Deploying Teleport

Introduction

Teleport is an open-source identity-aware access platform that provides secure access to infrastructure. It replaces VPNs, shared credentials, and legacy privileged access tools with certificate-based authentication and audit logging.

Key highlights of Teleport:

  • SSH Access: Secure server access with short-lived certificates
  • Kubernetes Access: Native kubectl access with RBAC integration
  • Database Access: Secure access to PostgreSQL, MySQL, MongoDB, and more
  • Application Access: Protect internal web applications
  • Session Recording: Record and audit all sessions
  • SSO Integration: SAML, OIDC, and GitHub authentication
  • Role-Based Access: Fine-grained access controls
  • Audit Logs: Complete audit trail of all access
  • MFA Support: Multi-factor authentication enforcement
  • Web UI: Modern web interface for access and administration

This guide walks through deploying Teleport on Klutch.sh using Docker.

Why Deploy Teleport on Klutch.sh

Deploying Teleport on Klutch.sh provides several advantages:

Simplified Deployment: Klutch.sh automatically detects your Dockerfile and builds Teleport without complex orchestration.

Persistent Storage: Attach persistent volumes for certificates, audit logs, and session recordings.

HTTPS by Default: Secure access plane with automatic SSL certificates.

GitHub Integration: Connect your configuration repository for automatic redeployments.

Prerequisites

Before deploying Teleport on Klutch.sh, ensure you have:

  • A Klutch.sh account
  • A GitHub account with a repository for your Teleport configuration
  • Basic familiarity with Docker and containerization concepts
  • A domain name for your Teleport cluster

Deploying Teleport on Klutch.sh

    Create Your Repository

    Create a new GitHub repository with a Dockerfile for Teleport:

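    FROM public.ecr.aws/gravitational/teleport:14
    ENV TELEPORT_CLUSTER_NAME=${TELEPORT_CLUSTER_NAME}
    ENV TELEPORT_AUTH_TYPE=local
    # 3023: SSH proxy, 3024: reverse tunnel, 3025: auth service
    EXPOSE 3023
    EXPOSE 3024
    EXPOSE 3025
    # 3080: web UI and proxy, 443: public address
    EXPOSE 3080
    EXPOSE 443
    # Certificates, audit logs, and session recordings live here
    VOLUME ["/var/lib/teleport"]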

    Push to GitHub

    Initialize and push your repository to GitHub with your Dockerfile.

    Create a New Project on Klutch.sh

    Navigate to the Klutch.sh dashboard and create a new project.

    Create a New App

    Within your project, create a new app and connect your GitHub repository.

    Configure HTTP Traffic

    In the deployment settings:

    • Select HTTP as the traffic type
    • Set the internal port to 3080 (web UI and proxy)

    Set Environment Variables

    Configure the following environment variables:

    Variable                Value
    TELEPORT_CLUSTER_NAME   Your cluster domain (e.g., teleport.example.com)
    TELEPORT_AUTH_TYPE      local (or github, saml, oidc)

    Attach Persistent Volumes

    Add the following volumes:

    Mount Path          Recommended Size   Purpose
    /var/lib/teleport   50 GB              Data, certificates, and session recordings

    Deploy Your Application

    Click Deploy to start the build process.

    Access Teleport

    Once deployment completes, access the Teleport web UI at your app URL.

Configuration

Initial Setup

Create the first user:

tctl users add admin --roles=editor,access --logins=root,ubuntu

Configuring teleport.yaml

Create a configuration file:

version: v3
teleport:
  data_dir: /var/lib/teleport
auth_service:
  enabled: true
  # cluster_name is an auth_service setting
  cluster_name: teleport.example.com
  listen_addr: 0.0.0.0:3025
proxy_service:
  enabled: true
  listen_addr: 0.0.0.0:3023          # SSH proxy
  web_listen_addr: 0.0.0.0:3080      # web UI and proxy
  tunnel_listen_addr: 0.0.0.0:3024   # reverse tunnel
  public_addr: teleport.example.com:443
ssh_service:
  enabled: true

Adding Nodes

Connect servers to your Teleport cluster:

  1. Generate a join token
  2. Install Teleport agent on the node
  3. Configure the agent to join your cluster
  4. Verify node appears in the web UI

SSO Configuration

Set up single sign-on:

  1. Navigate to Auth Connectors in the web UI
  2. Add your IdP (GitHub, SAML, OIDC)
  3. Configure roles and claims mapping
  4. Test authentication flow

Access Requests

Enable just-in-time access:

  1. Define roles with access request capabilities
  2. Users request elevated access
  3. Admins approve or deny requests
  4. Access automatically expires
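
The following role set is an added example of the just-in-time flow above; it is not part of the original guide or the Teleport project's own configuration. The role names (prod-ssh, engineer, prod-reviewer), the env: prod label, and the ubuntu login are assumptions chosen for illustration.

```yaml
# Added example: role names, labels, and logins are hypothetical.
# Elevated role that no user holds permanently; it is granted only
# through an approved access request.
kind: role
version: v6
metadata:
  name: prod-ssh
spec:
  options:
    # Caps the lifetime of certificates issued with this role
    max_session_ttl: 4h
  allow:
    logins: ['ubuntu']
    node_labels:
      env: 'prod'
---
# Base role for engineers: may request prod-ssh but carries no
# production access of its own.
kind: role
version: v6
metadata:
  name: engineer
spec:
  allow:
    request:
      roles: ['prod-ssh']
      thresholds:
        # One approval grants the request, one denial rejects it
        - approve: 1
          deny: 1
---
# Reviewer role for admins: may approve or deny requests for
# prod-ssh without holding prod-ssh.
kind: role
version: v6
metadata:
  name: prod-reviewer
spec:
  allow:
    review_requests:
      roles: ['prod-ssh']
```

Load the file with `tctl create -f`, then assign engineer to regular users and prod-reviewer to the admins who handle requests.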

Conclusion

Deploying Teleport on Klutch.sh gives you a secure infrastructure access platform with automatic builds, persistent storage, and secure HTTPS access. Replace VPNs and shared credentials with certificate-based authentication and complete audit logging.