TeleportProvisionToken
resources.teleport.dev / v2
apiVersion: resources.teleport.dev/v2
kind: TeleportProvisionToken
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
ProvisionToken resource definition v2 from Teleport
allow []object
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
aws_account
string
AWSAccount is the AWS account ID.
aws_arn
string
AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?".
aws_organization_id
string
AWSOrganizationID is used for the IAM join method, the AWS identity of joining nodes must belong to this organization.
aws_organizational_units object
AWSOrganizationalUnits contains rules for matching AWS accounts based on their Organizational Units. Requires AWS Organization ID to be specified. The account's root ID is considered an Organizational Unit when validating the rule.
exclude
[]string
Exclude is a list of AWS Organizational Unit IDs and children OUs to exclude. Accounts that belong to these OUs, and their children, will be excluded, even if they were included. Only exact matches are supported. Optional. If empty, no OUs are excluded.
include
[]string
Include is a list of AWS Organizational Unit IDs and children OUs to include. Accounts that belong to these OUs, and their children, will be included. Only exact matches or wildcard (*) are supported. Required.
aws_regions
[]string
AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from.
aws_role
string
AWSRole is used for the EC2 join method and is the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API.
aws_iid_ttl
string
AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token.
format:
durationazure object
Azure allows the configuration of options specific to the "azure" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
resource_groups
[]string
subscription
string
tenant
string
azure_devops object
AzureDevops allows the configuration of options specific to the "azure_devops" join method.
allow []object
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. At least one allow rule must be specified.
definition_id
string
pipeline_name
string
project_id
string
project_name
string
repository_ref
string
repository_uri
string
repository_version
string
sub
string
organization_id
string
OrganizationID specifies the UUID of the Azure DevOps organization that this join token will grant access to. This is used to identify the correct issuer verification of the ID token. This is a required field.
bitbucket object
Bitbucket allows the configuration of options specific to the "bitbucket" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
branch_name
string
deployment_environment_uuid
string
repository_uuid
string
workspace_uuid
string
audience
string
Audience is a Bitbucket-specified audience value for this token. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings.
identity_provider_url
string
IdentityProviderURL is a Bitbucket-specified issuer URL for incoming OIDC tokens. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings.
bot_name
string
BotName is the name of the bot this token grants access to, if any
bound_keypair object
BoundKeypair allows the configuration of options specific to the "bound_keypair" join method.
onboarding object
Onboarding contains parameters related to initial onboarding and keypair registration.
initial_public_key
string
must_register_before
string
format:
date-time
registration_secret
string
recovery object
Recovery contains parameters related to recovery after identity expiration.
limit
integer
format:
int32
mode
string
rotate_after
string
RotateAfter is an optional timestamp that forces clients to perform a keypair rotation on the next join or recovery attempt after the given date. If `LastRotatedAt` is unset or before this timestamp, a rotation will be requested. It is recommended to set this value to the current timestamp if a rotation should be triggered on the next join attempt.
format:
date-timecircleci object
CircleCI allows the configuration of options specific to the "circleci" join method.
allow []object
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
context_id
string
project_id
string
organization_id
string
env0 object
Env0 allows the configuration of options specific to the "env0" join method.
allow []object
Allow is a list of Rules, jobs using this token must match at least one allow rule to use this token.
deployer_email
string
deployment_type
string
env0_tag
string
environment_id
string
environment_name
string
organization_id
string
project_id
string
project_name
string
template_id
string
template_name
string
workspace_name
string
gcp object
GCP allows the configuration of options specific to the "gcp" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
locations
[]string
project_ids
[]string
service_accounts
[]string
github object
GitHub allows the configuration of options specific to the "github" join method.
allow []object
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
actor
string
enterprise
string
enterprise_id
string
environment
string
ref
string
ref_type
string
repository
string
repository_owner
string
sub
string
workflow
string
enterprise_server_host
string
EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service.
enterprise_slug
string
EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the `include_enterprise_slug` option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.
static_jwks
string
StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service.
gitlab object
GitLab allows the configuration of options specific to the "gitlab" join method.
allow []object
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
ci_config_ref_uri
string
ci_config_sha
string
deployment_tier
string
environment
string
environment_protected
boolean
namespace_path
string
pipeline_source
string
project_path
string
project_visibility
string
ref
string
ref_protected
boolean
ref_type
string
sub
string
user_email
string
user_id
string
user_login
string
domain
string
Domain is the domain of your GitLab instance. This will default to `gitlab.com` - but can be set to the domain of your self-hosted GitLab e.g `gitlab.example.com`.
static_jwks
string
StaticJWKS disables fetching of the GitLab signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitLab CI instances that are not reachable by the Teleport Auth Service.
integration
string
Integration name which provides credentials for validating join attempts. Currently only in use for validating the AWS Organization ID in the IAM Join method.
join_method
string
JoinMethod is the joining method required in order to use this token. Supported joining methods include: azure, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm
kubernetes object
Kubernetes allows the configuration of options specific to the "kubernetes" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
service_account
string
service_account_name
string
service_account_namespace
string
oidc object
OIDCConfig configures the `oidc` type.
insecure_allow_http_issuer
boolean
issuer
string
static_jwks object
StaticJWKS is the configuration specific to the `static_jwks` type.
jwks
string
type
string
Type controls which behavior should be used for validating the Kubernetes Service Account token. Support values: - `in_cluster` - `static_jwks` - `oidc` If unset, this defaults to `in_cluster`.
oracle object
Oracle allows the configuration of options specific to the "oracle" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
instances
[]string
parent_compartments
[]string
regions
[]string
tenancy
string
roles
[]string
Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token
spacelift object
Spacelift allows the configuration of options specific to the "spacelift" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
caller_id
string
caller_type
string
scope
string
space_id
string
enable_glob_matching
boolean
EnableGlobMatching enables glob-style matching for the space_id and caller_id fields in the rules.
hostname
string
Hostname is the hostname of the Spacelift tenant that tokens will originate from. E.g `example.app.spacelift.io`
suggested_agent_matcher_labels
object
SuggestedAgentMatcherLabels is a set of labels to be used by agents to match on resources. When an agent uses this token, the agent should monitor resources that match those labels. For databases, this means adding the labels to `db_service.resources.labels`. Currently, only node-join scripts create a configuration according to the suggestion.
suggested_labels
object
SuggestedLabels is a set of labels that resources should set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion.
terraform_cloud object
TerraformCloud allows the configuration of options specific to the "terraform_cloud" join method.
allow []object
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
organization_id
string
organization_name
string
project_id
string
project_name
string
run_phase
string
workspace_id
string
workspace_name
string
audience
string
Audience is the JWT audience as configured in the TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform Cloud. If unset, defaults to the Teleport cluster name. For example, if `TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo` is set in Terraform Cloud, this value should be `foo`. If the variable is set to match the cluster name, it does not need to be set here.
hostname
string
Hostname is the hostname of the Terraform Enterprise instance expected to issue JWTs allowed by this token. This may be unset for regular Terraform Cloud use, in which case it will be assumed to be `app.terraform.io`. Otherwise, it must both match the `iss` (issuer) field included in JWTs, and provide standard JWKS endpoints.
tpm object
TPM allows the configuration of options specific to the "tpm" join method.
allow []object
Allow is a list of Rules, the presented delegated identity must match one allow rule to permit joining.
description
string
ek_certificate_serial
string
ek_public_hash
string
ekcert_allowed_cas
[]string
EKCertAllowedCAs is a list of CA certificates that will be used to validate TPM EKCerts. When specified, joining TPMs must present an EKCert signed by one of the specified CAs. TPMs that do not present an EKCert will be not permitted to join. When unspecified, TPMs will be allowed to join with either an EKCert or an EKPubHash.
status object
Status defines the observed state of the Teleport resource
conditions []object
Conditions represent the latest available observations of an object's state
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316
teleportResourceID
integer
format:
int64No matches. Try .spec.allow for an exact path