Portainer/Traefik/CNCF ambassador and can be reached on Twitter @saiyampathak.
Photo by Markus Spiske on Unsplash
Teleport is an open source, identity-aware, access proxy with an integrated certificate authority. People have been using teleport for ssh-access, Kubernetes clusters and with Teleport 6.0 you get Database access as well (Postgress and MySQL).
In this tutorial, I will show you how you can do it all from scratch for a self-hosted MySQL Database(I will show the database install as well).
Prerequisites: 2 Ubuntu 20.04 instances with sudo access.
I have 2 machines called teleport and database
Complete setup
Step1: Login to the teleport instance and install teleport
curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -
add-apt-repository 'deb https://deb.releases.teleport.dev/ stable main'
apt-get update
apt install teleport
Step2: Configure Teleport server
export IP={ip for the instance}
#in my case
export IP=212.2.240.196
teleport configure --acme --acme-email=saiyam911@gmail.com --cluster-name=magic-$IP.nip.io --output="/etc/teleport.yaml"
Wrote config to file "/etc/teleport.yaml". Now you can start the server. Happy Teleporting!
Step3: Start teleport and add a user
systemctl start teleport
systemctl enable teleport
systemctl status teleport
tctl users add teleport-admin --roles=admin --logins=root
User "teleport-admin" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://magic-212.2.240.196.nip.io:443/web/invite/b39e7b128d3243c6c10407b06d27be26
NOTE: Make sure magic-212.2.240.196.nip.io:443 points at a Teleport proxy which users can access.
Go to the link to set up 2FA
You get the Web-UI Access
Step4: Install Mysql database on the database instance
apt-get update
sudo apt install mysql-server -y
Step5: Add MySQL address in the proxy service of teleport.yaml on the teleport instance
vi /etc/teleport.yaml
#Add below in bold
proxy_service:
enabled: "yes"
listen_addr: 0.0.0.0:3023
web_listen_addr: :443
public_addr: magic-212.2.240.196.nip.io:443
mysql_listen_addr: 0.0.0.0:3036
Step6: certificate Key/pair creation
Below has to be run on teleport instance
# Export Teleport's certificate authority and generate certificate/key pair
# for host db.example.com with a one year validity period.
**tctl auth sign --format=db --host=localhost --out=server --ttl=8760h**
The credentials have been written to server.key, server.crt, server.cas
Copy over the files generated to the database instance
apt install sshpass
sshpass -p 'password' scp server.key server.crt server.cas user@{IP}:/etc/mysql/ssl
above will copy the files in /ssl directory of the database instance
cd /etc/mysql/ssl
ls | grep server
server.cas
server.crt
server.key
Step7: Configure MySQL on the database instance
cd /etc/mysql/
vi mysql.cnf
add below
[mysqld]
require_secure_transport=ON
ssl-ca=/path/to/server.cas
ssl-cert=/path/to/server.crt
ssl-key=/path/to/server.key
#in my case it is
[mysqld]
require_secure_transport=ON
ssl-ca=/etc/mysql/ssl/server.cas
ssl-cert=/etc/mysql/ssl/server.crt
ssl-key=/etc/mysql/ssl/server.key
Change ownership
chown -R mysql:mysql /etc/mysql/ssl/
Create User alice and configure with certificate
mysql> CREATE USER 'alice'@'%' REQUIRE X509;
Query OK, 0 rows affected (0.00 sec)
mysql> ALTER USER 'alice'@'%' REQUIRE X509;
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL ON `%`.* TO 'alice'@'%';
Query OK, 0 rows affected (0.00 sec)
Step8: Create the token for database service to join (below command should run on teleport instance)
**tctl tokens add \
--type=db \
--db-name=mysql \
--db-protocol=mysql \
--db-uri=localhost:3306**
The invite token: 30b936383ccd1d117d9315770c08a63c.
This token will expire in 60 minutes.
Fill out and run this command on a node to start proxying the database:
> teleport start \
--roles=db \
--token=30b936383ccd1d117d9315770c08a63c \
--ca-pin=sha256:0cff619a5e66cb079cbb6110ec884424e5a5d47f16e13b8855344889568b5770 \
--auth-server=magic-212.2.240.196.nip.io:443 \
--db-name=mysql \
--db-protocol=mysql \
--db-uri=localhost:3306
You can either use the above token and create a config file on the database instance for the database service using just the token (https://goteleport.com/docs/ver/6.1/database-access/guides/mysql-self-hosted/#start-database-service-with-config-file)
OR you can just use the output of the above command and run it on the database instance.
Step9: Install teleport on Database instance and then run the output from the above command
curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -
add-apt-repository 'deb https://deb.releases.teleport.dev/ stable main'
apt-get update
apt install teleport
Run the command to start database service
teleport start \
> --roles=db \
> --token=30b936383ccd1d117d9315770c08a63c \
> --ca-pin=sha256:0cff619a5e66cb079cbb6110ec884424e5a5d47f16e13b8855344889568b5770 \
> --auth-server=magic-212.2.240.196.nip.io:443 \
> --db-name=mysql \
> --db-protocol=mysql \
> --db-uri=localhost:3306
INFO [PROC:1] Connecting to the cluster magic-212.2.240.196.nip.io with TLS client certificate. service/connect.go:128
INFO [AUDIT:1] Creating directory /var/lib/teleport/log. service/service.go:1895
INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload. service/service.go:1895
INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload/sessions. service/service.go:1895
INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload/sessions/default. service/service.go:1895
INFO [AUDIT:1] Creating directory /var/lib/teleport/log. service/service.go:1895
INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload. service/service.go:1895
INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload/streaming. service/service.go:1895
INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload/streaming/default. service/service.go:1895
INFO [DB:SERVIC] Database service has successfully started: [DatabaseServer(Name=mysql, Version=6.0.2, Labels=map[])]. service/db.go:205
Step10: Login to MySQL instance from Teleport:
Start the terminal session after login into the teleport server from the UI. You can also use tsh login on the teleport instance to login as a particular user.
It will open a terminal session
Now let’s try to access the MySQL database running on the database instance :
root@teleport-9cd889ac:~# **tsh db ls**
Name Description Labels Connect
---------- ----------- ------ ------------------------------------------------------------------------------------------------------
mysql
root@teleport-9cd889ac:~# tsh db login mysql
Connection information for MySQL database "magic-212.2.240.196.nip.io-mysql" has been saved.
You can now connect to the database using the following command:
$ mysql --defaults-group-suffix=_magic-212.2.240.196.nip.io-mysql
Or configure environment variables and use regular CLI flags:
$ eval $(tsh db env)
$ mysql
root@teleport-9cd889ac:~# tsh db ls
Name Description Labels Connect
---------- ----------- ------ ------------------------------------------------------------------------------------------------------
> mysql mysql --defaults-group-suffix=_magic-212.2.240.196.nip.io-mysql --user=<user> --database=<database>
root@teleport-9cd889ac:~# mysql --defaults-group-suffix=_magic-212.2.240.196.nip.io-mysql --user=alice --database=mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10027
Server version: 8.0.0-Teleport (Ubuntu)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.00 sec)
As you can see a user can establish a Mysql server connection from teleport. how cool is that !!!!
Conclusion:
In simple 10 steps, I was able to set up teleport, create users, create a database and connect to the database from the teleport UI. Optionally you can also create RBAC as teleport supports RBAC so you can create a db role for the database and create users with that role accordingly. docs to create RBAC: https://goteleport.com/docs/ver/6.1/database-access/guides/mysql-self-hosted/#create-role-and-user
Saiyam Pathak CNCF Ambassador Youtube: https://youtube.com/c/saiyam911 Twitter: https://twitter.com/saiyampathak Twitch: https://twitch.tv.saiyampathak Kubernetes CKS book: https://gumroad.com/l/cksbook
