diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index 0e52c27170bc2..84e13ec12c6bd 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
@@ -1414,7 +1414,7 @@ message ProvisionTokenSpecV2GitHub {
 // StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC
 // endpoints, and allows them to be directly specified. This allows joining
 // from GitHub Actions in GHES instances that are not reachable by the
- // Teleport Auth Server.
+ // Teleport Auth Service.
 string StaticJWKS = 4 [(gogoproto.jsontag) = "static_jwks,omitempty"];
 }
diff --git a/api/types/types.pb.go b/api/types/types.pb.go
index ff84144c87b0e..8584c4bb8431b 100644
--- a/api/types/types.pb.go
+++ b/api/types/types.pb.go
@@ -4559,7 +4559,7 @@ type ProvisionTokenSpecV2GitHub struct {
 // StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC
 // endpoints, and allows them to be directly specified. This allows joining
 // from GitHub Actions in GHES instances that are not reachable by the
- // Teleport Auth Server.
+ // Teleport Auth Service.
 StaticJWKS string `protobuf:"bytes,4,opt,name=StaticJWKS,proto3" json:"static_jwks,omitempty"`
 XXX_NoUnkeyedLiteral struct{} `json:"-"`
 XXX_unrecognized []byte `json:"-"`
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_provisiontokens.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_provisiontokens.mdx
index 72e70231fff96..9f50131d3e622 100644
--- a/docs/pages/reference/operator-resources/resources.teleport.dev_provisiontokens.mdx
+++ b/docs/pages/reference/operator-resources/resources.teleport.dev_provisiontokens.mdx
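Review bot: The StaticJWKS comment in the proto hunk, which is the source of the identical text mirrored in the pb.go, mdx, CRD and terraform hunks below, only says the keys can be specified directly; it does not say what that means operationally or for trust. Since fetching is disabled, the keys are presumably not refreshed either, so a rotation of the GHES signing keys would require updating this field before joins succeed again, and whoever can set this field decides which signing keys are trusted to authenticate joining runners. I would extend the comment with `// Because the keys are no longer fetched they are not refreshed either: when the GHES instance rotates its signing keys this value must be updated. Whoever controls this value controls which keys are trusted for joining, so treat it as security-sensitive configuration.` This is a documentation-only change to the source of the generated text; the other hunks would pick it up on regeneration.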
@@ -100,7 +100,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |allow|[][object](#specgithuballow-items)|Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.|
 |enterprise_server_host|string|EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service.|
 |enterprise_slug|string|EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the `include_enterprise_slug` option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.|
-|static_jwks|string|StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Server.|
+|static_jwks|string|StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service.|
 ### spec.github.allow items
diff --git a/docs/pages/reference/terraform-provider/data-sources/provision_token.mdx b/docs/pages/reference/terraform-provider/data-sources/provision_token.mdx
index 4a66253417c86..1d53357168957 100644
--- a/docs/pages/reference/terraform-provider/data-sources/provision_token.mdx
+++ b/docs/pages/reference/terraform-provider/data-sources/provision_token.mdx
@@ -111,7 +111,7 @@ Optional:
 - `allow` (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specgithuballow))
 - `enterprise_server_host` (String) EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service.
 - `enterprise_slug` (String) EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the `include_enterprise_slug` option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.
-- `static_jwks` (String) StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Server.
+- `static_jwks` (String) StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service.
### Nested Schema for `spec.github.allow`
diff --git a/docs/pages/reference/terraform-provider/resources/provision_token.mdx b/docs/pages/reference/terraform-provider/resources/provision_token.mdx
index 4646674b4cbb1..c5da1147e1036 100644
--- a/docs/pages/reference/terraform-provider/resources/provision_token.mdx
+++ b/docs/pages/reference/terraform-provider/resources/provision_token.mdx
@@ -145,7 +145,7 @@ Optional:
 - `allow` (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specgithuballow))
 - `enterprise_server_host` (String) EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service.
 - `enterprise_slug` (String) EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the `include_enterprise_slug` option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.
-- `static_jwks` (String) StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Server.
+- `static_jwks` (String) StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service.
### Nested Schema for `spec.github.allow`
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml
index 91e5e127fb32c..462856edb980a 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml
@@ -204,6 +204,12 @@ spec:
 if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise
 for more information about customized issuer values.
 type: string
+ static_jwks:
+ description: StaticJWKS disables fetching of the GHES signing
+ keys via the JWKS/OIDC endpoints, and allows them to be directly
+ specified. This allows joining from GitHub Actions in GHES instances
+ that are not reachable by the Teleport Auth Service.
+ type: string
 type: object
 gitlab:
 description: GitLab allows the configuration of options specific to
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml
index 91e5e127fb32c..462856edb980a 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml
@@ -204,6 +204,12 @@ spec:
 if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise
 for more information about customized issuer values.
 type: string
+ static_jwks:
+ description: StaticJWKS disables fetching of the GHES signing
+ keys via the JWKS/OIDC endpoints, and allows them to be directly
+ specified. This allows joining from GitHub Actions in GHES instances
+ that are not reachable by the Teleport Auth Service.
+ type: string
 type: object
 gitlab:
 description: GitLab allows the configuration of options specific to
diff --git a/integrations/terraform/tfschema/token/types_terraform.go b/integrations/terraform/tfschema/token/types_terraform.go
index 6bceb6515909a..576da0f47d911 100644
--- a/integrations/terraform/tfschema/token/types_terraform.go
+++ b/integrations/terraform/tfschema/token/types_terraform.go
@@ -275,7 +275,7 @@ func GenSchemaProvisionTokenV2(ctx context.Context) (github_com_hashicorp_terraf
 Type: github_com_hashicorp_terraform_plugin_framework_types.StringType,
 },
 "static_jwks": {
- Description: "StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Server.",
+ Description: "StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service.",
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.StringType,
 },