diff --git a/docs/pages/reference/operator-resources/resources-teleport-dev-botsv1.mdx b/docs/pages/reference/operator-resources/resources-teleport-dev-botsv1.mdx
new file mode 100644
index 0000000000000..2ff7537e48fec
--- /dev/null
+++ b/docs/pages/reference/operator-resources/resources-teleport-dev-botsv1.mdx
@@ -0,0 +1,38 @@
+---
+title: TeleportBotV1
+description: Provides a comprehensive list of fields in the TeleportBotV1 resource available through the Teleport Kubernetes operator
+tocDepth: 3
+---
+
+{/*Auto-generated file. Do not edit.*/}
+{/*To regenerate, navigate to integrations/operator and run "make crd-docs".*/}
+
+This guide is a comprehensive reference to the fields in the `TeleportBotV1`
+resource, which you can apply after installing the Teleport Kubernetes operator.
+
+
+## resources.teleport.dev/v1
+
+**apiVersion:** resources.teleport.dev/v1
+
+|Field|Type|Description|
+|---|---|---|
+|apiVersion|string|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources|
+|kind|string|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds|
+|metadata|object||
+|spec|[object](#spec)|Bot resource definition v1 from Teleport|
+
+### spec
+
+|Field|Type|Description|
+|---|---|---|
+|roles|[]string|The roles that the bot should be able to impersonate.|
+|traits|[][object](#spectraits-items)|The traits that will be associated with the bot for the purposes of role templating. Where multiple specified with the same name, these will be merged by the server.|
+
+### spec.traits items
+
+|Field|Type|Description|
+|---|---|---|
+|name|string|The name of the trait. This is what allows the trait to be queried in role templates.|
+|values|[]string|The values associated with the named trait.|
+
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_botsv1.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_botsv1.yaml
new file mode 100644
index 0000000000000..87454a36eb5e5
--- /dev/null
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_botsv1.yaml
@@ -0,0 +1,139 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: teleportbotsv1.resources.teleport.dev
+spec:
+ group: resources.teleport.dev
+ names:
+ kind: TeleportBotV1
+ listKind: TeleportBotV1List
+ plural: teleportbotsv1
+ shortNames:
+ - botv1
+ - botsv1
+ singular: teleportbotv1
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: BotV1 is the Schema for the botsv1 API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Bot resource definition v1 from Teleport
+ properties:
+ roles:
+ description: The roles that the bot should be able to impersonate.
+ items:
+ type: string
+ nullable: true
+ type: array
+ traits:
+ description: The traits that will be associated with the bot for the
+ purposes of role templating. Where multiple specified with the
+ same name, these will be merged by the server.
+ items:
+ properties:
+ name:
+ description: The name of the trait. This is what allows the
+ trait to be queried in role templates.
+ type: string
+ values:
+ description: The values associated with the named trait.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ type: object
+ status:
+ description: Status defines the observed state of the Teleport resource
+ properties:
+ conditions:
+ description: Conditions represent the latest available observations
+ of an object's state
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ teleportResourceID:
+ format: int64
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/role.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/role.yaml
index 1b7c21935ce5c..d4b5ac7a99721 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/role.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/role.yaml
@@ -38,6 +38,8 @@ rules:
- teleportopenssheiceserversv2/status
- teleporttrustedclustersv2
- teleporttrustedclustersv2/status
+ - teleportbotsv1
+ - teleportbotsv1/status
verbs:
- get
- list
diff --git a/examples/chart/teleport-cluster/templates/auth/config.yaml b/examples/chart/teleport-cluster/templates/auth/config.yaml
index d1c4bffcb5cf6..cbf65a7ede1fb 100644
--- a/examples/chart/teleport-cluster/templates/auth/config.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/config.yaml
@@ -139,6 +139,14 @@ data:
- read
- update
- delete
+ - resources:
+ - bot
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
deny: {}
version: v7
---
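Review bot: The new `bot` rule grants the operator's Teleport role `create` and `update` on bots, and since `TeleportBotV1.spec.roles` is copied verbatim into the bot by the `ToTeleport` conversion added in this change, any Kubernetes principal allowed to write `TeleportBotV1` objects in the operator's namespace ends up able to obtain a bot holding whichever Teleport roles it names; nothing in the hunk records that trust consequence. Whether the auth server additionally checks that the caller may impersonate the requested roles is not visible here, so the chart should not rely on it. A comment above the rule would make the boundary explicit, e.g. `# bot: the operator creates bots with the roles named in TeleportBotV1 CRs; restrict who may write those CRs.`, and the operator documentation should carry the same caveat.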
diff --git a/integrations/operator/CONTRIBUTING.md b/integrations/operator/CONTRIBUTING.md
index e90050c6e719c..09f11143a5ff8 100644
--- a/integrations/operator/CONTRIBUTING.md
+++ b/integrations/operator/CONTRIBUTING.md
@@ -60,12 +60,9 @@ your resource version is added to the root `scheme` with a call like
#### Add RBAC permissions for the new resource type
-Add Kubernetes RBAC permissions to allow the operator to work with the resources
-on the Kubernetes side.
-The cluster role spec is found in `../../examples/chart/teleport-cluster/templates/auth/config.yaml`.
-
-Update the RBAC permissions in `hack/fixture-operator-role.yaml` to update
-operator the role used for debugging.
+- Grant the operator access to the Kubernetes resource in: `../../examples/chart/teleport-cluster/charts/templates/role.yaml`.
+- Grant the operator access to the Teleport resource in: `../../examples/chart/teleport-cluster/templates/auth/config.yaml`.
+- Update the RBAC permissions in `hack/fixture-operator-role.yaml` to update operator the role used for debugging.
### Debugging tips
diff --git a/integrations/operator/Makefile b/integrations/operator/Makefile
index 2204e15be8fc3..63e8d333f5c70 100644
--- a/integrations/operator/Makefile
+++ b/integrations/operator/Makefile
@@ -82,7 +82,8 @@ crdgen: ## Generate CRDs
PROTOS = \
teleport/loginrule/v1/loginrule.proto \
teleport/accesslist/v1/accesslist.proto \
- teleport/legacy/types/types.proto
+ teleport/legacy/types/types.proto \
+ teleport/machineid/v1/bot.proto
.PHONY: manifests
manifests: crdgen controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
diff --git a/integrations/operator/README.md b/integrations/operator/README.md
index d240ca82da84b..6706876d782ae 100644
--- a/integrations/operator/README.md
+++ b/integrations/operator/README.md
@@ -24,6 +24,7 @@ The operator supports reconciling the following Kubernetes CRs:
- TeleportOpenSSHEICEServerV2
- TeleportOpenSSHServerV2
- TeleportTrustedClusterV2
+- TeleportBotV1
- TeleportSAMLConnector [1]
- TeleportOIDCConnector [1]
- TeleportLoginRule [1]
diff --git a/integrations/operator/apis/resources/v1/botv1_types.go b/integrations/operator/apis/resources/v1/botv1_types.go
new file mode 100644
index 0000000000000..57c0fc915ab89
--- /dev/null
+++ b/integrations/operator/apis/resources/v1/botv1_types.go
@@ -0,0 +1,104 @@
+/*
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package v1
+
+import (
+ "google.golang.org/protobuf/encoding/protojson"
+ "google.golang.org/protobuf/proto"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+ machineidv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1"
+ "github.com/gravitational/teleport/api/types"
+ "github.com/gravitational/teleport/integrations/operator/apis/resources"
+)
+
+func init() {
+ SchemeBuilder.Register(&TeleportBotV1{}, &TeleportBotV1List{})
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// TeleportBotV1 holds the kubernetes custom resources for Bot
+type TeleportBotV1 struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec *TeleportBotV1Spec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
+}
+
+// TeleportBotV1Spec defines the desired state of TeleportBotV1
+type TeleportBotV1Spec machineidv1.BotSpec
+
+//+kubebuilder:object:root=true
+
+// TeleportBotV1List contains a list of TeleportBotV1
+type TeleportBotV1List struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []TeleportBotV1 `json:"items"`
+}
+
+// ToTeleport returns a Bot, which wraps the actual
+// [machineidv1.Bot] and implements the necessary interface methods used
+// by the TeleportResourceReconciler.
+func (l *TeleportBotV1) ToTeleport() *machineidv1.Bot {
+ resource := &machineidv1.Bot{
+ Kind: types.KindBot,
+ Version: types.V1,
+ Metadata: &headerv1.Metadata{
+ Name: l.Name,
+ Description: l.Annotations[resources.DescriptionKey],
+ Labels: l.Labels,
+ },
+ Spec: (*machineidv1.BotSpec)(l.Spec),
+ }
+ return resource
+}
+
+// StatusConditions returns a pointer to Status.Conditions slice. This is used
+// by the teleport resource controller to report conditions back to on resource.
+func (l *TeleportBotV1) StatusConditions() *[]metav1.Condition {
+ return &l.Status.Conditions
+}
+
+// UnmarshalJSON delegates unmarshaling of the BotSpec to protojson, which is
+// necessary for the BotSpec (and other Proto RFD153 resources) to be
+// unmarshaled correctly from the unstructured object.
+func (spec *TeleportBotV1Spec) UnmarshalJSON(data []byte) error {
+ return protojson.UnmarshalOptions{
+ DiscardUnknown: true,
+ }.Unmarshal(data, (*machineidv1.BotSpec)(spec))
+}
+
+// MarshalJSON delegates marshaling of the BotSpec to protojson, which is
+// necessary for the BotSpec (and other Proto RFD153 resources) to be
+// marshaled correctly into the unstructured object.
+func (spec *TeleportBotV1Spec) MarshalJSON() ([]byte, error) {
+ return protojson.Marshal((*machineidv1.BotSpec)(spec))
+}
+
+// DeepCopyInto deep-copies one user spec into another.
+// Required to satisfy runtime.Object interface.
+func (spec *TeleportBotV1Spec) DeepCopyInto(out *TeleportBotV1Spec) {
+ proto.Reset((*machineidv1.BotSpec)(out))
+ proto.Merge((*machineidv1.BotSpec)(out), (*machineidv1.BotSpec)(spec))
+}
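Review bot: The comment on `DeepCopyInto` (the last method in the hunk) says it copies "one user spec into another", which looks carried over from another resource type; it should read `// DeepCopyInto deep-copies one bot spec into another.` Its second line, "Required to satisfy runtime.Object interface", is also imprecise: the spec type is not a `runtime.Object`, the method exists so that the generated `TeleportBotV1Spec.DeepCopy` and `TeleportBotV1.DeepCopyInto` have a proto-aware deep copy to call. Separately, `ToTeleport` hands `l.Labels` to the Teleport metadata by reference rather than copying the map, so any label the reconciler later adds to the converted resource would also appear on the in-memory CR; the reconciler is not in this hunk, so this may be intentional and shared with the other RFD153 types, but it is worth a one-line comment either way.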
diff --git a/integrations/operator/apis/resources/v1/botv1_types_test.go b/integrations/operator/apis/resources/v1/botv1_types_test.go
new file mode 100644
index 0000000000000..c7301c82ed8f9
--- /dev/null
+++ b/integrations/operator/apis/resources/v1/botv1_types_test.go
@@ -0,0 +1,34 @@
+/*
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package v1
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestTeleportBotV1Spec_DeepCopyInto(t *testing.T) {
+ in := &TeleportBotV1Spec{
+ Roles: []string{"roleA", "roleB"},
+ }
+ out := &TeleportBotV1Spec{}
+ in.DeepCopyInto(out)
+ require.Equal(t, in, out)
+}
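Review bot: The test only populates `Roles`, so it never demonstrates that the nested `Traits` messages are copied rather than aliased, which is the part of `DeepCopyInto` that can actually go wrong. `require.Equal` also compares generated protobuf structs through reflection, including their internal state fields, which is fragile; comparing with `proto.Equal` and adding a pointer-inequality check on a trait says what the test means. The rewrite below needs the `proto` and `machineidv1` imports that `botv1_types.go` in the same package already uses.
```go
func TestTeleportBotV1Spec_DeepCopyInto(t *testing.T) {
	in := &TeleportBotV1Spec{
		Roles:  []string{"roleA", "roleB"},
		Traits: []*machineidv1.Trait{{Name: "traitA", Values: []string{"valueA"}}},
	}
	out := &TeleportBotV1Spec{}
	in.DeepCopyInto(out)
	require.True(t, proto.Equal((*machineidv1.BotSpec)(in), (*machineidv1.BotSpec)(out)))
	// A deep copy must not alias nested messages.
	require.NotSame(t, in.Traits[0], out.Traits[0])
}
```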
diff --git a/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go b/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go
index 6b803d79d2577..c793bb736e41a 100644
--- a/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go
+++ b/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go
@@ -95,6 +95,78 @@ func (in *TeleportAccessListSpec) DeepCopy() *TeleportAccessListSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TeleportBotV1) DeepCopyInto(out *TeleportBotV1) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ if in.Spec != nil {
+ in, out := &in.Spec, &out.Spec
+ *out = (*in).DeepCopy()
+ }
+ in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportBotV1.
+func (in *TeleportBotV1) DeepCopy() *TeleportBotV1 {
+ if in == nil {
+ return nil
+ }
+ out := new(TeleportBotV1)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TeleportBotV1) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TeleportBotV1List) DeepCopyInto(out *TeleportBotV1List) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]TeleportBotV1, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportBotV1List.
+func (in *TeleportBotV1List) DeepCopy() *TeleportBotV1List {
+ if in == nil {
+ return nil
+ }
+ out := new(TeleportBotV1List)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TeleportBotV1List) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportBotV1Spec.
+func (in *TeleportBotV1Spec) DeepCopy() *TeleportBotV1Spec {
+ if in == nil {
+ return nil
+ }
+ out := new(TeleportBotV1Spec)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TeleportLoginRule) DeepCopyInto(out *TeleportLoginRule) {
*out = *in
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_botsv1.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_botsv1.yaml
new file mode 100644
index 0000000000000..87454a36eb5e5
--- /dev/null
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_botsv1.yaml
@@ -0,0 +1,139 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: teleportbotsv1.resources.teleport.dev
+spec:
+ group: resources.teleport.dev
+ names:
+ kind: TeleportBotV1
+ listKind: TeleportBotV1List
+ plural: teleportbotsv1
+ shortNames:
+ - botv1
+ - botsv1
+ singular: teleportbotv1
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: BotV1 is the Schema for the botsv1 API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Bot resource definition v1 from Teleport
+ properties:
+ roles:
+ description: The roles that the bot should be able to impersonate.
+ items:
+ type: string
+ nullable: true
+ type: array
+ traits:
+ description: The traits that will be associated with the bot for the
+ purposes of role templating. Where multiple specified with the
+ same name, these will be merged by the server.
+ items:
+ properties:
+ name:
+ description: The name of the trait. This is what allows the
+ trait to be queried in role templates.
+ type: string
+ values:
+ description: The values associated with the named trait.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ type: object
+ status:
+ description: Status defines the observed state of the Teleport resource
+ properties:
+ conditions:
+ description: Conditions represent the latest available observations
+ of an object's state
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ teleportResourceID:
+ format: int64
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/integrations/operator/controllers/resources/botv1_controller.go b/integrations/operator/controllers/resources/botv1_controller.go
new file mode 100644
index 0000000000000..c7ddffd984457
--- /dev/null
+++ b/integrations/operator/controllers/resources/botv1_controller.go
@@ -0,0 +1,89 @@
+/*
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package resources
+
+import (
+ "context"
+
+ "github.com/gravitational/trace"
+ kclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "github.com/gravitational/teleport/api/client"
+ machineidv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1"
+ resourcesv1 "github.com/gravitational/teleport/integrations/operator/apis/resources/v1"
+ "github.com/gravitational/teleport/integrations/operator/controllers"
+ "github.com/gravitational/teleport/integrations/operator/controllers/reconcilers"
+)
+
+// botClient implements TeleportResourceClient and offers CRUD methods needed to reconcile bot
+type botClient struct {
+ teleportClient *client.Client
+}
+
+// Get gets the Teleport bot of a given name
+func (l botClient) Get(ctx context.Context, name string) (*machineidv1.Bot, error) {
+ resp, err := l.teleportClient.
+ BotServiceClient().
+ GetBot(ctx, &machineidv1.GetBotRequest{BotName: name})
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ return resp, nil
+}
+
+// Create creates a Teleport bot
+func (l botClient) Create(ctx context.Context, resource *machineidv1.Bot) error {
+ _, err := l.teleportClient.
+ BotServiceClient().
+ CreateBot(ctx, &machineidv1.CreateBotRequest{Bot: resource})
+ return trace.Wrap(err)
+}
+
+// Update updates a Teleport bot
+func (l botClient) Update(ctx context.Context, resource *machineidv1.Bot) error {
+ _, err := l.teleportClient.
+ BotServiceClient().
+ UpsertBot(ctx, &machineidv1.UpsertBotRequest{Bot: resource})
+ return trace.Wrap(err)
+}
+
+// Delete deletes a Teleport bot
+func (l botClient) Delete(ctx context.Context, name string) error {
+ _, err := l.teleportClient.
+ BotServiceClient().
+ DeleteBot(ctx, &machineidv1.DeleteBotRequest{BotName: name})
+ return trace.Wrap(err)
+}
+
+// NewBotV1Reconciler instantiates a new Kubernetes controller reconciling bot
+// resources
+func NewBotV1Reconciler(client kclient.Client, tClient *client.Client) (controllers.Reconciler, error) {
+ botClient := &botClient{
+ teleportClient: tClient,
+ }
+
+ resourceReconciler, err := reconcilers.NewTeleportResource153Reconciler[
+ *machineidv1.Bot, *resourcesv1.TeleportBotV1,
+ ](
+ client,
+ botClient,
+ )
+
+ return resourceReconciler, trace.Wrap(err, "building teleport resource reconciler")
+}
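Review bot: In `NewBotV1Reconciler` the parameter named `client` shadows the imported `client` package (`github.com/gravitational/teleport/api/client`) for the whole function body; it compiles only because a parameter's scope begins at the body, after `*client.Client` in the signature has already been resolved, and it will break the first time someone references the package inside the function. Renaming it, e.g. `func NewBotV1Reconciler(kubeClient kclient.Client, tClient *client.Client) (controllers.Reconciler, error) {` with `kubeClient` passed to `NewTeleportResource153Reconciler`, avoids the trap; the sibling controllers are not visible here and may share the pattern, so align with them if they are changed too. The receiver name `l` on `botClient` also looks inherited from the login-rule controller; `c` or `b` would match the type.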
diff --git a/integrations/operator/controllers/resources/botv1_controller_test.go b/integrations/operator/controllers/resources/botv1_controller_test.go
new file mode 100644
index 0000000000000..ad6b0174eb52a
--- /dev/null
+++ b/integrations/operator/controllers/resources/botv1_controller_test.go
@@ -0,0 +1,173 @@
+/*
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package resources_test
+
+import (
+ "context"
+ "strings"
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ "github.com/gravitational/trace"
+ "google.golang.org/protobuf/testing/protocmp"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ kclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+ headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+ machineidv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1"
+ "github.com/gravitational/teleport/api/types"
+ resourcesv1 "github.com/gravitational/teleport/integrations/operator/apis/resources/v1"
+ "github.com/gravitational/teleport/integrations/operator/controllers/reconcilers"
+ "github.com/gravitational/teleport/integrations/operator/controllers/resources/testlib"
+)
+
+var botSpec = &machineidv1.BotSpec{
+ Roles: []string{"roleA", "roleB"},
+ Traits: []*machineidv1.Trait{
+ {
+ Name: "traitA",
+ Values: []string{"valueA", "valueB"},
+ },
+ {
+ Name: "traitB",
+ Values: []string{"valueC", "valueD"},
+ },
+ },
+}
+
+type botTestingPrimitives struct {
+ setup *testSetup
+ reconcilers.Resource153Adapter[*machineidv1.Bot]
+}
+
+func (g *botTestingPrimitives) Init(setup *testSetup) {
+ g.setup = setup
+}
+
+func (g *botTestingPrimitives) SetupTeleportFixtures(ctx context.Context) error {
+ return nil
+}
+
+func (g *botTestingPrimitives) CreateTeleportResource(ctx context.Context, name string) error {
+ bot := &machineidv1.Bot{
+ Kind: types.KindBot,
+ Version: types.V1,
+ Metadata: &headerv1.Metadata{
+ Name: name,
+ Labels: map[string]string{
+ types.OriginLabel: types.OriginKubernetes,
+ },
+ },
+ Spec: botSpec,
+ }
+ _, err := g.setup.TeleportClient.
+ BotServiceClient().
+ CreateBot(ctx, &machineidv1.CreateBotRequest{Bot: bot})
+ return trace.Wrap(err)
+}
+
+func (g *botTestingPrimitives) GetTeleportResource(ctx context.Context, name string) (*machineidv1.Bot, error) {
+ resp, err := g.setup.TeleportClient.
+ BotServiceClient().
+ GetBot(ctx, &machineidv1.GetBotRequest{BotName: name})
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ return resp, nil
+}
+
+func (g *botTestingPrimitives) DeleteTeleportResource(ctx context.Context, name string) error {
+ _, err := g.setup.TeleportClient.
+ BotServiceClient().
+ DeleteBot(ctx, &machineidv1.DeleteBotRequest{BotName: name})
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ return nil
+}
+
+func (g *botTestingPrimitives) CreateKubernetesResource(ctx context.Context, name string) error {
+ bot := &resourcesv1.TeleportBotV1{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: g.setup.Namespace.Name,
+ },
+ Spec: (*resourcesv1.TeleportBotV1Spec)(botSpec),
+ }
+ return trace.Wrap(g.setup.K8sClient.Create(ctx, bot))
+}
+
+func (g *botTestingPrimitives) DeleteKubernetesResource(ctx context.Context, name string) error {
+ bot := &resourcesv1.TeleportBotV1{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: g.setup.Namespace.Name,
+ },
+ }
+ return trace.Wrap(g.setup.K8sClient.Delete(ctx, bot))
+}
+
+func (g *botTestingPrimitives) GetKubernetesResource(ctx context.Context, name string) (*resourcesv1.TeleportBotV1, error) {
+ bot := &resourcesv1.TeleportBotV1{}
+ obj := kclient.ObjectKey{
+ Name: name,
+ Namespace: g.setup.Namespace.Name,
+ }
+ err := g.setup.K8sClient.Get(ctx, obj, bot)
+ return bot, trace.Wrap(err)
+}
+
+func (g *botTestingPrimitives) ModifyKubernetesResource(ctx context.Context, name string) error {
+ bot, err := g.GetKubernetesResource(ctx, name)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ bot.Spec.Roles = []string{"changed"}
+ return trace.Wrap(g.setup.K8sClient.Update(ctx, bot))
+}
+
+func (g *botTestingPrimitives) CompareTeleportAndKubernetesResource(
+ tResource *machineidv1.Bot, kubeResource *resourcesv1.TeleportBotV1) (bool, string) {
+ diff := cmp.Diff(
+ tResource,
+ kubeResource.ToTeleport(),
+ testlib.ProtoCompareOptions(
+ protocmp.IgnoreFields(&machineidv1.Bot{}, "status"),
+ protocmp.SortRepeated(func(a, b *machineidv1.Trait) bool {
+ return strings.Compare(a.Name, b.Name) == -1
+ }),
+ )...,
+ )
+ return diff == "", diff
+}
+
+func TestBotCreation(t *testing.T) {
+ test := &botTestingPrimitives{}
+ testlib.ResourceCreationTest[*machineidv1.Bot, *resourcesv1.TeleportBotV1](t, test)
+}
+
+func TestBotDeletionDrift(t *testing.T) {
+ test := &botTestingPrimitives{}
+ testlib.ResourceDeletionDriftTest[*machineidv1.Bot, *resourcesv1.TeleportBotV1](t, test)
+}
+
+func TestBotUpdate(t *testing.T) {
+ test := &botTestingPrimitives{}
+ testlib.ResourceUpdateTest[*machineidv1.Bot, *resourcesv1.TeleportBotV1](t, test)
+}
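Review bot: `CreateKubernetesResource` passes the package-level `botSpec` pointer straight into the `TeleportBotV1` it hands to `K8sClient.Create`; as far as I can tell controller-runtime decodes the API server's response back into that same object, and because `Spec` is non-nil the decode goes through `TeleportBotV1Spec.UnmarshalJSON`, which resets and repopulates the shared `botSpec` in place. Today the server echoes the same content, so the tests pass, but any pruning or defaulting by the CRD schema would silently rewrite the fixture for every later use, including `CreateTeleportResource`, which reuses it. Cloning per use is cheap: `Spec: (*resourcesv1.TeleportBotV1Spec)(proto.Clone(botSpec).(*machineidv1.BotSpec)),` with `google.golang.org/protobuf/proto` imported, and the same for the `Spec: botSpec` line in `CreateTeleportResource`.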
diff --git a/integrations/operator/controllers/resources/setup.go b/integrations/operator/controllers/resources/setup.go
index fffceccbf8c39..407237a3c437e 100644
--- a/integrations/operator/controllers/resources/setup.go
+++ b/integrations/operator/controllers/resources/setup.go
@@ -48,6 +48,7 @@ func SetupAllControllers(log logr.Logger, mgr manager.Manager, teleportClient *c
{"TeleportOpenSSHServerV2", NewOpenSSHServerV2Reconciler},
{"TeleportOpenSSHEICEServerV2", NewOpenSSHEICEServerV2Reconciler},
{"TeleportTrustedClusterV2", NewTrustedClusterV2Reconciler},
+ {"TeleportBotV1", NewBotV1Reconciler},
}
oidc := modules.GetProtoEntitlement(features, entitlements.OIDC)
diff --git a/integrations/operator/controllers/resources/testlib/compare.go b/integrations/operator/controllers/resources/testlib/compare.go
index edb98827cc54e..15a4a2e833932 100644
--- a/integrations/operator/controllers/resources/testlib/compare.go
+++ b/integrations/operator/controllers/resources/testlib/compare.go
@@ -23,7 +23,9 @@ import (
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
+ "google.golang.org/protobuf/testing/protocmp"
+ headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/api/types/header"
)
@@ -53,3 +55,14 @@ var defaultCompareOpts = []cmp.Option{
func CompareOptions(customOpts ...cmp.Option) []cmp.Option {
return append(defaultCompareOpts, customOpts...)
}
+
+var defaultProtoCompareOpts = []cmp.Option{
+ protocmp.Transform(),
+ protocmp.IgnoreFields(&headerv1.Metadata{}, "labels"),
+}
+
+// ProtoCompareOptions returns comparison options for comparing protobuf messages.
+// Use instead of CompareOptions when using with RFD153 bare proto resources.
+func ProtoCompareOptions(customOpts ...cmp.Option) []cmp.Option {
+ return append(defaultProtoCompareOpts, customOpts...)
+}
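Review bot: `protocmp.IgnoreFields(&headerv1.Metadata{}, "labels")` in `defaultProtoCompareOpts` silently drops labels from every bot comparison without saying why, so a reader cannot tell whether it hides a label the operator deliberately stamps on the Teleport side or masks real label drift between the CR and the Teleport resource. Add a why-comment on that line, e.g. `// labels are ignored: the operator adds its own origin label to the Teleport resource, so they never round-trip verbatim (confirm which label before relying on this)`, and say in the `ProtoCompareOptions` doc that callers needing label parity must compare labels explicitly. Separately, `append(defaultProtoCompareOpts, customOpts...)` only avoids cross-call aliasing because the slice literal has cap == len; this mirrors `CompareOptions`, but a defensive `append(slices.Clone(defaultProtoCompareOpts), customOpts...)` (if the module's Go version allows `slices`) would keep the package-level slice immune to a future edit that grows its capacity.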
diff --git a/integrations/operator/controllers/resources/testlib/env.go b/integrations/operator/controllers/resources/testlib/env.go
index f049806d7df3f..a0e6a34645ce4 100644
--- a/integrations/operator/controllers/resources/testlib/env.go
+++ b/integrations/operator/controllers/resources/testlib/env.go
@@ -140,6 +140,7 @@ func defaultTeleportServiceConfig(t *testing.T) (*helpers.TeleInstance, string)
types.NewRule(types.KindAccessList, unrestricted),
types.NewRule(types.KindNode, unrestricted),
types.NewRule(types.KindTrustedCluster, unrestricted),
+ types.NewRule(types.KindBot, unrestricted),
},
},
})
diff --git a/integrations/operator/crdgen/Makefile b/integrations/operator/crdgen/Makefile
index e457aaa0288f6..75d76666a1595 100644
--- a/integrations/operator/crdgen/Makefile
+++ b/integrations/operator/crdgen/Makefile
@@ -1,7 +1,8 @@
PROTOS = \
teleport/loginrule/v1/loginrule.proto \
teleport/accesslist/v1/accesslist.proto \
- teleport/legacy/types/types.proto
+ teleport/legacy/types/types.proto \
+ teleport/machineid/v1/bot.proto
libfiles := $(wildcard *.go)
diff --git a/integrations/operator/crdgen/handlerequest.go b/integrations/operator/crdgen/handlerequest.go
index 57f479de185e3..795ccc933c09f 100644
--- a/integrations/operator/crdgen/handlerequest.go
+++ b/integrations/operator/crdgen/handlerequest.go
@@ -214,6 +214,7 @@ func generateSchema(file *File, groupName string, format crdFormatFunc, resp *go
},
},
{name: "TrustedClusterV2", opts: []resourceSchemaOption{withVersionInKindOverride()}},
+ {name: "Bot", opts: []resourceSchemaOption{withVersionOverride(types.V1), withVersionInKindOverride()}},
}
for _, resource := range resources {
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_botsv1.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_botsv1.yaml
new file mode 100644
index 0000000000000..87454a36eb5e5
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_botsv1.yaml
@@ -0,0 +1,139 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: teleportbotsv1.resources.teleport.dev
+spec:
+ group: resources.teleport.dev
+ names:
+ kind: TeleportBotV1
+ listKind: TeleportBotV1List
+ plural: teleportbotsv1
+ shortNames:
+ - botv1
+ - botsv1
+ singular: teleportbotv1
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: BotV1 is the Schema for the botsv1 API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Bot resource definition v1 from Teleport
+ properties:
+ roles:
+ description: The roles that the bot should be able to impersonate.
+ items:
+ type: string
+ nullable: true
+ type: array
+ traits:
+ description: The traits that will be associated with the bot for the
+ purposes of role templating. Where multiple specified with the
+ same name, these will be merged by the server.
+ items:
+ properties:
+ name:
+ description: The name of the trait. This is what allows the
+ trait to be queried in role templates.
+ type: string
+ values:
+ description: The values associated with the named trait.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ type: object
+ status:
+ description: Status defines the observed state of the Teleport resource
+ properties:
+ conditions:
+ description: Conditions represent the latest available observations
+ of an object's state
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ teleportResourceID:
+ format: int64
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_openssheiceserversv2.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_openssheiceserversv2.yaml
index 3617909ae6a67..bad8469a76fb6 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_openssheiceserversv2.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_openssheiceserversv2.yaml
@@ -88,6 +88,20 @@ spec:
type: string
type: object
type: object
+ github:
+ description: GitHub contains info about GitHub proxies where each
+ server represents a GitHub organization.
+ nullable: true
+ properties:
+ integration:
+ description: Integration is the integration that is associated
+ with this Server.
+ type: string
+ organization:
+ description: Organization specifies the name of the organization
+ for the GitHub integration.
+ type: string
+ type: object
hostname:
description: Hostname is server hostname
type: string
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_opensshserversv2.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_opensshserversv2.yaml
index ad7dfd4174776..fe3d76a8db7a4 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_opensshserversv2.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_opensshserversv2.yaml
@@ -87,6 +87,20 @@ spec:
type: string
type: object
type: object
+ github:
+ description: GitHub contains info about GitHub proxies where each
+ server represents a GitHub organization.
+ nullable: true
+ properties:
+ integration:
+ description: Integration is the integration that is associated
+ with this Server.
+ type: string
+ organization:
+ description: Organization specifies the name of the organization
+ for the GitHub integration.
+ type: string
+ type: object
hostname:
description: Hostname is server hostname
type: string
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml
index e42dc48675faa..00ebc526193c5 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml
@@ -295,6 +295,12 @@ spec:
will default to `gitlab.com` - but can be set to the domain
of your self-hosted GitLab e.g `gitlab.example.com`.
type: string
+ static_jwks:
+ description: StaticJWKS disables fetching of the GitLab signing
+ keys via the JWKS/OIDC endpoints, and allows them to be directly
+ specified. This allows joining from GitLab CI instances that
+ are not reachable by the Teleport Auth Service.
+ type: string
type: object
join_method:
description: 'JoinMethod is the joining method required in order to
@@ -330,6 +336,32 @@ spec:
- `in_cluster` - `static_jwks` If unset, this defaults to `in_cluster`.'
type: string
type: object
+ oracle:
+ description: Oracle allows the configuration of options specific to
+ the "oracle" join method.
+ nullable: true
+ properties:
+ allow:
+ description: Allow is a list of Rules, nodes using this token
+ must match one allow rule to use this token.
+ items:
+ properties:
+ parent_compartments:
+ items:
+ type: string
+ nullable: true
+ type: array
+ regions:
+ items:
+ type: string
+ nullable: true
+ type: array
+ tenancy:
+ type: string
+ type: object
+ nullable: true
+ type: array
+ type: object
roles:
description: Roles is a list of roles associated with the token, that
will be converted to metadata in the SSH and X509 certificates issued
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml
index f7b4a591b6f8f..5b8d0cded38e0 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml
@@ -157,6 +157,18 @@ spec:
type: string
nullable: true
type: array
+ github_permissions:
+ description: GitHubPermissions defines GitHub integration related
+ permissions.
+ items:
+ properties:
+ orgs:
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
group_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
@@ -733,6 +745,18 @@ spec:
type: string
nullable: true
type: array
+ github_permissions:
+ description: GitHubPermissions defines GitHub integration related
+ permissions.
+ items:
+ properties:
+ orgs:
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
group_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
@@ -1352,7 +1376,7 @@ spec:
type: string
type: object
request_access:
- description: RequestAccess defines the request strategy (optional|note|always)
+ description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default.
type: string
request_prompt:
@@ -1606,6 +1630,18 @@ spec:
type: string
nullable: true
type: array
+ github_permissions:
+ description: GitHubPermissions defines GitHub integration related
+ permissions.
+ items:
+ properties:
+ orgs:
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
group_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
@@ -2182,6 +2218,18 @@ spec:
type: string
nullable: true
type: array
+ github_permissions:
+ description: GitHubPermissions defines GitHub integration related
+ permissions.
+ items:
+ properties:
+ orgs:
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
group_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
@@ -2801,7 +2849,7 @@ spec:
type: string
type: object
request_access:
- description: RequestAccess defines the request strategy (optional|note|always)
+ description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default.
type: string
request_prompt:
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml
index c90af3b7e8161..dd182abc2946b 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml
@@ -160,6 +160,18 @@ spec:
type: string
nullable: true
type: array
+ github_permissions:
+ description: GitHubPermissions defines GitHub integration related
+ permissions.
+ items:
+ properties:
+ orgs:
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
group_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
@@ -736,6 +748,18 @@ spec:
type: string
nullable: true
type: array
+ github_permissions:
+ description: GitHubPermissions defines GitHub integration related
+ permissions.
+ items:
+ properties:
+ orgs:
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
group_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
@@ -1355,7 +1379,7 @@ spec:
type: string
type: object
request_access:
- description: RequestAccess defines the request strategy (optional|note|always)
+ description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default.
type: string
request_prompt:
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml
index 64324e5d6fd39..2f43956e09ef8 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml
@@ -160,6 +160,18 @@ spec:
type: string
nullable: true
type: array
+ github_permissions:
+ description: GitHubPermissions defines GitHub integration related
+ permissions.
+ items:
+ properties:
+ orgs:
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
group_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
@@ -736,6 +748,18 @@ spec:
type: string
nullable: true
type: array
+ github_permissions:
+ description: GitHubPermissions defines GitHub integration related
+ permissions.
+ items:
+ properties:
+ orgs:
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
group_labels:
additionalProperties:
x-kubernetes-preserve-unknown-fields: true
@@ -1355,7 +1379,7 @@ spec:
type: string
type: object
request_access:
- description: RequestAccess defines the request strategy (optional|note|always)
+ description: RequestAccess defines the request strategy (optional|reason|always)
where optional is the default.
type: string
request_prompt:
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_users.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_users.yaml
index 504c3695c4532..0c68b6dec714f 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_users.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_users.yaml
@@ -57,6 +57,10 @@ spec:
description: SAMLSingleLogoutURL is the SAML Single log-out
URL to initiate SAML SLO (single log-out), if applicable.
type: string
+ user_id:
+ description: UserID is the ID of the identity. Some connectors
+ like GitHub have an unique ID apart from the username.
+ type: string
username:
description: Username is username supplied by external identity
provider
@@ -76,6 +80,10 @@ spec:
description: SAMLSingleLogoutURL is the SAML Single log-out
URL to initiate SAML SLO (single log-out), if applicable.
type: string
+ user_id:
+ description: UserID is the ID of the identity. Some connectors
+ like GitHub have an unique ID apart from the username.
+ type: string
username:
description: Username is username supplied by external identity
provider
@@ -101,6 +109,10 @@ spec:
description: SAMLSingleLogoutURL is the SAML Single log-out
URL to initiate SAML SLO (single log-out), if applicable.
type: string
+ user_id:
+ description: UserID is the ID of the identity. Some connectors
+ like GitHub have an unique ID apart from the username.
+ type: string
username:
description: Username is username supplied by external identity
provider
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/access_graph/v1/authorized_key.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/access_graph/v1/authorized_key.proto
new file mode 100644
index 0000000000000..1795d7a415a58
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/access_graph/v1/authorized_key.proto
@@ -0,0 +1,52 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.access_graph.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
+
+// The `AuthorizedKey` message represents an authorized key entry for a specific local user.
+// These authorized keys are generated by the server when a particular SSH AuthorizedKey is granted access to a user on the node.
+message AuthorizedKey {
+ // metadata is the AuthorizedKey's metadata.
+ teleport.header.v1.Metadata metadata = 1;
+ // kind is a resource kind.
+ string kind = 2;
+ // sub_kind is an optional resource sub kind, used in some resources.
+ string sub_kind = 3;
+ // version is version.
+ string version = 4;
+ // Spec is an AuthorizedKey specification.
+ AuthorizedKeySpec spec = 5;
+}
+
+// AuthorizedKeySpec is the authorized key spec.
+message AuthorizedKeySpec {
+ // host_id is the node identifier and must match the credentials used.
+ string host_id = 1;
+ // key_fingerprint is the SHA256 SSH public key fingerprint.
+ string key_fingerprint = 2;
+ // host_user is the user who can be accessed using the fingerprint above.
+ string host_user = 3;
+ // key_comment is the authorized key's comment.
+ // Authorized keys consist of the following space-separated fields:
+ // options, keytype, base64-encoded key, comment. The options field is optional.
+ string key_comment = 4;
+ // key_type is the ssh's key type.
+ string key_type = 5;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/access_graph/v1/private_key.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/access_graph/v1/private_key.proto
new file mode 100644
index 0000000000000..239c515d89044
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/access_graph/v1/private_key.proto
@@ -0,0 +1,67 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.access_graph.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
+
+// The `PrivateKey` message represents a private key entry for a specific local user.
+// It serves as a reference to a private key located on a user's laptop. Note that it *NEVER* contains the private key itself.
+// Instead, it stores metadata related to the key, including the fingerprint of the public key, the device trust identifier, and the public key mode.
+// The Teleport Access Graph uses this metadata to assess whether a particular private key is authorized to access a user on the node without using Teleport.
+message PrivateKey {
+ // metadata is the PrivateKey's metadata.
+ teleport.header.v1.Metadata metadata = 1;
+ // kind is a resource kind.
+ string kind = 2;
+ // sub_kind is an optional resource sub kind, used in some resources.
+ string sub_kind = 3;
+ // version is version.
+ string version = 4;
+ // Spec is a PrivateKey specification.
+ PrivateKeySpec spec = 5;
+}
+
+// PrivateKeySpec is the private key spec.
+message PrivateKeySpec {
+ // device_id is the device trust identifier of the device that owns the key.
+ string device_id = 1;
+ // public_key_fingerprint is the SHA256 of the SSH public key corresponding to
+ // the private key.
+ string public_key_fingerprint = 2;
+ // public_key_mode is the public key mode.
+ PublicKeyMode public_key_mode = 3;
+}
+
+// PublicKeyMode is the mode of the public key.
+// The public key can be derived from the private key, stored in a separate file, or the private key was password protected
+// and we could not extract the public key from it or from the file.
+enum PublicKeyMode {
+ // PUBLIC_KEY_MODE_UNSPECIFIED is an invalid state.
+ PUBLIC_KEY_MODE_UNSPECIFIED = 0;
+ // PUBLIC_KEY_MODE_DERIVED is the state where the public key is derived from the private key.
+ PUBLIC_KEY_MODE_DERIVED = 1;
+ // PUBLIC_KEY_MODE_PUB_FILE is a state where the public key is stored in a separate file from the private key.
+ // The private key is password protected and we could not extract the public key from it.
+ // This mode is used when the private key is password protected and there is a .pub file next to the private key
+ // that contains the public key.
+ PUBLIC_KEY_MODE_PUB_FILE = 2;
+ // PUBLIC_KEY_MODE_PROTECTED is a state where the private key is password protected and we could not extract the public key from it
+ // or from the .pub file.
+ PUBLIC_KEY_MODE_PROTECTED = 3;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/access_graph/v1/secrets_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/access_graph/v1/secrets_service.proto
new file mode 100644
index 0000000000000..7c2b3d49e6e76
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/access_graph/v1/secrets_service.proto
@@ -0,0 +1,101 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.access_graph.v1;
+
+import "teleport/access_graph/v1/authorized_key.proto";
+import "teleport/access_graph/v1/private_key.proto";
+import "teleport/devicetrust/v1/assert.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
+
+// SecretsScannerService provides methods for Access Graph Secret Scanner functionality.
+service SecretsScannerService {
+ // ReportAuthorizedKeys is used by Teleport SSH nodes to report authorized keys
+ // that could be used to bypass Teleport.
+ // The client (Teleport SSH Node) should authenticate using the certificate-key pair signed by Teleport HostCA.
+ rpc ReportAuthorizedKeys(stream ReportAuthorizedKeysRequest) returns (stream ReportAuthorizedKeysResponse) {}
+
+ // ReportSecrets is used by trusted devices to report secrets found on the host that could be used to bypass Teleport.
+ // The client (device) should first authenticate using the [ReportSecretsRequest.device_assertion] flow. Please refer to
+ // the [teleport.devicetrust.v1.AssertDeviceRequest] and [teleport.devicetrust.v1.AssertDeviceResponse] messages for more details.
+ //
+ // Once the device is asserted, the client can send the secrets using the [ReportSecretsRequest.private_keys] field
+ // and then close the client side of the stream.
+ //
+ // -> ReportSecrets (client) [1 or more]
+ // -> CloseStream (client)
+ // <- TerminateStream (server)
+ //
+ // Any failure in the assertion ceremony will result in the stream being terminated by the server. All secrets
+ // reported by the client before the assertion terminates will be ignored and result in the stream being terminated.
+ rpc ReportSecrets(stream ReportSecretsRequest) returns (stream ReportSecretsResponse) {}
+}
+
+// ReportAuthorizedKeysRequest is used by Teleport nodes to report authorized keys
+// that could be used to bypass Teleport.
+message ReportAuthorizedKeysRequest {
+ // keys is a list of authorized keys that could be used to bypass Teleport.
+ repeated teleport.access_graph.v1.AuthorizedKey keys = 1;
+ // operation indicates the operation that the client wants to perform.
+ OperationType operation = 2;
+}
+
+// ReportAuthorizedKeysResponse is the response from ReportAuthorizedKeys
+// RPC method.
+message ReportAuthorizedKeysResponse {}
+
+// ReportSecretsRequest is used by trusted devices to report secrets found on the host
+// that could be used to bypass Teleport.
+message ReportSecretsRequest {
+ oneof payload {
+ // The device should initiate the device assertion ceremony by sending the
+ // AssertDeviceRequest. Please refer to the [teleport.devicetrust.v1.AssertDeviceRequest]
+ // message for more details.
+ teleport.devicetrust.v1.AssertDeviceRequest device_assertion = 1;
+ // private_keys is a list of private keys that were found on the device.
+ ReportPrivateKeys private_keys = 4;
+ }
+}
+
+// ReportPrivateKeys is used by trusted devices to report private keys found on the host
+// that could be used to bypass Teleport.
+message ReportPrivateKeys {
+ // keys is a list of private keys that could be used to bypass Teleport.
+ repeated teleport.access_graph.v1.PrivateKey keys = 1;
+}
+
+// ReportSecretsResponse is the response from the ReportSecrets
+// RPC method.
+message ReportSecretsResponse {
+ oneof payload {
+ // device_assertion is the response from the device assertion ceremony.
+ // Please refer to the [teleport.devicetrust.v1.AssertDeviceResponse]
+ // message for more details
+ teleport.devicetrust.v1.AssertDeviceResponse device_assertion = 1;
+ }
+}
+
+// OperationType is an enum that indicates the operation that the client wants to perform.
+enum OperationType {
+ // OPERATION_TYPE_UNSPECIFIED is an unknown operation.
+ OPERATION_TYPE_UNSPECIFIED = 0;
+ // OPERATION_TYPE_ADD is an operation that indicates that the client wants to add keys to the list.
+ OPERATION_TYPE_ADD = 1;
+ // OPERATION_TYPE_SYNC is an operation that indicates that the client has sent all the keys and
+ // the server can proceed with the analysis.
+ OPERATION_TYPE_SYNC = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist_service.proto
new file mode 100644
index 0000000000000..73fc691c92ab4
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist_service.proto
@@ -0,0 +1,418 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.accesslist.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+import "teleport/accesslist/v1/accesslist.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1;accesslistv1";
+
+// AccessListService provides CRUD methods for Access List resources.
+service AccessListService {
+ // GetAccessLists returns a list of all access lists.
+ rpc GetAccessLists(GetAccessListsRequest) returns (GetAccessListsResponse);
+ // ListAccessLists returns a paginated list of all access lists.
+ rpc ListAccessLists(ListAccessListsRequest) returns (ListAccessListsResponse);
+ // GetAccessList returns the specified access list resource.
+ rpc GetAccessList(GetAccessListRequest) returns (AccessList);
+ // UpsertAccessList creates or updates an access list resource.
+ rpc UpsertAccessList(UpsertAccessListRequest) returns (AccessList);
+ // UpdateAccessList updates an access list resource.
+ rpc UpdateAccessList(UpdateAccessListRequest) returns (AccessList);
+ // DeleteAccessList hard deletes the specified access list resource.
+ rpc DeleteAccessList(DeleteAccessListRequest) returns (google.protobuf.Empty);
+ // DeleteAllAccessLists hard deletes all access lists.
+ rpc DeleteAllAccessLists(DeleteAllAccessListsRequest) returns (google.protobuf.Empty);
+ // GetAccessListsToReview will return access lists that need to be reviewed by
+ // the current user.
+ rpc GetAccessListsToReview(GetAccessListsToReviewRequest) returns (GetAccessListsToReviewResponse);
+
+ // CountAccessListMembers returns the count of access list members in an
+ // access list.
+ rpc CountAccessListMembers(CountAccessListMembersRequest) returns (CountAccessListMembersResponse);
+ // ListAccessListMembers returns a paginated list of all access list members.
+ rpc ListAccessListMembers(ListAccessListMembersRequest) returns (ListAccessListMembersResponse);
+ // ListAllAccessListMembers returns a paginated list of all access list
+ // members for all access lists.
+ rpc ListAllAccessListMembers(ListAllAccessListMembersRequest) returns (ListAllAccessListMembersResponse);
+ // GetAccessListMember returns the specified access list member resource.
+ rpc GetAccessListMember(GetAccessListMemberRequest) returns (Member);
+ // GetAccessListOwners returns a list of all owners in an Access List,
+ // including those inherited from nested Access Lists.
+ rpc GetAccessListOwners(GetAccessListOwnersRequest) returns (GetAccessListOwnersResponse);
+ // UpsertAccessListMember creates or updates an access list member resource.
+ rpc UpsertAccessListMember(UpsertAccessListMemberRequest) returns (Member);
+ // UpdateAccessListMember conditionally updates an access list member resource.
+ rpc UpdateAccessListMember(UpdateAccessListMemberRequest) returns (Member);
+ // DeleteAccessListMember hard deletes the specified access list member
+ // resource.
+ rpc DeleteAccessListMember(DeleteAccessListMemberRequest) returns (google.protobuf.Empty);
+ // DeleteAllAccessListMembers hard deletes all access list members for an
+ // access list.
+ rpc DeleteAllAccessListMembersForAccessList(DeleteAllAccessListMembersForAccessListRequest) returns (google.protobuf.Empty);
+ // DeleteAllAccessListMembers hard deletes all access list members for an
+ // access list.
+ rpc DeleteAllAccessListMembers(DeleteAllAccessListMembersRequest) returns (google.protobuf.Empty);
+
+ // UpsertAccessListWithMembers creates or updates an access list with members.
+ rpc UpsertAccessListWithMembers(UpsertAccessListWithMembersRequest) returns (UpsertAccessListWithMembersResponse);
+
+ // ListAccessListReviews will list access list reviews for a particular access
+ // list.
+ rpc ListAccessListReviews(ListAccessListReviewsRequest) returns (ListAccessListReviewsResponse);
+ // ListAllAccessListReviews will list access list reviews for all access
+ // lists.
+ rpc ListAllAccessListReviews(ListAllAccessListReviewsRequest) returns (ListAllAccessListReviewsResponse);
+ // CreateAccessListReview will create a new review for an access list. It will
+ // also modify the original access list and its members depending on the
+ // details of the review.
+ rpc CreateAccessListReview(CreateAccessListReviewRequest) returns (CreateAccessListReviewResponse);
+ // DeleteAccessListReview will delete an access list review from the backend.
+ rpc DeleteAccessListReview(DeleteAccessListReviewRequest) returns (google.protobuf.Empty);
+
+ // AccessRequestPromote promotes an access request to an access list.
+ rpc AccessRequestPromote(AccessRequestPromoteRequest) returns (AccessRequestPromoteResponse);
+
+ // GetSuggestedAccessLists returns suggested access lists for an access
+ // request.
+ rpc GetSuggestedAccessLists(GetSuggestedAccessListsRequest) returns (GetSuggestedAccessListsResponse);
+
+ // GetInheritedGrants returns the inherited grants for an access list.
+ rpc GetInheritedGrants(GetInheritedGrantsRequest) returns (GetInheritedGrantsResponse);
+}
+
+// GetAccessListsRequest is the request for getting all access lists.
+message GetAccessListsRequest {}
+
+// GetAccessListsResponse is the response for getting all access lists.
+message GetAccessListsResponse {
+ // access_lists is the list of access lists.
+ repeated AccessList access_lists = 1;
+}
+
+// ListAccessListsRequest is the request for getting paginated access lists.
+message ListAccessListsRequest {
+ // page_size is the size of the page to request.
+ int32 page_size = 1;
+
+ // next_token is the page token.
+ string next_token = 2;
+}
+
+// ListAccessListsResponse is the response for getting paginated access lists.
+message ListAccessListsResponse {
+ // access_lists is the list of access lists.
+ repeated AccessList access_lists = 1;
+ // next_token is the next page token.
+ string next_token = 2;
+}
+
+// GetInheritedGrantsRequest is the request for getting inherited grants.
+message GetInheritedGrantsRequest {
+ // access_list_id is the ID of the access list to retrieve.
+ string access_list_id = 1;
+}
+
+// GetInheritedGrantsResponse is the response for getting inherited grants.
+message GetInheritedGrantsResponse {
+ // grants is the list of inherited member grants.
+ AccessListGrants grants = 1;
+}
+
+// GetAccessListRequest is the request for retrieving an access list.
+message GetAccessListRequest {
+ // name is the name of the access list to retrieve.
+ string name = 1;
+}
+
+// UpsertAccessListRequest is the request for upserting an access list.
+message UpsertAccessListRequest {
+ // access_list is the access list to upsert.
+ AccessList access_list = 1;
+}
+
+// UpdateAccessListRequest is the request for updating an access list.
+message UpdateAccessListRequest {
+ // access_list is the access list to upsert.
+ AccessList access_list = 1;
+}
+
+// DeleteAccessListRequest is the request for deleting an access list.
+message DeleteAccessListRequest {
+ // name is the name of the access list to delete.
+ string name = 1;
+}
+
+// DeleteAllAccessListsRequest is the request for deleting all access lists.
+message DeleteAllAccessListsRequest {}
+
+// GetAccessListsToReviewRequest is the request for getting access lists that
+// the current user needs to review.
+message GetAccessListsToReviewRequest {}
+
+// GetAccessListsToReviewResponse is the response for getting access lists that
+// the current user needs to review.
+message GetAccessListsToReviewResponse {
+ repeated AccessList access_lists = 1;
+}
+
+// CountAccessListMembersRequest is the request for counting access list
+// members.
+message CountAccessListMembersRequest {
+ // access_list_name is the name of the access list to retrieve.
+ string access_list_name = 1;
+}
+
+// CountAccessListMembersResponse is the response for counting access list
+// members.
+message CountAccessListMembersResponse {
+ // count is the number of access list members in the access list.
+ uint32 count = 1;
+ // list_count is the number of access list members of type list in the access list.
+ uint32 list_count = 2;
+}
+
+// ListAccessListMembersRequest is the request for getting paginated access list
+// members.
+message ListAccessListMembersRequest {
+ // page_size is the size of the page to request.
+ int32 page_size = 1;
+
+ // page_token is the page token.
+ string page_token = 2;
+
+ // access_list is the name of the access list that the member belongs to.
+ string access_list = 3;
+}
+
+// ListAccessListMembersResponse is the response for getting paginated access
+// list members.
+message ListAccessListMembersResponse {
+ // members is the list of access list members.
+ repeated Member members = 1;
+ // next_page_token is the next page token.
+ string next_page_token = 2;
+}
+
+// ListAllAccessListMembersRequest is the request for getting paginated access
+// list members for all access lists.
+message ListAllAccessListMembersRequest {
+ // page_size is the size of the page to request.
+ int32 page_size = 1;
+
+ // page_token is the page token.
+ string page_token = 2;
+}
+
+// ListAllAccessListMembersResponse is the response for getting paginated access
+// list members for all access lists.
+message ListAllAccessListMembersResponse {
+ // members is the list of access list members.
+ repeated Member members = 1;
+ // next_page_token is the next page token.
+ string next_page_token = 2;
+}
+
+// UpsertAccessListWithMembers is the request for upserting an access list with
+// members.
+message UpsertAccessListWithMembersRequest {
+ // access_list is the access list to upsert.
+ AccessList access_list = 1;
+ // members is the list of access list members.
+ repeated Member members = 2;
+}
+
+// UpsertAccessListWithMembersResponse is the response for upserting an access
+// list with members.
+message UpsertAccessListWithMembersResponse {
+ // access_list is the access list that was upserted.
+ AccessList access_list = 1;
+ // members is the list of access list members that were upserted.
+ repeated Member members = 2;
+}
+
+// GetAccessListMemberRequest is the request for retrieving an access list
+// member.
+message GetAccessListMemberRequest {
+ // access_list is the name of the access list that the member belongs to.
+ string access_list = 1;
+
+ // member_name is the name of the user that belongs to the access list.
+ string member_name = 2;
+}
+
+// GetAccessListOwnersRequest is the request for getting a list of all owners
+// in an Access List, including those inherited from nested Access Lists.
+message GetAccessListOwnersRequest {
+ // access_list is the name of the access list.
+ string access_list = 1;
+}
+
+// GetAccessListOwnersResponse is the response for getting a list of all
+// owners in an Access List, including those inherited from nested Access Lists.
+message GetAccessListOwnersResponse {
+ // owners is the list of all owners in the Access List, including those
+ // inherited from nested Access Lists.
+ repeated accesslist.v1.AccessListOwner owners = 1;
+}
+
+// UpsertAccessListMemberRequest is the request for upserting an access list
+// member.
+message UpsertAccessListMemberRequest {
+ reserved 1, 2, 3;
+ reserved "access_list", "name", "reason";
+
+ // member is the access list member to upsert.
+ Member member = 4;
+}
+
+// UpdateAccessListMemberRequest is the request for updating an access list
+// member.
+message UpdateAccessListMemberRequest {
+ // member is the access list member to upsert.
+ Member member = 1;
+}
+
+// DeleteAccessListMemberRequest is the request for deleting a member from an
+// access list.
+message DeleteAccessListMemberRequest {
+ reserved 2;
+ reserved "name";
+
+ // access_list is the name of access list.
+ string access_list = 1;
+ // member_name is the name of the user to delete.
+ string member_name = 3;
+}
+
+// DeleteAllAccessListMembersForAccessListRequest is the request for deleting
+// all members from an access list.
+message DeleteAllAccessListMembersForAccessListRequest {
+ // access_list is the name of access list.
+ string access_list = 1;
+}
+
+// DeleteAllAccessListMembersRequest is the request for all access list members
+// in the backend.
+message DeleteAllAccessListMembersRequest {
+ reserved 1;
+ reserved "access_list";
+}
+
+// ListAccessListReviewsRequest is the request for getting paginated access list
+// reviews for a particular access list.
+message ListAccessListReviewsRequest {
+ // access_list is the name of the access list that we're listing reviews for.
+ string access_list = 1;
+
+ // page_size is the size of the page to request.
+ int32 page_size = 2;
+
+ // next_token is the page token.
+ string next_token = 3;
+}
+
+// ListAccessListReviewsResponse is the response for getting paginated access
+// list reviews for a particular access list.
+message ListAccessListReviewsResponse {
+ // reviews is the list of access list reviews.
+ repeated Review reviews = 1;
+
+ // next_token is the next page token.
+ string next_token = 2;
+}
+
+// ListAllAccessListReviewsRequest is the request for getting paginated access
+// list reviews for all access lists.
+message ListAllAccessListReviewsRequest {
+ // page_size is the size of the page to request.
+ int32 page_size = 1;
+
+ // next_token is the page token.
+ string next_token = 2;
+}
+
+// ListAllAccessListReviewsResponse is the response for getting paginated access
+// list reviews for all access lists.
+message ListAllAccessListReviewsResponse {
+ // reviews is the list of access list reviews.
+ repeated Review reviews = 1;
+
+ // next_token is the next page token.
+ string next_token = 2;
+}
+
+// CreateAccessListReviewRequest is the request for creating an access list
+// review.
+message CreateAccessListReviewRequest {
+ // review is the actual review to create.
+ Review review = 1;
+}
+
+// CreateAccessListReviewResponse is the response for creating an access list
+// review.
+message CreateAccessListReviewResponse {
+ // review_name is the name of the review that was just created.
+ string review_name = 1;
+
+ // next_audit_date is when the next audit should be done by.
+ google.protobuf.Timestamp next_audit_date = 2;
+}
+
+// DeleteAccessListReviewRequest is the request for deleting an access list
+// review.
+message DeleteAccessListReviewRequest {
+ // review_name is the name of the review to delete.
+ string review_name = 1;
+
+ // access_list_name is the name of the access list to delete the review from.
+ string access_list_name = 2;
+}
+
+// AccessRequestPromoteRequest is the request for promoting an access request to
+// an access list.
+message AccessRequestPromoteRequest {
+ // RequestID is the unique ID of the request to be promoted.
+ string request_id = 1;
+ // AccessListName is the name of the access list to promote the request to.
+ string access_list_name = 2;
+ // Reason is the access request review reason.
+ string reason = 3;
+}
+
+// AccessRequestPromoteResponse is the response for promoting an access request
+// to an access list.
+message AccessRequestPromoteResponse {
+ // AccessRequest is the updated access request.
+ types.AccessRequestV3 access_request = 1;
+}
+
+// GetSuggestedAccessListsRequest is the request for suggested access lists for
+// an access request.
+message GetSuggestedAccessListsRequest {
+ // access_request_id is the unique ID of the request.
+ string access_request_id = 1;
+}
+
+// GetSuggestedAccessListsResponse is the response for suggested access lists
+// for an access request.
+message GetSuggestedAccessListsResponse {
+ // access_lists is the list of suggested lists.
+ repeated AccessList access_lists = 1;
+}
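Review bot: Several field comments in this file describe the wrong operation or the wrong name: `UpdateAccessListRequest.access_list` and `UpdateAccessListMemberRequest.member` both say "to upsert" although their RPCs are updates, the leading comment on `DeleteAllAccessListMembersForAccessList` is a copy of the `DeleteAllAccessListMembers` one, and `DeleteAllAccessListMembersRequest` reads "is the request for all access list members" with the verb missing. `GetAccessListsToReviewResponse.access_lists` has no comment at all, and `AccessRequestPromoteRequest` documents its fields as `RequestID`/`AccessListName`/`Reason` rather than by their snake_case names as the rest of the file does. Suggested wording: `// access_list is the access list to update.`, `// member is the access list member to update.` and `// DeleteAllAccessListMembersRequest is the request for deleting all access list members in the backend.`. This looks like a verbatim copy of the upstream api proto into crdgen testdata, so the wording fix presumably belongs upstream and should then be re-synced here rather than edited in the fixture.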
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/accessmonitoringrules/v1/access_monitoring_rules.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/accessmonitoringrules/v1/access_monitoring_rules.proto
new file mode 100644
index 0000000000000..6b385a9f42eaf
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/accessmonitoringrules/v1/access_monitoring_rules.proto
@@ -0,0 +1,126 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.accessmonitoringrules.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1;accessmonitoringrulesv1";
+
+// AccessMonitoringRule represents an access monitoring rule resources.
+message AccessMonitoringRule {
+ // metadata is the rules's metadata.
+ teleport.header.v1.Metadata metadata = 1;
+ // kind is a resource kind
+ string kind = 2;
+ // sub_kind is an optional resource sub kind, used in some resources
+ string sub_kind = 3;
+ // version is version
+ string version = 4;
+ // Spec is an AccessMonitoringRule specification
+ AccessMonitoringRuleSpec spec = 5;
+}
+
+// AccessMonitoringRuleSpec is the access monitoring rule spec
+message AccessMonitoringRuleSpec {
+ // subjects the rule operates on, can be a resource kind or a particular resource property.
+ repeated string subjects = 1;
+ // states are the desired state which the monitoring rule is attempting to bring the subjects matching the condition to.
+ repeated string states = 2;
+ // condition is a predicate expression that operates on the specified subject resources,
+ // and determines whether the subject will be moved into desired state.
+ string condition = 3;
+ // notification defines the plugin configuration for notifications if rule is triggered.
+ Notification notification = 4;
+}
+
+// Notification contains configurations for plugin notification rules.
+message Notification {
+ // name is the name of the plugin to which this configuration should apply.
+ string name = 1;
+ // recipients is the list of recipients the plugin should notify.
+ repeated string recipients = 2;
+}
+
+// CreateAccessMonitoringRuleRequest is the request for CreateAccessMonitoringRule.
+message CreateAccessMonitoringRuleRequest {
+ // access_monitoring_rule is the specification of the rule to be created.
+ AccessMonitoringRule rule = 1;
+}
+
+// UpdateAccessMonitoringRuleRequest is the request for UpdateAccessMonitoringRule.
+message UpdateAccessMonitoringRuleRequest {
+ // access_monitoring_rule is the specification of the rule to be updated.
+ AccessMonitoringRule rule = 1;
+}
+
+// UpsertAccessMonitoringRuleRequest is the request for UpsertAccessMonitoringRule.
+message UpsertAccessMonitoringRuleRequest {
+ // access_monitoring_rule is the specification of the rule to be upserted.
+ AccessMonitoringRule rule = 1;
+}
+
+// GetAccessMonitoringRuleRequest is the request for GetAccessMonitoringRule.
+message GetAccessMonitoringRuleRequest {
+ // resource_name is the name of the rule to be returned.
+ string name = 1;
+}
+
+// DeleteAccessMonitoringRuleRequest is the request for DeleteAccessMonitoringRule.
+message DeleteAccessMonitoringRuleRequest {
+ // resource_name is the name of the rule to be removed.
+ string name = 1;
+}
+
+// ListAccessMonitoringRulesRequest is the request for ListAccessMonitoringRules.
+message ListAccessMonitoringRulesRequest {
+ // page_size is the maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int64 page_size = 1;
+ // page_token is the next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+}
+
+// ListAccessMonitoringRulesWithFilterRequest is the request for ListAccessMonitoringRulesWithFilter.
+message ListAccessMonitoringRulesWithFilterRequest {
+ // page_size is the maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int64 page_size = 1;
+ // page_token is the next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+ // subjects are the subjects the access monitoring rules must have. This field is optional.
+ repeated string subjects = 3;
+ // notification_name is the value of the notification name field the rule must have. This field is optional.
+ string notification_name = 4;
+}
+
+// ListAccessMonitoringRulesResponse is the response from ListAccessMonitoringRules.
+message ListAccessMonitoringRulesResponse {
+ // The page of AccessMonitoringRule that matched the request.
+ repeated AccessMonitoringRule rules = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// ListAccessMonitoringRulesWithFilterResponse is the response from ListAccessMonitoringRulesWithFilter.
+message ListAccessMonitoringRulesWithFilterResponse {
+ // The page of AccessMonitoringRule that matched the request.
+ repeated AccessMonitoringRule rules = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
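Review bot: The field comments in the request messages do not match the field names: `CreateAccessMonitoringRuleRequest`, `UpdateAccessMonitoringRuleRequest` and `UpsertAccessMonitoringRuleRequest` document `access_monitoring_rule` while the field is `rule`, and `GetAccessMonitoringRuleRequest` and `DeleteAccessMonitoringRuleRequest` document `resource_name` while the field is `name`. Since these comments end up in generated docs and CRD descriptions, the names should be corrected, e.g. `// rule is the specification of the rule to be created.` and `// name is the name of the rule to be returned.`. The `AccessMonitoringRule` header also has two small typos, "rule resources" and "rules's metadata". As this file appears to be a copy of the upstream api proto taken as crdgen test data, the fix presumably belongs upstream first.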
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/accessmonitoringrules/v1/access_monitoring_rules_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/accessmonitoringrules/v1/access_monitoring_rules_service.proto
new file mode 100644
index 0000000000000..6025d31796ccb
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/accessmonitoringrules/v1/access_monitoring_rules_service.proto
@@ -0,0 +1,46 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.accessmonitoringrules.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/accessmonitoringrules/v1/access_monitoring_rules.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1;accessmonitoringrulesv1";
+
+// AccessMonitoringRulesService provides CRUD methods for Access Monitoring Rules resources.
+service AccessMonitoringRulesService {
+ // CreateAccessMonitoringRule creates the specified access monitoring rule.
+ rpc CreateAccessMonitoringRule(CreateAccessMonitoringRuleRequest) returns (AccessMonitoringRule);
+
+ // UpdateAccessMonitoringRule updates the specified access monitoring rule.
+ rpc UpdateAccessMonitoringRule(UpdateAccessMonitoringRuleRequest) returns (AccessMonitoringRule);
+
+ // UpsertAccessMonitoringRule upserts the specified access monitoring rule.
+ rpc UpsertAccessMonitoringRule(UpsertAccessMonitoringRuleRequest) returns (AccessMonitoringRule);
+
+ // GetAccessMonitoringRule gets the specified access monitoring rule.
+ rpc GetAccessMonitoringRule(GetAccessMonitoringRuleRequest) returns (AccessMonitoringRule);
+
+ // DeleteAccessMonitoringRule deletes the specified access monitoring rule.
+ rpc DeleteAccessMonitoringRule(DeleteAccessMonitoringRuleRequest) returns (google.protobuf.Empty);
+
+ // ListAccessMonitoringRules lists current access monitoring rules.
+ rpc ListAccessMonitoringRules(ListAccessMonitoringRulesRequest) returns (ListAccessMonitoringRulesResponse);
+
+ // ListAccessMonitoringRulesWithFilter lists current access monitoring rules that match the provided filter.
+ rpc ListAccessMonitoringRulesWithFilter(ListAccessMonitoringRulesWithFilterRequest) returns (ListAccessMonitoringRulesWithFilterResponse);
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/auditlog/v1/auditlog.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/auditlog/v1/auditlog.proto
new file mode 100644
index 0000000000000..adb1a32fa06b6
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/auditlog/v1/auditlog.proto
@@ -0,0 +1,131 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.auditlog.v1;
+
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/auditlog/v1;auditlogv1";
+
+// AuditLogService provides methods to access audit log.
+service AuditLogService {
+ // StreamUnstructuredSessionEvents streams audit events from a given session recording in an unstructured format.
+ // This endpoint is used by the event handler to retrieve the session events as JSON.
+ rpc StreamUnstructuredSessionEvents(StreamUnstructuredSessionEventsRequest) returns (stream EventUnstructured);
+ // GetUnstructuredEvents gets events from the audit log in an unstructured format.
+ // This endpoint is used by the event handler to retrieve the events as JSON.
+ rpc GetUnstructuredEvents(GetUnstructuredEventsRequest) returns (EventsUnstructured);
+ // ExportUnstructuredEvents exports events from a given event chunk returned by GetEventExportChunks. This API prioritizes
+ // performance over ordering and filtering, and is intended for bulk export of events.
+ rpc ExportUnstructuredEvents(ExportUnstructuredEventsRequest) returns (stream ExportEventUnstructured);
+ // GetEventExportChunks returns a stream of event chunks that can be exported via ExportUnstructuredEvents. The returned
+ // list isn't ordered and polling for new chunks requires re-consuming the entire stream from the beginning.
+ rpc GetEventExportChunks(GetEventExportChunksRequest) returns (stream EventExportChunk);
+}
+
+// StreamUnstructuredSessionEventsRequest is a request containing data needed to fetch a session recording.
+message StreamUnstructuredSessionEventsRequest {
+ // session_id is the ID for a given session in an UUIDv4 format.
+ string session_id = 1;
+ // start_index is the index of the event to resume the stream after.
+ // A start_index of 0 creates a new stream.
+ int32 start_index = 2;
+}
+
+// Order controls the ordering of objects returned based on the timestamp field.
+enum Order {
+ ORDER_DESCENDING_UNSPECIFIED = 0;
+ ORDER_ASCENDING = 1;
+}
+
+// GetUnstructuredEventsRequest is a request with the needed data to fetch events.
+message GetUnstructuredEventsRequest {
+ // namespace, if not set, defaults to 'default'.
+ string namespace = 1;
+ // start_date is the oldest date of returned events.
+ google.protobuf.Timestamp start_date = 2;
+ // end_date is the newest date of returned events.
+ google.protobuf.Timestamp end_date = 3;
+ // event_types is optional, if not set, returns all events.
+ repeated string event_types = 4;
+ // limit is the maximum amount of events returned.
+ int32 limit = 5;
+ // start_key is used to resume a query in order to enable pagination.
+ // If the previous response had LastKey set then this should be
+ // set to its value. Otherwise leave empty.
+ string start_key = 6;
+ // order specifies an ascending or descending order of events.
+ // A value of 0 means a descending order and a value of 1 means an ascending order.
+ Order order = 7;
+}
+
+// EventsUnstructured represents a list of events.AuditEvent in an unstructured format.
+message EventsUnstructured {
+ // items is a list of unstructured formatted audit events.
+ repeated EventUnstructured items = 1;
+ // last_key is the key of the last event if the returned set did not contain all events found i.e limit <
+ // actual amount. this is the key clients can supply in another API request to continue fetching
+ // events from the previous last position.
+ string last_key = 2;
+}
+
+// ExportUnstructuredEventsRequest is a request with the needed data to export events.
+message ExportUnstructuredEventsRequest {
+ // date is the target date from which to export events. note that only the UTC date of the
+ // timestamp value is used. use of a specific local timestamp may produce confusing results.
+ google.protobuf.Timestamp date = 1;
+ // chunk is the chunk to export events from.
+ string chunk = 2;
+ // cursor is an optional mechanism to resume interrupted streams for a given chunk.
+ string cursor = 3;
+}
+
+// ExportEventUnstructured is the stream item of the ExportUnstructuredEvents method.
+message ExportEventUnstructured {
+ // event is the unstructured representation of the event payload.
+ EventUnstructured event = 1;
+ // cursor is the cursor to resume the stream after this point.
+ string cursor = 2;
+}
+
+// EventUnstructured represents a single events.AuditEvent in an unstructured format.
+message EventUnstructured {
+ // type is the type of the event.
+ string type = 1;
+ // id is the unique ID of the event.
+ // If the underlying event defines an ID, it will be used, otherwise
+ // it is a SHA256 hash of the event payload.
+ string id = 2;
+ // time is the time when the event was generated.
+ google.protobuf.Timestamp time = 3;
+ // index is the index of the event.
+ int64 index = 4;
+ // unstructured is the unstructured representation of the event payload.
+ google.protobuf.Struct unstructured = 5;
+}
+
+// GetEventExportChunksRequest is used to request the next set of event chunks to export.
+message GetEventExportChunksRequest {
+ // date is the date for which to list export shards.
+ google.protobuf.Timestamp date = 1;
+}
+
+// EventExportChunk represents a chunk of events to export.
+message EventExportChunk {
+ // chunk is the chunk to export.
+ string chunk = 1;
+}
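Review bot: `StreamUnstructuredSessionEventsRequest.start_index` is an `int32` while the `EventUnstructured.index` it is meant to resume after is an `int64`, so a client resuming from a returned index has to narrow the value and the comment does not say the two are the same counter. Changing the wire type would stay varint-compatible but alters generated code, so it is an upstream API decision; at minimum the comment should state `// start_index is the EventUnstructured.index of the event to resume the stream after.`. The `Order` enum values also carry no comments although the `order` field relies on 0 meaning descending; something like `// ORDER_DESCENDING_UNSPECIFIED returns newest events first and is the default.` on the values would keep that contract next to the enum. This file looks like a testdata copy of the upstream api proto, so these presumably belong upstream.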
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/autoupdate/v1/autoupdate.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/autoupdate/v1/autoupdate.proto
new file mode 100644
index 0000000000000..73f6d440f998e
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/autoupdate/v1/autoupdate.proto
@@ -0,0 +1,250 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.autoupdate.v1;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1;autoupdate";
+
+// AutoUpdateConfig is a config singleton used to configure cluster
+// autoupdate settings.
+message AutoUpdateConfig {
+ string kind = 1;
+ string sub_kind = 2;
+ string version = 3;
+ teleport.header.v1.Metadata metadata = 4;
+
+ AutoUpdateConfigSpec spec = 5;
+}
+
+// AutoUpdateConfigSpec encodes the parameters of the autoupdate config object.
+message AutoUpdateConfigSpec {
+ reserved 1;
+ reserved "tools_autoupdate"; // ToolsAutoupdate is replaced by tools.mode.
+ AutoUpdateConfigSpecTools tools = 2;
+ AutoUpdateConfigSpecAgents agents = 3;
+}
+
+// AutoUpdateConfigSpecTools encodes the parameters for client tools auto updates.
+message AutoUpdateConfigSpecTools {
+ // Mode defines state of the client tools auto update.
+ string mode = 1;
+}
+
+// AutoUpdateConfigSpecAgents encodes the parameters of automatic agent updates.
+message AutoUpdateConfigSpecAgents {
+ reserved 5;
+ reserved "agent_schedules";
+ // mode specifies whether agent autoupdates are enabled, disabled, or paused.
+ string mode = 1;
+ // strategy to use for updating the agents.
+ string strategy = 2;
+ // maintenance_window_duration is the maintenance window duration. This can only be set if `strategy` is "time-based".
+ // Once the window is over, the group transitions to the done state. Existing agents won't be updated until the next
+ // maintenance window.
+ google.protobuf.Duration maintenance_window_duration = 3;
+ // schedules specifies schedules for updates of grouped agents.
+ AgentAutoUpdateSchedules schedules = 6;
+}
+
+// AgentAutoUpdateSchedules specifies update scheduled for grouped agents.
+message AgentAutoUpdateSchedules {
+ // regular schedules for non-critical versions.
+ repeated AgentAutoUpdateGroup regular = 1;
+}
+
+// AgentAutoUpdateGroup specifies the update schedule for a group of agents.
+message AgentAutoUpdateGroup {
+ reserved 4;
+ reserved "wait_days";
+
+ // name of the group
+ string name = 1;
+ // days when the update can run. Supported values are "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun" and "*"
+ repeated string days = 2;
+ // start_hour to initiate update
+ int32 start_hour = 3;
+ // wait_hours after last group succeeds before this group can run. This can only be used when the strategy is "halt-on-failure".
+ // This field must be positive.
+ int32 wait_hours = 5;
+}
+
+// AutoUpdateVersion is a resource singleton with version required for
+// tools autoupdate.
+message AutoUpdateVersion {
+ string kind = 1;
+ string sub_kind = 2;
+ string version = 3;
+ teleport.header.v1.Metadata metadata = 4;
+
+ AutoUpdateVersionSpec spec = 5;
+}
+
+// AutoUpdateVersionSpec encodes the parameters of the autoupdate versions.
+message AutoUpdateVersionSpec {
+ reserved 1;
+ reserved "tools_version"; // ToolsVersion is replaced by tools.target_version.
+ AutoUpdateVersionSpecTools tools = 2;
+ AutoUpdateVersionSpecAgents agents = 3;
+}
+
+// AutoUpdateVersionSpecTools encodes the parameters for client tools auto updates.
+message AutoUpdateVersionSpecTools {
+ // TargetVersion specifies the semantic version required for tools to establish a connection with the cluster.
+ // Client tools after connection to the cluster going to be updated to this version automatically.
+ string target_version = 1;
+}
+
+// AutoUpdateVersionSpecAgents is the spec for the autoupdate version.
+message AutoUpdateVersionSpecAgents {
+ // start_version is the version to update from.
+ string start_version = 1;
+ // target_version is the version to update to.
+ string target_version = 2;
+ // schedule to use for the rollout
+ string schedule = 3;
+ // autoupdate_mode to use for the rollout
+ string mode = 4;
+}
+
+// AutoUpdateAgentRollout is the resource the Teleport Auth Service uses to track and control the rollout of a new
+// agent version. This resource is written by the automatic agent update controller in the Teleport Auth Service
+// and read by the Teleport Proxy Service.
+message AutoUpdateAgentRollout {
+ string kind = 1;
+ string sub_kind = 2;
+ string version = 3;
+ teleport.header.v1.Metadata metadata = 4;
+ AutoUpdateAgentRolloutSpec spec = 5;
+ AutoUpdateAgentRolloutStatus status = 6;
+}
+
+// AutoUpdateAgentRolloutSpec describes the desired agent rollout.
+// This is built by merging the user-provided AutoUpdateConfigSpecAgents and the operator-provided
+// AutoUpdateVersionSpecAgents.
+message AutoUpdateAgentRolloutSpec {
+ // start_version is the version to update from.
+ string start_version = 1;
+ // target_version is the version to update to.
+ string target_version = 2;
+ // schedule to use for the rollout. Supported values are "regular" and "immediate".
+ // - "regular" follows the regular group schedule
+ // - "immediate" updates all the agents immediately
+ string schedule = 3;
+ // autoupdate_mode to use for the rollout. Supported modes are:
+ // - "enabled": Teleport will update existing agents.
+ // - "disabled": Teleport will not update existing agents.
+ // - "suspended": Teleport will temporarily stop updating existing agents.
+ string autoupdate_mode = 4;
+ // strategy to use for updating the agents. Supported strategies are:
+ // - "time-based": agents update as soon as their maintenance window starts. There is no dependency between groups.
+ // This strategy allows Teleport users to setup reliable follow-the-sun updates and enforce the maintenance window
+ // more strictly. A group finishes its update at the end of the maintenance window, regardless of the new version
+ // adoption rate. Agents that missed the maintenance window will not attempt to update until the next maintenance
+ // window.
+ // - "halt-on-failure": the update proceeds from the first group to the last group, ensuring that each group
+ // successfully updates before allowing the next group to proceed. This is the strategy that offers the best
+ // availability. A group finishes its update once most of its agents are running the correct version. Agents that
+ // missed the group update will try to catch back as soon as possible.
+ string strategy = 5;
+ // maintenance_window_duration is the maintenance window duration. This can only be set if `strategy` is "time-based".
+ // Once the window is over, the group transitions to the done state. Existing agents won't be updated until the next
+ // maintenance window.
+ google.protobuf.Duration maintenance_window_duration = 6;
+}
+
+// AutoUpdateAgentRolloutStatus tracks the current agent rollout status.
+// The status is reset if any spec field changes except the mode.
+message AutoUpdateAgentRolloutStatus {
+ repeated AutoUpdateAgentRolloutStatusGroup groups = 1;
+ AutoUpdateAgentRolloutState state = 2;
+ // The start time is set when the rollout is created or reset. Usually this is caused by a version change.
+ // The timestamp allows the controller to detect that the rollout just changed.
+ // The controller will not start any group that should have been active before the start_time to avoid a double-update
+ // effect.
+ // For example, a group updates every day between 13:00 and 14:00. If the target version changes to 13:30, the group
+ // will not start updating to the new version directly. The controller sees that the group theoretical start time is
+ // before the rollout start time and the maintenance window belongs to the previous rollout.
+ // When the timestamp is nil, the controller will ignore the start time and check and allow groups to activate.
+ google.protobuf.Timestamp start_time = 3;
+
+ // Time override is an optional timestamp making the autoupdate_agent_rollout controller use a specific time instead
+ // of the system clock when evaluating time-based criteria. This field is used for testing and troubleshooting
+ // purposes.
+ google.protobuf.Timestamp time_override = 4;
+}
+
+// AutoUpdateAgentRolloutStatusGroup tracks the current agent rollout status of a specific group.
+message AutoUpdateAgentRolloutStatusGroup {
+ reserved 8;
+ reserved "config_wait_days";
+
+ // name of the group
+ string name = 1;
+ // start_time of the rollout
+ google.protobuf.Timestamp start_time = 2;
+ // state is the current state of the rollout.
+ AutoUpdateAgentGroupState state = 3;
+ // last_update_time is the time of the previous update for this group.
+ google.protobuf.Timestamp last_update_time = 4;
+ // last_update_reason is the trigger for the last update
+ string last_update_reason = 5;
+ // config_days when the update can run. Supported values are "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun" and "*"
+ repeated string config_days = 6;
+ // config_start_hour to initiate update
+ int32 config_start_hour = 7;
+ // config_wait_hours after last group succeeds before this group can run. This can only be used when the strategy is "halt-on-failure".
+ // This field must be positive.
+ int32 config_wait_hours = 9;
+}
+
+// AutoUpdateAgentGroupState represents the agent group state. This state controls whether the agents from this group
+// should install the start version, the target version, and if they should update immediately or wait.
+enum AutoUpdateAgentGroupState {
+ // AUTO_UPDATE_AGENT_GROUP_STATE_UNSPECIFIED state
+ AUTO_UPDATE_AGENT_GROUP_STATE_UNSPECIFIED = 0;
+ // AUTO_UPDATE_AGENT_GROUP_STATE_UNSTARTED represents that the group update has not been started yet.
+ AUTO_UPDATE_AGENT_GROUP_STATE_UNSTARTED = 1;
+ // AUTO_UPDATE_AGENT_GROUP_STATE_ACTIVE represents that the group is actively getting updated.
+ // New agents should run v2, existing agents are instructed to update to v2.
+ AUTO_UPDATE_AGENT_GROUP_STATE_ACTIVE = 2;
+ // AUTO_UPDATE_AGENT_GROUP_STATE_DONE represents that the group has been updated. New agents should run v2.
+ AUTO_UPDATE_AGENT_GROUP_STATE_DONE = 3;
+ // AUTO_UPDATE_AGENT_GROUP_STATE_ROLLEDBACK represents that the group has been rolled back.
+ // New agents should run v1, existing agents should update to v1.
+ AUTO_UPDATE_AGENT_GROUP_STATE_ROLLEDBACK = 4;
+}
+
+// AutoUpdateAgentRolloutState represents the rollout state. This tells if Teleport started updating agents from the
+// start version to the target version, if the update is done, still in progress
+// or if the rollout was manually reverted.
+enum AutoUpdateAgentRolloutState {
+ // AUTO_UPDATE_AGENT_ROLLOUT_STATE_UNSPECIFIED state
+ AUTO_UPDATE_AGENT_ROLLOUT_STATE_UNSPECIFIED = 0;
+ // AUTO_UPDATE_AGENT_ROLLOUT_STATE_UNSTARTED represents that no group in the rollout has been started yet.
+ AUTO_UPDATE_AGENT_ROLLOUT_STATE_UNSTARTED = 1;
+ // AUTO_UPDATE_AGENT_ROLLOUT_STATE_ACTIVE represents that at least one group of the rollout has started.
+ // If every group is finished, the state will be AUTO_UPDATE_AGENT_ROLLOUT_STATE_DONE.
+ AUTO_UPDATE_AGENT_ROLLOUT_STATE_ACTIVE = 2;
+ // AUTO_UPDATE_AGENT_ROLLOUT_STATE_DONE represents that every group is in the DONE state, or has been in the done
+ // state (groups might become active again in time-based strategy).
+ AUTO_UPDATE_AGENT_ROLLOUT_STATE_DONE = 3;
+ // AUTO_UPDATE_AGENT_ROLLOUT_STATE_ROLLEDBACK represents that at least one group is in the rolledback state.
+ AUTO_UPDATE_AGENT_ROLLOUT_STATE_ROLLEDBACK = 4;
+}
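Review bot: The documented set of agent modes disagrees between two messages in this file: the `mode` comment on AutoUpdateConfigSpecAgents says "enabled, disabled, or paused", while the `autoupdate_mode` comment on AutoUpdateAgentRolloutSpec lists "enabled", "disabled" and "suspended"; since the rollout spec is described as being built from the config spec, one of these is wrong and the comments should agree on the accepted strings. Relatedly, the `mode` field of AutoUpdateVersionSpecAgents is commented as `// autoupdate_mode to use for the rollout`, a field name that only exists on AutoUpdateAgentRolloutSpec; it should read `// mode is the autoupdate mode to use for the rollout.`, and it is worth settling on one field name before this schema is published because renaming later breaks JSON and generated accessors. The resource-header fields (`kind`, `sub_kind`, `version`, `metadata`) on AutoUpdateConfig, AutoUpdateVersion and AutoUpdateAgentRollout carry no comments, unlike every other field in the file. Finally, `wait_hours` and `config_wait_hours` are documented as "must be positive" but are typed `int32`; if the constraint is enforced by the server, saying where would help, and if this were a fresh field `uint32` would encode the rule in the type (not worth changing now since that is a wire-type change).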
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/autoupdate/v1/autoupdate_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/autoupdate/v1/autoupdate_service.proto
new file mode 100644
index 0000000000000..4191d09f83101
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/autoupdate/v1/autoupdate_service.proto
@@ -0,0 +1,133 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.autoupdate.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/autoupdate/v1/autoupdate.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1;autoupdate";
+
+// AutoUpdateService provides an API to manage autoupdates.
+service AutoUpdateService {
+ // GetAutoUpdateConfig gets the current autoupdate config singleton.
+ rpc GetAutoUpdateConfig(GetAutoUpdateConfigRequest) returns (AutoUpdateConfig);
+
+ // CreateAutoUpdateConfig creates a new AutoUpdateConfig.
+ rpc CreateAutoUpdateConfig(CreateAutoUpdateConfigRequest) returns (AutoUpdateConfig);
+
+ // CreateAutoUpdateConfig updates AutoUpdateConfig singleton.
+ rpc UpdateAutoUpdateConfig(UpdateAutoUpdateConfigRequest) returns (AutoUpdateConfig);
+
+ // UpsertAutoUpdateConfig creates a new AutoUpdateConfig or replaces an existing AutoUpdateConfig.
+ rpc UpsertAutoUpdateConfig(UpsertAutoUpdateConfigRequest) returns (AutoUpdateConfig);
+
+ // DeleteAutoUpdateConfig hard deletes the specified AutoUpdateConfig.
+ rpc DeleteAutoUpdateConfig(DeleteAutoUpdateConfigRequest) returns (google.protobuf.Empty);
+
+ // GetAutoUpdateVersion gets the current autoupdate version singleton.
+ rpc GetAutoUpdateVersion(GetAutoUpdateVersionRequest) returns (AutoUpdateVersion);
+
+ // CreateAutoUpdateVersion creates a new AutoUpdateVersion.
+ rpc CreateAutoUpdateVersion(CreateAutoUpdateVersionRequest) returns (AutoUpdateVersion);
+
+ // UpdateAutoUpdateVersion updates AutoUpdateVersion singleton.
+ rpc UpdateAutoUpdateVersion(UpdateAutoUpdateVersionRequest) returns (AutoUpdateVersion);
+
+ // UpsertAutoUpdateVersion creates a new AutoUpdateVersion or replaces an existing AutoUpdateVersion.
+ rpc UpsertAutoUpdateVersion(UpsertAutoUpdateVersionRequest) returns (AutoUpdateVersion);
+
+ // DeleteAutoUpdateVersion hard deletes the specified AutoUpdateVersionRequest.
+ rpc DeleteAutoUpdateVersion(DeleteAutoUpdateVersionRequest) returns (google.protobuf.Empty);
+
+ // GetAutoUpdateVersion gets the current autoupdate version singleton.
+ rpc GetAutoUpdateAgentRollout(GetAutoUpdateAgentRolloutRequest) returns (AutoUpdateAgentRollout);
+
+ // CreateAutoUpdateAgentRollout creates a new AutoUpdateAgentRollout.
+ rpc CreateAutoUpdateAgentRollout(CreateAutoUpdateAgentRolloutRequest) returns (AutoUpdateAgentRollout);
+
+ // UpdateAutoUpdateAgentRollout updates AutoUpdateAgentRollout singleton.
+ rpc UpdateAutoUpdateAgentRollout(UpdateAutoUpdateAgentRolloutRequest) returns (AutoUpdateAgentRollout);
+
+ // UpsertAutoUpdateAgentRollout creates a new AutoUpdateAgentRollout or replaces an existing AutoUpdateAgentRollout.
+ rpc UpsertAutoUpdateAgentRollout(UpsertAutoUpdateAgentRolloutRequest) returns (AutoUpdateAgentRollout);
+
+ // DeleteAutoUpdateAgentRollout hard deletes the specified AutoUpdateAgentRolloutRequest.
+ rpc DeleteAutoUpdateAgentRollout(DeleteAutoUpdateAgentRolloutRequest) returns (google.protobuf.Empty);
+}
+
+// Request for GetAutoUpdateConfig.
+message GetAutoUpdateConfigRequest {}
+
+// Request for CreateAutoUpdateConfig.
+message CreateAutoUpdateConfigRequest {
+ AutoUpdateConfig config = 1;
+}
+
+// Request for UpdateAutoUpdateConfig.
+message UpdateAutoUpdateConfigRequest {
+ AutoUpdateConfig config = 1;
+}
+
+// Request for UpsertAutoUpdateConfig.
+message UpsertAutoUpdateConfigRequest {
+ AutoUpdateConfig config = 1;
+}
+
+// Request for DeleteAutoUpdateConfig.
+message DeleteAutoUpdateConfigRequest {}
+
+// Request for GetAutoUpdateVersion.
+message GetAutoUpdateVersionRequest {}
+
+// Request for CreateAutoUpdateVersion.
+message CreateAutoUpdateVersionRequest {
+ AutoUpdateVersion version = 1;
+}
+
+// Request for UpdateAutoUpdateConfig.
+message UpdateAutoUpdateVersionRequest {
+ AutoUpdateVersion version = 1;
+}
+
+// Request for UpsertAutoUpdateVersion.
+message UpsertAutoUpdateVersionRequest {
+ AutoUpdateVersion version = 1;
+}
+
+// Request for DeleteAutoUpdateVersion.
+message DeleteAutoUpdateVersionRequest {}
+
+// Request for GetAutoUpdateAgentRollout.
+message GetAutoUpdateAgentRolloutRequest {}
+
+// Request for CreateAutoUpdateAgentRollout.
+message CreateAutoUpdateAgentRolloutRequest {
+ AutoUpdateAgentRollout rollout = 1;
+}
+
+// Request for UpdateAutoUpdateConfig.
+message UpdateAutoUpdateAgentRolloutRequest {
+ AutoUpdateAgentRollout rollout = 1;
+}
+
+// Request for UpsertAutoUpdateAgentRollout.
+message UpsertAutoUpdateAgentRolloutRequest {
+ AutoUpdateAgentRollout rollout = 1;
+}
+
+// Request for DeleteAutoUpdateAgentRollout.
+message DeleteAutoUpdateAgentRolloutRequest {}
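Review bot: Several leading comments in this file were copy-pasted and name the wrong RPC or message, which matters because protoc attaches them to the generated code and API docs. In the service, the comment above `UpdateAutoUpdateConfig` should start `// UpdateAutoUpdateConfig updates the AutoUpdateConfig singleton.`, the one above `GetAutoUpdateAgentRollout` should be `// GetAutoUpdateAgentRollout gets the current autoupdate agent rollout singleton.`, and the two delete comments should name the resource rather than the request (`// DeleteAutoUpdateVersion hard deletes the specified AutoUpdateVersion.` and likewise for AutoUpdateAgentRollout). Below the service, `UpdateAutoUpdateVersionRequest` and `UpdateAutoUpdateAgentRolloutRequest` are both introduced as `// Request for UpdateAutoUpdateConfig.` and should name their own RPC. As a point of style, the Delete RPCs return `google.protobuf.Empty`, which cannot grow fields later; this mirrors the published API so it is not something to change here, but new services should prefer a dedicated `Delete…Response` message.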
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/clusterconfig/v1/access_graph.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/clusterconfig/v1/access_graph.proto
new file mode 100644
index 0000000000000..147aa9261a07b
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/clusterconfig/v1/access_graph.proto
@@ -0,0 +1,41 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.clusterconfig.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1;clusterconfigv1";
+
+// AccessGraphConfig holds the information about the configured Access Graph service.
+message AccessGraphConfig {
+ // enabled indicates if the Access Graph is enabled for the cluster.
+ bool enabled = 1;
+ // address is the address of the access graph service. The address is in the
+ // form of "host:port".
+ string address = 2;
+ // ca is the PEM-encoded CA certificate of the access graph service.
+ bytes ca = 3;
+ // insecure is a flag that indicates whether the access graph service should
+ // skip verifying the server's certificate chain and host name.
+ bool insecure = 4;
+ // secrets_scan_config is used to configure the parameters for the secrets scanning functionality.
+ AccessGraphSecretsScanConfiguration secrets_scan_config = 5;
+}
+
+// AccessGraphSecretsScanConfiguration controls the secrets scanning service parameters.
+message AccessGraphSecretsScanConfiguration {
+ // ssh_scan_enabled indicates if the SSH scan feature is enabled for the cluster.
+ bool ssh_scan_enabled = 1;
+}
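Review bot: The `insecure` field of AccessGraphConfig turns off certificate-chain and host-name verification for the Access Graph connection, but its comment reads like any other flag and gives no hint of the consequence; the comment should spell out the risk, for example `// insecure disables verification of the access graph server's certificate chain and host name. This removes TLS server authentication and should only be enabled for testing; use `ca` to trust a private CA instead.` Mentioning `ca` there is useful because the two fields are alternatives and a reader may otherwise reach for `insecure` when a PEM CA would do. Since the enclosing message is in a crdgen testdata copy, the same wording change belongs in the upstream proto this file mirrors.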
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/clusterconfig/v1/access_graph_settings.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/clusterconfig/v1/access_graph_settings.proto
new file mode 100644
index 0000000000000..3f0e99639f51e
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/clusterconfig/v1/access_graph_settings.proto
@@ -0,0 +1,51 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.clusterconfig.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1;clusterconfigv1";
+
+// AccessGraphSettings holds dynamic configuration settings for the Access Graph service.
+message AccessGraphSettings {
+ // kind is the kind of the resource.
+ string kind = 1;
+ // sub_kind is the sub kind of the resource.
+ string sub_kind = 2;
+ // version is the version of the resource.
+ string version = 3;
+ // metadata is the metadata of the resource.
+ teleport.header.v1.Metadata metadata = 4;
+ // spec is the spec of the resource.
+ AccessGraphSettingsSpec spec = 5;
+}
+
+// AccessGraphSettingsSpec is the spec for the Access Graph service configuration settings.
+message AccessGraphSettingsSpec {
+ // secrets_scan_config is used to configure the parameters for the secrets scanning functionality.
+ AccessGraphSecretsScanConfig secrets_scan_config = 1;
+}
+
+// AccessGraphSecretsScanConfig is used to configure the parameters for the secrets scanning functionality.
+enum AccessGraphSecretsScanConfig {
+ // ACCESS_GRAPH_SECRETS_SCAN_CONFIG_UNSPECIFIED is an unknown secrets scan configuration.
+ ACCESS_GRAPH_SECRETS_SCAN_CONFIG_UNSPECIFIED = 0;
+ // ACCESS_GRAPH_SECRETS_SCAN_CONFIG_DISABLED is a disabled secrets scan configuration.
+ ACCESS_GRAPH_SECRETS_SCAN_CONFIG_DISABLED = 1;
+ // ACCESS_GRAPH_SECRETS_SCAN_CONFIG_ENABLED is an enabled secrets scan configuration.
+ ACCESS_GRAPH_SECRETS_SCAN_CONFIG_ENABLED = 2;
+}
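Review bot: The enum `AccessGraphSecretsScanConfig` is a plain on/off switch, yet both its comment and the comment on the `secrets_scan_config` field say it "is used to configure the parameters for the secrets scanning functionality", which is the wording used for the `AccessGraphSecretsScanConfiguration` message in access_graph.proto; a reader scanning the package sees two near-identical type names with identical descriptions and different shapes. The enum comment should say what it actually is, e.g. `// AccessGraphSecretsScanConfig is the enabled/disabled state of secrets scanning.`, and the field comment `// secrets_scan_config enables or disables secrets scanning for the cluster.` Naming the enum something like `AccessGraphSecretsScanMode` would avoid the collision, but since the type name is part of the generated API that is a judgement call for the upstream schema rather than this testdata copy.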
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/clusterconfig/v1/clusterconfig_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/clusterconfig/v1/clusterconfig_service.proto
new file mode 100644
index 0000000000000..55454bb0670d1
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/clusterconfig/v1/clusterconfig_service.proto
@@ -0,0 +1,151 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.clusterconfig.v1;
+
+import "teleport/clusterconfig/v1/access_graph.proto";
+import "teleport/clusterconfig/v1/access_graph_settings.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1;clusterconfigv1";
+
+// ClusterConfigService provides methods to manage cluster configuration resources.
+service ClusterConfigService {
+ // GetClusterNetworkingConfig retrieves the active cluster networking configuration.
+ rpc GetClusterNetworkingConfig(GetClusterNetworkingConfigRequest) returns (types.ClusterNetworkingConfigV2);
+ // UpdateClusterNetworkingConfig updates the cluster networking configuration.
+ rpc UpdateClusterNetworkingConfig(UpdateClusterNetworkingConfigRequest) returns (types.ClusterNetworkingConfigV2);
+ // UpsertClusterNetworkingConfig overwrites the active cluster networking configuration.
+ rpc UpsertClusterNetworkingConfig(UpsertClusterNetworkingConfigRequest) returns (types.ClusterNetworkingConfigV2);
+ // ResetClusterNetworkingConfig restores the active cluster networking configuration to default settings.
+ rpc ResetClusterNetworkingConfig(ResetClusterNetworkingConfigRequest) returns (types.ClusterNetworkingConfigV2);
+
+ // GetSessionRecordingConfig retrieves the active session recording configuration.
+ rpc GetSessionRecordingConfig(GetSessionRecordingConfigRequest) returns (types.SessionRecordingConfigV2);
+ // UpdateSessionRecordingConfig updates the session recording configuration.
+ rpc UpdateSessionRecordingConfig(UpdateSessionRecordingConfigRequest) returns (types.SessionRecordingConfigV2);
+ // UpsertSessionRecordingConfig overwrites the active session recording configuration.
+ rpc UpsertSessionRecordingConfig(UpsertSessionRecordingConfigRequest) returns (types.SessionRecordingConfigV2);
+ // ResetSessionRecordingConfig restores the active session recording configuration to default settings.
+ rpc ResetSessionRecordingConfig(ResetSessionRecordingConfigRequest) returns (types.SessionRecordingConfigV2);
+
+ // GetAuthPreference retrieves the active auth preference.
+ rpc GetAuthPreference(GetAuthPreferenceRequest) returns (types.AuthPreferenceV2);
+ // UpdateAuthPreference updates the auth preference.
+ rpc UpdateAuthPreference(UpdateAuthPreferenceRequest) returns (types.AuthPreferenceV2);
+ // UpsertAuthPreference overwrites the active auth preference.
+ rpc UpsertAuthPreference(UpsertAuthPreferenceRequest) returns (types.AuthPreferenceV2);
+ // ResetAuthPreference restores the active auth preference to default settings.
+ rpc ResetAuthPreference(ResetAuthPreferenceRequest) returns (types.AuthPreferenceV2);
+
+ // GetClusterAuditConfig retrieves the active cluster audit configuration.
+ rpc GetClusterAuditConfig(GetClusterAuditConfigRequest) returns (types.ClusterAuditConfigV2);
+
+ // GetClusterAccessGraphConfig retrieves the cluster Access Graph configuration from Auth service.
+ rpc GetClusterAccessGraphConfig(GetClusterAccessGraphConfigRequest) returns (GetClusterAccessGraphConfigResponse);
+
+ // GetAccessGraphSettings updates the cluster Access Graph configuration.
+ rpc GetAccessGraphSettings(GetAccessGraphSettingsRequest) returns (teleport.clusterconfig.v1.AccessGraphSettings);
+ // CreateAccessGraphSettings creates the cluster Access Graph configuration.
+ rpc CreateAccessGraphSettings(CreateAccessGraphSettingsRequest) returns (teleport.clusterconfig.v1.AccessGraphSettings);
+ // UpdateAccessGraphSettings updates the cluster Access Graph configuration.
+ rpc UpdateAccessGraphSettings(UpdateAccessGraphSettingsRequest) returns (teleport.clusterconfig.v1.AccessGraphSettings);
+ // UpsertAccessGraphSettings overwrites the active cluster Access Graph configuration.
+ rpc UpsertAccessGraphSettings(UpsertAccessGraphSettingsRequest) returns (teleport.clusterconfig.v1.AccessGraphSettings);
+ // ResetAccessGraphSettings restores the active cluster Access Graph to default settings.
+ rpc ResetAccessGraphSettings(ResetAccessGraphSettingsRequest) returns (teleport.clusterconfig.v1.AccessGraphSettings);
+}
+
+// Request for GetClusterNetworkingConfig
+message GetClusterNetworkingConfigRequest {}
+
+// Request for UpdateClusterNetworkingConfig
+message UpdateClusterNetworkingConfigRequest {
+ types.ClusterNetworkingConfigV2 cluster_network_config = 1;
+}
+
+// Request for UpsertClusterNetworkingConfig
+message UpsertClusterNetworkingConfigRequest {
+ types.ClusterNetworkingConfigV2 cluster_network_config = 1;
+}
+
+// Request for ResetClusterNetworkingConfig
+message ResetClusterNetworkingConfigRequest {}
+
+// Request for GetSessionRecordingConfig
+message GetSessionRecordingConfigRequest {}
+
+// Request for UpdateSessionRecordingConfig
+message UpdateSessionRecordingConfigRequest {
+ types.SessionRecordingConfigV2 session_recording_config = 1;
+}
+
+// Request for UpsertSessionRecordingConfig
+message UpsertSessionRecordingConfigRequest {
+ types.SessionRecordingConfigV2 session_recording_config = 1;
+}
+
+// Request for ResetSessionRecordingConfig
+message ResetSessionRecordingConfigRequest {}
+
+// Request for GetAuthPreference
+message GetAuthPreferenceRequest {}
+
+// Request for UpdateAuthPreference
+message UpdateAuthPreferenceRequest {
+ types.AuthPreferenceV2 auth_preference = 1;
+}
+
+// Request for UpsertAuthPreference
+message UpsertAuthPreferenceRequest {
+ types.AuthPreferenceV2 auth_preference = 1;
+}
+
+// Request for ResetAuthPreference
+message ResetAuthPreferenceRequest {}
+
+// Request for GetClusterAuditConfig
+message GetClusterAuditConfigRequest {}
+
+// Request for GetClusterAccessGraphConfig
+message GetClusterAccessGraphConfigRequest {}
+
+// Response for GetClusterAccessGraphConfig
+message GetClusterAccessGraphConfigResponse {
+ // access_graph holds the information about Access Graph service.
+ teleport.clusterconfig.v1.AccessGraphConfig access_graph = 1;
+}
+
+// Request for GetAccessGraphSettings
+message GetAccessGraphSettingsRequest {}
+
+// Request for CreateAccessGraphSettings
+message CreateAccessGraphSettingsRequest {
+ teleport.clusterconfig.v1.AccessGraphSettings access_graph_settings = 1;
+}
+
+// Request for UpdateAccessGraphSettings
+message UpdateAccessGraphSettingsRequest {
+ teleport.clusterconfig.v1.AccessGraphSettings access_graph_settings = 1;
+}
+
+// Request for UpsertAccessGraphSettings
+message UpsertAccessGraphSettingsRequest {
+ teleport.clusterconfig.v1.AccessGraphSettings access_graph_settings = 1;
+}
+
+// Request for ResetAccessGraphSettings
+message ResetAccessGraphSettingsRequest {}
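Review bot: The comment above `GetAccessGraphSettings` in ClusterConfigService says it "updates the cluster Access Graph configuration", which contradicts the method name and the neighbouring `UpdateAccessGraphSettings` comment; it should read `// GetAccessGraphSettings retrieves the active cluster Access Graph configuration.` so that generated docs do not describe a read as a write. The `ResetAccessGraphSettings` comment is also missing a word and should be `// ResetAccessGraphSettings restores the active cluster Access Graph settings to default values.` Everything else in the section is consistent with the pattern used for the other configuration resources.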
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/crownjewel/v1/crownjewel.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/crownjewel/v1/crownjewel.proto
new file mode 100644
index 0000000000000..55c453a913e18
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/crownjewel/v1/crownjewel.proto
@@ -0,0 +1,93 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.crownjewel.v1;
+
+import "google/protobuf/wrappers.proto";
+import "teleport/header/v1/metadata.proto";
+import "teleport/label/v1/label.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/crownjewel/v1;crownjewelv1";
+
+// CrownJewel represents a Crown Jewel resource.
+// Crown Jewel is a resource that represents a set of resources that are
+// considered critical to the organization. Access Graph uses Crown Jewel to
+// generate audit events if access to a resource has changed.
+message CrownJewel {
+ // The kind of resource represented.
+ string kind = 1;
+ // Mandatory field for all resources. Not populated for this resource type.
+ string sub_kind = 2;
+ // The version of the resource being represented.
+ string version = 3;
+ // Common metadata that all resources share.
+ teleport.header.v1.Metadata metadata = 4;
+ // Spec is the crown jewel spec.
+ CrownJewelSpec spec = 5;
+}
+
+// CrownJewelSpec is the specification of a Crown Jewel.
+message CrownJewelSpec {
+ // TeleportMatchers is a list of teleport matchers.
+ // DEPRECATED: Use query instead.
+ repeated TeleportMatcher teleport_matchers = 1;
+ // AWSMatchers is a list of AWS matchers.
+ // DEPRECATED: Use query instead.
+ repeated AWSMatcher aws_matchers = 2;
+ // Query is a Access Graph query to match resources.
+ string query = 3;
+}
+
+// TeleportMatcher represents a matcher for Teleport resources.
+message TeleportMatcher {
+ reserved 1;
+ reserved "name";
+ // Kind is the kind of the resource: ssh, k8s, db, etc
+ // Multiple kinds can be provided to match multiple kinds.
+ repeated string kinds = 2;
+ // Labels is a set of labels.
+ repeated teleport.label.v1.Label labels = 3;
+ // Names are the name of resources. When the name is provided, it will match
+ // resources with the same name.
+ repeated string names = 4;
+}
+
+// AWSMatcher represents a matcher for AWS resources.
+// Those matchers are used only by Access Graph. Teleport related matchers are
+// defined in the TeleportMatcher.
+message AWSMatcher {
+ // Types are AWS database types to match, "ec2", "rds", "s3", etc
+ repeated string types = 1;
+ // Regions are AWS regions to query for resources.
+ repeated string regions = 2;
+ // Tags are AWS resource Tags to match.
+ // labels is a set of labels.
+ repeated AWSTag tags = 3;
+
+ reserved 4;
+ reserved "arn";
+
+ // ARNs are AWS resources ARN to match.
+ repeated string arns = 5;
+}
+
+// AWSTag is a tag that is attached to an AWS resource.
+message AWSTag {
+ // Key is the key of the tag.
+ string key = 1;
+ // Value is the value of the tag.
+ repeated google.protobuf.StringValue values = 2;
+}
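Review bot: The comment on `AWSMatcher.types` (`Types are AWS database types to match, "ec2", "rds", "s3", etc`) is wrong — EC2 and S3 are not databases; suggest `// Types are AWS resource types to match: "ec2", "rds", "s3", etc.`. The stray `// labels is a set of labels.` line under `tags` reads as a copy-paste leftover and should be dropped, and `AWSTag.values` is documented as `Value is the value of the tag.` although it is `repeated` and uses `StringValue` wrappers — the comment should say how multiple values combine and what a wrapper with no value means (presumably "match any value", but nothing here states that). Since this file is a testdata copy under crdgen, the wording fix belongs in the upstream api proto and should be re-synced here.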
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/crownjewel/v1/crownjewel_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/crownjewel/v1/crownjewel_service.proto
new file mode 100644
index 0000000000000..3ca25630d0743
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/crownjewel/v1/crownjewel_service.proto
@@ -0,0 +1,92 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.crownjewel.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/crownjewel/v1/crownjewel.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/crownjewel/v1;crownjewelv1";
+
+// CrownJewelService is a service that provides methods to manage CrownJewels.
+service CrownJewelService {
+ // CreateCrownJewel creates a new CrownJewel.
+ rpc CreateCrownJewel(CreateCrownJewelRequest) returns (CrownJewel);
+ // GetCrownJewel gets a CrownJewel by name.
+ rpc GetCrownJewel(GetCrownJewelRequest) returns (CrownJewel);
+ // ListCrownJewels returns a list of CrownJewels. It supports pagination.
+ rpc ListCrownJewels(ListCrownJewelsRequest) returns (ListCrownJewelsResponse);
+ // UpdateCrownJewel updates an existing CrownJewel.
+ rpc UpdateCrownJewel(UpdateCrownJewelRequest) returns (CrownJewel);
+ // UpsertCrownJewel upserts a CrownJewel.
+ rpc UpsertCrownJewel(UpsertCrownJewelRequest) returns (CrownJewel);
+ // DeleteCrownJewel deletes a CrownJewel.
+ rpc DeleteCrownJewel(DeleteCrownJewelRequest) returns (google.protobuf.Empty);
+}
+
+// CrownJewelRequest is a request to create a new CrownJewel.
+message CreateCrownJewelRequest {
+ reserved 1;
+ reserved "crown_jewels";
+
+ teleport.crownjewel.v1.CrownJewel crown_jewel = 2;
+}
+
+// GetCrownJewelRequest is a request to get a CrownJewel by name.
+message GetCrownJewelRequest {
+ // Name is the name of the CrownJewel to get.
+ string name = 1;
+}
+
+// ListCrownJewelsRequest is a request to get a list of CrownJewels.
+message ListCrownJewelsRequest {
+ // page_size is the maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int64 page_size = 1;
+ // page_token is the next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+}
+
+// ListCrownJewelsResponse is a response to GetCrownJewelsRequest.
+message ListCrownJewelsResponse {
+ repeated teleport.crownjewel.v1.CrownJewel crown_jewels = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// UpdateCrownJewelRequest is a request to update an existing CrownJewel.
+message UpdateCrownJewelRequest {
+ reserved 1;
+ reserved "crown_jewels";
+
+ teleport.crownjewel.v1.CrownJewel crown_jewel = 2;
+}
+
+// UpsertCrownJewelRequest is a request to upsert a CrownJewel.
+message UpsertCrownJewelRequest {
+ reserved 1;
+ reserved "crown_jewels";
+
+ teleport.crownjewel.v1.CrownJewel crown_jewel = 2;
+}
+
+// DeleteCrownJewelRequest is a request to delete a CrownJewel.
+message DeleteCrownJewelRequest {
+ // Name is the name of the CrownJewel to delete.
+ string name = 1;
+}
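Review bot: The leading comment on `CreateCrownJewelRequest` names a non-existent `CrownJewelRequest`, and `ListCrownJewelsResponse` is described as a response to `GetCrownJewelsRequest`; both should name the actual message: `// CreateCrownJewelRequest is a request to create a new CrownJewel.` and `// ListCrownJewelsResponse is a response to ListCrownJewelsRequest.`. The `crown_jewel` field in the Create/Update/Upsert requests carries no comment at all. `page_size` is `int64` here while the dbobject and dbobjectimportrule services added in this same change use `int32`; harmless on the wire but worth aligning, ideally in the upstream api proto this testdata mirrors.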
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/dbobject/v1/dbobject.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/dbobject/v1/dbobject.proto
new file mode 100644
index 0000000000000..3532a96af1cfa
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/dbobject/v1/dbobject.proto
@@ -0,0 +1,53 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.dbobject.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/dbobject/v1;dbobjectv1";
+
+// DatabaseObject represents a database object that can be imported into Teleport.
+// An example of such object would be a database table, along with various metadata.
+// For rationale behind this type, see the RFD 151.
+message DatabaseObject {
+ // The kind of resource represented.
+ string kind = 1;
+ // Mandatory field for all resources. Not populated for this resource type.
+ string sub_kind = 2;
+ // The version of the resource being represented.
+ string version = 3;
+ // Common metadata that all resources share.
+ teleport.header.v1.Metadata metadata = 4;
+ // Specification for the database object.
+ DatabaseObjectSpec spec = 5;
+}
+
+// DatabaseObjectSpec is the spec for the database object.
+message DatabaseObjectSpec {
+ // The protocol used to connect to the database (e.g., postgres). Required.
+ string protocol = 1;
+ // The name of the database service that this object belongs to. Required.
+ string database_service_name = 2;
+ // The kind of database object (e.g., table, view). Required.
+ string object_kind = 3;
+ // The database containing the object. Optional.
+ string database = 4;
+ // The schema containing the object (if applicable). Optional.
+ string schema = 5;
+ // The name of the object. Required.
+ string name = 6;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/dbobject/v1/dbobject_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/dbobject/v1/dbobject_service.proto
new file mode 100644
index 0000000000000..a3d7bf6598e0b
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/dbobject/v1/dbobject_service.proto
@@ -0,0 +1,102 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.dbobject.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/dbobject/v1/dbobject.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/dbobject/v1;dbobjectv1";
+
+// DatabaseObjectService provides methods to manage Teleport DatabaseObjects
+service DatabaseObjectService {
+ // GetDatabaseObject is used to query a database object resource by its name.
+ //
+ // This will return a NotFound error if the specified database object does not exist.
+ rpc GetDatabaseObject(GetDatabaseObjectRequest) returns (DatabaseObject);
+
+ // ListDatabaseObjects is used to query database objects.
+ //
+ // Follows the pagination semantics of
+ // https://cloud.google.com/apis/design/standard_methods#list.
+ rpc ListDatabaseObjects(ListDatabaseObjectsRequest) returns (ListDatabaseObjectsResponse);
+
+ // CreateDatabaseObject is used to create a database object.
+ //
+ // This will return an error if a database object by that name already exists.
+ rpc CreateDatabaseObject(CreateDatabaseObjectRequest) returns (DatabaseObject);
+
+ // UpdateDatabaseObject is used to modify an existing database object.
+ rpc UpdateDatabaseObject(UpdateDatabaseObjectRequest) returns (DatabaseObject);
+
+ // UpsertDatabaseObject is used to create or replace an existing database object.
+ //
+ // Prefer using CreateDatabaseObject and UpdateDatabaseObject.
+ rpc UpsertDatabaseObject(UpsertDatabaseObjectRequest) returns (DatabaseObject);
+
+ // DeleteDatabaseObject is used to delete a specific database object.
+ //
+ // This will return a NotFound error if the specified database object does not exist.
+ rpc DeleteDatabaseObject(DeleteDatabaseObjectRequest) returns (google.protobuf.Empty);
+}
+
+// The request for CreateDatabaseObject.
+message CreateDatabaseObjectRequest {
+ // The database object to create.
+ DatabaseObject object = 1;
+}
+
+// The request for GetDatabaseObject.
+message GetDatabaseObjectRequest {
+ // The name of the database object to fetch.
+ string name = 1;
+}
+
+// The request for ListDatabaseObjects.
+message ListDatabaseObjectsRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+ // The page_token is the next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+}
+
+// The response for ListDatabaseObjects.
+message ListDatabaseObjectsResponse {
+ // The page of database objects that matched the request.
+ repeated DatabaseObject objects = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// The request for UpdateDatabaseObject.
+message UpdateDatabaseObjectRequest {
+ // The database object to replace.
+ DatabaseObject object = 1;
+}
+
+// The request for UpsertDatabaseObject.
+message UpsertDatabaseObjectRequest {
+ // The database object to create or replace.
+ DatabaseObject object = 1;
+}
+
+// The request for DeleteDatabaseObject.
+message DeleteDatabaseObjectRequest {
+ // The name of the database object to delete.
+ string name = 1;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/dbobjectimportrule/v1/dbobjectimportrule.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/dbobjectimportrule/v1/dbobjectimportrule.proto
new file mode 100644
index 0000000000000..9e94cb6e3e4b2
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/dbobjectimportrule/v1/dbobjectimportrule.proto
@@ -0,0 +1,91 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.dbobjectimportrule.v1;
+
+import "teleport/header/v1/metadata.proto";
+import "teleport/label/v1/label.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/dbobjectimportrule/v1;dbobjectimportrulev1";
+
+// DatabaseObjectImportRule is the resource representing a global database object import rule.
+// The import rules govern which database objects are imported from databases.
+// See type teleport.dbobject.v1.DatabaseObject for the description of a database object.
+// For rationale behind this type, see the RFD 151.
+message DatabaseObjectImportRule {
+ // The kind of resource represented.
+ string kind = 1;
+ // Mandatory field for all resources. Not populated for this resource type.
+ string sub_kind = 2;
+ // The version of the resource being represented.
+ string version = 3;
+ // Common metadata that all resources share.
+ teleport.header.v1.Metadata metadata = 4;
+
+ // spec represents the specifications for the database object import rule.
+ DatabaseObjectImportRuleSpec spec = 5;
+}
+
+// DatabaseObjectImportRuleSpec is the spec for database object import rule.
+message DatabaseObjectImportRuleSpec {
+ // priority represents the priority of the rule application.
+ //
+ // Rules are processed from lowest to highest priority.
+ // If two rules apply the same label, then the value applied with the rule with the highest priority wins.
+ int32 priority = 1;
+
+ reserved 2;
+ reserved "db_labels";
+
+ // db_labels is a set of labels matched against database labels.
+ repeated teleport.label.v1.Label database_labels = 3;
+
+ // mappings is a list of matches that will map match conditions to labels.
+ repeated DatabaseObjectImportRuleMapping mappings = 4;
+}
+
+// DatabaseObjectImportRuleMapping is the mapping between object properties and labels that will be added to the object.
+message DatabaseObjectImportRuleMapping {
+ // match specifies the matching rules, like the object names.
+ DatabaseObjectImportMatch match = 1;
+
+ // scope specifies the object scope. Optional. If not provided, all scopes will be accepted.
+ DatabaseObjectImportScope scope = 2;
+
+ // add_labels specifies which labels to add if the match succeeds. At least one should be present.
+ map add_labels = 3;
+}
+
+// DatabaseObjectImportMatch specifies acceptable object names. Must have at least one non-empty member.
+message DatabaseObjectImportMatch {
+ // table_names specify the names of the tables to match. Optional.
+ repeated string table_names = 1;
+
+ // view_names specify the names of the views to match. Optional.
+ repeated string view_names = 2;
+
+ // procedure_names specify the names of the procedures to match. Optional.
+ repeated string procedure_names = 3;
+}
+
+// DatabaseObjectImportScope specifies the object scope. Members are matched independently of each other.
+message DatabaseObjectImportScope {
+ // database_names specify the names of the databases to include in the scope. Optional.
+ repeated string database_names = 1;
+
+ // schema_names specify the names of the schemas to include in the scope. Optional.
+ repeated string schema_names = 2;
+}
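Review bot: As shown, `map add_labels = 3;` in `DatabaseObjectImportRuleMapping` is not valid proto3 — `map` needs key/value types, presumably `map<string, string> add_labels = 3;`; if the type parameters were lost in rendering, confirm the checked-in testdata file has them, since the crdgen tooling parses these files. The comment on field 3 of `DatabaseObjectImportRuleSpec` still says `db_labels is a set of labels...` but that name is reserved and the field is `database_labels`. `table_names`/`view_names`/`procedure_names` do not say whether entries are exact names or patterns; because the labels these rules apply presumably feed access decisions on the imported objects, an explicit statement either way (e.g. `// Names are matched exactly; no wildcard expansion.`) would prevent accidental over-broad labelling.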
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/dbobjectimportrule/v1/dbobjectimportrule_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/dbobjectimportrule/v1/dbobjectimportrule_service.proto
new file mode 100644
index 0000000000000..da8ea7a6594a7
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/dbobjectimportrule/v1/dbobjectimportrule_service.proto
@@ -0,0 +1,102 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.dbobjectimportrule.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/dbobjectimportrule/v1/dbobjectimportrule.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/dbobjectimportrule/v1;dbobjectimportrulev1";
+
+// DatabaseObjectImportRuleService provides methods to manage Teleport DatabaseObjectImportRules
+service DatabaseObjectImportRuleService {
+ // GetDatabaseObjectImportRule is used to query a DatabaseObjectImportRule resource by its name.
+ //
+ // This will return a NotFound error if the specified DatabaseObjectImportRule does not exist.
+ rpc GetDatabaseObjectImportRule(GetDatabaseObjectImportRuleRequest) returns (DatabaseObjectImportRule);
+
+ // ListDatabaseObjectImportRules is used to query DatabaseObjectImportRules.
+ //
+ // Follows the pagination semantics of
+ // https://cloud.google.com/apis/design/standard_methods#list.
+ rpc ListDatabaseObjectImportRules(ListDatabaseObjectImportRulesRequest) returns (ListDatabaseObjectImportRulesResponse);
+
+ // CreateDatabaseObjectImportRule is used to create a DatabaseObjectImportRule.
+ //
+ // This will return an error if a DatabaseObjectImportRule by that name already exists.
+ rpc CreateDatabaseObjectImportRule(CreateDatabaseObjectImportRuleRequest) returns (DatabaseObjectImportRule);
+
+ // UpdateDatabaseObjectImportRule is used to modify an existing DatabaseObjectImportRule.
+ rpc UpdateDatabaseObjectImportRule(UpdateDatabaseObjectImportRuleRequest) returns (DatabaseObjectImportRule);
+
+ // UpsertDatabaseObjectImportRule is used to create or replace an existing DatabaseObjectImportRule.
+ //
+ // Prefer using CreateDatabaseObjectImportRule and UpdateDatabaseObjectImportRule.
+ rpc UpsertDatabaseObjectImportRule(UpsertDatabaseObjectImportRuleRequest) returns (DatabaseObjectImportRule);
+
+ // DeleteDatabaseObjectImportRule is used to delete a specific DatabaseObjectImportRule.
+ //
+ // This will return a NotFound error if the specified DatabaseObjectImportRule does not exist.
+ rpc DeleteDatabaseObjectImportRule(DeleteDatabaseObjectImportRuleRequest) returns (google.protobuf.Empty);
+}
+
+// The request for CreateDatabaseObjectImportRule.
+message CreateDatabaseObjectImportRuleRequest {
+ // The DatabaseObjectImportRule to create.
+ DatabaseObjectImportRule rule = 1;
+}
+
+// The request for GetDatabaseObjectImportRule.
+message GetDatabaseObjectImportRuleRequest {
+ // The name of the DatabaseObjectImportRule to fetch.
+ string name = 1;
+}
+
+// The request for ListDatabaseObjectImportRules.
+message ListDatabaseObjectImportRulesRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+ // The page_token is the next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+}
+
+// The response for ListDatabaseObjectImportRules.
+message ListDatabaseObjectImportRulesResponse {
+ // The page of DatabaseObjectImportRules that matched the request.
+ repeated DatabaseObjectImportRule rules = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// The request for UpdateDatabaseObjectImportRule.
+message UpdateDatabaseObjectImportRuleRequest {
+ // The DatabaseObjectImportRule to replace.
+ DatabaseObjectImportRule rule = 1;
+}
+
+// The request for UpsertDatabaseObjectImportRule.
+message UpsertDatabaseObjectImportRuleRequest {
+ // The DatabaseObjectImportRule to create or replace.
+ DatabaseObjectImportRule rule = 1;
+}
+
+// The request for DeleteDatabaseObjectImportRule.
+message DeleteDatabaseObjectImportRuleRequest {
+ // The name of the DatabaseObjectImportRule to delete.
+ string name = 1;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/database_access.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/database_access.proto
new file mode 100644
index 0000000000000..cd852a45d0b6d
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/database_access.proto
@@ -0,0 +1,53 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/denial_metadata.proto";
+import "teleport/decision/v1alpha1/permit_metadata.proto";
+import "teleport/decision/v1alpha1/request_metadata.proto";
+import "teleport/decision/v1alpha1/resource.proto";
+import "teleport/decision/v1alpha1/tls_identity.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// EvaluateDatabaseAccessRequest describes a request to evaluate whether or not
+// a given database access attempt should be permitted.
+message EvaluateDatabaseAccessRequest {
+ RequestMetadata metadata = 1;
+ TLSIdentity tls_identity = 2;
+ Resource database = 3;
+}
+
+// EvaluateDatabaseAccessResponse describes the result of a database access
+// evaluation.
+message EvaluateDatabaseAccessResponse {
+ oneof result {
+ DatabaseAccessPermit permit = 1;
+ DatabaseAccessDenial denial = 2;
+ }
+}
+
+// DatabaseAccessPermit describes the parameters/constraints of a permissible
+// database access attempt.
+message DatabaseAccessPermit {
+ PermitMetadata metadata = 1;
+}
+
+// DatabaseAccessDenial describes a database access denial.
+message DatabaseAccessDenial {
+ DenialMetadata metadata = 1;
+}
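Review bot: `EvaluateDatabaseAccessResponse.result` is a oneof, so a PEP can receive a response with neither `permit` nor `denial` set (a zero-value message, or a future case this PEP does not know); the file should state that an unset `result` is enforced as a denial so the PEP fails closed, e.g. `// Exactly one of permit or denial is set; a PEP must treat an unset result as a denial.`. The three request fields carry no comments — `tls_identity` in particular is data asserted by the caller, so it is worth noting that the PDP does not authenticate it and relies on the PEP having done so: `// tls_identity is the subject's identity as already authenticated by the PEP.`. `DatabaseAccessPermit` currently carries only metadata and no constraints, which is fine for v1alpha1 but should be said so readers do not look for them.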
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/decision_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/decision_service.proto
new file mode 100644
index 0000000000000..b5f98c7d5e33e
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/decision_service.proto
@@ -0,0 +1,40 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/database_access.proto";
+import "teleport/decision/v1alpha1/ssh_access.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// DecisionService performs authorization decisions for Teleport.
+//
+// DecisionService acts the PDP (Policy Decision Point) for Teleport services,
+// whereas the services themselves act as the PEP (Policy Enforcement Point).
+// In other words, it calculates the outcome of an authorization request but
+// does not enforce it - each Teleport service must do so.
+//
+// Evaluation responses carry all the data necessary for the enforcement of a
+// decision. A successful evaluation carries a Permit, whereas a failed
+// evaluation carries a Denial.
+service DecisionService {
+ // EvaluateSSHAccess evaluates an SSH access attempt.
+ rpc EvaluateSSHAccess(EvaluateSSHAccessRequest) returns (EvaluateSSHAccessResponse);
+
+ // EvaluateDatabaseAccess evaluate a database access attempt.
+ rpc EvaluateDatabaseAccess(EvaluateDatabaseAccessRequest) returns (EvaluateDatabaseAccessResponse);
+}
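Review bot: Two wording slips in the service doc: `DecisionService acts the PDP` should be `acts as the PDP`, and `EvaluateDatabaseAccess evaluate a database access attempt.` should read `evaluates`. The service comment says responses carry everything needed for enforcement but not what a PEP does when it cannot interpret one; a single sentence such as `// A PEP must deny access whenever a response cannot be interpreted or enforced.` would make the fail-closed contract explicit at the service level.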
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/denial_metadata.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/denial_metadata.proto
new file mode 100644
index 0000000000000..6c30f1fba49b5
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/denial_metadata.proto
@@ -0,0 +1,38 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/enforcement_feature.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// Metadata for access denials.
+message DenialMetadata {
+ // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy
+ // Enforcement Point) *must* implement in order to correctly enforce the
+ // decision. Note that denials rarely need feature assertions since they
+ // typically "fail safe" anyway.
+ repeated EnforcementFeature feature_assertions = 1;
+
+ // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated
+ // the decision request.
+ string pdp_version = 2;
+
+ // UserMessage is a sanitized message safe for return to the subject identity
+ // of the decision request.
+ string user_message = 3;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/enforcement_feature.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/enforcement_feature.proto
new file mode 100644
index 0000000000000..599a516a1ab92
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/enforcement_feature.proto
@@ -0,0 +1,26 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// EnforcementFeature represents PEP (Policy Enforcement Point) features.
+enum EnforcementFeature {
+ // ENFORCEMENT_FEATURE_UNSPECIFIED is the default/unspecified value for
+ // EnforcementFeature. Asserting this feature has no effect.
+ ENFORCEMENT_FEATURE_UNSPECIFIED = 0;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/permit_metadata.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/permit_metadata.proto
new file mode 100644
index 0000000000000..ba7f607a4c62d
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/permit_metadata.proto
@@ -0,0 +1,34 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/enforcement_feature.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// Metadata for access permits.
+message PermitMetadata {
+ // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy
+ // Enforcement Point) *must* implement in order to correctly enforce the
+ // decision. Note that where possible new features should be structured to
+ // "fail safe" rather than relying on feature assertions.
+ repeated EnforcementFeature feature_assertions = 1;
+
+ // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated
+ // the decision request.
+ string pdp_version = 2;
+}
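Review bot: `feature_assertions` says the PEP *must* implement every listed feature, but proto3 preserves unknown enum values as raw integers, so an older PEP will see a feature it does not know as an out-of-range `EnforcementFeature` rather than an error; the comment should state that an unrecognized value counts as an unsatisfied assertion and the permit is rejected, e.g. `// A PEP that does not recognize an asserted feature must reject the permit and deny access.`. Without that, a PEP that iterates only the values it knows would silently enforce a permit it cannot honour.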
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/request_metadata.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/request_metadata.proto
new file mode 100644
index 0000000000000..2059bd59d3407
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/request_metadata.proto
@@ -0,0 +1,44 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// Metadata for evaluation requests.
+message RequestMetadata {
+ // FeatureAssertions is a list of DecisionFeature that the PDP (Policy
+ // Decision Point) *must* implement in order to correctly evaluate the
+ // decision request. Note that changes that require new features in the PDP in
+ // order for it to understand a decision request are rare and should be
+ // avoided if possible.
+ repeated DecisionFeature feature_assertions = 1;
+
+ // PepVersionHint is the *likely* version of the PEP that will enforce the
+ // decision. Not all decision requests can guarantee that the expected PEP
+ // (Policy Enforcement Point) version will actually be the version that ends
+ // up enforcing the decision. Hard compatibility requirements must be enforced
+ // via feature assertions so that PEPs can correctly reject decisions that
+ // they cannot enforce.
+ string pep_version_hint = 2;
+}
+
+// DecisionFeature represents supported PDP (Policy Decision Point) features.
+enum DecisionFeature {
+ // DECISION_FEATURE_UNSPECIFIED is the default/unspecified value for
+ // DecisionFeature. Asserting this feature has no effect.
+ DECISION_FEATURE_UNSPECIFIED = 0;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/resource.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/resource.proto
new file mode 100644
index 0000000000000..25b1e970ae114
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/resource.proto
@@ -0,0 +1,37 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// Resource is the conventional reference type used to refer to the "object" of
+// an action that is being considered for an authorization decision. For
+// example, a call to EvaluateSSHAccess would use the Resource type to reference
+// the ssh node being accessed.
+message Resource {
+ // Kind is the type of the resource. Required for requests that support
+ // multiple types, otherwise safe to omit.
+ string kind = 1;
+
+ // SubKind is the subtype of the resource. Usually not required as most
+ // resources don't have subkinds, or their subkinds do not have an effect on
+ // authorization decisions.
+ string sub_kind = 2;
+
+ // Name is the unique name of the resource.
+ string name = 3;
+}
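Review bot: `string name = 3;` in Resource is documented as "the unique name of the resource" but the scope of that uniqueness is never stated, and unlike ResourceId (which carries a cluster_name) this message has no cluster qualifier, so a Resource can only be unambiguous within whatever cluster is handling the request — presumably intended, since the PDP is co-located, but worth saying because this is the object an authorization decision is made about. Suggest `// Name is the name of the resource, unique within its kind in the cluster evaluating the request.` and, on `kind`, a pointer to the accepted values (`// Kind is the type of the resource, e.g. "node"; see types.Kind* constants.`) so that a PDP does not have to treat it as free-form text. If the intent is that Resource may later refer to resources in leaf clusters, a `cluster_name` field should be added now rather than overloading `name`.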
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/ssh_access.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/ssh_access.proto
new file mode 100644
index 0000000000000..df2685c529db5
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/ssh_access.proto
@@ -0,0 +1,75 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "google/protobuf/duration.proto";
+import "teleport/decision/v1alpha1/denial_metadata.proto";
+import "teleport/decision/v1alpha1/permit_metadata.proto";
+import "teleport/decision/v1alpha1/request_metadata.proto";
+import "teleport/decision/v1alpha1/resource.proto";
+import "teleport/decision/v1alpha1/ssh_identity.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// EvaluateSSHAccessRequest describes a request to evaluate whether or not a
+// given ssh access attempt should be permitted.
+message EvaluateSSHAccessRequest {
+ // Metadata holds common authorization decision request fields.
+ RequestMetadata metadata = 1;
+
+ // User describes the teleport user requesting access.
+ SSHIdentity ssh_identity = 2;
+
+ // Node references the target node the user is attempting to access.
+ Resource node = 3;
+}
+
+// EvaluateSSHAccessResponse describes the result of an SSH access evaluation.
+message EvaluateSSHAccessResponse {
+ oneof decision {
+ SSHAccessPermit permit = 1;
+ SSHAccessDenial denial = 2;
+ }
+}
+
+// SSHAccessPermit describes the parameters/constraints of a permissible SSH
+// access attempt.
+message SSHAccessPermit {
+ PermitMetadata metadata = 1;
+ repeated string logins = 2;
+ bool forward_agent = 3;
+ google.protobuf.Duration max_session_ttl = 4;
+ bool port_forwarding = 5;
+ int64 client_idle_timeout = 6;
+ bool disconnect_expired_cert = 7;
+ repeated string bpf = 8;
+ bool x11_forwarding = 9;
+ int64 max_connections = 10;
+ int64 max_sessions = 11;
+ string lock = 12;
+ bool create_host_user = 13;
+ bool ssh_file_copy = 14;
+ string create_host_user_mode = 15;
+ string create_host_user_shell = 16;
+ repeated string host_groups = 17;
+ repeated string host_sudoers = 18;
+}
+
+// SSHAccessDenial describes an SSH access denial.
+message SSHAccessDenial {
+ DenialMetadata metadata = 1;
+}
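Review bot: The fields of SSHAccessPermit carry the entire enforcement contract yet none of them is documented, and the two time-valued fields are encoded inconsistently — `max_session_ttl` is a `google.protobuf.Duration` while `client_idle_timeout` is a bare `int64` with no unit, so a PEP has to guess whether it is seconds or nanoseconds, and a wrong guess silently weakens a control (an idle timeout 1000× too long). While this API is still v1alpha1 I would change it to `google.protobuf.Duration client_idle_timeout = 6;`, or at minimum document the unit on the field. Each permit field should also get a leading comment stating its semantics, especially the free-form strings `lock` (presumably the locking mode, strict vs. best-effort — confirm) and `create_host_user_mode`/`create_host_user_shell`, whose accepted values a PEP must validate rather than pass through. The comment on `ssh_identity` in EvaluateSSHAccessRequest still reads `// User describes the teleport user requesting access.` and should name the field, e.g. `// SshIdentity describes the teleport user requesting access.`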
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/ssh_identity.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/ssh_identity.proto
new file mode 100644
index 0000000000000..c63fa2f73850c
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/ssh_identity.proto
@@ -0,0 +1,189 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/decision/v1alpha1/tls_identity.proto";
+import "teleport/trait/v1/trait.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// SSHIdentity is the identity used for SSH connections.
+message SSHIdentity {
+ // --- common identity fields ---
+
+ // ValidAfter is the unix timestamp that marks the start time for when the certificate should
+ // be considered valid.
+ uint64 valid_after = 1;
+
+ // ValidBefore is the unix timestamp that marks the end time for when the certificate should
+ // be considered valid.
+ uint64 valid_before = 2;
+
+ // CertType indicates what type of cert this is (user or host).
+ uint32 cert_type = 3;
+
+ // Principals is the list of SSH principals associated with the certificate (this means the
+ // list of allowed unix logins in the case of user certs).
+ repeated string principals = 4;
+
+ // --- host identity fields ---
+
+ // ClusterName is the name of the cluster within which a node lives
+ string cluster_name = 5;
+ // SystemRole identifies the system role of a Teleport instance
+ string system_role = 6;
+
+ // -- user identity fields ---
+
+ // Username is teleport username
+ string username = 7;
+
+ // Impersonator is set when a user requests certificate for another user
+ string impersonator = 8;
+
+ // PermitX11Forwarding permits X11 forwarding for this cert
+ bool permit_x11_forwarding = 9;
+
+ // PermitAgentForwarding permits agent forwarding for this cert
+ bool permit_agent_forwarding = 10;
+
+ // PermitPortForwarding permits port forwarding.
+ bool permit_port_forwarding = 11;
+
+ // Roles is a list of roles assigned to this user
+ repeated string roles = 12;
+
+ // RouteToCluster specifies the target cluster
+ // if present in the certificate, will be used
+ // to route the requests to
+ string route_to_cluster = 13;
+
+ // Traits hold claim data used to populate a role at runtime.
+ repeated teleport.trait.v1.Trait traits = 14;
+
+ // ActiveRequests tracks privilege escalation requests applied during
+ // certificate construction.
+ repeated string active_requests = 15;
+
+ // MFAVerified is the UUID of an MFA device when this Identity was
+ // confirmed immediately after an MFA check.
+ string mfa_verified = 16;
+
+ // PreviousIdentityExpires is the expiry time of the identity/cert that this
+ // identity/cert was derived from. It is used to determine a session's hard
+ // deadline in cases where both require_session_mfa and disconnect_expired_cert
+ // are enabled. See https://github.com/gravitational/teleport/issues/18544.
+ google.protobuf.Timestamp previous_identity_expires = 17;
+
+ // LoginIP is an observed IP of the client on the moment of certificate creation.
+ string login_ip = 18;
+
+ // PinnedIP is an IP from which client must communicate with Teleport.
+ string pinned_ip = 19;
+
+ // DisallowReissue flags that any attempt to request new certificates while
+ // authenticated with this cert should be denied.
+ bool disallow_reissue = 20;
+
+ // CertificateExtensions are user configured ssh key extensions (note: this field also
+ // ends up aggregating all *unknown* extensions during cert parsing, meaning that this
+ // can sometimes contain fields that were inserted by a newer version of teleport).
+ repeated CertExtension certificate_extensions = 21;
+
+ // Renewable indicates this certificate is renewable.
+ bool renewable = 22;
+
+ // Generation counts the number of times a certificate has been renewed, with a generation of 1
+ // meaning the cert has never been renewed. A generation of zero means the cert's generation is
+ // not being tracked.
+ uint64 generation = 23;
+
+ // BotName is set to the name of the bot, if the user is a Machine ID bot user.
+ // Empty for human users.
+ string bot_name = 24;
+
+ // BotInstanceID is the unique identifier for the bot instance, if this is a
+ // Machine ID bot. It is empty for human users.
+ string bot_instance_id = 25;
+
+ // AllowedResourceIDs lists the resources the user should be able to access.
+ repeated ResourceId allowed_resource_ids = 26;
+
+ // ConnectionDiagnosticID references the ConnectionDiagnostic that we should use to append traces when testing a Connection.
+ string connection_diagnostic_id = 27;
+
+ // PrivateKeyPolicy is the private key policy supported by this certificate.
+ string private_key_policy = 28;
+
+ // DeviceID is the trusted device identifier.
+ string device_id = 29;
+
+ // DeviceAssetTag is the device inventory identifier.
+ string device_asset_tag = 30;
+
+ // DeviceCredentialID is the identifier for the credential used by the device
+ // to authenticate itself.
+ string device_credential_id = 31;
+
+ // GitHubUserID indicates the GitHub user ID identified by the GitHub
+ // connector.
+ string github_user_id = 32;
+
+ // GitHubUsername indicates the GitHub username identified by the GitHub
+ // connector.
+ string github_username = 33;
+}
+
+// CertExtensionMode specifies the type of extension to use in the cert. This type
+// must be kept up to date with types.CertExtensionMode.
+enum CertExtensionMode {
+ // CERT_EXTENSION_MODE_UNSPECIFIED is the default value and should not be used.
+ CERT_EXTENSION_MODE_UNSPECIFIED = 0;
+
+ // EXTENSION represents a cert extension that may or may not be
+ // honored by the server.
+ CERT_EXTENSION_MODE_EXTENSION = 1;
+}
+
+// CertExtensionType represents the certificate type the extension is for.
+// Currently only ssh is supported. This type must be kept up to date with
+// types.CertExtensionType.
+enum CertExtensionType {
+ // CERT_EXTENSION_TYPE_UNSPECIFIED is the default value and should not be used.
+ CERT_EXTENSION_TYPE_UNSPECIFIED = 0;
+
+ // SSH is used when extending an ssh certificate
+ CERT_EXTENSION_TYPE_SSH = 1;
+}
+
+// CertExtension represents a key/value for a certificate extension. This type must
+// be kept up to date with types.CertExtension.
+message CertExtension {
+ // Type represents the certificate type being extended, only ssh
+ // is supported at this time.
+ // 0 is "ssh".
+ CertExtensionType type = 1;
+ // Mode is the type of extension to be used -- currently
+ // critical-option is not supported.
+ // 0 is "extension".
+ CertExtensionMode mode = 2;
+ // Name specifies the key to be used in the cert extension.
+ string name = 3;
+ // Value specifies the value to be used in the cert extension.
+ string value = 4;
+}
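Review bot: The comments on CertExtension contradict the enums they reference: `// 0 is "ssh".` above `type` and `// 0 is "extension".` above `mode`, while CertExtensionType and CertExtensionMode define 0 as `*_UNSPECIFIED` ("should not be used") and place SSH/EXTENSION at 1. These lines appear to have been carried over from types.CertExtension, where 0 presumably does mean ssh/extension (confirm), so a reader mapping between the two will pick the wrong numeric value; they should be dropped or replaced with `// Defaults to CERT_EXTENSION_TYPE_UNSPECIFIED; CERT_EXTENSION_TYPE_SSH is currently the only valid value.` Separately, `uint32 cert_type = 3;` carries the user/host distinction as a raw integer with no comment on which value means which, even though it decides whether the host-identity or user-identity fields below apply; a prefixed enum with an UNSPECIFIED zero, or at least a comment naming the two values, would make the PDP's interpretation auditable. The section dividers also differ (`// --- common identity fields ---` vs `// -- user identity fields ---`).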
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/ssh_join.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/ssh_join.proto
new file mode 100644
index 0000000000000..534b335ff4127
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/ssh_join.proto
@@ -0,0 +1,64 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/denial_metadata.proto";
+import "teleport/decision/v1alpha1/permit_metadata.proto";
+import "teleport/decision/v1alpha1/request_metadata.proto";
+import "teleport/decision/v1alpha1/resource.proto";
+import "teleport/decision/v1alpha1/ssh_identity.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// EvaluateSSHJoinRequest describes a request to evaluate whether or not a
+// given ssh session-joining attempt should be permitted.
+message EvaluateSSHJoinRequest {
+ // Metadata holds common authorization decision request fields.
+ RequestMetadata metadata = 1;
+
+ // SshAuthority identifies the authority that issued the below identity.
+ SSHAuthority ssh_authority = 2;
+
+ // SshIdentity describes the teleport user requesting access.
+ SSHIdentity ssh_identity = 3;
+
+ // Node references the target node the user is attempting to access.
+ Resource node = 4;
+
+ // SessionId is the ID of the session the user is attempting to join.
+ string session_id = 5;
+}
+
+// EvaluateSSHJoinResponse describes the result of an SSH session-joining evaluation.
+message EvaluateSSHJoinResponse {
+ oneof decision {
+ SSHJoinPermit permit = 1;
+ SSHJoinDenial denial = 2;
+ }
+}
+
+// SSHJoinPermit describes the parameters/constraints of a permissible SSH
+// access attempt.
+message SSHJoinPermit {
+ PermitMetadata metadata = 1;
+ // TODO
+}
+
+// SSHJoinDenial describes an SSH session-joining denial.
+message SSHJoinDenial {
+ DenialMetadata metadata = 1;
+}
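Review bot: `SSHAuthority ssh_authority = 2;` in EvaluateSSHJoinRequest refers to a type that is not defined in this file or in any imported file visible in this change (ssh_identity.proto, resource.proto, permit_metadata.proto, request_metadata.proto), so unless denial_metadata.proto declares it this hunk will not compile — confirm where SSHAuthority lives and import it from there explicitly. SSHJoinPermit is `// TODO` with only metadata, meaning a permit currently conveys no constraints at all (not even which join mode the user may use, e.g. observer vs. peer — inferred from the session-joining use case, confirm); until the fields land the message comment should state that a permit is a bare allow with nothing for the PEP to enforce. That comment is also copy-pasted from the access permit and should read `// SSHJoinPermit describes the parameters/constraints of a permissible SSH session-joining attempt.`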
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/tls_identity.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/tls_identity.proto
new file mode 100644
index 0000000000000..4e36f3c8d380a
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/decision/v1alpha1/tls_identity.proto
@@ -0,0 +1,249 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/trait/v1/trait.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// TLSIdentity is the identity used for TLS connections.
+// Must be kept in sync with tlsca.Identity.
+message TLSIdentity {
+ // Username is the name of the user (for end-users/bots) or the Host ID (for
+ // Teleport processes).
+ string username = 1;
+
+ // Impersonator is a username of a user impersonating this user.
+ string impersonator = 2;
+
+ // Groups is a list of groups (Teleport roles) encoded in the identity.
+ repeated string groups = 3;
+
+ // SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used in
+ // "multi-role" certificates. Single-role certificates encode the system role
+ // in `Groups` for back-compat reasons.
+ repeated string system_roles = 4;
+
+ // Usage is a list of usage restrictions encoded in the identity.
+ repeated string usage = 5;
+
+ // Principals is a list of Unix logins allowed.
+ repeated string principals = 6;
+
+ // KubernetesGroups is a list of Kubernetes groups allowed.
+ repeated string kubernetes_groups = 7;
+
+ // KubernetesUsers is a list of Kubernetes users allowed.
+ repeated string kubernetes_users = 8;
+
+ // Expires specifies whenever the session will expire.
+ google.protobuf.Timestamp expires = 9;
+
+ // RouteToCluster specifies the target cluster.
+ string route_to_cluster = 10;
+
+ // KubernetesCluster specifies the target kubernetes cluster for TLS
+ // identities. This can be empty on older Teleport clients.
+ string kubernetes_cluster = 11;
+
+ // Traits hold claim data used to populate a role at runtime.
+ repeated teleport.trait.v1.Trait traits = 12;
+
+ // RouteToApp holds routing information for applications. Routing metadata
+ // allows Teleport web proxy to route HTTP requests to the appropriate cluster
+ // and Teleport application proxy within the cluster.
+ RouteToApp route_to_app = 13;
+
+ // TeleportCluster is the name of the teleport cluster that this identity
+ // originated from. For TLS certs this may not be the same as cert issuer, in
+ // case of multi-hop requests that originate from a remote cluster.
+ string teleport_cluster = 14;
+
+ // RouteToDatabase contains routing information for databases.
+ RouteToDatabase route_to_database = 15;
+
+ // DatabaseNames is a list of allowed database names.
+ repeated string database_names = 16;
+
+ // DatabaseUsers is a list of allowed database users.
+ repeated string database_users = 17;
+
+ // MfaVerified is the UUID of an MFA device when this Identity was
+ // confirmed immediately after an MFA check.
+ string mfa_verified = 18;
+
+ // PreviousIdentityExpires is the expiry time of the identity/cert that this
+ // identity/cert was derived from. It is used to determine a session's hard
+ // deadline in cases where both require_session_mfa and
+ // disconnect_expired_cert are enabled.
+ // See https://github.com/gravitational/teleport/issues/18544.
+ google.protobuf.Timestamp previous_identity_expires = 19;
+
+ // LoginIp is an observed IP of the client that this Identity represents.
+ string login_ip = 20;
+
+ // PinnedIp is an IP the certificate is pinned to.
+ string pinned_ip = 21;
+
+ // AwsRoleArns is a list of allowed AWS role ARNs user can assume.
+ repeated string aws_role_arns = 22;
+
+ // AzureIdentities is a list of allowed Azure identities user can assume.
+ repeated string azure_identities = 23;
+
+ // GcpServiceAccounts is a list of allowed GCP service accounts that the user
+ // can assume.
+ repeated string gcp_service_accounts = 24;
+
+ // ActiveRequests is a list of UUIDs of active requests for this Identity.
+ repeated string active_requests = 25;
+
+ // DisallowReissue is a flag that, if set, instructs the auth server to deny
+ // any attempts to reissue new certificates while authenticated with this
+ // certificate.
+ bool disallow_reissue = 26;
+
+ // Renewable indicates that this identity is allowed to renew it's own
+ // credentials. This is only enabled for certificate renewal bots.
+ bool renewable = 27;
+
+ // Generation counts the number of times this certificate has been renewed.
+ uint64 generation = 28;
+
+ // BotName indicates the name of the Machine ID bot this identity was issued
+ // to, if any.
+ string bot_name = 29;
+
+ // BotInstanceId is a unique identifier for Machine ID bots that is persisted
+ // through renewals.
+ string bot_instance_id = 30;
+
+ // AllowedResourceIds lists the resources the identity should be allowed to
+ // access.
+ repeated ResourceId allowed_resource_ids = 31;
+
+ // PrivateKeyPolicy is the private key policy supported by this identity.
+ string private_key_policy = 32;
+
+ // ConnectionDiagnosticId is used to add connection diagnostic messages when
+ // Testing a Connection.
+ string connection_diagnostic_id = 33;
+
+ // DeviceExtensions holds device-aware extensions for the identity.
+ DeviceExtensions device_extensions = 34;
+
+ // UserType indicates if the User was created by an SSO Provider or locally.
+ string user_type = 35;
+}
+
+// RouteToApp holds routing information for applications.
+message RouteToApp {
+ // SessionId is an ID used to identify application sessions created by this
+ // certificate.
+ string session_id = 1;
+
+ // PublicAddr (and ClusterName) are used to route requests issued with this
+ // certificate to the appropriate application proxy/cluster.
+ string public_addr = 2;
+
+ // ClusterName (and PublicAddr) are used to route requests issued with this
+ // certificate to the appropriate application proxy/cluster.
+ string cluster_name = 3;
+
+ // Name is the app name.
+ string name = 4;
+
+ // AwsRoleArn is the AWS role to assume when accessing AWS console.
+ string aws_role_arn = 5;
+
+ // AzureIdentity is the Azure identity to assume when accessing Azure API.
+ string azure_identity = 6;
+
+ // GcpServiceAccount is the GCP service account to assume when accessing GCP
+ // API.
+ string gcp_service_account = 7;
+
+ // Uri is the URI of the app. This is the internal endpoint where the
+ // application is running and isn't user-facing.
+ string uri = 8;
+
+ // TargetPort is the port to which connections should be routed to. Used only
+ // for multi-port TCP apps. It is appended to the hostname from the URI in the
+ // app spec, since the URI from RouteToApp is not used as the source of truth
+ // for routing.
+ int32 target_port = 9;
+}
+
+// RouteToDatabase contains routing information for databases.
+message RouteToDatabase {
+ // ServiceName is the name of the Teleport database proxy service to route
+ // requests to.
+ string service_name = 1;
+
+ // Protocol is the database protocol.
+ //
+ // It is embedded in identity so clients can understand what type of database
+ // this is without contacting server.
+ string protocol = 2;
+
+ // Username is an optional database username to serve as a default username to
+ // connect as.
+ string username = 3;
+
+ // Database is an optional database name to serve as a default database to
+ // connect to.
+ string database = 4;
+
+ // Roles is an optional list of database roles to use for a database session.
+ // This list should be a subset of allowed database roles. If not specified,
+ // Database Service will use all allowed database roles for this database.
+ repeated string roles = 5;
+}
+
+// ResourceId is a unique identifier for a teleport resource.
+// Must be kept in sync with types.ResourceID.
+message ResourceId {
+ // ClusterName is the name of the cluster the resource is in.
+ string cluster_name = 1;
+
+ // Kind is the resource kind.
+ string kind = 2;
+
+ // Name is the name of the specific resource.
+ string name = 3;
+
+ // SubResourceName is the resource belonging to resource identified by "Name"
+ // that the user is allowed to access to. When granting access to a
+ // subresource, access to other resources is limited. Currently it just
+ // supports resources of Kind=pod and the format is the following
+ // "/".
+ string sub_resource_name = 4;
+}
+
+// DeviceExtensions holds device-aware extensions for the identity.
+message DeviceExtensions {
+ // DeviceId is the trusted device identifier.
+ string device_id = 1;
+
+ // AssetTag is the device inventory identifier.
+ string asset_tag = 2;
+
+ // CredentialId is the identifier for the credential used by the device to
+ // authenticate itself.
+ string credential_id = 3;
+}
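Review bot: The format in the `sub_resource_name` comment on ResourceId has been lost — the line reads `// "/".` — most likely angle-bracketed placeholders were stripped by tooling, leaving a reader of the schema with no idea what goes on either side of the slash; restore it as `// "namespace/pod_name".` (confirm against types.ResourceID, which this message is declared to mirror). The `expires` comment should read `// Expires specifies when the session will expire.` rather than "whenever". Since TLSIdentity `Must be kept in sync with tlsca.Identity`, the string fields a PDP will branch on (`usage`, `private_key_policy`, `user_type`) would benefit from a note on whether they are free-form or drawn from a fixed vocabulary, e.g. `// PrivateKeyPolicy is the private key policy name (see keys.PrivateKeyPolicy) supported by this identity.`, so that unrecognised values can be rejected rather than ignored.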
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/assert.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/assert.proto
new file mode 100644
index 0000000000000..5841c0a5c0519
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/assert.proto
@@ -0,0 +1,74 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+import "teleport/devicetrust/v1/authenticate_challenge.proto";
+import "teleport/devicetrust/v1/device_collected_data.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// Request to assert an enrolled device. Assertion authenticates the device,
+// regardless of the user driving the assertion.
+//
+// Assertion messages are meant to be included by other requests and responses,
+// either streams or multi-stage RPCs. The ceremony is resolved by a co-located
+// DeviceTrustService.
+//
+// See the lib/devicetrust/assert (client) and lib/devicetrust/assertserver
+// (server) packages.
+//
+// Assertion ceremony flow:
+// -> AssertDeviceInit (client)
+// <- AssertDeviceChallenge (server)
+// -> AssertDeviceChallengeResponse (client)
+// <- DeviceAsserted (server)
+//
+// A successful ceremony signifies that the device is registered, enrolled and
+// passed the authentication challenge.
+message AssertDeviceRequest {
+ oneof payload {
+ AssertDeviceInit init = 1;
+ AuthenticateDeviceChallengeResponse challenge_response = 2;
+ TPMAuthenticateDeviceChallengeResponse tpm_challenge_response = 3;
+ }
+}
+
+// Response of the device assertion ceremony.
+// See [AssertDeviceRequest].
+message AssertDeviceResponse {
+ oneof payload {
+ AuthenticateDeviceChallenge challenge = 1;
+ TPMAuthenticateDeviceChallenge tpm_challenge = 2;
+ DeviceAsserted device_asserted = 3;
+ }
+}
+
+// AssertDeviceInit initiates the device assertion ceremony.
+// See [AssertDeviceRequest].
+message AssertDeviceInit {
+ // ID of the enrolled device credential.
+ string credential_id = 1;
+
+ // Device collected data.
+ // Matched against the device registration information and any previously
+ // collected data.
+ DeviceCollectedData device_data = 2;
+}
+
+// DeviceAsserted marks a successful device assertion ceremony.
+// See [AssertDeviceRequest].
+message DeviceAsserted {}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/authenticate_challenge.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/authenticate_challenge.proto
new file mode 100644
index 0000000000000..e47e71939ebc5
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/authenticate_challenge.proto
@@ -0,0 +1,58 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+import "teleport/devicetrust/v1/tpm.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// AuthenticateDeviceChallenge carries the authentication challenge.
+message AuthenticateDeviceChallenge {
+ // Randomly-generated, opaque challenge to be signed using the device key.
+ bytes challenge = 1;
+}
+
+// AuthenticateDeviceChallengeResponse carries the authentication challenge
+// response.
+message AuthenticateDeviceChallengeResponse {
+ // Signature over the challenge, using the device key.
+ bytes signature = 1;
+ // Signature over the challenge, using the SSH key. This is required when the
+ // SSH and TLS public keys do not match, to prove ownership of the private key
+ // associated with the SSH certificate being augmented.
+ bytes ssh_signature = 2;
+}
+
+// TPMAuthenticateDeviceChallenge carries the authentication challenge
+// specific to TPMs.
+message TPMAuthenticateDeviceChallenge {
+ // Randomly-generated nonce to be used during platform attestation by the
+ // TPM.
+ bytes attestation_nonce = 1;
+}
+
+// TPMAuthenticateDeviceChallengeResponse carries the authentication challenge
+// response specific to TPMs.
+message TPMAuthenticateDeviceChallengeResponse {
+ // The result of the client's platform attestation with the nonce provided
+ // in `TPMAuthenticateDeviceChallenge`.
+ TPMPlatformParameters platform_parameters = 1;
+ // Signature over the attestation_nonce, using the SSH key. This is required
+ // when the SSH and TLS public keys do not match, to prove ownership of the
+ // private key associated with the SSH certificate being augmented.
+ bytes ssh_signature = 2;
+}
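Review bot: Neither `signature` nor `ssh_signature` in AuthenticateDeviceChallengeResponse says what exactly is signed or how — whether the signature is over the raw `challenge` bytes or a hash of them, and which algorithm/encoding the server expects for each device key type — so the schema alone is not enough to produce an interoperable response; the same gap applies to `ssh_signature` in TPMAuthenticateDeviceChallengeResponse, which is over `attestation_nonce`. I would extend the field comments, e.g. `// Signature over the raw challenge bytes using the enrolled device key; the scheme is determined by the device key type (see lib/devicetrust).` (confirm against the server-side verifier before committing to wording). It would also help to state on `challenge` and `attestation_nonce` that each is single-use and tied to the ceremony that issued it, since nothing in the message expresses that and a client author might otherwise assume a cached challenge may be re-signed.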
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device.proto
new file mode 100644
index 0000000000000..4954c906bf448
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device.proto
@@ -0,0 +1,137 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/devicetrust/v1/device_collected_data.proto";
+import "teleport/devicetrust/v1/device_enroll_token.proto";
+import "teleport/devicetrust/v1/device_profile.proto";
+import "teleport/devicetrust/v1/device_source.proto";
+import "teleport/devicetrust/v1/os_type.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// Device represents a registered device.
+// Registered devices may be enrolled. Enrolled devices are allowed to perform
+// device-aware actions.
+message Device {
+ // API version of the Device definition, present for compatibility with
+ // types.DeviceV1.
+ // Always "v1".
+ string api_version = 1;
+
+ // Unique device identifier.
+ // System managed.
+ string id = 2;
+
+ // Device operating system.
+ // Required.
+ OSType os_type = 3;
+
+ // Device inventory identifier.
+ // Takes different meanings depending on the device and operating system.
+ // For macOS devices it is the device serial number.
+ // Required.
+ string asset_tag = 4;
+
+ // Create time.
+ // System managed.
+ google.protobuf.Timestamp create_time = 5;
+
+ // Last update time.
+ // System managed.
+ google.protobuf.Timestamp update_time = 6;
+
+ // Enrollment token for the device.
+ // Only present in situations where device creation and enrollment are rolled
+ // into a single operation.
+ // Transient.
+ DeviceEnrollToken enroll_token = 7;
+
+ // Enrollment status of the device.
+ // May be changed to DEVICE_ENROLL_STATUS_NOT_ENROLLED at any time to
+ // forcefully unenroll a device (server-side only).
+ // System managed.
+ DeviceEnrollStatus enroll_status = 8;
+
+ // Currently enrolled device credential.
+ // Manually unenrolling a device clears the credential.
+ // System managed.
+ DeviceCredential credential = 9;
+
+ // Device data collected during enrollment and device authentication.
+ // Enrollment data is always present, while authentication data is capped at N
+ // most recent events.
+ // Only present in certain read modes.
+ // Transient.
+ repeated DeviceCollectedData collected_data = 10;
+
+ // Source of the device.
+ // Devices managed directly via Teleport (`tctl`, Web UI, etc) have no
+ // assigned source.
+ DeviceSource source = 11;
+
+ // Device information acquired from an external source.
+ DeviceProfile profile = 12;
+
+ // Device owner.
+ // Usually the owner is the same user who performed the enrollment ceremony.
+ // May be empty for legacy devices (Teleport v13.2 and older).
+ // Manually unenrolling a device clears the owner.
+ // System-managed.
+ string owner = 13;
+}
+
+// DeviceCredential represents the current enrolled public key of a device.
+message DeviceCredential {
+ // Unique identifier of the credential, defined client-side.
+ string id = 1;
+ // Device public key marshaled as a PKIX, ASN.1 DER. Used only on MacOS.
+ bytes public_key_der = 2;
+ // The degree to which the device credential is attested.
+ DeviceAttestationType device_attestation_type = 3;
+ // For TPM devices, the serial number of the TPM endorsement certificate.
+ string tpm_ekcert_serial = 4;
+ // For TPM devices, the encoded TPMT_PUBLIC structure containing the
+ // attestation public key and signing parameters.
+ bytes tpm_ak_public = 5;
+}
+
+// AttestationType indicates the degree to which the device credential has
+// been attested.
+enum DeviceAttestationType {
+ // Bare public key which has only verified with proof of ownership.
+ // Used on macOS.
+ DEVICE_ATTESTATION_TYPE_UNSPECIFIED = 0;
+ // Credential was verified through a TPM EK->AK chain on enrollment.
+ DEVICE_ATTESTATION_TYPE_TPM_EKPUB = 1;
+ // Credential was verified through a TPM EKCert->AK chain on enrollment,
+ // but no allow-listed CAs were configured to validate this EKCert against.
+ DEVICE_ATTESTATION_TYPE_TPM_EKCERT = 2;
+ // Credential was verified through a TPM EKCert->AK chain on enrollment, and
+ // the EKCert was signed by a configured allow-listed CA.
+ DEVICE_ATTESTATION_TYPE_TPM_EKCERT_TRUSTED = 3;
+}
+
+// DeviceEnrollStatus represents the enrollment status of a device.
+enum DeviceEnrollStatus {
+ DEVICE_ENROLL_STATUS_UNSPECIFIED = 0;
+ // Device is registered but not enrolled.
+ DEVICE_ENROLL_STATUS_NOT_ENROLLED = 1;
+ // Device is registered and enrolled.
+ DEVICE_ENROLL_STATUS_ENROLLED = 2;
+}
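Review bot: `DEVICE_ATTESTATION_TYPE_UNSPECIFIED = 0` in `DeviceAttestationType` carries real business meaning ("bare public key ... Used on macOS"), so a `DeviceCredential` whose `device_attestation_type` was never written decodes identically to a deliberately unattested key; the comment should state whether that fail-to-weakest reading is intended rather than leave it implicit. The value's comment also has a grammar slip and the enum header names it `AttestationType` while the type is `DeviceAttestationType`; I would write `// Bare public key, verified only by proof of possession (no hardware attestation). Used on macOS. Also what unset/legacy records decode to, so absence reads as least-attested.` and `// DeviceAttestationType indicates the degree to which the device credential has been attested.`. Since this file is a crdgen testdata copy, the wording fix belongs in the source proto under api/ and should be re-synced here rather than edited in place.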
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_collected_data.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_collected_data.proto
new file mode 100644
index 0000000000000..81d02ddbb0bb8
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_collected_data.proto
@@ -0,0 +1,106 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/devicetrust/v1/os_type.proto";
+import "teleport/devicetrust/v1/tpm.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// DeviceCollectedData contains information gathered from the device during
+// various ceremonies.
+// Gathered information must match, within reason, the original registration
+// data and previous instances of collected data.
+message DeviceCollectedData {
+ // Time of data collection, set by the client.
+ // Required.
+ google.protobuf.Timestamp collect_time = 1;
+
+ // Time of data collection, as received by the server.
+ // System managed.
+ google.protobuf.Timestamp record_time = 2;
+
+ // Device operating system.
+ // Required.
+ OSType os_type = 3;
+
+ // Device serial number used to match the device with the inventory.
+ // This field is one of the three following
+ // values in this precedence:
+ // - reported_asset_tag
+ // - system_serial_number
+ // - base_board_serial_number
+ // Required.
+ string serial_number = 4;
+
+ // Non-descriptive model identifier.
+ // Example: "MacBookPro9,2".
+ string model_identifier = 5;
+
+ // OS version number, without the leading 'v'.
+ // Example: "13.2.1".
+ string os_version = 6;
+
+ // OS build identifier. Augments the os_version.
+ // May match either the DeviceProfile os_build or os_build_supplemental.
+ // Example: "22D68" or "22F770820d".
+ string os_build = 7;
+
+ // OS username (distinct from the Teleport user).
+ string os_username = 8;
+
+ // Jamf binary version, without the leading 'v'.
+ // Example: "9.27" or "10.44.1-t1677509507".
+ string jamf_binary_version = 9;
+
+ // Unmodified output of `/usr/bin/profiles status -type enrollment`.
+ // Used to verify the presence of an enrollment profile.
+ string macos_enrollment_profiles = 10;
+
+ // The asset tag of the device as reported by the BIOS DMI Type 3. Tools
+ // used by customers to manage their fleet may set this value.
+ string reported_asset_tag = 11;
+
+ // The serial number of the "system" as reported by the BIOS DMI Type 1.
+ // This field can be empty if no value has been configured.
+ string system_serial_number = 12;
+
+ // The serial number of the "base board" as reported by BIOS DMI Type 2.
+ // This field can be empty if no value has been configured.
+ string base_board_serial_number = 13;
+
+ // If during the collection of this device data, the device performed a TPM
+ // platform attestation (e.g during enrollment or authentication), then this
+ // field holds the record of this attestation. This allows the state of the
+ // device to be compared to historical state, and allows for the platform
+ // attestations to be revalidated at a later date.
+ //
+ // This field is not explicitly sent up by the client, and any DCD sent by a
+ // client including this field should be rejected. The server should inject
+ // this field once verifying that the submitted platform attestation during
+ // the enrollment or authentication.
+ //
+ // System managed.
+ TPMPlatformAttestation tpm_platform_attestation = 14;
+
+ // OS identifier.
+ // Mainly used to differentiate Linux distros, as there is be no variation
+ // for systems like macOS or Windows.
+ // Example: "ubuntu", "centos", "fedora", "rhel".
+ string os_id = 15;
+}
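Review bot: The comment on `tpm_platform_attestation` states a security invariant (a client-supplied value must be rejected and only the server may populate it after verifying the attestation) but its last sentence is garbled, which weakens exactly the guidance an implementer of EnrollDevice/AuthenticateDevice needs. I would reword it as `// Never accepted from the client: any DeviceCollectedData submitted with this field set must be rejected. The server populates it only after it has itself verified the platform attestation submitted during enrollment or authentication.`. `collect_time` is documented as client-set, so a note that it is untrusted and that `record_time` is the authoritative timestamp for audit would also help. Minor: `there is be no variation` on the `os_id` comment should read `there is no variation`; as this is a testdata copy, apply the fixes upstream and re-sync.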
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_confirmation_token.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_confirmation_token.proto
new file mode 100644
index 0000000000000..4fb6695026156
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_confirmation_token.proto
@@ -0,0 +1,36 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// A device confirmation token marks the last step of device web authentication.
+// It is acquired at the end of a successful AuthenticateDevice stream and
+// exchanged during the ConfirmDeviceWebAuthentication RPC.
+//
+// See
+// https://github.com/gravitational/teleport.e/blob/master/rfd/0009e-device-trust-web-support.md#device-confirmation-token.
+message DeviceConfirmationToken {
+ // Opaque token identifier.
+ // System-generated.
+ string id = 1;
+
+ // Opaque device confirmation token, in plaintext, encoded in
+ // base64.RawURLEncoding (so it is inherently safe for URl use).
+ // System-generated.
+ string token = 2;
+}
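Review bot: The `DeviceConfirmationToken.token` comment omits that the token is single-use, even though the service definition below says it "is spent" by ConfirmDeviceWebAuthentication; stating that here prevents a consumer from treating it as reusable. I would extend the field comment with `// Single-use bearer secret: consumed by ConfirmDeviceWebAuthentication and invalid afterwards.`. The same line also misspells `URl` as written; it should be `URL`. As a crdgen testdata copy, fix this in the api/ source proto and re-sync.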
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_enroll_token.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_enroll_token.proto
new file mode 100644
index 0000000000000..429707962db7e
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_enroll_token.proto
@@ -0,0 +1,32 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// DeviceEnrollToken encapsulates the permission, granted by a device
+// administrator to an user, to enroll a device.
+// An enrolled device allows its user to perform device-aware actions.
+message DeviceEnrollToken {
+ // Opaque enrollement token required by the EnrollDevice RPC.
+ string token = 1;
+
+ // Expiration time for the token.
+ google.protobuf.Timestamp expire_time = 2;
+}
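Review bot: `DeviceEnrollToken.token` is documented only as "opaque ... required by the EnrollDevice RPC", yet it is a bearer secret that, per CreateDeviceEnrollTokenRequest below, is minted for a specific `device_id`; the comment should make the per-device binding and bearer nature explicit so it is not logged or reused across devices. I would write `// Opaque bearer secret required by the EnrollDevice RPC. Issued for a single device (see CreateDeviceEnrollToken) and presumably validated against that device server-side — confirm. Treat as sensitive; do not log.`. The existing comment also misspells `enrollement`. This is a testdata copy, so the fix should land in the api/ source and be re-synced.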
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_profile.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_profile.proto
new file mode 100644
index 0000000000000..91d570aea127e
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_profile.proto
@@ -0,0 +1,64 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// Device profile information acquired from an external source.
+// If present, it's used to further validate collected data.
+message DeviceProfile {
+ // Latest profile update time.
+ // System managed.
+ google.protobuf.Timestamp update_time = 1;
+
+ // Non-descriptive model identifier.
+ // Example: "MacBookPro9,2".
+ string model_identifier = 2;
+
+ // OS version number, without the leading 'v'.
+ // See the Device's os_type for the general OS category.
+ // Example: "13.2.1".
+ string os_version = 3;
+
+ // OS build identifier. Augments the os_version.
+ // Example: "22D68".
+ string os_build = 4;
+
+ // Known OS users (distinct from the Teleport user).
+ repeated string os_usernames = 5;
+
+ // Jamf binary version, without the leading 'v'.
+ // Example: "9.27" or "10.44.1-t1677509507".
+ string jamf_binary_version = 6;
+
+ // External device identifier, for example the Jamf or Intune ID.
+ string external_id = 7;
+
+ // OS build supplemental number.
+ // May match `sw_vers` BuildVersion more closely in certain situations, like
+ // macOS rapid security response builds.
+ // Example: "22F770820d".
+ string os_build_supplemental = 8;
+
+ // OS identifier.
+ // Mainly used to differentiate Linux distros, as there is be no variation
+ // for systems like macOS or Windows.
+ // Example: "ubuntu", "centos", "fedora", "rhel".
+ string os_id = 9;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_source.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_source.proto
new file mode 100644
index 0000000000000..1af88e47244a6
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_source.proto
@@ -0,0 +1,47 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// Source of device, for devices that are managed by external systems
+// (for example, MDMs).
+message DeviceSource {
+ // Name of the source.
+ // Matches the name of the corresponding MDM service, if applicable.
+ // Readonly.
+ string name = 1;
+
+ // Origin of the source.
+ // Readonly.
+ DeviceOrigin origin = 2;
+}
+
+// Origin of a device.
+enum DeviceOrigin {
+ // Unspecified or absent origin.
+ DEVICE_ORIGIN_UNSPECIFIED = 0;
+
+ // Devices originated from direct API usage.
+ DEVICE_ORIGIN_API = 1;
+
+ // Devices originated from Jamf sync.
+ DEVICE_ORIGIN_JAMF = 2;
+
+ // Source originated from Microsoft Intune sync.
+ DEVICE_ORIGIN_INTUNE = 3;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_web_token.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_web_token.proto
new file mode 100644
index 0000000000000..13d70dc55d81f
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/device_web_token.proto
@@ -0,0 +1,63 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// A device web token is a token used to device-authenticate a Web UI session.
+//
+// Tokens are generally acquired on login and exchanged for a single
+// on-behalf-of device authentication attempt, performed by Connect.
+//
+// See
+// https://github.com/gravitational/teleport.e/blob/master/rfd/0009e-device-trust-web-support.md#device-web-token.
+message DeviceWebToken {
+ // Opaque token identifier.
+ // Required for token usage.
+ // System-generated.
+ string id = 1;
+
+ // Opaque device web token, in plaintext, encoded in base64.RawURLEncoding
+ // (so it is inherently safe for URl use).
+ // Required for token usage.
+ // System-generated.
+ string token = 2;
+
+ // Identifier for the Web Session being device-authorized.
+ // Required for creation.
+ string web_session_id = 3;
+
+ // Browser user agent, as acquired from the Web UI browser.
+ // Used as part of expected device checks.
+ // Required for creation.
+ string browser_user_agent = 4;
+
+ // Browser public IP, as acquired from the Web UI browser.
+ // Used as part of expected device checks.
+ // Required for creation.
+ string browser_ip = 5;
+
+ // Owner of the Web Session and trusted device.
+ // Used internally by the Device Trust system.
+ // Transient.
+ string user = 6;
+
+ // ID of the devices allowed to perform on-behalf-of device authentication.
+ // Used internally by the Device Trust system.
+ // Transient.
+ repeated string expected_device_ids = 7;
+}
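Review bot: `browser_user_agent` and `browser_ip` are described as "acquired from the Web UI browser" and "used as part of expected device checks", but the user agent is entirely client-controlled and the IP is spoofable if it is taken from forwarded headers rather than the Proxy-observed peer address, so the comments should not read as if these fields authenticate anything. I would add to both: `// Heuristic binding only: this value is attacker-influenceable and must not be relied on as an authenticator; device authentication rests on the AuthenticateDevice challenge.` and, on `browser_ip`, `// Should be the client address as observed by the Proxy after trusted-proxy handling, not a raw X-Forwarded-For value — confirm.`. The `token` comment also misspells `URl`. As this file is a crdgen testdata copy, make the change in the api/ source proto and re-sync.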
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/devicetrust_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/devicetrust_service.proto
new file mode 100644
index 0000000000000..d260317f561a8
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/devicetrust_service.proto
@@ -0,0 +1,683 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+import "google/rpc/status.proto";
+import "teleport/devicetrust/v1/authenticate_challenge.proto";
+import "teleport/devicetrust/v1/device.proto";
+import "teleport/devicetrust/v1/device_collected_data.proto";
+import "teleport/devicetrust/v1/device_confirmation_token.proto";
+import "teleport/devicetrust/v1/device_enroll_token.proto";
+import "teleport/devicetrust/v1/device_source.proto";
+import "teleport/devicetrust/v1/device_web_token.proto";
+import "teleport/devicetrust/v1/tpm.proto";
+import "teleport/devicetrust/v1/usage.proto";
+import "teleport/devicetrust/v1/user_certificates.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// DeviceTrustService provides methods to manage, enroll and authenticate
+// trusted devices.
+//
+// A trusted device is a device that is registered and enrolled with Teleport,
+// thus allowing the system to provide some guarantees about its provenance and
+// state.
+//
+// Managing devices requires the corresponding CRUD "device" permission.
+// Additionally, creating enrollment tokens requires the "create_enroll_token"
+// permission and enrolling devices requires the "enroll" permission. See
+// CreateDevice, CreateDeviceEnrollToken and EnrollDevice for reference.
+//
+// An authenticated, trusted device allows its user to perform device-aware
+// actions. Such actions include accessing an SSH node, managing sensitive
+// resources via `tctl`, etc. The enforcement mode is defined via cluster-wide
+// and/or per-role toggles. Device authentication is automatic for enrolled
+// devices communicating with Enterprise clusters. See AuthenticateDevice for
+// reference.
+//
+// Device Trust is a Teleport Enterprise feature. Open Source Teleport clusters
+// treat all Device RPCs as unimplemented (which, in fact, they are for OSS.)
+service DeviceTrustService {
+ // CreateDevice creates a device, effectively registering it on Teleport.
+ // Devices need to be registered before they can be enrolled.
+ //
+ // It is possible to create both a Device and a DeviceEnrollToken in a
+ // single invocation, see CreateDeviceRequest.create_enroll_token.
+ rpc CreateDevice(CreateDeviceRequest) returns (Device);
+
+ // UpdateDevice is a masked device update.
+ //
+ // Only certain fields may be updated, see Device for details.
+ rpc UpdateDevice(UpdateDeviceRequest) returns (Device);
+
+ // UpsertDevice creates or updates a device.
+ //
+ // UpsertDevice attempts a write of all mutable fields on updates, therefore
+ // reading a fresh copy of the device is recommended. Update semantics still
+ // apply.
+ rpc UpsertDevice(UpsertDeviceRequest) returns (Device);
+
+ // DeleteDevice hard-deletes a device, removing it and all collected data
+ // history from the system.
+ //
+ // Prefer locking the device instead (see the `tctl lock` command). Deleting a
+ // device doesn't invalidate existing device certificates, but does prevent
+ // new device authentication ceremonies from occurring.
+ //
+ // Use with caution.
+ rpc DeleteDevice(DeleteDeviceRequest) returns (google.protobuf.Empty);
+
+ // FindDevices retrieves devices by device ID and/or asset tag.
+ //
+ // It provides an in-between search between fetching a device by ID and
+ // listing all devices.
+ //
+ // ID matches are guaranteed to be present in the response.
+ rpc FindDevices(FindDevicesRequest) returns (FindDevicesResponse);
+
+ // GetDevice retrieves a device by ID.
+ rpc GetDevice(GetDeviceRequest) returns (Device);
+
+ // ListDevices lists all registered devices.
+ rpc ListDevices(ListDevicesRequest) returns (ListDevicesResponse);
+
+ // ListDevicesByUser lists all devices owned by the user
+ rpc ListDevicesByUser(ListDevicesByUserRequest) returns (ListDevicesByUserResponse);
+
+ // BulkCreateDevices is a bulk variant of CreateDevice.
+ //
+ // Unlike CreateDevice, it does not support creation of enrollment tokens, as
+ // it is meant for bulk inventory registration.
+ rpc BulkCreateDevices(BulkCreateDevicesRequest) returns (BulkCreateDevicesResponse);
+
+ // CreateDeviceEnrollToken creates a DeviceEnrollToken for a Device.
+ // An enrollment token is required for the enrollment ceremony. See
+ // EnrollDevice.
+ rpc CreateDeviceEnrollToken(CreateDeviceEnrollTokenRequest) returns (DeviceEnrollToken);
+
+ // EnrollDevice performs the device enrollment ceremony.
+ //
+ // Enrollment requires a previously-registered Device and a DeviceEnrollToken,
+ // see CreateDevice and CreateDeviceEnrollToken.
+ //
+ // An enrolled device is allowed, via AuthenticateDevice, to acquire
+ // certificates containing device extensions, thus gaining access to
+ // device-aware actions.
+ //
+ // macOS enrollment flow:
+ // -> EnrollDeviceInit (client)
+ // <- MacOSEnrollChallenge (server)
+ // -> MacOSEnrollChallengeResponse
+ // <- EnrollDeviceSuccess
+ //
+ // TPM enrollment flow:
+ // -> EnrollDeviceInit (client)
+ // <- TPMEnrollChallenge (server)
+ // -> TPMEnrollChallengeResponse
+ // <- EnrollDeviceSuccess
+ rpc EnrollDevice(stream EnrollDeviceRequest) returns (stream EnrollDeviceResponse);
+
+ // AuthenticateDevice performs the device authentication ceremony.
+ //
+ // Device authentication exchanges existing user certificates without device
+ // extensions for certificates augmented with device extensions. The new
+ // certificates allow the user to perform device-aware actions.
+ //
+ // Only registered and enrolled devices may perform device authentication.
+ rpc AuthenticateDevice(stream AuthenticateDeviceRequest) returns (stream AuthenticateDeviceResponse);
+
+ // ConfirmDeviceWebAuthentication finalizes the device web authentication
+ // ceremony started by the creation of a DeviceWebToken and subsequent
+ // AuthenticateDevice call.
+ //
+ // The DeviceConfirmationToken issued by AuthenticateDevice is spent in this
+ // method, which consequently augments the corresponding Web Session
+ // certificates with device extensions.
+ //
+ // This method must be called by the Teleport Proxy, and the Proxy itself must
+ // be called by the same browser that started the on-behalf-of authentication
+ // attempt. See the /webapi/device/webconfirm endpoint.
+ //
+ // See
+ // https://github.com/gravitational/teleport.e/blob/master/rfd/0009e-device-trust-web-support.md#device-web-authentication.
+ rpc ConfirmDeviceWebAuthentication(ConfirmDeviceWebAuthenticationRequest) returns (ConfirmDeviceWebAuthenticationResponse);
+
+ // Syncs device inventory from a source exterior to Teleport, for example an
+ // MDM.
+ // Allows both partial and full syncs; for the latter, devices missing from
+ // the external inventory are handled as specified.
+ // Authorized either by a valid MDM service certificate or the appropriate
+ // "device" permissions (create/update/delete).
+ rpc SyncInventory(stream SyncInventoryRequest) returns (stream SyncInventoryResponse);
+
+ // Superseded by ResourceUsageService.GetUsage.
+ rpc GetDevicesUsage(GetDevicesUsageRequest) returns (DevicesUsage) {
+ option deprecated = true;
+ }
+}
+
+// Request for CreateDevice.
+message CreateDeviceRequest {
+ // Device to create.
+ Device device = 1;
+
+ // If true, a DeviceEnrollToken is created along with the Device.
+ bool create_enroll_token = 2;
+
+ // If true, create the device as a Teleport resource, meaning that fields that
+ // are usually considered read-only or system managed are copied as provided
+ // to storage.
+ // Prefer using non-resource creation semantics if possible.
+ bool create_as_resource = 3;
+
+ // Custom expiration time for enrollment tokens.
+ // A short (for humans) server default is used if unset.
+ google.protobuf.Timestamp enroll_token_expire_time = 4;
+}
+
+// Request for UpdateDevice.
+message UpdateDeviceRequest {
+ // Device to update.
+ Device device = 1;
+
+ // Update mask applied to the resource.
+ // Fields are masked according to their proto name.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request for UpsertDevice.
+message UpsertDeviceRequest {
+ // Device to create or update.
+ Device device = 1;
+
+ // If true, creates the device using resource semantics.
+ // Has no effect on device updates.
+ // See create_as_resource in CreateDeviceRequest.
+ bool create_as_resource = 2;
+}
+
+// Request for DeleteDevice.
+message DeleteDeviceRequest {
+ // ID of the Device to delete.
+ string device_id = 1;
+}
+
+// Request for FindDevices.
+//
+// Inspect the returned devices to determine whether the match was by ID or
+// asset tag.
+message FindDevicesRequest {
+ // Device ID or asset tag.
+ string id_or_tag = 1;
+}
+
+// Response for FindDevices.
+message FindDevicesResponse {
+ // Devices that matched the search.
+ // The number of resulting devices is expected to be low and may be
+ // artificially capped by the server otherwise.
+ repeated Device devices = 1;
+}
+
+// Request for GetDevice.
+message GetDeviceRequest {
+ // ID of the device.
+ string device_id = 1;
+}
+
+// Request for ListDevices.
+//
+// Follows the pagination semantics of
+// https://cloud.google.com/apis/design/standard_methods#list.
+message ListDevicesRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+
+ // The next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+
+ // Specifies which fields of the resource should be returned in the response.
+ // Defaults to DEVICE_VIEW_LIST.
+ DeviceView view = 3;
+}
+
+// Response for ListDevices.
+message ListDevicesResponse {
+ // Devices that matched the search.
+ repeated Device devices = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// Request for ListDevicesByUser.
+//
+// Follows the pagination semantics of
+// https://cloud.google.com/apis/design/standard_methods#list.
+message ListDevicesByUserRequest {
+ reserved 3;
+ reserved "view";
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+
+ // The next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+}
+
+// Response for ListDevicesByUser.
+message ListDevicesByUserResponse {
+ // Devices owned by the user.
+ repeated Device devices = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// DeviceView specifies which fields of returned devices should be present.
+enum DeviceView {
+ DEVICE_VIEW_UNSPECIFIED = 0;
+
+ // View for general device listings, like `tctl devices ls`.
+ // Contains only basic information, such as IDs and enrollment status.
+ DEVICE_VIEW_LIST = 1;
+
+ // View for detailed device queries, like `tctl get devices`.
+ // Presents a complete view of the device.
+ DEVICE_VIEW_RESOURCE = 2;
+}
+
+// Request for BulkCreateDevices.
+message BulkCreateDevicesRequest {
+ // Devices to create.
+ repeated Device devices = 1;
+
+ // If true, create the device as a Teleport resource, meaning that fields that
+ // are usually considered read-only or system managed are copied as provided
+ // to storage.
+ // Prefer using non-resource creation semantics if possible.
+ bool create_as_resource = 2;
+}
+
+// Response for BulkCreateDevices.
+message BulkCreateDevicesResponse {
+ // Created devices or a failure reason.
+ // Responses are sorted according to the request.
+ repeated DeviceOrStatus devices = 1;
+}
+
+// DeviceOrStatus contains either a device ID, in case of success, or a status
+// in case of failures.
+message DeviceOrStatus {
+ // Status of the operation.
+ // May either be absent or contain the OK code for successes, at the
+ // implementation's discretion.
+ google.rpc.Status status = 1;
+
+ // ID of the created device.
+ // Only present if the status is OK.
+ string id = 2;
+
+ // If true the action attempted against the device was a delete, instead of a
+ // create or update.
+ bool deleted = 3;
+}
+
+// Request for CreateDeviceEnrollToken.
+message CreateDeviceEnrollTokenRequest {
+ // ID of the device.
+ string device_id = 1;
+
+ // Device collected data.
+ // Used to authorize issuance of device enrollment tokens for auto-enrollment.
+ // Not required otherwise.
+ DeviceCollectedData device_data = 2;
+
+ // Custom expiration time for enrollment tokens.
+ // A short (for humans) server default is used if unset.
+ google.protobuf.Timestamp expire_time = 3;
+}
+
+// Request for EnrollDevice.
+message EnrollDeviceRequest {
+ oneof payload {
+ EnrollDeviceInit init = 1;
+ MacOSEnrollChallengeResponse macos_challenge_response = 2;
+ TPMEnrollChallengeResponse tpm_challenge_response = 3;
+ }
+}
+
+// Response for EnrollDevice.
+message EnrollDeviceResponse {
+ oneof payload {
+ EnrollDeviceSuccess success = 1;
+ MacOSEnrollChallenge macos_challenge = 2;
+ TPMEnrollChallenge tpm_challenge = 3;
+ }
+}
+
+// EnrollDeviceInit initiates the enrollment ceremony.
+message EnrollDeviceInit {
+ // Device enrollment token.
+ // See CreateDevice or CreateDeviceEnrollToken.
+ string token = 1;
+
+ // ID of the device credential.
+ string credential_id = 2;
+
+ // Device collected data.
+ // Matched against the device registration information and any previously
+ // collected data.
+ DeviceCollectedData device_data = 3;
+
+ // Payload for macOS-specific data.
+ MacOSEnrollPayload macos = 4;
+
+ // Payload for TPM-specific data. Used for Windows/Linux.
+ TPMEnrollPayload tpm = 5;
+}
+
+// EnrollDeviceSuccess marks a successful device enrollment ceremony.
+message EnrollDeviceSuccess {
+ // The enrolled device.
+ Device device = 1;
+}
+
+// MacOSEnrollPayload is the macOS-specific enrollment payload.
+message MacOSEnrollPayload {
+ // Device public key marshaled as a PKIX, ASN.1 DER.
+ bytes public_key_der = 2;
+}
+
+// MacOSEnrollChallenge is a macOS enrollment challenge.
+message MacOSEnrollChallenge {
+ // Randomly-generated, opaque challenge to be signed using the device key.
+ bytes challenge = 1;
+}
+
+// MacOSEnrollChallengeResponse is a macOS enrollment challenge response.
+message MacOSEnrollChallengeResponse {
+ // Signature over the challenge, using the device key.
+ bytes signature = 2;
+}
+
+// The payload containing TPM specific information required on device
+// enrollment.
+message TPMEnrollPayload {
+ oneof ek {
+ // The device's endorsement certificate in X509, ASN.1 DER form. This
+ // certificate contains the public key of the endorsement key. This is
+ // preferred to ek_key.
+ bytes ek_cert = 1;
+ // The device's public endorsement key in PKIX, ASN.1 DER form. This is
+ // used when a TPM does not contain any endorsement certificates.
+ bytes ek_key = 2;
+ }
+ // The attestation key and the parameters necessary to remotely verify it as
+ // related to the endorsement key.
+ TPMAttestationParameters attestation_parameters = 3;
+}
+
+// The attestation key and the parameters necessary to remotely verify it as
+// related to the endorsement key.
+// See https://pkg.go.dev/github.com/google/go-attestation/attest#AttestationParameters.
+// This message excludes the `UseTCSDActivationFormat` field from the link above
+// as it is TMP 1.x specific and always false.
+message TPMAttestationParameters {
+ // The encoded TPMT_PUBLIC structure containing the attestation public key
+ // and signing parameters.
+ bytes public = 1;
+ // The properties of the attestation key, encoded as a TPMS_CREATION_DATA
+ // structure.
+ bytes create_data = 2;
+ // An assertion as to the details of the key, encoded as a TPMS_ATTEST
+ // structure.
+ bytes create_attestation = 3;
+ // A signature of create_attestation, encoded as a TPMT_SIGNATURE structure.
+ bytes create_signature = 4;
+}
+
+// The challenge sent to the client by the server during enrollment.
+// The challenge involves two parts:
+// - Solving an encrypted credential with `ActivateCredential`.
+// - Producing a platform attestation using the provided nonce.
+message TPMEnrollChallenge {
+ // The encrypted credential for the client to prove possession of the EK and
+ // AK.
+ TPMEncryptedCredential encrypted_credential = 1;
+ // The nonce to use when producing the quotes over the PCRs with the TPM
+ // during the platform attestation.
+ bytes attestation_nonce = 2;
+}
+
+// These values are used by the TPM2.0 `ActivateCredential` command to produce
+// the solution which proves possession of the EK and AK.
+//
+// For a more in-depth description see:
+// - https://pkg.go.dev/github.com/google/go-attestation/attest#EncryptedCredential
+// - https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part3_Commands_code_pub.pdf (Heading 12.5.1 "TPM2_ActivateCredential" "General Description")
+// - https://github.com/google/go-attestation/blob/v0.4.3/attest/activation.go#L199
+// - https://github.com/google/go-tpm/blob/v0.3.3/tpm2/credactivation/credential_activation.go#L61
+message TPMEncryptedCredential {
+ // The `credential_blob` parameter to be used with the `ActivateCredential`
+ // command. This is used with the decrypted value of `secret` in a
+ // cryptographic process to decrypt the solution.
+ bytes credential_blob = 1;
+ // The `secret` parameter to be used with `ActivateCredential`. This is a
+ // seed which can be decrypted with the EK. The decrypted seed is then used
+ // when decrypting `credential_blob`.
+ bytes secret = 2;
+}
+
+// The enrollment challenge response containing the solution returned by
+// calling the TPM2.0 `ActivateCredential` command on the client with the
+// parameters provided in `TPMEnrollChallenge`.
+message TPMEnrollChallengeResponse {
+ // The client's solution to `TPMEncryptedCredential` included in
+ // `TPMEnrollChallenge` using ActivateCredential.
+ bytes solution = 1;
+ // The result of the client's platform attestation with the nonce provided
+ // in `TPMEnrollChallenge`.
+ TPMPlatformParameters platform_parameters = 2;
+}
+
+// Request for AuthenticateDevice.
+//
+// Authentication ceremony flow:
+// -> AuthenticateDeviceInit (client)
+// <- AuthenticateDeviceChallenge (server)
+// -> AuthenticateDeviceChallengeResponse
+// <- UserCertificates (regular authn) or ConfirmationToken (web authn)
+message AuthenticateDeviceRequest {
+ oneof payload {
+ AuthenticateDeviceInit init = 1;
+ AuthenticateDeviceChallengeResponse challenge_response = 2;
+ TPMAuthenticateDeviceChallengeResponse tpm_challenge_response = 3;
+ }
+}
+
+// Response for AuthenticateDevice.
+message AuthenticateDeviceResponse {
+ oneof payload {
+ AuthenticateDeviceChallenge challenge = 1;
+
+ // User certificates are returned as the result of a successful device
+ // authentication attempt ("regular" or non-web authentication).
+ UserCertificates user_certificates = 2;
+
+ TPMAuthenticateDeviceChallenge tpm_challenge = 3;
+
+ // A confirmation token is returned as the result of a successful device web
+ // authentication.
+ //
+ // See AuthenticateDeviceInit.device_web_token.
+ DeviceConfirmationToken confirmation_token = 4;
+ }
+}
+
+// AuthenticateDeviceInit initiates the device authentication ceremony.
+message AuthenticateDeviceInit {
+ // In-band user certificates to augment with device extensions.
+ // - The x509 certificate is acquired from the mTLS connection, thus the
+ // in-band certificate is ignored.
+ // - All certificates must be valid and issued by the Teleport CA.
+ // - TLS and SSH certificates must match (same Teleport user, plus whatever
+ // additional checks the backend sees fit).
+ // - TLS and SSH certificates must either have matching public keys, or
+ // (TPM)AuthenticateDeviceChallengeResponse.SshSignature must be a valid
+ // signature over the challenge by the SSH private key.
+ // - Augmented certificates have the same expiration as the original
+ // certificates.
+ UserCertificates user_certificates = 1;
+
+ // ID of the enrolled device credential.
+ string credential_id = 2;
+
+ // Device collected data.
+ // Matched against the device registration information and any previously
+ // collected data.
+ DeviceCollectedData device_data = 3;
+
+ // If present, on-behalf-of device authentication is performed.
+ // The user_certificates input field is ignored and no certificate data is
+ // returned to the caller, instead a confirmation_token is returned in
+ // the last step.
+ //
+ // See ConfirmDeviceWebAuthentication.
+ DeviceWebToken device_web_token = 4;
+}
+
+// Request for ConfirmDeviceWebAuthentication.
+message ConfirmDeviceWebAuthenticationRequest {
+ // Confirmation token to be spent.
+ DeviceConfirmationToken confirmation_token = 1;
+
+ // Web Session identifier of the session that started this request, via
+ // Teleport Proxy.
+ //
+ // For the request to be successful the Web Session must match the session
+ // that started the authentication attempt.
+ string current_web_session_id = 2;
+}
+
+// Response for ConfirmDeviceWebAuthentication.
+message ConfirmDeviceWebAuthenticationResponse {}
+
+// Request for SyncInventory.
+//
+// A typical message sequence is as follows:
+// (-> means client-to-server, <- means server-to-client)
+// -> SyncInventoryStart
+// <- SyncInventoryAck
+// (loop)
+// -> SyncInventoryDevices (add/remove devices)
+// <- SyncInventoryResult
+// (end loop)
+// -> SyncInventoryEnd
+// (loop until server closes the stream, zero or more times)
+// <- SyncInventoryMissingDevices
+// -> SyncInventoryDevices (removals only)
+// <- SyncInventoryResult
+// (end loop)
+message SyncInventoryRequest {
+ oneof payload {
+ SyncInventoryStart start = 1;
+ SyncInventoryEnd end = 2;
+ SyncInventoryDevices devices_to_upsert = 3;
+ SyncInventoryDevices devices_to_remove = 4;
+ }
+}
+
+// Response for SyncInventory.
+message SyncInventoryResponse {
+ oneof payload {
+ SyncInventoryAck ack = 1;
+ SyncInventoryResult result = 2;
+ SyncInventoryMissingDevices missing_devices = 3;
+ }
+}
+
+// SyncInventoryStart starts the inventory sync.
+message SyncInventoryStart {
+ // Source of the inventory sync.
+ // Used for all devices. The `source` field in individual devices is ignored
+ // by this RPC.
+ DeviceSource source = 1;
+
+ reserved 2; // SyncInventoryMode mode
+ reserved "mode";
+
+ reserved 3; // SyncInventoryDeviceAction on_missing_action
+ reserved "on_missing_action";
+
+ // If true, the server keeps track of the devices upserted during the sync.
+ // After receiving the [SyncInventoryEnd] message, the server informs the
+ // client of all devices that are present in storage but not observed in the
+ // upserts.
+ // See [SyncInventoryRequest] and [SyncInventoryMissingDevices] for details.
+ bool track_missing_devices = 4;
+}
+
+// SyncInventoryEnd ends the inventory sync, signaling that no more
+// SyncInventoryDevices messages will be sent by the client.
+message SyncInventoryEnd {
+ reserved 1; // bool external_sync_successful
+ reserved "external_sync_successful";
+}
+
+// SyncInventoryDevices transports devices to add/update/remove.
+// Removals only need identifying fields to be set.
+message SyncInventoryDevices {
+ // Devices to sync.
+ repeated Device devices = 1;
+}
+
+// SyncInventoryAck is used to confirm successful processing of messages that
+// lack a more specific response.
+message SyncInventoryAck {}
+
+// SyncInventoryResult is the response for SyncInventoryDevices or
+// SyncInventoryEnd
+// It lists all synced/deleted devices.
+message SyncInventoryResult {
+ // Devices modified, in the same order as the input when applicable.
+ repeated DeviceOrStatus devices = 1;
+}
+
+// SyncInventoryMissingDevices informs the sync client of all stored devices
+// that were not observed in upserts during the sync.
+//
+// Requires `track_missing_devices` to be set in the [SyncInventoryStart]
+// message.
+//
+// The client must follow up with a [SyncInventoryDevices] message, including
+// any devices to be deleted.
+message SyncInventoryMissingDevices {
+ // Devices missing from the client-side sync.
+ // Guaranteed to have the following fields: id, os_type, asset_tag and
+ // profile.external_id.
+ repeated Device devices = 1;
+}
+
+// Superseded by ResourceUsageService.GetUsage.
+message GetDevicesUsageRequest {}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/os_type.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/os_type.proto
new file mode 100644
index 0000000000000..b5ababaadad06
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/os_type.proto
@@ -0,0 +1,30 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// OSType represents the operating system of a device.
+enum OSType {
+ OS_TYPE_UNSPECIFIED = 0;
+ // Linux.
+ OS_TYPE_LINUX = 1;
+ // macOS.
+ OS_TYPE_MACOS = 2;
+ // Windows.
+ OS_TYPE_WINDOWS = 3;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/tpm.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/tpm.proto
new file mode 100644
index 0000000000000..77b88b14e838c
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/tpm.proto
@@ -0,0 +1,59 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// Encapsulates the value of a PCR at a point at time.
+// See https://pkg.go.dev/github.com/google/go-attestation/attest#PCR
+message TPMPCR {
+ // the PCR index in the PCR bank
+ int32 index = 1;
+ // the digest currently held in the PCR
+ bytes digest = 2;
+ // the hash algorithm used to produce the digest in this PCR bank. This value
+ // is the underlying value of the Go crypto.Hash type.
+ uint64 digest_alg = 3;
+}
+
+// Encapsulates the result of a quote operation against the TPM over a PCR
+// using an attestation key.
+// See https://pkg.go.dev/github.com/google/go-attestation/attest#Quote
+message TPMQuote {
+ bytes quote = 1;
+ bytes signature = 2;
+}
+
+// The quotes, PCRs and event log from a TPM that attest to the booted state
+// of the machine.
+// See https://pkg.go.dev/github.com/google/go-attestation/attest#PlatformParameters
+// Excludes TPMVersion and Public since these are already known values.
+message TPMPlatformParameters {
+ repeated TPMQuote quotes = 1;
+ repeated TPMPCR pcrs = 2;
+ bytes event_log = 3;
+}
+
+// Holds the record of a TPM platform attestation, including the platform
+// parameters sent by the device and the nonce the server generated. This allows
+// a historical platform attestation to be revalidated and allows us to compare
+// the incoming state of a device (e.g during authentication) against the
+// historical state in order to detect potentially malicious actions.
+message TPMPlatformAttestation {
+ bytes nonce = 1;
+ TPMPlatformParameters platform_parameters = 2;
+}
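Review bot: The fields of TPMQuote (`quote`, `signature`), TPMPlatformParameters (`quotes`, `pcrs`, `event_log`) and TPMPlatformAttestation (`nonce`, `platform_parameters`) have no comments, unlike TPMPCR directly above them, so a verifier has to read go-attestation to learn what each blob encodes. A one-line comment per field would do: what the quote and its signature cover, that `pcrs` holds the PCR values the quotes are expected to attest, that `event_log` is the measured-boot event log, and that `nonce` is the server-generated value the quotes must bind to for the stored attestation to be revalidated. `digest_alg` also fixes the wire contract to the numeric value of Go's `crypto.Hash` rather than a TPM algorithm identifier; the comment should state that explicitly so non-Go consumers know they must map it, e.g. `// This is the Go crypto.Hash value, not a TPM_ALG_ID; non-Go consumers must map it.`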
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/usage.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/usage.proto
new file mode 100644
index 0000000000000..d30f11f21ba79
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/usage.proto
@@ -0,0 +1,38 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// Superseded by ResourceUsageService.GetUsage.
+enum AccountUsageType {
+ ACCOUNT_USAGE_TYPE_UNSPECIFIED = 0;
+ ACCOUNT_USAGE_TYPE_UNLIMITED = 1;
+ ACCOUNT_USAGE_TYPE_USAGE_BASED = 2;
+}
+
+// Superseded by ResourceUsageService.GetUsage.
+message DevicesUsage {
+ reserved 1; // AccountUsageType account_usage_type
+ reserved "account_usage_type";
+
+ reserved 2; // int32 devices_usage_limit
+ reserved "devices_usage_limit";
+
+ reserved 3; // int32 devices_in_use
+ reserved "devices_in_use";
+}
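Review bot: AccountUsageType and DevicesUsage are documented as superseded by ResourceUsageService.GetUsage, but neither carries `option deprecated = true;`, so generated code gives callers no deprecation signal and only the leading comment says they are obsolete. Adding `option deprecated = true;` inside both the enum and the message keeps the wire contract intact while surfacing the deprecation in every target language. As this file is a testdata copy, the fix presumably belongs in the api source, with the fixture regenerated from it.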
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/user_certificates.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/user_certificates.proto
new file mode 100644
index 0000000000000..a08a4f527ef2b
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/devicetrust/v1/user_certificates.proto
@@ -0,0 +1,30 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.devicetrust.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1;devicetrustv1";
+
+// UserCertificates is used to transport X.509 and SSH certificates during
+// device authentication.
+// See the AuthenticateDevice RPC.
+message UserCertificates {
+ // DER-encoded X.509 user certificate.
+ bytes x509_der = 1;
+
+ // SSH certificate marshaled in the authorized key format.
+ bytes ssh_authorized_key = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/discoveryconfig/v1/discoveryconfig.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/discoveryconfig/v1/discoveryconfig.proto
new file mode 100644
index 0000000000000..d79acf82fda73
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/discoveryconfig/v1/discoveryconfig.proto
@@ -0,0 +1,111 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.discoveryconfig.v1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/header/v1/resourceheader.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/discoveryconfig/v1;discoveryconfigv1";
+
+// DiscoveryConfig is a resource that has Discovery Resource Matchers and a Discovery Group.
+//
+// Teleport Discovery Services will load the dynamic DiscoveryConfigs whose Discovery Group matches the discovery_group defined in their configuration.
+message DiscoveryConfig {
+ // Header is the resource header.
+ teleport.header.v1.ResourceHeader header = 1;
+
+ // Spec is an DiscoveryConfig specification.
+ DiscoveryConfigSpec spec = 2;
+
+ // Status is the resource Status
+ DiscoveryConfigStatus status = 3;
+}
+
+// DiscoveryConfigSpec contains properties required to create matchers to be used by discovery_service.
+// Those matchers are used by discovery_service to watch for cloud resources and create them in Teleport.
+message DiscoveryConfigSpec {
+ // DiscoveryGroup is used by discovery_service to add extra matchers.
+ // All the discovery_services that have the same discovery_group, will load the matchers of this resource.
+ string discovery_group = 1;
+
+ // AWS is a list of AWS Matchers.
+ repeated types.AWSMatcher aws = 2;
+ // Azure is a list of Azure Matchers.
+ repeated types.AzureMatcher azure = 3;
+ // GCP is a list of GCP Matchers.
+ repeated types.GCPMatcher gcp = 4;
+ // Kube is a list of Kubernetes Matchers.
+ repeated types.KubernetesMatcher kube = 5;
+ // AccessGraph is the configurations for syncing Cloud accounts into Access Graph.
+ types.AccessGraphSync access_graph = 6;
+}
+
+// DiscoveryConfigStatus holds dynamic information about the discovery configuration
+// running status such as errors, state and count of the resources.
+message DiscoveryConfigStatus {
+ // State reports the Discovery config state.
+ DiscoveryConfigState state = 1;
+ // error_message holds the error message when state is DISCOVERY_CONFIG_STATE_ERROR.
+ optional string error_message = 2;
+ // discovered_resources holds the count of the discovered resources in the previous iteration.
+ uint64 discovered_resources = 3;
+ // last_sync_time is the timestamp when the Discovery Config was last sync.
+ google.protobuf.Timestamp last_sync_time = 4;
+
+ reserved 5;
+ reserved "aws_ec2_instances_discovered";
+
+ // IntegrationDiscoveredResources maps an integration to discovered resources summary.
+ map integration_discovered_resources = 6;
+}
+
+// DiscoveryConfigState is the state of the discovery config resource.
+enum DiscoveryConfigState {
+ DISCOVERY_CONFIG_STATE_UNSPECIFIED = 0;
+ // DISCOVERY_CONFIG_STATE_RUNNING is used when the operation doesn't report
+ // incidents.
+ DISCOVERY_CONFIG_STATE_RUNNING = 1;
+ // DISCOVERY_CONFIG_STATE_ERROR is used when the operation reports
+ // incidents.
+ DISCOVERY_CONFIG_STATE_ERROR = 2;
+ // DISCOVERY_CONFIG_STATE_SYNCING is used when the discovery process has started but didn't finished yet.
+ DISCOVERY_CONFIG_STATE_SYNCING = 3;
+}
+
+// IntegrationDiscoveredSummary contains the a summary for each resource type that was discovered.
+message IntegrationDiscoveredSummary {
+ // AWSEC2 contains the summary for the AWS EC2 discovered instances.
+ ResourcesDiscoveredSummary aws_ec2 = 1;
+
+ // AWSRDS contains the summary for the AWS RDS discovered databases.
+ ResourcesDiscoveredSummary aws_rds = 2;
+
+ // AWSEKS contains the summary for the AWS EKS discovered clusters.
+ ResourcesDiscoveredSummary aws_eks = 3;
+}
+
+// ResourcesDiscoveredSummary represents the AWS resources that were discovered.
+message ResourcesDiscoveredSummary {
+ // Found holds the count of resources found.
+ // After a resource is found, it starts the sync process and ends in either an enrolled or a failed resource.
+ uint64 found = 1;
+ // Enrolled holds the count of the resources that were successfully enrolled.
+ uint64 enrolled = 2;
+ // Failed holds the count of the resources that failed to enroll.
+ uint64 failed = 3;
+}
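Review bot: The `integration_discovered_resources` field in DiscoveryConfigStatus is declared as bare `map` with no key and value types, which does not parse; the field comment and the IntegrationDiscoveredSummary message below suggest it should read `map<string, IntegrationDiscoveredSummary> integration_discovered_resources = 6;`. The angle brackets may have been stripped in rendering (the license URL in the dynamicwindows file further down is missing the same way), so this is worth confirming against the checked-in file rather than assuming a typo. Two comment nits in the same message and enum: "was last sync" should be "was last synced", and "didn't finished yet" should be "hasn't finished yet".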
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/discoveryconfig/v1/discoveryconfig_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/discoveryconfig/v1/discoveryconfig_service.proto
new file mode 100644
index 0000000000000..34ce7ff5133e9
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/discoveryconfig/v1/discoveryconfig_service.proto
@@ -0,0 +1,114 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.discoveryconfig.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/discoveryconfig/v1/discoveryconfig.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/discoveryconfig/v1;discoveryconfigv1";
+
+// DiscoveryConfigService provides methods to manage Discovery Configs.
+//
+// Each Discovery Config has a set of matchers and a DiscoveryGroup.
+// DiscoveryServices also have a DiscoveryGroup which will be used to load all the matchers from
+// all the DiscoveryConfigs that have the same Group.
+service DiscoveryConfigService {
+ // ListDiscoveryConfigs returns a paginated list of Discovery Config resources.
+ rpc ListDiscoveryConfigs(ListDiscoveryConfigsRequest) returns (ListDiscoveryConfigsResponse);
+
+ // GetDiscoveryConfig returns the specified DiscoveryConfig resource.
+ rpc GetDiscoveryConfig(GetDiscoveryConfigRequest) returns (DiscoveryConfig);
+
+ // CreateDiscoveryConfig creates a new DiscoveryConfig resource.
+ rpc CreateDiscoveryConfig(CreateDiscoveryConfigRequest) returns (DiscoveryConfig);
+
+ // UpdateDiscoveryConfig updates an existing DiscoveryConfig resource.
+ rpc UpdateDiscoveryConfig(UpdateDiscoveryConfigRequest) returns (DiscoveryConfig);
+
+ // UpsertDiscoveryConfig creates or updates a DiscoveryConfig resource.
+ rpc UpsertDiscoveryConfig(UpsertDiscoveryConfigRequest) returns (DiscoveryConfig);
+
+ // DeleteDiscoveryConfig removes the specified DiscoveryConfig resource.
+ rpc DeleteDiscoveryConfig(DeleteDiscoveryConfigRequest) returns (google.protobuf.Empty);
+
+ // DeleteAllDiscoveryConfigs removes all DiscoveryConfigs.
+ rpc DeleteAllDiscoveryConfigs(DeleteAllDiscoveryConfigsRequest) returns (google.protobuf.Empty);
+
+ // UpdateDiscoveryConfigStatus updates an existing DiscoveryConfig resource status object.
+ rpc UpdateDiscoveryConfigStatus(UpdateDiscoveryConfigStatusRequest) returns (DiscoveryConfig);
+}
+
+// ListDiscoveryConfigsRequest is a request for a paginated list of DiscoveryConfigs.
+message ListDiscoveryConfigsRequest {
+ // page_size is the size of the page to request.
+ int32 page_size = 1;
+
+ // next_token is the page token.
+ string next_token = 2;
+}
+
+// ListDiscoveryConfigsResponse is the response for ListDiscoveryConfigsRequest.
+message ListDiscoveryConfigsResponse {
+ // DiscoveryConfigs is a list of DiscoveryConfigs.
+ repeated DiscoveryConfig discovery_configs = 1;
+ // NextKey is the key for the next page of DiscoveryConfigs.
+ string next_key = 2;
+ // TotalCount is the total number of discovery_config in all pages.
+ int32 total_count = 3;
+}
+
+// GetDiscoveryConfigRequest is a request for a specific DiscoveryConfig resource.
+message GetDiscoveryConfigRequest {
+ // Name is the name of the DiscoveryConfig to be requested.
+ string name = 1;
+}
+
+// CreateDiscoveryConfigRequest is the request to create the provided DiscoveryConfig.
+message CreateDiscoveryConfigRequest {
+ // DiscoveryConfig is the DiscoveryConfig to be created.
+ DiscoveryConfig discovery_config = 1;
+}
+
+// UpdateDiscoveryConfigRequest is the request to update the provided DiscoveryConfig.
+message UpdateDiscoveryConfigRequest {
+ // DiscoveryConfig is the DiscoveryConfig to be updated.
+ DiscoveryConfig discovery_config = 1;
+}
+
+// UpsertDiscoveryConfigRequest is the request to upsert the provided DiscoveryConfig.
+message UpsertDiscoveryConfigRequest {
+ // DiscoveryConfig is the DiscoveryConfig to be upserted.
+ DiscoveryConfig discovery_config = 1;
+}
+
+// DeleteDiscoveryConfigRequest is a request for deleting a specific DiscoveryConfig resource.
+message DeleteDiscoveryConfigRequest {
+ // Name is the name of the DiscoveryConfig to be deleted.
+ string name = 1;
+}
+
+// DeleteAllDiscoveryConfigsRequest is the request for deleting all DiscoveryConfigs.
+message DeleteAllDiscoveryConfigsRequest {}
+
+// UpdateDiscoveryConfigStatusRequest is the request to update the status field of the provided
+// Discovery Config.
+message UpdateDiscoveryConfigStatusRequest {
+ // Name is the name of the DiscoveryConfig to receive the status update.
+ string name = 1;
+ // status is the status payload to be persisted.
+ DiscoveryConfigStatus status = 2;
+}
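Review bot: DeleteDiscoveryConfig and DeleteAllDiscoveryConfigs return `google.protobuf.Empty`, which leaves no room to add response fields (for example a count of deleted configs) without breaking the RPC signature; every other RPC in this service already has a purpose-specific request message, so the same applies to responses: `rpc DeleteDiscoveryConfig(DeleteDiscoveryConfigRequest) returns (DeleteDiscoveryConfigResponse);` with `message DeleteDiscoveryConfigResponse {}`, and likewise for DeleteAll. The pagination fields are also inconsistently named: the request carries `next_token` while the response carries `next_key`, and the comments call both "the page token"; aligning them on one name (`next_page_token` is the common convention) would make the contract self-explanatory. Since this is a testdata copy, the change would presumably need to land in the api source first.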
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/dynamicwindows/v1/dynamicwindows_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/dynamicwindows/v1/dynamicwindows_service.proto
new file mode 100644
index 0000000000000..718cfb5145611
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/dynamicwindows/v1/dynamicwindows_service.proto
@@ -0,0 +1,90 @@
+/**
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+syntax = "proto3";
+
+package teleport.dynamicwindows.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/dynamicwindows/v1;dynamicwindowsv1";
+
+// DynamicWindowsService provides methods to access dynamic Windows desktops.
+service DynamicWindowsService {
+ // GetDynamicWindowsDesktops returns all registered dynamic Windows desktops.
+ rpc ListDynamicWindowsDesktops(ListDynamicWindowsDesktopsRequest) returns (ListDynamicWindowsDesktopsResponse);
+ // GetDynamicWindowsDesktop returns registered dynamic Windows desktop by name.
+ rpc GetDynamicWindowsDesktop(GetDynamicWindowsDesktopRequest) returns (types.DynamicWindowsDesktopV1);
+ // CreateDynamicWindowsDesktop registers a new dynamic Windows desktop.
+ rpc CreateDynamicWindowsDesktop(CreateDynamicWindowsDesktopRequest) returns (types.DynamicWindowsDesktopV1);
+ // UpdateDynamicWindowsDesktop updates an existing dynamic Windows desktop.
+ rpc UpdateDynamicWindowsDesktop(UpdateDynamicWindowsDesktopRequest) returns (types.DynamicWindowsDesktopV1);
+ // UpsertDynamicWindowsDesktop updates an existing dynamic Windows desktop or creates new if it doesn't exist.
+ rpc UpsertDynamicWindowsDesktop(UpsertDynamicWindowsDesktopRequest) returns (types.DynamicWindowsDesktopV1);
+ // DeleteDynamicWindowsDesktop removes the specified dynamic Windows desktop.
+ rpc DeleteDynamicWindowsDesktop(DeleteDynamicWindowsDesktopRequest) returns (google.protobuf.Empty);
+}
+
+// ListDynamicWindowsDesktopsRequest is request to fetch single page of dynamic Windows desktops
+message ListDynamicWindowsDesktopsRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+ // The next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+}
+
+// ListDynamicWindowsDesktopsRequest is single page of dynamic Windows desktops
+message ListDynamicWindowsDesktopsResponse {
+ // The page of DynamicWindowsDesktops that matched the request.
+ repeated types.DynamicWindowsDesktopV1 desktops = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// GetDynamicWindowsDesktopRequest is a request for a specific dynamic Windows desktop.
+message GetDynamicWindowsDesktopRequest {
+ // name is the name of the dynamic Windows desktop to be requested.
+ string name = 1;
+}
+
+// CreateDynamicWindowsDesktopRequest is used for creating new dynamic Windows desktops.
+message CreateDynamicWindowsDesktopRequest {
+ // desktop to be created
+ types.DynamicWindowsDesktopV1 desktop = 1;
+}
+
+// UpdateDynamicWindowsDesktopRequest is used for updating existing dynamic Windows desktops.
+message UpdateDynamicWindowsDesktopRequest {
+ // desktop to be updated
+ types.DynamicWindowsDesktopV1 desktop = 1;
+}
+
+// UpsertDynamicWindowsDesktopRequest is used for upserting dynamic Windows desktops.
+message UpsertDynamicWindowsDesktopRequest {
+ // desktop to be upserted
+ types.DynamicWindowsDesktopV1 desktop = 1;
+}
+
+// DeleteDynamicWindowsDesktopRequest is a request to delete a Windows desktop host.
+message DeleteDynamicWindowsDesktopRequest {
+ // name is the name of the Windows desktop host.
+ string name = 1;
+}
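Review bot: The leading comment on the first rpc names `GetDynamicWindowsDesktops` while the method is `ListDynamicWindowsDesktops`, and the comment above `ListDynamicWindowsDesktopsResponse` repeats the request's name; both are attached verbatim to the generated types, so they should read `// ListDynamicWindowsDesktops returns all registered dynamic Windows desktops.` and `// ListDynamicWindowsDesktopsResponse is single page of dynamic Windows desktops`. `DeleteDynamicWindowsDesktopRequest` is documented as deleting "a Windows desktop host", which is a different resource kind than the dynamic desktops the rest of the service handles; `// name is the name of the dynamic Windows desktop to be deleted.` matches its siblings. `DeleteDynamicWindowsDesktop` returning `google.protobuf.Empty` also means the delete cannot gain a response field later without a signature break; a dedicated `message DeleteDynamicWindowsDesktopResponse {}` is the usual shape. If this file is a verbatim copy of the API proto kept as a crdgen fixture, the fix belongs in the upstream source rather than here.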
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/embedding/v1/embedding.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/embedding/v1/embedding.proto
new file mode 100644
index 0000000000000..cef7732aab551
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/embedding/v1/embedding.proto
@@ -0,0 +1,38 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.embedding.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/embedding/v1;embeddingv1";
+
+// Embedding contains a Teleport resource embedding. Embeddings are small semantic
+// representations of larger and more complex data. Embeddings can be compared,
+// the smaller the distance between two vectors, the closer the concepts are.
+// Teleport Assist embeds resources to perform semantic search.
+message Embedding {
+ // EmbeddedKind is the kind of the embedded resource.
+ string embedded_kind = 1;
+
+ // EmbeddedId is the ID of the embedded resource.
+ string embedded_id = 2;
+
+ // EmbeddedHash is the hash of the embedded resource after serialization.
+ // This helps checking if the resource has changed and needs a new embedding.
+ bytes embedded_hash = 3;
+
+ // Vector is the embedding itself, as provided by the model.
+ repeated double vector = 4;
+}
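Review bot: `embedded_hash` is declared as raw `bytes` with no statement of which hash function or digest length produces it, so a consumer comparing stored hashes across releases cannot tell whether a mismatch means the resource changed or the hashing did. Suggest extending the comment to name the algorithm and its input, e.g. `// EmbeddedHash is the <ALGORITHM> digest of the serialized embedded resource.` with `<ALGORITHM>` filled in from the producer code, which is not visible in this hunk. The `vector` comment could likewise note that its length is model-dependent, since a mismatched dimension is the likely failure mode when the model changes. If this file is a fixture copy, the wording change belongs upstream.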
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/externalauditstorage/v1/externalauditstorage.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/externalauditstorage/v1/externalauditstorage.proto
new file mode 100644
index 0000000000000..732d0fe64a625
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/externalauditstorage/v1/externalauditstorage.proto
@@ -0,0 +1,57 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.externalauditstorage.v1;
+
+import "teleport/header/v1/resourceheader.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/externalauditstorage/v1;externalauditstoragev1";
+
+// ExternalAuditStorage contains External Audit Storage configuration.
+// It contains configuration that allows users to store audit events and session
+// recordings on customer-owned infra instead of in Teleport Cloud.
+message ExternalAuditStorage {
+ // Header is the header for the resource.
+ teleport.header.v1.ResourceHeader header = 1;
+ // Spec is the specification for external audit storage.
+ ExternalAuditStorageSpec spec = 2;
+}
+
+// ExternalAuditStorageConfigSpec is the specification of external audit storage.
+message ExternalAuditStorageSpec {
+ // IntegrationName is name of an existing AWS OIDC integration used to
+ // authenticate to the external AWS account.
+ string integration_name = 1;
+ // Region is the AWS region where the infrastructure is hosted.
+ string region = 2;
+ // SessionRecordingsURI is the S3 path used to store session recordings.
+ string session_recordings_uri = 3;
+ // AuditEventsLongTermURI is the S3 path used to store batched parquet files
+ // with audit events.
+ string audit_events_long_term_uri = 4;
+ // AthenaResultsURI is the S3 path used to store temporary results of Athena
+ // queries.
+ string athena_results_uri = 5;
+ // AthenaWorkgroup is the workgroup used for Athena audit log queries.
+ string athena_workgroup = 6;
+ // GlueDatabase is the database used for Athena audit log queries.
+ string glue_database = 7;
+ // GlueTable is the table used for Athena audit log queries.
+ string glue_table = 8;
+ // PolicyName is the name of the IAM policy attached to the OIDC integration
+ // role.
+ string policy_name = 9;
+}
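Review bot: The comment above `ExternalAuditStorageSpec` names it `ExternalAuditStorageConfigSpec`, which does not match the message and will be emitted verbatim into generated docs; it should read `// ExternalAuditStorageSpec is the specification of external audit storage.`. The three `*_uri` fields are described only as "S3 path" without stating the expected string form (scheme, bucket/prefix, trailing slash), and since these decide where audit events and recordings are written, a one-line format note on each would let client-side validation agree with the server. If this is a verbatim fixture copy of the API proto, the change belongs in the source file.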
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/externalauditstorage/v1/externalauditstorage_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/externalauditstorage/v1/externalauditstorage_service.proto
new file mode 100644
index 0000000000000..9e057a32fe3be
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/externalauditstorage/v1/externalauditstorage_service.proto
@@ -0,0 +1,186 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.externalauditstorage.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/externalauditstorage/v1/externalauditstorage.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/externalauditstorage/v1;externalauditstoragev1";
+
+// ExternalAuditStorageService provides methods to manage External Audit Storage.
+//
+// The service supports singleton "draft" and "cluster" configurations, allowing
+// us to store state for an in-progress configuring and to test the connection
+// before enabling the feature in the cluster.
+//
+// After creating and testing a draft configuration call
+// PromoteToClusterExternalAuditStorage, which will clone the existing draft
+// ExternalAuditStorage into a new resource and upsert it as the new cluster
+// ExternalAuditStorage.
+// The promoted cluster resource can't be mutated, it can only be deleted or
+// replaced by promoting a new draft.
+service ExternalAuditStorageService {
+ // GetDraftExternalAuditStorage returns the draft external audit storage configuration resource.
+ rpc GetDraftExternalAuditStorage(GetDraftExternalAuditStorageRequest) returns (GetDraftExternalAuditStorageResponse);
+
+ // CreateDraftExternalAuditStorage creates a draft External Audit Storage
+ // resource if one does not already exist.
+ rpc CreateDraftExternalAuditStorage(CreateDraftExternalAuditStorageRequest) returns (CreateDraftExternalAuditStorageResponse);
+
+ // UpsertDraftExternalAuditStorage upserts a draft External Audit Storage resource.
+ rpc UpsertDraftExternalAuditStorage(UpsertDraftExternalAuditStorageRequest) returns (UpsertDraftExternalAuditStorageResponse);
+
+ // DeleteDraftExternalAuditStorage removes draft External Audit Storage resource.
+ rpc DeleteDraftExternalAuditStorage(DeleteDraftExternalAuditStorageRequest) returns (google.protobuf.Empty);
+
+ // PromoteToClusterExternalAuditStorage promotes the current draft External
+ // Audit Storage configuration to be used in the cluster.
+ // This method causes the Teleport Auth service to reload.
+ rpc PromoteToClusterExternalAuditStorage(PromoteToClusterExternalAuditStorageRequest) returns (PromoteToClusterExternalAuditStorageResponse);
+
+ // GetClusterExternalAuditStorage gets cluster external audit storage.
+ rpc GetClusterExternalAuditStorage(GetClusterExternalAuditStorageRequest) returns (GetClusterExternalAuditStorageResponse);
+
+ // DisableClusterExternalAuditStorage disables the external audit storage feature.
+ // This method causes the Teleport Auth service to reload.
+ rpc DisableClusterExternalAuditStorage(DisableClusterExternalAuditStorageRequest) returns (google.protobuf.Empty);
+
+ // GenerateDraftExternalAuditStorage generates a new external audit storage
+ // resource with randomized resource names and upserts it as the current
+ // draft.
+ rpc GenerateDraftExternalAuditStorage(GenerateDraftExternalAuditStorageRequest) returns (GenerateDraftExternalAuditStorageResponse);
+
+ // TestDraftExternalAuditStorageBuckets tests the connection to the current draft buckets.
+ rpc TestDraftExternalAuditStorageBuckets(TestDraftExternalAuditStorageBucketsRequest) returns (TestDraftExternalAuditStorageBucketsResponse);
+
+ // TestDraftExternalAuditStorageGlue tests the configuration to the current draft glue table and database.
+ rpc TestDraftExternalAuditStorageGlue(TestDraftExternalAuditStorageGlueRequest) returns (TestDraftExternalAuditStorageGlueResponse);
+
+ // TestDraftExternalAuditStorageAthena tests the configuration to the current draft athena.
+ rpc TestDraftExternalAuditStorageAthena(TestDraftExternalAuditStorageAthenaRequest) returns (TestDraftExternalAuditStorageAthenaResponse);
+}
+
+// GetDraftExternalAuditStorageRequest is a request to get the draft external
+// audit storage configuration.
+message GetDraftExternalAuditStorageRequest {}
+
+// GetDraftExternalAuditStorageResponse is a response to getting the draft
+// external audit storage configuration.
+message GetDraftExternalAuditStorageResponse {
+ // ExternalAuditStorage is the current draft ExternalAuditStorage.
+ ExternalAuditStorage external_audit_storage = 1;
+}
+
+// CreateDraftExternalAuditStorageRequest is a request to create the provided
+// draft external audit storage configuration if one does not already exist.
+message CreateDraftExternalAuditStorageRequest {
+ // ExternalAuditStorage is the ExternalAuditStorage to be created.
+ ExternalAuditStorage external_audit_storage = 1;
+}
+
+// CreateDraftExternalAuditStorageResponse is a response to creating the draft
+// external audit storage configuration.
+message CreateDraftExternalAuditStorageResponse {
+ // ExternalAuditStorage is the ExternalAuditStorage that was created.
+ ExternalAuditStorage external_audit_storage = 1;
+}
+
+// UpsertDraftExternalAuditStorageRequest is a request to upsert the provided
+// draft external audit storage configuration.
+message UpsertDraftExternalAuditStorageRequest {
+ // ExternalAuditStorage is the ExternalAuditStorage to be upserted.
+ ExternalAuditStorage external_audit_storage = 1;
+}
+
+// UpsertDraftExternalAuditStorageResponse is a response to upserting the draft
+// external audit storage configuration.
+message UpsertDraftExternalAuditStorageResponse {
+ // ExternalAuditStorage is the ExternalAuditStorage that was upserted.
+ ExternalAuditStorage external_audit_storage = 1;
+}
+
+// DeleteDraftExternalAuditStorageRequest is a request to delete a draft External
+// Audit Storage configuration.
+message DeleteDraftExternalAuditStorageRequest {}
+
+// PromoteToClusterExternalAuditStorageRequest is a request to promote the current
+// draft to cluster external audit storage.
+message PromoteToClusterExternalAuditStorageRequest {}
+
+// PromoteToClusterExternalAuditStorageResponse is a response of promote the
+// current draft to cluster external audit storage.
+message PromoteToClusterExternalAuditStorageResponse {
+ // ClusterExternalAuditStorage is the ExternalAuditStorage will be used in cluster.
+ ExternalAuditStorage cluster_external_audit_storage = 1;
+}
+
+// GetClusterExternalAuditStorageRequest is a request to get an cluster External
+// Audit Storage configuration.
+message GetClusterExternalAuditStorageRequest {}
+
+// GetClusterExternalAuditStorageResponse is a response of getting an cluster
+// external audit storage configuration.
+message GetClusterExternalAuditStorageResponse {
+ // ClusterExternalAuditStorage contains name of external audit storage.
+ ExternalAuditStorage cluster_external_audit_storage = 1;
+}
+
+// DisableClusterExternalAuditStorageRequest is a request for disabling cluster
+// external audit storage.
+message DisableClusterExternalAuditStorageRequest {}
+
+// GenerateDraftExternalAuditStorageRequest is a request for
+// GenerateDraftExternalAuditStorage.
+message GenerateDraftExternalAuditStorageRequest {
+ // IntegrationName is name of existing AWS OIDC integration used to get AWS
+ // credentials.
+ string integration_name = 1;
+ // Region is the AWS region where infrastructure is hosted.
+ string region = 2;
+}
+
+// GenerateDraftExternalAuditStorageResponse is a response for
+// GenerateDraftExternalAuditStorage.
+message GenerateDraftExternalAuditStorageResponse {
+ // ExternalAuditStorage is the generated ExternalAuditStorage that has been set as
+ // the current draft.
+ ExternalAuditStorage external_audit_storage = 1;
+}
+
+// TestDraftExternalAuditStorageBucketsRequest is a request to test the connection of
+// the current draft external audit storage configuration buckets.
+message TestDraftExternalAuditStorageBucketsRequest {}
+
+// TestDraftExternalAuditStorageBucketsResponse is a response from testing the connection
+// of the current draft external audit storage configuration buckets.
+message TestDraftExternalAuditStorageBucketsResponse {}
+
+// TestDraftExternalAuditStorageGlueRequest is a request to test the connection of
+// the current draft external audit storage configuration glue table.
+message TestDraftExternalAuditStorageGlueRequest {}
+
+// TestDraftExternalAuditStorageGlueResponse is a response from testing the connection
+// of the current draft external audit storage configuration glue table.
+message TestDraftExternalAuditStorageGlueResponse {}
+
+// TestDraftExternalAuditStorageAthenaRequest is a request to test the connection of
+// the current draft external audit storage configuration athena.
+message TestDraftExternalAuditStorageAthenaRequest {}
+
+// TestDraftExternalAuditStorageAthenaResponse is a response from testing the connection
+// of the current draft external audit storage configuration athena.
+message TestDraftExternalAuditStorageAthenaResponse {}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/gitserver/v1/git_server_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/gitserver/v1/git_server_service.proto
new file mode 100644
index 0000000000000..a23a6ab45a45e
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/gitserver/v1/git_server_service.proto
@@ -0,0 +1,97 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.gitserver.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/gitserver/v1;gitserverv1";
+
+// GitServerService provides methods to manage Git server.
+service GitServerService {
+ // CreateGitServer is used to create a Git server object.
+ rpc CreateGitServer(CreateGitServerRequest) returns (types.ServerV2);
+ // GetGitServer is used to retrieve a Git server object.
+ rpc GetGitServer(GetGitServerRequest) returns (types.ServerV2);
+ // ListGitServers is used to query Git servers.
+ rpc ListGitServers(ListGitServersRequest) returns (ListGitServersResponse);
+ // UpdateGitServer is used to update a Git server object.
+ rpc UpdateGitServer(UpdateGitServerRequest) returns (types.ServerV2);
+ // UpsertGitServer is used to create or replace a Git server object.
+ rpc UpsertGitServer(UpsertGitServerRequest) returns (types.ServerV2);
+ // DeleteGitServer is used to delete a Git server object.
+ rpc DeleteGitServer(DeleteGitServerRequest) returns (google.protobuf.Empty);
+
+ // CreateGitHubAuthRequest starts GitHub OAuth flow for authenticated user.
+ rpc CreateGitHubAuthRequest(CreateGitHubAuthRequestRequest) returns (types.GithubAuthRequest);
+}
+
+// CreateGitServerRequest is a request to create a Git server.
+message CreateGitServerRequest {
+ // Server is the Git server to create.
+ types.ServerV2 server = 1;
+}
+
+// GetGitServerRequest is a request to get a Git server.
+message GetGitServerRequest {
+ // Name is the uuid of the server.
+ string name = 1;
+}
+
+// ListGitServersRequest is the request to list Git servers.
+message ListGitServersRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+ // The page_token is the next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+}
+
+// ListGitServersResponse is the response to ListGitServers.
+message ListGitServersResponse {
+ // The page of Git servers that matched the request.
+ repeated types.ServerV2 servers = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// UpdateGitServerRequest is the request to update a Git server.
+message UpdateGitServerRequest {
+ // Server is the Git server to update.
+ types.ServerV2 server = 1;
+}
+
+// UpsertGitServerRequest is the request to upsert a Git server.
+message UpsertGitServerRequest {
+ // Server is the Git server to upsert.
+ types.ServerV2 server = 1;
+}
+
+// DeleteGitServerRequest is the request to delete a Git server.
+message DeleteGitServerRequest {
+ // Name is the uuid of the server.
+ string name = 1;
+}
+
+// CreateGitHubAuthRequestRequest is the request for CreateGitHubAuthRequest.
+message CreateGitHubAuthRequestRequest {
+ // Request is the basic GitHub auth request.
+ types.GithubAuthRequest request = 1;
+ // Organization is the GitHub organization that the user is accessing.
+ string organization = 2;
+}
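Review bot: `CreateGitHubAuthRequestRequest` carries a full client-supplied `types.GithubAuthRequest` plus `organization`, but nothing in the comments says which fields of the embedded request the server honors from the caller and which it derives or overwrites, which is what a reader of the OAuth flow needs to know before trusting the message. Suggest stating that on the `request` field, e.g. `// Request is the basic GitHub auth request. Fields the server derives itself are overwritten regardless of what the client sends (TODO: list them).`, confirmed against the handler, which is outside this hunk. The doubled `RequestRequest` suffix follows mechanically from the rpc name and is acceptable if `CreateGitHubAuthRequest` is the published method name. `DeleteGitServer` returning `google.protobuf.Empty` breaks the `*Request`/`*Response` pairing the rest of the service uses.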
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/healthcheckconfig/v1/health_check_config.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/healthcheckconfig/v1/health_check_config.proto
new file mode 100644
index 0000000000000..f28125bf74cc0
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/healthcheckconfig/v1/health_check_config.proto
@@ -0,0 +1,67 @@
+// Copyright 2025 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.healthcheckconfig.v1;
+
+import "google/protobuf/duration.proto";
+import "teleport/header/v1/metadata.proto";
+import "teleport/label/v1/label.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/healthcheckconfig/v1;healthcheckconfigv1";
+
+// HealthCheckConfig is the configuration for network health checks from an
+// agent to its proxied resource.
+message HealthCheckConfig {
+ // Kind is the resource kind. Must be "health_check_config".
+ string kind = 1;
+ // SubKind is an optional resource sub kind.
+ string sub_kind = 2;
+ // Version is the health check config version.
+ string version = 3;
+ // Metadata is the health check config resource's metadata.
+ teleport.header.v1.Metadata metadata = 4;
+
+ // Spec is the health check config specification.
+ HealthCheckConfigSpec spec = 5;
+}
+
+// HealthCheckConfigSpec is the health check spec.
+message HealthCheckConfigSpec {
+ // Match is used to select resources that these settings apply to.
+ Matcher match = 1;
+ // Timeout is the health check connection establishment timeout.
+ // An attempt that times out is a failed attempt.
+ google.protobuf.Duration timeout = 2;
+ // Interval is the time between each health check.
+ google.protobuf.Duration interval = 3;
+ // HealthyThreshold is the number of consecutive passing health checks after
+ // which a target's health status becomes "healthy".
+ uint32 healthy_threshold = 4;
+ // UnhealthyThreshold is the number of consecutive failing health checks after
+ // which a target's health status becomes "unhealthy".
+ uint32 unhealthy_threshold = 5;
+}
+
+// Matcher is a resource matcher for health check config.
+message Matcher {
+ // DBLabels matches database labels. An empty value is ignored. The match
+ // result is logically ANDed with DBLabelsExpression, if both are non-empty.
+ repeated teleport.label.v1.Label db_labels = 1;
+ // DBLabelsExpression is a label predicate expression to match databases. An
+ // empty value is ignored. The match result is logically ANDed with DBLabels,
+ // if both are non-empty.
+ string db_labels_expression = 2;
+}
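Review bot: `healthy_threshold` and `unhealthy_threshold` are implicit-presence `uint32`, so a client that leaves them unset and one that explicitly sends 0 are indistinguishable on the wire, and 0 is not a usable threshold; the same ambiguity applies to `timeout` and `interval` when absent. The field comments should say what an unset/zero value means (server default, or rejected on validation), e.g. `// UnhealthyThreshold ... Zero means use the server default.`, or the fields should be `optional` if 0 must be a distinct input. Whether the handler validates these cannot be seen from this hunk.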
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/healthcheckconfig/v1/health_check_config_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/healthcheckconfig/v1/health_check_config_service.proto
new file mode 100644
index 0000000000000..b647555a66103
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/healthcheckconfig/v1/health_check_config_service.proto
@@ -0,0 +1,91 @@
+// Copyright 2025 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.healthcheckconfig.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/healthcheckconfig/v1/health_check_config.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/healthcheckconfig/v1;healthcheckconfigv1";
+
+// HealthCheckConfigService provides CRUD ops for health check config resources.
+service HealthCheckConfigService {
+ // CreateHealthCheckConfig creates a new HealthCheckConfig.
+ rpc CreateHealthCheckConfig(CreateHealthCheckConfigRequest) returns (HealthCheckConfig);
+
+ // GetHealthCheckConfig returns the specified HealthCheckConfig.
+ rpc GetHealthCheckConfig(GetHealthCheckConfigRequest) returns (HealthCheckConfig);
+
+ // ListHealthCheckConfigs lists HealthCheckConfig resources.
+ rpc ListHealthCheckConfigs(ListHealthCheckConfigsRequest) returns (ListHealthCheckConfigsResponse);
+
+ // UpdateHealthCheckConfig updates an existing HealthCheckConfig.
+ rpc UpdateHealthCheckConfig(UpdateHealthCheckConfigRequest) returns (HealthCheckConfig);
+
+ // UpsertHealthCheckConfig creates or replaces a HealthCheckConfig.
+ rpc UpsertHealthCheckConfig(UpsertHealthCheckConfigRequest) returns (HealthCheckConfig);
+
+ // DeleteHealthCheckConfig deletes the specified HealthCheckConfig.
+ rpc DeleteHealthCheckConfig(DeleteHealthCheckConfigRequest) returns (google.protobuf.Empty);
+}
+
+// Request for CreateHealthCheckConfig.
+message CreateHealthCheckConfigRequest {
+ // Config is the resource to create.
+ HealthCheckConfig config = 1;
+}
+
+// GetHealthCheckConfigRequest is a request for GetHealthCheckConfig.
+message GetHealthCheckConfigRequest {
+ // Name is the name of the HealthCheckConfig to retrieve.
+ string name = 1;
+}
+
+// ListHealthCheckConfigsRequest is the request for ListHealthCheckConfigs.
+message ListHealthCheckConfigsRequest {
+ // PageSize is the maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+ // PageToken is the page token value returned from a prior list request, if any.
+ string page_token = 2;
+}
+
+// ListHealthCheckConfigsResponse is the response from ListHealthCheckConfigs.
+message ListHealthCheckConfigsResponse {
+ // Configs is a page of health check configs.
+ repeated HealthCheckConfig configs = 1;
+ // NextPageToken is the token that can be used to retrieve the next page of
+ // results or empty if there are no more pages.
+ string next_page_token = 2;
+}
+
+// Request for UpdateHealthCheckConfig.
+message UpdateHealthCheckConfigRequest {
+ // Config is the resource to update.
+ HealthCheckConfig config = 1;
+}
+
+// Request for UpsertHealthCheckConfig.
+message UpsertHealthCheckConfigRequest {
+ // Config is the resource to upsert.
+ HealthCheckConfig config = 1;
+}
+
+// Request for DeleteHealthCheckConfig.
+message DeleteHealthCheckConfigRequest {
+ // Name is the name of the HealthCheckConfig to delete.
+ string name = 1;
+}
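Review bot: The message comments mix two styles: `CreateHealthCheckConfigRequest`, `UpdateHealthCheckConfigRequest`, `UpsertHealthCheckConfigRequest` and `DeleteHealthCheckConfigRequest` are headed `// Request for X.` while the Get and List messages use the `// XRequest is ...` form. Since these comments become the generated type docs, making them uniform, e.g. `// CreateHealthCheckConfigRequest is the request for CreateHealthCheckConfig.`, avoids inconsistent output. `DeleteHealthCheckConfig` returning `google.protobuf.Empty` also means a later response field would be a signature break; `message DeleteHealthCheckConfigResponse {}` is the cheaper choice now.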
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/identitycenter/v1/identitycenter.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/identitycenter/v1/identitycenter.proto
new file mode 100644
index 0000000000000..64c25c13aa27f
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/identitycenter/v1/identitycenter.proto
@@ -0,0 +1,217 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.identitycenter.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/identitycenter/v1;identitycenterv1";
+
+// PermissionSetInfo represents a permission set that is available on a given
+// account. This is not intended to be a complete description of a PermissionSet,
+// but just enough to identify it for cross-referencing when included in an
+// Account record.
+message PermissionSetInfo {
+ // Arn is the unique ARN for this permission set
+ string arn = 1;
+
+ // Title is the human-readable name of the permission set
+ string name = 2;
+
+ // Role is an optional ARN indicating role provisioned to this account. May be
+ // empty if the permission set is not provisioned or is not relevant in the
+ string role = 3;
+
+ // AssignmentID is the name of a Teleport Account Assignment resource
+ // representing this permission set assigned to the enclosing Account.
+ string assignment_id = 4;
+}
+
+// AccountStatus represents any commonly-changing data about an Identity
+// Center account.
+message AccountStatus {}
+
+// Account is an Identity-Center-managed AWS account
+message Account {
+ string kind = 1;
+ string sub_kind = 2;
+ string version = 3;
+ teleport.header.v1.Metadata metadata = 4;
+ AccountSpec spec = 5;
+ AccountStatus status = 6;
+}
+
+// AccountSpec holds non-changing data about an AWS Account
+message AccountSpec {
+ // Id is the AWS-assigned PermissionSet ID
+ string id = 1;
+
+ // Arn is the unique ARN for this permission set
+ string arn = 2;
+
+ // Name is the human-readable name of the permission set
+ string name = 3;
+
+ // Description is a heman-readable description of the AWS Permission Set
+ string description = 4;
+
+ // StartUrl is the address of the AWS start page
+ string start_url = 5;
+
+ // PermissionSetInfo contains a list of the available Perission Sets on this
+ // account.
+ repeated PermissionSetInfo permission_set_info = 6;
+
+ // IsOrganizationOwner indicates that this account is the organisation owner,
+ // and may have restrictions about adding permission sets
+ bool is_organization_owner = 7;
+}
+
+// PermissionSet identifies a single permission set by name and ARN
+message PermissionSet {
+ string kind = 1;
+ string sub_kind = 2;
+ string version = 3;
+ teleport.header.v1.Metadata metadata = 4;
+ PermissionSetSpec spec = 5;
+}
+
+// PermissionSetSpec holds rarely-changing information about ans AWS pwermission
+// set
+message PermissionSetSpec {
+ // Arn is the unique ARN for this permission set
+ string arn = 1;
+
+ // Name is the human-readable name of the permission set
+ string name = 2;
+
+ // Description is a human-readable description of the AWS Permission Set
+ string description = 3;
+}
+
+// AccountAssignment captures the relationship between a PermissionSet
+// and an Identity Center Account. It represents two parts of a potential 3-part
+// Identity Center Account Assignment. This is the primary requestable resource
+// for a user and a user having access to an AccountAssignment resource implies
+// that there is a corresponding Account Assignment in AWS Identity Center that
+// grants that user the Permission Set specified in that resource, on the
+// AWS Account specified in that resource.
+message AccountAssignment {
+ string kind = 1;
+ string sub_kind = 2;
+ string version = 3;
+ teleport.header.v1.Metadata metadata = 4;
+ AccountAssignmentSpec spec = 5;
+}
+
+// AccountAssignmentSpec holds static information abount an AccountAssignment,
+// linking a Permission Set and an AWS account.
+message AccountAssignmentSpec {
+ string display = 1;
+ PermissionSetInfo permission_set = 2;
+ string account_name = 3;
+ string account_id = 4;
+}
+
+// PrincipalAssignment relates a collection of PermissionSets and Applications
+// to a given principal. This is the source of truth for all Account & Permission
+// Set assignments in AWS
+message PrincipalAssignment {
+ string kind = 1;
+ string sub_kind = 2;
+ string version = 3;
+ teleport.header.v1.Metadata metadata = 4;
+ PrincipalAssignmentSpec spec = 5;
+ PrincipalAssignmentStatus status = 6;
+}
+
+// PrincipalType indicates the type of principal represented by a PrincipalAssignment
+enum PrincipalType {
+ PRINCIPAL_TYPE_UNSPECIFIED = 0;
+ PRINCIPAL_TYPE_USER = 1;
+ PRINCIPAL_TYPE_ACCESS_LIST = 2;
+}
+
+// PrincipalAssignmentSpec holds information about the Account Assignments
+// assigned to the target principal.
+message PrincipalAssignmentSpec {
+ // PrincipalId identifies what kind of principal this assignment applies to, either
+ // a User or a Group (i.e. AccessList)
+ PrincipalType principal_type = 1;
+
+ // PrincipalId identifies the Teleport User or Access List that this assignment
+ // applies to
+ string principal_id = 2;
+
+ // ExternalIdSource
+ string external_id_source = 3;
+
+ // ExternalID identifies the user or group within AWS
+ string external_id = 4;
+}
+
+// ProvisioningState indicates the current stage of the Account-Assignment
+// provisioning pipeline a resource is in.
+enum ProvisioningState {
+ // PROVISIONING_STATE_UNSPECIFIED is the default empty state. This should never
+ // be used in practice.
+ PROVISIONING_STATE_UNSPECIFIED = 0;
+
+ // PROVISIONING_STATE_STALE indicates that Teleport has recalculated the
+ // principal's Account Assignment set, but this has not yet been reflected in
+ // AWS.
+ PROVISIONING_STATE_STALE = 1;
+
+ // PROVISIONING_STATE_PROVISIONED indicates that Teleport has synced the
+ // principal's Account Assignments with AWS, and no further work needs to be
+ // done.
+ PROVISIONING_STATE_PROVISIONED = 2;
+
+ // PROVISIONING_STATE_DELETED indicates that the principal as been deleted in
+ // Teleport and all account assignments need to be revoked in AWS and the
+ // Teleport PrincipalAssignment record needs to be deleted
+ PROVISIONING_STATE_DELETED = 3;
+}
+
+// AccountAssignmentRef is a minimal link between an AWS Account and a
+// permission set. Optionally contains human-readable metadata describing the
+// target AWS Account and Permission Set.
+message AccountAssignmentRef {
+ // AccountId holds the AWS account ID for the target AWS account. This will
+ // always be set
+ string account_id = 1;
+
+ // AccountName optionally holds the heman-readable name of the target AwS
+ // account
+ string account_name = 2;
+
+ // PermissionSetArn holds the target Permission Set ARN. This will always be
+ // set.
+ string permission_set_arn = 3;
+
+ // PermissionSetName optionally holds the human-readable name of the target
+ // AWS Permission Set.
+ string permission_set_name = 4;
+}
+
+// PrincipalAssignmentAssignmentStatus holds frequently-changing iinformation
+// about the PrincipalAssignment
+message PrincipalAssignmentStatus {
+ ProvisioningState provisioning_state = 1;
+ repeated AccountAssignmentRef assignments = 2;
+ repeated string applications = 3;
+ string error = 4;
+}
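Review bot: The field comments on AccountSpec describe a permission set rather than an account — `Id is the AWS-assigned PermissionSet ID`, `Arn is the unique ARN for this permission set`, `Name is the human-readable name of the permission set`, `Description ... of the AWS Permission Set` — even though the message comment says it holds data about an AWS Account, so the generated CRD reference will tell users that an account's `id`/`arn`/`name` identify a permission set; they should read `// Id is the AWS-assigned account ID`, `// Arn is the unique ARN for this AWS account`, `// Name is the human-readable name of the AWS account`, `// Description is a human-readable description of the AWS account`. Elsewhere in the hunk the `role` comment in PermissionSetInfo stops mid-sentence (`is not relevant in the`), `principal_type` in PrincipalAssignmentSpec is captioned `PrincipalId`, `external_id_source` has a bare name and no description, and none of the four PrincipalAssignmentStatus fields (`provisioning_state`, `assignments`, `applications`, `error`) are documented, which matters because that status is what tells an operator whether AWS actually reflects the assignments Teleport computed. Typos in the same file: `heman` (twice), `Perission`, `ans AWS pwermission`, `iinformation`, `AwS`, and `PrincipalAssignmentAssignmentStatus` for the comment on PrincipalAssignmentStatus. Since this sits under crdgen/testdata, the same wording presumably needs fixing in the canonical proto the go_package points at, otherwise the next `make crd-docs` will diverge from it.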
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/identitycenter/v1/identitycenter_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/identitycenter/v1/identitycenter_service.proto
new file mode 100644
index 0000000000000..5230c53040f60
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/identitycenter/v1/identitycenter_service.proto
@@ -0,0 +1,49 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.identitycenter.v1;
+
+import "google/protobuf/empty.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/identitycenter/v1;identitycenterv1";
+
+// IdentityCenterService provides methods to manage Identity Center
+// resources.
+service IdentityCenterService {
+ // DeleteAllIdentityCenterAccounts deletes all Identity Center accounts.
+ rpc DeleteAllIdentityCenterAccounts(DeleteAllIdentityCenterAccountsRequest) returns (google.protobuf.Empty);
+
+ // DeleteAllAccountAssignments deletes all Identity Center Account assignments.
+ rpc DeleteAllAccountAssignments(DeleteAllAccountAssignmentsRequest) returns (google.protobuf.Empty);
+
+ // DeleteAllPrincipalAssignments deletes all Identity Center principal assignments.
+ rpc DeleteAllPrincipalAssignments(DeleteAllPrincipalAssignmentsRequest) returns (google.protobuf.Empty);
+
+ // DeleteAllPermissionSets deletes all Identity Center permission sets.
+ rpc DeleteAllPermissionSets(DeleteAllPermissionSetsRequest) returns (google.protobuf.Empty);
+}
+
+// DeleteAllIdentityCenterAccountsRequest is a request to delete all Identity Center imported accounts.
+message DeleteAllIdentityCenterAccountsRequest {}
+
+// DeleteAllAccountAssignmentsRequest is a request to delete all Identity Center account assignments.
+message DeleteAllAccountAssignmentsRequest {}
+
+// DeleteAllPrincipalAssignmentsRequest is a request to delete all Identity Center principal assignments.
+message DeleteAllPrincipalAssignmentsRequest {}
+
+// DeleteAllPermissionSetsRequest is a request to delete all Identity Center permission sets.
+message DeleteAllPermissionSetsRequest {}
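Review bot: The four DeleteAll* RPCs take an empty request and so remove every resource of their kind with no filter or confirmation, yet neither the service comment nor the RPC comments say who is expected to call them or that the operation is irreversible; the IntegrationService added in this same change marks its own DeleteAllIntegrations as `DEPRECATED: Can't delete all integrations over gRPC`, which suggests bulk deletes over gRPC are not meant for general clients. If these are intended only for cache/backend reconciliation rather than end users, I would state that on the service, e.g. `// The DeleteAll* RPCs are destructive bulk operations: each removes every Identity Center resource of the given kind, takes no filter, and cannot be undone.` As a style point, each returns `google.protobuf.Empty` instead of a dedicated `<Method>Response`, which means a deleted-count or per-resource error can never be added without a new RPC; that is a wire-contract decision for the canonical API, so I only flag it here. Being a testdata copy, any wording change belongs in the upstream proto as well.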
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/integration/v1/awsoidc_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/integration/v1/awsoidc_service.proto
new file mode 100644
index 0000000000000..fed5a7ffb63a8
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/integration/v1/awsoidc_service.proto
@@ -0,0 +1,605 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.integration.v1;
+
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1;integrationv1";
+
+// AWSOIDCService provides access to AWS APIs using the AWS OIDC Integration.
+service AWSOIDCService {
+ // ListEICE returns a list of EC2 Instance Connect Endpoints.
+ // An optional NextToken that can be used to fetch the next page.
+ // It uses the following API:
+ // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceConnectEndpoints.html
+ rpc ListEICE(ListEICERequest) returns (ListEICEResponse);
+
+ // CreateEICE creates multiple EC2 Instance Connect Endpoint using the provided Subnets and Security Group IDs.
+ // It uses the following API:
+ // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInstanceConnectEndpoint.html
+ rpc CreateEICE(CreateEICERequest) returns (CreateEICEResponse);
+
+ // ListDatabases calls the following AWS API:
+ // https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBClusters.html
+ // https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html
+ // It returns a list of Databases and an optional NextToken that can be used to fetch the next page
+ rpc ListDatabases(ListDatabasesRequest) returns (ListDatabasesResponse);
+
+ // ListSecurityGroups returns a list of AWS VPC SecurityGroups.
+ // It uses the following API:
+ // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html
+ rpc ListSecurityGroups(ListSecurityGroupsRequest) returns (ListSecurityGroupsResponse);
+
+ // ListSubnets returns a list of AWS VPC subnets.
+ // It uses the following API:
+ // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSubnets.html
+ rpc ListSubnets(ListSubnetsRequest) returns (ListSubnetsResponse);
+
+ // ListVPCs returns a list of AWS VPCs.
+ // It uses the following API:
+ // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcs.html
+ rpc ListVPCs(ListVPCsRequest) returns (ListVPCsResponse);
+
+ // DeployDatabaseService deploys a Database Services to Amazon ECS.
+ rpc DeployDatabaseService(DeployDatabaseServiceRequest) returns (DeployDatabaseServiceResponse);
+
+ // ListDeployedDatabaseServices returns the deployed Database Services in Amazon ECS.
+ rpc ListDeployedDatabaseServices(ListDeployedDatabaseServicesRequest) returns (ListDeployedDatabaseServicesResponse);
+
+ // DeployService deploys an ECS Service to Amazon ECS.
+ rpc DeployService(DeployServiceRequest) returns (DeployServiceResponse);
+
+ // EnrollEKSClusters enrolls EKS clusters by installing kube agent Helm chart.
+ rpc EnrollEKSClusters(EnrollEKSClustersRequest) returns (EnrollEKSClustersResponse);
+
+ // ListEC2 lists the EC2 instances of the AWS account per region.
+ // It uses the following API:
+ // https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
+ rpc ListEC2(ListEC2Request) returns (ListEC2Response);
+
+ // ListEKSClusters retrieves a paginated list of EKS clusters in the specified AWS region for a specific account.
+ // It uses the following APIs:
+ // https://docs.aws.amazon.com/eks/latest/APIReference/API_ListClusters.html
+ // https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeCluster.html
+ rpc ListEKSClusters(ListEKSClustersRequest) returns (ListEKSClustersResponse);
+
+ // Ping does an health check for the integration.
+ // Returns the caller identity.
+ // It uses the following APIs:
+ // https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
+ rpc Ping(PingRequest) returns (PingResponse);
+}
+
+// ListEICERequest is a request for a paginated list of AWS EC2 Instance Connect Endpoints.
+message ListEICERequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // VPCIDs is used to filter for EICEs of those VPCs.
+ // Required.
+ repeated string vpc_ids = 3;
+ // NextToken is the token to be used to fetch the next page.
+ // If empty, the first page is fetched.
+ string next_token = 4;
+}
+
+// EC2InstanceConnectEndpoint is a representation of a Amazon VPC EC2 Instance Connect Endpoint.
+message EC2InstanceConnectEndpoint {
+ // Name is the endpoint name.
+ string name = 1;
+ // State is the endpoint state.
+ // Known values:
+ // create-in-progress | create-complete | create-failed | delete-in-progress | delete-complete | delete-failed
+ string state = 2;
+ // StateMessage contains a message describing the state of the EICE.
+ string state_message = 3;
+ // DashboardLink is a URL to AWS Console where the user can see the EC2 Instance Connect Endpoint.
+ string dashboard_link = 4;
+ // SubnetID is the subnet used by the endpoint.
+ string subnet_id = 5;
+ // VPCID is the VPC ID where the Endpoint is created.
+ string vpc_id = 6;
+}
+
+// ListEICEResponse contains a page of AWS EC2 Instance Connect Endpoints.
+message ListEICEResponse {
+ // EC2ICEs contains the page of EC2 Instance Connect Endpoints.
+ repeated EC2InstanceConnectEndpoint ec2ices = 1;
+ // DashboardLink is the URL for AWS Web Console that lists all the Endpoints for the queries VPCs.
+ string dashboard_link = 2;
+ // NextToken is used for pagination.
+ // If non-empty, it can be used to request the next page.
+ string next_token = 3;
+}
+
+// CreateEICERequest contains the required fields to create an AWS EC2 Instance Connect Endpoint.
+message CreateEICERequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // Endpoints is is a list of EC2 Instance Connect Endpoints to be created.
+ // Required.
+ repeated EC2ICEndpoint endpoints = 3;
+}
+
+// EC2ICEndpoint contains the information for a single Endpoint to be created.
+message EC2ICEndpoint {
+ // Name is the endpoint name.
+ string name = 1;
+ // SubnetID is the Subnet where the Endpoint will be created.
+ string subnet_id = 2;
+ // SecurityGroupIDs is a list of SecurityGroups to assign to the Endpoint.
+ // If not specified, the Endpoint will receive the default SG for the Subnet's VPC.
+ repeated string security_group_ids = 3;
+}
+
+// CreateEICEResponse is a request to create a VPC Endpoint of EC2 Instance Connect Endpoint type.
+message CreateEICEResponse {
+ // Name is the Endpoint ID.
+ string name = 1;
+ // CreatedEndpoints contains the name of created endpoints and their Subnet.
+ repeated EC2ICEndpoint created_endpoints = 2;
+}
+
+// ListDatabasesRequest is a request for a paginated list of AWS Databases.
+message ListDatabasesRequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // RDSType is either instance or cluster (for Aurora DBs).
+ // Required.
+ string rds_type = 3;
+ // Engines filters the returned Databases based on their engine.
+ // Eg, mysql, postgres, mariadb, aurora, aurora-mysql, aurora-postgresql
+ // Required.
+ repeated string engines = 4;
+ // NextToken is the token to be used to fetch the next page.
+ // If empty, the first page is fetched.
+ string next_token = 5;
+ // VPCID filters databases to only include those deployed in the VPC.
+ // If empty, no filtering is done.
+ string vpc_id = 6;
+}
+
+// ListDatabasesResponse contains a page of AWS Databases.
+message ListDatabasesResponse {
+ // Databases contains the page of Databases.
+ repeated types.DatabaseV3 databases = 1;
+ // NextToken is used for pagination.
+ // If non-empty, it can be used to request the next page.
+ string next_token = 2;
+}
+
+// ListSecurityGroupsRequest is a request for a paginated list of AWS SecurityGroups.
+message ListSecurityGroupsRequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // VPCID is the VPC ID for listing SecurityGroups.
+ // Required.
+ string vpc_id = 3;
+ // NextToken is the token to be used to fetch the next page.
+ // If empty, the first page is fetched.
+ string next_token = 4;
+}
+
+// CIDR has a CIDR (IP Range) and a description for the value.
+message SecurityGroupRuleCIDR {
+ // CIDR is the IP range using CIDR notation.
+ string cidr = 1;
+ // Description contains a small text describing the CIDR.
+ string description = 2;
+}
+
+// SecurityGroupRuleGroupID has an allowed security group ID and a description
+// for the rule.
+message SecurityGroupRuleGroupID {
+ // GroupID is the allowed security group ID.
+ string group_id = 1;
+ // Description contains a small text describing the allowed security group.
+ string description = 2;
+}
+
+// SecurityGroupRule is a representation of a SecurityGroupRule.
+// Either for Inbound or Outbound rules.
+message SecurityGroupRule {
+ // IPProtocol is the protocol used to describe the rule.
+ // If the rule applies to all protocols, the "all" value is used.
+ // The IP protocol name ( tcp , udp , icmp , icmpv6 ) or number (see Protocol
+ // Numbers (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)).
+ string ip_protocol = 1;
+ // FromPort is the inclusive start of the Port range for the Rule.
+ int32 from_port = 2;
+ // ToPort is the inclusive end of the Port range for the Rule.
+ int32 to_port = 3;
+ // CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
+ repeated SecurityGroupRuleCIDR cidrs = 4;
+ // GroupIds is a list of rules that allow another security group referenced
+ // by ID.
+ repeated SecurityGroupRuleGroupID group_ids = 5;
+}
+
+// SecurityGroup is a representation of a SecurityGroup
+message SecurityGroup {
+ // Name is the SecurityGroup name.
+ string name = 1;
+ // ID is the SecurityGroup ID.
+ string id = 2;
+ // Description is a small description of the SecurityGroup.
+ string description = 3;
+ // InboundRules describe the Security Group Inbound Rules.
+ // The CIDR of each rule represents the source IP that the rule applies to.
+ repeated SecurityGroupRule inbound_rules = 4;
+ // OutboundRules describe the Security Group Outbound Rules.
+ // The CIDR of each rule represents the destination IP that the rule applies to.
+ repeated SecurityGroupRule outbound_rules = 5;
+}
+
+// ListSecurityGroupsResponse contains a page of AWS SecurityGroups.
+message ListSecurityGroupsResponse {
+ // SecurityGroups contains the page of SecurityGroups.
+ repeated SecurityGroup security_groups = 1;
+ // NextToken is used for pagination.
+ // If non-empty, it can be used to request the next page.
+ string next_token = 2;
+}
+
+// ListSubnetsRequest is a request for a paginated list of AWS VPC subnets.
+message ListSubnetsRequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // VPCID is the VPC ID for listing subnets.
+ // Required.
+ string vpc_id = 3;
+ // NextToken is the token to be used to fetch the next page.
+ // If empty, the first page is fetched.
+ string next_token = 4;
+}
+
+// Subnet is a representation of an AWS VPC subnet.
+message Subnet {
+ // Name is the subnet name. Can be empty.
+ string name = 1;
+ // ID is the subnet ID.
+ string id = 2;
+ // AvailabilityZone is the availability zone of the subnet.
+ string availability_zone = 3;
+}
+
+// ListSubnetsResponse contains a page of AWS VPC subnets.
+message ListSubnetsResponse {
+ // Subnets contains the page of subnets.
+ repeated Subnet subnets = 1;
+ // NextToken is used for pagination.
+ // If non-empty, it can be used to request the next page.
+ string next_token = 2;
+}
+
+// ListVPCsRequest is a request for a paginated list of AWS VPCs.
+message ListVPCsRequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // NextToken is the token to be used to fetch the next page.
+ // If empty, the first page is fetched.
+ string next_token = 3;
+}
+
+// VPC is a representation of an AWS VPC.
+message VPC {
+ // Name is the VPC name. Can be empty.
+ string name = 1;
+ // ID is the VPC ID.
+ string id = 2;
+}
+
+// ListVPCsResponse contains a page of AWS VPCs.
+message ListVPCsResponse {
+ // VPCs contains the page of VPCs.
+ repeated VPC vpcs = 1;
+ // NextToken is used for pagination.
+ // If non-empty, it can be used to request the next page.
+ string next_token = 2;
+}
+
+// DeployDatabaseServiceRequest is a request to deploy .
+message DeployDatabaseServiceRequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // TaskRoleARN is the AWS IAM Role received by the deployed service.
+ // Required.
+ string task_role_arn = 3;
+ // TeleportVersion is the teleport version to be deployed.
+ // This is used to fetch the correct tag for the teleport container image.
+ // Eg, 14.3.4 (no "v" prefix)
+ // Required.
+ string teleport_version = 4;
+ // DeploymentJoinTokenName is the Teleport IAM Join Token to be used by the deployed
+ // service to join the cluster.
+ // Required.
+ string deployment_join_token_name = 5;
+ // Deployments is a list of services that will be deployed.
+ repeated DeployDatabaseServiceDeployment deployments = 6;
+}
+
+// DeployDatabaseServiceDeployment represents a single deployment.
+message DeployDatabaseServiceDeployment {
+ // TeleportConfigString is the teleport.yaml configuration (base64 encoded) used by teleport.
+ // Required.
+ string teleport_config_string = 1;
+ // VpcId is the VPCID where the service is going to be deployed.
+ // Required.
+ string vpc_id = 2;
+ // SubnetIds are the subnets for the network configuration.
+ // They must belong to the VpcId above.
+ // Required.
+ repeated string subnet_ids = 3;
+ // SecurityGroups are the SecurityGroup IDs to associate with this particular deployment.
+ // If empty, the default security group for the VPC is going to be used.
+ repeated string security_groups = 4;
+}
+
+// DeployDatabaseServiceResponse contains information about the deployed service.
+message DeployDatabaseServiceResponse {
+ // ClusterArn identifies the cluster where the deployment was made.
+ string cluster_arn = 1;
+ // ClusterDashboardURL is a link to the Amazon ECS cluster dashboard or a
+ // specific cluster service if a single deployment was requested.
+ string cluster_dashboard_url = 2;
+}
+
+// ListDeployedDatabaseServicesRequest is a request for listing the deployed database services in Amazon ECS.
+message ListDeployedDatabaseServicesRequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // NextToken is the token to be used to fetch the next page.
+ // If empty, the first page is fetched.
+ string next_token = 3;
+}
+
+// DeployedDatabaseService contains a database service that was deployed to Amazon ECS.
+message DeployedDatabaseService {
+ // Name is the Amazon ECS Service name.
+ string name = 1;
+ // ServiceDashboardURL is a link to the Amazon ECS Service dashboard.
+ string service_dashboard_url = 2;
+ // ContainerEntryPoint is the entry point for the container 0 that is running in the ECS Task.
+ repeated string container_entry_point = 3;
+ // ContainerCommand is the list of arguments that are passed into the ContainerEntryPoint.
+ repeated string container_command = 4;
+}
+
+// ListDeployedDatabaseServicesResponse contains the list of the database services that were deployed in Amazon ECS.
+message ListDeployedDatabaseServicesResponse {
+ // DeployedDatabaseServices contains a page of page of EC2.
+ repeated DeployedDatabaseService deployed_database_services = 1;
+ // NextToken is the token to be used to fetch the next page.
+ // If empty, the first page is fetched.
+ string next_token = 2;
+}
+
+// DeployServiceRequest is a request to deploy .
+message DeployServiceRequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // DeploymentMode is the deployment name that should be applied when creating the ECS Service.
+ // Allowed modes: database-service
+ // Required.
+ string deployment_mode = 3;
+ // SecurityGroups to apply to the service's network configuration.
+ // If empty, the default security group for the VPC is going to be used.
+ repeated string security_groups = 4;
+ // SubnetIds are the subnets for the network configuration.
+ // Required.
+ repeated string subnet_ids = 5;
+ // TaskRoleARN is the AWS IAM Role received by the deployed service.
+ // Required.
+ string task_role_arn = 6;
+ // TeleportVersion is the teleport version to be deployed.
+ // This is used to fetch the correct tag for the teleport container image.
+ // Eg, 14.3.4 (no "v" prefix)
+ // Required.
+ string teleport_version = 7;
+ // DeploymentJoinTokenName is the Teleport IAM Join Token to be used by the deployed
+ // service to join the cluster.
+ // Required.
+ string deployment_join_token_name = 8;
+ // TeleportConfigString is the teleport.yaml configuration (base64 encoded) used by teleport.
+ // Required.
+ string teleport_config_string = 9;
+}
+
+// DeployServiceResponse contains information about the deployed service.
+message DeployServiceResponse {
+ // ClusterArn identifies the cluster where the deployment was made.
+ string cluster_arn = 1;
+ // ServiceARN is the Amazon ECS Cluster Service ARN created to run the task.
+ string service_arn = 2;
+ // TaskDefinitionARN is the Amazon ECS Task Definition ARN created to run the Service.
+ string task_definition_arn = 3;
+ // ServiceDashboardURL is a link to the service's Dashboard URL in Amazon Console.
+ string service_dashboard_url = 4;
+}
+
+// EnrollEKSClustersRequest is request to enroll EKS clusters.
+message EnrollEKSClustersRequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // ClusterNames is names of EKS clusters to enroll.
+ // Required.
+ repeated string eks_cluster_names = 3;
+ // EnableAppDiscovery specifies if we should enable Kubernetes App Discovery inside the enrolled EKS cluster.
+ bool enable_app_discovery = 4;
+ // AgentVersion is version of agent Helm chart to install on the EKS cluster.
+ // Required.
+ string agent_version = 5;
+ // ExtraLabels added to the enrolled clusters.
+ map extra_labels = 6;
+}
+
+// EnrollEKSClusterResult contains result for a single cluster enrollment.
+message EnrollEKSClusterResult {
+ // ClusterName identifies what EKS cluster this result is for.
+ string eks_cluster_name = 1;
+ // ResourceID shows what internal resource ID label was used by the Helm chart.
+ string resource_id = 2;
+ // Error show what error happened during enrollment. Empty if no error happened.
+ string error = 3;
+ // IssueType contains the UserTask's issue type for well-known errors.
+ // Example of allowed values:
+ // - eks-status-not-active
+ // - eks-missing-endpoint-public-access
+ // - eks-authentication-mode-unsupported
+ // - eks-cluster-unreachable
+ // - eks-agent-not-connecting
+ // See usertasks.DiscoverEKSIssueTypes for a complete list of allowed values.
+ // Empty if no error happened, or the error is not yet handled.
+ string issue_type = 4;
+}
+
+// EnrollEKSClustersResponse is a response to enrolling EKS clusters.
+message EnrollEKSClustersResponse {
+ // Results shows result of enrollment for each requested EKS cluster.
+ repeated EnrollEKSClusterResult results = 1;
+}
+
+// ListEC2Request is a request for a paginated list of AWS EC2 instances.
+message ListEC2Request {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // NextToken is the token to be used to fetch the next page.
+ // If empty, the first page is fetched.
+ string next_token = 3;
+}
+
+// ListEC2Response contains a page of AWS EC2 instances represented as Nodes.
+message ListEC2Response {
+ // Servers contains the page of EC2.
+ repeated types.ServerV2 servers = 1;
+ // NextToken is used for pagination.
+ // If non-empty, it can be used to request the next page.
+ string next_token = 2;
+}
+
+// ListEKSClustersRequest is a request for a paginated list of AWS EKS Clusters.
+message ListEKSClustersRequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 1;
+ // Region is the AWS Region
+ // Required.
+ string region = 2;
+ // NextToken is the token to be used to fetch the next page.
+ // If empty, the first page is fetched.
+ string next_token = 3;
+}
+
+// EKSCluster represents an Amazon EKS Cluster.
+message EKSCluster {
+ // Name is the name of AWS EKS cluster.
+ string name = 1;
+ // Region is an AWS region.
+ string region = 2;
+ // Arn is an AWS ARN identification of the EKS cluster.
+ string arn = 3;
+ // Labels are labels of a EKS cluster.
+ map labels = 4;
+ // JoinLabels are Teleport labels that should be injected into kube agent
+ // if the cluster will be enrolled into Teleport (agent installed on it).
+ map join_labels = 5;
+ // Status is a current status of an EKS cluster in AWS.
+ // Known values are:
+ // CREATING | ACTIVE | DELETING | FAILED | UPDATING | PENDING
+ string status = 6;
+ // EndpointPublicAccess indicates whether this EKS Cluster is accessible publicly.
+ // If only private access is available, then the EKS Cluster can't be enrolled from Teleport Cloud.
+ bool endpoint_public_access = 7;
+ // AuthenticationMode is the allowed authentication mode for the cluster.
+ // Known values are:
+ // API | API_AND_CONFIG_MAP | CONFIG_MAP
+ string authentication_mode = 8;
+}
+
+// ListEKSClustersResponse contains a page of AWS EKS Clusters.
+message ListEKSClustersResponse {
+ // Clusters contains the page of EKS Clusters.
+ repeated EKSCluster clusters = 1;
+ // NextToken is used for pagination.
+ // If non-empty, it can be used to request the next page.
+ string next_token = 2;
+}
+
+// PingRequest is a request for doing an health check against the configured integration.
+message PingRequest {
+ // Integration is the AWS OIDC Integration name.
+ // Required if ARN is empty.
+ string integration = 1;
+
+ // The AWS Role ARN to be used when generating the token.
+ // This is used to test another ARN before saving the Integration.
+ // Required if integration is empty.
+ string role_arn = 2;
+}
+
+// PingResponse contains the response for the Ping operation.
+message PingResponse {
+ // The AWS account ID number of the account that owns or contains the calling entity.
+ string account_id = 1;
+ // The AWS ARN associated with the calling entity.
+ string arn = 2;
+ // The unique identifier of the calling entity.
+ string user_id = 3;
+}
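Review bot: The three map fields — `map extra_labels = 6;` in EnrollEKSClustersRequest and `map labels = 4;` / `map join_labels = 5;` in EKSCluster — carry no key/value type arguments, which protoc rejects; unless the `<string, string>` was stripped when this page was rendered, they need to be `map<string, string> extra_labels = 6;`, `map<string, string> labels = 4;` and `map<string, string> join_labels = 5;`. Several comments were copy-pasted without being updated: DeployDatabaseServiceRequest and DeployServiceRequest are both `a request to deploy .` (sentence cut off), CreateEICEResponse is described as `a request to create a VPC Endpoint`, `CIDR has a CIDR` heads a message actually named SecurityGroupRuleCIDR, and ListDeployedDatabaseServicesResponse says `contains a page of page of EC2.` and documents its `next_token` with the request-side wording (`If empty, the first page is fetched`) instead of the response-side wording used by every other response here (`If non-empty, it can be used to request the next page`). On the security side, PingRequest.role_arn lets the caller name an arbitrary IAM role to be assumed through the integration's OIDC provider before any integration is saved, and the comment should state what the server validates and which Teleport permission the caller needs — I only see the schema, so I can't tell whether that is enforced, which is exactly why the contract should say it. As this is a testdata copy, these fixes belong in the canonical proto too.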
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/integration/v1/integration_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/integration/v1/integration_service.proto
new file mode 100644
index 0000000000000..5bd3de8cb1877
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/integration/v1/integration_service.proto
@@ -0,0 +1,175 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.integration.v1;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/empty.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1;integrationv1";
+
+// IntegrationService provides methods to manage Integrations with 3rd party APIs.
+service IntegrationService {
+ // ListIntegrations returns a paginated list of Integration resources.
+ rpc ListIntegrations(ListIntegrationsRequest) returns (ListIntegrationsResponse);
+
+ // GetIntegration returns the specified Integration resource.
+ rpc GetIntegration(GetIntegrationRequest) returns (types.IntegrationV1);
+
+ // CreateIntegration creates a new Integration resource.
+ rpc CreateIntegration(CreateIntegrationRequest) returns (types.IntegrationV1);
+
+ // UpdateIntegration updates an existing Integration resource.
+ rpc UpdateIntegration(UpdateIntegrationRequest) returns (types.IntegrationV1);
+
+ // DeleteIntegration removes the specified Integration resource.
+ rpc DeleteIntegration(DeleteIntegrationRequest) returns (google.protobuf.Empty);
+
+ // DeleteAllIntegrations removes all Integrations.
+ // DEPRECATED: Can't delete all integrations over gRPC.
+ rpc DeleteAllIntegrations(DeleteAllIntegrationsRequest) returns (google.protobuf.Empty);
+
+ // GenerateAWSOIDCToken generates a token to be used when executing an AWS OIDC Integration action.
+ rpc GenerateAWSOIDCToken(GenerateAWSOIDCTokenRequest) returns (GenerateAWSOIDCTokenResponse);
+
+ // GenerateAzureOIDCToken generates a token to be used when executing an Azure OIDC Integration action.
+ rpc GenerateAzureOIDCToken(GenerateAzureOIDCTokenRequest) returns (GenerateAzureOIDCTokenResponse);
+
+ // GenerateGitHubUserCert signs a SSH certificate for GitHub integration.
+ rpc GenerateGitHubUserCert(GenerateGitHubUserCertRequest) returns (GenerateGitHubUserCertResponse);
+
+ // ExportIntegrationCertAuthorities exports cert authorities for an integration.
+ rpc ExportIntegrationCertAuthorities(ExportIntegrationCertAuthoritiesRequest) returns (ExportIntegrationCertAuthoritiesResponse);
+}
+
+// ListIntegrationsRequest is a request for a paginated list of Integrations.
+message ListIntegrationsRequest {
+ // Limit is the maximum amount of resources to retrieve.
+ int32 limit = 1;
+ // NextKey is the key for the next page of Integrations.
+ string next_key = 2;
+}
+
+// ListIntegrationsResponse is the response for ListIntegrationsRequest.
+message ListIntegrationsResponse {
+ // Integrations is a list of Integrations.
+ repeated types.IntegrationV1 integrations = 1;
+ // NextKey is the key for the next page of Integrations.
+ string next_key = 2;
+ // TotalCount is the total number of integrations in all pages.
+ int32 total_count = 3;
+}
+
+// GetIntegrationRequest is a request for a specific Integration resource.
+message GetIntegrationRequest {
+ // Name is the name of the Integration to be requested.
+ string name = 1;
+}
+
+// CreateIntegrationRequest is the request to create the provided integration.
+message CreateIntegrationRequest {
+ // Integration is the integration to be created.
+ types.IntegrationV1 integration = 1;
+}
+
+// UpdateIntegrationRequest is the request to update the provided integration.
+message UpdateIntegrationRequest {
+ // Integration is the integration to be created.
+ types.IntegrationV1 integration = 1;
+}
+
+// DeleteIntegrationRequest is a request for deleting a specific Integration resource.
+message DeleteIntegrationRequest {
+ // Name is the name of the Integration to be deleted.
+ string name = 1;
+ // DeleteAssociatedResources allows the request to search associated resources
+ // and attempt to delete them.
+ bool delete_associated_resources = 2;
+}
+
+// DeleteAllIntegrationsRequest is the request for deleting all integrations.
+// DEPRECATED: Can't delete all integrations over gRPC.
+message DeleteAllIntegrationsRequest {}
+
+// GenerateAWSOIDCTokenRequest are the parameters used to request an AWS OIDC
+// Integration token.
+message GenerateAWSOIDCTokenRequest {
+ // Issuer is the entity that is signing the JWT.
+ // This value must contain the AWS OIDC Integration configured provider (Teleport Proxy's Public URL)
+ //
+ // Deprecated: Ignored because value is calculated server side.
+ string issuer = 1 [deprecated = true];
+
+ // Integration is the AWS OIDC Integration name.
+ // Required.
+ string integration = 2;
+}
+
+// GenerateAWSOIDCTokenResponse contains a signed AWS OIDC Integration token.
+message GenerateAWSOIDCTokenResponse {
+ // Token is the signed JWT ready to be used
+ string token = 1;
+}
+
+// GenerateAzureOIDCTokenRequest are the parameters used to request an Azure OIDC
+// Integration token.
+message GenerateAzureOIDCTokenRequest {
+ // Integration is the Azure OIDC Integration name.
+ // Required.
+ string integration = 1;
+}
+
+// GenerateAzureOIDCTokenResponse contains a signed Azure OIDC Integration token.
+message GenerateAzureOIDCTokenResponse {
+ // Token is the signed JWT ready to be used
+ string token = 1;
+}
+
+// GenerateGitHubUserCertRequest is a request to sign a client certificate used by
+// GitHub integration to authenticate with GitHub enterprise.
+message GenerateGitHubUserCertRequest {
+ // Integration is the name of the integration;
+ string integration = 1;
+ // PublicKey is the public key to be signed.
+ bytes public_key = 2;
+ // UserId is the GitHub user id.
+ string user_id = 3;
+ // KeyId is the certificate ID, usually the Teleport username.
+ string key_id = 4;
+ // Ttl is the duration the certificate will be valid for.
+ google.protobuf.Duration ttl = 5;
+}
+
+// GenerateGitHubUserCertResponse contains a signed certificate.
+message GenerateGitHubUserCertResponse {
+ // AuthorizedKey is the signed certificate.
+ bytes authorized_key = 1;
+}
+
+// ExportIntegrationCertAuthoritiesRequest is the request to export cert
+// authorities for an integration.
+message ExportIntegrationCertAuthoritiesRequest {
+ // Integration is the name of the integration;
+ string integration = 1;
+}
+
+// ExportIntegrationCertAuthoritiesResponse is the response to
+// ExportIntegrationCertAuthorities.
+message ExportIntegrationCertAuthoritiesResponse {
+ // CertAuthorities are the CA key sets used to sign any new certificates.
+ types.CAKeySet cert_authorities = 1;
+}
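Review bot: The comment on UpdateIntegrationRequest.integration says "Integration is the integration to be created.", copied from CreateIntegrationRequest; it should read `// Integration is the integration to be updated.` DeleteAllIntegrations is marked DEPRECATED only in free text on the rpc and on DeleteAllIntegrationsRequest; adding `option deprecated = true;` inside the rpc body and the message would let generated code carry the deprecation instead of relying on readers of the comment. DeleteIntegration and DeleteAllIntegrations also return google.protobuf.Empty, which cannot grow fields later; a dedicated DeleteIntegrationResponse is the usual shape, though since this is a testdata copy of an upstream file that change belongs upstream.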
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/kube/v1/kube_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/kube/v1/kube_service.proto
new file mode 100644
index 0000000000000..86654a82b3e4f
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/kube/v1/kube_service.proto
@@ -0,0 +1,79 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.kube.v1;
+
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/kube/v1;kubev1";
+
+// KubeService provides methods to list Kubernetes resources when users are not allowed
+// to access the underlying cluster or resources but their `search_as_roles` allow.
+//
+service KubeService {
+ // ListKubernetesResources lists the Kubernetes resources without leaking details.
+ rpc ListKubernetesResources(ListKubernetesResourcesRequest) returns (ListKubernetesResourcesResponse);
+}
+
+// ListKubernetesResourcesRequest defines a request to retrieve resources paginated. Only
+// one type of resource can be retrieved per request.
+//
+message ListKubernetesResourcesRequest {
+ // ResourceType is the Kubernetes resource that is going to be retrieved.
+ string resource_type = 1;
+ // Limit is the maximum amount of resources to retrieve.
+ int32 limit = 2;
+ // StartKey is used to start listing resources from a specific spot. It
+ // should be set to the previous NextKey value if using pagination, or
+ // left empty.
+ string start_key = 3;
+ // Labels is a label-based matcher if non-empty.
+ map labels = 4;
+ // PredicateExpression defines boolean conditions that will be matched against the resource.
+ string predicate_expression = 5;
+ // SearchKeywords is a list of search keywords to match against resource field values.
+ repeated string search_keywords = 6;
+ // SortBy describes which resource field and which direction to sort by.
+ types.SortBy sort_by = 7;
+ // NeedTotalCount indicates whether or not the caller also wants the total number of resources
+ // after filtering.
+ bool need_total_count = 8;
+ // UseSearchAsRoles indicates that the response should include all resources
+ // the caller is able to request access to using search_as_roles
+ bool use_search_as_roles = 9;
+ // UsePreviewAsRoles indicates that the response should include all resources
+ // the caller would be able to access with their preview_as_roles
+ bool use_preview_as_roles = 11;
+ // TeleportCluster is the Teleport Cluster name to route the request to.
+ string teleport_cluster = 12;
+ // Cluster is the Kubernetes Cluster to request the resources.
+ string kubernetes_cluster = 13;
+ // Namespace is the Kubernetes namespace where the resources must be located.
+ // To search on every Kubernetes Namespace, do not define the value.
+ string kubernetes_namespace = 14;
+}
+
+// ListKubernetesResourcesResponse is the response of ListKubernetesResources method.
+message ListKubernetesResourcesResponse {
+ // Resources is a list of resource.
+ repeated types.KubernetesResourceV1 resources = 1;
+ // NextKey is the next Key to use as StartKey in a ListResourcesRequest to
+ // continue retrieving pages of resource. If NextKey is empty, there are no
+ // more pages.
+ string next_key = 2;
+ // TotalCount is the total number of resources available after filter, if any.
+ int32 total_count = 3;
+}
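Review bot: ListKubernetesResourcesRequest skips field number 10 (use_search_as_roles = 9 is followed by use_preview_as_roles = 11) without a `reserved 10;` statement, so nothing prevents the number from being reused later with a different meaning; if 10 was ever used, add `reserved 10;` together with its old name. The labels field appears here as `map labels = 4;` with no key/value types, which is not valid proto3; presumably it is `map<string, string>` and the angle brackets were lost in rendering, and the same applies to labels in ResolveSSHTargetRequest and to headers/payload_headers in OracleSignedRequest further down this diff. The comment on kubernetes_cluster still calls the field "Cluster"; `// KubernetesCluster is the Kubernetes cluster to request the resources from.` would match the field name.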
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/kubewaitingcontainer/v1/kubewaitingcontainer.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/kubewaitingcontainer/v1/kubewaitingcontainer.proto
new file mode 100644
index 0000000000000..362f636762e09
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/kubewaitingcontainer/v1/kubewaitingcontainer.proto
@@ -0,0 +1,56 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.kubewaitingcontainer.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/kubewaitingcontainer/v1;kubewaitingcontainerv1";
+
+// KubernetesWaitingContainer is a Kubernetes pod that has ephemeral containers
+// waiting to be created until moderated session requirements are met.
+message KubernetesWaitingContainer {
+ // kind is a resource kind
+ string kind = 1;
+ // sub_kind is an optional resource sub kind, used in some resources
+ string sub_kind = 2;
+ // version is the resource version. It must be specified.
+ // Supported values are: `v1`.
+ string version = 3;
+ // metadata is resource metadata
+ teleport.header.v1.Metadata metadata = 4;
+ // spec is the Kubernetes waiting container spec.
+ KubernetesWaitingContainerSpec spec = 5;
+}
+
+// KubernetesWaitingContainerSpec is the Kubernetes waiting ephemeral container spec.
+message KubernetesWaitingContainerSpec {
+ // username is the Teleport user that attempted to create the container
+ string username = 1;
+ // cluster is the Kubernetes cluster of this container
+ string cluster = 2;
+ // namespace is the Kubernetes namespace of this container
+ string namespace = 3;
+ // pod_name is the name of the parent pod
+ string pod_name = 4;
+ // container_name is the name of the ephemeral container
+ string container_name = 5;
+ // patch is the patch that should be applied to the parent pod
+ // to create this ephemeral container
+ bytes patch = 6;
+ // patch_type identifies the patch model to be applied.
+ string patch_type = 7;
+}
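Review bot: patch and patch_type are documented only as "the patch that should be applied to the parent pod" and "the patch model", which leaves the encoding of patch and the accepted patch_type values unspecified both for callers and for whatever validates the resource before it touches a pod. Since patch_type is an open string, the comment should enumerate what the server accepts, e.g. `// patch_type identifies the patch model to be applied. Accepted values: <list from server validation>.`, and the patch comment should name its serialization, e.g. `// patch is the serialized patch (presumably JSON; confirm) applied to the parent pod to add this ephemeral container.` Both need confirming against the server code before being written in as fact.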
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/kubewaitingcontainer/v1/kubewaitingcontainer_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/kubewaitingcontainer/v1/kubewaitingcontainer_service.proto
new file mode 100644
index 0000000000000..51ca57d8ebcee
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/kubewaitingcontainer/v1/kubewaitingcontainer_service.proto
@@ -0,0 +1,91 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.kubewaitingcontainer.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/kubewaitingcontainer/v1/kubewaitingcontainer.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/kubewaitingcontainer/v1;kubewaitingcontainerv1";
+
+// KubeWaitingContainersService manages Kubernetes ephemeral
+// containers that are waiting to be created until moderated
+// session conditions are met.
+service KubeWaitingContainersService {
+ // ListKubernetesWaitingContainers returns a Kubernetes ephemeral
+ // container that is waiting to be created.
+ rpc ListKubernetesWaitingContainers(ListKubernetesWaitingContainersRequest) returns (ListKubernetesWaitingContainersResponse);
+ // GetKubernetesWaitingContainer returns a Kubernetes ephemeral
+ // container that is waiting to be created.
+ rpc GetKubernetesWaitingContainer(GetKubernetesWaitingContainerRequest) returns (KubernetesWaitingContainer);
+ // CreateKubernetesWaitingContainer creates a Kubernetes ephemeral
+ // container that is waiting to be created.
+ rpc CreateKubernetesWaitingContainer(CreateKubernetesWaitingContainerRequest) returns (KubernetesWaitingContainer);
+ // DeleteKubernetesWaitingContainer deletes a Kubernetes ephemeral
+ // container that is waiting to be created.
+ rpc DeleteKubernetesWaitingContainer(DeleteKubernetesWaitingContainerRequest) returns (google.protobuf.Empty);
+}
+
+// ListKubernetesWaitingContainersRequest is the request for ListKubernetesWaitingContainers.
+message ListKubernetesWaitingContainersRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+ // The next_page_token value returned from a previous ListFoo request, if any.
+ string page_token = 2;
+}
+
+// ListKubernetesWaitingContainersResponse is the response for ListKubernetesWaitingContainers.
+message ListKubernetesWaitingContainersResponse {
+ repeated KubernetesWaitingContainer waiting_containers = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results exist.
+ string next_page_token = 2;
+}
+
+// GetKubernetesWaitingContainerRequest is the request for GetKubernetesWaitingContainer.
+message GetKubernetesWaitingContainerRequest {
+ // username is the Teleport user that attempted to create the container
+ string username = 1;
+ // cluster is the Kubernetes cluster of this container
+ string cluster = 2;
+ // namespace is the Kubernetes namespace of this container
+ string namespace = 3;
+ // pod_name is the name of the parent pod
+ string pod_name = 4;
+ // container_name is the name of the ephemeral container
+ string container_name = 5;
+}
+
+// CreateKubernetesWaitingContainerRequest is the request for CreateKubernetesWaitingContainer.
+message CreateKubernetesWaitingContainerRequest {
+ // waiting_container is the waiting container resource.
+ KubernetesWaitingContainer waiting_container = 1;
+}
+
+// DeleteKubernetesWaitingContainerRequest is the request for DeleteKubernetesWaitingContainer.
+message DeleteKubernetesWaitingContainerRequest {
+ // username is the Teleport user that attempted to create the container
+ string username = 1;
+ // cluster is the Kubernetes cluster of this container
+ string cluster = 2;
+ // namespace is the Kubernetes namespace of this container
+ string namespace = 3;
+ // pod_name is the name of the parent pod
+ string pod_name = 4;
+ // container_name is the name of the ephemeral container
+ string container_name = 5;
+}
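Review bot: ListKubernetesWaitingContainersResponse.waiting_containers is the only field in this file without a leading comment; `// waiting_containers is the page of waiting containers matching the request.` keeps the generated docs complete. The ListKubernetesWaitingContainers rpc comment was copied from the Get rpc and says it returns "a Kubernetes ephemeral container" in the singular; `// ListKubernetesWaitingContainers returns a page of Kubernetes ephemeral containers that are waiting to be created.` The page_token comment still refers to a placeholder "ListFoo request", and the next_page_token comment reads "there are no more results exist"; both should name ListKubernetesWaitingContainers and drop the stray "exist".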
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/label/v1/label.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/label/v1/label.proto
new file mode 100644
index 0000000000000..8bd67ceb685a4
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/label/v1/label.proto
@@ -0,0 +1,27 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.label.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/label/v1;labelv1";
+
+// Label represents a single label key along with a set of possible values for it.
+message Label {
+ // The name of the label.
+ string name = 1;
+ // The values associated with the label.
+ repeated string values = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/authservice.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/authservice.proto
index f6b278b056802..0d0b4c4aecce4 100644
--- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/authservice.proto
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/authservice.proto
@@ -291,6 +291,13 @@ message UserCertsRequest {
teleport.attestation.v1.AttestationStatement SSHPublicKeyAttestationStatement = 25 [(gogoproto.jsontag) = "ssh_public_key_attestation_statement,omitempty"];
// TLSPublicKeyAttestationStatement is an attestation statement for TLSPublicKey.
teleport.attestation.v1.AttestationStatement TLSPublicKeyAttestationStatement = 26 [(gogoproto.jsontag) = "tls_public_key_attestation_statement,omitempty"];
+
+ // ReissuableRoleImpersonation is a flag that indicates whether or not a
+ // role impersonation certificate can be reissued. If set to true, the
+ // generated certificate will be re-issuable, by default, it will not be
+ // re-issuable. This flag is only applicable when UseRoleRequests is set to
+ // true.
+ bool ReissuableRoleImpersonation = 27 [(gogoproto.jsontag) = "reissuable_role_impersonation"];
}
// RouteToDatabase combines parameters for database service routing information.
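Review bot: ReissuableRoleImpersonation's jsontag is `"reissuable_role_impersonation"` while the neighbouring attestation-statement fields use `,omitempty`; unless the JSON form is meant to always carry the flag, `bool ReissuableRoleImpersonation = 27 [(gogoproto.jsontag) = "reissuable_role_impersonation,omitempty"];` keeps the message's JSON shape consistent. The comment says the flag only applies when UseRoleRequests is true but not what the server does when it is set without UseRoleRequests (ignored or rejected); stating that is worthwhile because the flag relaxes the documented default that such certificates cannot be reissued — confirm the handler's behaviour before writing it in. UserCertsRequest starts outside the hunk.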
@@ -2022,6 +2029,8 @@ message PaginatedResource {
types.AppServerOrSAMLIdPServiceProviderV1 AppServerOrSAMLIdPServiceProvider = 11 [deprecated = true];
// SAMLIdPServiceProvider represents a SAML IdP service provider resource.
types.SAMLIdPServiceProviderV1 SAMLIdPServiceProvider = 12 [(gogoproto.jsontag) = "saml_idp_service_provider,omitempty"];
+ // GitServer represents a Git server resource.
+ types.ServerV2 git_server = 15;
// IdentityCenterAccountAssignment represents a requestable Identity Center
// Account Assignment
IdentityCenterAccountAssignment IdentityCenterAccountAssignment = 16 [(gogoproto.jsontag) = "identity_center_account_assignment,omitempty"];
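Review bot: git_server is the only snake_case field name among the visible PaginatedResource fields and the only one without an explicit gogoproto.jsontag, so its Go accessor and JSON key will differ in style from AppServerOrSAMLIdPServiceProvider and SAMLIdPServiceProvider; if this mirrors the upstream file that is a choice to keep, otherwise `types.ServerV2 GitServer = 15 [(gogoproto.jsontag) = "git_server,omitempty"];` matches the siblings. Number 15 also sits in the gap between 12 and 16; whether 13 and 14 are reserved is not visible in this hunk and is worth checking. PaginatedResource starts and ends outside the hunk.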
@@ -2142,6 +2151,36 @@ message ListResourcesRequest {
bool IncludeLogins = 13 [(gogoproto.jsontag) = "include_logins,omitempty"];
}
+// ResolveSSHTargetRequest provides details about a server to be resolved in
+// an equivalent manner to a ssh dial request.
+//
+// Resolution can happen in two modes:
+// 1) searching for hosts based on labels, a predicate expression, or keywords
+// 2) searching based on hostname
+//
+// If a Host is provided, resolution will only operate in the second mode and
+// will not perform any resolution based on labels. In order to resolve via
+// labels the Host must not be populated.
+message ResolveSSHTargetRequest {
+ // The target host as would be sent to the proxy during a dial request.
+ string host = 1;
+ // The ssh port. This value is optional, and both empty string and "0" are typically
+ // treated as meaning that any port should match.
+ string port = 2;
+ // If not empty, a label-based matcher.
+ map labels = 3;
+ // Boolean conditions that will be matched against the resource.
+ string predicate_expression = 4;
+ // A list of search keywords to match against resource field values.
+ repeated string search_keywords = 5;
+}
+
+// GetSSHTargetsResponse holds ssh servers that match an ssh targets request.
+message ResolveSSHTargetResponse {
+ // The target matching the supplied request.
+ types.ServerV2 server = 1;
+}
+
// GetSSHTargetsRequest gets all servers that might match an equivalent ssh dial request.
message GetSSHTargetsRequest {
// Host is the target host as would be sent to the proxy during a dial request.
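Review bot: The leading comment on ResolveSSHTargetResponse says "GetSSHTargetsResponse holds ssh servers that match an ssh targets request", copied from the message below it; it should be `// ResolveSSHTargetResponse holds the single ssh server resolved for a ResolveSSHTargetRequest.` The ResolveSSHTargetRequest doc describes the two resolution modes but not what happens when zero or more than one server matches in label mode, which matters because the response carries exactly one server; a sentence naming the error returned for no match and for ambiguity would help callers — confirm against the implementation.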
@@ -3549,6 +3588,9 @@ service AuthService {
// but may result in confusing behavior if it is used outside of those contexts.
rpc GetSSHTargets(GetSSHTargetsRequest) returns (GetSSHTargetsResponse);
+ // ResolveSSHTarget returns the server that would be resolved in an equivalent ssh dial request.
+ rpc ResolveSSHTarget(ResolveSSHTargetRequest) returns (ResolveSSHTargetResponse);
+
// GetDomainName returns local auth domain of the current auth server
rpc GetDomainName(google.protobuf.Empty) returns (GetDomainNameResponse);
// GetClusterCACert returns the PEM-encoded TLS certs for the local cluster
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/event.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/event.proto
index e221a9c25ad14..ab1c0698c5dfa 100644
--- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/event.proto
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/event.proto
@@ -35,6 +35,7 @@ import "teleport/userloginstate/v1/userloginstate.proto";
import "teleport/userprovisioning/v2/statichostuser.proto";
import "teleport/usertasks/v1/user_tasks.proto";
import "teleport/workloadidentity/v1/resource.proto";
+import "teleport/workloadidentity/v1/revocation_resource.proto";
option go_package = "github.com/gravitational/teleport/api/client/proto";
@@ -207,7 +208,11 @@ message Event {
// IdentityCenterAccountlAssignment is a resource representing a potential
// Permission Set grant on a specific AWS account.
teleport.identitycenter.v1.AccountAssignment IdentityCenterAccountAssignment = 74;
+ // PluginStaticCredentials is filled in PluginStaticCredentials related events
+ types.PluginStaticCredentialsV1 PluginStaticCredentials = 75;
// WorkloadIdentity is a resource for workload identity.
teleport.workloadidentity.v1.WorkloadIdentity WorkloadIdentity = 76;
+ // WorkloadIdentityX509Revocation is a resource for workload identity x509 revocation.
+ teleport.workloadidentity.v1.WorkloadIdentityX509Revocation WorkloadIdentityX509Revocation = 77;
}
}
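Review bot: The comment on PluginStaticCredentials says only that it "is filled in PluginStaticCredentials related events"; since the resource name suggests it carries credential material, the comment should state whether the event payload is the full resource or a form with secret fields stripped, so consumers of the event stream know what they are handling and who may subscribe to it — confirm against the server. Until that is settled something like `// PluginStaticCredentials is filled in PluginStaticCredentials related events. NOTE(review): confirm whether secret fields are included or redacted in the event payload.` records the open question. The enclosing Event definition starts outside the hunk.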
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/joinservice.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/joinservice.proto
index 4448558693d58..5d4c251805102 100644
--- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/joinservice.proto
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/client/proto/joinservice.proto
@@ -158,6 +158,42 @@ message TPMEncryptedCredential {
bytes secret = 2;
}
+// OracleSignedRequest holds the headers and payload for a signed request to
+// the Oracle API.
+message OracleSignedRequest {
+ // Headers is the signed headers for a request to the Oracle authorizeClient
+ // endpoint.
+ map headers = 1;
+ // PayloadHeaders is the signed headers that are the payload to the authorizeClient
+ // request signified by Headers.
+ map payload_headers = 2;
+}
+
+// RegisterUsingOracleMethodRequest is the request for registration via the
+// Oracle join method.
+message RegisterUsingOracleMethodRequest {
+ oneof request {
+ // RegisterUsingTokenRequest holds registration parameters common to all join
+ // methods.
+ types.RegisterUsingTokenRequest register_using_token_request = 1;
+ // OracleRequest holds the headers and payload for a signed request to
+ // the Oracle API.
+ OracleSignedRequest oracle_request = 2;
+ }
+}
+
+// RegisterUsingOracleMethodResponse is a stream response and will contain either
+// a Challenge or signed Certs to join the cluster.
+message RegisterUsingOracleMethodResponse {
+ oneof response {
+ // Challenge is a crypto-random string that should be included in the signed
+ // headers.
+ string challenge = 1;
+ // Certs is the returned signed certs.
+ Certs certs = 2;
+ }
+}
+
// JoinService provides methods which allow Teleport nodes, proxies, and other
// services to join the Teleport cluster by fetching signed cluster
// certificates. It is implemented on both the Auth and Proxy servers to serve
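Review bot: RegisterUsingOracleMethodResponse.challenge says the value "should be included in the signed headers" but not under which header or in which of OracleSignedRequest's two maps (headers or payload_headers) it is expected, so a client author cannot tell from the schema how the challenge binds the signed request to this join attempt. State it in the comment, e.g. `// Challenge is a crypto-random string that must be echoed in the signed headers under <header name from the join handler>.`, and say whether the server treats the challenge as single-use and how long it stays valid — confirm both against the join handler rather than inferring them. The OracleSignedRequest comments could likewise name which header carries the signature so that "signed headers" is unambiguous.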
@@ -173,6 +209,9 @@ service JoinService {
// RegisterUsingTPMMethod allows registration of a new agent or Bot to the
// cluster using a known TPM.
rpc RegisterUsingTPMMethod(stream RegisterUsingTPMMethodRequest) returns (stream RegisterUsingTPMMethodResponse);
+ // RegisterUsingOracleMethod allows registration of a new node to the cluster
+ // using the Oracle join method.
+ rpc RegisterUsingOracleMethod(stream RegisterUsingOracleMethodRequest) returns (stream RegisterUsingOracleMethodResponse);
// RegisterUsingToken is used to register a new node to the cluster using one
// of the legacy join methods which do not yet have their own gRPC method.
rpc RegisterUsingToken(types.RegisterUsingTokenRequest) returns (Certs);
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/events/events.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/events/events.proto
index 86d5e0586fa9d..f97eb374b2b21 100644
--- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/events/events.proto
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/events/events.proto
@@ -79,6 +79,24 @@ enum UserKind {
USER_KIND_BOT = 2;
}
+// UserOrigin is the origin of a user account.
+// Keep the values in sync with UserOrigin enum defined in
+// prehogv1 and prehogv1alpha.
+enum UserOrigin {
+ // Indicates a legacy cluster emitting events without a defined user origin.
+ USER_ORIGIN_UNSPECIFIED = 0;
+ // Indicates a local user.
+ USER_ORIGIN_LOCAL = 1;
+ // Indicates an SSO user originated from the SAML or OIDC connector.
+ USER_ORIGIN_SSO = 2;
+ // Indicates a user originated from the Okta integration.
+ USER_ORIGIN_OKTA = 3;
+ // Indicates a user originated from the SCIM integration.
+ USER_ORIGIN_SCIM = 4;
+ // Indicates a user originated from the EntraID integration.
+ USER_ORIGIN_ENTRAID = 5;
+}
+
// UserMetadata is a common user event metadata
message UserMetadata {
// User is teleport user name
@@ -119,6 +137,9 @@ message UserMetadata {
// BotInstanceID is the ID of the Bot Instance if this action is associated
// with one.
string BotInstanceID = 12 [(gogoproto.jsontag) = "bot_instance_id,omitempty"];
+
+ // UserOrigin specifies the origin of this user account.
+ UserOrigin UserOrigin = 13 [(gogoproto.jsontag) = "user_origin,omitempty"];
}
// Server is a server metadata
@@ -391,6 +412,12 @@ message SessionStart {
reserved "AccessRequests";
reserved 11;
// reserved jsontag "access_requests"
+
+ // Invited is a list of invited users to this session.
+ repeated string Invited = 12 [(gogoproto.jsontag) = "invited,omitempty"];
+
+ // Reason is the reason for starting this session.
+ string Reason = 13 [(gogoproto.jsontag) = "reason,omitempty"];
}
// SessionJoin emitted when another user joins a session
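Review bot: Invited is documented as "a list of invited users" without saying what identifies a user in the list (Teleport user names, presumably), and Reason is free text that lands in the audit record without the comment saying where it comes from, so audit consumers cannot tell from the schema whether it is operator- or user-supplied. `// Invited is the list of Teleport user names invited to this session.` and `// Reason is the free-form reason given by the user when starting this session.` would settle both — confirm the identifier type and the source of Reason against the emitter before committing to the wording. SessionStart starts outside the hunk.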
@@ -1547,6 +1574,33 @@ message AccessRequestCreate {
];
}
+// AccessRequestExpire is emitted when access request has expired.
+message AccessRequestExpire {
+ // Metadata is a common event metadata
+ Metadata Metadata = 1 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // ResourceMetadata is a common resource event metadata
+ ResourceMetadata Resource = 2 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // RequestID is access request ID
+ string RequestID = 3 [(gogoproto.jsontag) = "id"];
+
+ // ResourceExpiry is the time at which the access request resource will expire.
+ google.protobuf.Timestamp ResourceExpiry = 4 [
+ (gogoproto.stdtime) = true,
+ (gogoproto.nullable) = true,
+ (gogoproto.jsontag) = "expiry,omitempty"
+ ];
+}
+
// ResourceID is a unique identifier for a teleport resource. This is duplicated
// from api/types/types.proto to decouple the api and events types and because
// neither file currently imports the other.
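Review bot: AccessRequestExpire carries only Metadata, Resource, RequestID and ResourceExpiry, with no UserMetadata or ConnectionMetadata, which fits an expiry being system-driven rather than an actor's action, but the message comment does not say so; `// AccessRequestExpire is emitted when an access request has expired. It carries no user metadata because no actor triggers it.` makes that explicit (confirm who emits it). ResourceExpiry is also `(gogoproto.nullable) = true` with `expiry,omitempty`, so the field can be absent from an expiry event; the comment should say when that happens, or the nullability should be reconsidered if it is always set. The leading comment also needs an article: "when an access request has expired".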
@@ -4354,6 +4408,8 @@ message IntegrationMetadata {
AWSOIDCIntegrationMetadata AWSOIDC = 2 [(gogoproto.jsontag) = "aws_oidc,omitempty"];
// AzureOIDC contains metadata for Azure OIDC integrations.
AzureOIDCIntegrationMetadata AzureOIDC = 3 [(gogoproto.jsontag) = "azure_oidc,omitempty"];
+ // GitHub contains metadata for GitHub integrations.
+ GitHubIntegrationMetadata GitHub = 4 [(gogoproto.jsontag) = "github,omitempty"];
}
// AWSOIDCIntegrationMetadata contains metadata for AWS OIDC integrations.
@@ -4375,6 +4431,12 @@ message AzureOIDCIntegrationMetadata {
string ClientID = 2 [(gogoproto.jsontag) = "client_id,omitempty"];
}
+// GitHubIntegrationMetadata contains metadata for GitHub integrations.
+message GitHubIntegrationMetadata {
+ // Organization specifies the name of the organization for the GitHub integration.
+ string Organization = 1 [(gogoproto.jsontag) = "organization,omitempty"];
+}
+
// PluginCreate is emitted when a plugin resource is created.
message PluginCreate {
// Metadata is a common event metadata.
@@ -4705,7 +4767,13 @@ message OneOf {
events.WorkloadIdentityCreate WorkloadIdentityCreate = 194;
events.WorkloadIdentityUpdate WorkloadIdentityUpdate = 195;
events.WorkloadIdentityDelete WorkloadIdentityDelete = 196;
+ events.GitCommand GitCommand = 197;
events.UserLoginAccessListInvalid UserLoginAccessListInvalid = 198;
+ events.AccessRequestExpire AccessRequestExpire = 199;
+ events.StableUNIXUserCreate StableUNIXUserCreate = 200;
+ events.WorkloadIdentityX509RevocationCreate WorkloadIdentityX509RevocationCreate = 201;
+ events.WorkloadIdentityX509RevocationDelete WorkloadIdentityX509RevocationDelete = 202;
+ events.WorkloadIdentityX509RevocationUpdate WorkloadIdentityX509RevocationUpdate = 203;
}
}
@@ -7841,3 +7909,196 @@ enum ContactType {
CONTACT_TYPE_BUSINESS = 1;
CONTACT_TYPE_SECURITY = 2;
}
+
+// WorkloadIdentityX509RevocationCreate is emitted when a
+// WorkloadIdentityX509Revocation is created.
+message WorkloadIdentityX509RevocationCreate {
+ // Metadata is a common event metadata
+ Metadata Metadata = 1 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // ResourceMetadata is a common resource event metadata
+ ResourceMetadata Resource = 2 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // User is a common user event metadata
+ UserMetadata User = 3 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // ConnectionMetadata holds information about the connection
+ ConnectionMetadata Connection = 4 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // Reason is the specified reason for the revocation.
+ string Reason = 5 [(gogoproto.jsontag) = "reason"];
+}
+
+// WorkloadIdentityX509RevocationUpdate is emitted when a
+// WorkloadIdentityX509Revocation is updated.
+message WorkloadIdentityX509RevocationUpdate {
+ // Metadata is a common event metadata
+ Metadata Metadata = 1 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // ResourceMetadata is a common resource event metadata
+ ResourceMetadata Resource = 2 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // User is a common user event metadata
+ UserMetadata User = 3 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // ConnectionMetadata holds information about the connection
+ ConnectionMetadata Connection = 4 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // Reason is the specified reason for the revocation.
+ string Reason = 5 [(gogoproto.jsontag) = "reason"];
+}
+
+// WorkloadIdentityX509RevocationDelete is emitted when a
+// WorkloadIdentityX509Revocation is deleted.
+message WorkloadIdentityX509RevocationDelete {
+ // Metadata is a common event metadata
+ Metadata Metadata = 1 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // ResourceMetadata is a common resource event metadata
+ ResourceMetadata Resource = 2 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // User is a common user event metadata
+ UserMetadata User = 3 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // ConnectionMetadata holds information about the connection
+ ConnectionMetadata Connection = 4 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+}
+
+// GitCommand is emitted when a user performs a Git fetch or push command.
+message GitCommand {
+ // Metadata is a common event metadata
+ Metadata Metadata = 1 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // User is a common user event metadata
+ UserMetadata User = 2 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // ConnectionMetadata holds information about the connection
+ ConnectionMetadata Connection = 3 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // SessionMetadata is a common event session metadata
+ SessionMetadata Session = 4 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // ServerMetadata is a common server metadata
+ ServerMetadata Server = 5 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // CommandMetadata is a common command metadata
+ CommandMetadata Command = 6 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // Service is the type of the git request like git-upload-pack or
+ // git-receive-pack.
+ string service = 8 [(gogoproto.jsontag) = "service"];
+ // Path is the Git repo path, usually /.
+ string path = 9 [(gogoproto.jsontag) = "path"];
+
+ // Actions defines details for a Git push.
+ repeated GitCommandAction actions = 10 [(gogoproto.jsontag) = "actions,omitempty"];
+}
+
+// GitCommandAction defines details for a Git push.
+message GitCommandAction {
+ // Action type like create or update.
+ string Action = 1 [(gogoproto.jsontag) = "action,omitempty"];
+ // Reference name like ref/main/my_branch.
+ string Reference = 2 [(gogoproto.jsontag) = "reference,omitempty"];
+ // Old is the old hash.
+ string Old = 3 [(gogoproto.jsontag) = "old,omitempty"];
+ // New is the new hash.
+ string New = 4 [(gogoproto.jsontag) = "new,omitempty"];
+}
+
+// StableUNIXUserCreate is emitted whenever a new stable UNIX user is written in
+// the cluster state storage.
+message StableUNIXUserCreate {
+ // Metadata is common event metadata
+ Metadata Metadata = 1 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ // User is a common user event metadata
+ UserMetadata User = 2 [
+ (gogoproto.nullable) = false,
+ (gogoproto.embed) = true,
+ (gogoproto.jsontag) = ""
+ ];
+
+ StableUNIXUser stable_unix_user = 3;
+}
+
+message StableUNIXUser {
+ string username = 1;
+ int32 uid = 2;
+}
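Review bot: `GitCommand` skips field number 7 (fields go from `Command = 6` to `service = 8`) without a `reserved 7;`, and its three new scalar fields are lower_snake_case while every other field in this hunk (`Reason`, `Action`, `Reference`) is PascalCase; either reserve 7 or say why it is skipped, and pick one naming convention. The `Reference` comment's example `ref/main/my_branch` does not match Git's ref layout (`refs/heads/my_branch`), which will mislead consumers matching on it. `StableUNIXUser` and the `stable_unix_user` field have no comments at all; suggest `// StableUNIXUser is the stable UNIX user record that was written.` on the message and `// UID is the stable UID assigned to username; negative values are not meaningful.` on `uid`, since `int32` admits them.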
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto
index ff4aaf42890aa..ac3d329231d25 100644
--- a/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto
@@ -843,6 +843,9 @@ message ServerSpecV2 {
// CloudMetadata contains info about the cloud instance the server is running
// on, if any.
CloudMetadata CloudMetadata = 14 [(gogoproto.jsontag) = "cloud_metadata,omitempty"];
+ // GitHub contains info about GitHub proxies where each server represents a
+ // GitHub organization.
+ GitHubServerMetadata git_hub = 15 [(gogoproto.jsontag) = "github,omitempty"];
reserved 8;
reserved 10;
@@ -876,6 +879,15 @@ message CloudMetadata {
AWSInfo AWS = 1 [(gogoproto.jsontag) = "aws,omitempty"];
}
+// GitHubServerMetadata contains info about GitHub proxies where each server
+// represents a GitHub organization.
+message GitHubServerMetadata {
+ // Organization specifies the name of the organization for the GitHub integration.
+ string organization = 1 [(gogoproto.jsontag) = "organization,omitempty"];
+ // Integration is the integration that is associated with this Server.
+ string integration = 2 [(gogoproto.jsontag) = "integration,omitempty"];
+}
+
// AppServerV3 represents a single proxied web app.
message AppServerV3 {
option (gogoproto.goproto_stringer) = false;
@@ -973,7 +985,7 @@ message IdentityCenterPermissionSet {
// Name is the human-readable name of the Permission Set.
string Name = 2 [(gogoproto.jsontag) = "name,omitempty"];
- // AssignmentID is the ID of the Teelport Account Assignment resource that
+ // AssignmentID is the ID of the Teleport Account Assignment resource that
// represents this permission being assigned on the enclosing Account.
string AssignmentID = 3 [(gogoproto.jsontag) = "assignment_name,omitempty"];
}
@@ -1370,6 +1382,8 @@ message ProvisionTokenSpecV2 {
ProvisionTokenSpecV2TerraformCloud TerraformCloud = 16 [(gogoproto.jsontag) = "terraform_cloud,omitempty"];
// Bitbucket allows the configuration of options specific to the "bitbucket" join method.
ProvisionTokenSpecV2Bitbucket Bitbucket = 17 [(gogoproto.jsontag) = "bitbucket,omitempty"];
+ // Oracle allows the configuration of options specific to the "oracle" join method.
+ ProvisionTokenSpecV2Oracle Oracle = 18 [(gogoproto.jsontag) = "oracle,omitempty"];
}
// ProvisionTokenSpecV2TPM contains the TPM-specific part of the
@@ -1550,6 +1564,11 @@ message ProvisionTokenSpecV2GitLab {
// `gitlab.com` - but can be set to the domain of your self-hosted GitLab
// e.g `gitlab.example.com`.
string Domain = 2 [(gogoproto.jsontag) = "domain,omitempty"];
+ // StaticJWKS disables fetching of the GitLab signing keys via the JWKS/OIDC
+ // endpoints, and allows them to be directly specified. This allows joining
+ // from GitLab CI instances that are not reachable by the Teleport Auth
+ // Service.
+ string StaticJWKS = 3 [(gogoproto.jsontag) = "static_jwks,omitempty"];
}
// ProvisionTokenSpecV2CircleCI contains the CircleCI-specific part of the
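Review bot: The `StaticJWKS` comment says what the field disables but not what the string must contain or that it becomes the sole trust anchor for GitLab joins; a wrong key set fails joins closed, but a key set an attacker could influence would make forged ID tokens acceptable, so the trust implication deserves a sentence. Suggest extending it: `// StaticJWKS holds the GitLab instance's signing keys as a JSON Web Key Set document. When set, only these keys are trusted (nothing is fetched from Domain), so it must be updated whenever GitLab rotates its keys.` The exact format is inferred from the name; confirm against the token verifier, which is not in this diff.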
@@ -1758,6 +1777,28 @@ message ProvisionTokenSpecV2Bitbucket {
string IdentityProviderURL = 3 [(gogoproto.jsontag) = "identity_provider_url,omitempty"];
}
+// ProvisionTokenSpecV2Oracle contains Oracle-specific parts of the
+// ProvisionTokenSpecV2.
+message ProvisionTokenSpecV2Oracle {
+ // Rule is a set of properties the Oracle instance might have to be allowed
+ // to use this ProvisionToken.
+ message Rule {
+ // Tenancy is the OCID of the instance's tenancy. Required.
+ string Tenancy = 1 [(gogoproto.jsontag) = "tenancy"];
+ // ParentCompartments is a list of the OCIDs of compartments an instance is
+ // allowed to join from. Only direct parents are allowed, i.e. no nested
+ // compartments. If empty, any compartment is allowed.
+ repeated string ParentCompartments = 2 [(gogoproto.jsontag) = "parent_compartments,omitempty"];
+ // Regions is a list of regions an instance is allowed to join from. Both
+ // full region names ("us-phoenix-1") and abbreviations ("phx") are allowed.
+ // If empty, any region is allowed.
+ repeated string Regions = 3 [(gogoproto.jsontag) = "regions,omitempty"];
+ }
+ // Allow is a list of Rules, nodes using this token must match one
+ // allow rule to use this token.
+ repeated Rule Allow = 1 [(gogoproto.jsontag) = "allow,omitempty"];
+}
+
// StaticTokensV2 implements the StaticTokens interface.
message StaticTokensV2 {
option (gogoproto.goproto_stringer) = false;
@@ -2202,6 +2243,25 @@ message AuthPreferenceSpecV2 {
// 1 is "otp", 2 is "webauthn", 3 is "sso",
// If unspecified, the current default value is [1], or ["otp"].
repeated SecondFactorType SecondFactors = 21 [(gogoproto.jsontag) = "second_factors,omitempty"];
+
+ // StableUnixUserConfig contains the cluster-wide configuration for stable
+ // UNIX users.
+ StableUNIXUserConfig stable_unix_user_config = 22;
+}
+
+// StableUNIXUserConfig contains the cluster-wide configuration for stable UNIX
+// users.
+message StableUNIXUserConfig {
+ // Enabled signifies that (UNIX) Teleport SSH hosts should obtain a UID from
+ // the control plane if they're about to provision a host user with no other
+ // configured UID.
+ bool enabled = 1;
+ // FirstUid is the start of the range of UIDs for autoprovisioned host users.
+ // The range is inclusive on both ends, so the specified UID can be assigned.
+ int32 first_uid = 2;
+ // LastUid is the end of the range of UIDs for autoprovisioned host users. The
+ // range is inclusive on both ends, so the specified UID can be assigned.
+ int32 last_uid = 3;
}
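Review bot: `first_uid` and `last_uid` are proto3 `int32` with implicit presence, so `first_uid = 0` is indistinguishable from unset and negative values are encodable; the comments say the range is inclusive but not that `first_uid <= last_uid` is required nor how 0 and negatives are treated. Since UID 0 is root and low UIDs are conventionally system accounts, the accepted bounds should be stated, e.g. `// Must satisfy 0 < first_uid <= last_uid; values outside this are rejected on write.` The actual validation rule is not visible here, so confirm it before documenting it.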
// SecondFactorType is a type of second factor.
@@ -2696,6 +2756,13 @@ message AccessRequestSpecV3 {
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "assume_start_time,omitempty"
];
+
+ // ResourceExpiry is the time at which the access request resource will expire.
+ google.protobuf.Timestamp ResourceExpiry = 22 [
+ (gogoproto.stdtime) = true,
+ (gogoproto.nullable) = true,
+ (gogoproto.jsontag) = "expiry,omitempty"
+ ];
}
enum AccessRequestScope {
@@ -2787,6 +2854,7 @@ message RequestKubernetesResource {
}
// ResourceID is a unique identifier for a teleport resource.
+// Must be kept in sync with teleport.decision.v1alpha1.ResourceId.
message ResourceID {
// ClusterName is the name of the cluster the resource is in.
string ClusterName = 1 [(gogoproto.jsontag) = "cluster"];
@@ -3042,7 +3110,7 @@ message RoleOptions {
// concurrent sessions per connection.
int64 MaxSessions = 10 [(gogoproto.jsontag) = "max_sessions,omitempty"];
- // RequestAccess defines the request strategy (optional|note|always)
+ // RequestAccess defines the request strategy (optional|reason|always)
// where optional is the default.
string RequestAccess = 11 [
(gogoproto.jsontag) = "request_access,omitempty",
@@ -3401,6 +3469,12 @@ message RoleConditions {
(gogoproto.jsontag) = "account_assignments,omitempty"
];
+ // GitHubPermissions defines GitHub integration related permissions.
+ repeated GitHubPermission git_hub_permissions = 43 [
+ (gogoproto.nullable) = false,
+ (gogoproto.jsontag) = "github_permissions,omitempty"
+ ];
+
// WorkloadIdentityLabels controls whether or not specific WorkloadIdentity
// resources can be invoked. Further authorization controls exist on the
// WorkloadIdentity resource itself.
@@ -3421,6 +3495,11 @@ message IdentityCenterAccountAssignment {
string Account = 2 [(gogoproto.jsontag) = "account,omitempty"];
}
+// GitHubPermission defines GitHub integration related permissions.
+message GitHubPermission {
+ repeated string organizations = 1 [(gogoproto.jsontag) = "orgs,omitempty"];
+}
+
// SPIFFERoleCondition sets out which SPIFFE identities this role is allowed or
// denied to generate. The Path matcher is required, and is evaluated first. If,
// the Path does not match then the other matcher fields are not evaluated.
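Review bot: `organizations` is the only field of `GitHubPermission` and has no comment, and its JSON tag `orgs` differs from the field name, so a reader cannot tell whether entries are exact organization names or patterns. Suggest `// Organizations lists the GitHub organizations (serialized as "orgs") this permission applies to.`, and if wildcards are accepted say so explicitly, since that widens the authorization scope a role grants.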
@@ -3843,6 +3922,10 @@ message ExternalIdentity {
// SAMLSingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out), if applicable.
string SAMLSingleLogoutURL = 3 [(gogoproto.jsontag) = "samlSingleLogoutUrl,omitempty"];
+
+ // UserID is the ID of the identity. Some connectors like GitHub have an
+ // unique ID apart from the username.
+ string UserID = 4 [(gogoproto.jsontag) = "user_id,omitempty"];
}
// LoginStatus is a login status of the user
@@ -5220,7 +5303,7 @@ message GithubAuthRequest {
string KubernetesCluster = 13 [(gogoproto.jsontag) = "kubernetes_cluster,omitempty"];
// SSOTestFlow indicates if the request is part of the test flow.
bool SSOTestFlow = 14 [(gogoproto.jsontag) = "sso_test_flow"];
- // ConnectorSpec is embedded connector spec for use in test flow.
+ // ConnectorSpec is embedded connector spec for use in test flow or authenticated user flow.
GithubConnectorSpecV3 ConnectorSpec = 15 [(gogoproto.jsontag) = "connector_spec,omitempty"];
// AttestationStatement is an attestation statement for the given public key.
//
@@ -5244,6 +5327,10 @@ message GithubAuthRequest {
teleport.attestation.v1.AttestationStatement ssh_attestation_statement = 21 [(gogoproto.jsontag) = "ssh_attestation_statement,omitempty"];
// TlsAttestationStatement is an attestation statement for the given TLS public key.
teleport.attestation.v1.AttestationStatement tls_attestation_statement = 22 [(gogoproto.jsontag) = "tls_attestation_statement,omitempty"];
+ // AuthenticatedUser is the username of an authenticated Teleport user. This
+ // OAuth flow is used to retrieve GitHub identity info which will be added to
+ // the existing user.
+ string authenticated_user = 23 [(gogoproto.jsontag) = "authenticated_user,omitempty"];
}
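Review bot: `authenticated_user` names the Teleport user a GitHub identity will be attached to, and the comment does not say who is allowed to set it; if it can be populated from client input rather than from the caller's authenticated identity, one user could bind a GitHub identity onto another account. Suggest stating the invariant: `// AuthenticatedUser is set by the auth server from the caller's own identity and is never taken from client input.` The handler that fills it is not in this diff, so confirm that is how it behaves before writing it.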
// SSOWarnings conveys a user-facing main message along with auxiliary warnings.
@@ -5414,6 +5501,12 @@ message GithubClaims {
// Teams is the users team membership
repeated string Teams = 3 [(gogoproto.jsontag) = "teams"];
+
+ // UserID is a global unique integer that is assigned to each GitHub user. The
+ // user ID is immutable (unlike the GitHub username) and can be found in APIs
+ // like get user.
+ // https://docs.github.com/en/rest/users/users
+ string UserID = 4 [(gogoproto.jsontag) = "user_id,omitempty"];
}
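Review bot: The comment calls `UserID` a "global unique integer" but the field is declared `string`, so readers will wonder whether to compare it numerically or textually. Either explain the representation, e.g. `// UserID is the GitHub user's numeric ID, carried in its decimal string form.`, or align the type now, since changing `string` to an integer type later is a wire break.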
// TeamMapping represents a single team membership mapping.
@@ -6411,6 +6504,8 @@ message PluginSpecV1 {
PluginEmailSettings email = 17;
// Settings for the Microsoft Teams plugin
PluginMSTeamsSettings msteams = 18;
+ // Settings for the OpenTex NetIQ plugin.
+ PluginNetIQSettings net_iq = 19;
}
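Review bot: The comment on `net_iq` reads "OpenTex NetIQ"; the vendor name is OpenText, so `// Settings for the OpenText NetIQ plugin.`. Generated docs copy this line verbatim, so it is worth fixing before it ships.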
// generation contains a unique ID that should:
@@ -6557,7 +6652,8 @@ message PluginOktaCredentialsInfo {
message PluginOktaSyncSettings {
option (gogoproto.equal) = true;
- // SyncUsers controls the user sync in the Okta integration service.
+ // SyncUsers controls the user sync in the Okta integration service. The source of truth for the
+ // users is defined by UserSyncSource.
bool sync_users = 1;
// SSOConnectorID is the name of the Teleport SSO connector created and used by the Okta plugin
@@ -6572,8 +6668,7 @@ message PluginOktaSyncSettings {
// AppID is the Okta-assigned ID of the Okta App that Teleport uses as a
// gateway to interact with Okta for SAML login, SCIM provisioning and user
// sync. When set, user sync will pull users from the assignment list for this
- // app. When empty the plugin will fall back to the legacy behaviour of syncing
- // users from the entre organization.
+ // app.
string app_id = 5;
// GroupFilters are filters for which Okta groups to synchronize as access lists.
@@ -6603,6 +6698,19 @@ message PluginOktaSyncSettings {
// This is useful when the app groups are not needed in Teleport.
// and integration with Okta is only used for user sync.
bool disable_sync_app_groups = 9;
+
+ // DisableBidirectionalSync prevents syncing anything from Teleport to Okta. I.e. prevents
+ // creating Okta assignments.
+ bool disable_bidirectional_sync = 10;
+
+ // UserSyncSource defines the source of truth for Okta users. It can be one of "" (empty string),
+ // "saml_app" or "org". "saml_app" is set for all newly created plugins and indicates that source
+ // of truth for the sync are users assigned to the connector Okta SAML application. "org" is the
+ // legacy setting indicating that the source of truth for users are all the users from the Okta
+ // organization. If it's an empty string and UserSync is true, that means it's a legacy plugin
+ // that has not been yet updated and during the next update the value will be set to "org" if
+ // AppID is empty or "saml_app" if not.
+ string user_sync_source = 11;
}
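Review bot: The `user_sync_source` comment refers to `UserSync`, but the field it depends on is `sync_users` (`SyncUsers`); the cross-reference should be corrected. The field is also a string that admits exactly three values (`""`, `"saml_app"`, `"org"`), which is an enum by another name; if an enum is not wanted for compatibility, the comment should at least state how any other value is handled, since this value decides whether the entire Okta organization is synced.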
// Defines a set of discord channel IDs
@@ -6716,13 +6824,32 @@ message PluginDatadogAccessSettings {
string fallback_recipient = 2;
}
+// AWSICCredentialsSource indicates where the AWS Identity Center plugin will
+// draw its AWS credentials from.
+//
+// DEPRECATED: Superceded by individual message types.
+// TODO(tcsc): Remove in Teleport 19+
+enum AWSICCredentialsSource {
+ // AWSIC_CREDENTIALS_SOURCE_UNKNOWN is used when the credentials source is not
+ // specified. For backwards compatability, UNKNOWN is handled as OIDC.
+ AWSIC_CREDENTIALS_SOURCE_UNKNOWN = 0;
+ // AWSIC_CREDENTIALS_SOURCE_OIDC indicates that the Identity Center plugin will
+ // draw its credentials from a configured Teleport OIDC integration and
+ // authenticate woth OIDC
+ AWSIC_CREDENTIALS_SOURCE_OIDC = 1;
+ // AWSIC_CREDENTIALS_SOURCE_SYSTEM indicates that the Identity Center plugin
+ // will rely on system-provided credentials
+ AWSIC_CREDENTIALS_SOURCE_SYSTEM = 2;
+}
+
// PluginAWSICSettings holds the settings for an AWS Identity Center integration.
message PluginAWSICSettings {
option (gogoproto.equal) = true;
// IntegrationName is the Teleport OIDC integration used to gain access to the
- // AWS account
- string integration_name = 1;
+ // AWS account. May be empty if [CredentialsSource] is `SYSTEM`.
+ // DEPRECATED: Use [Credentials] instead. DELETE in Teleport 19+
+ string integration_name = 1 [deprecated = true];
// Region is the AWS region the target Identity Center instance is configured in
string region = 2;
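Review bot: The deprecated `integration_name` comment points readers at `[CredentialsSource]` being `SYSTEM`, but `credentials_source` is itself deprecated in favour of `credentials`; the reference should name `AWSICCredentialSourceSystem` so readers aren't sent to another deprecated field. The enum comments also carry typos: "Superceded" → "Superseded", "compatability" → "compatibility", "woth" → "with".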
@@ -6730,7 +6857,7 @@ message PluginAWSICSettings {
// InstanceARN is the arn of the Identity Center instance to manage
string arn = 3;
- // Provisioning holds settings for provisioing users and groups into AWS
+ // Provisioning holds settings for provisioning users and groups into AWS
AWSICProvisioningSpec provisioning_spec = 4;
// AccessListDefaultOwners is a list of default owners for Access List created for
@@ -6740,6 +6867,94 @@ message PluginAWSICSettings {
// SAMLIdPServiceProviderName is the name of a SAML service provider created
// for the Identity Center.
string saml_idp_service_provider_name = 6;
+
+ // CredentialsSource indicates how the Identity Center plugin should source
+ // its AWS login credentials.
+ // DEPRECATED: Use [Credentials] instead. DELETE in Teleport 19+
+ AWSICCredentialsSource credentials_source = 7 [deprecated = true];
+
+ // UserSyncLabelsFilter specifies a map of key-value pairs used to filter users
+ // based on their metadata labels. These filtered users will be provisioned
+ // from Teleport to AWS IC via SCIM provisioning.
+ // If multiple user_sync_filters are provided the match is combined with OR operator.
+ //
+ // Example:
+ // If Okta is used as the Identity Source and only users originating from Okta
+ // should be synced, set the filter to:
+ // [{
+ // "okta/org": "https://trial-123456.okta.com",
+ // "teleport.dev/origin": "okta"
+ // }]
+ //
+ // If AWS IC uses Teleport as the Identity Provider, the filter should remain empty.
+ //
+ // NOTE: System users are always filtered out by default and will not be provisioned to AWS IC.
+ repeated AWSICUserSyncFilter user_sync_filters = 8 [(gogoproto.jsontag) = "user_sync_filters,omitempty"];
+
+ // AwsAccountFilters is an optional allow-list of AWS accounts to import and
+ // manage. An empty list implies that all accounts managed by the Identity Center
+ // instance will be imported and managed.
+ repeated AWSICResourceFilter aws_accounts_filters = 9;
+
+ // GroupSyncLabelsFilter is used to specify filters that determine which AWS groups
+ // should be included during synchronization.
+ repeated AWSICResourceFilter group_sync_filters = 10 [(gogoproto.jsontag) = "group_sync_filters,omitempty"];
+
+ // Credentials represents the AWS credentials used by the Identity Center
+ // integration
+ AWSICCredentials credentials = 11 [(gogoproto.jsontag) = "credentials,omitempty"];
+}
+
+// AWSICCredentials holds the credentials for authenticating with AWS
+message AWSICCredentials {
+ option (gogoproto.equal) = true;
+ oneof source {
+ AWSICCredentialSourceSystem system = 1;
+ AWSICCredentialSourceOIDC oidc = 2;
+ }
+}
+
+// AWSICCredentialSourceSystem holds AWSIC credentials drawn from the ambient
+// system configuration
+message AWSICCredentialSourceSystem {
+ option (gogoproto.equal) = true;
+
+ // AwsRoleArn is an optional AWS role for the IC client to assume, overriding
+ // any roles
+ string assume_role_arn = 1 [(gogoproto.jsontag) = "assume_role_arn,omitempty"];
+}
+
+// AWSICCredentialSourceSystem holds AWSIC credentials drawn from a Teleport
+// OIDC integration
+message AWSICCredentialSourceOIDC {
+ option (gogoproto.equal) = true;
+
+ // IntegrationName is the name of the Teleport OIDC integration used by the
+ // Identity Center integration to authenticate with AWS.
+ string integration_name = 1 [(gogoproto.jsontag) = "integration_name,omitempty"];
+}
+
+// AWSICResourceFilter is an entry in the AWS IC plugin settings' allow-list of
+// resources to import. The filter can specify inclusion either by account ID or
+// regex on the resource name.
+message AWSICResourceFilter {
+ option (gogoproto.equal) = true;
+
+ // Include describes the AWS Resource filter to apply
+ oneof include {
+ // Id indicates that the resource should be filtered by ID
+ string id = 1 [(gogoproto.jsontag) = "id,omitempty"];
+
+ // NameRegex indicates that the resource should be included its name matches
+ // the supplied regex.
+ string name_regex = 2 [(gogoproto.jsontag) = "name_regex,omitempty"];
+ }
+}
+
+// UserSyncFilter is a map of key-value pairs used to filter users based on their metadata labels.
+message AWSICUserSyncFilter {
+ option (gogoproto.equal) = true;
+ map labels = 8 [(gogoproto.jsontag) = "labels,omitempty"];
}
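Review bot: `map labels = 8` in `AWSICUserSyncFilter` has no key/value types as shown, which protoc rejects; if this is not an artifact of how the diff was rendered, it should read `map<string, string> labels = 8 [(gogoproto.jsontag) = "labels,omitempty"];`. The comment on `AWSICCredentialSourceOIDC` is copied from the System variant (it says `AWSICCredentialSourceSystem holds ...`), the `assume_role_arn` comment calls the field `AwsRoleArn` and trails off at "overriding any roles", and the `AWSICUserSyncFilter` comment names the message `UserSyncFilter`. Each should be made to match the element it sits on, since doc generators attach them verbatim.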
// AWSICProvisioningSpec holds provisioning-specific Identity Center settings
@@ -6781,6 +6996,9 @@ enum AWSICGroupImportStatusCode {
DONE = 1;
// FAILED denotes that the group and group members import met with an error.
FAILED = 2;
+ // REIMPORT_REQUESTED denotes that the user has requested that the import
+ // process be re-run.
+ REIMPORT_REQUESTED = 3;
}
// PluginEmailSettings holds the settings for an Email Access Request plugin.
@@ -6837,6 +7055,18 @@ message PluginMSTeamsSettings {
string default_recipient = 5;
}
+// PluginNetIQSettings defines the settings for a NetIQ integration plugin
+message PluginNetIQSettings {
+ option (gogoproto.equal) = true;
+ // oauth_issuer_endpoint is the NetIQ Oauth Issuer endpoint.
+ // Usually, it's equal to https://osp.domain.ext/a/idm/auth/oauth2
+ string oauth_issuer_endpoint = 1;
+ // api_endpoint is the IDM PROV Rest API location.
+ string api_endpoint = 2;
+ // insecure_skip_verify controls whether the NetIQ certificate validation should be skipped.
+ bool insecure_skip_verify = 3;
+}
+
message PluginBootstrapCredentialsV1 {
oneof credentials {
PluginOAuth2AuthorizationCodeCredentials oauth2_authorization_code = 1;
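Review bot: `insecure_skip_verify` disables TLS certificate verification for the NetIQ connection, which exposes the OAuth exchange with `oauth_issuer_endpoint` and the user/group data fetched from `api_endpoint` to interception, yet the comment describes it neutrally. Suggest `// insecure_skip_verify disables verification of the NetIQ server's TLS certificate. Intended only for testing against self-signed endpoints; do not enable in production.`.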
@@ -6875,6 +7105,8 @@ message PluginStatusV1 {
PluginOktaStatusV1 okta = 7;
// AWSIC holds status details for the AWS Identity Center plugin.
PluginAWSICStatusV1 aws_ic = 8;
+ // NetIQ holds status details for the NetIQ plugin.
+ PluginNetIQStatusV1 net_iq = 9;
}
// last_raw_error variable stores the most recent raw error message received from an API or service.
@@ -6884,6 +7116,18 @@ message PluginStatusV1 {
string last_raw_error = 6;
}
+// PluginNetIQStatusV1 is the status details for the NetIQ plugin.
+message PluginNetIQStatusV1 {
+ // imported_users is the number of users imported from NetIQ eDirectory.
+ uint32 imported_users = 1;
+ // imported_groups is the number of groups imported from NetIQ eDirectory.
+ uint32 imported_groups = 2;
+ // imported_roles is the number of roles imported from NetIQ eDirectory.
+ uint32 imported_roles = 3;
+ // imported_resources is the number of resources imported from NetIQ eDirectory.
+ uint32 imported_resources = 4;
+}
+
// PluginGitlabStatusV1 is the status details for the Gitlab plugin.
message PluginGitlabStatusV1 {
// imported_users is the number of users imported from Gitlab.
@@ -7146,6 +7390,7 @@ message PluginStaticCredentialsSpecV1 {
string APIToken = 1;
PluginStaticCredentialsBasicAuth BasicAuth = 2;
PluginStaticCredentialsOAuthClientSecret OAuthClientSecret = 3;
+ PluginStaticCredentialsSSHCertAuthorities SSHCertAuthorities = 4;
}
}
@@ -7167,6 +7412,14 @@ message PluginStaticCredentialsOAuthClientSecret {
string ClientSecret = 2 [(gogoproto.jsontag) = "client_secret"];
}
+// PluginStaticCredentialsSSHCertAuthorities contains the active SSH CAs used
+// for the integration or plugin.
+message PluginStaticCredentialsSSHCertAuthorities {
+ // CertAuthorities contains the active SSH CAs used for the integration or
+ // plugin.
+ repeated SSHKeyPair cert_authorities = 1;
+}
+
// SAMLIdPServiceProviderV1 is the representation of a SAML IdP service provider.
message SAMLIdPServiceProviderV1 {
option (gogoproto.goproto_stringer) = false;
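Review bot: `cert_authorities` is a list of `SSHKeyPair`, which presumably carries private key material given it lives under `PluginStaticCredentialsSpecV1`, but the comment says only "active SSH CAs" and gives no hint that this is signing-key secret material that must be redacted from logs and exports. Suggest `// CertAuthorities holds the active SSH CA key pairs, including private keys, used to sign on behalf of the integration or plugin; treat as secret.` Confirm what `SSHKeyPair` contains, as its definition is not in this diff.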
@@ -7514,7 +7767,12 @@ message IntegrationSpecV1 {
AWSOIDCIntegrationSpecV1 AWSOIDC = 1 [(gogoproto.jsontag) = "aws_oidc,omitempty"];
// AzureOIDC contains the specific fields to handle the Azure OIDC Integration subkind
AzureOIDCIntegrationSpecV1 AzureOIDC = 2 [(gogoproto.jsontag) = "azure_oidc,omitempty"];
+ // GitHub contains the specific fields to handle the GitHub integration subkind.
+ GitHubIntegrationSpecV1 GitHub = 3 [(gogoproto.jsontag) = "github,omitempty"];
}
+
+ // Credentials contains credentials for the integration.
+ PluginCredentialsV1 credentials = 4;
}
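Review bot: `credentials = 4` is added outside the subkind `oneof`, so it is settable for every integration subkind, yet the comment does not say which subkinds consult it or whether `PluginCredentialsV1` here holds the secret itself or a reference to stored credentials. Suggest `// Credentials contains credentials for the integration. Consulted by: <SUBKINDS-THAT-USE-IT>; ignored for other subkinds.` with the placeholder filled in from the consuming code, which is not in this diff.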
// AWSOIDCIntegrationSpecV1 contains the spec properties for the AWS OIDC SubKind Integration.
@@ -7559,6 +7817,12 @@ message AzureOIDCIntegrationSpecV1 {
string ClientID = 2 [(gogoproto.jsontag) = "client_id,omitempty"];
}
+// GitHubIntegrationSpecV1 contains the specific fields to handle the GitHub integration subkind.
+message GitHubIntegrationSpecV1 {
+ // Organization specifies the name of the organization for the GitHub integration.
+ string Organization = 1 [(gogoproto.jsontag) = "organization,omitempty"];
+}
+
// HeadlessAuthentication holds data for an ongoing headless authentication attempt.
message HeadlessAuthentication {
// Header is the resource header.
@@ -7947,12 +8211,14 @@ message OktaOptions {
message AccessGraphSync {
// AWS is a configuration for AWS Access Graph service poll service.
repeated AccessGraphAWSSync AWS = 1 [(gogoproto.jsontag) = "aws,omitempty"];
- // PollInterval is the frequency at which to poll for AWS resources
+ // PollInterval is the frequency at which to poll for resources
google.protobuf.Duration PollInterval = 2 [
(gogoproto.jsontag) = "poll_interval,omitempty",
(gogoproto.nullable) = false,
(gogoproto.stdduration) = true
];
+ // Azure is a configuration for Azure Access Graph service poll service.
+ repeated AccessGraphAzureSync Azure = 3 [(gogoproto.jsontag) = "azure,omitempty"];
}
// AccessGraphAWSSync is a configuration for AWS Access Graph service poll service.
@@ -7964,3 +8230,11 @@ message AccessGraphAWSSync {
// Integration is the integration name used to generate credentials to interact with AWS APIs.
string Integration = 4 [(gogoproto.jsontag) = "integration,omitempty"];
}
+
+// AccessGraphAzureSync is a configuration for Azure Access Graph service poll service.
+message AccessGraphAzureSync {
+ // SubscriptionID Is the ID of the Azure subscription to sync resources from
+ string SubscriptionID = 1 [(gogoproto.jsontag) = "subscription_id,omitempty"];
+ // Integration is the integration name used to generate credentials to interact with AWS APIs.
+ string Integration = 2 [(gogoproto.jsontag) = "integration,omitempty"];
+}
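Review bot: The `Integration` comment in `AccessGraphAzureSync` says the credentials are for "AWS APIs"; it was copied from `AccessGraphAWSSync` and should read `// Integration is the integration name used to generate credentials to interact with Azure APIs.`. The `SubscriptionID` comment also has a stray capital ("Is") and no terminating period.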
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot.proto
new file mode 100644
index 0000000000000..976f68b910110
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot.proto
@@ -0,0 +1,73 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.machineid.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1;machineidv1";
+
+// A Bot is a Teleport identity intended to be used by Machines. The Bot
+// resource defines a Bot and configures its properties.
+message Bot {
+ // The kind of resource represented.
+ string kind = 1;
+ // Differentiates variations of the same kind. All resources should
+ // contain one, even if it is never populated.
+ string sub_kind = 2;
+ // The version of the resource being represented.
+ string version = 3;
+ // Common metadata that all resources share.
+ teleport.header.v1.Metadata metadata = 4;
+ // The configured properties of a Bot.
+ BotSpec spec = 5;
+ // Fields that are set by the server as results of operations. These should
+ // not be modified by users.
+ BotStatus status = 6;
+}
+
+// Trait is an individual trait that will be applied to the bot user.
+message Trait {
+ // The name of the trait. This is what allows the trait to be queried in
+ // role templates.
+ string name = 1;
+ // The values associated with the named trait.
+ repeated string values = 2;
+}
+
+// The configured properties of a Bot.
+message BotSpec {
+ // The roles that the bot should be able to impersonate.
+ repeated string roles = 1;
+ // The traits that will be associated with the bot for the purposes of role
+ // templating.
+ //
+ // Where multiple specified with the same name, these will be merged by the
+ // server.
+ repeated Trait traits = 2;
+}
+
+// Fields that are set by the server as results of operations. These should not
+// be modified by users.
+message BotStatus {
+ reserved 2;
+ reserved "role_role";
+
+ // The name of the user associated with the bot.
+ string user_name = 1;
+ // The name of the role associated with the bot.
+ string role_name = 3;
+}
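Review bot: `BotStatus` reserves number 2 together with the name `role_role`, which reads like a typo; a `reserved` name only blocks reuse of the exact string given, so if the removed field 2 was actually called something else, that real name remains free for reuse in JSON and generated accessors. Worth confirming the reserved string against the history of the canonical definition rather than the fixture. If it is a typo, the fix is the one-line change `reserved "<old field name>";` with the name the field actually had.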
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot_instance.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot_instance.proto
new file mode 100644
index 0000000000000..76a3820f2bfac
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot_instance.proto
@@ -0,0 +1,133 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.machineid.v1;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+import "teleport/header/v1/metadata.proto";
+import "teleport/workloadidentity/v1/join_attrs.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1;machineidv1";
+
+// A BotInstance
+message BotInstance {
+ // The kind of resource represented.
+ string kind = 1;
+ // Differentiates variations of the same kind. All resources should
+ // contain one, even if it is never populated.
+ string sub_kind = 2;
+ // The version of the resource being represented.
+ string version = 3;
+ // Common metadata that all resources share.
+ teleport.header.v1.Metadata metadata = 4;
+ // The configured properties of a BotInstance.
+ BotInstanceSpec spec = 5;
+ // Fields that are set by the server as results of operations. These should
+ // not be modified by users.
+ BotInstanceStatus status = 6;
+}
+
+// BotInstanceSpec contains fields
+message BotInstanceSpec {
+ // The name of the bot associated with this instance.
+ string bot_name = 1;
+ // The unique identifier for this instance.
+ string instance_id = 2;
+
+ reserved 3;
+ reserved "ttl";
+}
+
+// BotInstanceStatusHeartbeat contains information self-reported by an instance
+// of a Bot. This information is not verified by the server and should not be
+// trusted.
+message BotInstanceStatusHeartbeat {
+ // The timestamp that the heartbeat was recorded by the Auth Server. Any
+ // value submitted by `tbot` for this field will be ignored.
+ google.protobuf.Timestamp recorded_at = 1;
+ // Indicates whether this is the heartbeat submitted by `tbot` on startup.
+ bool is_startup = 2;
+ // The version of `tbot` that submitted this heartbeat.
+ string version = 3;
+ // The hostname of the host that `tbot` is running on.
+ string hostname = 4;
+ // The duration that `tbot` has been running for when it submitted this
+ // heartbeat.
+ google.protobuf.Duration uptime = 5;
+ // The currently configured join_method.
+ string join_method = 6;
+ // Indicates whether `tbot` is running in one-shot mode.
+ bool one_shot = 7;
+ // The architecture of the host that `tbot` is running on, determined by
+ // runtime.GOARCH.
+ string architecture = 8;
+ // The OS of the host that `tbot` is running on, determined by runtime.GOOS.
+ string os = 9;
+ // In future iterations, additional information can be submitted here.
+ // For example, the configuration of `tbot` or the health of individual
+ // outputs.
+}
+
+// BotInstanceStatusAuthentication contains information about a join or renewal.
+// Ths information is entirely sourced by the Auth Server and can be trusted.
+message BotInstanceStatusAuthentication {
+ // The timestamp that the join or renewal was authenticated by the Auth
+ // Server.
+ google.protobuf.Timestamp authenticated_at = 1;
+ // The join method used for this join or renewal.
+ // Deprecated: prefer using join_attrs.meta.join_method
+ string join_method = 2;
+ // The join token used for this join or renewal. This is only populated for
+ // delegated join methods as the value for `token` join methods is sensitive.
+ // Deprecated: prefer using join_attrs.meta.join_token_name
+ string join_token = 3;
+ // The metadata sourced from the join method.
+ // Deprecated: prefer using join_attrs.
+ google.protobuf.Struct metadata = 4;
+
+ // On each renewal, this generation is incremented. For delegated join
+ // methods, this counter is not checked during renewal. For the `token` join
+ // method, this counter is checked during renewal and the Bot is locked out if
+ // the counter in the certificate does not match the counter of the last
+ // authentication.
+ int32 generation = 5;
+ // The public key of the Bot instance. This must be a PEM wrapped, PKIX DER
+ // encoded public key. This provides consistency and supports multiple types
+ // of public key algorithm.
+ bytes public_key = 6;
+
+ reserved 7;
+ reserved "fingerprint";
+
+ // The attributes generated during the join process. Typically, this is
+ // information from the join attestation process itself. This field will
+ // eventually replace the `metadata` field, which is structureless.
+ teleport.workloadidentity.v1.JoinAttrs join_attrs = 8;
+}
+
+// BotInstanceStatus holds the status of a BotInstance.
+message BotInstanceStatus {
+ // The initial authentication status for this bot instance.
+ BotInstanceStatusAuthentication initial_authentication = 1;
+ // The N most recent authentication status records for this bot instance.
+ repeated BotInstanceStatusAuthentication latest_authentications = 2;
+ // The initial heartbeat status for this bot instance.
+ BotInstanceStatusHeartbeat initial_heartbeat = 3;
+ // The N most recent heartbeats for this bot instance.
+ repeated BotInstanceStatusHeartbeat latest_heartbeats = 4;
+}
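Review bot: The leading comments on `BotInstance` (`// A BotInstance`) and `BotInstanceSpec` (`// BotInstanceSpec contains fields`) are truncated sentences, and the `BotInstanceStatusAuthentication` comment has a typo (`Ths`); suggest `// A BotInstance represents a single instance of a Bot.`, `// BotInstanceSpec contains the identifying properties of a BotInstance.` and `// This information is entirely sourced by the Auth Server and can be trusted.`. On `BotInstanceStatus`, `latest_authentications` and `latest_heartbeats` are described as "the N most recent" without saying who bounds N; since heartbeat content is self-reported and untrusted per the comment above `BotInstanceStatusHeartbeat`, the field comment should state that the server, not the submitter, caps the retained count (presumably it does — confirm) so the resource cannot grow without bound.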
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot_instance_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot_instance_service.proto
new file mode 100644
index 0000000000000..eff01818599b7
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot_instance_service.proto
@@ -0,0 +1,86 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.machineid.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/machineid/v1/bot_instance.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1;machineidv1";
+
+// Request for GetBotInstance.
+message GetBotInstanceRequest {
+ // The name of the bot associated with the instance.
+ string bot_name = 1;
+ // The unique identifier of the bot instance to retrieve.
+ string instance_id = 2;
+}
+
+// Request for ListBotInstances.
+//
+// Follows the pagination semantics of
+// https://cloud.google.com/apis/design/standard_methods#list
+message ListBotInstancesRequest {
+ // The name of the Bot to list BotInstances for. If empty, all BotInstances
+ // will be listed.
+ string filter_bot_name = 1;
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 2;
+ // The page_token value returned from a previous ListBotInstances request, if
+ // any.
+ string page_token = 3;
+}
+
+// Response for ListBotInstances.
+message ListBotInstancesResponse {
+ // BotInstance that matched the search.
+ repeated BotInstance bot_instances = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results exist.
+ string next_page_token = 2;
+}
+
+// Request for DeleteBotInstance.
+message DeleteBotInstanceRequest {
+ // The name of the BotInstance to delete.
+ string bot_name = 1;
+ // The unique identifier of the bot instance to delete.
+ string instance_id = 2;
+}
+
+// The request for SubmitHeartbeat.
+message SubmitHeartbeatRequest {
+ // The heartbeat data to submit.
+ BotInstanceStatusHeartbeat heartbeat = 1;
+}
+
+// The response for SubmitHeartbeat.
+message SubmitHeartbeatResponse {
+ // Empty
+}
+
+// BotInstanceService provides functions to record and manage bot instances.
+service BotInstanceService {
+ // GetBotInstance returns the specified BotInstance resource.
+ rpc GetBotInstance(GetBotInstanceRequest) returns (BotInstance);
+ // ListBotInstances returns a page of BotInstance resources.
+ rpc ListBotInstances(ListBotInstancesRequest) returns (ListBotInstancesResponse);
+ // DeleteBotInstance hard deletes the specified BotInstance resource.
+ rpc DeleteBotInstance(DeleteBotInstanceRequest) returns (google.protobuf.Empty);
+ // SubmitHeartbeat submits a heartbeat for a BotInstance.
+ rpc SubmitHeartbeat(SubmitHeartbeatRequest) returns (SubmitHeartbeatResponse);
+}
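Review bot: `DeleteBotInstance` returns `google.protobuf.Empty` while `SubmitHeartbeat` in the same service gets a dedicated `SubmitHeartbeatResponse`; the latter is the pattern that lets response fields be added later without a signature change, and the same `Empty` return appears in `DeleteBot` (bot_service.proto) and `DeleteSPIFFEFederation` (federation_service.proto). Because these fixtures appear to mirror a published API, swapping the return type now would break generated clients, so this is a point for the canonical definition if a new version is ever cut, not for the fixture. Separately, the `next_page_token` comment reads `or empty if there are no more results exist`; suggest `// Token to retrieve the next page of results, or empty if there are no more results.` (the same wording appears in federation_service.proto).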
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot_service.proto
new file mode 100644
index 0000000000000..f18e1c9f87614
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/bot_service.proto
@@ -0,0 +1,101 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.machineid.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "teleport/machineid/v1/bot.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1;machineidv1";
+
+// BotService provides methods to manage Teleport Bots
+service BotService {
+ // GetBot is used to query a Bot resource by its name.
+ //
+ // This will return a NotFound error if the specified Bot does not exist.
+ rpc GetBot(GetBotRequest) returns (Bot);
+ // ListBots is used to query Bots.
+ //
+ // Follows the pagination semantics of
+ // https://cloud.google.com/apis/design/standard_methods#list.
+ rpc ListBots(ListBotsRequest) returns (ListBotsResponse);
+ // CreateBot is used to create a Bot.
+ //
+ // This will return an error if a Bot by that name already exists.
+ rpc CreateBot(CreateBotRequest) returns (Bot);
+ // UpdateBot is used to modify an existing Bot.
+ rpc UpdateBot(UpdateBotRequest) returns (Bot);
+ // UpsertBot is used to create or replace an existing Bot.
+ //
+ // Prefer using CreateBot and UpdateBot.
+ rpc UpsertBot(UpsertBotRequest) returns (Bot);
+ // DeleteBot is used to delete a specific Bot.
+ //
+ // This will return a NotFound error if the specified Bot does not exist.
+ rpc DeleteBot(DeleteBotRequest) returns (google.protobuf.Empty);
+}
+
+// The request for CreateBot.
+message CreateBotRequest {
+ // The bot to create.
+ Bot bot = 1;
+}
+
+// The request for GetBot.
+message GetBotRequest {
+ // The name of the bot to fetch.
+ string bot_name = 1;
+}
+
+// The request for ListBots.
+message ListBotsRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+ // The next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+}
+
+// The response for ListBots.
+message ListBotsResponse {
+ // The page of Bots that matched the request.
+ repeated Bot bots = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// The request for UpdateBot.
+message UpdateBotRequest {
+ // The values to apply based on the update mask. The name must be specified.
+ Bot bot = 1;
+ // The update mask applied to a Bot.
+ // Fields are masked according to their proto name.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// The request for UpsertBot.
+message UpsertBotRequest {
+ // The bot to create or replace.
+ Bot bot = 1;
+}
+
+// The request for DeleteBot.
+message DeleteBotRequest {
+ // The name of the bot to delete.
+ string bot_name = 1;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/federation.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/federation.proto
new file mode 100644
index 0000000000000..8d23553a0c548
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/federation.proto
@@ -0,0 +1,92 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.machineid.v1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1;machineidv1";
+
+// SPIFFEFederation is a resource that represents the configuration of a trust
+// domain federation.
+message SPIFFEFederation {
+ // The kind of resource represented.
+ string kind = 1;
+ // Differentiates variations of the same kind. All resources should
+ // contain one, even if it is never populated.
+ string sub_kind = 2;
+ // The version of the resource being represented.
+ string version = 3;
+ // Common metadata that all resources share.
+ // Importantly, the name MUST match the name of the trust domain you federate
+ // with.
+ teleport.header.v1.Metadata metadata = 4;
+ // The configured properties of the trust domain federation
+ SPIFFEFederationSpec spec = 5;
+ // Fields that are set by the server as results of operations. These should
+ // not be modified by users.
+ SPIFFEFederationStatus status = 6;
+}
+
+// SPIFFEFederationBundleSourceStatic is a static bundle source. It should be an
+// option of last resort, as it requires manual updates.
+message SPIFFEFederationBundleSourceStatic {
+ // The SPIFFE JWKS bundle.
+ string bundle = 1;
+}
+
+// SPIFFEFederationBundleSourceHTTPSWeb is a bundle source that fetches the bundle
+// from a HTTPS endpoint that is protected by a Web PKI certificate.
+message SPIFFEFederationBundleSourceHTTPSWeb {
+ // The URL of the SPIFFE Bundle Endpoint.
+ string bundle_endpoint_url = 1;
+}
+
+// SPIFFEFederationBundleSource configures how the federation bundle is sourced.
+// Only one field can be set.
+message SPIFFEFederationBundleSource {
+ SPIFFEFederationBundleSourceStatic static = 1;
+ SPIFFEFederationBundleSourceHTTPSWeb https_web = 2;
+}
+
+// SPIFFEFederationSpec is the configuration of a trust domain federation.
+message SPIFFEFederationSpec {
+ // The source of the federation bundle.
+ SPIFFEFederationBundleSource bundle_source = 1;
+}
+
+// FederationStatus is the status of a trust domain federation.
+message SPIFFEFederationStatus {
+ reserved 3;
+ reserved "current_bundle_refresh_hint";
+
+ // The most recently fetched bundle from the federated trust domain.
+ string current_bundle = 1;
+ // The time that the most recently fetched bundle was obtained.
+ google.protobuf.Timestamp current_bundle_synced_at = 2;
+ // The time that this SPIFFE federation should be synced again. This is
+ // usually determined by the refresh hint provided within the current bundle
+ // but this can be overridden by the server where the provided refresh hint
+ // is not appropriate.
+ //
+ // A value of zero indicates that an automatic sync is not scheduled (e.g.
+ // because the bundle source is static).
+ google.protobuf.Timestamp next_sync_at = 4;
+ // The SPIFFEFederationBundleSource that was used for the currently synced
+ // bundle. This allows the bundle to be resynced if the source changes.
+ SPIFFEFederationBundleSource current_bundle_synced_from = 5;
+}
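Review bot: `SPIFFEFederationBundleSource` documents that only one of `static` and `https_web` may be set but does not express this as a `oneof`, so exclusivity rests entirely on server-side validation and a client that sets both gets no signal from the generated code. Moving existing fields into a `oneof` is source-breaking, so if this mirrors a published API the cheaper improvement is to state the enforcement in the comment, e.g. `// Exactly one field must be set; a source with both or neither populated is rejected.`, if that is what the server does. `bundle_endpoint_url` on `SPIFFEFederationBundleSourceHTTPSWeb` should also say the scheme constraint the message comment implies: `// The URL of the SPIFFE Bundle Endpoint. Must use the https scheme.`. Finally, the comment above `SPIFFEFederationStatus` names the message `FederationStatus`.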
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/federation_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/federation_service.proto
new file mode 100644
index 0000000000000..18d0f3bf4ecbd
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/federation_service.proto
@@ -0,0 +1,76 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.machineid.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/machineid/v1/federation.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1;machineidv1";
+
+// GetSPIFFEFederationRequest is the request message for GetSPIFFEFederation.
+message GetSPIFFEFederationRequest {
+ // The name of the SPIFFEFederation resource to fetch.
+ string name = 1;
+}
+
+// Request for ListSPIFFEFederations.
+//
+// Follows the pagination semantics of
+// https://cloud.google.com/apis/design/standard_methods#list
+message ListSPIFFEFederationsRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+ // The page_token value returned from a previous ListSPIFFEFederations
+ // request, if any.
+ string page_token = 2;
+}
+
+// ListSPIFFEFederationsResponse is the response message for ListSPIFFEFederations.
+message ListSPIFFEFederationsResponse {
+ repeated SPIFFEFederation spiffe_federations = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results exist.
+ string next_page_token = 2;
+}
+
+// DeleteSPIFFEFederationRequest is the request message for DeleteSPIFFEFederation.
+message DeleteSPIFFEFederationRequest {
+ // The name of the SPIFFEFederation resource to delete.
+ string name = 1;
+}
+
+// CreateSPIFFEFederationRequest is the request message for CreateSPIFFEFederation.
+message CreateSPIFFEFederationRequest {
+ // The SPIFFEFederation resource to create.
+ SPIFFEFederation spiffe_federation = 1;
+}
+
+// SPIFFEFederationService provides methods to manage SPIFFE Federations
+// between trust domains.
+service SPIFFEFederationService {
+ // GetSPIFFEFederation returns a SPIFFEFederation resource by name.
+ rpc GetSPIFFEFederation(GetSPIFFEFederationRequest) returns (SPIFFEFederation);
+ // ListSPIFFEFederations returns a list of SPIFFEFederation resources.
+ // Follows the pagination semantics of
+ // https://cloud.google.com/apis/design/design_patterns#list_pagination
+ rpc ListSPIFFEFederations(ListSPIFFEFederationsRequest) returns (ListSPIFFEFederationsResponse);
+ // DeleteSPIFFEFederation deletes a SPIFFEFederation resource by name.
+ rpc DeleteSPIFFEFederation(DeleteSPIFFEFederationRequest) returns (google.protobuf.Empty);
+ // CreateSPIFFEFederation creates a SPIFFEFederation resource.
+ rpc CreateSPIFFEFederation(CreateSPIFFEFederationRequest) returns (SPIFFEFederation);
+}
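Review bot: `spiffe_federations` in `ListSPIFFEFederationsResponse` is the only field in this file without a leading comment; suggest `// The page of SPIFFEFederation resources that matched the request.`. The `ListSPIFFEFederations` rpc comment links to `design_patterns#list_pagination` while `ListSPIFFEFederationsRequest` links to `standard_methods#list`; pick one so readers get a single reference.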
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/workload_identity_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/workload_identity_service.proto
new file mode 100644
index 0000000000000..4dc39bbe60187
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/machineid/v1/workload_identity_service.proto
@@ -0,0 +1,128 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.machineid.v1;
+
+import "google/protobuf/duration.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1;machineidv1";
+
+// WorkloadIdentityService provides the signing of workload identity documents.
+// It currently only supports signing SPIFFE x509 SVIDs.
+service WorkloadIdentityService {
+ // SignX509SVIDs generates signed x509 SVIDs based on the SVIDs provided in
+ // the request.
+ rpc SignX509SVIDs(SignX509SVIDsRequest) returns (SignX509SVIDsResponse) {}
+ // SignJWTSVIDs generates signed JWT SVIDs based on the requested SVIDs.
+ rpc SignJWTSVIDs(SignJWTSVIDsRequest) returns (SignJWTSVIDsResponse) {}
+}
+
+// The request for an individual x509 SVID.
+message SVIDRequest {
+ // A PKIX, ASN.1 DER encoded public key that should be included in the x509
+ // SVID.
+ // Required.
+ bytes public_key = 1;
+ // The path that should be included in the SPIFFE ID.
+ // This should have a preceding slash and should not have a trailing slash.
+ // Required.
+ string spiffe_id_path = 2;
+ // The DNS SANs that should be included in the x509 SVID.
+ // Optional.
+ repeated string dns_sans = 3;
+ // The IP SANs that should be included in the x509 SVID.
+ // Optional.
+ repeated string ip_sans = 4;
+ // A hint that provides a way of distinguishing between SVIDs. These are
+ // user configured and are sent back to the actual workload.
+ // Optional.
+ string hint = 5;
+ // The TTL to use for the x509 SVID. A maximum value is enforced on this
+ // field. Callers should inspect the returned cert to determine if their
+ // requested TTL has been met, and if not, adjust their behaviour. If not
+ // supplied, the default TTL will be the maximum value.
+ google.protobuf.Duration ttl = 6;
+}
+
+// The generated x509 SVID.
+message SVIDResponse {
+ // A ASN.1 DER encoded x509 SVID.
+ bytes certificate = 1;
+ // The full SPIFFE ID that was included in the x509 SVID.
+ string spiffe_id = 2;
+ // The hint that was included in SVIDRequest in order to allow a workload to
+ // distinguish an individual SVID.
+ string hint = 3;
+}
+
+// The request for SignX509SVIDs.
+message SignX509SVIDsRequest {
+ // The SVIDs that should be generated. This is repeated to allow a bot to
+ // request multiple SVIDs at once and reduce the number of round trips.
+ // Must be non-zero length.
+ repeated SVIDRequest svids = 1;
+}
+
+// The response for SignX509SVIDs.
+message SignX509SVIDsResponse {
+ // The generated SVIDs.
+ repeated SVIDResponse svids = 1;
+}
+
+// The request for an individual JWT SVID.
+message JWTSVIDRequest {
+ // The path that should be included in the SPIFFE ID.
+ // This should have a preceding slash and should not have a trailing slash.
+ // Required.
+ string spiffe_id_path = 1;
+ // The value that should be included in the JWT SVID as the `aud` claim.
+ // Required.
+ repeated string audiences = 2;
+ // The TTL to use for the x509 SVID. A maximum value is enforced on this
+ // field. Callers should inspect the returned cert to determine if their
+ // requested TTL has been met, and if not, adjust their behaviour. If not
+ // supplied, the default TTL will be the maximum value.
+ google.protobuf.Duration ttl = 3;
+ // A hint that provides a way of distinguishing between SVIDs. These are
+ // user configured and are sent back to the actual workload.
+ // Optional.
+ string hint = 4;
+}
+
+// The generated JWT SVID.
+message JWTSVIDResponse {
+ // The JWT SVID.
+ string jwt = 1;
+ // The JTI that was included in the JWT.
+ string jti = 2;
+ // The full SPIFFE ID that was included in the x509 SVID.
+ string spiffe_id = 3;
+ // The audiences that were included in the JWT.
+ repeated string audiences = 4;
+ // The hint that was included in SVIDRequest in order to allow a workload to
+ // distinguish an individual SVID.
+ string hint = 5;
+}
+
+// The request for SignJWTSVIDs.
+message SignJWTSVIDsRequest {
+ repeated JWTSVIDRequest svids = 1;
+}
+
+// The response for SignJWTSVIDs.
+message SignJWTSVIDsResponse {
+ repeated JWTSVIDResponse svids = 1;
+}
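Review bot: Several comments in the JWT messages were copied from the x509 ones and now describe the wrong artifact: `JWTSVIDRequest.ttl` says `The TTL to use for the x509 SVID` and tells callers to inspect `the returned cert`, and `JWTSVIDResponse.spiffe_id` says it was `included in the x509 SVID`. Suggest `// The TTL to use for the JWT SVID. A maximum value is enforced on this field; callers should inspect the returned JWT's expiry to determine if their requested TTL has been met.` and `// The full SPIFFE ID that was included in the JWT SVID.`. `SignJWTSVIDsRequest.svids` and `SignJWTSVIDsResponse.svids` also lack comments, unlike their x509 counterparts; mirror those, including the `Must be non-zero length.` constraint if the server enforces it for JWTs too.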
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/mfa/v1/mfa.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/mfa/v1/mfa.proto
new file mode 100644
index 0000000000000..257557a31b22e
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/mfa/v1/mfa.proto
@@ -0,0 +1,85 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.mfa.v1;
+
+import "gogoproto/gogo.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1;mfav1";
+option (gogoproto.marshaler_all) = true;
+option (gogoproto.unmarshaler_all) = true;
+
+// ChallengeExtensions contains MFA challenge extensions used by Teleport
+// during MFA authentication.
+message ChallengeExtensions {
+ // Scope is an authorization scope for this MFA challenge.
+ // Required.
+ ChallengeScope scope = 1;
+ // AllowReuse determines whether the MFA challenge allows reuse.
+ // Defaults to CHALLENGE_ALLOW_REUSE_NO.
+ //
+ // Note that reuse is only permitted for specific actions by the discretion
+ // of the server. See the server implementation for details.
+ ChallengeAllowReuse allow_reuse = 2;
+ // User verification requirement for the challenge.
+ //
+ // * https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement.
+ // * https://pkg.go.dev/github.com/go-webauthn/webauthn/protocol#UserVerificationRequirement.
+ //
+ // Optional. Empty is equivalent to "discouraged".
+ string user_verification_requirement = 3;
+}
+
+// ChallengeScope is a scope authorized by an MFA challenge resolution.
+enum ChallengeScope {
+ // Scope unknown or not specified.
+ CHALLENGE_SCOPE_UNSPECIFIED = 0;
+ // Standard webauthn login.
+ CHALLENGE_SCOPE_LOGIN = 1;
+ // Passwordless webauthn login.
+ CHALLENGE_SCOPE_PASSWORDLESS_LOGIN = 2;
+ // Headless login.
+ CHALLENGE_SCOPE_HEADLESS_LOGIN = 3;
+ // MFA device management.
+ CHALLENGE_SCOPE_MANAGE_DEVICES = 4;
+ // Account recovery.
+ CHALLENGE_SCOPE_ACCOUNT_RECOVERY = 5;
+ // Used for per-session MFA and moderated session presence checks.
+ CHALLENGE_SCOPE_USER_SESSION = 6;
+ // Used for various administrative actions, such as adding, updating, or
+ // deleting administrative resources (users, roles, etc.).
+ //
+ // Note: this scope should not be used for new MFA capabilities that have
+ // more precise scope. Instead, new scopes should be added. This scope may
+ // also be split into multiple smaller scopes in the future.
+ CHALLENGE_SCOPE_ADMIN_ACTION = 7;
+ // Used for changing user's password.
+ CHALLENGE_SCOPE_CHANGE_PASSWORD = 8;
+}
+
+// ChallengeAllowReuse determines whether an MFA challenge response can be used
+// to authenticate the user more than once until the challenge expires.
+//
+// Reuse is only permitted for specific actions by the discretion of the server.
+// See the server implementation for details.
+enum ChallengeAllowReuse {
+ // Reuse unspecified, treated as CHALLENGE_ALLOW_REUSE_NO.
+ CHALLENGE_ALLOW_REUSE_UNSPECIFIED = 0;
+ // Reuse is permitted.
+ CHALLENGE_ALLOW_REUSE_YES = 1;
+ // Reuse is not permitted.
+ CHALLENGE_ALLOW_REUSE_NO = 2;
+}
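Review bot: `user_verification_requirement` carries a closed WebAuthn vocabulary (`required`, `preferred`, `discouraged`) as a free-form `string`, with empty mapping to `discouraged`; a mistyped value cannot be caught at compile time and its runtime handling is not stated here. An enum with an `_UNSPECIFIED` zero value documented as `discouraged` would make the default explicit in the schema, as `ChallengeAllowReuse` already does for reuse. Because `string` to enum is not wire-compatible, that would have to be a new field number with this one deprecated, so if this mirrors a published API the minimum change is to state in the comment how unrecognized values are handled, e.g. `// Unrecognized values are rejected.`, if that is what the server does.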
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/notifications/v1/notifications.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/notifications/v1/notifications.proto
new file mode 100644
index 0000000000000..4d71cce500105
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/notifications/v1/notifications.proto
@@ -0,0 +1,202 @@
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+syntax = "proto3";
+
+package teleport.notifications.v1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/header/v1/metadata.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/notifications/v1;notificationsv1";
+
+// Notification represents a notification item.
+message Notification {
+ // kind is the resource kind ("notification").
+ string kind = 1;
+ // sub_kind represents the unique kind of notification this is, eg. `access-request-approved`
+ string sub_kind = 2;
+ // version is the resource version.
+ string version = 3;
+ // metadata is the notification's metadata. This contains the notification's labels, and expiry. All custom notification metadata should be stored in labels.
+ teleport.header.v1.Metadata metadata = 4;
+ // spec is the notification specification.
+ NotificationSpec spec = 5;
+}
+
+// NotificationSpec is the notification specification.
+message NotificationSpec {
+ reserved 1;
+ reserved "id";
+ // created is when the notification was created, in UNIX time.
+ google.protobuf.Timestamp created = 2;
+ // unscoped is whether the notification shouldn't be restricted to a specific audience. This is to prevent the potential future possibility that a user-specific notification contains information that the user should no longer be allowed to see. Default is true.
+ bool unscoped = 3;
+ // username is the username of the target user if this is a user-specific notification. Requests for global notifications with a username will be rejected.
+ string username = 4;
+}
+
+// GlobalNotification represents a global notification.
+message GlobalNotification {
+ // kind is the resource kind ("global_notification").
+ string kind = 1;
+ // sub_kind is the optional resource subkind. This is unused.
+ string sub_kind = 2;
+ // version is the resource version.
+ string version = 3;
+ // metadata is the user last seen notification object's metadata.
+ teleport.header.v1.Metadata metadata = 4;
+ // spec is the global notification's specification.
+ GlobalNotificationSpec spec = 5;
+}
+
+// GlobalNotificationSpec is the global notification's specification.
+message GlobalNotificationSpec {
+ // Matcher for determining the target of this notification.
+ oneof matcher {
+ // by_permissions represents the RoleConditions needed for a user to receive this notification.
+ // If multiple permissions are defined and `MatchAllConditions` is true, the user will need to have
+ // all of them to receive this notification.
+ ByPermissions by_permissions = 1;
+ // by_roles represents the roles targeted by this notification.
+ // If multiple roles are defined and `MatchAllConditions` is true, the user will need to have all
+ // of them to receive this notification.
+ ByRoles by_roles = 2;
+ // all represents whether to target all users, regardless of roles or permissions.
+ bool all = 3;
+ // by_users represents a list of usernames of the users targeted by this notification.
+ // If only one user is being targeted, please create a user-specific notification instead.
+ ByUsers by_users = 7;
+ }
+ // match_all_conditions is whether or not all the conditions specified by the matcher must be met,
+ // if false, only one of the conditions needs to be met.
+ bool match_all_conditions = 4;
+ // notification is the notification itself.
+ Notification notification = 5;
+ // exclude_users is a list of usernames of users who should never match this notification
+ // under any circumstances.
+ repeated string exclude_users = 6;
+}
+
+// ByPermissions represents the RoleConditions needed for a user to receive this notification.
+message ByPermissions {
+ repeated types.RoleConditions role_conditions = 1;
+}
+
+// ByRoles represents the roles targeted by this notification.
+message ByRoles {
+ repeated string roles = 1;
+}
+
+// ByUsers represents the users targeted by this notification.
+message ByUsers {
+ repeated string users = 1;
+}
+
+// UserNotificationState represents a notification's state for a user. This is to keep track
+// of whether the user has clicked on or dismissed the notification.
+message UserNotificationState {
+ // kind is the resource kind ("user_notification_state").
+ string kind = 1;
+ // sub_kind is the optional resource subkind. This is unused.
+ string sub_kind = 2;
+ // version is the resource version.
+ string version = 3;
+ // metadata is the user notification state's metadata.
+ teleport.header.v1.Metadata metadata = 4;
+ // spec is the user notification state's specification.
+ UserNotificationStateSpec spec = 5;
+ // status is the state of this user notification state, it contains the notification state itself which will be dynamically modified.
+ UserNotificationStateStatus status = 6;
+}
+
+// UserNotificationStateSpec is the user notification state's specification.
+message UserNotificationStateSpec {
+ // notification_id is the ID of the notification this state is for.
+ string notification_id = 1;
+ // username is the username of the user this notification state is for.
+ string username = 2;
+}
+
+// NotificationState the state of a notification for a user. This can represent either "clicked" or "dismissed".
+enum NotificationState {
+ NOTIFICATION_STATE_UNSPECIFIED = 0;
+ // NOTIFICATION_STATE_CLICKED marks this notification as having been clicked on by the user.
+ NOTIFICATION_STATE_CLICKED = 1;
+ // NOTIFICATION_STATE_DISMISSED marks this notification as having been dismissed by the user.
+ NOTIFICATION_STATE_DISMISSED = 2;
+}
+
+// UserNotificationStateStatus is the status of this user notification state, it contains the notification state itself which will be dynamically modified.
+message UserNotificationStateStatus {
+ // notification_state is the state of this notification for the user. This can represent either "clicked" or "dismissed".
+ NotificationState notification_state = 1;
+}
+
+// UserLastSeenNotification represents the timestamp of the last notification a user has seen.
+message UserLastSeenNotification {
+ // kind is the resource kind ("user_last_seen_notification").
+ string kind = 1;
+ // sub_kind is the optional resource subkind. This is unused.
+ string sub_kind = 2;
+ // version is the resource version.
+ string version = 3;
+ // metadata is the user last seen notification object's metadata.
+ teleport.header.v1.Metadata metadata = 4;
+ // UserLastSeenNotificationSpec is the user last seen notification item's specification.
+ UserLastSeenNotificationSpec spec = 5;
+ reserved 6;
+ reserved "time";
+ // status is the timestamp of this user's last seen notification, it contains the timestamp of the notification which will be dynamically modified.
+ UserLastSeenNotificationStatus status = 7;
+}
+
+// UserLastSeenNotificationSpec is a user last seen notification specification.
+message UserLastSeenNotificationSpec {}
+
+// UserLastSeenNotificationStatus is the timestamp of this user's last seen notification, it contains the timestamp of the notification which will be dynamically modified.
+message UserLastSeenNotificationStatus {
+ // last_seen_time is the timestamp of the last notification that the user has seen.
+ google.protobuf.Timestamp last_seen_time = 1;
+}
+
+// UniqueNotificationIdentifier represents a unique notification identifier.
+// This is a resource whose existence is used to keep track of whether a particular notification has already been created, in order to prevent duplicate notifications.
+// For example, if the unique identifier is "unique_notification_identifier/access_list_30d_reminder/1234", when a caller attempts to create a notification
+// for a 30 day reminder to review access list 1234, it will create this identifier resource as well, and any subsequent times it attempts to create the notification,
+// it will detect that the identifier already exists, and thus know not to create a duplicate.
+// Note that using this system does not always guarantee accuracy/concurrency, so this shouldn't be used for security critical notifications.
+message UniqueNotificationIdentifier {
+ // kind is the resource kind ("unique_notification_identifier").
+ string kind = 1;
+ // version is the resource version.
+ string version = 2;
+ // metadata is the unique notification identifier metadata.
+ teleport.header.v1.Metadata metadata = 3;
+ // spec is the unique notification identifier spec.
+ UniqueNotificationIdentifierSpec spec = 5;
+}
+
+// UniqueNotificationIdentifierSpec is the unique notification identifier specification.
+message UniqueNotificationIdentifierSpec {
+ // unique_identifier is the unique identifier string. This is what is used to keep track of the unique notification and what is used in the resource's backend key.
+ string unique_identifier = 1;
+ // unique_identifier_prefix is the prefix for this unique notiifcation identifier, this is used to group notification identifiers together, eg. "access_list_30d_reminder"
+ string unique_identifier_prefix = 2;
+}
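Review bot: `bool unscoped = 3;` in NotificationSpec is documented as "Default is true", but a proto3 bool has implicit presence, so an omitted field decodes as false and the wire cannot distinguish "unset" from "scoped"; either the comment should describe the server-side defaulting that yields true, or the field should become `optional bool unscoped = 3;` so the server can tell the two cases apart. Because the comment ties this flag to keeping a user-specific notification away from the wrong audience, a caller who omits the field silently gets the restrictive value if the server honours the field as documented, which is the safe direction but the opposite of what the comment promises. Two comments in the same hunk look like copy-paste errors: `created` says "in UNIX time" while its type is `google.protobuf.Timestamp`, and `GlobalNotification.metadata` is described as "the user last seen notification object's metadata". This file sits under crdgen testdata; if it is a verbatim copy of the canonical API proto, the fixes belong there and the fixture should then be re-synced.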
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/notifications/v1/notifications_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/notifications/v1/notifications_service.proto
new file mode 100644
index 0000000000000..4edcbf5362789
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/notifications/v1/notifications_service.proto
@@ -0,0 +1,125 @@
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+syntax = "proto3";
+
+package teleport.notifications.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+import "teleport/notifications/v1/notifications.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/notifications/v1;notificationsv1";
+
+// NotificationService provides CRUD operations for notifications resources.
+service NotificationService {
+ // CreateUserNotification creates a user-specific notification.
+ rpc CreateUserNotification(CreateUserNotificationRequest) returns (Notification);
+ // DeleteUserNotification deletes a user-specific notification.
+ rpc DeleteUserNotification(DeleteUserNotificationRequest) returns (google.protobuf.Empty);
+
+ // CreateGlobalNotification creates a global notification.
+ rpc CreateGlobalNotification(CreateGlobalNotificationRequest) returns (GlobalNotification);
+ // DeleteGlobalNotification deletes a global notification.
+ rpc DeleteGlobalNotification(DeleteGlobalNotificationRequest) returns (google.protobuf.Empty);
+
+ // ListNotifications returns a paginated list of a user's notifications.
+ rpc ListNotifications(ListNotificationsRequest) returns (ListNotificationsResponse);
+
+ // UpsertUserNotificationState creates or updates a user notification state which records whether the user has clicked on or dismissed a notification.
+ rpc UpsertUserNotificationState(UpsertUserNotificationStateRequest) returns (UserNotificationState);
+
+ // UpsertUserLastSeenNotification creates or updates a user's last seen notification item.
+ rpc UpsertUserLastSeenNotification(UpsertUserLastSeenNotificationRequest) returns (UserLastSeenNotification);
+}
+
+// CreateUserNotificationRequest is the request for creating a user-specific notification.
+message CreateUserNotificationRequest {
+ // username is the username of the user the notification to create is for.
+ string username = 1;
+ // notification is the notification to create.
+ Notification notification = 2;
+}
+
+// DeleteUserNotificationRequest is the request for deleting a user-specific notification.
+message DeleteUserNotificationRequest {
+ // username is the username of the user the notification to delete is for.
+ string username = 1;
+ // notification_id is the ID of the notification to delete.
+ string notification_id = 2;
+}
+
+// ListNotificationsRequest is the request for listing a user's notifications.
+message ListNotificationsRequest {
+ // page_size is the size of the page to return.
+ int32 page_size = 1;
+ // page_token is the next_page_token value returned from a previous ListUserNotifications request, if any.
+ string page_token = 2;
+ // filters specify search criteria to limit which notifications should be returned. If omitted, the default behavior will be to list all notifications.
+ NotificationFilters filters = 3;
+}
+
+// NotificationFilters provide a mechanism to refine ListNotification results.
+message NotificationFilters {
+ // username is the username of the user the notifications being listed are for.
+ string username = 1;
+ // global_only is whether to only list global notifications (notifications capable of targetting multiple users).
+ bool global_only = 2;
+ // user_created_only is whether to only list user-created notifications (ie. notifications created by an admin via the tctl interface).
+ bool user_created_only = 3;
+ // labels is used to request only notifications with specific labels.
+ map labels = 4;
+}
+
+// ListNotificationsResponse is the response from listing a user's notifications.
+message ListNotificationsResponse {
+ // notifications is the notifications returned.
+ repeated Notification notifications = 1;
+ // next_page_token contains the next page token to use as the start key for the next page of notifications.
+ string next_page_token = 3;
+ // user_last_seen_notification_timestamp is the timestamp of the last notification the user has seen.
+ google.protobuf.Timestamp user_last_seen_notification_timestamp = 4;
+}
+
+// CreateGlobalNotificationRequest is the request for creating a global notification.
+message CreateGlobalNotificationRequest {
+ // global_notification is the global notification to create.
+ GlobalNotification global_notification = 1;
+}
+
+// DeleteGlobalNotificationRequest is the request for deleting a global notification.
+message DeleteGlobalNotificationRequest {
+ // notification_id is the ID of the notification to delete.
+ string notification_id = 1;
+}
+
+// UpsertUserNotificationStateRequest is the request for creating or updating a user notification state.
+message UpsertUserNotificationStateRequest {
+ // username is the username of the user.
+ string username = 1;
+ // user_notification_state is the user notification state to create.
+ UserNotificationState user_notification_state = 2;
+}
+
+// UpsertUserLastSeenNotificationRequest is the request for creating or updating a user's last seen notification.
+message UpsertUserLastSeenNotificationRequest {
+ // username is the username of the user.
+ string username = 1;
+ // user_notification_state is the updated user last seen notification item.
+ UserLastSeenNotification user_last_seen_notification = 2;
+}
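Review bot: ListNotificationsResponse jumps from field 1 to field 3 with no `reserved 2;`, so a later maintainer can reuse number 2 and silently reinterpret old payloads; add `reserved 2;` (plus the old field name, if the number was previously used) next to the fields. As rendered, `map labels = 4;` in NotificationFilters has no key/value types and would not compile; this is probably the `<string, string>` type parameters being dropped when the page was rendered, but it is worth confirming against the checked-in file. Two field comments do not match their fields: `page_token` refers to a `ListUserNotifications` request that does not exist in this service (the RPC is ListNotifications), and `UpsertUserLastSeenNotificationRequest` documents `user_notification_state` where the field is `user_last_seen_notification`. The Delete RPCs return `google.protobuf.Empty`, which cannot grow fields later; dedicated `Delete*Response` messages are the conventional choice for a new service, and the same applies if this fixture mirrors a canonical API proto.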
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/okta/v1/okta_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/okta/v1/okta_service.proto
new file mode 100644
index 0000000000000..1be540f43ab85
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/okta/v1/okta_service.proto
@@ -0,0 +1,321 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.okta.v1;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/empty.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/okta/v1;oktav1";
+
+// OktaService provides CRUD methods for Okta resources.
+service OktaService {
+ // ListOktaImportRules returns a paginated list of all Okta import rule resources.
+ rpc ListOktaImportRules(ListOktaImportRulesRequest) returns (ListOktaImportRulesResponse);
+ // GetOktaImportRule returns the specified Okta import rule resources.
+ rpc GetOktaImportRule(GetOktaImportRuleRequest) returns (types.OktaImportRuleV1);
+ // CreateOktaImportRule creates a new Okta import rule resource.
+ rpc CreateOktaImportRule(CreateOktaImportRuleRequest) returns (types.OktaImportRuleV1);
+ // UpdateOktaImportRule updates an existing Okta import rule resource.
+ rpc UpdateOktaImportRule(UpdateOktaImportRuleRequest) returns (types.OktaImportRuleV1);
+ // DeleteOktaImportRule removes the specified Okta import rule resource.
+ rpc DeleteOktaImportRule(DeleteOktaImportRuleRequest) returns (google.protobuf.Empty);
+ // DeleteAllOktaImportRules removes all Okta import rules.
+ rpc DeleteAllOktaImportRules(DeleteAllOktaImportRulesRequest) returns (google.protobuf.Empty);
+
+ // ListOktaAssignments returns a paginated list of all Okta assignment resources.
+ rpc ListOktaAssignments(ListOktaAssignmentsRequest) returns (ListOktaAssignmentsResponse);
+ // GetOktaAssignment returns the specified Okta assignment resources.
+ rpc GetOktaAssignment(GetOktaAssignmentRequest) returns (types.OktaAssignmentV1);
+ // CreateOktaAssignment creates a new Okta assignment resource.
+ rpc CreateOktaAssignment(CreateOktaAssignmentRequest) returns (types.OktaAssignmentV1);
+ // UpdateOktaAssignment updates an existing Okta assignment resource.
+ rpc UpdateOktaAssignment(UpdateOktaAssignmentRequest) returns (types.OktaAssignmentV1);
+ // UpdateOktaAssignmentStatus will update the status for an Okta assignment.
+ rpc UpdateOktaAssignmentStatus(UpdateOktaAssignmentStatusRequest) returns (google.protobuf.Empty);
+ // DeleteOktaAssignment removes the specified Okta assignment resource.
+ rpc DeleteOktaAssignment(DeleteOktaAssignmentRequest) returns (google.protobuf.Empty);
+ // DeleteAllOktaAssignments removes all Okta assignments.
+ rpc DeleteAllOktaAssignments(DeleteAllOktaAssignmentsRequest) returns (google.protobuf.Empty);
+
+ // ValidateClientCredentials checks if the provided client credentials are valid.
+ rpc ValidateClientCredentials(ValidateClientCredentialsRequest) returns (ValidateClientCredentialsResponse);
+ // EnrollIntegration enrolls a new integration with the specified parameters.
+ rpc CreateIntegration(CreateIntegrationRequest) returns (CreateIntegrationResponse);
+ // UpdateIntegration updates the settings or properties of an existing integration.
+ rpc UpdateIntegration(UpdateIntegrationRequest) returns (UpdateIntegrationResponse);
+ // GetApps retrieves a list of apps from Okta based on specified filter criteria.
+ rpc GetApps(GetAppsRequest) returns (GetAppsResponse);
+ // GetGroups retrieves a list of apps from Okta based on specified filter criteria.
+ rpc GetGroups(GetGroupsRequest) returns (GetGroupsResponse);
+}
+
+// GetAppsRequest is the request message for filtering apps.
+message GetAppsRequest {
+ // URL of the Okta organization.
+ string okta_organization_url = 1;
+ // Credentials to access the Okta API.
+ OktaAPICredentials api_credentials = 2;
+ // List of filters to apply when fetching apps.
+ repeated string filters = 3;
+}
+
+// GetAppsResponse is the response message for filtering apps.
+message GetAppsResponse {
+ // App contains details of an individual Okta app.
+ message App {
+ // Name of the app.
+ string name = 1;
+ // Description of the app.
+ string description = 2;
+ }
+ // List of apps that match the filter criteria.
+ repeated App apps = 1;
+}
+
+// GetGroupsRequest is the request message.
+message GetGroupsRequest {
+ // URL of the Okta organization.
+ string okta_organization_url = 1;
+ // Credentials to access the Okta API.
+ OktaAPICredentials api_credentials = 2;
+ // List of filters to apply when fetching groups.
+ repeated string filters = 3;
+}
+
+// GetGroupsResponse is the response message for filtering groups.
+message GetGroupsResponse {
+ // Group contains details of an individual Okta group.
+ message Group {
+ // Name of the group.
+ string name = 1;
+ // Description of the group.
+ string description = 2;
+ }
+ // List of groups that match the filter criteria.
+ repeated Group groups = 1;
+}
+
+// CreateIntegrationRequest is the request message for enrolling a new Okta integration.
+message CreateIntegrationRequest {
+ // URL of the Okta organization.
+ string okta_organization_url = 1;
+ // Credentials to access the Okta API.
+ OktaAPICredentials api_credentials = 2;
+ // SCIM token for integration.
+ string scim_token = 3;
+ // Enable synchronization of access lists.
+ bool enable_access_list_sync = 4;
+ // Enable user synchronization from Okta to Teleport.
+ bool enable_user_sync = 5;
+ // Enable synchronization of app groups from Okta to Teleport.
+ bool enable_app_group_sync = 6;
+ // Settings related to access list synchronization.
+ AccessListSettings access_list_settings = 7;
+ // Option to reuse an existing connector.
+ string reuse_connector = 8;
+ // SSO metadata URL for integration.
+ string sso_metadata_url = 9;
+ // Enable sync from Teleport to Okta. If disabled it will prevent creating Okta assignments which
+ // in turn will disable JIT Access Requests. Makes sense only when apps and groups sync is
+ // enabled.
+ bool enable_bidirectional_sync = 10;
+}
+
+// UpdateIntegrationRequest is the request message for updating an existing Okta integration.
+message UpdateIntegrationRequest {
+ // Credentials to access the Okta API.
+ OktaAPICredentials api_credentials = 2;
+ // SCIM token for integration.
+ string scim_token = 3;
+ // Enable synchronization of access lists.
+ bool enable_access_list_sync = 4;
+ // Enable user synchronization from Okta to Teleport.
+ bool enable_user_sync = 5;
+ // Enable synchronization of app groups from Okta to Teleport.
+ bool enable_app_group_sync = 6;
+ // Settings related to access list synchronization.
+ AccessListSettings access_list_settings = 7;
+ // Option to reuse an existing connector.
+ string reuse_connector = 8;
+ // SSO metadata URL for integration.
+ string sso_metadata_url = 9;
+ // Enable sync from Teleport to Okta. If disabled it will prevent creating Okta assignments which
+ // in turn will disable JIT Access Requests. Makes sense only when apps and groups sync is
+ // enabled.
+ bool enable_bidirectional_sync = 10;
+}
+
+// AccessListSettings contains the settings for access list synchronization.
+message AccessListSettings {
+ // Filters for groups to include in the access list.
+ repeated string group_filters = 2;
+ // Filters for apps to include in the access list.
+ repeated string app_filters = 3;
+ // Default owner for access list items.
+ repeated string default_owner = 4;
+}
+
+// OktaAPICredentials provides the authentication details for accessing Okta API.
+message OktaAPICredentials {
+ oneof auth {
+ // OAuth ClientID for authentication.
+ string oauth_id = 1;
+ // SSWS Bearer token for authentication.
+ string ssws_bearer_token = 2;
+ }
+}
+
+// CreateIntegrationResponse is the response message for enrolling a new Okta integration.
+message CreateIntegrationResponse {
+ // Plugin information.
+ types.PluginV1 plugin = 1;
+ // Details of the connector.
+ ConnectorInfo connector_info = 2;
+}
+
+// UpdateIntegrationResponse is the request for listing paginated Okta import rules.
+message UpdateIntegrationResponse {
+ // Plugin information.
+ types.PluginV1 plugin = 1;
+ // Details of the connector.
+ ConnectorInfo connector_info = 2;
+}
+
+// ConnectorInfo contains information about the connector.
+message ConnectorInfo {
+ // Okta application ID.
+ string okta_app_id = 1;
+ // Name of the Okta application.
+ string okta_app_name = 2;
+ // Labels associated with the Okta application.
+ string okta_app_labels = 3;
+ // Name of the Teleport connector.
+ string teleport_connector_name = 4;
+}
+
+// ValidateClientCredentialsRequest is the request message for validating client credentials.
+message ValidateClientCredentialsRequest {
+ // URL of the Okta organization.
+ string okta_organization_url = 1;
+ // Credentials to access the Okta API.
+ OktaAPICredentials api_credentials = 2;
+}
+
+// ValidateClientCredentialsResponse is the response message for validating client credentials.
+message ValidateClientCredentialsResponse {}
+
+// ListOktaImportRulesRequest is the request for listing paginated Okta import rules.
+message ListOktaImportRulesRequest {
+ // page_size is the number of results to return. If page_size is 0, a default page size of 200 will be chosen.
+ int32 page_size = 1;
+
+ // page_token is the next_token value returned from a previous List request if any.
+ string page_token = 2;
+}
+
+// ListOktaImportRulesResponse is the response for listing paginated Okta import rules.
+message ListOktaImportRulesResponse {
+ // import_rules is the list of import rules.
+ repeated types.OktaImportRuleV1 import_rules = 1;
+
+ // next_page_token is the next page token. If there are no more results, it will be empty.
+ string next_page_token = 2;
+}
+
+// GetOktaImportRuleRequest is the request for retrieving an Okta import rule.
+message GetOktaImportRuleRequest {
+ // name is the name of the Okta import rule.
+ string name = 1;
+}
+
+// CreateOktaImportRuleRequest is a request for creating an Okta import rule.
+message CreateOktaImportRuleRequest {
+ // import_rule is the Okta import rule to create.
+ types.OktaImportRuleV1 import_rule = 1;
+}
+
+// UpdateOktaImportRuleRequest is a request for updating an Okta import rule.
+message UpdateOktaImportRuleRequest {
+ // import_rule is the Okta import rule to update.
+ types.OktaImportRuleV1 import_rule = 1;
+}
+
+// DeleteOktaImportRuleRequest is the request for deleting an Okta import rule.
+message DeleteOktaImportRuleRequest {
+ // name is the name of the Okta import rule.
+ string name = 1;
+}
+
+// DeleteAllOktaImportRulesRequest is the request for deleting all Okta import rules.
+message DeleteAllOktaImportRulesRequest {}
+
+// ListOktaAssignmentsRequest is the request for listing paginated Okta assignments.
+message ListOktaAssignmentsRequest {
+ // page_size is the number of results to return. If page_size is 0, a default page size of 200 will be chosen.
+ int32 page_size = 1;
+
+ // page_token is the next page token to use when retrieving results.
+ string page_token = 2;
+}
+
+// ListOktaAssignmentsResponse is the response for listing paginated Okta assignments.
+message ListOktaAssignmentsResponse {
+ // assignments is the list of assignments.
+ repeated types.OktaAssignmentV1 assignments = 1;
+
+ // next_page_token is the next page token. If there are no more results, it will be empty.
+ string next_page_token = 2;
+}
+
+// GetOktaAssignmentRequest is the request for retrieving an Okta assignment.
+message GetOktaAssignmentRequest {
+ // name is the name of the Okta assignment.
+ string name = 1;
+}
+
+// CreateOktaAssignmentRequest is a request for creating an Okta assignment.
+message CreateOktaAssignmentRequest {
+ // assignment is the Okta assignment to create.
+ types.OktaAssignmentV1 assignment = 1;
+}
+
+// UpdateOktaAssignmentRequest is a request for updating an Okta assignment.
+message UpdateOktaAssignmentRequest {
+ // assignment is the Okta assignment to update.
+ types.OktaAssignmentV1 assignment = 1;
+}
+
+// UpdateOktaAssignmentStatusRequest is a request for updating an Okta assignment status.
+message UpdateOktaAssignmentStatusRequest {
+ // name is the name of the Okta assignment.
+ string name = 1;
+ // status is the status to update the assignment to.
+ types.OktaAssignmentSpecV1.OktaAssignmentStatus status = 2;
+ // timeHasPassed is the amount of time that must have passed since the last transition
+ // in order to set the new transition.
+ google.protobuf.Duration time_has_passed = 3;
+}
+
+// DeleteOktaAssignmentRequest is the request for deleting an Okta assignment.
+message DeleteOktaAssignmentRequest {
+ // name is the name of the Okta assignment.
+ string name = 1;
+}
+
+// DeleteAllOktaAssignmentsRequest is the request for deleting all Okta assignments.
+message DeleteAllOktaAssignmentsRequest {}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/plugins/v1/plugin_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/plugins/v1/plugin_service.proto
new file mode 100644
index 0000000000000..95599618cd811
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/plugins/v1/plugin_service.proto
@@ -0,0 +1,219 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.plugins.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/plugins/v1;pluginsv1";
+
+// PluginType represents a single type of hosted plugin
+// that can be onboarded.
+message PluginType {
+ // Type is a string corresponding to api.PluginTypeXXX constants
+ string type = 1;
+
+ // OAuthClientID contains the client ID of the OAuth application
+ // that is used with this plugin's API provider.
+ // For plugins that are not authenticated via OAuth,
+ // this will be empty.
+ string oauth_client_id = 2;
+}
+
+// CreatePluginRequest creates a new plugin from the given spec and initial
+// credentials.
+message CreatePluginRequest {
+ // Plugin is the plugin object without live credentials.
+ types.PluginV1 plugin = 1;
+ // BootstrapCredentials are the initial credentials
+ // issued by e.g. OAuth2 authorization code flow.
+ // In the scope of processing this request, these are exchanged for
+ // short-lived renewable credentials, which are stored in the Plugin.
+ types.PluginBootstrapCredentialsV1 bootstrap_credentials = 2;
+
+ // StaticCredentials are an optional static credential to supply to the
+ // plugin.
+ types.PluginStaticCredentialsV1 static_credentials = 3;
+
+ // StaticCredentials are an optional collection of static credentials
+ // to supply to the plugin. Ignored if `StaticCredentials` is set.
+ repeated types.PluginStaticCredentialsV1 static_credentials_list = 4;
+
+ // CredentialLabels are a collection of labels used to identify the
+ // credentials secified in the StaticCredentialsList. Ignored if
+ // StaticCredentials is used
+ map credential_labels = 5;
+}
+
+// GetPluginRequest is a request to return a plugin instance by name.
+message GetPluginRequest {
+ // Name is the name of the plugin instance.
+ string name = 1;
+
+ // WithSecrets indicates whether plugin secrets (credentials) are requested
+ bool with_secrets = 2;
+}
+
+// UpdatePluginRequest is a request to update a plugin instance.
+message UpdatePluginRequest {
+ // Plugin is the plugin object to update.
+ types.PluginV1 plugin = 1;
+}
+
+// ListPluginsRequest is a paginated request to list all plugin instances.
+message ListPluginsRequest {
+ // PageSize is the maximum number of plugins to return in a single response.
+ int32 page_size = 1;
+
+ // StartKey is the value of NextKey received in the last ListPluginsResponse.
+ // When making the initial request, this should be left empty.
+ string start_key = 2;
+
+ // WithSecrets indicates whether plugin secrets (credentials) are requested
+ bool with_secrets = 3;
+}
+
+// ListPluginsResponse is a paginated response to a ListPluginsRequest.
+message ListPluginsResponse {
+ // Plugins is the list of plugins.
+ repeated types.PluginV1 plugins = 1;
+
+ // NextKey is a token to retrieve the next page of results, or empty
+ // if there are no more results.
+ string next_key = 2;
+}
+
+// DeletePluginRequest is a request to delete a plugin instance by name.
+message DeletePluginRequest {
+ // Name is the name of the plugin instance.
+ string name = 1;
+}
+
+// SetPluginCredentialsRequest is a request to set credentials for an existing
+// plugin
+message SetPluginCredentialsRequest {
+ // Name is the name of the plugin instance.
+ string name = 1;
+ // Credentials are the credentials obtained after exchanging the initial
+ // credentials, and after successive credential renewals.
+ types.PluginCredentialsV1 credentials = 2;
+}
+
+// SetPluginStatusRequest is a request to set the status for an existing plugin
+message SetPluginStatusRequest {
+ // Name is the name of the plugin instance.
+ string name = 1;
+ // Status is the plugin status.
+ types.PluginStatusV1 status = 2;
+}
+
+// GetAvailablePluginTypesRequest is the request type for
+// GetAvailablePluginTypes
+message GetAvailablePluginTypesRequest {}
+
+// GetAvailablePluginTypesResponse is a response to for GetAvailablePluginTypes
+message GetAvailablePluginTypesResponse {
+ // PluginTypes is a list of hosted plugins
+ // that the auth service supports.
+ repeated PluginType plugin_types = 1;
+}
+
+// SearchPluginStaticCredentialsRequest is the request type for
+// SearchPluginStaticCredentials. The labels here are attached to a plugin and
+// search credential object at creation time. Labels can be provided to the
+// plugin credentials object and then, during plugin creation, a reference to
+// those labels augmented along with a uniquely identifying ID will ensure a
+// unique mapping between credentials and plugins.
+message SearchPluginStaticCredentialsRequest {
+ // Labels are matched against static credentials objects and returned.
+ map labels = 1;
+}
+
+// SearchPluginStaticCredentialsResponse is the response type for
+// SearchPluginStaticCredentials
+message SearchPluginStaticCredentialsResponse {
+ // Credentials are the list of credentials matching the requested labels.
+ repeated types.PluginStaticCredentialsV1 credentials = 1;
+}
+
+// NeedsCleanupRequest is the request type for NeedsCleanup.
+message NeedsCleanupRequest {
+ // Type is the plugin type. We only need the string representation of the
+ // plugin type and not the PluginType message, as we don't want the oauth
+ // client ID here.
+ string type = 1;
+}
+
+// NeedsCleanupResponse is the response type for NeedsCleanup.
+message NeedsCleanupResponse {
+ // NeedsCleanup will be set to true if the plugin needs cleanup.
+ bool needs_cleanup = 1;
+
+ // ResourcesToCleanup are the resources that need to be cleaned up.
+ repeated types.ResourceID resources_to_cleanup = 2;
+
+ // PluginActive returns true if the plugin is currently active.
+ bool plugin_active = 3;
+}
+
+// CleanupRequest is the request type for NeedsCleanup.
+message CleanupRequest {
+ // Type is the plugin type. We only need the string representation of the
+ // plugin type and not the PluginType message, as we don't want the oauth
+ // client ID here.
+ string type = 1;
+}
+
+// PluginService provides CRUD operations for Plugin resources.
+service PluginService {
+ // CreatePlugin creates a new plugin instance.
+ rpc CreatePlugin(CreatePluginRequest) returns (google.protobuf.Empty);
+
+ // GetPlugin returns a plugin instance by name.
+ rpc GetPlugin(GetPluginRequest) returns (types.PluginV1);
+
+ // UpdatePlugin updates a plugin instance.
+ rpc UpdatePlugin(UpdatePluginRequest) returns (types.PluginV1);
+
+ // DeletePlugin removes the specified plugin instance.
+ rpc DeletePlugin(DeletePluginRequest) returns (google.protobuf.Empty);
+
+ // ListPlugins returns a paginated view of plugin instances.
+ rpc ListPlugins(ListPluginsRequest) returns (ListPluginsResponse);
+
+ // SetPluginCredentials sets the credentials for the given plugin.
+ rpc SetPluginCredentials(SetPluginCredentialsRequest) returns (google.protobuf.Empty);
+
+ // SetPluginCredentials sets the status for the given plugin.
+ rpc SetPluginStatus(SetPluginStatusRequest) returns (google.protobuf.Empty);
+
+ // GetAvailablePluginTypes returns the types of plugins
+ // that the auth server supports onboarding.
+ rpc GetAvailablePluginTypes(GetAvailablePluginTypesRequest) returns (GetAvailablePluginTypesResponse);
+
+ // SearchPluginStaticCredentials returns static credentials that are searched
+ // for. Only accessible by RoleAdmin and, in the case of Teleport Assist,
+ // RoleProxy.
+ rpc SearchPluginStaticCredentials(SearchPluginStaticCredentialsRequest) returns (SearchPluginStaticCredentialsResponse);
+
+ // NeedsCleanup will indicate whether a plugin of the given type needs cleanup
+ // before it can be created.
+ rpc NeedsCleanup(NeedsCleanupRequest) returns (NeedsCleanupResponse);
+
+ // Cleanup will clean up the resources for the given plugin type.
+ rpc Cleanup(CleanupRequest) returns (google.protobuf.Empty);
+}
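Review bot: The `with_secrets` field on GetPluginRequest and ListPluginsRequest asks the server to include plugin credentials, yet its comment says nothing about who may set it, whereas SearchPluginStaticCredentials explicitly documents its RoleAdmin/RoleProxy restriction; since this proto is the contract crdgen and API consumers read, the expectation belongs on the field, e.g. `// WithSecrets indicates whether plugin secrets (credentials) are requested. Requires permission to read plugin secrets; callers without it should expect the request to be rejected rather than silently redacted — confirm against the auth server's RBAC check.` Two comment slips are also worth fixing: the comment above `rpc SetPluginStatus` reads "SetPluginCredentials sets the status", and the CleanupRequest comment says it is the request type for NeedsCleanup rather than Cleanup. As shown, `map credential_labels = 5;` and `map labels = 1;` carry no `<key, value>` type parameters; if that is a rendering artifact of `map<string, string>` nothing is needed, but as written protoc would reject it. This file is a testdata copy under crdgen, so any of these fixes should land in the canonical api/proto source and be re-copied here.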
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/presence/v1/service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/presence/v1/service.proto
new file mode 100644
index 0000000000000..325d5b68ee093
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/presence/v1/service.proto
@@ -0,0 +1,117 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.presence.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/presence/v1;presencev1";
+
+// PresenceService provides methods to manage presence of RemoteClusters
+service PresenceService {
+ // GetRemoteCluster retrieves a RemoteCluster by name.
+ rpc GetRemoteCluster(GetRemoteClusterRequest) returns (types.RemoteClusterV3);
+ // ListRemoteClusters retrieves a page of RemoteClusters.
+ rpc ListRemoteClusters(ListRemoteClustersRequest) returns (ListRemoteClustersResponse);
+ // UpdateRemoteCluster updates an existing RemoteCluster.
+ rpc UpdateRemoteCluster(UpdateRemoteClusterRequest) returns (types.RemoteClusterV3);
+ // DeleteRemoteCluster removes an existing RemoteCluster by name.
+ rpc DeleteRemoteCluster(DeleteRemoteClusterRequest) returns (google.protobuf.Empty);
+
+ // ListReverseTunnels retrieves a page of ReverseTunnels.
+ rpc ListReverseTunnels(ListReverseTunnelsRequest) returns (ListReverseTunnelsResponse);
+ // UpsertReverseTunnel upserts a ReverseTunnel.
+ rpc UpsertReverseTunnel(UpsertReverseTunnelRequest) returns (types.ReverseTunnelV2);
+ // DeleteReverseTunnel removes an existing ReverseTunnel by name.
+ rpc DeleteReverseTunnel(DeleteReverseTunnelRequest) returns (google.protobuf.Empty);
+}
+
+// Request for GetRemoteCluster
+message GetRemoteClusterRequest {
+ // Name is the name of the RemoteCluster to retrieve.
+ string name = 1;
+}
+
+// Request for ListRemoteClusters
+message ListRemoteClustersRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+
+ // The page_token is the next_page_token value returned from a previous List
+ // request, if any.
+ string page_token = 2;
+}
+
+// Response for ListRemoteClusters
+message ListRemoteClustersResponse {
+ // RemoteClusters is the list of RemoteClusters that were retrieved.
+ repeated types.RemoteClusterV3 remote_clusters = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// Request for UpdateRemoteCluster
+message UpdateRemoteClusterRequest {
+ // RemoteCluster is the RemoteCluster to update.
+ types.RemoteClusterV3 remote_cluster = 1;
+ // The update mask applied to the RemoteCluster.
+ // Fields are masked according to their proto name.
+ google.protobuf.FieldMask update_mask = 2;
+}
+
+// Request for DeleteRemoteCluster
+message DeleteRemoteClusterRequest {
+ // Name is the name of the RemoteCluster to delete.
+ string name = 1;
+}
+
+// Request for ListReverseTunnels
+message ListReverseTunnelsRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+
+ // The page_token is the next_page_token value returned from a previous List
+ // request, if any.
+ string page_token = 2;
+}
+
+// Response for ListReverseTunnels
+message ListReverseTunnelsResponse {
+ // ReverseTunnels is the list of ReverseTunnels that were retrieved.
+ repeated types.ReverseTunnelV2 reverse_tunnels = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// Request for UpsertReverseTunnel
+message UpsertReverseTunnelRequest {
+ // ReverseTunnel is the ReverseTunnel to upsert.
+ types.ReverseTunnelV2 reverse_tunnel = 1;
+}
+
+// Request for DeleteReverseTunnel
+message DeleteReverseTunnelRequest {
+ // Name is the name of the ReverseTunnel to delete.
+ string name = 1;
+}
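Review bot: UpdateRemoteClusterRequest documents that `update_mask` paths use proto field names but not what an empty or absent mask means, which is the case an operator reconciler is most likely to hit; whether it is a full replace or a no-op is not inferable from the proto. Suggest stating it on the field, e.g. `// If the mask is empty or unset, the server's default applies (full replace vs. no-op) — document which once confirmed against the implementation.` The same clarification is not needed for UpsertReverseTunnel, which has no mask and is a whole-resource write by definition.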
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/provisioning/v1/provisioning.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/provisioning/v1/provisioning.proto
new file mode 100644
index 0000000000000..4f1e8e0686d70
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/provisioning/v1/provisioning.proto
@@ -0,0 +1,119 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.provisioning.v1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/provisioning/v1;provisioningv1";
+
+// PrincipalState describes the provisioning state of a Teleport user in a
+// downstream system
+message PrincipalState {
+ string kind = 1;
+ string sub_kind = 2;
+ string version = 3;
+ teleport.header.v1.Metadata metadata = 4;
+ PrincipalStateSpec spec = 5;
+ PrincipalStateStatus status = 6;
+}
+
+// ProvisioningState indicates the current stage of the provisioning pipeline a
+// resource is in.
+enum ProvisioningState {
+ // PROVISIONING_STATE_UNSPECIFIED is the `unset` default value. This should
+ // never be used in practice.
+ PROVISIONING_STATE_UNSPECIFIED = 0;
+
+ // PROVISIONING_STATE_STALE indicates that Teleport has detected a change in
+ // the principal resource, but that has not yet been reflected in the
+ // downstream system.
+ PROVISIONING_STATE_STALE = 1;
+
+ // PROVISIONING_STATE_PROVISIONED indicates that the principal has been synced
+ // with the downstram system and no further work is necessary.
+ PROVISIONING_STATE_PROVISIONED = 2;
+
+ // PROVISIONING_STATE_DELETED indicates that the principal has been deleted in
+ // Teleport, and must be de-provisioned in the downstream system and the
+ // provisioning state record deleted.
+ PROVISIONING_STATE_DELETED = 3;
+}
+
+// PrincipalType indicates the type of principal represented by a PrincipalState
+enum PrincipalType {
+ // PRINCIPAL_TYPE_UNSPECIFIED is the `unset` default value. This should
+ // never be used in practice.
+ PRINCIPAL_TYPE_UNSPECIFIED = 0;
+
+ // PRINCIPAL_TYPE_USER indicates that the target principal is a Teleport user
+ PRINCIPAL_TYPE_USER = 1;
+
+ // PRINCIPAL_TYPE_USER indicates that the target principal is a Teleport
+ // Access List
+ PRINCIPAL_TYPE_ACCESS_LIST = 2;
+}
+
+// PrincipalStateSpec describes the current state of a provisioning operation. It
+// serves as a Teleport-local record of the downstream state.
+message PrincipalStateSpec {
+ // DownstreamId identifies the downstream service that this state applies to.
+ string downstream_id = 1;
+
+ // PrincipalType identifies what kind of principal this state applies to, either
+ // a User or a Group (i.e. AccessList)
+ PrincipalType principal_type = 2;
+
+ // PrincipalId identifies the Teleport User or Access List that this state
+ // applies to
+ string principal_id = 3;
+}
+
+// PrincipalStateStatus contains the runtime-writable status block for the
+// PrincipalState resource
+message PrincipalStateStatus {
+ // Renamed status value (and it's type) to "provisioning_state" for clarity
+ reserved "status";
+ reserved 1;
+
+ // ProvisioningState indicates the resource's current state in the
+ // provisioning process state machine.
+ ProvisioningState provisioning_state = 5;
+
+ // ExternalID holds the ID used by the downstream system to represent this
+ // principal
+ string external_id = 2;
+
+ // LastProvisioned records the last time this record was provisioined into
+ // the downstream system.
+ google.protobuf.Timestamp last_provisioned = 3;
+
+ // Error holds a description of the last provisioing error, if any.
+ string error = 4;
+
+ // Revision holds the revision of the principal record provisioned into the
+ // downstream system. Used to assert that the latest revision of the principal
+ // is provisioned downstream and detect changes in the principal that require
+ // re-provisoning.
+ string provisioned_principal_revision = 6;
+
+ // ActiveLocks holds the list of known active locks on the principal. Used to
+ // store the lock state across restarts of Teleport in order to detect state
+ // changes that may happen while Teleport is not running (e.g. a storage
+ // backend deleting an expired lock record while Teleport is offline)
+ repeated string active_locks = 7;
+}
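Review bot: The comment on `PRINCIPAL_TYPE_ACCESS_LIST = 2;` was copy-pasted from the USER value and still reads "PRINCIPAL_TYPE_USER indicates that the target principal is a Teleport Access List"; it should read `// PRINCIPAL_TYPE_ACCESS_LIST indicates that the target principal is a Teleport Access List`. The six fields of the top-level PrincipalState message (`kind`, `sub_kind`, `version`, `metadata`, `spec`, `status`) have no comments at all, unlike every other field in the file; crdgen turns these comments into user-facing CRD docs, so at least a one-line description per field is worth adding. Minor spelling in comments: "downstram", "provisioined", "provisioing", "re-provisoning", and "it's type" should be "its type". As this is a testdata copy, the edits belong in the canonical proto first.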
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/provisioning/v1/provisioning_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/provisioning/v1/provisioning_service.proto
new file mode 100644
index 0000000000000..a477786bd0698
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/provisioning/v1/provisioning_service.proto
@@ -0,0 +1,34 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.provisioning.v1;
+
+import "google/protobuf/empty.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/provisioning/v1;provisioningv1";
+
+// ProvisioningService provides methods to manage Provisioning resources.
+service ProvisioningService {
+ // DeleteDownstreamProvisioningStates deletes all Identity Center provisioning state for a given downstream.
+ rpc DeleteDownstreamProvisioningStates(DeleteDownstreamProvisioningStatesRequest) returns (google.protobuf.Empty);
+}
+
+// DeleteDownstreamProvisioningStatesRequest is a request to delete all provisioning states for
+// a given DownstreamId.
+message DeleteDownstreamProvisioningStatesRequest {
+ // DownstreamId identifies the downstream service that this state applies to.
+ string downstream_id = 1;
+}
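Review bot: DeleteDownstreamProvisioningStates is a bulk delete keyed only by `downstream_id`, and the field comment ("identifies the downstream service that this state applies to") was copied from PrincipalStateSpec rather than describing the request; nothing in the proto says what an empty `downstream_id` does. A bulk delete that matched every downstream on an empty key would be a costly mistake, so the contract should say so on the field, e.g. `// DownstreamId selects the downstream whose provisioning states are deleted. Must be non-empty; the server is expected to reject an empty value rather than match all downstreams — confirm against the implementation.` The service comment also names "Identity Center" specifically while the request message is generic; aligning the two avoids implying the RPC is scoped narrower than it is.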
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/access_requests.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/access_requests.proto
new file mode 100644
index 0000000000000..f1b14aa1fe7f2
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/access_requests.proto
@@ -0,0 +1,28 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.resourceusage.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/resourceusage/v1;resourceusagev1";
+
+// AccessRequestsUsage defines the usage limits for access requests.
+// Usage is limited on the basis of access requests used per calendar month.
+message AccessRequestsUsage {
+ // MonthlyLimit is the amount of requests that are allowed per month
+ int32 monthly_limit = 1;
+ // MonthlyUsed is the amount of requests that have been used this month
+ int32 monthly_used = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/account_usage_type.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/account_usage_type.proto
new file mode 100644
index 0000000000000..8670419ecd9f6
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/account_usage_type.proto
@@ -0,0 +1,27 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.resourceusage.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/resourceusage/v1;resourceusagev1";
+
+// AccountUsageType is the type of the underlying account, either limitless or
+// limit-based.
+enum AccountUsageType {
+ ACCOUNT_USAGE_TYPE_UNSPECIFIED = 0;
+ ACCOUNT_USAGE_TYPE_UNLIMITED = 1;
+ ACCOUNT_USAGE_TYPE_USAGE_BASED = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/device_trust.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/device_trust.proto
new file mode 100644
index 0000000000000..a6cf8ce81c136
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/device_trust.proto
@@ -0,0 +1,31 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.resourceusage.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/resourceusage/v1;resourceusagev1";
+
+// DevicesUsage holds aggregated information about trusted device usage.
+message DevicesUsage {
+ // Devices usage limit.
+ // Always zero if the account usage type is ACCOUNT_USAGE_TYPE_UNLIMITED.
+ int32 devices_usage_limit = 1;
+
+ // Devices in use.
+ // May be greater than [devices_usage_limit] in some cases.
+ // Always zero if the account usage type is ACCOUNT_USAGE_TYPE_UNLIMITED.
+ int32 devices_in_use = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/resourceusage_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/resourceusage_service.proto
new file mode 100644
index 0000000000000..5952ba0393910
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/resourceusage/v1/resourceusage_service.proto
@@ -0,0 +1,45 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.resourceusage.v1;
+
+import "teleport/resourceusage/v1/access_requests.proto";
+import "teleport/resourceusage/v1/account_usage_type.proto";
+import "teleport/resourceusage/v1/device_trust.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/resourceusage/v1;resourceusagev1";
+
+// ResourceUsageService is a service to fetch information about the usage of limited resources on usage-billed plans.
+service ResourceUsageService {
+ // GetUsage returns usage information for all limited resources.
+ rpc GetUsage(GetUsageRequest) returns (GetUsageResponse);
+}
+
+// GetUsageRequest is the request for GetUsage.
+message GetUsageRequest {}
+
+// GetUsageResponse is the response for GetUsage.
+message GetUsageResponse {
+ AccessRequestsUsage access_requests = 1;
+
+ // Usage type of the underlying account.
+ // UNLIMITED accounts have no usage limits, therefore any numbers should be
+ // disconsidered for those accounts.
+ AccountUsageType account_usage_type = 2;
+
+ // DevicesUsage contains limits for trusted devices / Device Trust.
+ DevicesUsage devices_usage = 3;
+}
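Review bot: `AccessRequestsUsage access_requests = 1;` in GetUsageResponse is the only undocumented field in the message, and crdgen emits these comments into the reference docs; suggest `// AccessRequestsUsage contains limits and current usage for access requests.` The wording "any numbers should be disconsidered" on `account_usage_type` is not standard English — "disregarded" reads cleanly. No functional concerns with the hunk.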
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/samlidp/v1/samlidp.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/samlidp/v1/samlidp.proto
new file mode 100644
index 0000000000000..de50371658f0c
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/samlidp/v1/samlidp.proto
@@ -0,0 +1,84 @@
+// Copyright 2021-2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.samlidp.v1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/legacy/client/proto/authservice.proto";
+import "teleport/legacy/types/types.proto";
+import "teleport/legacy/types/wrappers/wrappers.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/samlidp/v1;samlidpv1";
+
+// ProcessSAMLIdPRequestRequest is a request to create and sign the SAML IdP response
+// to a SAML IdP auth request.
+message ProcessSAMLIdPRequestRequest {
+ // destination is the destination of the response.
+ string destination = 1;
+ // request_id is the request ID.
+ string request_id = 2;
+ // request_time is the time the request was made.
+ google.protobuf.Timestamp request_time = 3;
+ // Metadata_url is the metadata URL of the SAML IdP.
+ string metadata_url = 4;
+ // signature_method is the signature method to use.
+ string signature_method = 5;
+ // assertion is the SAML assertion to sign.
+ bytes assertion = 6;
+ // service_provider_sso_descriptor is the raw bytes of the service provider's SSO descriptor.
+ bytes service_provider_sso_descriptor = 7;
+ // mfa_response is an mfa challenge response used to verify the user.
+ proto.MFAAuthenticateResponse mfa_response = 8;
+}
+
+// ProcessSAMLIdPRequestResponse is a response to processing the SAML IdP auth request.
+message ProcessSAMLIdPRequestResponse {
+ // response is the SAML response.
+ bytes response = 1;
+}
+
+// SAMLIdPService provides utility methods for the SAML identity provider.
+service SAMLIdPService {
+ // ProcessSAMLIdPRequest processes the SAML auth request.
+ rpc ProcessSAMLIdPRequest(ProcessSAMLIdPRequestRequest) returns (ProcessSAMLIdPRequestResponse);
+ // TestSAMLIdPAttributeMapping tests SAML attribute mapping configuration.
+ rpc TestSAMLIdPAttributeMapping(TestSAMLIdPAttributeMappingRequest) returns (TestSAMLIdPAttributeMappingResponse);
+}
+
+// TestSAMLIdPAttributeMappingRequest is a request to test attribute mapping.
+message TestSAMLIdPAttributeMappingRequest {
+ // service_provider is a SAML service provider with attribute mapping.
+ types.SAMLIdPServiceProviderV1 service_provider = 1;
+ // users is a list of users whose details will be used
+ // to evaluate attribute mapping.
+ repeated types.UserV2 users = 2;
+}
+
+// TestSAMLIdPAttributeMappingResponse is a response to attribute mapping test request.
+message TestSAMLIdPAttributeMappingResponse {
+ // mapped_attributes is the result of attribute mapping evaluation.
+ repeated MappedAttribute mapped_attributes = 1;
+}
+
+// MappedAttribute is a result of attribute mapping with username
+// of a user whose username, role and traits are used for evaluation.
+message MappedAttribute {
+ // username is username of user whose detail is used for attribute mapping.
+ string username = 1;
+ // mapped_values is a result of attribute mapping where key is requested
+ // attribute name and value is result of evaluated predicate expression.
+ map mapped_values = 2;
+}
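Review bot: ProcessSAMLIdPRequestRequest carries the three inputs that decide the security of the signed SAML response — `destination`, `signature_method`, and the raw `service_provider_sso_descriptor` bytes — but none of their comments state any constraint, and the proto alone does not show whether the auth server validates them. Since this is the contract consumers read, the expectations belong on the fields: `// signature_method is the XML-DSig signature method URI; only algorithms supported by the server are accepted and legacy/weak ones are expected to be rejected — confirm against the SAML IdP implementation.`, `// destination is the SP assertion consumer URL; expected to match an ACS URL registered for the service provider rather than an arbitrary caller-supplied value — confirm.`, and for the descriptor bytes a note that they are parsed as XML server-side, so the parser must run with external entity resolution disabled. The `Metadata_url` comment should also be lower-case `metadata_url` to match the field and the rest of the file. Any changes belong in the canonical api/proto source, with this testdata copy regenerated from it.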
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/scim/v1/scim_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/scim/v1/scim_service.proto
new file mode 100644
index 0000000000000..dbdd26beeb6ca
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/scim/v1/scim_service.proto
@@ -0,0 +1,150 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.scim.v1;
+
+import "google/protobuf/empty.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/scim/v1;scimv1";
+
+// SCIMService implements a SCIM gateway for external IDPs for user provisioning
+service SCIMService {
+ // List fetches all (or a subset of all) resources resources of a given type
+ rpc ListSCIMResources(ListSCIMResourcesRequest) returns (ResourceList);
+
+ // GetSCIMResource fetches a single SCIM resource from the server by name
+ rpc GetSCIMResource(GetSCIMResourceRequest) returns (Resource);
+
+ // CreateSCIResource creates a new SCIM resource based on a supplied
+ // resource description
+ rpc CreateSCIMResource(CreateSCIMResourceRequest) returns (Resource);
+
+ // UpdateResource handles a request to update a resource, returning a
+ // representation of the updated resource
+ rpc UpdateSCIMResource(UpdateSCIMResourceRequest) returns (Resource);
+
+ // DeleteSCIMResource deletes a SCIM-managed resource
+ rpc DeleteSCIMResource(DeleteSCIMResourceRequest) returns (google.protobuf.Empty);
+}
+
+// ListSCIMResourcesRequest represents a request to fetch multiple resources
+message ListSCIMResourcesRequest {
+ // Target describes the set of requested by the client, vy integration and
+ // resource type.
+ RequestTarget target = 1;
+
+ // Page is an optional request to retrieve a page of results. Returns all
+ // appropriate results if not set.
+ Page page = 2;
+
+ // Filter is an optional filter to apply to any retrieved results.
+ string filter = 3;
+}
+
+// GetSCIMResourceRequest describes a request to fetch a specific resource
+message GetSCIMResourceRequest {
+ // Target is the owner, type and ID if the resource targeted by the request.
+ RequestTarget target = 1;
+}
+
+// CreateSCIMResourceRequest contains a request for the SCIM server to create a
+// new resource
+message CreateSCIMResourceRequest {
+ // Target is the owner & type of the resource targeted by the request.
+ RequestTarget target = 1;
+
+ // Resource describes the resource to be created
+ Resource resource = 2;
+}
+
+// UpdateSCIMResourceRequest describes an update to a given resource
+message UpdateSCIMResourceRequest {
+ // Target is the owner, type and ID if the resource targeted by the request.
+ RequestTarget target = 1;
+
+ // Resource is a representation of the updated resource that the server needs
+ // to conform with
+ Resource resource = 2;
+}
+
+// DeleteSCIMResourceRequest describes a request to delete a SCIM-mamanged
+// resource
+message DeleteSCIMResourceRequest {
+ // Target is the owner, type and ID if the resource targeted by the request.
+ RequestTarget target = 1;
+}
+
+// Resource represents an arbitrary SCIM resource, as per RFC7643
+// Section 3.1.
+//
+// See https://datatracker.ietf.org/doc/html/rfc7643#section-3.1
+message Resource {
+ repeated string schemas = 1;
+ string id = 2;
+ string external_id = 3;
+ Meta meta = 4;
+ google.protobuf.Struct attributes = 5;
+}
+
+// Meta holds resource metadata as per RFC7643 Section 3.1.
+//
+// See https://datatracker.ietf.org/doc/html/rfc7643#section-3.1
+message Meta {
+ string resource_type = 1;
+ google.protobuf.Timestamp created = 2;
+ google.protobuf.Timestamp modified = 3;
+ string location = 4;
+ string version = 5;
+}
+
+// ResourceList encapsulates a list of resources as per RFC7644
+// Section 3.4.2
+//
+// See https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2
+message ResourceList {
+ int32 total_results = 1;
+ int32 start_index = 2;
+ int32 items_per_page = 3;
+ repeated Resource resources = 4;
+}
+
+// RequestTarget describes the target resource set of a given request. Common to
+// all request types.
+message RequestTarget {
+ // Authorization is the contents of the HTTP Authorization header supplied by
+ // the SCIM client, used to authenticate the request against the targeted
+ // interation.
+ string authorization = 1;
+
+ // PluginID is the name of the integration to interact with
+ string plugin_id = 2;
+
+ // ResourceType is the name of the type of resource to interact with.
+ // Expecting either "User" or "Group"
+ string resource_type = 3;
+
+ // ResourceID is the name of a specific resource to interact with. If blank,
+ // treat the request as a bulk query
+ string resource_id = 4;
+}
+
+// Page represents an optional range to set in GET request
+message Page {
+ uint64 start_index = 1;
+ uint64 count = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/secreports/v1/secreports.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/secreports/v1/secreports.proto
new file mode 100644
index 0000000000000..9088dedf1e02d
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/secreports/v1/secreports.proto
@@ -0,0 +1,79 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.secreports.v1;
+
+import "teleport/header/v1/resourceheader.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/secreports/v1;secreportsv1";
+
+// AuditQuery is audit query resource.
+message AuditQuery {
+ // header is the header for //the resource.
+ teleport.header.v1.ResourceHeader header = 1;
+ // spec is audit query spec.
+ AuditQuerySpec spec = 2;
+}
+
+// AuditQuerySpec is audit query spec.
+message AuditQuerySpec {
+ // name is the name of the audit query.
+ string name = 1;
+ // title is the title of the audit query.
+ string title = 2;
+ // query is the SQL Query for the audit query.
+ string query = 3;
+ // description is the description of the audit query.
+ string description = 4;
+}
+
+// Report is security report resource.
+message Report {
+ // header is the header for the resource.
+ teleport.header.v1.ResourceHeader header = 1;
+ // spec is the security report spec.
+ ReportSpec spec = 2;
+}
+
+// ReportSpec is security report spec.
+message ReportSpec {
+ // name is the name of the security report.
+ string name = 1;
+ // title is the title of the security report.
+ string description = 2;
+ // description is the description of the security report
+ repeated AuditQuerySpec audit_queries = 3;
+ // title is the title of the security report.
+ string title = 4;
+ // version is the version of the security report.
+ string version = 5;
+}
+
+// ReportState is security report state resource.
+message ReportState {
+ // header is the header for the resource.
+ teleport.header.v1.ResourceHeader header = 1;
+ // spec is the security report state spec.
+ ReportStateSpec spec = 2;
+}
+
+// ReportStateSpec is security report state spec.
+message ReportStateSpec {
+ // state is the state of the security report.
+ string state = 1;
+ // updated_at is the time when the security report state was updated.
+ string updated_at = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/secreports/v1/secreports_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/secreports/v1/secreports_service.proto
new file mode 100644
index 0000000000000..1aa243f5d588d
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/secreports/v1/secreports_service.proto
@@ -0,0 +1,293 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.secreports.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/header/v1/resourceheader.proto";
+import "teleport/secreports/v1/secreports.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/secreports/v1;secreportsv1";
+
+// SecReportsService is a service that manages security reports.
+service SecReportsService {
+ // UpsertAuditQuery upsets an audit query.
+ rpc UpsertAuditQuery(UpsertAuditQueryRequest) returns (google.protobuf.Empty);
+ // GetAuditQuery returns an audit query.
+ rpc GetAuditQuery(GetAuditQueryRequest) returns (AuditQuery);
+ // ListAuditQueries returns a paginated list of all Okta import rule resources.
+ rpc ListAuditQueries(ListAuditQueriesRequest) returns (ListAuditQueriesResponse);
+ // DeleteAuditQuery deletes an audit query.
+ rpc DeleteAuditQuery(DeleteAuditQueryRequest) returns (google.protobuf.Empty);
+
+ // UpsertReport upsets a report.
+ rpc UpsertReport(UpsertReportRequest) returns (google.protobuf.Empty);
+ // GetReport returns a report.
+ rpc GetReport(GetReportRequest) returns (Report);
+ // ListReports returns a paginated list of all Okta import rule resources.
+ rpc ListReports(ListReportsRequest) returns (ListReportsResponse);
+ // DeleteReport deletes a security report.
+ rpc DeleteReport(DeleteReportRequest) returns (google.protobuf.Empty);
+
+ // RunAuditQuery runs an audit query.
+ rpc RunAuditQuery(RunAuditQueryRequest) returns (RunAuditQueryResponse);
+ // GetAuditQueryResult returns an audit query result.
+ rpc GetAuditQueryResult(GetAuditQueryResultRequest) returns (GetAuditQueryResultResponse);
+
+ // RunReport runs a security report.
+ rpc RunReport(RunReportRequest) returns (google.protobuf.Empty);
+ // GetReportResult returns a security report result.
+ rpc GetReportResult(GetReportResultRequest) returns (GetReportResultResponse);
+ // GetReportState returns a security report state.
+ rpc GetReportState(GetReportStateRequest) returns (ReportState);
+
+ // GetSchema returns a schema of audit query.
+ rpc GetSchema(GetSchemaRequest) returns (GetSchemaResponse);
+}
+
+// GetAuditQueryResultRequest is a request for GetAuditQueryResult.
+message GetAuditQueryResultRequest {
+ // result_id is a unique id of the result.
+ string result_id = 1;
+ // next_token is a token for pagination.
+ string next_token = 2;
+ // max_results is a maximum number of results to return.
+ int32 max_results = 3;
+}
+
+// QueryResultColumnInfo is a column info.
+message QueryResultColumnInfo {
+ // name is name of the column.
+ string name = 1;
+ // type is type of the column.
+ string type = 2;
+}
+
+// QueryRowResult is a row result.
+message QueryRowResult {
+ // data is a list of values.
+ repeated string data = 1;
+}
+
+// QueryResultSet is a result set.
+message QueryResultSet {
+ // column_info contains information about columns.
+ repeated QueryResultColumnInfo column_info = 1;
+ // rows is a list of rows containing values.
+ repeated QueryRowResult rows = 2;
+}
+
+// GetAuditQueryResultResponse contains an audit query result.
+message GetAuditQueryResultResponse {
+ // result is a result set.
+ QueryResultSet result = 1;
+ // next_token is a token for pagination.
+ string next_token = 2;
+ // result_id is a unique id of the result.
+ string result_id = 3;
+}
+
+// RunReportRequest is a request for RunReport.
+message RunReportRequest {
+ // name is a name of the security report.
+ string name = 1;
+ // days is a time range is days.
+ uint32 days = 2;
+}
+
+// GetStateRequest is a request for GetReportState.
+message GetReportStateRequest {
+ // name is a name of the security report.
+ string name = 1;
+ // days is a time range is days.
+ uint32 days = 2;
+}
+
+// DeleteAuditQueryRequest is audit query delete request.
+message DeleteAuditQueryRequest {
+ // name is the name of the audit query to delete.
+ string name = 1;
+}
+
+// DeleteReportRequest is security report delete request.
+message DeleteReportRequest {
+ // name is the name of the security report to delete.
+ string name = 1;
+}
+
+// RunAuditQueryRequest is audit query run request.
+message RunAuditQueryRequest {
+ // name is the name of the audit query to run.
+ string query = 1;
+ // days is a time range is days.
+ int32 days = 2;
+}
+
+// UpsertAuditQueryRequest is audit query upsert request.
+message UpsertAuditQueryRequest {
+ // audit_query is the audit query to upsert.
+ AuditQuery audit_query = 1;
+}
+
+// UpsertReportRequest is security report upsert request.
+message UpsertReportRequest {
+ // report is the security report to upsert.
+ Report report = 1;
+}
+
+// GetAuditQueryRequest is audit query get request.
+message GetAuditQueryRequest {
+ // name is the name of the audit query to get.
+ string name = 1;
+}
+
+// GetReportRequest is security report get request.
+message GetReportRequest {
+ // name is the name of the security report to get.
+ string name = 1;
+}
+
+// GetReportResultRequest is report get request.
+message GetReportResultRequest {
+ // name is the name of the security report to get.
+ string name = 1;
+ // days is a time range is days.
+ uint32 days = 2;
+ // execution_id is a unique id of the execution.
+ string execution_id = 3;
+}
+
+// ListAuditQueriesRequest is audit query list request.
+message ListAuditQueriesRequest {
+ // page_size is the number of results to return.
+ int32 page_size = 1;
+ // page_token is the next_token value returned from a previous List request if any.
+ string page_token = 2;
+}
+
+// ListAuditQueryResponse is audit query list response.
+message ListReportsRequest {
+ // page_size is the number of results to return.
+ int32 page_size = 1;
+ // page_token is the next_token value returned from a previous List request if any.
+ string page_token = 2;
+}
+
+// ListAuditQueriesResponse is audit query list response.
+message ListAuditQueriesResponse {
+ // queries is a list of audit queries.
+ repeated AuditQuery queries = 1;
+ // next_page_token is the next page token. If there are no more results, it will be empty.
+ string next_page_token = 2;
+}
+
+// GetSchemaRequest is a request for GetSchema.
+message GetSchemaRequest {}
+
+// GetSchemaResponse is a response for GetSchema.
+message GetSchemaResponse {
+ // ViewDesc is a description of view.
+ message ViewDesc {
+ // ColumnDesc is a description of column.
+ message ColumnDesc {
+ // name is the name of the column.
+ string name = 1;
+ // type is the type of the column.
+ string type = 2;
+ // desc is the description of the column.
+ string desc = 3;
+ }
+ // name is the name of the view.
+ string name = 1;
+ // desc is the description of the view.
+ string desc = 2;
+ // columns is the list of columns.
+ repeated ColumnDesc columns = 3;
+ }
+ // views is the list of views.
+ repeated ViewDesc views = 1;
+}
+
+// RunAuditQueryResponse is audit query run response.
+message RunAuditQueryResponse {
+ // result_id is a unique id of the result.
+ string result_id = 1;
+}
+
+// ListReportResponse is security report list response.
+message ListReportsResponse {
+ // reports is a list of security reports.
+ repeated Report reports = 1;
+ // next_page_token is the next page token. If there are no more results, it will be empty.
+ string next_page_token = 2;
+}
+
+// GetReportResultResponse is report result get response.
+message GetReportResultResponse {
+ // result is a report execution result.
+ ReportResult result = 1;
+}
+
+// Report is the result of security report.
+message ReportResult {
+ // name is a name of the security report.
+ string name = 1;
+ // description is a description of the security report.
+ string description = 2;
+ // AuditQueryResult is a result of audit query.
+ message AuditQueryResult {
+ // audit_query is the audit query spec containing information about audit query.
+ AuditQuerySpec audit_query = 1;
+ // result is the result set.
+ QueryResultSet result = 2;
+ // result_id is a unique id of the result.
+ string result_id = 3;
+ // execution_time_in_millis is a time in milliseconds when the audit query was executed.
+ int64 execution_time_in_millis = 4;
+ // data_scanned_in_bytes is a number of bytes scanned.
+ int64 data_scanned_in_bytes = 5;
+ }
+ // audit_query_results is a list of audit query results.
+ repeated AuditQueryResult audit_query_results = 3;
+ // updated_at is a time when the security report was updated.
+ string updated_at = 4;
+
+ // total_execution_time_in_millis is a time in milliseconds when the security report was executed.
+ int64 total_execution_time_in_millis = 5;
+ // total_data_scanned_in_bytes is a number of bytes scanned.
+ int64 total_data_scanned_in_bytes = 6;
+}
+
+// Report is a security report.
+message ReportSate {
+ // name is a name of the security report.
+ enum State {
+ // STATE_UNSPECIFIED is an unspecified state.
+ STATE_UNSPECIFIED = 0;
+ // STATE_ERROR is an error state.
+ STATE_ERROR = 1;
+ // STATE_SUCCESS is a success state.
+ STATE_SUCCESS = 2;
+ // STATE_RUNNING is a running state.
+ STATE_RUNNING = 3;
+ }
+ // header is a resource header.
+ teleport.header.v1.ResourceHeader header = 1;
+ // state is a state of the security report.
+ State state = 2;
+ // updated_at is a time when the security report state was updated.
+ string updated_at = 3;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/stableunixusers/v1/stableunixusers.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/stableunixusers/v1/stableunixusers.proto
new file mode 100644
index 0000000000000..96563bb1d4d26
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/stableunixusers/v1/stableunixusers.proto
@@ -0,0 +1,70 @@
+// Copyright 2025 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.stableunixusers.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/stableunixusers/v1;stableunixusersv1";
+
+// contains the RPCs related to the stable UNIX users functionality
+service StableUNIXUsersService {
+ // returns the assigned stable UID for a given UNIX username, assigning one
+ // from the configured UID range if necessary; if the feature is disabled or
+ // the available UID range is full the returned error will be
+ // RESOURCE_EXHAUSTED (i.e. trace.LimitExceededError), whereas an error caused
+ // by high concurrent access to the storage will be (incorrectly, alas)
+ // signaled by a FAILED_PRECONDITION error (i.e. trace.CompareFailedError)
+ rpc ObtainUIDForUsername(ObtainUIDForUsernameRequest) returns (ObtainUIDForUsernameResponse) {
+ option idempotency_level = IDEMPOTENT;
+ }
+
+ // returns a page of username/UID pairs from the collection of stable UID assignments
+ rpc ListStableUNIXUsers(ListStableUNIXUsersRequest) returns (ListStableUNIXUsersResponse) {
+ option idempotency_level = NO_SIDE_EFFECTS;
+ }
+}
+
+// request message for ObtainUIDForUsername
+message ObtainUIDForUsernameRequest {
+ string username = 1;
+}
+
+// response message for ObtainUIDForUsername
+message ObtainUIDForUsernameResponse {
+ int32 uid = 1;
+}
+
+// request message for ListStableUNIXUsers
+message ListStableUNIXUsersRequest {
+ // if left unset, the page size will default to a reasonable value chosen by
+ // the server
+ int32 page_size = 1;
+ // if unset or blank, the rpc will return the first page
+ string page_token = 2;
+}
+
+// a pair of stable UNIX username and UID
+message StableUNIXUser {
+ string username = 1;
+ int32 uid = 2;
+}
+
+// response message for ListStableUNIXUsers
+message ListStableUNIXUsersResponse {
+ repeated StableUNIXUser stable_unix_users = 1;
+ // if empty, the listing has reached the end; otherwise, ListStableUNIXUsers
+ // can be called again with the new page_token to get more data
+ string next_page_token = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/transport/v1/transport_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/transport/v1/transport_service.proto
new file mode 100644
index 0000000000000..850f7e01647c1
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/transport/v1/transport_service.proto
@@ -0,0 +1,132 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.transport.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/transport/v1;transportv1";
+
+// TransportService provides methods to proxy connections to various Teleport instances.
+//
+// All connections are operate on top of a bidirectional stream which transports
+// raw payloads from higher level protocols (i.e. SSH). Clients must send an initial
+// message on the stream to set up the connections accordingly. After the initial
+// request either side may freely send data in any order until the stream is terminated.
+service TransportService {
+ // GetClusterDetails provides cluster information that may affect how transport
+ // should occur.
+ rpc GetClusterDetails(GetClusterDetailsRequest) returns (GetClusterDetailsResponse);
+
+ // ProxySSH establishes an SSH connection to the target host over a bidirectional stream.
+ //
+ // The client must first send a DialTarget before the connection is established. Agent frames
+ // will be populated if SSH Agent forwarding is enabled for the connection. SSH frames contain
+ // raw SSH payload to be processed by an x/crypto/ssh.Client or x/crypto/ssh.Server.
+ rpc ProxySSH(stream ProxySSHRequest) returns (stream ProxySSHResponse);
+
+ // ProxyCluster establishes a connection to the target cluster.
+ //
+ // The client must first send a ProxyClusterRequest with the desired cluster name before the
+ // connection is established. After which the connection can be used to construct a new
+ // auth.Client to the tunneled cluster.
+ rpc ProxyCluster(stream ProxyClusterRequest) returns (stream ProxyClusterResponse);
+}
+
+// Request for ProxySSH
+//
+// In order for proxying to begin the client must send a request with the
+// TargetHost populated. Creating the stream doesn't actually open the SSH connection.
+// Any attempts to exchange frames prior to the client sending a TargetHost message will
+// result in the stream being terminated.
+message ProxySSHRequest {
+ // Contains the information required to dial the target.
+ // Must be populated on the initial request so that SSH connection can be established.
+ TargetHost dial_target = 1;
+ // Payload from SSH/SSH Agent Protocols
+ oneof frame {
+ // Raw SSH payload
+ Frame ssh = 2;
+ // Raw SSH Agent payload, populated for agent forwarding
+ Frame agent = 3;
+ }
+}
+
+// Response for ProxySSH
+//
+// The first response from the server will contain ClusterDetails
+// so that clients may get information about a particular cluster
+// without needing to call GetClusterDetails first. All subsequent
+// response will only contain Frames.
+message ProxySSHResponse {
+ // Cluster information returned *ONLY* with the first frame
+ ClusterDetails details = 1;
+ // Payload from SSH/SSH Agent Protocols
+ oneof frame {
+ // SSH payload
+ Frame ssh = 2;
+ // SSH Agent payload, populated for agent forwarding
+ Frame agent = 3;
+ }
+}
+
+// Request for ProxyCluster
+//
+// In order for proxying to begin the client must send a request with the
+// cluster name populated. Creating the stream doesn't actually open the connection.
+// Any attempts to exchange frames prior to the client sending a cluster name will
+// result in the stream being terminated. All subsequent messages only need to
+// provide a Frame.
+message ProxyClusterRequest {
+ // Name of the cluster to connect to. Must
+ // be sent first so the connection can be established.
+ string cluster = 1;
+ // Raw payload
+ Frame frame = 2;
+}
+
+// Response for ProxyCluster
+message ProxyClusterResponse {
+ // Raw payload
+ Frame frame = 1;
+}
+
+// Encapsulates protocol specific payloads
+message Frame {
+ // The raw packet of data
+ bytes payload = 1;
+}
+
+// TargetHost indicates which server the connection is for
+message TargetHost {
+ // The hostname/ip/uuid:port of the remote host.
+ string host_port = 1;
+ // The cluster the server is a member of
+ string cluster = 2;
+}
+
+// Request for GetClusterDetails.
+message GetClusterDetailsRequest {}
+
+// Response for GetClusterDetails.
+message GetClusterDetailsResponse {
+ // Cluster configuration details
+ ClusterDetails details = 1;
+}
+
+// ClusterDetails contains cluster configuration information
+message ClusterDetails {
+ // If the cluster is running in FIPS mode
+ bool fips_enabled = 1;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/trust/v1/trust_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/trust/v1/trust_service.proto
new file mode 100644
index 0000000000000..7d8748f2375f7
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/trust/v1/trust_service.proto
@@ -0,0 +1,176 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.trust.v1;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/trust/v1;trustv1";
+
+// TrustService provides methods to manage certificate authorities.
+service TrustService {
+ // GetCertAuthority returns a cert authority by type and domain.
+ rpc GetCertAuthority(GetCertAuthorityRequest) returns (types.CertAuthorityV2);
+ // GetCertAuthorities returns all cert authorities with the specified type.
+ rpc GetCertAuthorities(GetCertAuthoritiesRequest) returns (GetCertAuthoritiesResponse);
+ // DeleteCertAuthority deletes the matching cert authority.
+ rpc DeleteCertAuthority(DeleteCertAuthorityRequest) returns (google.protobuf.Empty);
+ // UpsertCertAuthority creates or updates the provided cert authority.
+ rpc UpsertCertAuthority(UpsertCertAuthorityRequest) returns (types.CertAuthorityV2);
+ // RotateCertAuthority is a request to start rotation of the certificate authority.
+ rpc RotateCertAuthority(RotateCertAuthorityRequest) returns (RotateCertAuthorityResponse);
+ // RotateExternalCertAuthority rotates an external cert authority.
+ rpc RotateExternalCertAuthority(RotateExternalCertAuthorityRequest) returns (RotateExternalCertAuthorityResponse);
+ // GenerateHostCert takes a public key in the OpenSSH `authorized_keys` format and returns
+ // a SSH certificate signed by the Host CA.
+ rpc GenerateHostCert(GenerateHostCertRequest) returns (GenerateHostCertResponse);
+
+ // UpsertTrustedCluster upserts a Trusted Cluster in a backend.
+ rpc UpsertTrustedCluster(UpsertTrustedClusterRequest) returns (types.TrustedClusterV2);
+ // CreateTrustedCluster creates a Trusted Cluster in a backend.
+ rpc CreateTrustedCluster(CreateTrustedClusterRequest) returns (types.TrustedClusterV2);
+ // UpdateTrustedCluster updates a Trusted Cluster in a backend.
+ rpc UpdateTrustedCluster(UpdateTrustedClusterRequest) returns (types.TrustedClusterV2);
+}
+
+// Request for UpsertTrustedCluster.
+message UpsertTrustedClusterRequest {
+ // TrustedCluster specifies a Trusted Cluster resource.
+ types.TrustedClusterV2 trusted_cluster = 1;
+}
+
+// Request for CreateTrustedCluster.
+message CreateTrustedClusterRequest {
+ // TrustedCluster specifies a Trusted Cluster resource.
+ types.TrustedClusterV2 trusted_cluster = 1;
+}
+
+// Request for UpdateTrustedCluster.
+message UpdateTrustedClusterRequest {
+ // TrustedCluster specifies a Trusted Cluster resource.
+ types.TrustedClusterV2 trusted_cluster = 1;
+}
+
+// Request for GetCertAuthority
+message GetCertAuthorityRequest {
+ // Type of certificate authority.
+ string type = 1;
+ // The domain for the certificate authority.
+ string domain = 2;
+ // Whether the private key should be included in the response.
+ bool include_key = 3;
+}
+
+// Request for GetCertAuthorities
+message GetCertAuthoritiesRequest {
+ // Type of certificate authority.
+ string type = 1;
+ // Whether the private key should be included in the response.
+ bool include_key = 2;
+}
+
+// Response for GetCertAuthorities
+message GetCertAuthoritiesResponse {
+ // The matching certificate authorities.
+ repeated types.CertAuthorityV2 cert_authorities_v2 = 1;
+}
+
+// Request for DeleteCertAuthority
+message DeleteCertAuthorityRequest {
+ // Type of certificate authority.
+ string type = 1;
+ // The domain for the certificate authority.
+ string domain = 2;
+}
+
+// Request for UpsertCertAuthority
+message UpsertCertAuthorityRequest {
+ // The certificate authority to create or update.
+ types.CertAuthorityV2 cert_authority = 1;
+}
+
+// Request for RotateCertAuthority.
+message RotateCertAuthorityRequest {
+ // Type is a certificate authority type, if omitted, both user and host CA
+ // will be rotated.
+ string type = 1;
+ // GracePeriod is used to generate cert rotation schedule that defines
+ // times at which different rotation phases will be applied by the auth server
+ // in auto mode. It is not used in manual rotation mode.
+ // If omitted, default value is set, if 0 is supplied, it is interpreted as
+ // forcing rotation of all certificate authorities with no grace period,
+ // all existing users and hosts will have to re-login and re-added
+ // into the cluster.
+ google.protobuf.Duration grace_period = 2;
+ // TargetPhase sets desired rotation phase to move to, if not set
+ // will be set automatically, it is a required argument
+ // for manual rotation.
+ string target_phase = 3;
+ // Mode sets manual or auto rotation mode.
+ string mode = 4;
+ // Schedule is an optional rotation schedule,
+ // autogenerated based on GracePeriod parameter if not set.
+ RotationSchedule schedule = 5;
+}
+
+// RotationSchedule is a rotation schedule setting time switches for different phases.
+message RotationSchedule {
+ // UpdateClients specifies time to switch to the "Update clients" phase
+ google.protobuf.Timestamp update_clients = 1;
+ // UpdateServers specifies time to switch to the "Update servers" phase.
+ google.protobuf.Timestamp update_servers = 2;
+ // Standby specifies time to switch to the "Standby" phase.
+ google.protobuf.Timestamp standby = 3;
+}
+
+// Response for RotateCertAuthority.
+message RotateCertAuthorityResponse {}
+
+// Request for RotateExternalCertAuthority.
+message RotateExternalCertAuthorityRequest {
+ // The certificate authority to rotate.
+ types.CertAuthorityV2 cert_authority = 1;
+}
+
+// Response for RotateExternalCertAuthority.
+message RotateExternalCertAuthorityResponse {}
+
+// GenerateHostCertRequest is the request for GenerateHostCert.
+message GenerateHostCertRequest {
+ // key is the SSH public key that the certificate should include.
+ bytes key = 1;
+ // host_id is the ID of the host the certificate should include.
+ string host_id = 2;
+ // node_name is the name of the node the certificate should include.
+ string node_name = 3;
+ // principals is a list of principals that the certificate should include.
+ repeated string principals = 4;
+ // cluster_name is a list of principals that the certificate should include.
+ string cluster_name = 5;
+ // role is a system role assigned to the host that will be included on the certificate.
+ string role = 6;
+ // ttl is the duration the certificate will be valid for. This may be zero for indefinite.
+ google.protobuf.Duration ttl = 7;
+}
+
+// GenerateHostCertResponse is the response for GenerateHostCert.
+message GenerateHostCertResponse {
+ // ssh_certificate is the encoded bytes of the SSH certificate generated by the RPC.
+ bytes ssh_certificate = 1;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/usageevents/v1/usageevents.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/usageevents/v1/usageevents.proto
new file mode 100644
index 0000000000000..6a81aa4fff6b4
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/usageevents/v1/usageevents.proto
@@ -0,0 +1,915 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.usageevents.v1;
+
+import "teleport/accesslist/v1/accesslist.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/usageevents/v1;usageeventsv1";
+
+// UIBannerClickEvent is a usage event sent by the UI when the upgrade
+// banner is clicked.
+message UIBannerClickEvent {
+ // The cluster alert name.
+ string alert = 1;
+}
+
+// UIOnboardCompleteGoToDashboardClickEvent is a UI event sent when initial
+// registration is complete.
+message UIOnboardCompleteGoToDashboardClickEvent {
+ // The event username. Not extracted from identity as this is pre-registration.
+ string username = 1;
+}
+
+// UIOnboardAddFirstResourceClickEvent is a UI event sent when a user clicks the
+// "add first resource" button.
+message UIOnboardAddFirstResourceClickEvent {}
+
+// UIOnboardAddFirstResourceLaterClickEvent is a UI event sent when a user
+// clicks the "add first resource later" button.
+message UIOnboardAddFirstResourceLaterClickEvent {}
+
+// UIOnboardSetCredentialSubmitEvent is a UI event sent during registration when
+// users configure their credentials.
+message UIOnboardSetCredentialSubmitEvent {
+ // The event username. Not extracted from identity as this is pre-registration.
+ string username = 1;
+}
+
+// UIOnboardQuestionnaireSubmitEvent is a UI event sent during registration when
+// the user submits their onboarding questionnaire.
+message UIOnboardQuestionnaireSubmitEvent {
+ // The event username. Not extracted from identity as this is pre-registration.
+ string username = 1;
+}
+
+// UIOnboardRegisterChallengeSubmitEvent is a UI event sent during registration
+// when the MFA challenge is completed.
+message UIOnboardRegisterChallengeSubmitEvent {
+ // The event username. Not extracted from identity as this is pre-registration.
+ string username = 1;
+ // The type of MFA used.
+ string mfa_type = 2;
+ // The type of login used.
+ string login_flow = 3;
+}
+
+// UIRecoveryCodesContinueClickEvent is a UI event sent during
+// registration when the user configures cluster recovery codes.
+message UIRecoveryCodesContinueClickEvent {
+ // The event username. Not extracted from identity as this is pre-registration.
+ string username = 1;
+}
+
+// UIRecoveryCodesCopyClickEvent is a UI event sent during
+// registration when the user copies recovery codes.
+message UIRecoveryCodesCopyClickEvent {
+ // The event username. Not extracted from identity as this is pre-registration.
+ string username = 1;
+}
+
+// UIRecoveryCodesPrintClickEvent is a UI event sent during
+// registration when the user prints recovery codes.
+message UIRecoveryCodesPrintClickEvent {
+ // The event username. Not extracted from identity as this is pre-registration.
+ string username = 1;
+}
+
+// DiscoverMetadata contains common metadata for Discover related events.
+message DiscoverMetadata {
+ // Uniquely identifies Discover wizard "session". Will allow to correlate
+ // events within the same Discover wizard run.
+ string id = 1;
+}
+
+// DiscoverResource represents a resource type.
+enum DiscoverResource {
+ DISCOVER_RESOURCE_UNSPECIFIED = 0;
+ DISCOVER_RESOURCE_SERVER = 1;
+ DISCOVER_RESOURCE_KUBERNETES = 2;
+ DISCOVER_RESOURCE_DATABASE_POSTGRES_SELF_HOSTED = 3;
+ DISCOVER_RESOURCE_DATABASE_MYSQL_SELF_HOSTED = 4;
+ DISCOVER_RESOURCE_DATABASE_MONGODB_SELF_HOSTED = 5;
+ DISCOVER_RESOURCE_DATABASE_POSTGRES_RDS = 6;
+ DISCOVER_RESOURCE_DATABASE_MYSQL_RDS = 7;
+ DISCOVER_RESOURCE_APPLICATION_HTTP = 8;
+ DISCOVER_RESOURCE_APPLICATION_TCP = 9;
+ DISCOVER_RESOURCE_WINDOWS_DESKTOP = 10;
+ DISCOVER_RESOURCE_DATABASE_SQLSERVER_RDS = 11;
+ DISCOVER_RESOURCE_DATABASE_POSTGRES_REDSHIFT = 12;
+ DISCOVER_RESOURCE_DATABASE_SQLSERVER_SELF_HOSTED = 13;
+ DISCOVER_RESOURCE_DATABASE_REDIS_SELF_HOSTED = 14;
+ DISCOVER_RESOURCE_DATABASE_POSTGRES_GCP = 15;
+ DISCOVER_RESOURCE_DATABASE_MYSQL_GCP = 16;
+ DISCOVER_RESOURCE_DATABASE_SQLSERVER_GCP = 17;
+
+ DISCOVER_RESOURCE_DATABASE_POSTGRES_REDSHIFT_SERVERLESS = 18;
+ DISCOVER_RESOURCE_DATABASE_POSTGRES_AZURE = 19;
+ DISCOVER_RESOURCE_DATABASE_DYNAMODB = 20;
+ DISCOVER_RESOURCE_DATABASE_CASSANDRA_KEYSPACES = 21;
+ DISCOVER_RESOURCE_DATABASE_CASSANDRA_SELF_HOSTED = 22; // Cassandra & ScyllaDb
+ DISCOVER_RESOURCE_DATABASE_ELASTICSEARCH_SELF_HOSTED = 23;
+ DISCOVER_RESOURCE_DATABASE_REDIS_ELASTICACHE = 24; // Elasticache & MemoryDb
+ DISCOVER_RESOURCE_DATABASE_REDIS_MEMORYDB = 25;
+ DISCOVER_RESOURCE_DATABASE_REDIS_AZURE_CACHE = 26;
+ DISCOVER_RESOURCE_DATABASE_REDIS_CLUSTER_SELF_HOSTED = 27;
+
+ DISCOVER_RESOURCE_DATABASE_MYSQL_AZURE = 28;
+ DISCOVER_RESOURCE_DATABASE_SQLSERVER_AZURE = 29;
+ DISCOVER_RESOURCE_DATABASE_SQLSERVER_MICROSOFT = 30;
+ DISCOVER_RESOURCE_DATABASE_COCKROACHDB_SELF_HOSTED = 31;
+ DISCOVER_RESOURCE_DATABASE_MONGODB_ATLAS = 32;
+ DISCOVER_RESOURCE_DATABASE_SNOWFLAKE = 33;
+
+ DISCOVER_RESOURCE_DOC_DATABASE_RDS_PROXY = 34;
+ DISCOVER_RESOURCE_DOC_DATABASE_HIGH_AVAILABILITY = 35;
+ DISCOVER_RESOURCE_DOC_DATABASE_DYNAMIC_REGISTRATION = 36;
+
+ DISCOVER_RESOURCE_SAML_APPLICATION = 37;
+
+ DISCOVER_RESOURCE_EC2_INSTANCE = 38;
+
+ DISCOVER_RESOURCE_DOC_WINDOWS_DESKTOP_NON_AD = 39;
+
+ DISCOVER_RESOURCE_KUBERNETES_EKS = 40;
+
+ DISCOVER_RESOURCE_APPLICATION_AWS_CONSOLE = 41;
+}
+
+// DiscoverResourceMetadata contains common metadata identifying resource type being added.
+message DiscoverResourceMetadata {
+ // Resource type that is being added.
+ DiscoverResource resource = 1;
+}
+
+// DiscoverStatus represents a Discover Step outcome.
+enum DiscoverStatus {
+ DISCOVER_STATUS_UNSPECIFIED = 0;
+ // The user tried to complete the action and it succeeded.
+ DISCOVER_STATUS_SUCCESS = 1;
+ // The system skipped the step.
+ // For example:
+ // When setting up a Database and there's already a Database Service proxying the DB.
+ // In this case the Database Agent installation is skipped.
+ DISCOVER_STATUS_SKIPPED = 2;
+ // The user tried to complete the action and it failed.
+ DISCOVER_STATUS_ERROR = 3;
+ // The user did not complete the action and left the wizard.
+ DISCOVER_STATUS_ABORTED = 4;
+}
+
+// DiscoverStepStatus contains fields that track a particular step outcome,
+// for example connection test failed or succeeded, or user aborted the step.
+message DiscoverStepStatus {
+ // Indicates the step outcome.
+ DiscoverStatus status = 1;
+ // Contains error details in case of Error Status.
+ // We have to be careful to not include any identifyable infomation like server addresses here.
+ string error = 2;
+}
+
+// UIDiscoverStartedEvent is emitted when the wizard opens.
+message UIDiscoverStartedEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverStepStatus status = 2;
+}
+
+// UIDiscoverResourceSelectionEvent is emitted when user selected resource type to add
+// and proceeded to the next step.
+message UIDiscoverResourceSelectionEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverIntegrationAWSOIDCConnectEvent is emitted when a user is finished with the step
+// that asks user to setup aws integration or select from a list of existing
+// aws integrations.
+message UIDiscoverIntegrationAWSOIDCConnectEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverDatabaseRDSEnrollEvent is emitted when a user is finished with
+// the step that asks user to select from a list of RDS databases.
+message UIDiscoverDatabaseRDSEnrollEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+ int64 selected_resources_count = 4;
+}
+
+// UIDiscoverKubeEKSEnrollEvent is emitted when a user is finished with
+// the step that asks user to select from a list of EKS clusters.
+message UIDiscoverKubeEKSEnrollEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UICallToActionClickEvent is emmited when a user clicks a Teleport Web UI's CTA.
+message UICallToActionClickEvent {
+ CTA cta = 1;
+}
+
+// CTA represents teleport web UI's call to action buttons.
+// We can't use prehog.v1alpha.CTA here because AuthService (and thus this file)
+// is generated with gogofast, so we just copy the enum definition here instead.
+// Make sure you update both.
+enum CTA {
+ CTA_UNSPECIFIED = 0;
+ CTA_AUTH_CONNECTOR = 1;
+ CTA_ACTIVE_SESSIONS = 2;
+ CTA_ACCESS_REQUESTS = 3;
+ CTA_PREMIUM_SUPPORT = 4;
+ CTA_TRUSTED_DEVICES = 5;
+ CTA_UPGRADE_BANNER = 6;
+ CTA_BILLING_SUMMARY = 7;
+ CTA_ACCESS_LIST = 8;
+ CTA_ACCESS_MONITORING = 9;
+ CTA_EXTERNAL_AUDIT_STORAGE = 10;
+ CTA_OKTA_USER_SYNC = 11;
+ CTA_ENTRA_ID = 12;
+ CTA_OKTA_SCIM = 13;
+}
+
+// UIDiscoverDeployServiceEvent is emitted after the user installs a Teleport Agent.
+// For SSH this is the Teleport 'install-node' script.
+//
+// For Kubernetes this is the teleport-agent helm chart installation.
+//
+// For Database Access this step is the installation of the teleport 'install-db' script.
+// It can be skipped if the cluster already has a Database Service capable of proxying the database.
+message UIDiscoverDeployServiceEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+
+ // DeployMethod describes the method used to deploy a service.
+ enum DeployMethod {
+ // DEPLOY_METHOD_UNSPECIFIED means there was an existing service
+ // so deploying step got skipped.
+ DEPLOY_METHOD_UNSPECIFIED = 0;
+ // DEPLOY_METHOD_AUTO means Teleport deployed a service for the user.
+ DEPLOY_METHOD_AUTO = 1;
+ // DEPLOY_METHOD_MANUAL means a user deployed a service by themselves.
+ DEPLOY_METHOD_MANUAL = 2;
+ }
+
+ DeployMethod deploy_method = 4;
+
+ // DeployType describes the type of deployment.
+ enum DeployType {
+ // DEPLOY_METHOD_UNSPECIFIED means there was an existing service
+ // so deploying step got skipped.
+ DEPLOY_TYPE_UNSPECIFIED = 0;
+ // DEPLOY_TYPE_INSTALL_SCRIPT means service was deployed using an
+ // install script.
+ DEPLOY_TYPE_INSTALL_SCRIPT = 1;
+ // DEPLOY_TYPE_AMAZON_ECS means service was deployed using amazon's
+ // elastic container service.
+ DEPLOY_TYPE_AMAZON_ECS = 2;
+ }
+
+ DeployType deploy_type = 5;
+}
+
+// UIDiscoverCreateDiscoveryConfigEvent is emitted when a discovery config is successfully created.
+message UIDiscoverCreateDiscoveryConfigEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+
+ // ConfigMethod describes how the discovery config is configured.
+ enum ConfigMethod {
+ // CONFIG_METHOD_UNSPECIFIED means config method unspecified/unset.
+ CONFIG_METHOD_UNSPECIFIED = 0;
+ // CONFIG_METHOD_SSM means EC2 auto discovery configured with ssm.
+ CONFIG_METHOD_AWS_EC2_SSM = 1;
+ // CONFIG_METHOD_SSM means auto discovery configured for EC2 using EICE.
+ CONFIG_METHOD_AWS_EC2_EICE = 2;
+ // CONFIG_METHOD_SSM means auto discovery configured for RDS using ECS.
+ CONFIG_METHOD_AWS_RDS_ECS = 3;
+ // CONFIG_METHOD_SSM means auto discovery configured for EKS.
+ CONFIG_METHOD_AWS_EKS = 4;
+ }
+
+ ConfigMethod config_method = 4;
+}
+
+// UIDiscoverDatabaseRegisterEvent is emitted when a user is finished with the step that registers a database resource.
+message UIDiscoverDatabaseRegisterEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverDatabaseConfigureMTLSEvent is emitted when a user is finished with the step that configures mutual TLS for a self-hosted database.
+message UIDiscoverDatabaseConfigureMTLSEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverDesktopActiveDirectoryToolsInstallEvent is emitted when the user is finished with the step that asks user to run the install Active Directory tools script for the Desktop flow.
+message UIDiscoverDesktopActiveDirectoryToolsInstallEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverDesktopActiveDirectoryConfigureEvent is emitted when the user is finished with the step that asks user to run the Configure Active Directory script for the Desktop flow.
+message UIDiscoverDesktopActiveDirectoryConfigureEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverAutoDiscoveredResourcesEvent is emitted when the user is finished with the step that auto discovers resources (waiting until resources show up).
+// resources_count field must reflect the latest amount of discovered resources (get the number after user is finished with this step).
+message UIDiscoverAutoDiscoveredResourcesEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+ int64 resources_count = 4;
+}
+
+// UIDiscoverEC2InstanceSelectionEvent is emitted when the user is finished with the step that asks the user to select an EC2 Instance to enroll.
+message UIDiscoverEC2InstanceSelectionEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverDeployEICEEvent is emitted when the user deploys an EC2 Instance Connect Endpoint.
+message UIDiscoverDeployEICEEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverCreateNodeEvent is emitted when the node is created in Teleport.
+message UIDiscoverCreateNodeEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverCreateAppServerEvent is emitted when an app server is created.
+message UIDiscoverCreateAppServerEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverDatabaseConfigureIAMPolicyEvent is emitted when a user is finished with the step that configures IAM policy for an RDS database.
+message UIDiscoverDatabaseConfigureIAMPolicyEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverPrincipalsConfigureEvent is emitted when a user is finished with the step that allows user to update their principals (setting up access).
+message UIDiscoverPrincipalsConfigureEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverTestConnectionEvent emitted on the "Test Connection" screen
+// when the user clicked tested connection to their resource.
+message UIDiscoverTestConnectionEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UIDiscoverCompletedEvent is emitted when user completes the Discover wizard.
+message UIDiscoverCompletedEvent {
+ DiscoverMetadata metadata = 1;
+ DiscoverResourceMetadata resource = 2;
+ DiscoverStepStatus status = 3;
+}
+
+// UICreateNewRoleClickEvent is an event that can be triggered during custom role creation
+message UICreateNewRoleClickEvent {}
+
+// UICreateNewRoleSaveClickEvent is an event that can be triggered during custom role creation
+message UICreateNewRoleSaveClickEvent {}
+
+// UICreateNewRoleCancelClickEvent is an event that can be triggered during custom role creation
+message UICreateNewRoleCancelClickEvent {}
+
+// UICreateNewRoleViewDocumentationClickEvent is an event that can be triggered during custom role creation
+message UICreateNewRoleViewDocumentationClickEvent {}
+
+// AssistCompletionEvent is an event that is emitted when a completion occurs in the Assistant
+message AssistCompletionEvent {
+ // ConversationId is the UUID that identifies a single Assist conversation
+ string conversation_id = 1;
+ // TotalTokens is the total amount of token used to satisfy this request
+ int64 total_tokens = 2;
+ // PromptTokens is the amount of estimated tokens used by the prompt
+ int64 prompt_tokens = 3;
+ // CompletionTokens is the amount of tokens that the completion response consists of
+ int64 completion_tokens = 4;
+}
+
+// AssistExecutionEvent is an event that is emitted when an Assist command
+// execution is triggered by the user.
+message AssistExecutionEvent {
+ // ConversationId is the UUID that identifies a single Assist conversation
+ string conversation_id = 1;
+ // NodeCount is the number of nodes the command was executed on
+ int64 node_count = 2;
+ // TotalTokens is the total amount of token used to satisfy this request
+ int64 total_tokens = 3;
+ // PromptTokens is the amount of estimated tokens used by the prompt
+ int64 prompt_tokens = 4;
+ // CompletionTokens is the amount of tokens that the completion response consists of
+ int64 completion_tokens = 5;
+}
+
+// AssistNewConversationEvent is an event that is emitted for each new Assist
+// conversation and contains the conversation category.
+message AssistNewConversationEvent {
+ // Category is the conversation category. This represents what kind of request
+ // the user is asking Assist.
+ string category = 1;
+}
+
+// AssistAccessRequest is an event that is emitted when a user requests access
+// to a resource via Assist.
+message AssistAccessRequest {
+ // ResourceType describes the type of resource the user is requesting access to, e.g. "node", "db", "k8s" or "role".
+ string resource_type = 1;
+ // TotalTokens is the total amount of token used to generate the command summary
+ int64 total_tokens = 2;
+ // PromptTokens is the amount of estimated tokens used by the prompt to generate the command summary
+ int64 prompt_tokens = 3;
+ // CompletionTokens is the amount of tokens that the summary completion response consists of
+ int64 completion_tokens = 4;
+}
+
+// AssistAction is an event that is emitted when a user triggers an action (SSH command generation, output explain, etc.)
+// via Assist.
+message AssistAction {
+ // Action is the action that was triggered, e.g. "ssh-explain", "ssh-command-generate", etc.
+ string action = 1;
+ // TotalTokens is the total amount of token used to generate the command summary
+ int64 total_tokens = 2;
+ // PromptTokens is the amount of estimated tokens used by the prompt to generate the command summary
+ int64 prompt_tokens = 3;
+ // CompletionTokens is the amount of tokens that the summary completion response consists of
+ int64 completion_tokens = 4;
+}
+
+// AccessListMetadata contains common metadata for Access List related events.
+message AccessListMetadata {
+ // Uniquely identifies an Access List. Will allow correlation of events within an access list.
+ string id = 1;
+}
+
+// AccessListMemberMetadata contains common metadata for Access List Member related events.
+message AccessListMemberMetadata {
+ // name is the name of the member.
+ string name = 1;
+ // membership_kind is the type of membership in the parent access list.
+ teleport.accesslist.v1.MembershipKind membership_kind = 2;
+}
+
+// AccessListCreate is an event that is emitted when an access list is created.
+message AccessListCreate {
+ AccessListMetadata metadata = 1;
+}
+
+// AccessListUpdate is an event that is emitted when an access list is updated.
+message AccessListUpdate {
+ AccessListMetadata metadata = 1;
+}
+
+// AccessListDelete is an event that is emitted when an access list is deleted.
+message AccessListDelete {
+ AccessListMetadata metadata = 1;
+}
+
+// AccessListMemberCreate is an event that is emitted when a member is added to an access list.
+message AccessListMemberCreate {
+ AccessListMetadata metadata = 1;
+ AccessListMemberMetadata member_metadata = 2;
+}
+
+// AccessListMemberCreate is an event that is emitted when a member is updated in an access list.
+message AccessListMemberUpdate {
+ AccessListMetadata metadata = 1;
+ AccessListMemberMetadata member_metadata = 2;
+}
+
+// AccessListMemberDelete is an event that is emitted when a member is removed from an access list.
+message AccessListMemberDelete {
+ AccessListMetadata metadata = 1;
+ AccessListMemberMetadata member_metadata = 2;
+}
+
+// AccessListGrantsToUser is an event that is emitted when access list permissions are granted to a user
+// on login.
+message AccessListGrantsToUser {
+ // count_roles_granted is the number of roles granted to a user.
+ int32 count_roles_granted = 1;
+
+ // count_inherited_roles_granted is the number of roles granted to a user inherited from nested access lists.
+ int32 count_inherited_roles_granted = 3;
+
+ // count_traits_granted is the number of traits granted to a user.
+ int32 count_traits_granted = 2;
+
+ // count_inherited_traits_granted is the number of traits granted to a user inherited from nested access lists.
+ int32 count_inherited_traits_granted = 4;
+
+ // user_name is the Teleport username of the user for whom a role or trait was granted for.
+ string user_name = 5;
+}
+
+// AccessListReviewCreate is an event that is emitted when an access list review is created.
+message AccessListReviewCreate {
+ AccessListMetadata metadata = 1;
+
+ // days_past_next_audit_date is how many days past the next audit date the review came in. Can be negative.
+ int32 days_past_next_audit_date = 2;
+
+ // membership_requirements_changed indicates that the membership requirements were changed.
+ bool membership_requirements_changed = 3;
+
+ // review_frequency_changed indicates that the review frequency was changed.
+ bool review_frequency_changed = 4;
+
+ // review_day_of_month_changed indicates that the review day of month was changed.
+ bool review_day_of_month_changed = 5;
+
+ // number_of_removed_members is how many members were removed as part of this review.
+ int32 number_of_removed_members = 6;
+}
+
+// AccessListReviewDelete is an event that is emitted when an access list review is deleted.
+message AccessListReviewDelete {
+ AccessListMetadata metadata = 1;
+
+ // access_list_review_id is the unique identifier for the access list review.
+ string access_list_review_id = 2;
+}
+
+// IntegrationEnrollKind represents the types of integration that
+// can be enrolled.
+//
+// Note: IntegrationEnrollKind enum must be kept in sync with the values defined
+// in proto/prehog/v1alpha/teleport.proto. Values 18-25 have become out of sync
+// and are manually mapped to each other.
+enum IntegrationEnrollKind {
+ INTEGRATION_ENROLL_KIND_UNSPECIFIED = 0;
+ INTEGRATION_ENROLL_KIND_SLACK = 1;
+ INTEGRATION_ENROLL_KIND_AWS_OIDC = 2;
+ INTEGRATION_ENROLL_KIND_PAGERDUTY = 3;
+ INTEGRATION_ENROLL_KIND_EMAIL = 4;
+ INTEGRATION_ENROLL_KIND_JIRA = 5;
+ INTEGRATION_ENROLL_KIND_DISCORD = 6;
+ INTEGRATION_ENROLL_KIND_MATTERMOST = 7;
+ INTEGRATION_ENROLL_KIND_MS_TEAMS = 8;
+ INTEGRATION_ENROLL_KIND_OPSGENIE = 9;
+ INTEGRATION_ENROLL_KIND_OKTA = 10;
+ INTEGRATION_ENROLL_KIND_JAMF = 11;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID = 12;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID_GITHUB_ACTIONS = 13;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID_CIRCLECI = 14;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID_GITLAB = 15;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID_JENKINS = 16;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID_ANSIBLE = 17;
+ INTEGRATION_ENROLL_KIND_SERVICENOW = 18;
+ INTEGRATION_ENROLL_KIND_ENTRA_ID = 19;
+ INTEGRATION_ENROLL_KIND_DATADOG_INCIDENT_MANAGEMENT = 20;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID_AWS = 21;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID_GCP = 22;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID_AZURE = 23;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID_SPACELIFT = 24;
+ INTEGRATION_ENROLL_KIND_MACHINE_ID_KUBERNETES = 25;
+ INTEGRATION_ENROLL_KIND_AWS_IDENTITY_CENTER = 26;
+ INTEGRATION_ENROLL_KIND_GITHUB_REPO_ACCESS = 27;
+}
+
+// IntegrationEnrollMetadata contains common metadata
+// for Integration Enroll related events.
+message IntegrationEnrollMetadata {
+ // id is used as a unique identifier to correlate events within the
+ // same enroll wizard run.
+ string id = 1;
+ // kind identifies what type of integration the user clicked on to enroll.
+ IntegrationEnrollKind kind = 2;
+ // user_name is anonymized.
+ string user_name = 3;
+}
+
+// UIIntegrationEnrollEvent is an event that is emitted when a user
+// clicks on a integration to enroll.
+message UIIntegrationEnrollStartEvent {
+ IntegrationEnrollMetadata metadata = 1;
+}
+
+// UIIntegrationEnrollEvent is an event that is emitted when a user
+// completed enrolling an integration.
+message UIIntegrationEnrollCompleteEvent {
+ IntegrationEnrollMetadata metadata = 1;
+}
+
+// IntegrationEnrollStep defines inner configuration steps
+// for a given integration type.
+enum IntegrationEnrollStep {
+ INTEGRATION_ENROLL_STEP_UNSPECIFIED = 0;
+
+ // AWSIC denotes AWS Identity Center integration.
+ INTEGRATION_ENROLL_STEP_AWSIC_CONNECT_OIDC = 1;
+ INTEGRATION_ENROLL_STEP_AWSIC_SET_ACCESSLIST_DEFAULT_OWNER = 2;
+ INTEGRATION_ENROLL_STEP_AWSIC_UPLOAD_AWS_SAML_SP_METADATA = 3;
+ INTEGRATION_ENROLL_STEP_AWSIC_TEST_SCIM_CONNECTION = 4;
+
+ // GITHUBRA denotes GitHub Repo Access.
+ INTEGRATION_ENROLL_STEP_GITHUBRA_CREATE_INTEGRATION = 5;
+ INTEGRATION_ENROLL_STEP_GITHUBRA_CREATE_GIT_SERVER = 6;
+ INTEGRATION_ENROLL_STEP_GITHUBRA_CONFIGURE_SSH_CERT = 7;
+ INTEGRATION_ENROLL_STEP_GITHUBRA_CREATE_ROLE = 8;
+}
+
+// IntegrationEnrollStatusCode defines status code for an integration enroll step.
+enum IntegrationEnrollStatusCode {
+ INTEGRATION_ENROLL_STATUS_CODE_UNSPECIFIED = 0;
+ // The user tried to complete the action and it succeeded.
+ INTEGRATION_ENROLL_STATUS_CODE_SUCCESS = 1;
+ // The user or system skipped the step.
+ // For example:
+ // When setting up an AWS IAM Identity Center integration, we allow reusing
+ // OIDC integrationn if it was previously created for the Identity Center.
+ INTEGRATION_ENROLL_STATUS_CODE_SKIPPED = 2;
+ // The user tried to complete the action and it failed.
+ INTEGRATION_ENROLL_STATUS_CODE_ERROR = 3;
+ // The user did not complete the action and left the wizard.
+ INTEGRATION_ENROLL_STATUS_CODE_ABORTED = 4;
+}
+
+// IntegrationEnrollStepStatus defines fields that track a particular step outcome,
+// for example connection test failed or succeeded, or user aborted the step.
+message IntegrationEnrollStepStatus {
+ // Code indicates the step outcome.
+ IntegrationEnrollStatusCode code = 1;
+ // Error contains error details in case of an error status code.
+ // Error message should not include any identifiable information
+ // like server address.
+ string error = 2;
+}
+
+// UIIntegrationEnrollStepEvent defines configuration step event
+// with a status for a specific integration enroll kind.
+message UIIntegrationEnrollStepEvent {
+ // Metadata is the metadata of an event.
+ IntegrationEnrollMetadata metadata = 1;
+ // Step is the name of the step for a given integration kind.
+ IntegrationEnrollStep step = 2;
+ // Status is the status of the step outcome.
+ IntegrationEnrollStepStatus status = 3;
+}
+
+// ResourceCreateEvent is emitted when a resource is created.
+message ResourceCreateEvent {
+ // resource_type is the type of resource ("node", "node.openssh", "db", "k8s", "app").
+ string resource_type = 1;
+ // resource_origin is the origin of the resource ("cloud", "kubernetes").
+ string resource_origin = 2;
+ // cloud_provider is the cloud provider the resource came from ("AWS", "Azure", "GCP")
+ // if resource_origin == "cloud".
+ string cloud_provider = 3;
+ // database contains additional database information if resource_type == "db".
+ DiscoveredDatabaseMetadata database = 4;
+}
+
+// DiscoveredDatabaseMetadata contains additional database information.
+message DiscoveredDatabaseMetadata {
+ // database type.
+ string db_type = 1;
+ // database protocol.
+ string db_protocol = 2;
+}
+
+// FeatureRecommendationEvent captures event emitted when a feature is recommended to user or
+// when user completes the desired CTA for the feature.
+//
+// PostHost event: tp.ui.feature.recommendation
+message FeatureRecommendationEvent {
+ // anonymized Teleport username, 32 bytes (HMAC-SHA-256) encoded in base64;
+ //
+ // PostHog property: tp.user_name
+ string user_name = 1;
+ // feature is name of the Teleport feature.
+ //
+ // PostHost property: tp.feature
+ Feature feature = 2;
+ // feature_recommendation_status records recommendation state, which can be 'NOTIFIED' (feature is recommended)
+ // OR 'DONE' (user completes desired CTA)
+ //
+ // PostHost property: tp.feature_recommendation_status
+ FeatureRecommendationStatus feature_recommendation_status = 3;
+}
+
+// Feature is name of Teleport feature
+enum Feature {
+ FEATURE_UNSPECIFIED = 0;
+ FEATURE_TRUSTED_DEVICES = 1;
+}
+
+// FeatureRecommendationStatus is feature recommendation status.
+enum FeatureRecommendationStatus {
+ FEATURE_RECOMMENDATION_STATUS_UNSPECIFIED = 0;
+ // FEATURE_RECOMMENDATION_STATUS_NOTIFIED is emitted when a feature is recommended (notified in UI) to user.
+ FEATURE_RECOMMENDATION_STATUS_NOTIFIED = 1;
+ // FEATURE_RECOMMENDATION_STATUS_DONE is emitted when user completes the desired CTA.
+ FEATURE_RECOMMENDATION_STATUS_DONE = 2;
+}
+
+// TAGExecuteQueryEvent is an event that is emitted
+// when a single query is executed in the Teleport Access Graph.
+// This event is emitted for both successful and failed queries and for
+// successful queries, the total number of nodes and edges is reported.
+message TAGExecuteQueryEvent {
+ // total_nodes is the total amount of nodes returned by the query.
+ int64 total_nodes = 1;
+ // total_edges is the total amount of edges returned by the query.
+ int64 total_edges = 2;
+ // is_success is true if the query was successful and false it if failed.
+ bool is_success = 3;
+}
+
+// AccessGraphAWSScanEvent is emitted when the Access Graph
+// AWS scan is enabled.
+message AccessGraphAWSScanEvent {
+ // total_ec2_instances is the total amount of EC2 instances found in the AWS scan.
+ uint64 total_ec2_instances = 1;
+ // total_users is the total amount of users found in the AWS scan.
+ uint64 total_users = 2;
+ // total_groups is the total amount of groups found in the AWS scan.
+ uint64 total_groups = 3;
+ // total_roles is the total amount of roles found in the AWS scan.
+ uint64 total_roles = 4;
+ // total_policies is the total amount of policies found in the AWS scan.
+ uint64 total_policies = 5;
+ // total_eks_clusters is the total amount of EKS clusters found in the AWS scan.
+ uint64 total_eks_clusters = 6;
+ // total_rds_instances is the total amount of RDS instances found in the AWS scan.
+ uint64 total_rds_instances = 7;
+ // total_s3_buckets is the total amount of S3 buckets found in the AWS scan.
+ uint64 total_s3_buckets = 8;
+ // total_saml_providers is the total amount of SAML providers found in the AWS scan.
+ uint64 total_saml_providers = 9;
+ // total_oidc_providers is the total amount of OIDC providers found in the AWS scan.
+ uint64 total_oidc_providers = 10;
+ // total_accounts is the total amount of accounts synchronized in the AWS scan.
+ uint64 total_accounts = 11;
+}
+
+// UIAccessGraphCrownJewelDiffViewEvent is emitted when a user reviews the output of a Crown Jewel access path dff.
+message UIAccessGraphCrownJewelDiffViewEvent {
+ // affected_resource_source is the source of the affected resource.
+ string affected_resource_source = 1;
+ // affected_resource_type is the type of the affected resource.
+ string affected_resource_type = 2;
+}
+
+// SecurityReportGetResultEvent is emitted when the user requests a security report.
+message SecurityReportGetResultEvent {
+ // name is the name of the security report.
+ string name = 1;
+ // days is the time range of the security reports in days.
+ int32 days = 2;
+}
+
+// DiscoveryFetchEvent is emitted when a DiscoveryService polls for new resources of a given type
+message DiscoveryFetchEvent {
+ // cloud_provider is the cloud provider used to fetch resources
+ // Eg, AWS, Azure, GCP, Kubernetes
+ string cloud_provider = 1;
+
+ // resource_type is the type of resource that this fetch is polling.
+ // It depends on the Cloud Provider (defined above).
+ // Eg, rds, ec2, vm, aks, gce, app
+ string resource_type = 2;
+}
+
+// UserTaskStateEvent is emitted when a UserTask state changes.
+// This can happen when the Task is created, when it's manually
+// resolved by the user or when it changes back to being open
+// when the issue happens again.
+//
+// PostHog event: tp.usertask.state
+message UserTaskStateEvent {
+ // task_type is the identifier for the type of task.
+ // Eg, discover-ec2
+ //
+ // PostHog property: tp.usertask.task_type
+ string task_type = 1;
+
+ // issue_type is the identifier for the type of issue that occurred.
+ //
+ // PostHog property: tp.usertask.issue_type
+ string issue_type = 2;
+
+ // state identifies the new state for this task.
+ // One of: OPEN, RESOLVED
+ //
+ // PostHog property: tp.usertask.state
+ string state = 3;
+
+ // instances_count contains the number of instances that were affected by the issue
+ // This field is only present for the following task_types:
+ // - discover-ec2
+ //
+ // PostHog property: tp.usertask.discover_ec2.instances_count
+ int32 instances_count = 4;
+}
+
+// UsageEventOneOf is a message that can accept a oneof of any supported
+// external usage event.
+message UsageEventOneOf {
+ oneof event {
+ UIBannerClickEvent ui_banner_click = 1;
+ UIOnboardCompleteGoToDashboardClickEvent ui_onboard_complete_go_to_dashboard_click = 3;
+ UIOnboardAddFirstResourceClickEvent ui_onboard_add_first_resource_click = 4;
+ UIOnboardAddFirstResourceLaterClickEvent ui_onboard_add_first_resource_later_click = 5;
+ UIOnboardSetCredentialSubmitEvent ui_onboard_set_credential_submit = 6;
+ UIOnboardRegisterChallengeSubmitEvent ui_onboard_register_challenge_submit = 7;
+ UIRecoveryCodesContinueClickEvent ui_recovery_codes_continue_click = 8;
+ UIRecoveryCodesCopyClickEvent ui_recovery_codes_copy_click = 9;
+ UIRecoveryCodesPrintClickEvent ui_recovery_codes_print_click = 10;
+ UIDiscoverStartedEvent ui_discover_started_event = 11;
+ UIDiscoverResourceSelectionEvent ui_discover_resource_selection_event = 12;
+ UIDiscoverDeployServiceEvent ui_discover_deploy_service_event = 13;
+ UIDiscoverDatabaseRegisterEvent ui_discover_database_register_event = 14;
+ UIDiscoverDatabaseConfigureMTLSEvent ui_discover_database_configure_mtls_event = 15;
+ UIDiscoverDesktopActiveDirectoryToolsInstallEvent ui_discover_desktop_active_directory_tools_install_event = 16;
+ UIDiscoverDesktopActiveDirectoryConfigureEvent ui_discover_desktop_active_directory_configure_event = 17;
+ UIDiscoverAutoDiscoveredResourcesEvent ui_discover_auto_discovered_resources_event = 18;
+ UIDiscoverDatabaseConfigureIAMPolicyEvent ui_discover_database_configure_iam_policy_event = 19;
+ UIDiscoverPrincipalsConfigureEvent ui_discover_principals_configure_event = 20;
+ UIDiscoverTestConnectionEvent ui_discover_test_connection_event = 21;
+ UIDiscoverCompletedEvent ui_discover_completed_event = 22;
+ UICreateNewRoleClickEvent ui_create_new_role_click = 23;
+ UICreateNewRoleSaveClickEvent ui_create_new_role_save_click = 24;
+ UICreateNewRoleCancelClickEvent ui_create_new_role_cancel_click = 25;
+ UICreateNewRoleViewDocumentationClickEvent ui_create_new_role_view_documentation_click = 26;
+ UIDiscoverIntegrationAWSOIDCConnectEvent ui_discover_integration_aws_oidc_connect_event = 27;
+ UIDiscoverDatabaseRDSEnrollEvent ui_discover_database_rds_enroll_event = 28;
+ UICallToActionClickEvent ui_call_to_action_click_event = 29;
+ AssistCompletionEvent assist_completion = 30;
+ UIIntegrationEnrollStartEvent ui_integration_enroll_start_event = 31;
+ UIIntegrationEnrollCompleteEvent ui_integration_enroll_complete_event = 32;
+ UIOnboardQuestionnaireSubmitEvent ui_onboard_questionnaire_submit = 33;
+ AssistExecutionEvent assist_execution = 34;
+ AssistNewConversationEvent assist_new_conversation = 35;
+ ResourceCreateEvent resource_create_event = 36;
+ FeatureRecommendationEvent feature_recommendation_event = 37;
+ AssistAccessRequest assist_access_request = 38;
+ AssistAction assist_action = 39;
+ AccessListCreate access_list_create = 40;
+ AccessListUpdate access_list_update = 41;
+ AccessListDelete access_list_delete = 42;
+ AccessListMemberCreate access_list_member_create = 43;
+ AccessListMemberUpdate access_list_member_update = 44;
+ AccessListMemberDelete access_list_member_delete = 45;
+ AccessListGrantsToUser access_list_grants_to_user = 46;
+ UIDiscoverEC2InstanceSelectionEvent ui_discover_ec2_instance_selection = 47;
+ UIDiscoverDeployEICEEvent ui_discover_deploy_eice = 48;
+ UIDiscoverCreateNodeEvent ui_discover_create_node = 49;
+ TAGExecuteQueryEvent tag_execute_query = 50;
+ SecurityReportGetResultEvent security_report_get_result = 51;
+ AccessListReviewCreate access_list_review_create = 52;
+ AccessListReviewDelete access_list_review_delete = 53;
+ DiscoveryFetchEvent discovery_fetch_event = 54;
+ UIDiscoverCreateDiscoveryConfigEvent ui_discover_create_discovery_config = 55;
+ UIDiscoverKubeEKSEnrollEvent ui_discover_kube_eks_enroll_event = 56;
+ UIDiscoverCreateAppServerEvent ui_discover_create_app_server_event = 57;
+ AccessGraphAWSScanEvent access_graph_aws_scan_event = 58;
+ UIAccessGraphCrownJewelDiffViewEvent ui_access_graph_crown_jewel_diff_view = 59;
+ UserTaskStateEvent user_task_state_event = 60;
+ UIIntegrationEnrollStepEvent ui_integration_enroll_step_event = 61;
+ }
+ reserved 2; //UIOnboardGetStartedClickEvent
+ reserved "ui_onboard_get_started_click";
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userloginstate/v1/userloginstate.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userloginstate/v1/userloginstate.proto
new file mode 100644
index 0000000000000..85e8401161b80
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userloginstate/v1/userloginstate.proto
@@ -0,0 +1,63 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userloginstate.v1;
+
+import "teleport/header/v1/resourceheader.proto";
+import "teleport/trait/v1/trait.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/userloginstate/v1;userloginstatev1";
+
+// UserLoginState describes the ephemeral user login state for a user.
+message UserLoginState {
+ // header is the header for the resource.
+ teleport.header.v1.ResourceHeader header = 1;
+
+ // spec is the specification for the user login state.
+ Spec spec = 2;
+}
+
+// Spec is the specification for a user login state.
+message Spec {
+ // roles are the user roles attached to the user.
+ repeated string roles = 1;
+
+ // traits are the traits attached to the user.
+ repeated teleport.trait.v1.Trait traits = 2;
+
+ // user_type is the type of user this state represents.
+ string user_type = 3;
+
+ // original_roles are the user roles that are part of the user's static definition. These roles are
+ // not affected by access granted by access lists and are obtained prior to granting access list access.
+ repeated string original_roles = 4;
+
+ // original_traits are the user traits that are part of the user's static definition. These traits are
+ // not affected by access granted by access lists and are obtained prior to granting access list access.
+ repeated teleport.trait.v1.Trait original_traits = 5;
+
+ // GitHubIdentity is the external identity attached to this user state.
+ ExternalIdentity git_hub_identity = 6;
+}
+
+// ExternalIdentity defines an external identity attached to this user state.
+message ExternalIdentity {
+ // UserId is the unique identifier of the external identity such as GitHub user
+ // ID.
+ string user_id = 1;
+ // Username is the username of the external identity.
+ string username = 2;
+}
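Review bot: The leading comments on `git_hub_identity`, `user_id` and `username` name Go-style identifiers (`GitHubIdentity`, `UserId`, `Username`) rather than the proto field names, so doc generators attach a comment whose subject does not match the field it describes, while the rest of the file (`roles`, `traits`, `user_type`, `original_roles`) uses the snake_case field name. They should read `// git_hub_identity is the external (GitHub) identity attached to this user state.`, `// user_id is the unique identifier of the external identity, such as the GitHub user ID.` and `// username is the username of the external identity.`. The same drift appears in assist.proto (`preferredLogins`, `viewMode`) and onboard.proto (`preferredResources`, `marketingParams`). If these testdata files are copies of the canonical API protos, the wording fix belongs in the originals and the fixtures should be regenerated from them.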
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userloginstate/v1/userloginstate_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userloginstate/v1/userloginstate_service.proto
new file mode 100644
index 0000000000000..2c2d203d4efa5
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userloginstate/v1/userloginstate_service.proto
@@ -0,0 +1,66 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userloginstate.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/userloginstate/v1/userloginstate.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/userloginstate/v1;userloginstatev1";
+
+// UserLoginStateService provides CRUD methods for user login state resources.
+service UserLoginStateService {
+ // GetUserLoginStates returns a list of all user login states.
+ rpc GetUserLoginStates(GetUserLoginStatesRequest) returns (GetUserLoginStatesResponse);
+ // GetUserLoginState returns the specified user login state resource.
+ rpc GetUserLoginState(GetUserLoginStateRequest) returns (UserLoginState);
+ // UpsertUserLoginState creates or updates a user login state resource.
+ rpc UpsertUserLoginState(UpsertUserLoginStateRequest) returns (UserLoginState);
+ // DeleteUserLoginState hard deletes the specified user login state resource.
+ rpc DeleteUserLoginState(DeleteUserLoginStateRequest) returns (google.protobuf.Empty);
+ // DeleteAllUserLoginStates hard deletes all user login states.
+ rpc DeleteAllUserLoginStates(DeleteAllUserLoginStatesRequest) returns (google.protobuf.Empty);
+}
+
+// GetUserLoginStatesRequest is the request for getting all user login states.
+message GetUserLoginStatesRequest {}
+
+// GetUserLoginStatesResponse is the response for getting all user login states.
+message GetUserLoginStatesResponse {
+ // user_login_states is the list of user login states.
+ repeated UserLoginState user_login_states = 1;
+}
+
+// GetUserLoginStateRequest is the request for retrieving a user login state.
+message GetUserLoginStateRequest {
+ // name is the name of the user login state to retrieve.
+ string name = 1;
+}
+
+// UpsertUserLoginStateRequest is the request for upserting a user login state.
+message UpsertUserLoginStateRequest {
+ // user_login_state is the user login state to upsert.
+ UserLoginState user_login_state = 1;
+}
+
+// DeleteUserLoginStateRequest is the request for deleting a user login state.
+message DeleteUserLoginStateRequest {
+ // name is the name of the user login state to delete.
+ string name = 1;
+}
+
+// DeleteAllUserLoginStatesRequest is the request for deleting all user login states.
+message DeleteAllUserLoginStatesRequest {}
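Review bot: GetUserLoginStates returns every user login state in a single `repeated UserLoginState user_login_states` with no page token, so the response grows with the number of users and a large cluster can push it toward the default parser size limit; if this fixture mirrors a published API the signature cannot change here, but a `page_size`/`next_page_token` pair on a new method would be the forward-compatible fix. The two Delete RPCs return `google.protobuf.Empty` instead of a dedicated response message, which is wire-safe as is but prevents adding response fields later — worth avoiding on any new method added to this service. DeleteAllUserLoginStates is a cluster-wide destructive call, and its comment should state who is expected to call it and what it takes down, e.g. `// DeleteAllUserLoginStates hard deletes all user login states in the cluster; callers need the corresponding delete permission on the resource.` — confirm the authorization wording against the server implementation.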
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/access_graph.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/access_graph.proto
new file mode 100644
index 0000000000000..bc3c0f5728664
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/access_graph.proto
@@ -0,0 +1,26 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userpreferences.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1;userpreferencesv1";
+
+// AccessGraphUserPreferences is the user preferences for Access Graph.
+message AccessGraphUserPreferences {
+ // has_been_redirected is true if the user has already been redirected to the Access Graph
+ // on login, after having signed up for a trial from the Teleport Policy page.
+ bool has_been_redirected = 1;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/assist.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/assist.proto
new file mode 100644
index 0000000000000..2897dfad5ad96
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/assist.proto
@@ -0,0 +1,40 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userpreferences.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1;userpreferencesv1";
+
+// AssistViewMode is the way the assistant is displayed.
+enum AssistViewMode {
+ ASSIST_VIEW_MODE_UNSPECIFIED = 0;
+ // DOCKED is the assistant is docked to the right hand side of the screen.
+ ASSIST_VIEW_MODE_DOCKED = 1;
+ // POPUP is the assistant is displayed as a popup.
+ ASSIST_VIEW_MODE_POPUP = 2;
+ // POPUP_EXPANDED is the assistant is displayed as a popup and expanded.
+ ASSIST_VIEW_MODE_POPUP_EXPANDED = 3;
+ // POPUP_EXPANDED_SIDEBAR_VISIBLE is the assistant is displayed as a popup and expanded with the sidebar visible.
+ ASSIST_VIEW_MODE_POPUP_EXPANDED_SIDEBAR_VISIBLE = 4;
+}
+
+// AssistUserPreferences is the user preferences for Assist.
+message AssistUserPreferences {
+ // preferredLogins is an array of the logins a user would prefer to use when running a command, ordered by preference.
+ repeated string preferred_logins = 1;
+ // viewMode is the way the assistant is displayed.
+ AssistViewMode view_mode = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/cluster_preferences.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/cluster_preferences.proto
new file mode 100644
index 0000000000000..cd9d6cc1b7d64
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/cluster_preferences.proto
@@ -0,0 +1,32 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userpreferences.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1;userpreferencesv1";
+
+// PinnedResourcesUserPreferences is a collection of resource IDs that will be
+// displayed in the user's pinned resources tab in the Web UI.
+message PinnedResourcesUserPreferences {
+ // resource_ids is a list of unified resource name sort keys.
+ repeated string resource_ids = 1;
+}
+
+// ClusterUserPreferences are user preferences saved per cluster.
+message ClusterUserPreferences {
+ // pinned_resources is a list of pinned resources.
+ PinnedResourcesUserPreferences pinned_resources = 1;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/discover_resource_preferences.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/discover_resource_preferences.proto
new file mode 100644
index 0000000000000..97431bcea1307
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/discover_resource_preferences.proto
@@ -0,0 +1,33 @@
+// Copyright 2025 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userpreferences.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1;userpreferencesv1";
+
+// DiscoverGuide defines preferences related to discover guides.
+message DiscoverGuide {
+ // pinned is a list of ids of pinned guides.
+ repeated string pinned = 1;
+}
+
+// DiscoverResourcePreferences holds preferences related to discovering resource.
+message DiscoverResourcePreferences {
+ reserved 1;
+ reserved "pinned_guides";
+ // discover_guide defines preferences related to discover guides.
+ DiscoverGuide discover_guide = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/onboard.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/onboard.proto
new file mode 100644
index 0000000000000..352f0366b1820
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/onboard.proto
@@ -0,0 +1,51 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userpreferences.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1;userpreferencesv1";
+
+// Resources are the Resource options in the onboarding questionnaire
+enum Resource {
+ RESOURCE_UNSPECIFIED = 0;
+ RESOURCE_WINDOWS_DESKTOPS = 1;
+ RESOURCE_SERVER_SSH = 2;
+ RESOURCE_DATABASES = 3;
+ RESOURCE_KUBERNETES = 4;
+ RESOURCE_WEB_APPLICATIONS = 5;
+}
+
+// MarketingParams are the parameters associated with a user via marketing campaign at the time of sign up.
+// They contain both traditional Urchin Tracking Module (UTM) parameters as well as custom parameters.
+message MarketingParams {
+ // campaign is the UTM campaign parameter which identifies a specific product promotion
+ string campaign = 1;
+ // source is the UTM source parameter which identifies which site sent the traffic
+ string source = 2;
+ // medium is the UTM medium parameter which identifies what type of link was used
+ string medium = 3;
+ // intent is the internal query param, which identifies any additional marketing intentions
+ // via internally set and directed parameters.
+ string intent = 4;
+}
+
+// OnboardUserPreferences is the user preferences selected during onboarding.
+message OnboardUserPreferences {
+ // preferredResources is an array of the resources a user selected during their onboarding questionnaire.
+ repeated Resource preferred_resources = 1;
+ // marketingParams are the parameters associated with a user via marketing campaign at the time of sign up
+ MarketingParams marketing_params = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/sidenav_preferences.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/sidenav_preferences.proto
new file mode 100644
index 0000000000000..728b90c4d3598
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/sidenav_preferences.proto
@@ -0,0 +1,28 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userpreferences.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1;userpreferencesv1";
+
+// SideNavDrawerMode is the sidenav drawer behavior preference in the frontend.
+enum SideNavDrawerMode {
+ SIDE_NAV_DRAWER_MODE_UNSPECIFIED = 0;
+ // SIDE_NAV_DRAWER_MODE_COLLAPSED means the sidenav drawer collapses automatically when no longer hovering over it.
+ SIDE_NAV_DRAWER_MODE_COLLAPSED = 1;
+ // SIDE_NAV_DRAWER_MODE_STICKY means the sidenav drawer remains expanded at all times.
+ SIDE_NAV_DRAWER_MODE_STICKY = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/theme.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/theme.proto
new file mode 100644
index 0000000000000..236c71a54b7a4
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/theme.proto
@@ -0,0 +1,28 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userpreferences.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1;userpreferencesv1";
+
+// Theme is a frontend theme.
+enum Theme {
+ THEME_UNSPECIFIED = 0;
+ // THEME_LIGHT is the light theme.
+ THEME_LIGHT = 1;
+ // THEME_DARK is the dark theme.
+ THEME_DARK = 2;
+}
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/unified_resource_preferences.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/unified_resource_preferences.proto
new file mode 100644
index 0000000000000..076ee0857a9e1
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/unified_resource_preferences.proto
@@ -0,0 +1,67 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userpreferences.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1;userpreferencesv1";
+
+// UnifiedResourcePreferences are preferences used in the Unified Resource web UI
+message UnifiedResourcePreferences {
+ // default_tab is the default tab selected in the unified resource web UI
+ DefaultTab default_tab = 1;
+ // view_mode is the view mode selected in the unified resource Web UI
+ ViewMode view_mode = 2;
+ // labels_view_mode is whether the labels for resources should all be collapsed or expanded in the unified resource Web UI list view.
+ LabelsViewMode labels_view_mode = 3;
+ // available_resource_mode specifies which option in the availability filter menu the user has selected, if any
+ AvailableResourceMode available_resource_mode = 4;
+}
+
+// DefaultTab is the default tab selected in the unified resource web UI
+enum DefaultTab {
+ DEFAULT_TAB_UNSPECIFIED = 0;
+ // ALL is all resources
+ DEFAULT_TAB_ALL = 1;
+ // PINNED is only pinned resources
+ DEFAULT_TAB_PINNED = 2;
+}
+
+// ViewMode is the view mode selected in the unified resource Web UI
+enum ViewMode {
+ VIEW_MODE_UNSPECIFIED = 0;
+ // CARD is the card view
+ VIEW_MODE_CARD = 1;
+ // LIST is the list view
+ VIEW_MODE_LIST = 2;
+}
+
+/** LabelsViewMode is whether the labels for resources should all be collapsed or expanded. This only applies to the list view. */
+enum LabelsViewMode {
+ LABELS_VIEW_MODE_UNSPECIFIED = 0;
+ // EXPANDED is the expanded state which shows all labels for every resource.
+ LABELS_VIEW_MODE_EXPANDED = 1;
+ // COLLAPSED is the collapsed state which hides all labels for every resource.
+ LABELS_VIEW_MODE_COLLAPSED = 2;
+}
+
+/** AvailableResourceMode specifies which option in the availability filter menu the user has selected, if any */
+enum AvailableResourceMode {
+ AVAILABLE_RESOURCE_MODE_UNSPECIFIED = 0;
+ AVAILABLE_RESOURCE_MODE_ALL = 1;
+ AVAILABLE_RESOURCE_MODE_ACCESSIBLE = 2;
+ AVAILABLE_RESOURCE_MODE_REQUESTABLE = 3;
+ AVAILABLE_RESOURCE_MODE_NONE = 4;
+}
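Review bot: `LabelsViewMode` and `AvailableResourceMode` are documented with `/** … */` block comments while every other element in this file and its siblings uses `//` leading comments; protoc attaches both forms, but the mixed style should be normalized to `// LabelsViewMode is whether the labels for resources should all be collapsed or expanded. This only applies to the list view.` and `// AvailableResourceMode specifies which option in the availability filter menu the user has selected, if any`. The four non-zero `AvailableResourceMode` values carry no comments, unlike `DefaultTab`, `ViewMode` and `LabelsViewMode` in the same file; one line per value saying what ALL, ACCESSIBLE, REQUESTABLE and NONE select in the filter would make the enum self-describing for generated docs.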
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/userpreferences.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/userpreferences.proto
new file mode 100644
index 0000000000000..b2926d07f1098
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userpreferences/v1/userpreferences.proto
@@ -0,0 +1,78 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userpreferences.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/userpreferences/v1/access_graph.proto";
+import "teleport/userpreferences/v1/cluster_preferences.proto";
+import "teleport/userpreferences/v1/discover_resource_preferences.proto";
+import "teleport/userpreferences/v1/onboard.proto";
+import "teleport/userpreferences/v1/sidenav_preferences.proto";
+import "teleport/userpreferences/v1/theme.proto";
+import "teleport/userpreferences/v1/unified_resource_preferences.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1;userpreferencesv1";
+
+// UserPreferences is a collection of different user changeable preferences for the frontend.
+message UserPreferences {
+ // assist is the preferences for the Teleport Assist.
+ reserved 1;
+ reserved "assist";
+ // theme is the theme of the frontend.
+ Theme theme = 2;
+ // onboard is the preferences from the onboarding questionnaire.
+ v1.OnboardUserPreferences onboard = 3;
+ // cluster_preferences are user preferences saved per cluster.
+ v1.ClusterUserPreferences cluster_preferences = 4;
+ // unified_resource_preferences are user preferences saved for the Unified Resource web UI
+ UnifiedResourcePreferences unified_resource_preferences = 5;
+ // access_graph is the preferences for Access Graph.
+ AccessGraphUserPreferences access_graph = 6;
+ // side_nav_drawer_mode is the sidenav drawer behavior preference in the frontend.
+ SideNavDrawerMode side_nav_drawer_mode = 7;
+ // discover_resource_preferences are user preferences saved for the discover resource web UI.
+ DiscoverResourcePreferences discover_resource_preferences = 8;
+}
+
+// GetUserPreferencesRequest is a request to get the user preferences.
+message GetUserPreferencesRequest {
+ reserved 1;
+ reserved "username";
+}
+
+// GetUserPreferencesResponse is a response to get the user preferences.
+message GetUserPreferencesResponse {
+ // preferences is the user preferences.
+ UserPreferences preferences = 1;
+}
+
+// UpsertUserPreferencesRequest is a request to create or update the user preferences.
+message UpsertUserPreferencesRequest {
+ // preferences is the new user preferences to set.
+ UserPreferences preferences = 1;
+
+ reserved 2;
+ reserved "username";
+}
+
+// UserPreferencesService is a service that stores user settings.
+service UserPreferencesService {
+ // GetUserPreferences returns the user preferences for a given user.
+ rpc GetUserPreferences(GetUserPreferencesRequest) returns (GetUserPreferencesResponse);
+ // UpsertUserPreferences creates or updates user preferences for a given username.
+ rpc UpsertUserPreferences(UpsertUserPreferencesRequest) returns (google.protobuf.Empty);
+}
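Review bot: The comments on GetUserPreferences ("for a given user") and UpsertUserPreferences ("for a given username") describe a parameter the requests no longer carry — `username` is reserved in both GetUserPreferencesRequest (field 1) and UpsertUserPreferencesRequest (field 2). Presumably the target user is now derived from the authenticated caller rather than the request body, which is the safer shape since a client can no longer name another user's preferences; the RPC comments should say so, e.g. `// GetUserPreferences returns the preferences of the calling user.` and `// UpsertUserPreferences creates or updates the preferences of the calling user.` — confirm against the server implementation before changing the wording. Likewise `// assist is the preferences for the Teleport Assist.` now sits above `reserved 1;` and documents a field that no longer exists; `// Field 1 ("assist") held the Teleport Assist preferences and is retired; do not reuse.` would read correctly. Minor: `onboard` and `cluster_preferences` are typed with a `v1.` package prefix while the sibling fields use bare type names from the same package; pick one form.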
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userprovisioning/v2/statichostuser.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userprovisioning/v2/statichostuser.proto
new file mode 100644
index 0000000000000..8c1757debc724
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userprovisioning/v2/statichostuser.proto
@@ -0,0 +1,65 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userprovisioning.v2;
+
+import "teleport/header/v1/metadata.proto";
+import "teleport/label/v1/label.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/userprovisioning/v2;userprovisioningv2";
+
+// StaticHostUser is a resource that represents host users that should be
+// created on matching nodes.
+message StaticHostUser {
+ // kind is a resource kind.
+ string kind = 1;
+ // sub_kind is an optional resource sub kind, used in some resources.
+ string sub_kind = 2;
+ // version is the resource version. It must be specified.
+ // Supported values are: `v2`.
+ string version = 3;
+ // metadata is resource metadata.
+ teleport.header.v1.Metadata metadata = 4;
+ // spec is the static host user spec.
+ StaticHostUserSpec spec = 5;
+}
+
+// Matcher is a matcher for nodes to add the user to.
+message Matcher {
+ // node_labels is a map of node labels that will create a user from this
+ // resource.
+ repeated teleport.label.v1.Label node_labels = 1;
+ // node_labels_expression is a predicate expression to create a user from
+ // this resource.
+ string node_labels_expression = 2;
+ // groups is a list of additional groups to add the user to.
+ repeated string groups = 3;
+ // sudoers is a list of sudoer entries to add.
+ repeated string sudoers = 4;
+ // uid is the new user's uid.
+ int64 uid = 5;
+ // gid is the new user's gid.
+ int64 gid = 6;
+ // default_shell is the new user's default shell
+ string default_shell = 7;
+ // take_ownership_if_user_exists will take ownership of existing, unmanaged users
+ bool take_ownership_if_user_exists = 8;
+}
+
+// StaticHostUserSpec is the static host user spec.
+message StaticHostUserSpec {
+ repeated Matcher matchers = 1;
+}
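Review bot: `Matcher` does not say what happens when both `node_labels` and `node_labels_expression` are empty; if an empty matcher matches every node, one resource would create an account with `sudoers` entries, and optionally take over an existing account via `take_ownership_if_user_exists`, across the whole fleet, so the doc comment should state the empty-matcher semantics explicitly. I would also expand `sudoers` to `// sudoers is a list of sudoers entries that will be written for this user on every matching node.` and say on `take_ownership_if_user_exists` what ownership of an existing, possibly privileged, unmanaged host user entails (presumably Teleport then manages its groups, sudoers and shell), since the current one-liners hide the blast radius. `uid` and `gid` are `int64` although POSIX ids are non-negative; changing the wire type now would be breaking, so at least document how the server treats negative values. If this file mirrors the canonical api/proto definition, the wording belongs there and should be copied here.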
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/userprovisioning/v2/statichostuser_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/userprovisioning/v2/statichostuser_service.proto
new file mode 100644
index 0000000000000..a6b116502f292
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/userprovisioning/v2/statichostuser_service.proto
@@ -0,0 +1,91 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.userprovisioning.v2;
+
+import "google/protobuf/empty.proto";
+import "teleport/userprovisioning/v2/statichostuser.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/userprovisioning/v2;userprovisioningv2";
+
+// StaticHostUsersService provides methods to manage static host users.
+service StaticHostUsersService {
+ // GetStaticHostUser retrieves a static host user resource by name.
+ rpc GetStaticHostUser(GetStaticHostUserRequest) returns (StaticHostUser);
+ // ListStaticHostUsers gets all existing static host users.
+ rpc ListStaticHostUsers(ListStaticHostUsersRequest) returns (ListStaticHostUsersResponse);
+ // CreateStaticHostUser creates a static host user if one does not already exist.
+ rpc CreateStaticHostUser(CreateStaticHostUserRequest) returns (StaticHostUser);
+ // UpdateStaticHostUser updates an existing static host user.
+ rpc UpdateStaticHostUser(UpdateStaticHostUserRequest) returns (StaticHostUser);
+ // UpsertStaticHostUser creates a new static host user or forcefully updates an existing static host user.
+ rpc UpsertStaticHostUser(UpsertStaticHostUserRequest) returns (StaticHostUser);
+ // DeleteStaticHostUser removes an existing static host user resource by name.
+ rpc DeleteStaticHostUser(DeleteStaticHostUserRequest) returns (google.protobuf.Empty);
+}
+
+// Request for GetStaticHostUser.
+message GetStaticHostUserRequest {
+ // Name of the user to retrieve, this take priority over current_user.
+ string name = 1;
+}
+
+// Request for ListStaticHostUsers.
+//
+// Follows the pagination semantics of
+// https://cloud.google.com/apis/design/standard_methods#list.
+message ListStaticHostUsersRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+
+ // The next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+}
+
+// Response for ListStaticHostUsers.
+message ListStaticHostUsersResponse {
+ // Static host users that matched the search.
+ repeated StaticHostUser users = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// Request for CreateStaticHostUser.
+message CreateStaticHostUserRequest {
+ // The static host user resource to create.
+ StaticHostUser user = 1;
+}
+
+// Request for UpdateStaticHostUser.
+message UpdateStaticHostUserRequest {
+ // The static host user resource to update.
+ StaticHostUser user = 2;
+}
+
+// Request for UpsertStaticHostUser.
+message UpsertStaticHostUserRequest {
+ // The static host user resource to upsert.
+ StaticHostUser user = 2;
+}
+
+// Request for DeleteStaticHostUser.
+message DeleteStaticHostUserRequest {
+ // Name of the user resource to remove.
+ string name = 1;
+}
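Review bot: The comment on `GetStaticHostUserRequest.name` (`this take priority over current_user`) is copied from the users service; there is no `current_user` field in this message, so it should read `// Name of the static host user resource to retrieve.`. `UpdateStaticHostUserRequest` and `UpsertStaticHostUserRequest` number their only field `2` and leave `1` unused without a `reserved 1;`, while `CreateStaticHostUserRequest.user` is `1`; if `1` never carried anything on the wire, start at `1`, otherwise reserve it so the gap is not reused by accident. The create/update/upsert RPC comments say nothing about validation of the `user` payload before it results in host accounts; a pointer to where the server validates it would help readers of the schema.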
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/users/v1/users_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/users/v1/users_service.proto
new file mode 100644
index 0000000000000..20ac9c60e79c5
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/users/v1/users_service.proto
@@ -0,0 +1,128 @@
+// Copyright 2022 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.users.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/users/v1;usersv1";
+
+// UsersService provides methods to manage Teleport users.
+service UsersService {
+ // GetUser retrieves a user by name or looks up the current user if requested.
+ rpc GetUser(GetUserRequest) returns (GetUserResponse);
+ // ListUsers gets all existing users.
+ rpc ListUsers(ListUsersRequest) returns (ListUsersResponse);
+ // CreateUser creates a user if one does not already exist.
+ rpc CreateUser(CreateUserRequest) returns (CreateUserResponse);
+ // UpdateUser updates an existing user.
+ rpc UpdateUser(UpdateUserRequest) returns (UpdateUserResponse);
+ // UpsertUser creates a new user or forcefully updates an existing user.
+ rpc UpsertUser(UpsertUserRequest) returns (UpsertUserResponse);
+ // DeleteUser removes an existing user by name.
+ rpc DeleteUser(DeleteUserRequest) returns (google.protobuf.Empty);
+}
+
+// Request for GetUser.
+message GetUserRequest {
+ // Name of the user to retrieve, this take priority over current_user.
+ string name = 1;
+
+ // Whether to return the current user. If the name is provided
+ // then this field is ignored.
+ bool current_user = 2;
+
+ // Specifies whether to load associated secrets(password, mfa devices, etc.).
+ bool with_secrets = 3;
+}
+
+// Response for GetUser.
+message GetUserResponse {
+ // The user matching the request filters.
+ types.UserV2 user = 1;
+}
+
+// Request for ListUsers.
+//
+// Follows the pagination semantics of
+// https://cloud.google.com/apis/design/standard_methods#list.
+message ListUsersRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+
+ // The next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+
+ // Specifies whether to load associated secrets(password, mfa devices, etc.).
+ bool with_secrets = 3;
+
+ // Filter matches users.
+ types.UserFilter filter = 4;
+}
+
+// Response for ListUsers.
+message ListUsersResponse {
+ // Users that matched the search.
+ repeated types.UserV2 users = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// Request for CreateUser.
+message CreateUserRequest {
+ // The user resource to create.
+ types.UserV2 user = 1;
+}
+
+// Response for CreateUser.
+message CreateUserResponse {
+ // The created user with any server side generated fields populated.
+ types.UserV2 user = 1;
+}
+
+// Request for UpdateUser.
+message UpdateUserRequest {
+ // The user resource to update.
+ types.UserV2 user = 2;
+}
+
+// Response for UpdateUser.
+message UpdateUserResponse {
+ // The updated user with any server side generated fields populated.
+ types.UserV2 user = 1;
+}
+
+// Request for UpsertUser.
+message UpsertUserRequest {
+ // The user resource to upsert.
+ types.UserV2 user = 2;
+}
+
+// Response for UpsertUser.
+message UpsertUserResponse {
+ // The upserted user with any server side generated fields populated.
+ types.UserV2 user = 1;
+}
+
+// Request for DeleteUser.
+message DeleteUserRequest {
+ // Name of the user to remove.
+ string name = 1;
+}
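Review bot: `with_secrets` on `GetUserRequest` and `ListUsersRequest` makes the response carry password and MFA device material, but neither comment says that the result then contains credentials that must not be logged or cached, or where the server enforces who may set it; I would extend both to `// Specifies whether to load associated secrets (password, MFA devices, etc.). Responses with secrets contain credential material; request them only when needed.` and add a pointer to the authorization check, which is not visible here. `UpdateUserRequest.user` and `UpsertUserRequest.user` are numbered `2` with `1` unused and not reserved, inconsistent with `CreateUserRequest.user = 1`; add `reserved 1;` if it once carried something, otherwise the gap is just confusing. Minor: `this take priority` should be `this takes priority`.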
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/usertasks/v1/user_tasks.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/usertasks/v1/user_tasks.proto
new file mode 100644
index 0000000000000..546b265e65768
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/usertasks/v1/user_tasks.proto
@@ -0,0 +1,167 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.usertasks.v1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/usertasks/v1;usertasksv1";
+
+// UserTask is a resource that represents an action to be completed by the user.
+// UserTasks are a unit of work for users to act upon issues related to other resources.
+// As an example, when auto-enrolling EC2 instances using the Discovery Service
+// a UserTask is created to let the user know that something failed on a set of instances.
+// The user can then mark the task as resolved after following the recommendation/fixing steps.
+message UserTask {
+ // The kind of resource represented.
+ string kind = 1;
+ // Mandatory field for all resources. Not populated for this resource type.
+ string sub_kind = 2;
+ // The version of the resource being represented.
+ string version = 3;
+ // Common metadata that all resources share.
+ teleport.header.v1.Metadata metadata = 4;
+ // The configured properties of UserTask.
+ UserTaskSpec spec = 5;
+ // The current status for this UserTask.
+ UserTaskStatus status = 6;
+}
+
+// UserTaskSpec contains the properties of the UserTask.
+message UserTaskSpec {
+ // Integration is the integration name that originated this task.
+ string integration = 1;
+ // TaskType indicates the type of task.
+ // Examples: discover-ec2, discover-rds, discover-eks
+ string task_type = 2;
+ // IssueType is an identifier for the type of issue that happened.
+ // Example for discover-ec2: SSM_AGENT_NOT_AVAILABLE
+ string issue_type = 3;
+ // State indicates the task state.
+ // When the task is created, it starts with OPEN.
+ // Users can mark it as RESOLVED.
+ // If the issue happens again (eg, new discover iteration faces the same error), it will move to OPEN again.
+ string state = 4;
+ // DiscoverEC2 contains the AWS EC2 instances that failed to auto enroll into the cluster.
+ // Present when TaskType is discover-ec2.
+ DiscoverEC2 discover_ec2 = 5;
+ // DiscoverEKS contains the AWS EKS clusters that failed to auto enroll into the cluster.
+ // Present when TaskType is discover-eks.
+ DiscoverEKS discover_eks = 6;
+ // DiscoverRDS contains the AWS RDS databases that failed to auto enroll into the cluster.
+ // Present when TaskType is discover-rds.
+ DiscoverRDS discover_rds = 7;
+}
+
+// UserTaskStatus contains the current status for the UserTask.
+message UserTaskStatus {
+ // LastStateChange is the timestamp when the UserTask state was last modified.
+ google.protobuf.Timestamp last_state_change = 1;
+}
+
+// DiscoverEC2 contains the instances that failed to auto-enroll into the cluster.
+message DiscoverEC2 {
+ // Instances maps an instance id to the result of enrolling that instance into teleport.
+ map instances = 1;
+ // AccountID is the AWS Account ID for the instances.
+ string account_id = 2;
+ // Region is the AWS Region where Teleport failed to enroll EC2 instances.
+ string region = 3;
+ // SSMDocument is the Amazon Systems Manager SSM Document name that was used to install teleport on the instance.
+ // In Amazon console, the document is at:
+ // https://REGION.console.aws.amazon.com/systems-manager/documents/SSM_DOCUMENT/description
+ string ssm_document = 4;
+ // InstallerScript is the Teleport installer script that was used to install teleport on the instance.
+ string installer_script = 5;
+}
+
+// DiscoverEC2Instance contains the result of enrolling an AWS EC2 Instance.
+message DiscoverEC2Instance {
+ // AccountID and Region were moved into the DiscoverEC2 message.
+ reserved 3, 4;
+ reserved "account_id", "region";
+
+ // InstanceID is the EC2 Instance ID that uniquely identifies the instance.
+ string instance_id = 1;
+ // Name is the instance Name.
+ // Might be empty, if the instance doesn't have the Name tag.
+ string name = 2;
+ // InvocationURL is the URL that points to the invocation.
+ // Empty if there was an error before installing the
+ string invocation_url = 5;
+ // DiscoveryConfig is the discovery config name that originated this instance enrollment.
+ string discovery_config = 6;
+ // DiscoveryGroup is the DiscoveryGroup name that originated this task.
+ string discovery_group = 7;
+ // SyncTime is the timestamp when the error was produced.
+ google.protobuf.Timestamp sync_time = 8;
+}
+
+// DiscoverEKS contains the clusters that failed to auto-enroll into the cluster.
+message DiscoverEKS {
+ // Clusters maps a cluster name to the result of enrolling that cluster into teleport.
+ map clusters = 1;
+ // AccountID is the AWS Account ID for the cluster.
+ string account_id = 2;
+ // Region is the AWS Region where Teleport failed to enroll EKS Clusters.
+ string region = 3;
+ // AppAutoDiscover indicates whether the Kubernetes agent should auto enroll HTTP services as Teleport Apps.
+ bool app_auto_discover = 4;
+}
+
+// DiscoverEKSCluster contains the result of enrolling an AWS EKS Cluster.
+message DiscoverEKSCluster {
+ // Name is the cluster Name.
+ string name = 1;
+ // DiscoveryConfig is the discovery config name that originated this cluster enrollment.
+ string discovery_config = 2;
+ // DiscoveryGroup is the DiscoveryGroup name that originated this task.
+ string discovery_group = 3;
+ // SyncTime is the timestamp when the error was produced.
+ google.protobuf.Timestamp sync_time = 4;
+}
+
+// DiscoverRDS contains the databases that failed to auto-enroll into teleport.
+message DiscoverRDS {
+ // Databases maps a database resource id to the result of enrolling that database into teleport.
+ // For RDS Aurora Clusters, this is the DBClusterIdentifier.
+ // For other RDS databases, this is the DBInstanceIdentifier.
+ map databases = 1;
+ // AccountID is the AWS Account ID for the database.
+ string account_id = 2;
+ // Region is the AWS Region where Teleport failed to enroll RDS databases.
+ string region = 3;
+}
+
+// DiscoverRDSDatabase contains the result of enrolling an AWS RDS database.
+message DiscoverRDSDatabase {
+ // Name is the database identifier.
+ // For RDS Aurora Clusters, this is the DBClusterIdentifier.
+ // For other RDS databases, this is the DBInstanceIdentifier.
+ string name = 1;
+ // IsCluster indicates whether this database is a cluster or a single instance.
+ bool is_cluster = 2;
+ // Engine indicates the engine name for this RDS.
+ // Eg, aurora-postgresql, postgresql
+ string engine = 3;
+ // DiscoveryConfig is the discovery config name that originated this database enrollment.
+ string discovery_config = 4;
+ // DiscoveryGroup is the DiscoveryGroup name that originated this task.
+ string discovery_group = 5;
+ // SyncTime is the timestamp when the error was produced.
+ google.protobuf.Timestamp sync_time = 6;
+}
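Review bot: The `invocation_url` comment on `DiscoverEC2Instance` ends mid-sentence (`Empty if there was an error before installing the`); finish the thought, e.g. `// Empty if there was an error before the SSM command was invoked on the instance.`, after confirming that is the actual condition. `state`, `task_type` and `issue_type` are free-form strings whose allowed values live only in comments; an enum would be a wire break on a published v1 field, but the `state` comment should at least say whether the server rejects values other than `OPEN` and `RESOLVED`. As rendered here the map fields (`map instances = 1;`, `map clusters = 1;`, `map databases = 1;`) have lost their key/value type parameters and would not parse; this is likely an extraction artifact, but worth checking against the source.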
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/usertasks/v1/user_tasks_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/usertasks/v1/user_tasks_service.proto
new file mode 100644
index 0000000000000..6ab8b8b371586
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/usertasks/v1/user_tasks_service.proto
@@ -0,0 +1,113 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.usertasks.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/usertasks/v1/user_tasks.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/usertasks/v1;usertasksv1";
+
+// UserTaskService is a service that provides methods to manage User Tasks.
+service UserTaskService {
+ // CreateUserTask creates a User Task.
+ rpc CreateUserTask(CreateUserTaskRequest) returns (teleport.usertasks.v1.UserTask);
+ // UpsertUserTask creates or updates User Task.
+ rpc UpsertUserTask(UpsertUserTaskRequest) returns (teleport.usertasks.v1.UserTask);
+ // GetUserTask gets a UserTask by name.
+ rpc GetUserTask(GetUserTaskRequest) returns (teleport.usertasks.v1.UserTask);
+ // ListUserTasks returns a list of UserTasks. It supports pagination and filters.
+ rpc ListUserTasks(ListUserTasksRequest) returns (ListUserTasksResponse);
+ // ListUserTasksByIntegration returns a list of UserTasks filtered by an integration and other optional fields. It supports pagination.
+ // Deprecated: Use ListUserTasks instead.
+ rpc ListUserTasksByIntegration(ListUserTasksByIntegrationRequest) returns (ListUserTasksResponse) {
+ // TODO(marco): DELETE IN v19.0.0
+ option deprecated = true;
+ }
+ // UpdateUserTask updates an existing User Task.
+ rpc UpdateUserTask(UpdateUserTaskRequest) returns (teleport.usertasks.v1.UserTask);
+ // DeleteUserTask deletes a User Task.
+ rpc DeleteUserTask(DeleteUserTaskRequest) returns (google.protobuf.Empty);
+}
+
+// CreateUserTaskRequest is a request to create a User Task.
+message CreateUserTaskRequest {
+ teleport.usertasks.v1.UserTask user_task = 1;
+}
+
+// UpsertUserTaskRequest is a request to create or update a User Task.
+message UpsertUserTaskRequest {
+ teleport.usertasks.v1.UserTask user_task = 1;
+}
+
+// GetUserTaskRequest is a request to get a User Task by name.
+message GetUserTaskRequest {
+ // Name is the name of the UserTask to get.
+ string name = 1;
+}
+
+// ListUserTasksRequest is a request to get a list of User Tasks.
+message ListUserTasksRequest {
+ // page_size is the maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int64 page_size = 1;
+ // page_token is the next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+ // filters is the set of filters to apply when listing User Tasks.
+ ListUserTasksFilters filters = 3;
+}
+
+// ListUserTasksFilters is a set of filters to apply when listing User Tasks.
+// All fields must match for a User Task to be included in the list.
+message ListUserTasksFilters {
+ // integration is the integration name that will be used to filter the returned list.
+ // If empty, this filter is not applied.
+ string integration = 1;
+ // task_state filters the returned tasks by their state.
+ // If empty, this filter is not applied.
+ string task_state = 2;
+}
+
+// ListUserTasksByIntegrationRequest is a request to get a list of User Tasks filtered by an Integration.
+message ListUserTasksByIntegrationRequest {
+ // page_size is the maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int64 page_size = 1;
+ // page_token is the next_page_token value returned from a previous List request, if any.
+ string page_token = 2;
+ // integration is the integration name that will be used to filter the returned list.
+ string integration = 3;
+}
+
+// ListUserTasksResponse is a response to ListUserTasks.
+message ListUserTasksResponse {
+ repeated teleport.usertasks.v1.UserTask user_tasks = 1;
+
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// UpdateUserTaskRequest is a request to update an existing User Task.
+message UpdateUserTaskRequest {
+ teleport.usertasks.v1.UserTask user_task = 1;
+}
+
+// DeleteUserTaskRequest is a request to delete a User Task.
+message DeleteUserTaskRequest {
+ // Name is the name of the User Task to delete.
+ string name = 1;
+}
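Review bot: The `user_task` field in `CreateUserTaskRequest`, `UpsertUserTaskRequest` and `UpdateUserTaskRequest` has no doc comment, unlike every other request field in this file; add `// user_task is the User Task resource to create.` and the update/upsert equivalents. `page_size` is `int64` in `ListUserTasksRequest` and `ListUserTasksByIntegrationRequest`, while the sibling services in this change (`ListUsersRequest`, `ListStaticHostUsersRequest`) use `int32`; changing it now would be a wire break, so the comment should instead say what happens to values beyond the server's cap. The deprecated `ListUserTasksByIntegration` RPC carries `option deprecated = true;` but `ListUserTasksByIntegrationRequest` does not, so the generated code warns on the call but not on the message; mark the message too.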
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/vnet/v1/vnet_config.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/vnet/v1/vnet_config.proto
new file mode 100644
index 0000000000000..883993294b1ab
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/vnet/v1/vnet_config.proto
@@ -0,0 +1,47 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.vnet.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/vnet/v1;vnet";
+
+// VnetConfig is a resource that holds configuration parameters for Teleport VNet.
+message VnetConfig {
+ string kind = 1;
+ string sub_kind = 2;
+ string version = 3;
+ teleport.header.v1.Metadata metadata = 4;
+
+ VnetConfigSpec spec = 5;
+}
+
+// VnetConfigSpec defines configuration parameters for VNet.
+message VnetConfigSpec {
+ // Ipv4CidrRange defines the IPv4 CIDR range that all IPv4 addresses for VNet
+ // apps in this cluster will be assigned from. The default is "100.64.0.0/10".
+ string ipv4_cidr_range = 1;
+ // CustomDnsZones defines a list of DNS zones that VNet should resolve requests for in addition to the
+ // cluster's public proxy address.
+ repeated CustomDNSZone custom_dns_zones = 2;
+}
+
+// CustomDNSZone defines parameters for custom DNS zones.
+message CustomDNSZone {
+ // Suffix is the hostname suffix that defines this zone.
+ string suffix = 1;
+}
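Review bot: `CustomDNSZone.suffix` decides which DNS names VNet answers for, but the comment does not say how matching works (exact zone or any name ending in the suffix) nor that a broad suffix such as a public TLD would make VNet intercept resolution of names outside the cluster on every client; I would write `// Suffix is the hostname suffix that defines this zone. Queries whose name ends in this suffix are resolved by VNet rather than the system resolver, so use a zone you control.` once the matching rule in the resolver is confirmed. The `kind`, `sub_kind`, `version` and `metadata` fields on `VnetConfig` are undocumented, unlike the same fields in `StaticHostUser` and `UserTask` in this change; copying those comments would be enough. The `ipv4_cidr_range` comment could also note that the default `100.64.0.0/10` is the RFC 6598 shared address space and that a range overlapping an existing client network will cause routing conflicts.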
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/vnet/v1/vnet_config_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/vnet/v1/vnet_config_service.proto
new file mode 100644
index 0000000000000..7e8a8b7b2b2fc
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/vnet/v1/vnet_config_service.proto
@@ -0,0 +1,64 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.vnet.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/vnet/v1/vnet_config.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/vnet/v1;vnet";
+
+// VnetConfigService provides an API to manage the singleton VnetConfig.
+service VnetConfigService {
+ // GetVnetConfig returns the specified VnetConfig.
+ rpc GetVnetConfig(GetVnetConfigRequest) returns (VnetConfig);
+
+ // CreateVnetConfig creates a new VnetConfig.
+ rpc CreateVnetConfig(CreateVnetConfigRequest) returns (VnetConfig);
+
+ // UpdateVnetConfig updates an existing VnetConfig.
+ rpc UpdateVnetConfig(UpdateVnetConfigRequest) returns (VnetConfig);
+
+ // UpsertVnetConfig creates a new VnetConfig or replaces an existing VnetConfig.
+ rpc UpsertVnetConfig(UpsertVnetConfigRequest) returns (VnetConfig);
+
+ // DeleteVnetConfig hard deletes the specified VnetConfig.
+ rpc DeleteVnetConfig(DeleteVnetConfigRequest) returns (google.protobuf.Empty);
+}
+
+// Request for GetVnetConfig.
+message GetVnetConfigRequest {}
+
+// Request for CreateVnetConfig.
+message CreateVnetConfigRequest {
+ // The VnetConfig resource to create.
+ VnetConfig vnet_config = 1;
+}
+
+// Request for UpdateVnetConfig.
+message UpdateVnetConfigRequest {
+ // The VnetConfig resource to create.
+ VnetConfig vnet_config = 1;
+}
+
+// Request for UpsertVnetConfig.
+message UpsertVnetConfigRequest {
+ // The VnetConfig resource to create.
+ VnetConfig vnet_config = 1;
+}
+
+// Request for DeleteVnetConfig.
+message DeleteVnetConfigRequest {}
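Review bot: The field comments on `UpdateVnetConfigRequest.vnet_config` and `UpsertVnetConfigRequest.vnet_config` both say `The VnetConfig resource to create.`, copied from the create request; they should read `// The VnetConfig resource to update.` and `// The VnetConfig resource to upsert.`. Since the service comment calls the VnetConfig a singleton and both `GetVnetConfigRequest` and `DeleteVnetConfigRequest` are empty, `returns the specified VnetConfig` and `hard deletes the specified VnetConfig` are misleading; `returns the cluster's VnetConfig` and `deletes the cluster's VnetConfig` describe what actually happens. A sentence on `DeleteVnetConfig` saying that clients then fall back to the defaults (the `100.64.0.0/10` range and no custom zones) would help, if that is the server behavior.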
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/attrs.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/attrs.proto
new file mode 100644
index 0000000000000..4635ed23cd903
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/attrs.proto
@@ -0,0 +1,151 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.workloadidentity.v1;
+
+import "teleport/trait/v1/trait.proto";
+import "teleport/workloadidentity/v1/join_attrs.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1;workloadidentityv1";
+
+// Attributes sourced from the Kubernetes workload attestor.
+message WorkloadAttrsKubernetes {
+ // Whether the workload passed Kubernetes attestation.
+ bool attested = 1;
+ // The namespace of the workload pod.
+ string namespace = 2;
+ // The name of the workload pod.
+ string pod_name = 3;
+ // The service account of the workload pod.
+ string service_account = 4;
+ // The UID of the workload pod.
+ string pod_uid = 5;
+ // The labels of the workload pod.
+ map labels = 6;
+}
+
+// Attributes sourced from the Unix workload attestor.
+message WorkloadAttrsUnix {
+ // Whether the workload passed Unix attestation.
+ bool attested = 1;
+ // The PID of the workload process.
+ int32 pid = 2;
+ // The primary user ID of the workload process.
+ uint32 gid = 3;
+ // The primary group ID of the workload process.
+ uint32 uid = 4;
+}
+
+// Attributes sourced from the Podman workload attestor.
+message WorkloadAttrsPodman {
+ // Whether the workload passed Podman attestation.
+ bool attested = 1;
+ // Attributes of the container.
+ WorkloadAttrsPodmanContainer container = 2;
+ // Attributes of the pod, if the container is in one.
+ optional WorkloadAttrsPodmanPod pod = 3;
+}
+
+// Attributes of the container sourced from the Podman workload attestation.
+message WorkloadAttrsPodmanContainer {
+ // The name of the container.
+ string name = 1;
+ // The image the container is running.
+ string image = 2;
+ // The labels attached to the container.
+ map labels = 3;
+}
+
+// Attributes of the pod sourced from the Podman workload attestation.
+message WorkloadAttrsPodmanPod {
+ // The name of the pod.
+ string name = 1;
+ // The labels attached to the pod.
+ map labels = 2;
+}
+
+// Attributes sourced from the Docker workload attestor.
+message WorkloadAttrsDocker {
+ // Whether the workload passed Docker attestation.
+ bool attested = 1;
+ // Attributes of the container.
+ WorkloadAttrsDockerContainer container = 2;
+}
+
+// Attributes of the container sourced from the Docker workload attestation.
+message WorkloadAttrsDockerContainer {
+ // The name of the container.
+ string name = 1;
+ // The image the container is running.
+ string image = 2;
+ // The labels attached to the container.
+ map labels = 3;
+}
+
+// Attributes sourced from the Systemd workload attestor.
+message WorkloadAttrsSystemd {
+ // Whether the workload passed Systemd attestation.
+ bool attested = 1;
+ // The systemd service name.
+ string service = 2;
+}
+
+// The attributes provided by `tbot` regarding the workload's attestation.
+// This will be mostly unset if the workload has not requested credentials via
+// the SPIFFE Workload API.
+message WorkloadAttrs {
+ // The Unix-specific attributes.
+ WorkloadAttrsUnix unix = 1;
+ // The Kubernetes-specific attributes.
+ WorkloadAttrsKubernetes kubernetes = 2;
+ // The Podman-specific attributes.
+ WorkloadAttrsPodman podman = 3;
+ // The Docker-specific attributes.
+ WorkloadAttrsDocker docker = 4;
+ // The Systemd-specific attributes.
+ WorkloadAttrsSystemd systemd = 5;
+}
+
+// Attributes related to the user/bot making the request for a workload
+// identity.
+message UserAttrs {
+ // The name of the user.
+ string name = 1;
+ // Whether the user is a bot.
+ bool is_bot = 2;
+ // If the user is a bot, the name of the bot.
+ string bot_name = 3;
+ // If the user is a bot, the instance ID of the bot.
+ string bot_instance_id = 4;
+ // Labels of the user.
+ map labels = 5;
+ // Traits of the user.
+ repeated teleport.trait.v1.Trait traits = 6;
+}
+
+// The attributes of a principal requesting a workload identity. These
+// attributes can be leveraged in rules, expressions and templating within the
+// WorkloadIdentity resource.
+message Attrs {
+ // Attributes sourced by workload attestation performed by `tbot`.
+ WorkloadAttrs workload = 1;
+ // Attributes sourced from the user/bot making the request for a workload
+ // identity credential.
+ UserAttrs user = 2;
+ // Attributes sourced from the join process that the Bot underwent. This will
+ // be unset if the principal making the request is not a Bot.
+ JoinAttrs join = 3;
+}
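Review bot: In `WorkloadAttrsUnix` the comments on `gid` and `uid` are swapped: `uint32 gid = 3;` is documented as `The primary user ID of the workload process.` and `uint32 uid = 4;` as `The primary group ID`. These attributes feed the rules and templates of WorkloadIdentity resources, so an author reading the generated docs could key an issuance rule on the wrong identifier; the fix is `// The primary group ID of the workload process.` above `gid` and `// The primary user ID of the workload process.` above `uid`. Nothing tells rule authors to check the `attested` boolean before trusting `namespace`, `service_account`, `image` and the other attestor fields, so a sentence on each `attested` field such as `// The remaining fields in this message are only meaningful when this is true.` would close that gap. The `labels` map fields appear here without key/value type parameters, presumably an extraction artifact.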
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/issuance_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/issuance_service.proto
new file mode 100644
index 0000000000000..161124a251e64
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/issuance_service.proto
@@ -0,0 +1,151 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.workloadidentity.v1;
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
+import "teleport/workloadidentity/v1/attrs.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1;workloadidentityv1";
+
+// WorkloadIdentityIssuanceService is the service that issues workload identity
+// credentials.
+service WorkloadIdentityIssuanceService {
+ // IssueWorkloadIdentity issues a workload identity credential for the named
+ // WorkloadIdentity resource. If it is unable to issue a credential,
+ // an error will be returned.
+ rpc IssueWorkloadIdentity(IssueWorkloadIdentityRequest) returns (IssueWorkloadIdentityResponse);
+ // IssueWorkloadIdentities can issue multiple workload identity credentials
+ // based on label selectors for the WorkloadIdentity resources.
+ rpc IssueWorkloadIdentities(IssueWorkloadIdentitiesRequest) returns (IssueWorkloadIdentitiesResponse);
+}
+
+// The parameters for issuing an X509 SVID.
+message X509SVIDParams {
+ // The PKIX, ASN.1 DER public key to encode into the X509 SVID.
+ bytes public_key = 1;
+}
+
+// The parameters for issuing a JWT SVID.
+message JWTSVIDParams {
+ // The audiences to encode into the JWT SVID as the `aud` claim.
+ repeated string audiences = 1;
+}
+
+// The issued X509 SVID credential and any X509 SVID specific metadata.
+message X509SVIDCredential {
+ // The X509 SVID that was issued.
+ // ASN.1 DER encoded X.509 certificate. No PEM.
+ bytes cert = 1;
+ // The serial number of the X509 SVID.
+ string serial_number = 2;
+}
+
+// The issued JWT SVID credential and any JWT SVID specific metadata.
+message JWTSVIDCredential {
+ // The signed JWT
+ string jwt = 1;
+ // The JTI of the JWT
+ string jti = 2;
+}
+
+// A credential, and its metadata, that has been issued by Teleport Workload
+// Identity.
+message Credential {
+ // The TTL that was chosen by the server.
+ google.protobuf.Duration ttl = 1;
+ // The time that the TTL is reached for this credential.
+ google.protobuf.Timestamp expires_at = 2;
+ // The hint configured for this Workload Identity - if any. This is provided
+ // to workloads using the SPIFFE Workload API to fetch credentials.
+ string hint = 3;
+ // The name of the Workload Identity resource used to issue this credential.
+ string workload_identity_name = 4;
+ // The revision of the Workload Identity resource used to issue this
+ // credential.
+ string workload_identity_revision = 5;
+ // The fully qualified SPIFFE ID that was encoded into the SVID.
+ string spiffe_id = 6;
+
+ oneof credential {
+ // The X509 SVID that was issued.
+ X509SVIDCredential x509_svid = 7;
+ // The JWT SVID that was issued.
+ JWTSVIDCredential jwt_svid = 8;
+ }
+}
+
+// The request for the IssueWorkloadIdentity RPC.
+message IssueWorkloadIdentityRequest {
+ // The name of the WorkloadIdentity resource to use for issuing the credential.
+ string name = 1;
+ // The parameters for issuing the credential, varying by credential type.
+ oneof credential {
+ // The parameters for issuing an X509 SVID.
+ X509SVIDParams x509_svid_params = 2;
+ // The parameters for issuing a JWT SVID.
+ JWTSVIDParams jwt_svid_params = 3;
+ }
+ // The workload attributes to encode into the credential.
+ WorkloadAttrs workload_attrs = 4;
+ // The TTL that the client is requesting for the resulting credentials.
+ // This may be adjusted by the server and therefore the client MUST check the
+ // returned TTL rather than assuming that the requested TTL was granted.
+ google.protobuf.Duration requested_ttl = 5;
+}
+
+// The response for the IssueWorkloadIdentity RPC.
+message IssueWorkloadIdentityResponse {
+ // The issued credential.
+ Credential credential = 1;
+}
+
+// A key-values pair for selecting WorkloadIdentity resources based on their
+// labels.
+message LabelSelector {
+ // The key to match.
+ // If this is wildcard, then a single value of wildcard must also be provided.
+ string key = 1;
+ // Any of the acceptable matching values.
+ repeated string values = 2;
+}
+
+// The request for the IssueWorkloadIdentities RPC.
+message IssueWorkloadIdentitiesRequest {
+ // The label selectors to use for selecting WorkloadIdentity resources.
+ // At least one selector must be provided.
+ repeated LabelSelector label_selectors = 1;
+ // The parameters for issuing the credentials, varying by credential type.
+ oneof credential {
+ // The parameters for issuing an X509 SVID.
+ X509SVIDParams x509_svid_params = 2;
+ // The parameters for issuing a JWT SVID.
+ JWTSVIDParams jwt_svid_params = 3;
+ }
+ // The workload attributes to encode into the credentials.
+ WorkloadAttrs workload_attrs = 4;
+ // The TTL that the client is requesting for the resulting credentials.
+ // This may be adjusted by the server and therefore the client MUST check the
+ // returned TTL rather than assuming that the requested TTL was granted.
+ google.protobuf.Duration requested_ttl = 5;
+}
+
+// The response for the IssueWorkloadIdentities RPC.
+message IssueWorkloadIdentitiesResponse {
+ // The issued credentials.
+ repeated Credential credentials = 1;
+}
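Review bot: `X509SVIDCredential.serial_number` is documented only as "The serial number of the X509 SVID" with no encoding, yet the revocation resource added later in this diff requires its name to be the base16, lower-case encoded serial of the revoked certificate; a client that wants to revoke a credential it was just issued has to guess whether this field is already in that form or must be converted. If the server does emit base16 lower case, say so: `// The serial number of the X509 SVID, base16 encoded in lower case (the` `// form used as the name of a WorkloadIdentityX509Revocation resource).` — otherwise document the encoding it does use. Similarly, `LabelSelector.key` says "If this is wildcard" without naming the wildcard literal; the comment should state the exact value that is treated as a wildcard. Since this file is a testdata copy for crdgen, the wording fix presumably belongs in the upstream proto as well.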
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/join_attrs.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/join_attrs.proto
new file mode 100644
index 0000000000000..369bb46dd0336
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/join_attrs.proto
@@ -0,0 +1,312 @@
+// Copyright 2025 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.workloadidentity.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1;workloadidentityv1";
+
+// The collection of attributes that result from the join process.
+message JoinAttrs {
+ // The collection of attributes that result from the join process but are not
+ // specific to any particular join method.
+ JoinAttrsMeta meta = 1;
+ // Attributes that are specific to the GitLab (`gitlab`) join method.
+ JoinAttrsGitLab gitlab = 2;
+ // Attributes that are specific to the GitHub (`github`) join method.
+ JoinAttrsGitHub github = 3;
+ // Attributes that are specific to the AWS IAM (`iam`) join method.
+ JoinAttrsAWSIAM iam = 4;
+ // Attributes that are specific to the TPM (`tpm`) join method.
+ JoinAttrsTPM tpm = 5;
+ // Attributes that are specific to the Azure (`azure`) join method.
+ JoinAttrsAzure azure = 6;
+ // Attributes that are specific to the CircleCI (`circleci`) join method.
+ JoinAttrsCircleCI circleci = 7;
+ // Attributes that are specific to the Bitbucket (`bitbucket`) join method.
+ JoinAttrsBitbucket bitbucket = 8;
+ // Attributes that are specific to the Terraform Cloud (`terraform_cloud`) join method.
+ JoinAttrsTerraformCloud terraform_cloud = 9;
+ // Attributes that are specific to the Spacelift (`spacelift`) join method.
+ JoinAttrsSpacelift spacelift = 10;
+ // Attributes that are specific to the GCP (`gcp`) join method.
+ JoinAttrsGCP gcp = 11;
+ // Attributes that are specific to the Kubernetes (`kubernetes`) join method.
+ JoinAttrsKubernetes kubernetes = 12;
+}
+
+// The collection of attributes that result from the join process but are not
+// specific to any particular join method.
+message JoinAttrsMeta {
+ // The name of the join token that was used to join.
+ //
+ // This field is omitted if the join token that was used to join was of the
+ // `token` method as in this case, the name of the join token is sensitive.
+ //
+ // Example: `my-gitlab-join-token`
+ string join_token_name = 1;
+ // The name of the join method that was used to join.
+ //
+ // Example: `gitlab`
+ string join_method = 2;
+}
+
+// Attributes that are specific to the GitLab join method.
+//
+// Typically, these are mapped directly from the claims of the GitLab JWT that
+// was used to join. You can view the documentation for those claims at:
+// https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload
+message JoinAttrsGitLab {
+ // The `sub` claim of the GitLab JWT that was used to join.
+ // For example: `project_path:mygroup/my-project:ref_type:branch:ref:main`
+ string sub = 1;
+ // The ref that the pipeline is running against.
+ // For example: `main`
+ string ref = 2;
+ // The type of ref that the pipeline is running against.
+ // This is typically `branch` or `tag`.
+ string ref_type = 3;
+ // Whether or not the ref that the pipeline is running against is protected.
+ bool ref_protected = 4;
+ // The path of the namespace of the project that the pipeline is running within.
+ // For example: `mygroup`
+ string namespace_path = 5;
+ // The full qualified path of the project that the pipeline is running within.
+ // This includes the namespace path.
+ // For example: `mygroup/my-project`
+ string project_path = 6;
+ // The name of the user that triggered the pipeline run.
+ string user_login = 7;
+ // The email of the user that triggered the pipeline run.
+ string user_email = 8;
+ // The ID of the pipeline.
+ string pipeline_id = 9;
+ // The source of the pipeline.
+ // For example: `push` or `web`
+ string pipeline_source = 10;
+ // The environment the pipeline is running against, if any.
+ string environment = 11;
+ // Whether or not the pipeline is running against a protected environment.
+ // If there is no configured environment, this field is false.
+ bool environment_protected = 12;
+ // The ID of the runner that this pipeline is running on.
+ int64 runner_id = 13;
+ // The type of runner that is processing the pipeline.
+ // Either `gitlab-hosted` or `self-hosted`.
+ string runner_environment = 14;
+ // The SHA of the commit that triggered the pipeline run.
+ string sha = 15;
+ // The ref URI of the CI config configuring the pipeline.
+ string ci_config_ref_uri = 16;
+ // The Git SHA of the CI config ref configuring the pipeline.
+ string ci_config_sha = 17;
+}
+
+// Attributes that are specific to the GitHub (`github`) join method.
+//
+// Typically, these are mapped directly from the claims of the GitHub JWT that
+// was used to join. You can view the documentation for those claims at:
+// https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
+message JoinAttrsGitHub {
+ // The `sub` claim of the GitHub JWT that was used to join.
+ string sub = 1;
+ // The username of the actor that initiated the workflow run.
+ string actor = 2;
+ // The name of the environment that the workflow is running against, if any.
+ string environment = 3;
+ // The ref that the workflow is running against.
+ string ref = 4;
+ // The type of ref that the workflow is running against.
+ // For example, `branch`.
+ string ref_type = 5;
+ // The name of the repository that the workflow is running within.
+ string repository = 6;
+ // The name of the owner of the repository that the workflow is running within.
+ string repository_owner = 7;
+ // The name of the workflow that is running.
+ string workflow = 8;
+ // The name of the event that triggered the workflow run.
+ string event_name = 9;
+ // The SHA of the commit that triggered the workflow run.
+ string sha = 10;
+ // The ID of this GitHub actions workflow run.
+ string run_id = 11;
+}
+
+// Attributes that are specific to the AWS IAM (`iam`) join method.
+//
+// Typically, these are mapped directly from the results of the
+// STS GetCallerIdentity call that is made as part of the join process.
+message JoinAttrsAWSIAM {
+ // The identifier of the account that the joining entity is a part of.
+ // For example: `123456789012`
+ string account = 1;
+ // The AWS ARN of the joining entity.
+ // For example: `arn:aws:sts::123456789012:assumed-role/my-role-name/my-role-session-name`
+ string arn = 2;
+}
+
+// Attributes that are specific to the TPM (`tpm`) join method.
+message JoinAttrsTPM {
+ // The SHA256 hash of the PKIX formatted EK public key, encoded in hex.
+ // This effectively identifies a specific TPM.
+ string ek_pub_hash = 1;
+ // The serial number of the EK certificate, if present.
+ string ek_cert_serial = 2;
+ // Whether or not the EK certificate was verified against a certificate
+ // authority.
+ bool ek_cert_verified = 3;
+}
+
+// Attributes that are specific to the Azure (`azure`) join method.
+message JoinAttrsAzure {
+ // The subscription ID of the Azure account that the joining entity is a part of.
+ string subscription = 1;
+ // The resource group of the Azure account that the joining entity is a part of.
+ string resource_group = 2;
+}
+
+// Attributes that are specific to the CircleCI (`circleci`) join method.
+// These are mapped from the claims of the JWT issued by CircleCI to runs,
+// which is documented at: https://circleci.com/docs/openid-connect-tokens/
+message JoinAttrsCircleCI {
+ // The `sub` claim of the CircleCI JWT that was used to join.
+ // For example: `org/ORGANIZATION_ID/project/PROJECT_ID/user/USER_ID`
+ string sub = 1;
+ // The UUIDs of the contexts used in the job.
+ repeated string context_ids = 2;
+ // The UUID of the project in which the job is running.
+ string project_id = 3;
+}
+
+// Attributes that are specific to the Bitbucket (`bitbucket`) join method.
+// These are mapped from the claims of the JWT issued by BitBucket to runs,
+// which is documented at: https://support.atlassian.com/bitbucket-cloud/docs/integrate-pipelines-with-resource-servers-using-oidc/
+message JoinAttrsBitbucket {
+ // The `sub` claim of the Bitbucket JWT that was used to join.
+ string sub = 1;
+ // The UUID of the pipeline step.
+ string step_uuid = 2;
+ // The UUID of the repository the pipeline step is running within.
+ string repository_uuid = 3;
+ // The UUID of the pipeline the step is running within.
+ string pipeline_uuid = 4;
+ // The UUID of the workspace the pipeline belongs to.
+ string workspace_uuid = 5;
+ // The UUID of the deployment environment the pipeline is running against.
+ string deployment_environment_uuid = 6;
+ // The name of the branch the pipeline is running against.
+ string branch_name = 7;
+}
+
+// Attributes that are specific to the Terraform Cloud (`terraform_cloud`) join method.
+// These are mapped from the claims of the JWT issued by Terraform Cloud to runs,
+// which is documented at: https://developer.hashicorp.com/terraform/enterprise/workspaces/dynamic-provider-credentials/workload-identity-tokens
+message JoinAttrsTerraformCloud {
+ // The `sub` claim of the Terraform Cloud JWT that was used to join.
+ string sub = 1;
+ // The name of the organization the project and workspace belong to.
+ string organization_name = 2;
+ // The name of the project the workspace belongs to.
+ string project_name = 3;
+ // The name of the workspace that the plan/apply is running within.
+ string workspace_name = 4;
+ // The fully qualified workspace path, including the organization and project
+ // name.
+ // For example: `organization::project::workspace:`
+ string full_workspace = 5;
+ // The ID of the run that is being executed.
+ string run_id = 6;
+ // The phase of the run that is being executed, either `plan` or `apply`.
+ string run_phase = 7;
+}
+
+// Attributes that are specific to the Spacelift (`spacelift`) join method.
+// These are mapped from the claims of the JWT issued by Spacelift to runs,
+// which is documented at: https://docs.spacelift.io/integrations/cloud-providers/oidc/#standard-claims
+message JoinAttrsSpacelift {
+ // The `sub` claim of the Spacelift JWT that was used to join.
+ string sub = 1;
+ // The ID of the space in which the run is executing.
+ string space_id = 2;
+ // The type of the caller that owns the run, either `stack` or `module`.
+ string caller_type = 3;
+ // The ID of the caller that generated the run.
+ string caller_id = 4;
+ // The type of the run, either `PROPOSED`, `TRACKED`, `TASK`, `TESTING` or `DESTROY`.
+ string run_type = 5;
+ // The ID of the run.
+ string run_id = 6;
+ // The configured scope of the token, either `read` or `write`.
+ string scope = 7;
+}
+
+// Attributes specific to the GCP join method when the joining entity is on a
+// GCE instance.
+message JoinAttrsGCPGCE {
+ // The name of the GCE instance that the joining entity is running on.
+ string name = 1;
+ // The zone of the GCE instance that the joining entity is running on.
+ string zone = 2;
+ // The ID of the GCE instance that the joining entity is running on.
+ string id = 3;
+ // The project ID of the GCP project that the instance is running within.
+ string project = 4;
+}
+
+// Attributes that are specific to the GCP (`gcp`) join method.
+// These are mapped from the claims of the JWT instance identity token, which
+// is documented at: https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload
+message JoinAttrsGCP {
+ // The service account email of the service account that the instance is running as.
+ string service_account = 1;
+ // Attributes specific to the GCP join method when the joining entity is on a
+ // GCE instance. This may not be present if the joining entity is not on
+ // GCE.
+ JoinAttrsGCPGCE gce = 2;
+}
+
+// Attributes that are specific to the Kubernetes (`kubernetes`) join method
+// when a pod-bound service account token is used.
+message JoinAttrsKubernetesPod {
+ // The name of the service account that the joining entity is running as.
+ string name = 1;
+}
+
+// Attributes that are specific to the Kubernetes (`kubernetes`) join method
+// when a service account token is used.
+message JoinAttrsKubernetesServiceAccount {
+ // The name of the service account that the joining entity is running as.
+ string name = 1;
+ // The namespace of the service account that the joining entity is running as.
+ string namespace = 2;
+}
+
+// Attributes that are specific to the Kubernetes (`kubernetes`) join method.
+message JoinAttrsKubernetes {
+ // The fully qualified identifier of the entity based on the Kubernetes
+ // token. For a service account, this takes the form of
+ // `system:serviceaccount::`.
+ string subject = 1;
+ // Attributes specific to the Kubernetes join method when the joining entity
+ // is a service account token. This will only be present if the joining entity
+ // is a service account (as opposed to a human user or similar).
+ JoinAttrsKubernetesServiceAccount service_account = 2;
+ // Attributes specific to the Kubernetes join method when the joining entity
+ // is a pod-bound service account token. This will only be present if the
+ // joining entity is a service account, and, the token has been bound to a
+ // pod.
+ JoinAttrsKubernetesPod pod = 3;
+}
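Review bot: `JoinAttrsGitHub` exposes only name-based identity for the repository (`repository`, `repository_owner`) and none of the stable numeric identifiers GitHub also places in the OIDC token (`repository_id`, `repository_owner_id`); rules written against the name fields can be satisfied by a repository that is renamed or re-created under the same name, which is why GitHub's own hardening guidance recommends matching on the ID claims. If those claims are available to the join process, consider adding them as new fields, e.g. `// The ID of the repository that the workflow is running within.` `string repository_id = 12;` `// The ID of the owner of the repository that the workflow is running within.` `string repository_owner_id = 13;`, and noting in the `repository`/`repository_owner` comments that these values are not stable across renames. As this is a testdata copy for crdgen, the change would need to land in the upstream proto first.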
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/resource.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/resource.proto
new file mode 100644
index 0000000000000..3068b26bc6aee
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/resource.proto
@@ -0,0 +1,170 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.workloadidentity.v1;
+
+import "google/protobuf/struct.proto";
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1;workloadidentityv1";
+
+// WorkloadIdentity represents a single, or group of similar, workload
+// identities and configures the structure of workload identity credentials and
+// authorization rules. is a resource that represents the configuration of a trust
+// domain federation.
+message WorkloadIdentity {
+ // The kind of resource represented.
+ string kind = 1;
+ // Differentiates variations of the same kind. All resources should
+ // contain one, even if it is never populated.
+ string sub_kind = 2;
+ // The version of the resource being represented.
+ string version = 3;
+ // Common metadata that all resources share.
+ teleport.header.v1.Metadata metadata = 4;
+ // The configured properties of the WorkloadIdentity
+ WorkloadIdentitySpec spec = 5;
+}
+
+// The attribute casted to a string must be equal to the value.
+message WorkloadIdentityConditionEq {
+ // The value to compare the attribute against.
+ string value = 1;
+}
+
+// The attribute casted to a string must not be equal to the value.
+message WorkloadIdentityConditionNotEq {
+ // The value to compare the attribute against.
+ string value = 1;
+}
+
+// The attribute casted to a string must be in the list of values.
+message WorkloadIdentityConditionIn {
+ // The list of values to compare the attribute against.
+ repeated string values = 1;
+}
+
+// The attribute casted to a string must not be in the list of values.
+message WorkloadIdentityConditionNotIn {
+ // The list of values to compare the attribute against.
+ repeated string values = 1;
+}
+
+// The individual conditions that make up a rule.
+message WorkloadIdentityCondition {
+ reserved 2;
+ reserved "equals";
+ // The name of the attribute to evaluate the condition against.
+ string attribute = 1;
+ oneof operator {
+ // The attribute casted to a string must be equal to the value.
+ WorkloadIdentityConditionEq eq = 3;
+ // The attribute casted to a string must not be equal to the value.
+ WorkloadIdentityConditionNotEq not_eq = 4;
+ // The attribute casted to a string must be in the list of values.
+ WorkloadIdentityConditionIn in = 5;
+ // The attribute casted to a string must not be in the list of values.
+ WorkloadIdentityConditionNotIn not_in = 6;
+ }
+}
+
+// An individual rule that is evaluated during the issuance of a WorkloadIdentity.
+message WorkloadIdentityRule {
+ // The conditions that must be met for this rule to be considered passed.
+ //
+ // Mutually exclusive with expression.
+ repeated WorkloadIdentityCondition conditions = 1;
+
+ // An expression written in Teleport's predicate language that must evaluate
+ // to true for this rule to be considered passed.
+ //
+ // Mutually exclusive with conditions.
+ string expression = 2;
+}
+
+// The rules which are evaluated before the WorkloadIdentity can be issued.
+message WorkloadIdentityRules {
+ // A list of rules used to determine if a WorkloadIdentity can be issued.
+ // If none are provided, it will be considered a pass. If any are provided,
+ // then at least one must pass for the rules to be considered passed.
+ repeated WorkloadIdentityRule allow = 1;
+}
+
+// Template for an X509 Distinguished Name (DN).
+// Each field is optional, and, if provided, supports templating using attributes.
+message X509DistinguishedNameTemplate {
+ // Common Name (CN) - 2.5.4.3
+ // If empty, the RDN will be omitted from the DN.
+ string common_name = 1;
+ // Organization (O) - 2.5.4.10
+ // If empty, the RDN will be omitted from the DN.
+ string organization = 2;
+ // Organizational Unit (OU) - 2.5.4.11
+ // If empty, the RDN will be omitted from the DN.
+ string organizational_unit = 3;
+}
+
+// Configuration specific to the issuance of X509-SVIDs.
+message WorkloadIdentitySPIFFEX509 {
+ // The DNS Subject Alternative Names (SANs) that should be included in an
+ // X509-SVID issued using this WorkloadIdentity.
+ //
+ // Each entry in this list supports templating using attributes.
+ repeated string dns_sans = 1;
+
+ // Used to configure the Subject Distinguished Name (DN) of the X509-SVID.
+ //
+ // In most circumstances, it is recommended to prefer relying on the SPIFFE ID
+ // encoded in the URI SAN. However, the Subject DN may be needed to support
+ // legacy systems designed for X509 and not SPIFFE/WIMSE.
+ //
+ // If not provided, the X509-SVID will be issued with an empty Subject DN.
+ X509DistinguishedNameTemplate subject_template = 2;
+}
+
+// Configuration specific to the issuance of JWT-SVIDs.
+message WorkloadIdentitySPIFFEJWT {
+ // Additional claims that will be added to the JWT.
+ google.protobuf.Struct extra_claims = 1;
+}
+
+// Configuration pertaining to the issuance of SPIFFE-compatible workload
+// identity credentials.
+message WorkloadIdentitySPIFFE {
+ // The path of the SPIFFE ID that will be issued to the workload.
+ //
+ // This should be prefixed with a forward-slash ("/").
+ //
+ // This field supports templating using attributes.
+ string id = 1;
+ // A freeform text field which is provided to workloads along with a
+ // credential produced by this WorkloadIdentity. This can be used to provide
+ // additional context that can be used to select between multiple credentials.
+ string hint = 2;
+ // Configuration specific to X509-SVIDs.
+ WorkloadIdentitySPIFFEX509 x509 = 3;
+ // Configuration specific to JWT-SVIDs.
+ WorkloadIdentitySPIFFEJWT jwt = 4;
+}
+
+// The spec for the WorkloadIdentity resource.
+message WorkloadIdentitySpec {
+ // The rules which are evaluated before the WorkloadIdentity can be issued.
+ WorkloadIdentityRules rules = 1;
+ // Configuration pertaining to the issuance of SPIFFE-compatible workload
+ // identity credentials.
+ WorkloadIdentitySPIFFE spiffe = 2;
+}
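Review bot: The leading comment on `WorkloadIdentity` ends with a dangling fragment — "authorization rules. is a resource that represents the configuration of a trust domain federation." — which reads like a leftover from another resource's doc and, because crdgen emits these comments into the CRD reference docs, will surface verbatim to users. Trim it to `// WorkloadIdentity represents a single, or group of similar, workload` `// identities and configures the structure of workload identity credentials and` `// authorization rules.`. A smaller style point: the `in` member of the `operator` oneof is a reserved word in several target languages and yields awkward generated accessors; renaming it now would change the JSON field name of a published API, so it is only worth noting for future schemas. The wording fix presumably belongs in the upstream proto as well as this testdata copy.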
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/resource_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/resource_service.proto
new file mode 100644
index 0000000000000..71d41996ec745
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/resource_service.proto
@@ -0,0 +1,95 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.workloadidentity.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/workloadidentity/v1/resource.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1;workloadidentityv1";
+
+// WorkloadIdentityResourceService provides methods to manage the
+// WorkloadIdentity resource.
+service WorkloadIdentityResourceService {
+ // CreateWorkloadIdentity creates a new workload identity, it will refuse to
+ // create a workload identity if one already exists with the same name.
+ rpc CreateWorkloadIdentity(CreateWorkloadIdentityRequest) returns (WorkloadIdentity);
+ // UpdateWorkloadIdentity updates an existing workload identity, it will refuse
+ // to update a workload identity if one does not already exist with the same name.
+ //
+ // ConditionalUpdate semantics are applied, e.g, the update will only succeed
+ // if the revision of the provided WorkloadIdentity matches the revision of
+ // the existing WorkloadIdentity.
+ rpc UpdateWorkloadIdentity(UpdateWorkloadIdentityRequest) returns (WorkloadIdentity);
+ // UpsertWorkloadIdentity creates or updates a workload identity. You should
+ // prefer to call Create or Update.
+ rpc UpsertWorkloadIdentity(UpsertWorkloadIdentityRequest) returns (WorkloadIdentity);
+ // GetWorkloadIdentity retrieves a workload identity by name.
+ rpc GetWorkloadIdentity(GetWorkloadIdentityRequest) returns (WorkloadIdentity);
+ // DeleteWorkloadIdentity deletes a workload identity by name.
+ rpc DeleteWorkloadIdentity(DeleteWorkloadIdentityRequest) returns (google.protobuf.Empty);
+ // ListWorkloadIdentities of all workload identities, pagination semantics are
+ // applied.
+ rpc ListWorkloadIdentities(ListWorkloadIdentitiesRequest) returns (ListWorkloadIdentitiesResponse);
+}
+
+// The request for CreateWorkloadIdentity.
+message CreateWorkloadIdentityRequest {
+ // The workload identity to create.
+ WorkloadIdentity workload_identity = 1;
+}
+
+// The request for UpdateWorkloadIdentity.
+message UpdateWorkloadIdentityRequest {
+ // The workload identity to update.
+ WorkloadIdentity workload_identity = 1;
+}
+
+// The request for UpsertWorkloadIdentityRequest.
+message UpsertWorkloadIdentityRequest {
+ // The workload identity to upsert.
+ WorkloadIdentity workload_identity = 1;
+}
+
+// The request for GetWorkloadIdentity.
+message GetWorkloadIdentityRequest {
+ // The name of the workload identity to retrieve.
+ string name = 1;
+}
+
+// The request for DeleteWorkloadIdentity.
+message DeleteWorkloadIdentityRequest {
+ // The name of the workload identity to delete.
+ string name = 1;
+}
+
+// The request for ListWorkloadIdentities.
+message ListWorkloadIdentitiesRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+ // The page_token value returned from a previous ListWorkloadIdentities request, if any.
+ string page_token = 2;
+}
+
+// The response for ListWorkloadIdentities.
+message ListWorkloadIdentitiesResponse {
+ // The page of workload identities that matched the request.
+ repeated WorkloadIdentity workload_identities = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
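Review bot: The comment on `UpsertWorkloadIdentityRequest` reads "The request for UpsertWorkloadIdentityRequest." while every sibling names the RPC, and the `ListWorkloadIdentities` RPC comment "ListWorkloadIdentities of all workload identities, pagination semantics are applied." is missing its verb; both are copied into generated docs. Suggested wording: `// The request for UpsertWorkloadIdentity.` and `// ListWorkloadIdentities lists all workload identities, pagination semantics` `// are applied.`. Separately, `DeleteWorkloadIdentity` returns `google.protobuf.Empty` rather than a dedicated `DeleteWorkloadIdentityResponse`, which leaves no room to add response fields later; since this mirrors an already-published API, changing the return type would be a signature break, so this is a note for new services rather than a change request here.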
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/revocation_resource.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/revocation_resource.proto
new file mode 100644
index 0000000000000..46b9897337907
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/revocation_resource.proto
@@ -0,0 +1,54 @@
+// Copyright 2025 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.workloadidentity.v1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1;workloadidentityv1";
+
+// WorkloadIdentityX509Revocation represents the revocation of a single X509
+// workload identity credential. Creating or deleting these resources triggers
+// the regeneration of the trust domain CRL.
+//
+// The name of a WorkloadIdentityX509Revocation must be the base16, lower case,
+// encoded serial number of the revoked X509 certificate. Therefore, only a
+// single revocation entry can exist for a given certificate.
+message WorkloadIdentityX509Revocation {
+ // The kind of resource represented. For WorkloadIdentityX509Revocation
+ // resources, this is always `workload_identity_x509_revocation`.
+ string kind = 1;
+ // Differentiates variations of the same kind. All resources should
+ // contain one, even if it is never populated.
+ string sub_kind = 2;
+ // The version of the resource being represented.
+ string version = 3;
+ // Common metadata that all resources share.
+ teleport.header.v1.Metadata metadata = 4;
+ // The configured properties of the WorkloadIdentityX509Revocation
+ WorkloadIdentityX509RevocationSpec spec = 5;
+}
+
+// Configuration specific to WorkloadIdentityX509Revocation.
+message WorkloadIdentityX509RevocationSpec {
+ // Describes why this revocation entry was created.
+ // Required.
+ string reason = 1;
+ // The time at which the revocation entry was created.
+ // Required.
+ google.protobuf.Timestamp revoked_at = 2;
+}
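Review bot: The naming rule in the WorkloadIdentityX509Revocation comment ("base16, lower case, encoded serial number") does not pin a canonical form — whether leading zeros are stripped, and how a serial whose DER integer encoding carries a leading 0x00 sign byte is represented — so two writers could derive different names for the same certificate, and the stated guarantee that "only a single revocation entry can exist for a given certificate" would then rest on an undocumented normalization. If the server-side validation encodes the big-endian magnitude with no leading zero bytes, I would say so in the message comment, e.g. `// The serial is the big-endian magnitude of the certificate serial number, hex-encoded with no leading zero bytes and no sign byte (e.g. "0a1b2c").`; the exact form has to come from the validation code, which is not in this hunk. The spec also carries nothing tying the entry to the certificate's NotAfter, so it is worth documenting on WorkloadIdentityX509RevocationSpec whether entries are expected to be expired out (e.g. via the common metadata expiry, if the server honours it for this resource) or whether the CRL grows until entries are deleted by hand. Since this is a testdata copy under crdgen, any wording change belongs in the canonical API proto as well.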
diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/revocation_service.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/revocation_service.proto
new file mode 100644
index 0000000000000..6a5a3cef2ce8f
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/protofiles/teleport/workloadidentity/v1/revocation_service.proto
@@ -0,0 +1,124 @@
+// Copyright 2025 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.workloadidentity.v1;
+
+import "google/protobuf/empty.proto";
+import "teleport/workloadidentity/v1/revocation_resource.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1;workloadidentityv1";
+
+// WorkloadIdentityRevocationService provides methods to manage the
+// revocation of issued workload identity credentials.
+//
+// The revocation of X509 credentials produces a RFC 5280 Certificate Revocation
+// List (CRL), which is signed by the SPIFFE CA and can be streamed by clients
+// using the StreamSignedCRL method.
+service WorkloadIdentityRevocationService {
+ // CreateWorkloadIdentityX509Revocation creates a new revocation for an X509
+ // workload identity credential. It will refuse to revoke a credential which
+ // has already been revoked.
+ rpc CreateWorkloadIdentityX509Revocation(CreateWorkloadIdentityX509RevocationRequest) returns (WorkloadIdentityX509Revocation);
+ // UpsertWorkloadIdentityX509Revocation creates or updates an X509 workload
+ // identity revocation.
+ // You should prefer to call Create or Update.
+ rpc UpsertWorkloadIdentityX509Revocation(UpsertWorkloadIdentityX509RevocationRequest) returns (WorkloadIdentityX509Revocation);
+ // UpdateWorkloadIdentityX509Revocation updates an existing X509 workload
+ // identity revocation, it will refuse to update a workload identity
+ // revocation if one does not already exist with the same name.
+ //
+ // ConditionalUpdate semantics are applied, e.g, the update will only succeed
+ // if the revision of the provided WorkloadIdentityX509Revocation matches the
+ // revision of the existing WorkloadIdentity.
+ rpc UpdateWorkloadIdentityX509Revocation(UpdateWorkloadIdentityX509RevocationRequest) returns (WorkloadIdentityX509Revocation);
+ // GetWorkloadIdentityX509Revocation retrieves a X509 workload identity
+ // revocation by name.
+ rpc GetWorkloadIdentityX509Revocation(GetWorkloadIdentityX509RevocationRequest) returns (WorkloadIdentityX509Revocation);
+ // DeleteWorkloadIdentityX509Revocation deletes a X509 workload identity
+ // revocation by name.
+ rpc DeleteWorkloadIdentityX509Revocation(DeleteWorkloadIdentityX509RevocationRequest) returns (google.protobuf.Empty);
+ // ListWorkloadIdentityX509Revocations returns a list of X509 workload
+ // identity revocations, pagination semantics are applied.
+ rpc ListWorkloadIdentityX509Revocations(ListWorkloadIdentityX509RevocationsRequest) returns (ListWorkloadIdentityX509RevocationsResponse);
+ // StreamSignedCRL returns the current signed Certificate Revocation List
+ // (CRL) for the cluster to the client. If any new revocations are added or
+ // any existing revocations are updated, for as long as the client is
+ // connected, the server will send them the full updated signed CRL.
+ rpc StreamSignedCRL(StreamSignedCRLRequest) returns (stream StreamSignedCRLResponse);
+}
+
+// The request for CreateWorkloadIdentityX509Revocation.
+message CreateWorkloadIdentityX509RevocationRequest {
+ // The X509 workload identity revocation to create.
+ WorkloadIdentityX509Revocation workload_identity_x509_revocation = 1;
+}
+
+// The request for UpdateWorkloadIdentityX509Revocation.
+message UpdateWorkloadIdentityX509RevocationRequest {
+ // The X509 workload identity revocation to update.
+ WorkloadIdentityX509Revocation workload_identity_x509_revocation = 1;
+}
+
+// The request for UpsertWorkloadIdentityX509Revocation.
+message UpsertWorkloadIdentityX509RevocationRequest {
+ // The X509 workload identity revocation to upsert.
+ WorkloadIdentityX509Revocation workload_identity_x509_revocation = 1;
+}
+
+// The request for GetWorkloadIdentityX509Revocation.
+message GetWorkloadIdentityX509RevocationRequest {
+ // The name of the X509 workload identity revocation to retrieve.
+ string name = 1;
+}
+
+// The request for DeleteWorkloadIdentityX509Revocation.
+message DeleteWorkloadIdentityX509RevocationRequest {
+ // The name of the workload identity to delete.
+ string name = 1;
+}
+
+// The request for ListWorkloadIdentityX509Revocations.
+message ListWorkloadIdentityX509RevocationsRequest {
+ // The maximum number of items to return.
+ // The server may impose a different page size at its discretion.
+ int32 page_size = 1;
+ // The page_token value returned from a previous ListWorkloadIdentities request, if any.
+ string page_token = 2;
+}
+
+// The response for ListWorkloadIdentityX509Revocations.
+message ListWorkloadIdentityX509RevocationsResponse {
+ // The page of workload identities that matched the request.
+ repeated WorkloadIdentityX509Revocation workload_identity_x509_revocations = 1;
+ // Token to retrieve the next page of results, or empty if there are no
+ // more results in the list.
+ string next_page_token = 2;
+}
+
+// The request for StreamSignedCRL.
+message StreamSignedCRLRequest {}
+
+// The response for StreamSignedCRL.
+message StreamSignedCRLResponse {
+ // The signed Certificate Revocation List (CRL).
+ //
+ // The syntax of the CRL is defined at https://www.rfc-editor.org/rfc/rfc5280.html#section-5
+ // This field is encoded in DER ASN.1 without any PEM wrapping.
+ //
+ // When a new signed CRL is available, the full new CRL will be sent to the
+ // client again using this field.
+ bytes crl = 1;
+}
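Review bot: Several comments were carried over from the WorkloadIdentity service and still name the wrong resource: DeleteWorkloadIdentityX509RevocationRequest.name reads `The name of the workload identity to delete.`, ListWorkloadIdentityX509RevocationsRequest.page_token refers to `a previous ListWorkloadIdentities request`, the List response's repeated field is described as `The page of workload identities`, and the UpdateWorkloadIdentityX509Revocation comment says the revision must match `the existing WorkloadIdentity` — each should name the X509 workload identity revocation resource and the ListWorkloadIdentityX509Revocations method respectively. If these comments feed generated descriptions, as the crdgen testdata path suggests, the mismatch will surface to users. On StreamSignedCRLResponse.crl, the comment states the encoding (DER, per RFC 5280) and that the full CRL is resent on each change, but not what a consumer must do with it; I would add `// Clients must verify the CRL signature against the trust domain's CA before applying it, and replace (not merge with) any previously received CRL.` — the replace half follows from the resend semantics already documented, the verification half is the RFC 5280 expectation for a signed artifact and is worth stating explicitly. Whether the server bounds the size of a single CRL message is not visible here; it is worth a comment if the stream can carry large CRLs, since default protobuf message limits apply.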
diff --git a/integrations/operator/hack/fixture-operator-role.yaml b/integrations/operator/hack/fixture-operator-role.yaml
index ac6e88a6dfbd1..8666e7cc14a83 100644
--- a/integrations/operator/hack/fixture-operator-role.yaml
+++ b/integrations/operator/hack/fixture-operator-role.yaml
@@ -81,5 +81,13 @@ spec:
- read
- update
- delete
+ - resources:
+ - bot
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
deny: {}
version: v7
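Review bot: The new rule gives the operator the full verb set on `bot`, and since a bot's spec carries the roles it may assume, this amounts to delegating identity provisioning to the operator, so the fixture should be no broader than what the bot reconciler actually needs. The enclosing `allow.rules` list starts outside the hunk, so I cannot see whether the five verbs mirror the neighbouring resource entries or the operator role this fixture is meant to stand in for — confirm they match, and drop any verb the reconciler does not exercise.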