diff --git a/docs/pages/reference/operator-resources/resources-teleport-dev-appsv3.mdx b/docs/pages/reference/operator-resources/resources-teleport-dev-appsv3.mdx index c49e726ab3f96..a3d3402959e21 100644 --- a/docs/pages/reference/operator-resources/resources-teleport-dev-appsv3.mdx +++ b/docs/pages/reference/operator-resources/resources-teleport-dev-appsv3.mdx @@ -2,6 +2,9 @@ title: TeleportAppV3 description: Provides a comprehensive list of fields in the TeleportAppV3 resource available through the Teleport Kubernetes operator tocDepth: 3 +labels: + - reference + - platform-wide --- {/*Auto-generated file. Do not edit.*/} diff --git a/docs/pages/reference/operator-resources/resources-teleport-dev-databasesv3.mdx b/docs/pages/reference/operator-resources/resources-teleport-dev-databasesv3.mdx new file mode 100644 index 0000000000000..ec92a412c19af --- /dev/null +++ b/docs/pages/reference/operator-resources/resources-teleport-dev-databasesv3.mdx 
@@ -0,0 +1,231 @@ +--- +title: TeleportDatabaseV3 +description: Provides a comprehensive list of fields in the TeleportDatabaseV3 resource available through the Teleport Kubernetes operator +tocDepth: 3 +labels: + - reference + - platform-wide +--- + +{/*Auto-generated file. Do not edit.*/} +{/*To regenerate, navigate to integrations/operator and run "make crd-docs".*/} + +This guide is a comprehensive reference to the fields in the `TeleportDatabaseV3` +resource, which you can apply after installing the Teleport Kubernetes operator. + + +## resources.teleport.dev/v1 + +**apiVersion:** resources.teleport.dev/v1 + +|Field|Type|Description| +|---|---|---| +|apiVersion|string|APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources| +|kind|string|Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds| +|metadata|object|| +|spec|[object](#spec)|Database resource definition v3 from Teleport| + +### spec + +|Field|Type|Description| +|---|---|---| +|ad|[object](#specad)|AD is the Active Directory configuration for the database.| +|admin_user|[object](#specadmin_user)|AdminUser is the database admin user for automatic user provisioning.| +|aws|[object](#specaws)|AWS contains AWS specific settings for RDS/Aurora/Redshift databases.| +|azure|[object](#specazure)|Azure contains Azure specific database metadata.| +|ca_cert|string|CACert is the PEM-encoded database CA certificate. DEPRECATED: Moved to TLS.CACert. 
DELETE IN 10.0.| +|dynamic_labels|[object](#specdynamic_labels)|DynamicLabels is the database dynamic labels.| +|gcp|[object](#specgcp)|GCP contains parameters specific to GCP Cloud SQL databases.| +|mongo_atlas|[object](#specmongo_atlas)|MongoAtlas contains Atlas metadata about the database.| +|mysql|[object](#specmysql)|MySQL is an additional section with MySQL database options.| +|oracle|[object](#specoracle)|Oracle is an additional Oracle configuration options.| +|protocol|string|Protocol is the database protocol: postgres, mysql, mongodb, etc.| +|tls|[object](#spectls)|TLS is the TLS configuration used when establishing connection to target database. Allows to provide custom CA cert or override server name.| +|uri|string|URI is the database connection endpoint.| + +### spec.ad + +|Field|Type|Description| +|---|---|---| +|domain|string|Domain is the Active Directory domain the database resides in.| +|kdc_host_name|string|KDCHostName is the host name for a KDC for x509 Authentication.| +|keytab_file|string|KeytabFile is the path to the Kerberos keytab file.| +|krb5_file|string|Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.| +|ldap_cert|string|LDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication.| +|ldap_service_account_name|string|LDAPServiceAccountName is the name of service account for performing LDAP queries. Required for x509 Auth / PKINIT.| +|ldap_service_account_sid|string|LDAPServiceAccountSID is the SID of service account for performing LDAP queries. Required for x509 Auth / PKINIT.| +|spn|string|SPN is the service principal name for the database.| + +### spec.admin_user + +|Field|Type|Description| +|---|---|---| +|default_database|string|DefaultDatabase is the database that the privileged database user logs into by default. 
Depending on the database type, this database may be used to store procedures or data for managing database users.| +|name|string|Name is the username of the privileged database user.| + +### spec.aws + +|Field|Type|Description| +|---|---|---| +|account_id|string|AccountID is the AWS account ID this database belongs to.| +|assume_role_arn|string|AssumeRoleARN is an optional AWS role ARN to assume when accessing a database. Set this field and ExternalID to enable access across AWS accounts.| +|docdb|[object](#specawsdocdb)|DocumentDB contains Amazon DocumentDB-specific metadata.| +|elasticache|[object](#specawselasticache)|ElastiCache contains Amazon ElastiCache Redis-specific metadata.| +|external_id|string|ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts.| +|iam_policy_status|string or integer|IAMPolicyStatus indicates whether the IAM Policy is configured properly for database access. If not, the user must update the AWS profile identity to allow access to the Database. Eg for an RDS Database: the underlying AWS profile allows for `rds-db:connect` for the Database. 
Can be either the string or the integer representation of each option.| +|memorydb|[object](#specawsmemorydb)|MemoryDB contains AWS MemoryDB specific metadata.| +|opensearch|[object](#specawsopensearch)|OpenSearch contains AWS OpenSearch specific metadata.| +|rds|[object](#specawsrds)|RDS contains RDS specific metadata.| +|rdsproxy|[object](#specawsrdsproxy)|RDSProxy contains AWS Proxy specific metadata.| +|redshift|[object](#specawsredshift)|Redshift contains Redshift specific metadata.| +|redshift_serverless|[object](#specawsredshift_serverless)|RedshiftServerless contains Amazon Redshift Serverless-specific metadata.| +|region|string|Region is a AWS cloud region.| +|secret_store|[object](#specawssecret_store)|SecretStore contains secret store configurations.| +|session_tags|[object](#specawssession_tags)|SessionTags is a list of AWS STS session tags.| + +### spec.aws.docdb + +|Field|Type|Description| +|---|---|---| +|cluster_id|string|ClusterID is the cluster identifier.| +|endpoint_type|string|EndpointType is the type of the endpoint.| +|instance_id|string|InstanceID is the instance identifier.| + +### spec.aws.elasticache + +|Field|Type|Description| +|---|---|---| +|endpoint_type|string|EndpointType is the type of the endpoint.| +|replication_group_id|string|ReplicationGroupID is the Redis replication group ID.| +|transit_encryption_enabled|boolean|TransitEncryptionEnabled indicates whether in-transit encryption (TLS) is enabled.| +|user_group_ids|[]string|UserGroupIDs is a list of user group IDs.| + +### spec.aws.memorydb + +|Field|Type|Description| +|---|---|---| +|acl_name|string|ACLName is the name of the ACL associated with the cluster.| +|cluster_name|string|ClusterName is the name of the MemoryDB cluster.| +|endpoint_type|string|EndpointType is the type of the endpoint.| +|tls_enabled|boolean|TLSEnabled indicates whether in-transit encryption (TLS) is enabled.| + +### spec.aws.opensearch + +|Field|Type|Description| +|---|---|---| 
+|domain_id|string|DomainID is the ID of the domain.| +|domain_name|string|DomainName is the name of the domain.| +|endpoint_type|string|EndpointType is the type of the endpoint.| + +### spec.aws.rds + +|Field|Type|Description| +|---|---|---| +|cluster_id|string|ClusterID is the RDS cluster (Aurora) identifier.| +|iam_auth|boolean|IAMAuth indicates whether database IAM authentication is enabled.| +|instance_id|string|InstanceID is the RDS instance identifier.| +|resource_id|string|ResourceID is the RDS instance resource identifier (db-xxx).| +|security_groups|[]string|SecurityGroups is a list of attached security groups for the RDS instance.| +|subnets|[]string|Subnets is a list of subnets for the RDS instance.| +|vpc_id|string|VPCID is the VPC where the RDS is running.| + +### spec.aws.rdsproxy + +|Field|Type|Description| +|---|---|---| +|custom_endpoint_name|string|CustomEndpointName is the identifier of an RDS Proxy custom endpoint.| +|name|string|Name is the identifier of an RDS Proxy.| +|resource_id|string|ResourceID is the RDS instance resource identifier (prx-xxx).| + +### spec.aws.redshift + +|Field|Type|Description| +|---|---|---| +|cluster_id|string|ClusterID is the Redshift cluster identifier.| + +### spec.aws.redshift_serverless + +|Field|Type|Description| +|---|---|---| +|endpoint_name|string|EndpointName is the VPC endpoint name.| +|workgroup_id|string|WorkgroupID is the workgroup ID.| +|workgroup_name|string|WorkgroupName is the workgroup name.| + +### spec.aws.secret_store + +|Field|Type|Description| +|---|---|---| +|key_prefix|string|KeyPrefix specifies the secret key prefix.| +|kms_key_id|string|KMSKeyID specifies the AWS KMS key for encryption.| + +### spec.aws.session_tags + +|Field|Type|Description| +|---|---|---| +|key|string|| +|value|string|| + +### spec.azure + +|Field|Type|Description| +|---|---|---| +|is_flexi_server|boolean|IsFlexiServer is true if the database is an Azure Flexible server.| +|name|string|Name is the Azure database server 
name.| +|redis|[object](#specazureredis)|Redis contains Azure Cache for Redis specific database metadata.| +|resource_id|string|ResourceID is the Azure fully qualified ID for the resource.| + +### spec.azure.redis + +|Field|Type|Description| +|---|---|---| +|clustering_policy|string|ClusteringPolicy is the clustering policy for Redis Enterprise.| + +### spec.dynamic_labels + +|Field|Type|Description| +|---|---|---| +|key|string|| +|value|[object](#specdynamic_labelsvalue)|| + +### spec.dynamic_labels.value + +|Field|Type|Description| +|---|---|---| +|command|[]string|Command is a command to run| +|period|string|Period is a time between command runs| +|result|string|Result captures standard output| + +### spec.gcp + +|Field|Type|Description| +|---|---|---| +|instance_id|string|InstanceID is the Cloud SQL instance ID.| +|project_id|string|ProjectID is the GCP project ID the Cloud SQL instance resides in.| + +### spec.mongo_atlas + +|Field|Type|Description| +|---|---|---| +|name|string|Name is the Atlas database instance name.| + +### spec.mysql + +|Field|Type|Description| +|---|---|---| +|server_version|string|ServerVersion is the server version reported by DB proxy if the runtime information is not available.| + +### spec.oracle + +|Field|Type|Description| +|---|---|---| +|audit_user|string|AuditUser is the Oracle database user privilege to access internal Oracle audit trail.| + +### spec.tls + +|Field|Type|Description| +|---|---|---| +|ca_cert|string|CACert is an optional user provided CA certificate used for verifying database TLS connection.| +|mode|string or integer|Mode is a TLS connection mode. 0 is "verify-full"; 1 is "verify-ca", 2 is "insecure". Can be either the string or the integer representation of each option.| +|server_name|string|ServerName allows to provide custom hostname. 
This value will override the servername/hostname on a certificate during validation.| +|trust_system_cert_pool|boolean|TrustSystemCertPool allows Teleport to trust certificate authorities available on the host system. If not set (by default), Teleport only trusts self-signed databases with TLS certificates signed by Teleport's Database Server CA or the ca_cert specified in this TLS setting. For cloud-hosted databases, Teleport downloads the corresponding required CAs for validation.| + diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_databasesv3.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_databasesv3.yaml new file mode 100644 index 0000000000000..c0ccd5205ab2e --- /dev/null +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_databasesv3.yaml 
@@ -0,0 +1,464 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportdatabasesv3.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportDatabaseV3 + listKind: TeleportDatabaseV3List + plural: teleportdatabasesv3 + shortNames: + - databasev3 + - databasesv3 + singular: teleportdatabasev3 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DatabaseV3 is the Schema for the databasesv3 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Database resource definition v3 from Teleport + properties: + ad: + description: AD is the Active Directory configuration for the database. + properties: + domain: + description: Domain is the Active Directory domain the database + resides in. + type: string + kdc_host_name: + description: KDCHostName is the host name for a KDC for x509 Authentication. + type: string + keytab_file: + description: KeytabFile is the path to the Kerberos keytab file. + type: string + krb5_file: + description: Krb5File is the path to the Kerberos configuration + file. Defaults to /etc/krb5.conf. + type: string + ldap_cert: + description: LDAPCert is a certificate from Windows LDAP/AD, optional; + only for x509 Authentication. 
+ type: string + ldap_service_account_name: + description: LDAPServiceAccountName is the name of service account + for performing LDAP queries. Required for x509 Auth / PKINIT. + type: string + ldap_service_account_sid: + description: LDAPServiceAccountSID is the SID of service account + for performing LDAP queries. Required for x509 Auth / PKINIT. + type: string + spn: + description: SPN is the service principal name for the database. + type: string + type: object + admin_user: + description: AdminUser is the database admin user for automatic user + provisioning. + nullable: true + properties: + default_database: + description: DefaultDatabase is the database that the privileged + database user logs into by default. Depending on the database + type, this database may be used to store procedures or data + for managing database users. + type: string + name: + description: Name is the username of the privileged database user. + type: string + type: object + aws: + description: AWS contains AWS specific settings for RDS/Aurora/Redshift + databases. + properties: + account_id: + description: AccountID is the AWS account ID this database belongs + to. + type: string + assume_role_arn: + description: AssumeRoleARN is an optional AWS role ARN to assume + when accessing a database. Set this field and ExternalID to + enable access across AWS accounts. + type: string + docdb: + description: DocumentDB contains Amazon DocumentDB-specific metadata. + properties: + cluster_id: + description: ClusterID is the cluster identifier. + type: string + endpoint_type: + description: EndpointType is the type of the endpoint. + type: string + instance_id: + description: InstanceID is the instance identifier. + type: string + type: object + elasticache: + description: ElastiCache contains Amazon ElastiCache Redis-specific + metadata. + properties: + endpoint_type: + description: EndpointType is the type of the endpoint. 
+ type: string + replication_group_id: + description: ReplicationGroupID is the Redis replication group + ID. + type: string + transit_encryption_enabled: + description: TransitEncryptionEnabled indicates whether in-transit + encryption (TLS) is enabled. + type: boolean + user_group_ids: + description: UserGroupIDs is a list of user group IDs. + items: + type: string + nullable: true + type: array + type: object + external_id: + description: ExternalID is an optional AWS external ID used to + enable assuming an AWS role across accounts. + type: string + iam_policy_status: + description: 'IAMPolicyStatus indicates whether the IAM Policy + is configured properly for database access. If not, the user + must update the AWS profile identity to allow access to the + Database. Eg for an RDS Database: the underlying AWS profile + allows for `rds-db:connect` for the Database.' + x-kubernetes-int-or-string: true + memorydb: + description: MemoryDB contains AWS MemoryDB specific metadata. + properties: + acl_name: + description: ACLName is the name of the ACL associated with + the cluster. + type: string + cluster_name: + description: ClusterName is the name of the MemoryDB cluster. + type: string + endpoint_type: + description: EndpointType is the type of the endpoint. + type: string + tls_enabled: + description: TLSEnabled indicates whether in-transit encryption + (TLS) is enabled. + type: boolean + type: object + opensearch: + description: OpenSearch contains AWS OpenSearch specific metadata. + properties: + domain_id: + description: DomainID is the ID of the domain. + type: string + domain_name: + description: DomainName is the name of the domain. + type: string + endpoint_type: + description: EndpointType is the type of the endpoint. + type: string + type: object + rds: + description: RDS contains RDS specific metadata. + properties: + cluster_id: + description: ClusterID is the RDS cluster (Aurora) identifier. 
+ type: string + iam_auth: + description: IAMAuth indicates whether database IAM authentication + is enabled. + type: boolean + instance_id: + description: InstanceID is the RDS instance identifier. + type: string + resource_id: + description: ResourceID is the RDS instance resource identifier + (db-xxx). + type: string + security_groups: + description: SecurityGroups is a list of attached security + groups for the RDS instance. + items: + type: string + nullable: true + type: array + subnets: + description: Subnets is a list of subnets for the RDS instance. + items: + type: string + nullable: true + type: array + vpc_id: + description: VPCID is the VPC where the RDS is running. + type: string + type: object + rdsproxy: + description: RDSProxy contains AWS Proxy specific metadata. + properties: + custom_endpoint_name: + description: CustomEndpointName is the identifier of an RDS + Proxy custom endpoint. + type: string + name: + description: Name is the identifier of an RDS Proxy. + type: string + resource_id: + description: ResourceID is the RDS instance resource identifier + (prx-xxx). + type: string + type: object + redshift: + description: Redshift contains Redshift specific metadata. + properties: + cluster_id: + description: ClusterID is the Redshift cluster identifier. + type: string + type: object + redshift_serverless: + description: RedshiftServerless contains Amazon Redshift Serverless-specific + metadata. + properties: + endpoint_name: + description: EndpointName is the VPC endpoint name. + type: string + workgroup_id: + description: WorkgroupID is the workgroup ID. + type: string + workgroup_name: + description: WorkgroupName is the workgroup name. + type: string + type: object + region: + description: Region is a AWS cloud region. + type: string + secret_store: + description: SecretStore contains secret store configurations. + properties: + key_prefix: + description: KeyPrefix specifies the secret key prefix. 
+ type: string + kms_key_id: + description: KMSKeyID specifies the AWS KMS key for encryption. + type: string + type: object + session_tags: + description: SessionTags is a list of AWS STS session tags. + nullable: true + properties: + key: + type: string + value: + type: string + type: object + type: object + azure: + description: Azure contains Azure specific database metadata. + properties: + is_flexi_server: + description: IsFlexiServer is true if the database is an Azure + Flexible server. + type: boolean + name: + description: Name is the Azure database server name. + type: string + redis: + description: Redis contains Azure Cache for Redis specific database + metadata. + properties: + clustering_policy: + description: ClusteringPolicy is the clustering policy for + Redis Enterprise. + type: string + type: object + resource_id: + description: ResourceID is the Azure fully qualified ID for the + resource. + type: string + type: object + ca_cert: + description: 'CACert is the PEM-encoded database CA certificate. DEPRECATED: + Moved to TLS.CACert. DELETE IN 10.0.' + type: string + dynamic_labels: + description: DynamicLabels is the database dynamic labels. + properties: + key: + type: string + value: + nullable: true + properties: + command: + description: Command is a command to run + items: + type: string + nullable: true + type: array + period: + description: Period is a time between command runs + format: duration + type: string + result: + description: Result captures standard output + type: string + type: object + type: object + gcp: + description: GCP contains parameters specific to GCP Cloud SQL databases. + properties: + instance_id: + description: InstanceID is the Cloud SQL instance ID. + type: string + project_id: + description: ProjectID is the GCP project ID the Cloud SQL instance + resides in. + type: string + type: object + mongo_atlas: + description: MongoAtlas contains Atlas metadata about the database. 
+ properties: + name: + description: Name is the Atlas database instance name. + type: string + type: object + mysql: + description: MySQL is an additional section with MySQL database options. + properties: + server_version: + description: ServerVersion is the server version reported by DB + proxy if the runtime information is not available. + type: string + type: object + oracle: + description: Oracle is an additional Oracle configuration options. + properties: + audit_user: + description: AuditUser is the Oracle database user privilege to + access internal Oracle audit trail. + type: string + type: object + protocol: + description: 'Protocol is the database protocol: postgres, mysql, + mongodb, etc.' + type: string + tls: + description: TLS is the TLS configuration used when establishing connection + to target database. Allows to provide custom CA cert or override + server name. + properties: + ca_cert: + description: CACert is an optional user provided CA certificate + used for verifying database TLS connection. + type: string + mode: + description: Mode is a TLS connection mode. 0 is "verify-full"; + 1 is "verify-ca", 2 is "insecure". + x-kubernetes-int-or-string: true + server_name: + description: ServerName allows to provide custom hostname. This + value will override the servername/hostname on a certificate + during validation. + type: string + trust_system_cert_pool: + description: TrustSystemCertPool allows Teleport to trust certificate + authorities available on the host system. If not set (by default), + Teleport only trusts self-signed databases with TLS certificates + signed by Teleport's Database Server CA or the ca_cert specified + in this TLS setting. For cloud-hosted databases, Teleport downloads + the corresponding required CAs for validation. + type: boolean + type: object + uri: + description: URI is the database connection endpoint. 
+ type: string + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/role.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/role.yaml index 2400735e26b8b..7eb76a1200975 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/role.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/role.yaml @@ -48,6 +48,10 @@ rules: - teleportautoupdateconfigsv1/status - teleportautoupdateversionsv1 - teleportautoupdateversionsv1/status + - teleportappsv3 + - teleportappsv3/status + - teleportdatabasesv3 + - teleportdatabasesv3/status verbs: - get - list diff --git a/examples/chart/teleport-cluster/templates/auth/config.yaml b/examples/chart/teleport-cluster/templates/auth/config.yaml index 355bf05b8db7d..1dfa1f995bead 100644 --- a/examples/chart/teleport-cluster/templates/auth/config.yaml +++ b/examples/chart/teleport-cluster/templates/auth/config.yaml @@ -66,6 +66,15 @@ data: name: operator spec: allow: + # The operator role can see all nodes. + # This is required to reconcile OpenSSH and OpenSSHEICE nodes. + # However, it has no login set, so it cannot SSH on them + node_labels: + "*": ["*"] + app_labels: + "*": ["*"] + db_labels: + "*": ["*"] rules: - resources: - role @@ -155,6 +164,14 @@ data: - read - update - delete + - resources: + - app + verbs: + - list + - create + - read + - update + - delete - resources: - autoupdate_version verbs: 
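Review bot: The comment added above `node_labels` justifies only the node grant; the `app_labels: "*": ["*"]` and `db_labels: "*": ["*"]` lines that follow it carry no rationale, and the "no login set" argument does not transfer to them, since application access in Teleport is gated by `app_labels` rather than by a login, so the operator identity appears to gain access to every application (the db grant is narrower, as no `db_users`/`db_names` are set, but it still exposes every database). The `app` and `db` resource rules added in the two later hunks already grant the CRUD verbs the reconcilers need, so if the label grants are required as well (for example to list or read app and database resources filtered by labels), the comment should say so, e.g. `# app_labels/db_labels let the operator see the apps and databases it reconciles; no db_users/db_names are granted`. If they are not required, dropping them and relying on the resource rules is the least-privilege option.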
@@ -171,6 +188,14 @@ data:
 - read
 - update
 - delete
+ - resources:
+ - db
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
 deny: {}
 version: v7
 ---
diff --git a/integrations/operator/apis/resources/v1/appv3_types.go b/integrations/operator/apis/resources/v1/appv3_types.go
new file mode 100644
index 0000000000000..f6782f00029fc
--- /dev/null
+++ b/integrations/operator/apis/resources/v1/appv3_types.go
@@ -0,0 +1,95 @@
+/*
+ * Teleport
+ * Copyright (C) 2023 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package v1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ "github.com/gravitational/teleport/api/types"
+ "github.com/gravitational/teleport/integrations/operator/apis/resources"
+)
+
+func init() {
+ SchemeBuilder.Register(&TeleportAppV3{}, &TeleportAppV3List{})
+}
+
+// TeleportAppV3Spec defines the desired state of TeleportAppV3
+type TeleportAppV3Spec types.AppSpecV3
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// TeleportAppV3 is the Schema for the roles API
+type TeleportAppV3 struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec TeleportAppV3Spec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// TeleportAppV3List contains a list of TeleportAppV3
+type TeleportAppV3List struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []TeleportAppV3 `json:"items"`
+}
+
+func (r TeleportAppV3) ToTeleport() types.Application {
+ return &types.AppV3{
+ Kind: types.KindApp,
+ Version: types.V3,
+ Metadata: types.Metadata{
+ Name: r.Name,
+ Labels: r.Labels,
+ Description: r.Annotations[resources.DescriptionKey],
+ },
+ Spec: types.AppSpecV3(r.Spec),
+ }
+}
+
+// Marshal serializes a spec into binary data.
+func (spec *TeleportAppV3Spec) Marshal() ([]byte, error) {
+ return (*types.AppSpecV3)(spec).Marshal()
+}
+
+// Unmarshal deserializes a spec from binary data.
+func (spec *TeleportAppV3Spec) Unmarshal(data []byte) error {
+ return (*types.AppSpecV3)(spec).Unmarshal(data)
+}
+
+// DeepCopyInto deep-copies one role spec into another.
+// Required to satisfy runtime.Object interface.
+func (spec *TeleportAppV3Spec) DeepCopyInto(out *TeleportAppV3Spec) {
+ data, err := spec.Marshal()
+ if err != nil {
+ panic(err)
+ }
+ *out = TeleportAppV3Spec{}
+ if err = out.Unmarshal(data); err != nil {
+ panic(err)
+ }
+}
+
+// StatusConditions returns a pointer to Status.Conditions slice.
+func (r *TeleportAppV3) StatusConditions() *[]metav1.Condition {
+ return &r.Status.Conditions
+}
diff --git a/integrations/operator/apis/resources/v1/databasev3_types.go b/integrations/operator/apis/resources/v1/databasev3_types.go
new file mode 100644
index 0000000000000..c000e231c37b0
--- /dev/null
+++ b/integrations/operator/apis/resources/v1/databasev3_types.go
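Review bot: The doc comments on `TeleportAppV3` and on `DeepCopyInto` were carried over from the role type and are wrong for this resource: `// TeleportAppV3 is the Schema for the roles API` should read `// TeleportAppV3 is the Schema for the apps API`, and `// DeepCopyInto deep-copies one role spec into another.` should read `// DeepCopyInto deep-copies one app spec into another.`; the same two comments appear in the databasev3_types.go hunk below and need the matching fix there. `ToTeleport` has no doc comment at all, although it is the one method that defines how the Kubernetes object maps onto a Teleport resource; `// ToTeleport converts the Kubernetes resource into a Teleport AppV3, carrying over the name, labels and the description annotation as metadata.` would cover it. As a point of style, `ToTeleport` is the only method on `TeleportAppV3` with a value receiver while `StatusConditions` takes `*TeleportAppV3`, so each call copies the embedded ObjectMeta; if the reconciler interface it satisfies allows it, `func (r *TeleportAppV3) ToTeleport() types.Application` keeps the receivers consistent, though the other operator types may already follow the value-receiver convention.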
@@ -0,0 +1,95 @@
+/*
+ * Teleport
+ * Copyright (C) 2023 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package v1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ "github.com/gravitational/teleport/api/types"
+ "github.com/gravitational/teleport/integrations/operator/apis/resources"
+)
+
+func init() {
+ SchemeBuilder.Register(&TeleportDatabaseV3{}, &TeleportDatabaseV3List{})
+}
+
+// TeleportDatabaseV3Spec defines the desired state of TeleportDatabaseV3
+type TeleportDatabaseV3Spec types.DatabaseSpecV3
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// TeleportDatabaseV3 is the Schema for the roles API
+type TeleportDatabaseV3 struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ Spec TeleportDatabaseV3Spec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// TeleportDatabaseV3List contains a list of TeleportDatabaseV3
+type TeleportDatabaseV3List struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []TeleportDatabaseV3 `json:"items"`
+}
+
+func (r TeleportDatabaseV3) ToTeleport() types.Database {
+ return &types.DatabaseV3{
+ Kind: types.KindDatabase,
+ Version: types.V3,
+ Metadata: types.Metadata{
+ Name: r.Name,
+ Labels: r.Labels,
+ Description: r.Annotations[resources.DescriptionKey],
+ },
+ Spec: types.DatabaseSpecV3(r.Spec),
+ }
+}
+
+// Marshal serializes a spec into binary data.
+func (spec *TeleportDatabaseV3Spec) Marshal() ([]byte, error) {
+ return (*types.DatabaseSpecV3)(spec).Marshal()
+}
+
+// Unmarshal deserializes a spec from binary data.
+func (spec *TeleportDatabaseV3Spec) Unmarshal(data []byte) error {
+ return (*types.DatabaseSpecV3)(spec).Unmarshal(data)
+}
+
+// DeepCopyInto deep-copies one role spec into another.
+// Required to satisfy runtime.Object interface.
+func (spec *TeleportDatabaseV3Spec) DeepCopyInto(out *TeleportDatabaseV3Spec) {
+ data, err := spec.Marshal()
+ if err != nil {
+ panic(err)
+ }
+ *out = TeleportDatabaseV3Spec{}
+ if err = out.Unmarshal(data); err != nil {
+ panic(err)
+ }
+}
+
+// StatusConditions returns a pointer to Status.Conditions slice.
+func (r *TeleportDatabaseV3) StatusConditions() *[]metav1.Condition {
+ return &r.Status.Conditions
+}
diff --git a/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go b/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go
index cb03975acd04b..827087f54b140 100644
--- a/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go
+++ b/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go
@@ -95,6 +95,75 @@ func (in *TeleportAccessListSpec) DeepCopy() *TeleportAccessListSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TeleportAppV3) DeepCopyInto(out *TeleportAppV3) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportAppV3. +func (in *TeleportAppV3) DeepCopy() *TeleportAppV3 { + if in == nil { + return nil + } + out := new(TeleportAppV3) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *TeleportAppV3) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TeleportAppV3List) DeepCopyInto(out *TeleportAppV3List) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]TeleportAppV3, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportAppV3List. +func (in *TeleportAppV3List) DeepCopy() *TeleportAppV3List { + if in == nil { + return nil + } + out := new(TeleportAppV3List) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *TeleportAppV3List) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportAppV3Spec. +func (in *TeleportAppV3Spec) DeepCopy() *TeleportAppV3Spec { + if in == nil { + return nil + } + out := new(TeleportAppV3Spec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TeleportAutoupdateConfigV1) DeepCopyInto(out *TeleportAutoupdateConfigV1) { *out = *in 
@@ -311,6 +380,75 @@ func (in *TeleportBotV1Spec) DeepCopy() *TeleportBotV1Spec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TeleportDatabaseV3) DeepCopyInto(out *TeleportDatabaseV3) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportDatabaseV3. +func (in *TeleportDatabaseV3) DeepCopy() *TeleportDatabaseV3 { + if in == nil { + return nil + } + out := new(TeleportDatabaseV3) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *TeleportDatabaseV3) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TeleportDatabaseV3List) DeepCopyInto(out *TeleportDatabaseV3List) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]TeleportDatabaseV3, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportDatabaseV3List. +func (in *TeleportDatabaseV3List) DeepCopy() *TeleportDatabaseV3List { + if in == nil { + return nil + } + out := new(TeleportDatabaseV3List) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *TeleportDatabaseV3List) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportDatabaseV3Spec. +func (in *TeleportDatabaseV3Spec) DeepCopy() *TeleportDatabaseV3Spec { + if in == nil { + return nil + } + out := new(TeleportDatabaseV3Spec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TeleportLoginRule) DeepCopyInto(out *TeleportLoginRule) { *out = *in diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_databasesv3.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_databasesv3.yaml new file mode 100644 index 0000000000000..c0ccd5205ab2e --- /dev/null +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_databasesv3.yaml 
@@ -0,0 +1,464 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: teleportdatabasesv3.resources.teleport.dev +spec: + group: resources.teleport.dev + names: + kind: TeleportDatabaseV3 + listKind: TeleportDatabaseV3List + plural: teleportdatabasesv3 + shortNames: + - databasev3 + - databasesv3 + singular: teleportdatabasev3 + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DatabaseV3 is the Schema for the databasesv3 API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Database resource definition v3 from Teleport + properties: + ad: + description: AD is the Active Directory configuration for the database. + properties: + domain: + description: Domain is the Active Directory domain the database + resides in. + type: string + kdc_host_name: + description: KDCHostName is the host name for a KDC for x509 Authentication. + type: string + keytab_file: + description: KeytabFile is the path to the Kerberos keytab file. + type: string + krb5_file: + description: Krb5File is the path to the Kerberos configuration + file. Defaults to /etc/krb5.conf. + type: string + ldap_cert: + description: LDAPCert is a certificate from Windows LDAP/AD, optional; + only for x509 Authentication. 
+ type: string + ldap_service_account_name: + description: LDAPServiceAccountName is the name of service account + for performing LDAP queries. Required for x509 Auth / PKINIT. + type: string + ldap_service_account_sid: + description: LDAPServiceAccountSID is the SID of service account + for performing LDAP queries. Required for x509 Auth / PKINIT. + type: string + spn: + description: SPN is the service principal name for the database. + type: string + type: object + admin_user: + description: AdminUser is the database admin user for automatic user + provisioning. + nullable: true + properties: + default_database: + description: DefaultDatabase is the database that the privileged + database user logs into by default. Depending on the database + type, this database may be used to store procedures or data + for managing database users. + type: string + name: + description: Name is the username of the privileged database user. + type: string + type: object + aws: + description: AWS contains AWS specific settings for RDS/Aurora/Redshift + databases. + properties: + account_id: + description: AccountID is the AWS account ID this database belongs + to. + type: string + assume_role_arn: + description: AssumeRoleARN is an optional AWS role ARN to assume + when accessing a database. Set this field and ExternalID to + enable access across AWS accounts. + type: string + docdb: + description: DocumentDB contains Amazon DocumentDB-specific metadata. + properties: + cluster_id: + description: ClusterID is the cluster identifier. + type: string + endpoint_type: + description: EndpointType is the type of the endpoint. + type: string + instance_id: + description: InstanceID is the instance identifier. + type: string + type: object + elasticache: + description: ElastiCache contains Amazon ElastiCache Redis-specific + metadata. + properties: + endpoint_type: + description: EndpointType is the type of the endpoint. 
+ type: string + replication_group_id: + description: ReplicationGroupID is the Redis replication group + ID. + type: string + transit_encryption_enabled: + description: TransitEncryptionEnabled indicates whether in-transit + encryption (TLS) is enabled. + type: boolean + user_group_ids: + description: UserGroupIDs is a list of user group IDs. + items: + type: string + nullable: true + type: array + type: object + external_id: + description: ExternalID is an optional AWS external ID used to + enable assuming an AWS role across accounts. + type: string + iam_policy_status: + description: 'IAMPolicyStatus indicates whether the IAM Policy + is configured properly for database access. If not, the user + must update the AWS profile identity to allow access to the + Database. Eg for an RDS Database: the underlying AWS profile + allows for `rds-db:connect` for the Database.' + x-kubernetes-int-or-string: true + memorydb: + description: MemoryDB contains AWS MemoryDB specific metadata. + properties: + acl_name: + description: ACLName is the name of the ACL associated with + the cluster. + type: string + cluster_name: + description: ClusterName is the name of the MemoryDB cluster. + type: string + endpoint_type: + description: EndpointType is the type of the endpoint. + type: string + tls_enabled: + description: TLSEnabled indicates whether in-transit encryption + (TLS) is enabled. + type: boolean + type: object + opensearch: + description: OpenSearch contains AWS OpenSearch specific metadata. + properties: + domain_id: + description: DomainID is the ID of the domain. + type: string + domain_name: + description: DomainName is the name of the domain. + type: string + endpoint_type: + description: EndpointType is the type of the endpoint. + type: string + type: object + rds: + description: RDS contains RDS specific metadata. + properties: + cluster_id: + description: ClusterID is the RDS cluster (Aurora) identifier. 
+ type: string + iam_auth: + description: IAMAuth indicates whether database IAM authentication + is enabled. + type: boolean + instance_id: + description: InstanceID is the RDS instance identifier. + type: string + resource_id: + description: ResourceID is the RDS instance resource identifier + (db-xxx). + type: string + security_groups: + description: SecurityGroups is a list of attached security + groups for the RDS instance. + items: + type: string + nullable: true + type: array + subnets: + description: Subnets is a list of subnets for the RDS instance. + items: + type: string + nullable: true + type: array + vpc_id: + description: VPCID is the VPC where the RDS is running. + type: string + type: object + rdsproxy: + description: RDSProxy contains AWS Proxy specific metadata. + properties: + custom_endpoint_name: + description: CustomEndpointName is the identifier of an RDS + Proxy custom endpoint. + type: string + name: + description: Name is the identifier of an RDS Proxy. + type: string + resource_id: + description: ResourceID is the RDS instance resource identifier + (prx-xxx). + type: string + type: object + redshift: + description: Redshift contains Redshift specific metadata. + properties: + cluster_id: + description: ClusterID is the Redshift cluster identifier. + type: string + type: object + redshift_serverless: + description: RedshiftServerless contains Amazon Redshift Serverless-specific + metadata. + properties: + endpoint_name: + description: EndpointName is the VPC endpoint name. + type: string + workgroup_id: + description: WorkgroupID is the workgroup ID. + type: string + workgroup_name: + description: WorkgroupName is the workgroup name. + type: string + type: object + region: + description: Region is a AWS cloud region. + type: string + secret_store: + description: SecretStore contains secret store configurations. + properties: + key_prefix: + description: KeyPrefix specifies the secret key prefix. 
+ type: string + kms_key_id: + description: KMSKeyID specifies the AWS KMS key for encryption. + type: string + type: object + session_tags: + description: SessionTags is a list of AWS STS session tags. + nullable: true + properties: + key: + type: string + value: + type: string + type: object + type: object + azure: + description: Azure contains Azure specific database metadata. + properties: + is_flexi_server: + description: IsFlexiServer is true if the database is an Azure + Flexible server. + type: boolean + name: + description: Name is the Azure database server name. + type: string + redis: + description: Redis contains Azure Cache for Redis specific database + metadata. + properties: + clustering_policy: + description: ClusteringPolicy is the clustering policy for + Redis Enterprise. + type: string + type: object + resource_id: + description: ResourceID is the Azure fully qualified ID for the + resource. + type: string + type: object + ca_cert: + description: 'CACert is the PEM-encoded database CA certificate. DEPRECATED: + Moved to TLS.CACert. DELETE IN 10.0.' + type: string + dynamic_labels: + description: DynamicLabels is the database dynamic labels. + properties: + key: + type: string + value: + nullable: true + properties: + command: + description: Command is a command to run + items: + type: string + nullable: true + type: array + period: + description: Period is a time between command runs + format: duration + type: string + result: + description: Result captures standard output + type: string + type: object + type: object + gcp: + description: GCP contains parameters specific to GCP Cloud SQL databases. + properties: + instance_id: + description: InstanceID is the Cloud SQL instance ID. + type: string + project_id: + description: ProjectID is the GCP project ID the Cloud SQL instance + resides in. + type: string + type: object + mongo_atlas: + description: MongoAtlas contains Atlas metadata about the database. 
+ properties: + name: + description: Name is the Atlas database instance name. + type: string + type: object + mysql: + description: MySQL is an additional section with MySQL database options. + properties: + server_version: + description: ServerVersion is the server version reported by DB + proxy if the runtime information is not available. + type: string + type: object + oracle: + description: Oracle is an additional Oracle configuration options. + properties: + audit_user: + description: AuditUser is the Oracle database user privilege to + access internal Oracle audit trail. + type: string + type: object + protocol: + description: 'Protocol is the database protocol: postgres, mysql, + mongodb, etc.' + type: string + tls: + description: TLS is the TLS configuration used when establishing connection + to target database. Allows to provide custom CA cert or override + server name. + properties: + ca_cert: + description: CACert is an optional user provided CA certificate + used for verifying database TLS connection. + type: string + mode: + description: Mode is a TLS connection mode. 0 is "verify-full"; + 1 is "verify-ca", 2 is "insecure". + x-kubernetes-int-or-string: true + server_name: + description: ServerName allows to provide custom hostname. This + value will override the servername/hostname on a certificate + during validation. + type: string + trust_system_cert_pool: + description: TrustSystemCertPool allows Teleport to trust certificate + authorities available on the host system. If not set (by default), + Teleport only trusts self-signed databases with TLS certificates + signed by Teleport's Database Server CA or the ca_cert specified + in this TLS setting. For cloud-hosted databases, Teleport downloads + the corresponding required CAs for validation. + type: boolean + type: object + uri: + description: URI is the database connection endpoint. 
+ type: string + type: object + status: + description: Status defines the observed state of the Teleport resource + properties: + conditions: + description: Conditions represent the latest available observations + of an object's state + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + teleportResourceID: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/integrations/operator/controllers/resources/appv3_controller.go b/integrations/operator/controllers/resources/appv3_controller.go new file mode 100644 index 0000000000000..71297ea8ae786 --- /dev/null +++ b/integrations/operator/controllers/resources/appv3_controller.go 
@@ -0,0 +1,75 @@
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package resources
+
+import (
+ "context"
+
+ "github.com/gravitational/trace"
+ kclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "github.com/gravitational/teleport/api/client"
+ "github.com/gravitational/teleport/api/types"
+ resourcesv1 "github.com/gravitational/teleport/integrations/operator/apis/resources/v1"
+ "github.com/gravitational/teleport/integrations/operator/controllers"
+ "github.com/gravitational/teleport/integrations/operator/controllers/reconcilers"
+)
+
+// appClient implements TeleportResourceClient and offers CRUD methods needed to reconcile apps
+// Currently the same client is used by all app versions. If we need to treat
+// them differently at some point, for example by adding a Mutate function
+// functions, we can always split the client into separate clients.
+type appClient struct {
+ teleportClient *client.Client
+}
+
+// Get gets the Teleport app of a given name
+func (r appClient) Get(ctx context.Context, name string) (types.Application, error) {
+ app, err := r.teleportClient.GetApp(ctx, name)
+ return app, trace.Wrap(err)
+}
+
+// Create creates a Teleport app
+func (r appClient) Create(ctx context.Context, app types.Application) error {
+ return trace.Wrap(r.teleportClient.CreateApp(ctx, app))
+}
+
+// Update updates a Teleport app
+func (r appClient) Update(ctx context.Context, app types.Application) error {
+ return trace.Wrap(r.teleportClient.UpdateApp(ctx, app))
+}
+
+// Delete deletes a Teleport app
+func (r appClient) Delete(ctx context.Context, name string) error {
+ return trace.Wrap(r.teleportClient.DeleteApp(ctx, name))
+}
+
+// NewAppV3Reconciler instantiates a new Kubernetes controller reconciling app v6 resources
+func NewAppV3Reconciler(client kclient.Client, tClient *client.Client) (controllers.Reconciler, error) {
+ appClient := &appClient{
+ teleportClient: tClient,
+ }
+
+ resourceReconciler, err := reconcilers.NewTeleportResourceWithLabelsReconciler[types.Application, *resourcesv1.TeleportAppV3](
+ client,
+ appClient,
+ )
+
+ return resourceReconciler, trace.Wrap(err, "building teleport resource reconciler")
+}
diff --git a/integrations/operator/controllers/resources/appv3_controller_test.go b/integrations/operator/controllers/resources/appv3_controller_test.go
new file mode 100644
index 0000000000000..d84c41822c466
--- /dev/null
+++ b/integrations/operator/controllers/resources/appv3_controller_test.go
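Review bot: `NewAppV3Reconciler`'s doc comment says it reconciles `app v6 resources`, but the type it registers is `*resourcesv1.TeleportAppV3`; it should read `// NewAppV3Reconciler instantiates a new Kubernetes controller reconciling app v3 resources`. The type comment above `appClient` also carries a duplicated word (`by adding a Mutate function functions`). Inside the same function the parameter `client kclient.Client` shadows the imported `client` package and the local `appClient := &appClient{...}` shadows the `appClient` type; renaming them (for example `kubeClient` and `teleportAppClient`) would keep the two clients from being confused as more methods are added. `NewDatabaseV3Reconciler` in the databasev3_controller.go hunk repeats all three points (`database v6 resources`, the duplicated word, and the same shadowing).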
@@ -0,0 +1,139 @@
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package resources_test
+
+import (
+ "context"
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ "github.com/gravitational/trace"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ kclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "github.com/gravitational/teleport/api/types"
+ resourcesv1 "github.com/gravitational/teleport/integrations/operator/apis/resources/v1"
+ "github.com/gravitational/teleport/integrations/operator/controllers/reconcilers"
+ "github.com/gravitational/teleport/integrations/operator/controllers/resources/testlib"
+)
+
+var appV3Spec = types.AppSpecV3{
+ URI: "http://test.namespace.svc.cluster.local:8080",
+ Rewrite: &types.Rewrite{
+ Headers: []*types.Header{
+ {
+ Name: "C-Custom-Header",
+ Value: "example",
+ },
+ },
+ },
+}
+
+type appV3TestingPrimitives struct {
+ setup *testSetup
+ reconcilers.ResourceWithLabelsAdapter[types.Application]
+}
+
+func (g *appV3TestingPrimitives) Init(setup *testSetup) {
+ g.setup = setup
+}
+
+func (g *appV3TestingPrimitives) SetupTeleportFixtures(ctx context.Context) error {
+ return nil
+}
+
+func (g *appV3TestingPrimitives) CreateTeleportResource(ctx context.Context, name string) error {
+ meta := types.Metadata{
+ Name: name,
+ }
+ app, err := types.NewAppV3(meta, appV3Spec)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ app.SetOrigin(types.OriginKubernetes)
+ return trace.Wrap(g.setup.TeleportClient.CreateApp(ctx, app))
+}
+
+func (g *appV3TestingPrimitives) GetTeleportResource(ctx context.Context, name string) (types.Application, error) {
+ return g.setup.TeleportClient.GetApp(ctx, name)
+}
+
+func (g *appV3TestingPrimitives) DeleteTeleportResource(ctx context.Context, name string) error {
+ return trace.Wrap(g.setup.TeleportClient.DeleteApp(ctx, name))
+}
+
+func (g *appV3TestingPrimitives) CreateKubernetesResource(ctx context.Context, name string) error {
+ app := &resourcesv1.TeleportAppV3{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: g.setup.Namespace.Name,
+ },
+ Spec: resourcesv1.TeleportAppV3Spec(appV3Spec),
+ }
+ return trace.Wrap(g.setup.K8sClient.Create(ctx, app))
+}
+
+func (g *appV3TestingPrimitives) DeleteKubernetesResource(ctx context.Context, name string) error {
+ app := &resourcesv1.TeleportAppV3{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: g.setup.Namespace.Name,
+ },
+ }
+ return trace.Wrap(g.setup.K8sClient.Delete(ctx, app))
+}
+
+func (g *appV3TestingPrimitives) GetKubernetesResource(ctx context.Context, name string) (*resourcesv1.TeleportAppV3, error) {
+ app := &resourcesv1.TeleportAppV3{}
+ obj := kclient.ObjectKey{
+ Name: name,
+ Namespace: g.setup.Namespace.Name,
+ }
+ err := g.setup.K8sClient.Get(ctx, obj, app)
+ return app, trace.Wrap(err)
+}
+
+func (g *appV3TestingPrimitives) ModifyKubernetesResource(ctx context.Context, name string) error {
+ app, err := g.GetKubernetesResource(ctx, name)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ app.Spec.Rewrite.Headers = append(app.Spec.Rewrite.Headers, &types.Header{Name: "Content-Type", Value: "application/json"})
+ return g.setup.K8sClient.Update(ctx, app)
+}
+
+func (g *appV3TestingPrimitives) CompareTeleportAndKubernetesResource(tResource types.Application, kubeResource *resourcesv1.TeleportAppV3) (bool, string) {
+ diff := cmp.Diff(tResource, kubeResource.ToTeleport(), testlib.CompareOptions()...)
+ return diff == "", diff
+}
+
+func TestTeleportAppV3Creation(t *testing.T) {
+ test := &appV3TestingPrimitives{}
+ testlib.ResourceCreationTest[types.Application, *resourcesv1.TeleportAppV3](t, test)
+}
+
+func TestTeleportAppV3DeletionDrift(t *testing.T) {
+ test := &appV3TestingPrimitives{}
+ testlib.ResourceDeletionDriftTest[types.Application, *resourcesv1.TeleportAppV3](t, test)
+}
+
+func TestTeleportAppV3Update(t *testing.T) {
+ test := &appV3TestingPrimitives{}
+ testlib.ResourceUpdateTest[types.Application, *resourcesv1.TeleportAppV3](t, test)
+}
diff --git a/integrations/operator/controllers/resources/databasev3_controller.go b/integrations/operator/controllers/resources/databasev3_controller.go
new file mode 100644
index 0000000000000..7987e3d434186
--- /dev/null
+++ b/integrations/operator/controllers/resources/databasev3_controller.go
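Review bot: `ModifyKubernetesResource` returns `g.setup.K8sClient.Update(ctx, app)` bare and `GetTeleportResource` returns `g.setup.TeleportClient.GetApp(ctx, name)` bare, while every other primitive in this file wraps its error with `trace.Wrap`; wrapping both keeps the stack traces consistent when one of the shared testlib scenarios fails, e.g. `return trace.Wrap(g.setup.K8sClient.Update(ctx, app))`. `ModifyKubernetesResource` also appends to `app.Spec.Rewrite.Headers` without checking that `Rewrite` is non-nil; that holds only because `appV3Spec` sets it, so a one-line comment such as `// appV3Spec always sets Rewrite, so the pointer is safe to dereference here` would stop a future fixture change from turning this into a nil dereference. The header name `C-Custom-Header` in `appV3Spec` looks like a typo for `X-Custom-Header`, though as test data it is harmless.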
@@ -0,0 +1,75 @@
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package resources
+
+import (
+ "context"
+
+ "github.com/gravitational/trace"
+ kclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "github.com/gravitational/teleport/api/client"
+ "github.com/gravitational/teleport/api/types"
+ resourcesv1 "github.com/gravitational/teleport/integrations/operator/apis/resources/v1"
+ "github.com/gravitational/teleport/integrations/operator/controllers"
+ "github.com/gravitational/teleport/integrations/operator/controllers/reconcilers"
+)
+
+// databaseClient implements TeleportResourceClient and offers CRUD methods needed to reconcile databases
+// Currently the same client is used by all database versions. If we need to treat
+// them differently at some point, for example by adding a Mutate function
+// functions, we can always split the client into separate clients.
+type databaseClient struct {
+ teleportClient *client.Client
+}
+
+// Get gets the Teleport database of a given name
+func (r databaseClient) Get(ctx context.Context, name string) (types.Database, error) {
+ database, err := r.teleportClient.GetDatabase(ctx, name)
+ return database, trace.Wrap(err)
+}
+
+// Create creates a Teleport database
+func (r databaseClient) Create(ctx context.Context, database types.Database) error {
+ return trace.Wrap(r.teleportClient.CreateDatabase(ctx, database))
+}
+
+// Update updates a Teleport database
+func (r databaseClient) Update(ctx context.Context, database types.Database) error {
+ return trace.Wrap(r.teleportClient.UpdateDatabase(ctx, database))
+}
+
+// Delete deletes a Teleport database
+func (r databaseClient) Delete(ctx context.Context, name string) error {
+ return trace.Wrap(r.teleportClient.DeleteDatabase(ctx, name))
+}
+
+// NewDatabaseV3Reconciler instantiates a new Kubernetes controller reconciling database v6 resources
+func NewDatabaseV3Reconciler(client kclient.Client, tClient *client.Client) (controllers.Reconciler, error) {
+ databaseClient := &databaseClient{
+ teleportClient: tClient,
+ }
+
+ resourceReconciler, err := reconcilers.NewTeleportResourceWithLabelsReconciler[types.Database, *resourcesv1.TeleportDatabaseV3](
+ client,
+ databaseClient,
+ )
+
+ return resourceReconciler, trace.Wrap(err, "building teleport resource reconciler")
+}
diff --git a/integrations/operator/controllers/resources/databasev3_controller_test.go b/integrations/operator/controllers/resources/databasev3_controller_test.go
new file mode 100644
index 0000000000000..73c899da1a7da
--- /dev/null
+++ b/integrations/operator/controllers/resources/databasev3_controller_test.go
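Review bot: The doc comment on NewDatabaseV3Reconciler says "reconciling database v6 resources", but the function builds a reconciler for TeleportDatabaseV3, so it should read `// NewDatabaseV3Reconciler instantiates a new Kubernetes controller reconciling database v3 resources`. In the same function the parameter named `client` shadows the imported `client` package for the whole body, and the local `databaseClient` shadows the type of the same name; both compile, but `kubeClient` and `dbClient` would remove the double meaning for the next reader. The comment above `type databaseClient` also carries a stray "function functions"; "for example by adding a Mutate function, we can always split the client" reads as intended.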
@@ -0,0 +1,132 @@
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package resources_test
+
+import (
+ "context"
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ "github.com/gravitational/trace"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ kclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "github.com/gravitational/teleport/api/types"
+ resourcesv1 "github.com/gravitational/teleport/integrations/operator/apis/resources/v1"
+ "github.com/gravitational/teleport/integrations/operator/controllers/reconcilers"
+ "github.com/gravitational/teleport/integrations/operator/controllers/resources/testlib"
+)
+
+var databaseV3Spec = types.DatabaseSpecV3{
+ Protocol: types.DatabaseProtocolPostgreSQL,
+ URI: "database.namespace.svc.cluster.local:5432",
+}
+
+type databaseV3TestingPrimitives struct {
+ setup *testSetup
+ reconcilers.ResourceWithLabelsAdapter[types.Database]
+}
+
+func (g *databaseV3TestingPrimitives) Init(setup *testSetup) {
+ g.setup = setup
+}
+
+func (g *databaseV3TestingPrimitives) SetupTeleportFixtures(ctx context.Context) error {
+ return nil
+}
+
+func (g *databaseV3TestingPrimitives) CreateTeleportResource(ctx context.Context, name string) error {
+ meta := types.Metadata{
+ Name: name,
+ }
+ database, err := types.NewDatabaseV3(meta, databaseV3Spec)
+ if err != nil {
+ return 
trace.Wrap(err)
+ }
+ database.SetOrigin(types.OriginKubernetes)
+ return trace.Wrap(g.setup.TeleportClient.CreateDatabase(ctx, database))
+}
+
+func (g *databaseV3TestingPrimitives) GetTeleportResource(ctx context.Context, name string) (types.Database, error) {
+ return g.setup.TeleportClient.GetDatabase(ctx, name)
+}
+
+func (g *databaseV3TestingPrimitives) DeleteTeleportResource(ctx context.Context, name string) error {
+ return trace.Wrap(g.setup.TeleportClient.DeleteDatabase(ctx, name))
+}
+
+func (g *databaseV3TestingPrimitives) CreateKubernetesResource(ctx context.Context, name string) error {
+ database := &resourcesv1.TeleportDatabaseV3{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: g.setup.Namespace.Name,
+ },
+ Spec: resourcesv1.TeleportDatabaseV3Spec(databaseV3Spec),
+ }
+ return trace.Wrap(g.setup.K8sClient.Create(ctx, database))
+}
+
+func (g *databaseV3TestingPrimitives) DeleteKubernetesResource(ctx context.Context, name string) error {
+ database := &resourcesv1.TeleportDatabaseV3{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name,
+ Namespace: g.setup.Namespace.Name,
+ },
+ }
+ return trace.Wrap(g.setup.K8sClient.Delete(ctx, database))
+}
+
+func (g *databaseV3TestingPrimitives) GetKubernetesResource(ctx context.Context, name string) (*resourcesv1.TeleportDatabaseV3, error) {
+ database := &resourcesv1.TeleportDatabaseV3{}
+ obj := kclient.ObjectKey{
+ Name: name,
+ Namespace: g.setup.Namespace.Name,
+ }
+ err := g.setup.K8sClient.Get(ctx, obj, database)
+ return database, trace.Wrap(err)
+}
+
+func (g *databaseV3TestingPrimitives) ModifyKubernetesResource(ctx context.Context, name string) error {
+ database, err := g.GetKubernetesResource(ctx, name)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ database.Spec.Protocol = types.DatabaseProtocolMySQL
+ return g.setup.K8sClient.Update(ctx, database)
+}
+
+func (g *databaseV3TestingPrimitives) CompareTeleportAndKubernetesResource(tResource types.Database, kubeResource 
*resourcesv1.TeleportDatabaseV3) (bool, string) {
+ diff := cmp.Diff(tResource, kubeResource.ToTeleport(), testlib.CompareOptions()...)
+ return diff == "", diff
+}
+
+func TestTeleportDatabaseV3Creation(t *testing.T) {
+ test := &databaseV3TestingPrimitives{}
+ testlib.ResourceCreationTest[types.Database, *resourcesv1.TeleportDatabaseV3](t, test)
+}
+
+func TestTeleportDatabaseV3DeletionDrift(t *testing.T) {
+ test := &databaseV3TestingPrimitives{}
+ testlib.ResourceDeletionDriftTest[types.Database, *resourcesv1.TeleportDatabaseV3](t, test)
+}
+
+func TestTeleportDatabaseV3Update(t *testing.T) {
+ test := &databaseV3TestingPrimitives{}
+ testlib.ResourceUpdateTest[types.Database, *resourcesv1.TeleportDatabaseV3](t, test)
+}
diff --git a/integrations/operator/controllers/resources/setup.go b/integrations/operator/controllers/resources/setup.go
index d446cf88eaeb7..0a1a20526ac9e 100644
--- a/integrations/operator/controllers/resources/setup.go
+++ b/integrations/operator/controllers/resources/setup.go
@@ -53,6 +53,8 @@ func SetupAllControllers(log logr.Logger, mgr manager.Manager, teleportClient *c
 {"TeleportWorkloadIdentityV1", NewWorkloadIdentityV1Reconciler},
 {"TeleportAutoupdateConfigV1", NewAutoUpdateConfigV1Reconciler},
 {"TeleportAutoupdateVersionV1", NewAutoUpdateVersionV1Reconciler},
+ {"TeleportAppV3", NewAppV3Reconciler},
+ {"TeleportDatabaseV3", NewDatabaseV3Reconciler},
 }
 oidc := modules.GetProtoEntitlement(features, entitlements.OIDC)
diff --git a/integrations/operator/controllers/resources/testlib/env.go b/integrations/operator/controllers/resources/testlib/env.go
index d178c3a3c8b32..b5bde2934844b 100644
--- a/integrations/operator/controllers/resources/testlib/env.go
+++ b/integrations/operator/controllers/resources/testlib/env.go
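Review bot: GetTeleportResource hands back the error from GetDatabase unwrapped while every sibling method in this file wraps with trace.Wrap, so a failure there is the one place in the test primitives without a stack trace; `database, err := g.setup.TeleportClient.GetDatabase(ctx, name)` followed by `return database, trace.Wrap(err)` keeps the file consistent. ModifyKubernetesResource likewise returns K8sClient.Update's error bare where its Create/Delete counterparts wrap it, `return trace.Wrap(g.setup.K8sClient.Update(ctx, database))`.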
@@ -129,7 +129,9 @@ func defaultTeleportServiceConfig(t *testing.T) (*helpers.TeleInstance, string)
 Allow: types.RoleConditions{
 // the operator has wildcard noe labs to be able to see them
 // but has no login allowed, so it cannot SSH into them
- NodeLabels: types.Labels{"*": []string{"*"}},
+ NodeLabels: types.Labels{"*": []string{"*"}},
+ AppLabels: types.Labels{"*": []string{"*"}},
+ DatabaseLabels: types.Labels{"*": []string{"*"}},
 Rules: []types.Rule{
 types.NewRule(types.KindRole, unrestricted),
 types.NewRule(types.KindUser, unrestricted),
@@ -144,6 +146,8 @@ func defaultTeleportServiceConfig(t *testing.T) (*helpers.TeleInstance, string)
 types.NewRule(types.KindWorkloadIdentity, unrestricted),
 types.NewRule(types.KindAutoUpdateConfig, unrestricted),
 types.NewRule(types.KindAutoUpdateVersion, unrestricted),
+ types.NewRule(types.KindApp, unrestricted),
+ types.NewRule(types.KindDatabase, unrestricted),
 },
 },
 })
diff --git a/integrations/operator/crdgen/handlerequest.go b/integrations/operator/crdgen/handlerequest.go
index 040f30e08f29a..29e5a3394b3aa 100644
--- a/integrations/operator/crdgen/handlerequest.go
+++ b/integrations/operator/crdgen/handlerequest.go
@@ -177,6 +177,8 @@ func generateSchema(file *File, groupName string, format crdFormatFunc, resp *go
 // Role V7 and V8 is using the RoleV6 message
 {name: "RoleV6", opts: []resourceSchemaOption{withVersionOverride(types.V7), withVersionInKindOverride()}},
 {name: "RoleV6", opts: []resourceSchemaOption{withVersionOverride(types.V8), withVersionInKindOverride()}},
+ {name: "AppV3", opts: []resourceSchemaOption{withVersionOverride(types.V3), withVersionInKindOverride()}},
+ {name: "DatabaseV3", opts: []resourceSchemaOption{withVersionOverride(types.V3), withVersionInKindOverride()}},
 {name: "SAMLConnectorV2"},
 {name: "OIDCConnectorV3"},
 {name: "GithubConnectorV3"},
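Review bot: The new `AppLabels` and `DatabaseLabels` wildcards sit under a comment whose justification covers only nodes ("has no login allowed, so it cannot SSH into them"), and that reasoning does not transfer unchanged: database access still needs db_users/db_names, which this role leaves unset, but as far as I recall app_labels alone is sufficient to grant access to every matching application, so the test identity now holds more than read-only visibility of apps. If visibility is all the operator needs, the comment should say so and the app grant should be confirmed as intended, e.g. `// wildcard node/app/db labels let the operator see every resource; with no logins, db_users or db_names it cannot SSH or connect to databases, but app_labels alone does grant app access` (which also fixes "noe labs"). The same point applies to the app_labels/db_labels additions in integrations/operator/hack/fixture-operator-role.yaml, whose comment likewise only says "it cannot SSH on them".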
diff --git a/integrations/operator/hack/fixture-operator-role.yaml b/integrations/operator/hack/fixture-operator-role.yaml
index f0c91a5db57f7..11c71c82b18d2 100644
--- a/integrations/operator/hack/fixture-operator-role.yaml
+++ b/integrations/operator/hack/fixture-operator-role.yaml
@@ -8,6 +8,10 @@ spec:
 # However, it has no login set, so it cannot SSH on them
 node_labels:
 "*": ["*"]
+ app_labels:
+ "*": ["*"]
+ db_labels:
+ "*": ["*"]
 rules:
 - resources:
 - role
@@ -97,6 +101,14 @@ spec:
 - read
 - update
 - delete
+ - resources:
+ - app
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
 - resources:
 - autoupdate_version
 verbs:
@@ -113,5 +125,13 @@ spec:
 - read
 - update
 - delete
+ - resources:
+ - db
+ verbs:
+ - list
+ - create
+ - read
+ - update
+ - delete
 deny: {}
 version: v7