diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go index 250a07506727e..25f442a7fb8c6 100644 --- a/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go +++ b/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go @@ -274,6 +274,56 @@ func (x *WorkloadIdentityRules) GetAllow() []*WorkloadIdentityRule { return nil } +// Configuration specific to the issuance of X509-SVIDs. +type WorkloadIdentitySPIFFEX509 struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The DNS Subject Alternative Names (SANs) that should be included in an + // X509-SVID issued using this WorkloadIdentity. + // + // Each entry in this list supports templating using attributes. + DnsSans []string `protobuf:"bytes,1,rep,name=dns_sans,json=dnsSans,proto3" json:"dns_sans,omitempty"` +} + +func (x *WorkloadIdentitySPIFFEX509) Reset() { + *x = WorkloadIdentitySPIFFEX509{} + mi := &file_teleport_workloadidentity_v1_resource_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *WorkloadIdentitySPIFFEX509) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WorkloadIdentitySPIFFEX509) ProtoMessage() {} + +func (x *WorkloadIdentitySPIFFEX509) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_resource_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WorkloadIdentitySPIFFEX509.ProtoReflect.Descriptor instead. +func (*WorkloadIdentitySPIFFEX509) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_resource_proto_rawDescGZIP(), []int{4} +} + +func (x *WorkloadIdentitySPIFFEX509) GetDnsSans() []string { + if x != nil { + return x.DnsSans + } + return nil +} + // Configuration pertaining to the issuance of SPIFFE-compatible workload // identity credentials. type WorkloadIdentitySPIFFE struct { @@ -291,11 +341,13 @@ type WorkloadIdentitySPIFFE struct { // credential produced by this WorkloadIdentity. This can be used to provide // additional context that can be used to select between multiple credentials. Hint string `protobuf:"bytes,2,opt,name=hint,proto3" json:"hint,omitempty"` + // Configuration specific to X509-SVIDs. + X509 *WorkloadIdentitySPIFFEX509 `protobuf:"bytes,3,opt,name=x509,proto3" json:"x509,omitempty"` } func (x *WorkloadIdentitySPIFFE) Reset() { *x = WorkloadIdentitySPIFFE{} - mi := &file_teleport_workloadidentity_v1_resource_proto_msgTypes[4] + mi := &file_teleport_workloadidentity_v1_resource_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -307,7 +359,7 @@ func (x *WorkloadIdentitySPIFFE) String() string { func (*WorkloadIdentitySPIFFE) ProtoMessage() {} func (x *WorkloadIdentitySPIFFE) ProtoReflect() protoreflect.Message { - mi := &file_teleport_workloadidentity_v1_resource_proto_msgTypes[4] + mi := &file_teleport_workloadidentity_v1_resource_proto_msgTypes[5] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -320,7 +372,7 @@ func (x *WorkloadIdentitySPIFFE) ProtoReflect() protoreflect.Message { // Deprecated: Use WorkloadIdentitySPIFFE.ProtoReflect.Descriptor instead. func (*WorkloadIdentitySPIFFE) Descriptor() ([]byte, []int) { - return file_teleport_workloadidentity_v1_resource_proto_rawDescGZIP(), []int{4} + return file_teleport_workloadidentity_v1_resource_proto_rawDescGZIP(), []int{5} } func (x *WorkloadIdentitySPIFFE) GetId() string { @@ -337,6 +389,13 @@ func (x *WorkloadIdentitySPIFFE) GetHint() string { return "" } +func (x *WorkloadIdentitySPIFFE) GetX509() *WorkloadIdentitySPIFFEX509 { + if x != nil { + return x.X509 + } + return nil +} + // The spec for the WorkloadIdentity resource. type WorkloadIdentitySpec struct { state protoimpl.MessageState @@ -352,7 +411,7 @@ type WorkloadIdentitySpec struct { func (x *WorkloadIdentitySpec) Reset() { *x = WorkloadIdentitySpec{} - mi := &file_teleport_workloadidentity_v1_resource_proto_msgTypes[5] + mi := &file_teleport_workloadidentity_v1_resource_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -364,7 +423,7 @@ func (x *WorkloadIdentitySpec) String() string { func (*WorkloadIdentitySpec) ProtoMessage() {} func (x *WorkloadIdentitySpec) ProtoReflect() protoreflect.Message { - mi := &file_teleport_workloadidentity_v1_resource_proto_msgTypes[5] + mi := &file_teleport_workloadidentity_v1_resource_proto_msgTypes[6] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -377,7 +436,7 @@ func (x *WorkloadIdentitySpec) ProtoReflect() protoreflect.Message { // Deprecated: Use WorkloadIdentitySpec.ProtoReflect.Descriptor instead. func (*WorkloadIdentitySpec) Descriptor() ([]byte, []int) { - return file_teleport_workloadidentity_v1_resource_proto_rawDescGZIP(), []int{5} + return file_teleport_workloadidentity_v1_resource_proto_rawDescGZIP(), []int{6} } func (x *WorkloadIdentitySpec) GetRules() *WorkloadIdentityRules { @@ -436,29 +495,37 @@ var file_teleport_workloadidentity_v1_resource_proto_rawDesc = []byte{ 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x05, - 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x22, 0x3c, 0x0a, 0x16, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, - 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x12, - 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, - 0x12, 0x0a, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, - 0x69, 0x6e, 0x74, 0x22, 0xaf, 0x01, 0x0a, 0x14, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, - 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x49, 0x0a, 0x05, - 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x74, 0x65, + 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x22, 0x37, 0x0a, 0x1a, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, + 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x58, + 0x35, 0x30, 0x39, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x6e, 0x73, 0x5f, 0x73, 0x61, 0x6e, 0x73, 0x18, + 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x64, 0x6e, 0x73, 0x53, 0x61, 0x6e, 0x73, 0x22, 0x8a, + 0x01, 0x0a, 0x16, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x69, 0x6e, + 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x12, 0x4c, 0x0a, + 0x04, 0x78, 0x35, 0x30, 0x39, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x38, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, - 0x6f, 0x61, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, - 0x52, 0x05, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x4c, 0x0a, 0x06, 0x73, 0x70, 0x69, 0x66, 0x66, - 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, - 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, - 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x49, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x52, 0x06, 0x73, - 0x70, 0x69, 0x66, 0x66, 0x65, 0x42, 0x64, 0x5a, 0x62, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, - 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, - 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, - 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, - 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, - 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x33, + 0x6f, 0x61, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x50, 0x49, 0x46, 0x46, + 0x45, 0x58, 0x35, 0x30, 0x39, 0x52, 0x04, 0x78, 0x35, 0x30, 0x39, 0x22, 0xaf, 0x01, 0x0a, 0x14, + 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, + 0x53, 0x70, 0x65, 0x63, 0x12, 0x49, 0x0a, 0x05, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, + 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, + 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x52, 0x05, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x12, + 0x4c, 0x0a, 0x06, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x34, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, + 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, + 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, + 0x50, 0x49, 0x46, 0x46, 0x45, 0x52, 0x06, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x42, 0x64, 0x5a, + 0x62, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, + 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, + 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, + 0x3b, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x79, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -473,28 +540,30 @@ func file_teleport_workloadidentity_v1_resource_proto_rawDescGZIP() []byte { return file_teleport_workloadidentity_v1_resource_proto_rawDescData } -var file_teleport_workloadidentity_v1_resource_proto_msgTypes = make([]protoimpl.MessageInfo, 6) +var file_teleport_workloadidentity_v1_resource_proto_msgTypes = make([]protoimpl.MessageInfo, 7) var file_teleport_workloadidentity_v1_resource_proto_goTypes = []any{ - (*WorkloadIdentity)(nil), // 0: teleport.workloadidentity.v1.WorkloadIdentity - (*WorkloadIdentityCondition)(nil), // 1: teleport.workloadidentity.v1.WorkloadIdentityCondition - (*WorkloadIdentityRule)(nil), // 2: teleport.workloadidentity.v1.WorkloadIdentityRule - (*WorkloadIdentityRules)(nil), // 3: teleport.workloadidentity.v1.WorkloadIdentityRules - (*WorkloadIdentitySPIFFE)(nil), // 4: teleport.workloadidentity.v1.WorkloadIdentitySPIFFE - (*WorkloadIdentitySpec)(nil), // 5: teleport.workloadidentity.v1.WorkloadIdentitySpec - (*v1.Metadata)(nil), // 6: teleport.header.v1.Metadata + (*WorkloadIdentity)(nil), // 0: teleport.workloadidentity.v1.WorkloadIdentity + (*WorkloadIdentityCondition)(nil), // 1: teleport.workloadidentity.v1.WorkloadIdentityCondition + (*WorkloadIdentityRule)(nil), // 2: teleport.workloadidentity.v1.WorkloadIdentityRule + (*WorkloadIdentityRules)(nil), // 3: teleport.workloadidentity.v1.WorkloadIdentityRules + (*WorkloadIdentitySPIFFEX509)(nil), // 4: teleport.workloadidentity.v1.WorkloadIdentitySPIFFEX509 + (*WorkloadIdentitySPIFFE)(nil), // 5: teleport.workloadidentity.v1.WorkloadIdentitySPIFFE + (*WorkloadIdentitySpec)(nil), // 6: teleport.workloadidentity.v1.WorkloadIdentitySpec + (*v1.Metadata)(nil), // 7: teleport.header.v1.Metadata } var file_teleport_workloadidentity_v1_resource_proto_depIdxs = []int32{ - 6, // 0: teleport.workloadidentity.v1.WorkloadIdentity.metadata:type_name -> teleport.header.v1.Metadata - 5, // 1: teleport.workloadidentity.v1.WorkloadIdentity.spec:type_name -> teleport.workloadidentity.v1.WorkloadIdentitySpec + 7, // 0: teleport.workloadidentity.v1.WorkloadIdentity.metadata:type_name -> teleport.header.v1.Metadata + 6, // 1: teleport.workloadidentity.v1.WorkloadIdentity.spec:type_name -> teleport.workloadidentity.v1.WorkloadIdentitySpec 1, // 2: teleport.workloadidentity.v1.WorkloadIdentityRule.conditions:type_name -> teleport.workloadidentity.v1.WorkloadIdentityCondition 2, // 3: teleport.workloadidentity.v1.WorkloadIdentityRules.allow:type_name -> teleport.workloadidentity.v1.WorkloadIdentityRule - 3, // 4: teleport.workloadidentity.v1.WorkloadIdentitySpec.rules:type_name -> teleport.workloadidentity.v1.WorkloadIdentityRules - 4, // 5: teleport.workloadidentity.v1.WorkloadIdentitySpec.spiffe:type_name -> teleport.workloadidentity.v1.WorkloadIdentitySPIFFE - 6, // [6:6] is the sub-list for method output_type - 6, // [6:6] is the sub-list for method input_type - 6, // [6:6] is the sub-list for extension type_name - 6, // [6:6] is the sub-list for extension extendee - 0, // [0:6] is the sub-list for field type_name + 4, // 4: teleport.workloadidentity.v1.WorkloadIdentitySPIFFE.x509:type_name -> teleport.workloadidentity.v1.WorkloadIdentitySPIFFEX509 + 3, // 5: teleport.workloadidentity.v1.WorkloadIdentitySpec.rules:type_name -> teleport.workloadidentity.v1.WorkloadIdentityRules + 5, // 6: teleport.workloadidentity.v1.WorkloadIdentitySpec.spiffe:type_name -> teleport.workloadidentity.v1.WorkloadIdentitySPIFFE + 7, // [7:7] is the sub-list for method output_type + 7, // [7:7] is the sub-list for method input_type + 7, // [7:7] is the sub-list for extension type_name + 7, // [7:7] is the sub-list for extension extendee + 0, // [0:7] is the sub-list for field type_name } func init() { file_teleport_workloadidentity_v1_resource_proto_init() } @@ -508,7 +577,7 @@ func file_teleport_workloadidentity_v1_resource_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_teleport_workloadidentity_v1_resource_proto_rawDesc, NumEnums: 0, - NumMessages: 6, + NumMessages: 7, NumExtensions: 0, NumServices: 0, }, diff --git a/api/proto/teleport/workloadidentity/v1/resource.proto b/api/proto/teleport/workloadidentity/v1/resource.proto index 69c7467417cb4..b0faf7f94b99e 100644 --- a/api/proto/teleport/workloadidentity/v1/resource.proto +++ b/api/proto/teleport/workloadidentity/v1/resource.proto @@ -60,6 +60,15 @@ message WorkloadIdentityRules { repeated WorkloadIdentityRule allow = 1; } +// Configuration specific to the issuance of X509-SVIDs. +message WorkloadIdentitySPIFFEX509 { + // The DNS Subject Alternative Names (SANs) that should be included in an + // X509-SVID issued using this WorkloadIdentity. + // + // Each entry in this list supports templating using attributes. + repeated string dns_sans = 1; +} + // Configuration pertaining to the issuance of SPIFFE-compatible workload // identity credentials. message WorkloadIdentitySPIFFE { @@ -73,6 +82,8 @@ message WorkloadIdentitySPIFFE { // credential produced by this WorkloadIdentity. This can be used to provide // additional context that can be used to select between multiple credentials. string hint = 2; + // Configuration specific to X509-SVIDs. + WorkloadIdentitySPIFFEX509 x509 = 3; } // The spec for the WorkloadIdentity resource. diff --git a/docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx b/docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx index 2298d5363d77c..7c7e1a05a5af0 100644 --- a/docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx +++ b/docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx @@ -66,4 +66,11 @@ Optional: - `hint` (String) A freeform text field which is provided to workloads along with a credential produced by this WorkloadIdentity. This can be used to provide additional context that can be used to select between multiple credentials. - `id` (String) The path of the SPIFFE ID that will be issued to the workload. This should be prefixed with a forward-slash ("/"). This field supports templating using attributes. +- `x509` (Attributes) Configuration specific to X509-SVIDs. (see [below for nested schema](#nested-schema-for-specspiffex509)) + +### Nested Schema for `spec.spiffe.x509` + +Optional: + +- `dns_sans` (List of String) The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity. Each entry in this list supports templating using attributes. diff --git a/docs/pages/reference/terraform-provider/resources/workload_identity.mdx b/docs/pages/reference/terraform-provider/resources/workload_identity.mdx index a9d3da4bc7a73..fbbeb1306abd8 100644 --- a/docs/pages/reference/terraform-provider/resources/workload_identity.mdx +++ b/docs/pages/reference/terraform-provider/resources/workload_identity.mdx @@ -91,4 +91,11 @@ Optional: - `hint` (String) A freeform text field which is provided to workloads along with a credential produced by this WorkloadIdentity. This can be used to provide additional context that can be used to select between multiple credentials. - `id` (String) The path of the SPIFFE ID that will be issued to the workload. This should be prefixed with a forward-slash ("/"). This field supports templating using attributes. +- `x509` (Attributes) Configuration specific to X509-SVIDs. (see [below for nested schema](#nested-schema-for-specspiffex509)) + +### Nested Schema for `spec.spiffe.x509` + +Optional: + +- `dns_sans` (List of String) The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity. Each entry in this list supports templating using attributes. diff --git a/integrations/terraform/tfschema/workloadidentity/v1/resource_terraform.go b/integrations/terraform/tfschema/workloadidentity/v1/resource_terraform.go index f6510d28f7294..5a76525cde345 100644 --- a/integrations/terraform/tfschema/workloadidentity/v1/resource_terraform.go +++ b/integrations/terraform/tfschema/workloadidentity/v1/resource_terraform.go @@ -134,6 +134,15 @@ func GenSchemaWorkloadIdentity(ctx context.Context) (github_com_hashicorp_terraf Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, + "x509": { + Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"dns_sans": { + Description: "The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity. Each entry in this list supports templating using attributes.", + Optional: true, + Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, + }}), + Description: "Configuration specific to X509-SVIDs.", + Optional: true, + }, }), Description: "Configuration pertaining to the issuance of SPIFFE-compatible workload identity credentials.", Optional: true, @@ -501,6 +510,51 @@ func CopyWorkloadIdentityFromTerraform(_ context.Context, tf github_com_hashicor } } } + { + a, ok := tf.Attrs["x509"] + if !ok { + diags.Append(attrReadMissingDiag{"WorkloadIdentity.spec.spiffe.x509"}) + } else { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.Object) + if !ok { + diags.Append(attrReadConversionFailureDiag{"WorkloadIdentity.spec.spiffe.x509", "github.com/hashicorp/terraform-plugin-framework/types.Object"}) + } else { + obj.X509 = nil + if !v.Null && !v.Unknown { + tf := v + obj.X509 = &github_com_gravitational_teleport_api_gen_proto_go_teleport_workloadidentity_v1.WorkloadIdentitySPIFFEX509{} + obj := obj.X509 + { + a, ok := tf.Attrs["dns_sans"] + if !ok { + diags.Append(attrReadMissingDiag{"WorkloadIdentity.spec.spiffe.x509.dns_sans"}) + } else { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.List) + if !ok { + diags.Append(attrReadConversionFailureDiag{"WorkloadIdentity.spec.spiffe.x509.dns_sans", "github.com/hashicorp/terraform-plugin-framework/types.List"}) + } else { + obj.DnsSans = make([]string, len(v.Elems)) + if !v.Null && !v.Unknown { + for k, a := range v.Elems { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrReadConversionFailureDiag{"WorkloadIdentity.spec.spiffe.x509.dns_sans", "github_com_hashicorp_terraform_plugin_framework_types.String"}) + } else { + var t string + if !v.Null && !v.Unknown { + t = string(v.Value) + } + obj.DnsSans[k] = t + } + } + } + } + } + } + } + } + } + } } } } @@ -1053,6 +1107,91 @@ func CopyWorkloadIdentityToTerraform(ctx context.Context, obj *github_com_gravit tf.Attrs["hint"] = v } } + { + a, ok := tf.AttrTypes["x509"] + if !ok { + diags.Append(attrWriteMissingDiag{"WorkloadIdentity.spec.spiffe.x509"}) + } else { + o, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.ObjectType) + if !ok { + diags.Append(attrWriteConversionFailureDiag{"WorkloadIdentity.spec.spiffe.x509", "github.com/hashicorp/terraform-plugin-framework/types.ObjectType"}) + } else { + v, ok := tf.Attrs["x509"].(github_com_hashicorp_terraform_plugin_framework_types.Object) + if !ok { + v = github_com_hashicorp_terraform_plugin_framework_types.Object{ + + AttrTypes: o.AttrTypes, + Attrs: make(map[string]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(o.AttrTypes)), + } + } else { + if v.Attrs == nil { + v.Attrs = make(map[string]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(tf.AttrTypes)) + } + } + if obj.X509 == nil { + v.Null = true + } else { + obj := obj.X509 + tf := &v + { + a, ok := tf.AttrTypes["dns_sans"] + if !ok { + diags.Append(attrWriteMissingDiag{"WorkloadIdentity.spec.spiffe.x509.dns_sans"}) + } else { + o, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.ListType) + if !ok { + diags.Append(attrWriteConversionFailureDiag{"WorkloadIdentity.spec.spiffe.x509.dns_sans", "github.com/hashicorp/terraform-plugin-framework/types.ListType"}) + } else { + c, ok := tf.Attrs["dns_sans"].(github_com_hashicorp_terraform_plugin_framework_types.List) + if !ok { + c = github_com_hashicorp_terraform_plugin_framework_types.List{ + + ElemType: o.ElemType, + Elems: make([]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(obj.DnsSans)), + Null: true, + } + } else { + if c.Elems == nil { + c.Elems = make([]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(obj.DnsSans)) + } + } + if obj.DnsSans != nil { + t := o.ElemType + if len(obj.DnsSans) != len(c.Elems) { + c.Elems = make([]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(obj.DnsSans)) + } + for k, a := range obj.DnsSans { + v, ok := tf.Attrs["dns_sans"].(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + i, err := t.ValueFromTerraform(ctx, github_com_hashicorp_terraform_plugin_go_tftypes.NewValue(t.TerraformType(ctx), nil)) + if err != nil { + diags.Append(attrWriteGeneralError{"WorkloadIdentity.spec.spiffe.x509.dns_sans", err}) + } + v, ok = i.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrWriteConversionFailureDiag{"WorkloadIdentity.spec.spiffe.x509.dns_sans", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } + v.Null = string(a) == "" + } + v.Value = string(a) + v.Unknown = false + c.Elems[k] = v + } + if len(obj.DnsSans) > 0 { + c.Null = false + } + } + c.Unknown = false + tf.Attrs["dns_sans"] = c + } + } + } + } + v.Unknown = false + tf.Attrs["x509"] = v + } + } + } } v.Unknown = false tf.Attrs["spiffe"] = v diff --git a/lib/auth/machineid/workloadidentityv1/decision.go b/lib/auth/machineid/workloadidentityv1/decision.go index 53a1a9c1bc5f6..4e959efe6ee12 100644 --- a/lib/auth/machineid/workloadidentityv1/decision.go +++ b/lib/auth/machineid/workloadidentityv1/decision.go @@ -27,6 +27,7 @@ import ( "google.golang.org/protobuf/reflect/protoreflect" workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" + "github.com/gravitational/teleport/lib/utils" ) type decision struct { @@ -65,6 +66,23 @@ func decide( } d.templatedWorkloadIdentity.Spec.Spiffe.Hint = templated + for i, san := range wi.GetSpec().GetSpiffe().GetX509().GetDnsSans() { + templated, err = templateString(san, attrs) + if err != nil { + d.reason = trace.Wrap(err, "templating spec.spiffe.x509.dns_sans[%d]", i) + return d + } + if !utils.IsValidHostname(templated) { + d.reason = trace.BadParameter( + "templating spec.spiffe.x509.dns_sans[%d] resulted in an invalid DNS name %q", + i, + templated, + ) + return d + } + d.templatedWorkloadIdentity.Spec.Spiffe.X509.DnsSans[i] = templated + } + // Yay - made it to the end! d.shouldIssue = true return d diff --git a/lib/auth/machineid/workloadidentityv1/decision_test.go b/lib/auth/machineid/workloadidentityv1/decision_test.go index bf18594416609..e8cb267bb0879 100644 --- a/lib/auth/machineid/workloadidentityv1/decision_test.go +++ b/lib/auth/machineid/workloadidentityv1/decision_test.go @@ -17,6 +17,7 @@ package workloadidentityv1 import ( + "context" "testing" "github.com/stretchr/testify/require" @@ -26,6 +27,55 @@ import ( "github.com/gravitational/teleport/api/types" ) +func Test_decide(t *testing.T) { + standardAttrs := &workloadidentityv1pb.Attrs{ + User: &workloadidentityv1pb.UserAttrs{ + Name: "jeff", + }, + Workload: &workloadidentityv1pb.WorkloadAttrs{ + Kubernetes: &workloadidentityv1pb.WorkloadAttrsKubernetes{ + PodName: "pod1", + Namespace: "default", + }, + }, + } + tests := []struct { + name string + wid *workloadidentityv1pb.WorkloadIdentity + attrs *workloadidentityv1pb.Attrs + wantIssue bool + assertReason require.ErrorAssertionFunc + }{ + { + name: "invalid dns name", + wid: &workloadidentityv1pb.WorkloadIdentity{ + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/valid", + X509: &workloadidentityv1pb.WorkloadIdentitySPIFFEX509{ + DnsSans: []string{ + "//imvalid;;", + }, + }, + }, + }, + }, + attrs: standardAttrs, + wantIssue: false, + assertReason: func(t require.TestingT, err error, i ...interface{}) { + require.ErrorContains(t, err, "templating spec.spiffe.x509.dns_sans[0] resulted in an invalid DNS name") + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + d := decide(context.Background(), tt.wid, tt.attrs) + require.Equal(t, tt.wantIssue, d.shouldIssue) + tt.assertReason(t, d.reason) + }) + } +} + func Test_getFieldStringValue(t *testing.T) { tests := []struct { name string diff --git a/lib/auth/machineid/workloadidentityv1/issuer_service.go b/lib/auth/machineid/workloadidentityv1/issuer_service.go index 7b498f7f16d9a..eb75befe32b0b 100644 --- a/lib/auth/machineid/workloadidentityv1/issuer_service.go +++ b/lib/auth/machineid/workloadidentityv1/issuer_service.go @@ -356,6 +356,7 @@ func x509Template( notBefore time.Time, notAfter time.Time, spiffeID spiffeid.ID, + dnsSANs []string, ) *x509.Certificate { return &x509.Certificate{ SerialNumber: serialNumber, @@ -383,7 +384,8 @@ func x509Template( // - The corresponding SPIFFE ID is set as a URI type in the Subject Alternative Name extension // - An X.509 SVID MUST contain exactly one URI SAN, and by extension, exactly one SPIFFE ID. // - An X.509 SVID MAY contain any number of other SAN field types, including DNS SANs. - URIs: []*url.URL{spiffeID.URL()}, + URIs: []*url.URL{spiffeID.URL()}, + DNSNames: dnsSANs, } } @@ -484,7 +486,13 @@ func (s *IssuanceService) issueX509SVID( certBytes, err := x509.CreateCertificate( rand.Reader, - x509Template(certSerial, notBefore, notAfter, spiffeID), + x509Template( + certSerial, + notBefore, + notAfter, + spiffeID, + wid.GetSpec().GetSpiffe().GetX509().GetDnsSans(), + ), ca.Cert, pubKey, ca.Signer, @@ -496,6 +504,7 @@ func (s *IssuanceService) issueX509SVID( evt := baseEvent(ctx, wid, spiffeID) evt.SVIDType = "x509" evt.SerialNumber = serialString + evt.DNSSANs = wid.GetSpec().GetSpiffe().GetX509().GetDnsSans() if err := s.emitter.EmitAuditEvent(ctx, evt); err != nil { s.logger.WarnContext( ctx, diff --git a/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go b/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go index 617d382bf47f3..3f615c2749c89 100644 --- a/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go +++ b/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go @@ -218,6 +218,12 @@ func TestIssueWorkloadIdentity(t *testing.T) { Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ Id: "/example/{{user.name}}/{{ workload.kubernetes.namespace }}/{{ workload.kubernetes.service_account }}", Hint: "Wow - what a lovely hint, {{user.name}}!", + X509: &workloadidentityv1pb.WorkloadIdentitySPIFFEX509{ + DnsSans: []string{ + "example.com", + "{{user.name}}.example.com", + }, + }, }, }, }) @@ -386,6 +392,7 @@ func TestIssueWorkloadIdentity(t *testing.T) { require.WithinDuration(t, tp.clock.Now().Add(-1*time.Minute), cert.NotBefore, time.Second) // Check cert TTL require.Equal(t, cert.NotAfter.Sub(cert.NotBefore), wantTTL+time.Minute) + require.Equal(t, []string{"example.com", "dog.example.com"}, cert.DNSNames) // Check against SPIFFE SPEC // References are to https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md @@ -433,6 +440,10 @@ func TestIssueWorkloadIdentity(t *testing.T) { Hint: "Wow - what a lovely hint, dog!", WorkloadIdentity: full.GetMetadata().GetName(), WorkloadIdentityRevision: full.GetMetadata().GetRevision(), + DNSSANs: []string{ + "example.com", + "dog.example.com", + }, }, cmpopts.IgnoreFields( events.SPIFFESVIDIssued{},