Skip to content

feat: oracle join tokens scoped to specific instance IDs#60888

Merged
nklaassen merged 2 commits intomasterfrom
nklaassen/oracle-instance
Nov 5, 2025
Merged

feat: oracle join tokens scoped to specific instance IDs#60888
nklaassen merged 2 commits intomasterfrom
nklaassen/oracle-instance

Conversation

@nklaassen
Copy link
Copy Markdown
Contributor

@nklaassen nklaassen commented Oct 31, 2025

This PR enables oracle join tokens to specify exact instance IDs that should be allowed to join. This gets feature parity with our IAM join method, which allows specifying the exact ARN of the IAM identities allowed to join.

I'll add docs in a following PR.

changelog: Added an option to restrict Oracle join tokens to specific instance IDs

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Oct 31, 2025
edited
Loading

Amplify deployment status

Branch Commit Job ID Status Preview Updated (UTC)
nklaassen/oracle-instance ebab773 6 ✅SUCCEED nklaassen-oracle-instance 2025-11-05 17:01:38

rosstimothy
rosstimothy approved these changes Nov 3, 2025
View reviewed changes
Comment thread api/proto/teleport/legacy/types/types.proto
repeated string Regions = 3 [(gogoproto.jsontag) = "regions,omitempty"];
// Instances is a list of the OCIDs of specific instances that are allowed
// to join. If empty, any instance matching the other fields in the rule is allowed.
repeated string Instances = 4 [(gogoproto.jsontag) = "instances,omitempty"];
Copy link
Copy Markdown
Contributor

@rosstimothy rosstimothy Nov 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there an upper bound that we will enforce?

Copy link
Copy Markdown
Contributor Author

@nklaassen nklaassen Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

on the length of this list? I haven't put an explicit upper bound. This field is also within a list of oracle allow rules with no explicit length limit. I'm not sure a list is even the best option tbh, I think this would mostly be useful for

a) automation that creates a token for a specific instance
b) some sort of discover flow for a adding a single oci instance

@rosstimothy what do you think, I could make it a single string per oracle allow rule? or add some arbitrary upper bound like 100

Copy link
Copy Markdown
Contributor

@rosstimothy rosstimothy Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hrm good question. From a UX perspective it seems like a single rule which limits N instances in the same compartment, regions, etc would be less work than a new rule per instance.

If we don't enforce any limitations here, gRPC will eventually do that for us.

Copy link
Copy Markdown
Contributor Author

@nklaassen nklaassen Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added an explicit cap of 100 instance IDs per rule

@nklaassen nklaassen force-pushed the nklaassen/oracle-cache branch from 79fb7ee to 9cfd08f Compare November 3, 2025 18:14
@nklaassen nklaassen force-pushed the nklaassen/oracle-instance branch from fd35ac3 to 8c6fe5d Compare November 3, 2025 18:17
@nklaassen nklaassen changed the base branch from nklaassen/oracle-cache to master November 3, 2025 18:17
@nklaassen nklaassen force-pushed the nklaassen/oracle-instance branch from 703be6e to ebab773 Compare November 5, 2025 16:56
@nklaassen nklaassen enabled auto-merge November 5, 2025 17:00
@nklaassen nklaassen added this pull request to the merge queue Nov 5, 2025
Merged via the queue into master with commit 8fae14b Nov 5, 2025
45 checks passed
@nklaassen nklaassen deleted the nklaassen/oracle-instance branch November 5, 2025 17:40
nklaassen added a commit that referenced this pull request Nov 6, 2025
@nklaassen
[v18] feat: oracle join tokens scoped to specific instance IDs
ddb3ef3 
Backport #60888 to branch/v18
@nklaassen nklaassen mentioned this pull request Nov 6, 2025
Merged
nklaassen added a commit that referenced this pull request Nov 13, 2025
@nklaassen
[v18] feat: oracle join tokens scoped to specific instance IDs
c07ab21 
Backport #60888 to branch/v18
github-merge-queue bot pushed a commit that referenced this pull request Nov 13, 2025
@nklaassen
[v18] feat: oracle join tokens scoped to specific instance IDs (#61078)
2a9476b 
Backport #60888 to branch/v18
mmcallister pushed a commit that referenced this pull request Nov 19, 2025
@nklaassen @mmcallister
feat: oracle join tokens scoped to specific instance IDs (#60888)
3738aed 
* feat: oracle join tokens scoped to specific instance IDs

* validate instance ID and cap at 100 per rule
mmcallister pushed a commit that referenced this pull request Nov 20, 2025
@nklaassen @mmcallister
feat: oracle join tokens scoped to specific instance IDs (#60888)
fa08d8b 
* feat: oracle join tokens scoped to specific instance IDs

* validate instance ID and cap at 100 per rule
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rosstimothy rosstimothy rosstimothy approved these changes

@kshi36 kshi36 kshi36 approved these changes

Assignees

No one assigned

Labels

backport-required size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nklaassen @rosstimothy @kshi36