Skip to search

TeleportAppV3

resources.teleport.dev / v1

apiVersion: resources.teleport.dev/v1 kind: TeleportAppV3 metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
App resource definition v3 from Teleport
UserGroups []string
UserGroups are a list of user group IDs that this app is associated with.
aws object
AWS contains additional options for AWS applications.
external_id string
ExternalID is the AWS External ID used when assuming roles in this app.
roles_anywhere_profile object
RolesAnywhereProfile contains the IAM Roles Anywhere fields associated with this Application. These fields are set when performing the synchronization of AWS IAM Roles Anywhere Profiles into Teleport Apps.
accept_role_session_name boolean
Whether this Roles Anywhere Profile accepts a custom role session name. When not supported, the AWS Session Name will be the X.509 certificate's serial number. When supported, the AWS Session Name will be the identity's username. This value comes from: https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_ProfileDetail.html / acceptRoleSessionName
profile_arn string
ProfileARN is the AWS IAM Roles Anywhere Profile ARN that originated this Teleport App.
cloud string
Cloud identifies the cloud instance the app represents.
cors object
CORSPolicy defines the Cross-Origin Resource Sharing settings for the app.
allow_credentials boolean
allow_credentials indicates whether credentials are allowed.
allowed_headers []string
allowed_headers specifies which headers can be used when accessing the app.
allowed_methods []string
allowed_methods specifies which methods are allowed when accessing the app.
allowed_origins []string
allowed_origins specifies which origins are allowed to access the app.
exposed_headers []string
exposed_headers indicates which headers are made available to scripts via the browser.
max_age integer
max_age indicates how long (in seconds) the results of a preflight request can be cached.
format: int32
dynamic_labels object
DynamicLabels are the app's command labels.
identity_center object
IdentityCenter encapsulates information specific to AWS IAM Identity Center. Only valid for Identity Center account apps.
account_id string
Account ID is the AWS-assigned ID of the account
permission_sets []object
PermissionSets lists the available permission sets on the given account
arn string
ARN is the fully-formed ARN of the Permission Set.
assignment_name string
AssignmentID is the ID of the Teleport Account Assignment resource that represents this permission being assigned on the enclosing Account.
name string
Name is the human-readable name of the Permission Set.
inference object
LLM contains LLM inference endpoint related configurations.
fallback_model string
Defines a model that will be used if the model requested is not on the list. The fallback model must be in the "models" list.
format string
Defines the LLM inference API format.
models []object
Defines the list of supported models, and optionally their name on the inference provider.
name string
provider_name string
provider string
Defines which inference provider will be used to serve the requests.
insecure_skip_verify boolean
InsecureSkipVerify disables app's TLS certificate verification.
integration string
Integration is the integration name that must be used to access this Application. Only applicable to AWS App Access. If present, the Application must use the Integration's credentials instead of ambient credentials to access Cloud APIs.
mcp object
MCP contains MCP server related configurations.
args []string
Args to execute with the command.
command string
Command to launch stdio-based MCP servers.
run_as_host_user string
RunAsHostUser is the host user account under which the command will be executed. Required for stdio-based MCP servers.
public_addr string
PublicAddr is the public address the application is accessible at.
required_app_names []string
RequiredAppNames is a list of app names that are required for this app to function. Any app listed here will be part of the authentication redirect flow and authenticate alongside this app.
rewrite object
Rewrite is a list of rewriting rules to apply to requests and responses.
headers []object
Headers is a list of headers to inject when passing the request over to the application.
name string
Name is the http header name.
value string
Value is the http header value.
jwt_claims string
JWTClaims configures whether roles/traits are included in the JWT token.
redirect []string
Redirect defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header.
tcp_ports []object
TCPPorts is a list of ports and port ranges that an app agent can forward connections to. Only applicable to TCP App Access. If this field is not empty, URI is expected to contain no port number and start with the tcp protocol.
end_port integer
EndPort describes the end of the range, inclusive. If set, it must be between 2 and 65535 and be greater than Port when describing a port range. When omitted or set to zero, it signifies that the port range defines a single port.
format: int32
port integer
Port describes the start of the range. It must be between 1 and 65535.
format: int32
tls object
TLS contains the app TLS configuration.
allowed_cas []string
AllowedCas is the list of user provided CAs used for verifying upstream certificates. Accepted values are PEM-encoded CA certificates and Teleport CA aliases. Supported aliases: "workload_identity" (workload Identity CA. Allows accepting certificates issued by `tbot`).
client_cert_mode string
ClientCertMode specifies which client certificate mode to use for the upstream connection. Supported values: "managed" (app service will issue client certificates to use in the app upstream connection, establishing mTLS connections), "disabled" (app upstream connection won't use client certificates).
mode string
Mode defines the TLS verification. Supported values: "verify-full" (performs certificate validation, and asserts server name and SPIFFE ID), "verify-server-name" (performs certificate validation, and asserts server name), "verify-spiffe-id": (performs certificate validation, and asserts SPIFFE ID. Requires `server_spiffe_id` option), "insecure": (accepts any certificate provided by app)
server_name string
ServerName specifies a custom hostname used for TLS verification against the upstream certificate.
server_spiffe_id string
ServerSpiffeId specifies a SPIFFE ID that must be present on the server certificate.
uri string
URI is the web app endpoint.
use_any_proxy_public_addr boolean
UseAnyProxyPublicAddr will rebuild this app's fqdn based on the proxy public addr that the request originated from. This should be true if your proxy has multiple proxy public addrs and you want the app to be accessible from any of them. If `public_addr` is explicitly set in the app spec, setting this value to true will overwrite that public address in the web UI.
status object
Status defines the observed state of the Teleport resource
conditions []object
Conditions represent the latest available observations of an object's state
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
teleportResourceID integer
format: int64

No matches. Try .spec.UserGroups for an exact path