add doc

gravitational · Jun 20, 2024 · 48d472e · 48d472e
1 parent 41647dd
commit 48d472e
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 2 deletions.
diff --git a/docs/pages/includes/config-reference/database-config.yaml b/docs/pages/includes/config-reference/database-config.yaml
@@ -103,6 +103,13 @@ db_service:
       server_name: db.example.com
       # Optional path to the CA used to validate the database certificate.
       ca_cert_file: /path/to/pem
+      # Optional configuration that allows Teleport to trust certificate
+      # authorities available on the host system. If not set (by default),
+      # Teleport only trusts self-signed databases with TLS certificates signed
+      # by Teleport's Database Server CA or the ca_cert_file specified in this
+      # TLS setting. For cloud-hosted databases, Teleport downloads the
+      # corresponding required CAs for validation.
+      trust_system_cert_pool: false
 
     # MySQL only options.
     mysql:

diff --git a/docs/pages/includes/database-access/self-hosted-config-start.mdx b/docs/pages/includes/database-access/self-hosted-config-start.mdx
@@ -45,4 +45,19 @@ To configure the Teleport Database Service to trust a custom CA:
       --labels=env=dev
    ```
 
+If your database servers use certificates that are publicly signed by an SSL
+certificate service such as Comodo or Digicert, you can use the
+`trust_system_cert_pool` option without exporting the CA:
+```code
+$ sudo teleport db configure create \
+   -o file \
+   --token=/tmp/token \
+   --proxy=<Var name="example.teleport.sh:443" /> \
+   --name={{ dbName }} \
+   --protocol={{ dbProtocol }} \
+   --uri={{ databaseAddress }} \
+   --trust_system_cert_pool \
+   --labels=env=dev
+```
+
 (!docs/pages/includes/start-teleport.mdx service="the Teleport Database Service"!)
diff --git a/lib/config/database.go b/lib/config/database.go
@@ -366,8 +366,12 @@ db_service:
     {{- end}}
     {{- if or .DatabaseCACertFile .DatabaseTrustSystemCertPool}}
     tls:
+      {{- if .DatabaseCACertFile }}
       ca_cert_file: "{{ .DatabaseCACertFile }}"
+      {{- end }}
+      {{- if .DatabaseTrustSystemCertPool }}
       trust_system_cert_pool: {{ .DatabaseTrustSystemCertPool }}
+      {{- end }}
     {{- end }}
     {{- if or .DatabaseAWSRegion .DatabaseAWSAccountID .DatabaseAWSAssumeRoleARN .DatabaseAWSExternalID .DatabaseAWSRedshiftClusterID .DatabaseAWSRDSInstanceID .DatabaseAWSRDSClusterID .DatabaseAWSElastiCacheGroupID .DatabaseAWSMemoryDBClusterName }}
     aws:

diff --git a/lib/srv/db/common/auth_test.go b/lib/srv/db/common/auth_test.go
@@ -174,8 +174,8 @@ func TestAuthGetTLSConfig(t *testing.T) {
 		},
 		{
 			name:                     "self-hosted with trust_system_cert_pool",
-			sessionDatabase:          newSelfHostedDatabaseWithTrustSytemCertPool(t, "localhost:8888"),
-			expectServerName:         "localhost",
+			sessionDatabase:          newSelfHostedDatabaseWithTrustSytemCertPool(t, "postgres.dev.example.com:8888"),
+			expectServerName:         "postgres.dev.example.com",
 			expectRootCAs:            systemCertPoolWithCA,
 			expectClientCertificates: true,
 		},