Context
Teleport (20.1k stars, Go, AGPL-3.0 — API is Apache 2.0) is a zero-trust access platform with certificate-based short-lived auth for SSH, K8s, databases, and web apps.
What to yoink
- Short-lived certificate auth — no standing credentials, every session gets a time-limited X.509 cert
- Certificate authority — internal CA that issues user and host certificates with identity metadata embedded
- Unified access protocol — single proxy that handles SSH, K8s, database, and web application access
- Session recording — full session capture with replay for audit/compliance
- Device trust — device identity verification as part of access decisions
Approach
Keep is currently a PoC with Envoy + OPA + Google SSO. If it graduates beyond PoC, Teleport's cert-based model is the natural evolution:
- Study Teleport's certificate authority and cert issuance flow
- Port short-lived cert patterns (no long-lived tokens or passwords)
- Borrow session recording implementation for compliance
- Evaluate device trust integration (relevant to Keep's Vouch-based device attestation)
Note: AGPL-3.0 license is restrictive for vendoring, but the architectural patterns are freely borrowable. API layer is Apache 2.0.
References
Priority
Tier 3 — Next-step architecture if keep moves to production
Context
Teleport (20.1k stars, Go, AGPL-3.0 — API is Apache 2.0) is a zero-trust access platform with certificate-based short-lived auth for SSH, K8s, databases, and web apps.
What to yoink
Approach
Keep is currently a PoC with Envoy + OPA + Google SSO. If it graduates beyond PoC, Teleport's cert-based model is the natural evolution:
Note: AGPL-3.0 license is restrictive for vendoring, but the architectural patterns are freely borrowable. API layer is Apache 2.0.
References
Priority
Tier 3 — Next-step architecture if keep moves to production