From c4d8ed5765fe0ee880dd7afc4e37e3e4f21c9f43 Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Tue, 30 Apr 2024 17:26:18 +0100 Subject: [PATCH] Add `database-tunnel` service to Machine ID reference (#40993) (#41040) * Add `database-tunnel` service to Machine ID reference * Update docs/pages/machine-id/reference/configuration.mdx --------- Co-authored-by: Paul Gottschling --- .../machine-id/reference/configuration.mdx | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/docs/pages/machine-id/reference/configuration.mdx b/docs/pages/machine-id/reference/configuration.mdx index ae962a92d10c8..27d814a681a56 100644 --- a/docs/pages/machine-id/reference/configuration.mdx +++ b/docs/pages/machine-id/reference/configuration.mdx @@ -302,6 +302,45 @@ principals: (!docs/pages/includes/machine-id/common-output-config.yaml!) ``` +### Services + +Services are configurable long-lived components that run within `tbot`. Unlike +Outputs, they may not necessarily generate artifacts. Typically, services +provide supporting functionality for machine to machine access, for example, +opening tunnels or providing APIs. + +#### `database-tunnel` + +The `database-tunnel` service opens a listener for a service that tunnels +connections to a database server. + +The tunnel authenticates connections for the client, meaning that any +application which can connect to the listener will be able to connect to the +database as the specified user. For this reason, we heavily recommend using the +Unix socket listener type and configuring the permissions of the socket to +ensure that only the intended applications can connect. + +```yaml +# type specifies the type of the service. For the database tunnel service, this +# will always be `database-tunnel`. +type: database-tunnel +# listen specifies the address that the service should listen on. +# +# Two types of listener are supported: +# - TCP: `tcp://
:` +# - Unix socket: `unix:///` +listen: tcp://127.0.0.1:25432 +# service is the name of the database server, as configured in Teleport, that +# the service should open a tunnel to. +service: postgres-docker +# database is the name of the specific database on the specified database +# service. +database: postgres +# username is the name of the user on the specified database server to open a +# tunnel for. +username: postgres +``` + ### Destinations A destination is somewhere that `tbot` can read and write artifacts.
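Review bot: The example `listen: tcp://127.0.0.1:25432` in the added `database-tunnel` YAML block contradicts the paragraph immediately above it, which "heavily recommend[s] using the Unix socket listener type and configuring the permissions of the socket". Since readers tend to copy the example verbatim, consider showing a `unix://` listener as the example value (keeping the `tcp://` form in the comment as the alternative) and adding a sentence on how the socket's ownership and mode should be restricted. It would also help to spell out, next to the `listen` comment, that because the tunnel authenticates on the client's behalf, a TCP listener grants database access as `username` to anything that can reach the address, so binding beyond loopback is not advisable.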