|
1 | 1 | ---
|
2 |
| -title: WorkloadIdentity Resource Configuration Experience |
3 |
| -description: Migrating to the new WorkloadIdentity resource configuration experience |
| 2 | +title: WorkloadIdentity Configuration Resource migration |
| 3 | +description: Migrating to the new WorkloadIdentity resource configuration |
4 | 4 | ---
|
5 | 5 |
|
| 6 | +The way that you configure Teleport Workload Identity is changing. If you are |
| 7 | +currently using Workload Identity, you will need to migrate to the new |
| 8 | +configuration experience by V19.0.0 when support for the old configuration |
| 9 | +will be removed. |
| 10 | + |
| 11 | +## Overview |
| 12 | + |
| 13 | +Previously, the details of the credentials (e.g X509 SVID/JWT SVID) you wished |
| 14 | +to issue were defined directly within `tbot`. Controlling what credentials were |
| 15 | +allowed to be issued was done by configuring the `spec.allow.spiffe` field of |
| 16 | +the role resource. |
| 17 | + |
| 18 | +The new configuration experience introduces a new resource type, `WorkloadIdentity`, |
| 19 | +which allows you to define the structure of an identity credential that can be |
| 20 | +issued to workloads and the rules around what workloads it can be issued to. |
| 21 | + |
| 22 | +This provides the following benefits over the previous configuration experience: |
| 23 | + |
| 24 | +- Centralized control of the structure of the identity credential, which |
| 25 | + simplifies the configuration of `tbot`. |
| 26 | +- The ability to specify rules based on the attributes of the workload, such as |
| 27 | + the name of the Kubernetes namespace or service account, that is more fine |
| 28 | + grained than the previous configuration. |
| 29 | +- The ability to use templating to dynamically generate elements of the identity |
| 30 | + credential - allowing a single WorkloadIdentity resource to be used to serve |
| 31 | + multiple workloads. |
| 32 | + |
| 33 | +You can read the full details of the new WorkloadIdentity resource in the |
| 34 | +[WorkloadIdentity Resource](./workload-identity-resource.mdx) reference. |
| 35 | + |
| 36 | +## Migrating `tbot` |
| 37 | + |
| 38 | +The following CLI commands have been replaced: |
| 39 | + |
| 40 | +- `tbot start spiffe-svid` is now `tbot start workload-identity-x509`. |
| 41 | + |
| 42 | +The following new additional CLI commands have been introduced: |
| 43 | + |
| 44 | +- `tbot start workload-identity-api` to start a listener for the Workload |
| 45 | + Identity API. |
| 46 | +- `tbot start workload-identity-jwt` to issue a JWT SVID. |
| 47 | + |
| 48 | +You can read more about the new CLI commands in the |
| 49 | +[`tbot` CLI reference](../cli/tbot.mdx). |
| 50 | + |
| 51 | +The following service types have been replaced: |
| 52 | + |
| 53 | +- `spiffe-workload-api` is now `workload-identity-api`. |
| 54 | +- `spiffe-x509-svid` is now `workload-identity-x509`. |
| 55 | + |
| 56 | +The following new additional service types have been introduced: |
| 57 | + |
| 58 | +- `workload-identity-jwt` to issue JWT SVIDs. |
| 59 | + |
| 60 | +You can read more about the new service types in the |
| 61 | +[`tbot` configuration reference](../machine-id/configuration.mdx). |
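Review bot: the `## Migrating \`tbot\`` section covers only the renamed CLI commands and service types, yet the overview states that the old allow rules lived in the role's `spec.allow.spiffe` field and the SVID details lived in `tbot` itself, so the page never tells the reader what must exist on the Auth Service side before `tbot` is switched over. Add a step ahead of the `tbot` changes that tells the reader to create a `WorkloadIdentity` resource carrying the credential structure previously defined in `tbot` and the rules previously expressed in `spec.allow.spiffe`, says what (if anything) replaces `spec.allow.spiffe` in the role, and states how the new `workload-identity-x509`, `workload-identity-jwt` and `workload-identity-api` services reference that resource; as written, a reader who only renames `spiffe-x509-svid` to `workload-identity-x509` has migrated none of their allow configuration. Minor wording in the same hunk: `(e.g X509 SVID/JWT SVID)` should be `(e.g. X509 SVID/JWT SVID)`; `that is more fine grained than the previous configuration` should read `which is more fine-grained than the previous configuration`; and `migrate to the new configuration experience by V19.0.0 when support for the old configuration will be removed` reads better as `migrate to the new configuration experience before v19.0.0, when support for the old configuration will be removed`.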