search

gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
17.44k stars 1.74k forks source link

Clarify misconceptions around Teleport's use of agents #13351

Closed ptgott closed 1 year ago

ptgott commented 2 years ago

Details

From our docs, it is possible to conclude that an admin needs to install teleport on every host they want to register with their Teleport cluster. For example, StrongDM's "Alternatives to Teleport" post says that "Teleport software must be running on every server to be managed by Teleport access." This is incorrect, and we need to clarify our documentation so readers have a more complete understanding of Teleport's architecture earlier in their experience with Teleport.

I propose the following steps:

Step How this helps Issue PR
Come up with a name for non-Auth/Proxy services A standard name for the Database Service, Kubernetes Service, etc. would go a long way toward preventing misconceptions around how Teleport needs to be deployed. We could use something like "gateway," "relay," or "resource service," rather than "agent," to dispel the idea that teleport must be installed on the same host as the resource it registers with a cluster.
We could also use "agent" while clarifying what it means in the context of Teleport.		 https://github.com/gravitational/teleport/issues/10976 #16762
Add architectural clarity earlier in a reader's documentation journey We should determine when readers tend to form an understanding of Teleport's architecture and ensure that this understanding is correct, especially in relation to Teleport's use of agents. Crucially, this understanding may not come from the "Architecture" section, since this is organized separately from our Getting Started docs. #13363 #16762
Update all architectural descriptions in the docs Currently, a lot of our docs still assume that a Teleport deployment consists of an Auth Service, Proxy Service, and Nodes. Now that the teleport binary can run other services, we should make it clearer how these run. Update our architecture documentation to clarify the role of resource-specific services. #13364
Find a way to make our OpenSSH guide more prominent The SSH Service is the only resource service that can be replaced completely with Teleport-issued static credentials. This is especially useful for use-cases where a machine supports an OpenSSH server but not other daemons. Make it clearer at an earlier point in a user's documentation experience that they can use Teleport this way. #13365 https://github.com/gravitational/teleport/pull/24340
Add a single "Teleport Agentless" guide in the docs For users specifically looking for an agentless setup—or wondering how resource services fit within the architecture of a Teleport deployment—gather relevant docs into a single description. #13861 https://github.com/gravitational/teleport/pull/27703

Category

ptgott commented 1 year ago

Closing as complete. Since there is one remaining issue in the tracking table, no longer need the umbrella issue.