Sign inTry Free

Configure RBAC with Teleport

On this page

The Teleport integration provides secure and certificate-based access to SingleStore via the Teleport Database Service. This integration enables you to control access to SingleStore databases using role-based access control (RBAC) through the Teleport RBAC system.

How the Teleport Integration Works

Teleport uses a proxy service that routes traffic from database clients to the SingleStore database using mutual TLS (mTLS). Teleport maintains a certificate authority (CA) for database clients that issues short-lived certificates for user sessions. The Teleport Database Service presents certificates signed by this CA when proxying connections to the SingleStore database, which is configured to trust the Teleport database client CA.

The Teleport Database Service verifies the identity of the SingleStore databases by checking their TLS certificates against either the Teleport database CA or a custom CA configured for the database.

Teleport authenticates using mutual TLS (mTLS). When a user initiates a database session, the Teleport Database Service presents a Teleport-signed certificate to SingleStore. To verify the connection, SingleStore presents its own certificate signed by either Teleport CA or a custom CA. After successful mutual authentication, the Teleport Database Service routes client traffic to the SingleStore database using the same protocol and tools used to connect to MySQL Server.

Prerequisites

  • Install the tctl and tsh clients.

  • SingleStore Toolbox.

  • An active Teleport cluster. Verify connectivity to the Teleport cluster. To test connectivity:

    • Run tsh login to sign in. For example:

      tsh login --proxy=<Teleport_cluster_endpoint> --user=<Teleport_username>

    • Run tctl status. Typically, if this command runs successfully, other tctl commands will run as expected.

  • An active SingleStore deployment running SingleStore database version 9.0.12 or later.

  • A host to run the Teleport Database Service.

  • Install the mariadb or mysql command-line client.

  • (Optional) A certificate authority.

  • (Optional) Install Helm to install the Teleport Database Service on a Kubernetes cluster.

Configure the Teleport Connection

Perform the following tasks to configure the connection between Teleport and SingleStore:

  1. Create a Teleport database token.

  2. Create a certificate/key pair.

  3. Configure SingleStore.

  4. Create a local Teleport User.

  5. Configure and start Teleport Database Service.

  6. Connect to SingleStore.

Once the connection is successfully configured, use Teleport to manage access to the SingleStore databases.

Create a Teleport Database Token

The Teleport Database Service requires a token to connect to the Teleport cluster. Run the following command to generate a valid token:

tctl tokens add --type=db --format=text

Copy and store the generated token in /tmp/token on the server that will run the Teleport Database Service.

Create a Certificate/Key Pair

Configure the SingleStore database to trust the Teleport CA. Alternatively, you can configure the Teleport Database Service to trust a custom CA.

Use Teleport CA

To configure the SingleStore database to trust the Teleport CA and issue a certificate for the database, perform the following tasks:

  1. To use the tctl command-line tool, a Teleport user must be able to assume the Db system role. Add the following allow rule to the Teleport user's role:

    allow:
      impersonate:
        users: ["Db"]
        roles: ["Db"]

  2. Run the following command to export Teleport's CA and generate a certificate/key pair. Update the hostname where the Teleport Database Service can access the SingleStore database server and the certificate validity period before running the command.

    tctl auth sign --format=db --host=<hostname> --out=server --ttl=<validity>

    This command creates 3 files:

    • server.cas

    • server.crt

    • server.key

  3. Export the Teleport Database CA public certificate and merge it with server.cas to generate a bundled certificate to be used by the SingleStore database.

    tctl auth export --type=db > teleport-db-ca.pem
    cat server.cas teleport-db-ca.pem > teleport-bundle.pem

Configure SingleStore

Enable TLS Connections

Run the following commands to enable TLS connections for SingleStore. Update the path to the respective file before running each command.

sdb-admin update-config --key ssl_cert --value /path/to/server.crt --all --yes
sdb-admin update-config --key ssl_key --value /path/to/server.key --all --yes
sdb-admin update-config --key ssl_ca --value /path/to/teleport-bundle.pem --all --yes
sdb-admin update-config --key ssl_ca_for_client_cert --value /path/to/teleport-bundle.pem --all --yes


# Restart the database to apply updates
sdb-admin restart-node --all --yes

Create/Update a Database User

Teleport uses a certificate to authenticate database users. Either create a new user or update an existing user to authenticate via a certificate. For example:

  • To create a new SingleStore database user:

    CREATE USER 'jane'@'%' REQUIRE SUBJECT '/CN=jane';

    Provide the necessary privileges to the new database user. For example:

    GRANT ALL PRIVILEGES ON dbTest.* TO 'jane';

  • Update an existing user:

    ALTER USER 'jane'@'%' REQUIRE SUBJECT '/CN=jane';
    

    -- Remove the password for the user
    SET PASSWORD FOR 'jane'@'%' = PASSWORD("");

Create a Local Teleport User

Use the tctl users add command to create a local Teleport user. For example:

tctl users add \
 --roles=access \
 --db-users="*" \
 --db-names="*" \
jane

This command creates a local Teleport user named jane with the built-in access role and access to all the databases and database user names. Follow the instructions in the output to complete user setup.

Configure and Start Teleport Database Service

Install and configure Teleport on the host where Teleport Database Service will run, using either of the following:

  • Linux server

  • Kubernetes cluster

Install on a Linux Server

  1. To install a Teleport Agent on a Linux server, run the Teleport cluster's install script. The script selects the correct version, edition, and installation mode for the cluster. For example:

    curl "https://<Teleport_cluster_hostname>:<port>/scripts/install.sh" | sudo bash

    Update the Teleport cluster hostname and port before running the command.

  2. Generate a configuration file at /etc/teleport.yaml for the Teleport Database Service. Update example.teleport.sh:443 in the command to use the host and port of the Teleport Proxy Service. Specify the endpoint (host:port) of the SingleStore deployment in the --uri option. For example:

    Note

    This command configures Teleport Database Service to use the Teleport CA.

    Also, a single Teleport process can run multiple services. The following command overwrites any existing configuration file. If you're running multiple services, add --output=stdout to print the configuration in the terminal, and then manually adjust /etc/teleport.yaml.

    sudo teleport db configure create \
       -o file \
       --token=/tmp/token \
       --proxy=example.teleport.sh:443 \
       --name=example-singlestore \
       --protocol=mysql \
       --uri=s2.example.com:3306 \
       --labels=env=dev

  3. Configure the Teleport Database Service to automatically start when the system starts.

    • If Teleport is installed using a package manager, run the following commands:

      sudo systemctl enable teleport
      sudo systemctl start teleport

    • If Teleport is installed using a tar archive, run the following command:

      sudo teleport install systemd -o /etc/systemd/system/teleport.service
      sudo systemctl enable teleport
      sudo systemctl start teleport

    Run the systemctl status teleport command to view the status of the Teleport Database Service.

Install on a Kubernetes Cluster

Teleport provides Helm charts to install the Teleport Database Service on a Kubernetes cluster.

  1. Configure Helm to fetch the Teleport charts from the Teleport Helm repository. Run the following command:

    helm repo add teleport https://charts.releases.teleport.dev

  2. Run the following command to refresh the local Helm cache:

    helm repo update

  3. Install a Teleport Agent in the Kubernetes cluster with the Teleport Database Service configuration. Create a values.yaml file with the required configuration.

    The following configures the Teleport Database Service to use the Teleport CA. Update the host and port of the Teleport Proxy Service and the endpoint of the SingleStore deployment. Replace JOIN_TOKEN with the Teleport Database Token created earlier.

    roles: db
    proxyAddr: example.teleport.sh
    # Set to false if using Teleport Community Edition
    enterprise: true
    authToken: "JOIN_TOKEN"
    databases:
      - name: example-mysql
        uri: s2.example.com:3306
        protocol: mysql
        static_labels:
          env: dev

  4. Install the chart.

    helm install teleport-kube-agent teleport/teleport-kube-agent \
      --create-namespace \
      --namespace teleport-agent \
      --version 18.2.10 \
      -f values.yaml

  5. Run the following command to verify that the Teleport Agent is running:

    kubectl -n teleport-agent get pods
    NAME                    READY   STATUS    RESTARTS   AGE
teleport-kube-agent-0   1/1     Running   0          32s

Connect to SingleStore

Once the Teleport Database Service is added to the cluster, run the following commands to log in to Teleport and view the databases accessible to the current user. For example:

tsh login --proxy=teleport.example.com --user=jane


tsh db ls
Name                Description         Labels
------------------- ------------------- -------
example-singlestore Example SingleStore env=dev

To connect to a database, run the tsh db connect command. For example:

tsh db connect --db-user=jane --db-name=<database> example-singlestore

This command retrieves the credentials for a database and connects to it. Additionally, you can connect to the database using the Web UI.

Note

The mysql or mariadb command-line client must be available in the system PATH to establish a connection. mariadb is the default command-line client for SingleStore.

To log out of a database and remove the credentials, run the following command:

# Remove credentials for a specific database instance.
tsh db logout <database-name>


# Remove credentials for all database instances.
tsh db logout

Last modified: November 11, 2025

Was this article helpful?

On this page

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK

Try Out This Notebook to See What’s Possible in SingleStore

Get access to other groundbreaking datasets and engage with our community for expert advice.

Sign UpLog In