Add "tunnel" mode to tsh proxy db #11720
As described in gravitational/webapps.e#177, we want to replace the db tab with just two sections:

* "Connect with CLI" which will show the command to use in terminal
* "Connect with GUI" which links to our documentation

After gravitational/teleport#11720 gets merged, the "Connect with CLI" section will be massively simplified: it'll be basically just something like:

    psql postgres://localhost:12345

Moreover, @smallinsky suggested that tsh should be responsible for creating those CLI connection commands. We should also do this in the future as it'll let us support new protocols as soon as they land in tsh, without us having to touch Teleterm codebase, for the most part.
To test this I need to have a cluster running code from this PR that also has a db connected to it, right? Is there an easy way to set this up?
what happens when "mtls" is used against older servers?
Use the following command to connect to the database: | ||
$ {{.command}} |
The "mtls" mode should also work for GUIs? Not suggesting any change here. Just curious if this should be default mode eventually.
Yep. I was planning to look into updating the docs after this merges.
@r0mant sorry for the nitpicks on the name, I was looking at this flag, what do you think about
@klizhentas Sounds good, I will rename.
@greedy52 It will work for Mongo/Redis/MSSQL because those already use mutual TLS but not for Postgres/MySQL because older servers don't support plain connections through the TLS tunnel.
I tested this on a Postgres db through Teleterm and it works like a charm.
In the future (after the Teleterm preview release) we might remove the concept of a "gateway" in Teleterm in favor of just running `tsh proxy db` underneath. Though the current gateway system also executes the equivalent of `tsh db login`, so we'll see.
* Limit navigation capabilities to reduce attack surface

  At the moment we don't create new windows nor navigate away from the rendered app, so we can just block everything.

* Update to electron@13.6.9 (#703)
* Use x64 arch when building & packaging Teleterm

  Our build system doesn't support arm64 for Mac releases yet (see issue gravitational/teleport#4226 for more information). Because of that, for the preview release we're likely going to have only the x64 version of Teleterm. This means that the shipped version of tsh should also be the x64 version.

  I tried to change electron-builder's config to use x64 for macOS, but the config options don't seem to work. I tried `mac.defaultArch` as well as changing `mac.target` in various ways but `electron-builder install-app-deps` just doesn't pick up those options. Both were set through `packages/teleterm/package.json`

* Add `Notifications` component and service
* Show errors in `ClusterResources`' tables using standard `Danger` labels
* Use `Notifications` error in `syncRootCluster()` and `removeGateway()`
* Do not block app rendering when initializing function fails
* Fix accessing `serversSyncStatus` Map in `clustersService`
* Revert "Use x64 arch when building & packaging Teleterm"

  This reverts commit 276e9a9. Turns out that for development, we need to use arm64 version of native deps. The build server is going to use x64 anyway, as per the reverted commit, but when making manual demo builds, we'll have to remember to use x64 for Teleterm and tsh.

* Submit modals' forms on `Enter` press
* Remove global `keyDown` handler from `KeyboardArrowsNavigation` as it blocked submitting forms
* Use teleterm/logger in runtimeSettings (#716)

  The one from shared/libs/logger calls `window`, which doesn't exist in the context of Electron main process.

* Improve Teleterm README (#719)

  * Mention that `yarn build-term` needs to be run first before attempting to run the app in dev mode (already had a couple of people who had problems with setting up the app because they didn't run this first).
  * Mention the assumption about both repos living in the same folder.
  * Move the architecture diagram to the end of the file. Most people reading the README are not doing it for the diagram, but build instructions.
  * Explain when gRPC files need to be recompiled.

* Prevent crash when network or cluster is offline (#712)
* Simplify the db connection tab (#720)

  As described in gravitational/webapps.e#177, we want to replace the db tab with just two sections:

  * "Connect with CLI" which will show the command to use in terminal
  * "Connect with GUI" which links to our documentation

  After gravitational/teleport#11720 gets merged, the "Connect with CLI" section will be massively simplified: it'll be basically just something like:

      psql postgres://localhost:12345

  Moreover, @smallinsky suggested that tsh should be responsible for creating those CLI connection commands. We should also do this in the future as it'll let us support new protocols as soon as they land in tsh, without us having to touch Teleterm codebase, for the most part.

* Resolve shell env (#718)

Co-authored-by: Grzegorz Zdunek <gzdunek@users.noreply.github.com>
Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
#11720 was backported to v9, but at that time Teleport Connect wasn't backported to v9, so the changes to gateway.go were dropped. This PR reintroduces them, as without that part it's not possible to open db connections when running Teleport Connect from the v9 branch.
This PR updates `tsh proxy db` command to support "mutual TLS" mode where it opens a TLS tunnel which is already authenticated with the database's client certificate. This makes it possible for the actual database clients to connect through the local proxy directly without TLS authentication since the tunnel is already authenticated. The primary use-case for this is better UX for the local proxy usage with database clients which is esp. important for simplifying the Teleport Terminal usage.

Here's a usage example for Postgres. Start local authenticated proxy:
Connect to the database:
I have verified this for Postgres, MySQL, MongoDB and Redis. SQL Server already worked this way.
Refs https://github.com/gravitational/webapps.e/issues/177.