From our docs, it is possible to conclude that an admin needs to install teleport on every host they want to register with their Teleport cluster. For example, StrongDM's "Alternatives to Teleport" post says that "Teleport software must be running on every server to be managed by Teleport access." This is incorrect, and we need to clarify our documentation so readers have a more complete understanding of Teleport's architecture earlier in their experience with Teleport.
I propose the following steps:
Step
How this helps
Issue
PR
Come up with a name for non-Auth/Proxy services
A standard name for the Database Service, Kubernetes Service, etc. would go a long way toward preventing misconceptions around how Teleport needs to be deployed. We could use something like "gateway," "relay," or "resource service," rather than "agent," to dispel the idea that teleport must be installed on the same host as the resource it registers with a cluster. We could also use "agent" while clarifying what it means in the context of Teleport.
Add architectural clarity earlier in a reader's documentation journey
We should determine when readers tend to form an understanding of Teleport's architecture and ensure that this understanding is correct, especially in relation to Teleport's use of agents. Crucially, this understanding may not come from the "Architecture" section, since this is organized separately from our Getting Started docs.
#13363
#16762
Update all architectural descriptions in the docs
Currently, a lot of our docs still assume that a Teleport deployment consists of an Auth Service, Proxy Service, and Nodes. Now that the teleport binary can run other services, we should make it clearer how these run. Update our architecture documentation to clarify the role of resource-specific services.
The SSH Service is the only resource service that can be replaced completely with Teleport-issued static credentials. This is especially useful for use-cases where a machine supports an OpenSSH server but not other daemons. Make it clearer at an earlier point in a user's documentation experience that they can use Teleport this way.
Add a single "Teleport Agentless" guide in the docs
For users specifically looking for an agentless setup—or wondering how resource services fit within the architecture of a Teleport deployment—gather relevant docs into a single description.
Details
From our docs, it is possible to conclude that an admin needs to install
teleport
on every host they want to register with their Teleport cluster. For example, StrongDM's "Alternatives to Teleport" post says that "Teleport software must be running on every server to be managed by Teleport access." This is incorrect, and we need to clarify our documentation so readers have a more complete understanding of Teleport's architecture earlier in their experience with Teleport.I propose the following steps:
teleport
must be installed on the same host as the resource it registers with a cluster.We could also use "agent" while clarifying what it means in the context of Teleport.
teleport
binary can run other services, we should make it clearer how these run. Update our architecture documentation to clarify the role of resource-specific services.Category