Draft for guide to enable the Postgres Event driver **only** #44714
programmerq
started this conversation in
Show and tell
Replies: 1 comment
This is a working draft, and will likely have several revisions. Share feedback if you find any issues! |
Guide to Configure PostgreSQL for Teleport Event Backend
This guide will help you configure PostgreSQL to serve as an event backend for Teleport. It focuses solely on setting up audit event storage without addressing cluster state storage or database access.
Prerequisites:
- `postgresql.conf`
- `openssl` for generating certificates.

Steps:
Deploy PostgreSQL Service
Configure PostgreSQL's Host TLS Certificates
Generate the certificates
Use your organization's standard practice for provisioning a TLS certificate for PostgreSQL. If you are using a certificate authority that is not trusted by default, you can include that CA in Teleport's configuration later so it can verify the certificate. This can be a Let's Encrypt certificate, a self-signed certificate, or a certificate signed by a traditional certificate authority.
In this guide, we will refer to these certificates as:
If you do not have an existing certificate process, we advise following the PostgreSQL documentation to set up host certificates: https://www.postgresql.org/docs/current/ssl-tcp.html#SSL-CERTIFICATE-CREATION. Note that that documentation uses 'intermediate.crt' as the filename for what we will refer to as 'server_ca.crt' later in the guide.
Generate and Install Host TLS Certificates
Update `postgresql.conf` to use your TLS certificates:

We will come back to this file later to allow the Postgres service to trust the client certificates.
Create Necessary User for Teleport
Connect to PostgreSQL and create a user and database for audit events:
Ensure that the teleport user has a search_path that resolves to a schema that exists and allows that user to create tables.
Generate Client Certificate for Teleport Auth Service
If you have a standard procedure for issuing client certificates in your environment, you may use it. You can use a CA-signed client certificate or a self-signed client certificate. We will use the following file names:

- `CN=teleport`: a cert that is allowed to connect as the `teleport` user created previously
- `teleport-client.crt`: the client certificate

Generate a self-signed client certificate for the Teleport Auth Service:
This command will give you a 10 year cert for the 'teleport' user.
Configure PostgreSQL to Trust the Teleport Client Certificate
Update `pg_hba.conf` to require client certificates for connections to the Teleport database:

```
# TYPE   DATABASE        USER      CIDR-ADDRESS   METHOD
hostssl  teleport_audit  teleport  0.0.0.0/0      cert
hostssl  teleport_audit  teleport  ::/0           cert
```
Copy `teleport-client.crt` to the PostgreSQL server and point `ssl_ca_file` to it in `postgresql.conf`:

Restart Postgres.
Test Connection String
Compose and test the connection string, ensuring a proper mutual TLS setup:

```
psql "postgresql://teleport@database-address/teleport_audit?sslmode=verify-full&sslcert=/path/to/teleport-client.crt&sslkey=/path/to/teleport-client.key&sslrootcert=/path/to/server-ca.crt"
```
If the command connects successfully, proceed to configure Teleport.
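Two things in the steps above are easy to get subtly wrong: `pg_hba.conf` is evaluated top to bottom and the first matching rule wins, so a broader `host all all ... md5` line placed above the `cert` rules silently decides how the `teleport` user authenticates; and any `sslmode` weaker than `verify-full` skips the server-name check against `sslrootcert`. The following added example (not part of the original guide) is a small checker for both, using constructed `pg_hba.conf` samples and the guide's connection string. It simplifies address matching: any address in the right IP family is treated as matching, with no CIDR narrowing.

```python
import urllib.parse

# Constructed samples: the guide's two rules, and the same rules with a broader password rule ABOVE them.
PG_HBA_GOOD = """\
# TYPE  DATABASE        USER      CIDR-ADDRESS  METHOD
hostssl teleport_audit  teleport  0.0.0.0/0     cert
hostssl teleport_audit  teleport  ::/0          cert
"""
PG_HBA_WEAK = "host    all             all       0.0.0.0/0     md5\n" + PG_HBA_GOOD

def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":          # 'local' rules carry no address column
            fields.insert(3, "")
        rules.append(tuple(fields[:5]))
    return rules

def first_match(rules, database, user, family):
    """First matching rule wins, exactly as PostgreSQL evaluates pg_hba.conf.
    Simplification (assumption): any address in the right family matches."""
    for rule in rules:
        typ, db, usr, addr, _ = rule
        if typ == "local" or db not in ("all", database) or usr not in ("all", user):
            continue
        if addr == "all" or (":" in addr) == (family == "ipv6"):
            return rule
    return None

def check_pg_hba(text, database="teleport_audit", user="teleport"):
    findings, rules = [], parse_pg_hba(text)
    for family in ("ipv4", "ipv6"):
        rule = first_match(rules, database, user, family)
        if rule is None:
            findings.append(f"{family}: no rule matches {user}@{database}")
        elif rule[0] != "hostssl" or rule[4] != "cert":
            findings.append(f"{family}: first match is '{' '.join(rule)}', expected hostssl ... cert")
    return findings

def check_conn_string(url):
    """The psql URL must pin the server CA (verify-full) and present the client cert and key."""
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    findings = []
    if params.get("sslmode") != "verify-full":
        findings.append(f"sslmode={params.get('sslmode')}: only verify-full checks the server name")
    findings += [f"missing {k}" for k in ("sslcert", "sslkey", "sslrootcert") if not params.get(k)]
    return findings
```

Run `check_pg_hba` on your real `pg_hba.conf` text and `check_conn_string` on the URL you pass to `psql`; an empty list means the winning rules are `hostssl ... cert` for both IPv4 and IPv6 and the client pins the server certificate.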
Configure Teleport Auth Server
Update your `teleport.yaml` configuration file:

Deploying with Teleport Cluster Helm Chart
Create a Kubernetes secret with the client certificates and CA:
Add `extraVolumes` and `extraVolumeMounts` entries to your Helm values:

Deploy the Helm chart and monitor the logs:
Diagram
Documentation References