Add a database TLS option to trust system CAs #43286
Review comment on docs/pages/includes/database-access/self-hosted-config-start.mdx:

Need to update the db tctl reference in docs/pages/database-access/reference/configuration.mdx as well.
Commits:
* Add a database TLS option to trust system CAs
* add doc
* review comments
* make derive
Closes #42221:
changelog: added support to trust system CAs for self-hosted databases
Example:
The flag avoids downloading the CA for the database service or appending the PEM file for Terraform db resources when database servers are publicly signed.
In theory, this also gives a small performance boost, as the db definition will be smaller without the CA bytes.
Tested by generating a self-signed cert for a Redis database. Then faked /etc/hosts, then added the self-signed cert to the system store (/etc/pki/ca-trust/source/anchors/ for Amazon Linux, then `update-ca-trust extract`).
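The test procedure above relies on two things the verifier has to get right when a database certificate is checked against the system trust store rather than a CA configured for the database: the anchor must actually be present in the store, and the hostname the client connects to must match a name in the certificate (which is why /etc/hosts had to be faked). The Go program below, an added example that is not part of the Teleport pull request or code base, reproduces that in-process: it mints a self-signed certificate for a constructed hostname, serves it over loopback TLS, and dials it with three client configurations. An `x509.CertPool` stands in for the system store (a nil `RootCAs` would consult the real one); the hostname `redis.example.invalid` and the result keys are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// dbHost is a constructed hostname standing in for the Redis database's name;
// in the PR description such a name was resolved via a faked /etc/hosts.
const dbHost = "redis.example.invalid"

// newSelfSignedCert builds an in-memory self-signed certificate for host. It
// plays the role of the self-signed cert that was copied into the system store.
func newSelfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// verifyServer starts a loopback TLS server presenting serverCert and dials it
// as a client that trusts only roots and expects serverName. A nil result means
// chain and hostname verified; otherwise the handshake/x509 error is returned.
func verifyServer(serverCert tls.Certificate, roots *x509.CertPool, serverName string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()

	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake()
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
	if err != nil {
		<-srvErr // the server side fails as well; drain it so the goroutine exits
		return err
	}
	conn.Close()
	return <-srvErr
}

// RunChecks exercises the three situations a "trust system CAs" setting depends
// on and returns the verification error (or nil) for each, keyed by scenario.
func RunChecks() (map[string]error, error) {
	cert, anchor, err := newSelfSignedCert(dbHost)
	if err != nil {
		return nil, err
	}
	// Stand-in for the system store after the anchor was added and
	// `update-ca-trust extract` ran: a pool that contains the cert.
	storeWithAnchor := x509.NewCertPool()
	storeWithAnchor.AddCert(anchor)
	// Stand-in for a system store that never received the anchor.
	storeWithoutAnchor := x509.NewCertPool()

	return map[string]error{
		"anchor-in-store":   verifyServer(cert, storeWithAnchor, dbHost),
		"anchor-missing":    verifyServer(cert, storeWithoutAnchor, dbHost),
		"hostname-mismatch": verifyServer(cert, storeWithAnchor, "other.example.invalid"),
	}, nil
}

func main() {
	results, err := RunChecks()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"anchor-in-store", "anchor-missing", "hostname-mismatch"} {
		fmt.Printf("%-18s -> %v\n", k, results[k])
	}
}
```

Only the first scenario succeeds: the second fails with an unknown-authority error because the store lacks the anchor, and the third fails on hostname mismatch even though the anchor is trusted. That is the practical trade-off of the option: it removes the per-database CA from the resource definition, but verification is then only as strict as the contents of the host's trust store plus the name the service connects to.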