operator: support storing SSO connector client secret in a Kubernetes Secret #46699
@@ -29,7 +29,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator. | |||
|api_endpoint_url|string|APIEndpointURL is the URL of the API endpoint of the Github instance this connector is for.| | |||
|client_id|string|ClientID is the Github OAuth app client ID.| | |||
|client_redirect_settings|[object](#specclient_redirect_settings)|ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones.| | |||
|client_secret|string|ClientSecret is the Github OAuth app client secret.| | |||
|client_secret|string|ClientSecret is the Github OAuth app client secret. This field supports secret lookup. See the operator documentation for more details.| |
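Review bot: The new client_secret description on the last line of this hunk says the field "supports secret lookup" but never states what value triggers a lookup, and "See the operator documentation" names no page, so a reader of this table cannot act on it. Consider stating the accepted value form in the description itself, and noting that a literal string is still accepted, since the type column stays "string".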
Nit: I'd add a link to "operator documentation" so users can easily navigate.
This will be an absolute link because it will be displayed in `kubectl explain teleportgithubconnector.spec`.
The doc linter blocks me from putting an absolute link, it wants a relative one. Relative links make no sense in the CRD so I will revert this change and remove the link.
Approved with grammar and style feedback
How does this play with #46041?
Teleport is not aware of the secret:// scheme, the operator replaces the secret:// URI by the secret value. Any other scheme is passed as-is. If you were to set
Great, sounds like we can merge both PRs without any issues then.
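The substitution described in the reply above, as an added sketch that is not the operator's own code: a `secret://` reference is replaced by the stored value, anything else is returned unchanged, and a bad reference is an error rather than a literal passed on as the client secret. The `secret://<name>/<key>` layout, the in-memory `secretStore` and the function name `resolveSecret` are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed URI layout for this sketch: secret://<secret-name>/<key>.
const lookupScheme = "secret://"

// secretStore is a constructed stand-in for Kubernetes Secrets readable by
// the operator: secret name -> key -> value.
type secretStore map[string]map[string]string

// resolveSecret substitutes a secret:// reference with the stored value and
// returns every other input unchanged. Errors never contain secret values.
func resolveSecret(store secretStore, value string) (string, error) {
	if !strings.HasPrefix(value, lookupScheme) {
		return value, nil // literal or other scheme: passed as-is
	}
	name, key, ok := strings.Cut(strings.TrimPrefix(value, lookupScheme), "/")
	if !ok || name == "" || key == "" || strings.Contains(key, "/") {
		return "", fmt.Errorf("malformed reference, want %s<name>/<key>", lookupScheme)
	}
	data, found := store[name]
	if !found {
		return "", fmt.Errorf("secret %q not found", name)
	}
	v, found := data[key]
	if !found {
		return "", fmt.Errorf("key %q not found in secret %q", key, name)
	}
	return v, nil
}

func main() {
	// Constructed sample data, not real credentials.
	store := secretStore{"github-sso": {"client-secret": "constructed-value"}}
	for _, in := range []string{
		"secret://github-sso/client-secret", // resolved
		"literal-client-secret",             // passed through
		"secret://github-sso/typo",          // fails closed
	} {
		out, err := resolveSecret(store, in)
		fmt.Printf("%-36s -> %q err=%v\n", in, out, err)
	}
}
```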
Co-authored-by: Paul Gottschling <[email protected]> Co-authored-by: Roman Tkachenko <[email protected]>
This reverts commit cd812eb.
… Secret (#46699)

* Allow operator secret lookup
* Document which fields can lookup secrets
* operator: support secret lookup
* fixup! operator: support secret lookup
* Apply suggestions from code review

Co-authored-by: Paul Gottschling <[email protected]>
Co-authored-by: Roman Tkachenko <[email protected]>

* lint
* add link to operator docs
* address feedback
* Revert "add link to operator docs"

This reverts commit cd812eb.

---------

Co-authored-by: Paul Gottschling <[email protected]>
Co-authored-by: Roman Tkachenko <[email protected]>
@hugoShaka See the table below for backport results.
Fixes: #6815
Changelog: The Teleport Kubernetes Operator is now able to lookup the GitHub and OIDC connector `client_secret` value from a Kubernetes Secret.