Support postgres or other RDBMS for HA cluster state #5858
What
What would you like Teleport to do differently?
Support RDBMSs like postgres or mysql for cluster state, and potentially audit logs.
How
(Making a lot of assumptions here). Since teleport auth nodes already support sqlite on local storage as a backend, I would expect the majority of the SQL logic to already be built out.
`SQL` driver with different implementations.
Why
Currently, teleport only supports clustered, NoSQL-like storage for cluster state (etcd/dynamo). While these technologies work great, there's also a lot of specialized knowledge and configuration that needs to be done to actually build them in a secure, highly available manner, as well as maintaining and updating them. For small or simple use-cases they can take more time to manage than teleport itself does, especially if it's exclusively being set up for teleport.
At $dayjob, we're a postgres shop, and have a ton of expertise in building and maintaining highly-available postgres clusters. Being able to point teleport directly at postgres for its cluster state (and potentially even audit logs), would be one less technology that we have to maintain and update (which to be honest, we aren't doing with etcd).
I would also argue that postgres/mysql is simpler to set up and maintain than etcd (the only on-prem storage solution for multiple auth nodes currently supported). I've been burned a number of times by not knowing that I needed to cap etcd revisions, configure auto pruning of those revisions, not to mention getting backups working correctly. That's partly on me for not doing enough research, but I also know that `sudo apt-get install postgresql` will get me a postgres server in a working and reliable state, and there are tons of tutorials and guides on how to properly configure and architect postgres. If I want to set up replication, SSL, or backups, there are tons of guides to get those working too. The vast majority of dev/engineers/etc are going to be much more familiar with RDBMS because of rails, django, etc that are built around them, than etcd or dynamo.
I believe the cluster and audit schemas are stable and consistent enough to be easily translated to columns/tables, but have not really dug into them that much.
Additionally, if only standard SQL is used, it should be as easy as adding the DB driver to support another RDBMS once the initial SQL logic is implemented.
While not a critical need at the moment, postgres should be able to handle a huge amount of audit logs. It would also make querying and filtering those logs a lot easier, since there would be columns.
Workaround
If a workaround exists, please include it.