Would it be a problem to run auth and/or proxy servers in a docker cluster? #1493

Closed
iuriaranda opened this issue Dec 5, 2017 · 5 comments

@iuriaranda

Hi,

We're considering running the auth and proxy servers in separate containers in a docker cluster (ECS), and we were wondering if that would be a bad practice or inadvisable for some reason. Technically I don't think it's a problem, although there are some things that need to be well thought out, like:

  • how to deploy the TLS certificate on the containers
  • how to run tctl commands on the auth server.
@klizhentas
Contributor

Proxy and Auth were originally designed to run as separate services in production, so it should not be a problem.

  • How to deploy the TLS cert on the containers: I suggest using KMS and SSM parameter store to distribute certs on AWS.
  • Running tctl commands on the auth server: should work as is.
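
An entrypoint fragment in the spirit of that suggestion, added here as an example (not Teleport project code or the poster's): it reads the certificate and key from SSM Parameter Store, lets KMS decrypt the SecureString value, and installs both with owner-only permissions before the service starts. The parameter names, destination directory and the AWS_CLI override are assumptions.

```shell
#!/bin/sh
# Added example, not Teleport project code: install a TLS certificate and key
# distributed through AWS SSM Parameter Store (SecureString values are decrypted
# by KMS on read). Parameter names and paths below are assumptions.
set -eu

CERT_PARAM="${CERT_PARAM:-/teleport/proxy/tls-cert}"  # assumed name, String
KEY_PARAM="${KEY_PARAM:-/teleport/proxy/tls-key}"     # assumed name, SecureString
CERT_DIR="${CERT_DIR:-/var/lib/teleport/tls}"         # assumed destination
AWS_CLI="${AWS_CLI:-aws}"                              # overridable for offline testing

# Read one parameter value to stdout. --with-decryption asks SSM to KMS-decrypt
# SecureString values; the task role needs ssm:GetParameter and kms:Decrypt.
fetch_param() {
  "$AWS_CLI" ssm get-parameter --name "$1" --with-decryption \
    --query 'Parameter.Value' --output text
}

# Write stdin to a file readable only by the owner, and refuse an empty result
# (a failed or empty parameter must not leave a zero-byte key behind).
write_secret() {
  ( umask 077; cat > "$1" ) || return 1
  [ -s "$1" ] || { echo "empty value written to $1" >&2; rm -f "$1"; return 1; }
}

# Fetch both values, install them under a directory and sanity-check the PEM
# headers and the key file mode before the service starts.
install_tls_material() {
  dir="${1:-$CERT_DIR}"
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  fetch_param "$CERT_PARAM" | write_secret "$dir/tls.crt" || return 1
  fetch_param "$KEY_PARAM" | write_secret "$dir/tls.key" || return 1
  grep -q 'BEGIN CERTIFICATE' "$dir/tls.crt" || { echo "tls.crt is not PEM" >&2; return 1; }
  grep -q 'PRIVATE KEY' "$dir/tls.key" || { echo "tls.key is not PEM" >&2; return 1; }
  mode="$(stat -c %a "$dir/tls.key" 2>/dev/null || stat -f %Lp "$dir/tls.key")"
  [ "$mode" = "600" ] || { echo "tls.key mode is $mode, expected 600" >&2; return 1; }
}

# Typical entrypoint use: install, then hand off to teleport, whose proxy
# config (assumed at /etc/teleport.yaml) points at the two files above.
# install_tls_material && exec teleport start -c /etc/teleport.yaml
```

The values never pass through environment variables or log output, only through the pipe into the destination file.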

@klizhentas
Contributor

Going to close this ticket, but feel free to follow up with your questions here or in a new ticket.

@iuriaranda
Author

Great, thanks for the quick response.

@iuriaranda
Author

As I've already mentioned, we're going to run the auth server in Docker in ECS, but the problem then is that we would need to execute tctl commands inside the running container, and of course that is not that straightforward; I might even say it's not a good practice. So is there another way to issue administration commands to the auth server remotely?

My (maybe crazy) idea was to spin up a one-off auth container with a pre-configured tctl command to run. This container would start the auth Teleport service, issue the tctl command and shut down immediately. And we would need to do that for each command that we want to issue. Do you think that's doable? And if so, is there any reason not to do it this way?

@klizhentas
Contributor

Not very documented on our side, but you can use tctl remotely, assuming you have the right credentials and can point it to the auth server. We should document this. Let me create a separate ticket for it.
