Teleport is an open source, identity-aware access proxy with an integrated certificate authority. It is used by smart engineering teams to access various computing resources on public and private clouds, such as:
- SSH servers
- Kubernetes clusters
- Internal web apps
- MySQL and PostgreSQL databases
Teleport consists of just two dependency-free binaries: the teleport daemon runs on servers, and the tsh CLI runs on clients. The server daemon can perform several functions:
- The Proxy accepts connections from the clients.
- The Certificate Authority (CA) issues short-lived certificates for clients.
- Sidecars maintain a persistent reverse tunnel to a proxy which allows clients to connect to databases that are running anywhere in the world.
The diagram below shows how this all comes together.
- When a user types tsh login db-access.proxy.com, they trigger the login sequence. The Teleport proxy running on db-access.proxy.com accepts the login request and forwards the client to the company’s identity platform. This could be any identity provider: Google Apps, GitHub, Okta, Active Directory, etc.
- After the user completes the login process, the Teleport certificate authority (CA) issues an X.509 certificate, filled with the user’s identity metadata (roles, etc.), which is returned to the client. The tsh client is now aware of all databases available to this user. tsh also configures the user’s command line environment, so psql knows to talk to the proxy.
- Meanwhile, Teleport’s database service process (shown as “sidecar” in the diagram) is running on the same network as a database. The sidecar establishes an outgoing persistent reverse SSH tunnel to the proxy. These tunnels are how database instances are registered as “online”.
- When a user decides to connect to a specific DB instance, the connection goes from psql to a proxy, then (via an appropriate reverse SSH tunnel) to the corresponding sidecar and from there, via mutual TLS, to the target database instance.
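The two certificate steps above (the CA issuing a short-lived X.509 certificate carrying the user's identity, and the mutual-TLS hop checking it) as an added Go example; this is not Teleport's code. The in-memory CA, the names and the choice to carry roles in Subject.Organization are this example's assumptions, and the verifier shows the certificate being accepted inside its TTL and rejected after it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA builds an in-memory self-signed CA standing in for the Teleport CA (fixed template, so x509 errors are dropped).
func NewCA(now time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	ca, _ := x509.ParseCertificate(der)
	return ca, priv
}
// IssueClientCert signs a certificate for user that expires ttl after now. Storing the roles in
// Subject.Organization is this example's own convention (an assumption), not Teleport's format.
func IssueClientCert(ca *x509.Certificate, caKey ed25519.PrivateKey, user string, roles []string, now time.Time, ttl time.Duration) ([]byte, error) {
	clientPub, _, _ := ed25519.GenerateKey(rand.Reader) // the private half stays with the client
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user, Organization: roles},
		NotBefore: now, NotAfter: now.Add(ttl), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, clientPub, caKey)
}
// VerifyClient is the mutual-TLS peer's check: the certificate must chain to the CA, be valid at
// time at, and permit client auth. Only then are the embedded user and roles trusted.
func VerifyClient(ca *x509.Certificate, der []byte, at time.Time) (string, []string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}
func main() {
	ca, caKey := NewCA(time.Now())
	der, _ := IssueClientCert(ca, caKey, "alice", []string{"dba"}, ca.NotBefore, 8*time.Hour)
	fmt.Println(VerifyClient(ca, der, ca.NotBefore.Add(time.Hour)))   // inside the 8h TTL: alice [dba] <nil>
	fmt.Println(VerifyClient(ca, der, ca.NotBefore.Add(9*time.Hour))) // after the TTL: "certificate has expired"
}
```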
Teleport was originally born as a modern, identity-based way of accessing SSH servers, because we wanted the world to move away from archaic SSH keys, bastion hosts, VPNs, “server inventories” and the other pains of legacy SSH.
But SSH is not enough. Modern computing environments are getting more and more complex. In addition to SSH, our users want to access all kinds of computing resources in order to build software faster: Kubernetes clusters, internal web dashboards and, of course, databases!
Moreover, the location of these resources should be irrelevant. We are big believers in the future of environment-free computing, when the entire planet will feel like a giant multi-tenant supercomputer. That supercomputer must provide a simple and secure way of accessing it, and that’s what Teleport is evolving into.
The above is a brief overview of Teleport. Watch this space for more updates on the latest trends in technology.