Dynamic Database Registration
Dynamic database registration allows Teleport administrators to register new databases (or update/unregister existing ones) without having to update the static configuration and restart Teleport Database Service instances.
Dynamic registration also enables administrators to deploy multiple Database Service instances for high availability by configuring Database Service replicas to watch for the same database resources.
To enable dynamic registration, include a resources section in your Teleport Database Service configuration with a list of resource label selectors you'd like this service to monitor for registering:
db_service:
  enabled: "yes"
  resources:
  - labels:
      "*": "*"
You can use a wildcard selector to register all dynamic database resources in the cluster on the Database Service or provide a specific set of labels for a subset:
resources:
- labels:
    "env": "prod"
    "engine": "postgres"
- labels:
    "env": "test"
    "engine": "mysql"
Next define a database resource:
kind: db
version: v3
metadata:
  name: example
  description: "Example database"
  labels:
    env: prod
    engine: postgres
spec:
  protocol: "postgres"
  uri: "localhost:5432"
The user creating the dynamic registration needs to have a role with access to the database labels and the db resource. In this example role the user can only create and maintain databases labeled env: prod and engine: postgres.
kind: role
metadata:
  name: dynamicregexample
spec:
  allow:
    db_labels:
      engine: postgres
      env: prod
    rules:
    - resources:
      - db
      verbs:
      - list
      - create
      - read
      - update
      - delete
version: v5
See the full database resource spec reference.
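The label relationships above can be checked offline before running tctl. The following Python check is an added example, not part of Teleport or its documentation: it reports which Database Service selectors would pick up a db resource, whether the role's db_labels cover it, and which selectors are full wildcards. The function names and the matching model (all keys in one selector must match, any one selector suffices, "*" is a wildcard) are assumptions made for illustration.

```python
# Added example: offline pre-flight check for a dynamic db resource.
# Assumed matching model (an assumption, not taken from Teleport's source):
# every key in a selector must match, any one selector is enough, and "*"
# is a wildcard. An empty selector matches nothing.

def selector_matches(selector, labels):
    """True if every key/value pair in the selector is satisfied by labels."""
    if not selector:
        return False
    for key, want in selector.items():
        if key == "*" and want == "*":
            continue  # full wildcard pair
        if key not in labels:
            return False
        if want != "*" and labels[key] != want:
            return False
    return True

def preflight(db, selectors, role_db_labels):
    """Report which selectors register the db and whether the role covers it."""
    labels = db["metadata"].get("labels", {})
    return {
        "service_selectors": [i for i, s in enumerate(selectors)
                              if selector_matches(s, labels)],
        "role_allows": selector_matches(role_db_labels, labels),
        "wildcard_selectors": [i for i, s in enumerate(selectors)
                               if s == {"*": "*"}],
    }

# Selectors, role labels and the "example" resource are copied from this page.
SELECTORS = [{"env": "prod", "engine": "postgres"},
             {"env": "test", "engine": "mysql"}]
ROLE_DB_LABELS = {"engine": "postgres", "env": "prod"}
EXAMPLE_DB = {"kind": "db", "metadata": {
    "name": "example", "labels": {"env": "prod", "engine": "postgres"}}}
# Constructed resources: one outside the role's labels, one no selector matches.
TEST_MYSQL = {"kind": "db", "metadata": {
    "name": "constructed-test-mysql", "labels": {"env": "test", "engine": "mysql"}}}
ORPHAN = {"kind": "db", "metadata": {
    "name": "constructed-orphan", "labels": {"env": "prod", "engine": "mysql"}}}

if __name__ == "__main__":
    for db in (EXAMPLE_DB, TEST_MYSQL, ORPHAN):
        print(db["metadata"]["name"], preflight(db, SELECTORS, ROLE_DB_LABELS))
```

An empty service_selectors list means no Database Service instance would register the resource, and a non-empty wildcard_selectors list marks instances that register every dynamic database regardless of labels.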
To create a database resource, run:
tctl create database.yaml
After the resource has been created, it will appear among the list of available databases (in tsh db ls or UI) as long as at least one Database Service instance picks it up according to its label selectors.
To update an existing database resource, run:
tctl create -f database.yaml
If the updated resource's labels no longer match the label selectors of a particular Database Service instance, that instance will unregister the database and stop proxying it.
To delete a database resource, run:
tctl rm db/example
Aside from tctl, dynamic resources can also be added by:
See Using Dynamic Resources to learn more about managing Teleport's dynamic resources in general.