Feature: Teleport integration — dynamic service registration for DBLab API and clone ports
## Context

Part of the Teleport integration feature tracked in platform-ui#87. Customer (Justin Cameron) needs Teleport-based access to replace SSH port forwarding for advanced users (AllFeaturesUser/Admin).

**Platform UI issue:** https://gitlab.com/postgres-ai/platform-ui/-/issues/87

---

## Goal

DBLab Engine must register/deregister services in Teleport dynamically as clones are created and destroyed, so users can connect via `tsh proxy db` instead of SSH port forwarding.

---

## What needs to be implemented

### 1. Teleport config block in `server.yml`

```yaml
teleport:
  enabled: true
  proxy_addr: teleport.customer.com:443
  join_token: "join-token-here"
  cluster_name: "customer-cluster"
```

### 2. On DBLab Engine startup

Register the DBLab API service in Teleport:

```bash
tctl create db.yaml
```

```yaml
kind: db
version: v3
metadata:
  name: dblab-api-{environment-id}
spec:
  protocol: tcp
  uri: localhost:2345
```

This is a **static service** — registered once, stays until Teleport integration is disabled.

### 3. Clone lifecycle hooks

**On clone created:**

```bash
tctl create clone-db.yaml
```

```yaml
kind: db
version: v3
metadata:
  name: dblab-clone-{environment-id}-{clone-id}-{port}
spec:
  protocol: postgres
  uri: localhost:{port}
```

**On clone destroyed:**

```bash
tctl rm db/dblab-clone-{environment-id}-{clone-id}-{port}
```

### 4. Clone API response — add Teleport fields

```json
{
  "id": "kangelov-mrdc",
  "db_port": 6003,
  "teleport": {
    "db_name": "dblab-clone-gitlab-production-main-kangelov-mrdc-6003",
    "connect_cmd": "tsh proxy db dblab-clone-gitlab-production-main-kangelov-mrdc-6003 --port 6003"
  }
}
```

---

## Naming scheme

| Service | Teleport name |
|---|---|
| DBLab API | `dblab-api-{environment-id}` |
| Clone | `dblab-clone-{environment-id}-{clone-id}-{port}` |

**Real examples (GitLab):**

- `dblab-api-gitlab-production-main`
- `dblab-clone-gitlab-production-main-kangelov-mrdc-6003`
- `dblab-clone-gitlab-production-main-webui-149411-6030`
- `dblab-clone-gitlab-production-main-database-testing-5541212-22838068-main-6014`

Clone IDs can be user-defined, Joe-generated (`webui-{n}`), or pipeline-generated (`database-testing-{pipeline}-{job}-{branch}`). All are `[a-z0-9-]` — Teleport-compatible. Max name length ~79 chars — acceptable.

---

## Implementation approach

- **Registration:** shell out to `tctl create` (binary installed alongside Teleport agent on host)
- **Deregistration:** shell out to `tctl rm`
- **No Teleport Go SDK dependency** for v1

---

## Open Questions

- [ ] Verify: is DBLab `environment-id` the same as the instance "Project" name in console? (e.g. `gitlab-production-main`) — to be confirmed in preview env
- [ ] Join token storage: config file? Or should platform-ui pass it via API at setup time?
- [ ] Minimum Teleport version (`tctl create db` dynamic registration: v13+)
- [ ] Where does `tctl` get its credentials to talk to the Teleport cluster? (needs an admin identity file or bot token)

---

## References

- Platform UI issue: https://gitlab.com/postgres-ai/platform-ui/-/issues/87
- Teleport dynamic DB registration: https://goteleport.com/docs/database-access/guides/dynamic-registration/
- DBLab API reference: https://postgres.ai/docs/reference-guides/database-lab-engine-api-reference
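Added example (not DBLab Engine code) of the clone lifecycle hooks and the shell-out approach described above: it builds the `dblab-clone-{environment-id}-{clone-id}-{port}` name, renders the `db` manifest for `tctl create`, and returns the argv for `tctl rm`. Since clone IDs can be user-defined, the name parts are validated against the `[a-z0-9-]` scheme before they reach `tctl` or the YAML; the function names `CloneServiceName`, `CloneDBManifest` and `RemoveArgs` are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Alphabet from the issue's naming scheme: environment and clone IDs are [a-z0-9-].
var safeIdent = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*$`)

// CloneServiceName builds dblab-clone-{environment-id}-{clone-id}-{port}. Clone IDs
// can be user-defined, so validating them here keeps the result safe both as a
// single argv element for tctl and as an unquoted YAML scalar in the manifest.
func CloneServiceName(envID, cloneID string, port int) (string, error) {
	for _, part := range []string{envID, cloneID} {
		if !safeIdent.MatchString(part) {
			return "", fmt.Errorf("identifier %q: must match [a-z0-9-]", part)
		}
	}
	if port < 1 || port > 65535 {
		return "", fmt.Errorf("port %d out of range", port)
	}
	return fmt.Sprintf("dblab-clone-%s-%s-%d", envID, cloneID, port), nil
}

// CloneDBManifest renders the `db` resource the clone-created hook feeds to
// `tctl create`; name must have come from CloneServiceName.
func CloneDBManifest(name string, port int) string {
	return strings.Join([]string{
		"kind: db",
		"version: v3",
		"metadata:",
		"  name: " + name,
		"spec:",
		"  protocol: postgres",
		fmt.Sprintf("  uri: localhost:%d", port),
		"",
	}, "\n")
}

// RemoveArgs is the argv for the clone-destroyed hook; run it via
// exec.Command(args[0], args[1:]...) so no shell ever parses the name.
func RemoveArgs(name string) []string {
	return []string{"tctl", "rm", "db/" + name}
}
```

The manifest is meant to be written to a temporary file and passed to `tctl create`, with `tctl` itself supplying credentials as discussed under Open Questions.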