Open timothyb89 opened 1 year ago
Unfortunately this hits a different RPC than regular host certs: https://github.com/gravitational/teleport/blob/14640c80de7a1ab26db0d70de31dc2bb27ff3d66/lib/client/db/database_certificates.go#L99
We can probably still leverage some of the host cert RBAC infrastructure, though.
Would other database host certificate formats also be considered in this change? Example: `tctl auth sign --format=cassandra` and `tctl auth sign --format=scylla`.
What
We currently require users to export the host CA to connect databases and complete setup. https://goteleport.com/docs/database-access/guides/redis/#step-45-set-up-mutual-tls

```shell
# Redis Example
tctl auth sign --format=redis --host=redis.example.com --out=server --ttl=2190h
# MySQL Example
tctl auth sign --format=db --host=db.example.com --out=server --ttl=2190h
```

It would be good if Machine ID could be used to retrieve these certs.
Copied from duplicate https://github.com/gravitational/teleport/issues/11358
What would you like Teleport to do?

Machine ID should be able to automate `tctl auth sign --format=db ...`

What problem does this solve?

Machine ID can already issue host certs with the `ssh_host_cert` config template. It would be useful if bots could issue these certs to avoid the need for long-lived certificates.

If a workaround exists, please include it.

The traditional `tctl auth sign --format=db ...` still works, but in practice requires users to set a long TTL.
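The risk the issue describes is that the `tctl auth sign --format=db` workaround leaves long-lived server certificates in place. The following is an added example, not Teleport's code, of the audit check a practitioner would run over the exported `server.crt` files: it parses the PEM certificate and flags any whose validity window meets or exceeds an assumed policy threshold (2190h, the TTL used in the issue's commands; the threshold, the `db.example.com` host name and the self-signed sample certificate are all constructed for this example).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MaxDBCertLifetime is the policy threshold this example enforces. It is an
// assumed value, not a Teleport default: 2190h is the TTL used in the issue,
// and anything at or above it is reported as long-lived.
const MaxDBCertLifetime = 2190 * time.Hour

// CertLifetime parses a PEM-encoded certificate (the server certificate file
// that tctl auth sign --out=server writes) and returns the length of its
// validity window.
func CertLifetime(pemBytes []byte) (time.Duration, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return cert.NotAfter.Sub(cert.NotBefore), nil
}

// IsLongLived reports whether the certificate's lifetime meets or exceeds
// the assumed policy threshold.
func IsLongLived(pemBytes []byte) (bool, error) {
	d, err := CertLifetime(pemBytes)
	if err != nil {
		return false, err
	}
	return d >= MaxDBCertLifetime, nil
}

// makeTestCert builds a self-signed certificate with the given validity so the
// check can run offline. This is constructed sample input standing in for a
// cert issued by tctl; it is not a Teleport-issued certificate.
func makeTestCert(host string, ttl time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// X.509 encodes times at one-second precision; truncate so the
	// NotAfter - NotBefore difference round-trips exactly.
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Compare a cert issued with the issue's 2190h TTL against a short-lived one.
	for _, ttl := range []time.Duration{2190 * time.Hour, 24 * time.Hour} {
		c, err := makeTestCert("db.example.com", ttl)
		if err != nil {
			panic(err)
		}
		long, err := IsLongLived(c)
		if err != nil {
			panic(err)
		}
		fmt.Printf("ttl=%v long-lived=%v\n", ttl, long)
	}
}
```

To audit real exports, read each `server.crt` from disk and pass its bytes to `IsLongLived`; certificates that trip the check are the ones a Machine ID-issued, short-lived certificate would replace.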