// Copyright 2021 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package types;
import "gogoproto/gogo.proto";
import "google/protobuf/timestamp.proto";
import "teleport/attestation/v1/attestation.proto";
import "teleport/legacy/types/wrappers/wrappers.proto";
option go_package = "github.com/gravitational/teleport/api/types";
option (gogoproto.goproto_getters_all) = false;
option (gogoproto.marshaler_all) = true;
option (gogoproto.unmarshaler_all) = true;
// KeepAlive is a heartbeat for a resource (node, app server, database server,
// etc.). Its Expires value is used to push the resource's expiry forward so
// the resource is not pruned while the sender is still alive.
message KeepAlive {
// Name of the resource to keep alive. Note that the JSON key is
// "server_name", not "name".
string Name = 1 [(gogoproto.jsontag) = "server_name"];
// Namespace is the namespace of the resource.
string Namespace = 2 [(gogoproto.jsontag) = "namespace"];
// LeaseID is ID of the lease.
int64 LeaseID = 3 [(gogoproto.jsontag) = "lease_id"];
// Expires is set to update expiry time of the resource.
google.protobuf.Timestamp Expires = 4 [
(gogoproto.stdtime) = true,
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "expires"
];
// The type of a KeepAlive. When adding a new type, please double-check
// lib/usagereporter/teleport to see if we need any change in the resource
// heartbeat event.
//
// The values are deliberately unprefixed because the enum is nested in
// KeepAlive and is scoped by it. UNKNOWN is the proto3 zero value, so an
// unset Type never reads as a real resource kind; keep it that way.
enum KeepAliveType {
UNKNOWN = 0;
// "node", KindNode. For the sake of correct usage reporting, it shouldn't
// be used for OpenSSH nodes.
NODE = 1;
// "app_server", KindAppServer
APP = 2;
// "db_server", KindDatabaseServer
DATABASE = 3;
// "windows_desktop_service", KindWindowsDesktopService
WINDOWS_DESKTOP = 4;
// "kube_server", KindKubeServer
KUBERNETES = 5;
// "db_service", KindDatabaseService
DATABASE_SERVICE = 6;
}
// Type is the type (or kind) of the resource that's being kept alive.
// NOTE(review): field numbers 5-8 are unused but not listed as reserved;
// if they were ever assigned in the past they should be reserved so they
// cannot be reused with a different meaning - TODO confirm history.
KeepAliveType Type = 9 [(gogoproto.jsontag) = "type"];
// HostID is an optional UUID of the host the resource belongs to.
string HostID = 10 [(gogoproto.jsontag) = "host_id,omitempty"];
}
// Metadata is the common resource metadata embedded (by value) in every
// versioned resource in this file: identity, labels and expiry.
message Metadata {
// Name is an object name
string Name = 1 [(gogoproto.jsontag) = "name"];
// Namespace is object namespace. The field should be called "namespace"
// when it returns in Teleport 2.4.
// The "-" JSON tag excludes this field from JSON encoding entirely; it is
// still carried on the protobuf wire.
string Namespace = 2 [(gogoproto.jsontag) = "-"];
// Description is object description
string Description = 3 [(gogoproto.jsontag) = "description,omitempty"];
// Labels is a set of labels
// NOTE(review): field number 4 is skipped but not reserved - TODO confirm
// whether it was ever used.
map<string, string> Labels = 5 [(gogoproto.jsontag) = "labels,omitempty"];
// Expires is a global expiry time header can be set on any resource in the
// system. Nullable: a nil value means the resource does not expire.
google.protobuf.Timestamp Expires = 6 [
(gogoproto.stdtime) = true,
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "expires,omitempty"
];
// ID is a record ID
int64 ID = 7 [(gogoproto.jsontag) = "id,omitempty"];
}
// Rotation is a status of the rotation of the certificate authority.
// It is embedded by value in server specs (see ServerSpecV2.Rotation and
// DatabaseServerSpecV3.Rotation) so each server can report which rotation
// phase it has reached.
message Rotation {
// Generated String() methods are disabled; presumably a hand-written one
// lives alongside the generated code.
option (gogoproto.goproto_stringer) = false;
option (gogoproto.stringer) = false;
// State could be one of "init" or "in_progress".
// This is a free-form string, so the allowed values are not enforced by
// the schema; presumably they are validated by the consuming code.
string State = 1 [(gogoproto.jsontag) = "state,omitempty"];
// Phase is the current rotation phase.
string Phase = 2 [(gogoproto.jsontag) = "phase,omitempty"];
// Mode sets manual or automatic rotation mode.
string Mode = 3 [(gogoproto.jsontag) = "mode,omitempty"];
// CurrentID is the ID of the rotation operation
// to differentiate between rotation attempts.
string CurrentID = 4 [(gogoproto.jsontag) = "current_id"];
// Started is set to the time when rotation has been started
// in case if the state of the rotation is "in_progress".
google.protobuf.Timestamp Started = 5 [
(gogoproto.nullable) = false,
(gogoproto.stdtime) = true,
(gogoproto.jsontag) = "started,omitempty"
];
// GracePeriod is a period during which old and new CA
// are valid for checking purposes, but only new CA is issuing certificates.
// Carried as int64 on the wire and cast to the package's Duration type in
// the generated Go code.
int64 GracePeriod = 6 [
(gogoproto.jsontag) = "grace_period,omitempty",
(gogoproto.casttype) = "Duration"
];
// LastRotated specifies the last time of the completed rotation.
google.protobuf.Timestamp LastRotated = 7 [
(gogoproto.nullable) = false,
(gogoproto.stdtime) = true,
(gogoproto.jsontag) = "last_rotated,omitempty"
];
// Schedule is a rotation schedule - used in
// automatic mode to switch between phases.
RotationSchedule Schedule = 8 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "schedule,omitempty"
];
}
// RotationSchedule is a rotation schedule setting time switches
// for different phases. Only consulted when Rotation.Mode is automatic.
// All three timestamps are non-nullable, so an unscheduled phase is
// represented by the zero time rather than by absence.
message RotationSchedule {
// UpdateClients specifies time to switch to the "Update clients" phase
google.protobuf.Timestamp UpdateClients = 1 [
(gogoproto.nullable) = false,
(gogoproto.stdtime) = true,
(gogoproto.jsontag) = "update_clients,omitempty"
];
// UpdateServers specifies time to switch to the "Update servers" phase.
google.protobuf.Timestamp UpdateServers = 2 [
(gogoproto.nullable) = false,
(gogoproto.stdtime) = true,
(gogoproto.jsontag) = "update_servers,omitempty"
];
// Standby specifies time to switch to the "Standby" phase.
google.protobuf.Timestamp Standby = 3 [
(gogoproto.nullable) = false,
(gogoproto.stdtime) = true,
(gogoproto.jsontag) = "standby,omitempty"
];
}
// ResourceHeader is a shared resource header
// used in cases when only type and name is known.
// It mirrors the first four fields (Kind, SubKind, Version, Metadata) of
// the full resource messages below, so it can be embedded in them
// (see InstanceV1) without changing their wire layout.
message ResourceHeader {
// Kind is a resource kind
string Kind = 1 [(gogoproto.jsontag) = "kind,omitempty"];
// SubKind is an optional resource sub kind, used in some resources
string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
// Version is the resource schema version (e.g. "v3"), not a software version.
string Version = 3 [(gogoproto.jsontag) = "version,omitempty"];
// Metadata is resource metadata
Metadata Metadata = 4 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "metadata,omitempty"
];
}
// DatabaseServerV3 represents a database access server: the agent that
// proxies connections to one database (see DatabaseServerSpecV3.Database).
message DatabaseServerV3 {
option (gogoproto.goproto_stringer) = false;
option (gogoproto.stringer) = false;
// Kind is the database server resource kind.
string Kind = 1 [(gogoproto.jsontag) = "kind"];
// SubKind is an optional resource subkind.
string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
// Version is the resource version.
string Version = 3 [(gogoproto.jsontag) = "version"];
// Metadata is the database server metadata.
Metadata Metadata = 4 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "metadata"
];
// Spec is the database server spec.
DatabaseServerSpecV3 Spec = 5 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "spec"
];
}
// DatabaseServerSpecV3 is the database server spec.
//
// Several fields below are deprecated in favor of DatabaseSpecV3 (reached
// through the Database field). When they are finally deleted, their field
// numbers and names must be listed in a `reserved` statement so the
// numbers cannot be reused with a different meaning by a later writer.
message DatabaseServerSpecV3 {
// Description is a free-form text describing this database server.
//
// DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
string Description = 1 [
(gogoproto.jsontag) = "description,omitempty",
deprecated = true
];
// Protocol is the database type e.g. postgres, mysql, etc.
//
// DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
string Protocol = 2 [
(gogoproto.jsontag) = "protocol",
deprecated = true
];
// URI is the database connection address.
//
// DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
string URI = 3 [
(gogoproto.jsontag) = "uri",
deprecated = true
];
// CACert is an optional base64-encoded database CA certificate.
// Note this is `bytes`, whereas the replacement DatabaseSpecV3.CACert and
// DatabaseTLS.CACert are `string` (PEM).
//
// DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
bytes CACert = 4 [
(gogoproto.jsontag) = "ca_cert,omitempty",
deprecated = true
];
// AWS contains AWS specific settings for RDS/Aurora databases.
//
// DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
AWS AWS = 5 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "aws",
deprecated = true
];
// Version is the Teleport version that the server is running.
string Version = 6 [(gogoproto.jsontag) = "version"];
// Hostname is the database server hostname.
string Hostname = 7 [(gogoproto.jsontag) = "hostname"];
// HostID is the ID of the host the database server is running on.
string HostID = 8 [(gogoproto.jsontag) = "host_id"];
// DynamicLabels is the database server dynamic labels.
//
// DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
map<string, CommandLabelV2> DynamicLabels = 9 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "dynamic_labels,omitempty",
deprecated = true
];
// Rotation contains the server CA rotation information.
Rotation Rotation = 10 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "rotation,omitempty"
];
// GCP contains parameters specific to GCP Cloud SQL databases.
//
// DEPRECATED: Moved to DatabaseSpecV3. DELETE IN 9.0.
GCPCloudSQL GCP = 11 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "gcp,omitempty",
deprecated = true
];
// Database is the database proxied by this database server.
// Nullable (no gogoproto.nullable override), so it may be absent.
DatabaseV3 Database = 12 [(gogoproto.jsontag) = "database,omitempty"];
// ProxyIDs is a list of proxy IDs this server is expected to be connected to.
repeated string ProxyIDs = 13 [(gogoproto.jsontag) = "proxy_ids,omitempty"];
}
// DatabaseV3List represents a list of databases.
// This is a plain container with no JSON tag overrides, unlike the
// resources it holds.
message DatabaseV3List {
// Databases is a list of database resources.
repeated DatabaseV3 Databases = 1;
}
// DatabaseV3 represents a single proxied database. The desired
// configuration lives in Spec; values discovered at runtime (cloud
// metadata, auto-downloaded CA) live in Status.
message DatabaseV3 {
option (gogoproto.goproto_stringer) = false;
option (gogoproto.stringer) = false;
// Kind is the database resource kind.
string Kind = 1 [(gogoproto.jsontag) = "kind"];
// SubKind is an optional resource subkind.
string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
// Version is the resource version.
string Version = 3 [(gogoproto.jsontag) = "version"];
// Metadata is the database metadata.
Metadata Metadata = 4 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "metadata"
];
// Spec is the database spec.
DatabaseSpecV3 Spec = 5 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "spec"
];
// Status is the database runtime information.
DatabaseStatusV3 Status = 6 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "status"
];
}
// DatabaseSpecV3 is the database spec: how the agent reaches and
// authenticates to the target database.
message DatabaseSpecV3 {
// Protocol is the database protocol: postgres, mysql, mongodb, etc.
string Protocol = 1 [(gogoproto.jsontag) = "protocol"];
// URI is the database connection endpoint.
string URI = 2 [(gogoproto.jsontag) = "uri"];
// CACert is the PEM-encoded database CA certificate.
//
// DEPRECATED: Moved to TLS.CACert. DELETE IN 10.0.
// When deleted, reserve field number 3 and the name "CACert".
string CACert = 3 [
(gogoproto.jsontag) = "ca_cert,omitempty",
deprecated = true
];
// DynamicLabels is the database dynamic labels.
map<string, CommandLabelV2> DynamicLabels = 4 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "dynamic_labels,omitempty"
];
// AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
AWS AWS = 5 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "aws,omitempty"
];
// GCP contains parameters specific to GCP Cloud SQL databases.
GCPCloudSQL GCP = 6 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "gcp,omitempty"
];
// Azure contains Azure specific database metadata.
Azure Azure = 7 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "azure,omitempty"
];
// TLS is the TLS configuration used when establishing a connection to the
// target database. It allows a custom CA cert to be provided or the
// server name to be overridden; see DatabaseTLSMode for how much of the
// certificate validation each mode performs.
DatabaseTLS TLS = 8 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "tls,omitempty"
];
// AD is the Active Directory configuration for the database.
AD AD = 9 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "ad,omitempty"
];
// MySQL is an additional section with MySQL database options.
MySQLOptions MySQL = 10 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "mysql,omitempty"
];
}
// DatabaseStatusV3 contains runtime information about the database, i.e.
// values discovered by the agent rather than configured in DatabaseSpecV3.
message DatabaseStatusV3 {
// CACert is the auto-downloaded cloud database CA certificate.
// Unlike the user-supplied DatabaseTLS.CACert, this value originates from
// the cloud provider; presumably it is refreshed by the agent.
string CACert = 1 [(gogoproto.jsontag) = "ca_cert,omitempty"];
// AWS is the auto-discovered AWS cloud database metadata.
AWS AWS = 2 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "aws"
];
// MySQL is an additional section with MySQL runtime database information.
MySQLOptions MySQL = 3 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "mysql,omitempty"
];
// ManagedUsers is a list of database users that are managed by Teleport.
repeated string ManagedUsers = 4 [(gogoproto.jsontag) = "managed_users,omitempty"];
// Azure is the auto-discovered Azure cloud database metadata.
Azure Azure = 5 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "azure"
];
}
// AWS contains AWS metadata about the database. Exactly which of the
// service-specific sub-messages is populated depends on the database
// type; the others are left at their zero value.
message AWS {
// Region is a AWS cloud region.
string Region = 1 [(gogoproto.jsontag) = "region,omitempty"];
// Redshift contains Redshift specific metadata.
Redshift Redshift = 2 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "redshift,omitempty"
];
// RDS contains RDS specific metadata.
RDS RDS = 3 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "rds,omitempty"
];
// AccountID is the AWS account ID this database belongs to.
string AccountID = 4 [(gogoproto.jsontag) = "account_id,omitempty"];
// ElastiCache contains AWS ElastiCache Redis specific metadata.
ElastiCache ElastiCache = 5 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "elasticache,omitempty"
];
// SecretStore contains secret store configurations.
SecretStore SecretStore = 6 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "secret_store,omitempty"
];
// MemoryDB contains AWS MemoryDB specific metadata.
MemoryDB MemoryDB = 7 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "memorydb,omitempty"
];
// RDSProxy contains AWS Proxy specific metadata.
RDSProxy RDSProxy = 8 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "rdsproxy,omitempty"
];
// RedshiftServerless contains AWS Redshift Serverless specific metadata.
RedshiftServerless RedshiftServerless = 9 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "redshift_serverless,omitempty"
];
// ExternalID is an optional AWS external ID used to enable assuming an AWS
// role across accounts. It is the value presented in the AssumeRole call
// and is expected to match the condition on the target role's trust policy;
// it is not a secret on its own, but it is what prevents the confused-deputy
// case, so it should be set whenever the role belongs to another account.
string ExternalID = 10 [(gogoproto.jsontag) = "external_id,omitempty"];
}
// SecretStore contains secret store configurations for secrets kept in AWS
// (see AWS.SecretStore). Both fields are optional and default to empty.
message SecretStore {
// KeyPrefix specifies the secret key prefix under which secrets are stored.
string KeyPrefix = 1 [(gogoproto.jsontag) = "key_prefix,omitempty"];
// KMSKeyID specifies the AWS KMS key used to encrypt the stored secrets.
// When empty the secret store's own default key presumably applies.
string KMSKeyID = 2 [(gogoproto.jsontag) = "kms_key_id,omitempty"];
}
// Redshift contains AWS Redshift specific database metadata for provisioned
// clusters. Serverless workgroups use RedshiftServerless instead.
message Redshift {
// ClusterID is the Redshift cluster identifier.
string ClusterID = 1 [(gogoproto.jsontag) = "cluster_id,omitempty"];
}
// RDS contains AWS RDS specific database metadata. Either InstanceID (a
// standalone instance) or ClusterID (Aurora) is expected to be set.
message RDS {
// InstanceID is the RDS instance identifier.
string InstanceID = 1 [(gogoproto.jsontag) = "instance_id,omitempty"];
// ClusterID is the RDS cluster (Aurora) identifier.
string ClusterID = 2 [(gogoproto.jsontag) = "cluster_id,omitempty"];
// ResourceID is the RDS instance resource identifier (db-xxx).
string ResourceID = 3 [(gogoproto.jsontag) = "resource_id,omitempty"];
// IAMAuth indicates whether database IAM authentication is enabled.
// No omitempty here, so "iam_auth": false is always emitted in JSON.
bool IAMAuth = 4 [(gogoproto.jsontag) = "iam_auth"];
}
// RDSProxy contains AWS RDS Proxy specific database metadata, used when the
// agent connects through an RDS Proxy rather than to the instance directly.
message RDSProxy {
// Name is the identifier of an RDS Proxy.
string Name = 1 [(gogoproto.jsontag) = "name,omitempty"];
// CustomEndpointName is the identifier of an RDS Proxy custom endpoint.
string CustomEndpointName = 2 [(gogoproto.jsontag) = "custom_endpoint_name,omitempty"];
// ResourceID is the RDS Proxy resource identifier (prx-xxx), as opposed
// to the db-xxx identifier of an RDS instance.
string ResourceID = 3 [(gogoproto.jsontag) = "resource_id,omitempty"];
}
// ElastiCache contains AWS ElastiCache Redis specific metadata.
message ElastiCache {
// ReplicationGroupID is the Redis replication group ID.
string ReplicationGroupID = 1 [(gogoproto.jsontag) = "replication_group_id,omitempty"];
// UserGroupIDs is a list of user group IDs.
repeated string UserGroupIDs = 2 [(gogoproto.jsontag) = "user_group_ids,omitempty"];
// TransitEncryptionEnabled indicates whether in-transit encryption (TLS) is enabled.
// When false the connection to the cache is plaintext; this is discovered
// metadata, not a setting the agent can change.
bool TransitEncryptionEnabled = 3 [(gogoproto.jsontag) = "transit_encryption_enabled,omitempty"];
// EndpointType is the type of the endpoint.
string EndpointType = 4 [(gogoproto.jsontag) = "endpoint_type,omitempty"];
}
// MemoryDB contains AWS MemoryDB specific metadata. It parallels
// ElastiCache: TLSEnabled plays the role of TransitEncryptionEnabled.
message MemoryDB {
// ClusterName is the name of the MemoryDB cluster.
string ClusterName = 1 [(gogoproto.jsontag) = "cluster_name,omitempty"];
// ACLName is the name of the ACL associated with the cluster.
string ACLName = 2 [(gogoproto.jsontag) = "acl_name,omitempty"];
// TLSEnabled indicates whether in-transit encryption (TLS) is enabled.
bool TLSEnabled = 3 [(gogoproto.jsontag) = "tls_enabled,omitempty"];
// EndpointType is the type of the endpoint.
string EndpointType = 4 [(gogoproto.jsontag) = "endpoint_type,omitempty"];
}
// RedshiftServerless contains AWS Redshift Serverless specific metadata.
// Provisioned clusters are described by Redshift instead.
message RedshiftServerless {
// WorkgroupName is the workgroup name.
string WorkgroupName = 1 [(gogoproto.jsontag) = "workgroup_name,omitempty"];
// EndpointName is the VPC endpoint name.
string EndpointName = 2 [(gogoproto.jsontag) = "endpoint_name,omitempty"];
// WorkgroupID is the workgroup ID (distinct from the human-readable
// WorkgroupName).
string WorkgroupID = 3 [(gogoproto.jsontag) = "workgroup_id,omitempty"];
}
// GCPCloudSQL contains parameters specific to GCP Cloud SQL databases.
// Together ProjectID and InstanceID identify one Cloud SQL instance.
message GCPCloudSQL {
// ProjectID is the GCP project ID the Cloud SQL instance resides in.
string ProjectID = 1 [(gogoproto.jsontag) = "project_id,omitempty"];
// InstanceID is the Cloud SQL instance ID.
string InstanceID = 2 [(gogoproto.jsontag) = "instance_id,omitempty"];
}
// Azure contains Azure specific database metadata.
message Azure {
// Name is the Azure database server name.
string Name = 1 [(gogoproto.jsontag) = "name,omitempty"];
// ResourceID is the Azure fully qualified ID for the resource.
string ResourceID = 2 [(gogoproto.jsontag) = "resource_id,omitempty"];
// Redis contains Azure Cache for Redis specific database metadata.
// Non-nullable, so it is always present and empty for non-Redis databases.
AzureRedis Redis = 3 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "redis,omitempty"
];
// IsFlexiServer is true if the database is an Azure Flexible server.
// A bool that may grow more server flavors; an enum would be the safer
// shape if that happens.
bool IsFlexiServer = 4 [(gogoproto.jsontag) = "is_flexi_server,omitempty"];
}
// AzureRedis contains Azure Cache for Redis specific database metadata.
// Only meaningful for Redis Enterprise tiers.
message AzureRedis {
// ClusteringPolicy is the clustering policy for Redis Enterprise.
string ClusteringPolicy = 1 [(gogoproto.jsontag) = "clustering_policy,omitempty"];
}
// AD contains Active Directory specific database configuration, used for
// Kerberos (keytab) or x509 based authentication to the database.
message AD {
// KeytabFile is the path to the Kerberos keytab file. A keytab holds
// long-term keys, so the file should be readable only by the agent.
string KeytabFile = 1 [(gogoproto.jsontag) = "keytab_file,omitempty"];
// Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
string Krb5File = 2 [(gogoproto.jsontag) = "krb5_file,omitempty"];
// Domain is the Active Directory domain the database resides in.
string Domain = 3 [(gogoproto.jsontag) = "domain"];
// SPN is the service principal name for the database.
string SPN = 4 [(gogoproto.jsontag) = "spn"];
// LDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication.
// It is the trust anchor used when talking to LDAP, so it should be the CA
// certificate rather than a leaf.
string LDAPCert = 5 [(gogoproto.jsontag) = "ldap_cert,omitempty"];
// KDCHostName is the host name for a KDC for x509 Authentication.
string KDCHostName = 6 [(gogoproto.jsontag) = "kdc_host_name,omitempty"];
}
// DatabaseTLSMode represents the level of TLS verification performed by
// DB agent when connecting to a database.
//
// VERIFY_FULL is intentionally the zero value: a DatabaseTLS with Mode
// unset (the proto3 default) performs full verification, so the secure
// behaviour is the one you get by omission. Do not renumber.
enum DatabaseTLSMode {
// VERIFY_FULL performs full certificate validation.
VERIFY_FULL = 0;
// VERIFY_CA works the same as VERIFY_FULL, but it skips the hostname check.
// The peer is still required to present a certificate chaining to a trusted CA.
VERIFY_CA = 1;
// INSECURE accepts any certificate provided by server. This is the least secure option.
// With this mode the agent cannot tell the real database from anything else
// that terminates TLS on the path, so it should be reserved for testing.
INSECURE = 2;
}
// DatabaseTLS contains TLS configuration options for the agent-to-database
// connection (DatabaseSpecV3.TLS).
message DatabaseTLS {
// Mode is a TLS connection mode. See DatabaseTLSMode for details.
// Defaults to VERIFY_FULL when unset.
DatabaseTLSMode Mode = 1 [(gogoproto.jsontag) = "mode"];
// CACert is an optional user provided CA certificate used for verifying
// database TLS connection.
string CACert = 2 [(gogoproto.jsontag) = "ca_cert,omitempty"];
// ServerName allows to provide custom hostname. This value will override the
// servername/hostname on a certificate during validation.
// It does not relax verification: the certificate must still match this
// name, so set it to the name actually present in the database's certificate.
string ServerName = 3 [(gogoproto.jsontag) = "server_name,omitempty"];
}
// MySQLOptions are additional MySQL database options. The same message is
// used both in DatabaseSpecV3 (configured) and DatabaseStatusV3 (observed).
message MySQLOptions {
// ServerVersion is the server version reported by DB proxy if the runtime information is
// not available.
string ServerVersion = 1 [(gogoproto.jsontag) = "server_version,omitempty"];
}
// InstanceV1 represents the state of a running teleport instance independent
// of the specific services that instance exposes.
message InstanceV1 {
// Header holds Kind, SubKind, Version and Metadata. It is embedded with an
// empty JSON tag so those fields appear at the top level of the JSON
// document, matching the layout of the other resources in this file.
ResourceHeader Header = 1 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "",
(gogoproto.embed) = true
];
// Spec is the instance spec (what the instance most recently advertised).
InstanceSpecV1 Spec = 2 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "spec"
];
}
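// InstanceSpecV1 is the spec of an InstanceV1 resource: the state a running
// teleport instance most recently advertised, plus its control log.
message InstanceSpecV1 {
// Version is the version of teleport this instance most recently advertised.
string Version = 1 [(gogoproto.jsontag) = "version,omitempty"];
// Services is the list of active services this instance most recently advertised.
// The JSON tag previously read "services,omitemtpy"; encoding/json ignores
// unknown tag options, so the misspelled omitempty was never honored and
// this field behaved differently from its siblings. Fixed to "omitempty".
repeated string Services = 2 [
(gogoproto.casttype) = "SystemRole",
(gogoproto.jsontag) = "services,omitempty"
];
// Hostname is the hostname this instance most recently advertised.
string Hostname = 3 [(gogoproto.jsontag) = "hostname,omitempty"];
// AuthID is the ID of the auth server that most recently observed this instance.
string AuthID = 4 [(gogoproto.jsontag) = "auth_id,omitempty"];
// LastSeen is the last time an auth server reported observing this instance.
google.protobuf.Timestamp LastSeen = 5 [
(gogoproto.stdtime) = true,
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "last_seen,omitempty"
];
// ControlLog is the log of recent important instance control events related to this instance. See comments
// on the InstanceControlLogEntry type for details.
repeated InstanceControlLogEntry ControlLog = 6 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "control_log,omitempty"
];
}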
// InstanceControlLogEntry represents an entry in a given instance's control log. The control log of
// an instance is protected by CompareAndSwap semantics, allowing entries to function as a means of
// synchronization as well as recordkeeping. For example, an auth server intending to trigger an upgrade
// for a given instance can check its control log for 'upgrade-attempt' entries. If no such entry exists,
// it can attempt to write an 'upgrade-attempt' entry of its own. If that entry successfully writes without
// hitting a CompareFailed, the auth server knows that no other auth servers will make concurrent upgrade
// attempts while that entry persists.
//
// NOTE: Due to resource size and backend throughput limitations, care should be taken to minimize the
// use and size of instance control log entries.
//
// The lock-like guarantee above depends entirely on the backend's CompareAndSwap; nothing in this
// message itself enforces uniqueness of Type or ID.
message InstanceControlLogEntry {
// Type represents the type of control log entry this is (e.g. 'upgrade-attempt').
// Free-form string; the vocabulary is defined by the writers, not by this schema.
string Type = 1 [(gogoproto.jsontag) = "type,omitempty"];
// ID is a random identifier used to assist in uniquely identifying entries. This value may
// be unique, or it may be used to associate a collection of related entries (e.g. an upgrade
// attempt entry may use the same ID as an associated upgrade failure entry if appropriate).
uint64 ID = 2 [(gogoproto.jsontag) = "id,omitempty"];
// Time is the time at which the event represented by this entry occurred (used in determining
// ordering and expiry).
google.protobuf.Timestamp Time = 3 [
(gogoproto.stdtime) = true,
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "time,omitempty"
];
// TTL is an optional custom time to live for this control log entry. Some control log entries
// (e.g. an upgrade failure) may require longer than normal TTLs in order to ensure visibility.
// If a log entry's TTL results in it having an intended expiry further in the future than the
// expiry of the enclosing Instance resource, the instance resource's expiry will be bumped
// to accommodate preservation of the log. Because of this fact, custom entry TTLs should be
// used sparingly, as excess usage could result in unexpected backend growth for high churn
// clusters.
// Encoded as int64 and cast to time.Duration in Go, i.e. nanoseconds. Zero means "no custom TTL".
int64 TTL = 4 [
(gogoproto.jsontag) = "ttl,omitempty",
(gogoproto.casttype) = "time.Duration"
];
// Labels is an arbitrary collection of key-value pairs. The expected labels are determined by the
// type of the entry. Use of labels is preferable to adding new fields in some cases in order to
// preserve fields across auth downgrades (this is mostly relevant for the version-control system).
map<string, string> Labels = 5 [(gogoproto.jsontag) = "labels,omitempty"];
}
// InstanceFilter matches instance resources. Every field is optional; an
// empty filter matches all instances. Unlike most messages in this file no
// gogoproto.jsontag overrides are set, so its JSON keys follow the
// generated default rather than snake_case.
message InstanceFilter {
// ServerID matches exactly one instance by server ID if specified.
string ServerID = 1;
// Version matches instance version if specified.
string Version = 2;
// Services matches the instance services if specified. Note that this field matches all instances which
// expose *at least* one of the listed services. This is in contrast to service matching in version
// directives which match instances that expose a *at most* the listed services.
repeated string Services = 3 [(gogoproto.casttype) = "SystemRole"];
}
// ServerV2 represents a Node, App, Database, Proxy or Auth server in a Teleport cluster.
// Which of these it is comes from Kind; the wire layout is shared.
message ServerV2 {
option (gogoproto.goproto_stringer) = false;
option (gogoproto.stringer) = false;
// Kind is a resource kind
string Kind = 1 [(gogoproto.jsontag) = "kind"];
// SubKind is an optional resource sub kind, used in some resources
string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
// Version is the resource schema version (not the Teleport build; see
// ServerSpecV2.Version for that)
string Version = 3 [(gogoproto.jsontag) = "version"];
// Metadata is resource metadata
Metadata Metadata = 4 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "metadata"
];
// Spec is a server spec
ServerSpecV2 Spec = 5 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "spec"
];
}
// ServerV2List is a list of servers.
// DELETE IN 8.0.0 only used in deprecated GetNodes rpc.
// Consider `option deprecated = true;` here so generated code is flagged
// until the type is removed.
message ServerV2List {
// Servers is a list of servers.
repeated ServerV2 Servers = 1;
}
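// ServerSpecV2 is a specification for V2 Server: where the server can be
// reached, what it advertises and which proxies it is attached to.
message ServerSpecV2 {
// Field 8 was removed earlier; keep it reserved so it is never reused.
reserved 8;
// Addr is a host:port address where this server can be reached.
string Addr = 1 [(gogoproto.jsontag) = "addr"];
// PublicAddr is the public address where this server can be reached.
// DELETE IN 15.0. (joerger) Deprecated in favor of public_addrs.
// Marked deprecated so generated code flags new uses, consistent with
// the other deprecated fields in this file (e.g. Apps below).
string PublicAddr = 2 [
(gogoproto.jsontag) = "public_addr,omitempty",
deprecated = true
];
// Hostname is server hostname
string Hostname = 3 [(gogoproto.jsontag) = "hostname"];
// CmdLabels is server dynamic labels
map<string, CommandLabelV2> CmdLabels = 4 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "cmd_labels,omitempty"
];
// Rotation specifies server rotation
Rotation Rotation = 5 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "rotation,omitempty"
];
// UseTunnel indicates that connections to this server should occur over a
// reverse tunnel.
bool UseTunnel = 6 [(gogoproto.jsontag) = "use_tunnel,omitempty"];
// Version is the teleport version that the server is running on
// (the generated accessor is Version, not TeleportVersion).
string Version = 7 [(gogoproto.jsontag) = "version"];
// Apps is a list of applications this server is proxying.
//
// DELETE IN 9.0. Deprecated, moved to AppServerSpecV3.
repeated App Apps = 9 [
(gogoproto.jsontag) = "apps,omitempty",
deprecated = true
];
// KubernetesClusters is a list of kubernetes clusters provided by this
// Proxy or KubeService server.
//
// Important: jsontag must not be "kubernetes_clusters", because a
// different field with that jsontag existed in 4.4:
// https://github.com/gravitational/teleport/issues/4862
// DELETE IN 12.0.0. Deprecated, moved to KubernetesServerSpecV3.
repeated KubernetesCluster KubernetesClusters = 10 [(gogoproto.jsontag) = "kube_clusters,omitempty"];
// PeerAddr is the address a proxy server is reachable at by its peer proxies.
string PeerAddr = 11 [(gogoproto.jsontag) = "peer_addr,omitempty"];
// ProxyIDs is a list of proxy IDs this server is expected to be connected to.
repeated string ProxyIDs = 12 [(gogoproto.jsontag) = "proxy_ids,omitempty"];
// PublicAddrs is a list of public addresses where this server can be reached.
// The proto name is snake_case unlike its siblings; it has no jsontag
// override, so the JSON key presumably derives from this name. Renaming it
// would change generated code and JSON, so leave as is.
repeated string public_addrs = 13;
}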
// AppServerV3 represents a single proxied web app.
//
// This is the server-side registration (which host serves the app, its
// rotation state) wrapped around the AppV3 resource it proxies; the app
// definition itself lives in Spec.App.
message AppServerV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;
  // Kind is the app server resource kind. Always "app_server".
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the app server metadata (non-nullable: always embedded).
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is the app server spec (non-nullable: always embedded).
  AppServerSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}
// AppServerSpecV3 is the app access server spec.
message AppServerSpecV3 {
  // Version is the Teleport version that the server is running.
  string Version = 1 [(gogoproto.jsontag) = "version"];
  // Hostname is the app server hostname.
  string Hostname = 2 [(gogoproto.jsontag) = "hostname"];
  // HostID is the app server host uuid.
  string HostID = 3 [(gogoproto.jsontag) = "host_id"];
  // Rotation contains the app server CA rotation information.
  Rotation Rotation = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "rotation,omitempty"
  ];
  // App is the app proxied by this app server.
  //
  // Unlike Metadata/Rotation this field is not marked nullable=false, so the
  // generated Go field is a pointer and may be nil on a decoded message;
  // readers must nil-check before dereferencing.
  AppV3 App = 5 [(gogoproto.jsontag) = "app"];
  // ProxyIDs is a list of proxy IDs this server is expected to be connected to.
  repeated string ProxyIDs = 6 [(gogoproto.jsontag) = "proxy_ids,omitempty"];
}
// AppV3List represents a list of app resources.
//
// A plain container with no pagination token; callers sending or receiving it
// should expect the whole set in one message.
message AppV3List {
  // Apps is a list of app resources.
  repeated AppV3 Apps = 1;
}
// AppV3 represents an app resource.
//
// Successor of the deprecated App message; the proxied endpoint and its
// security-relevant options (TLS verification, rewrites) live in Spec.
message AppV3 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;
  // Kind is the app resource kind. Always "app".
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource subkind.
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is the resource version.
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the app resource metadata (non-nullable: always embedded).
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec is the app resource spec (non-nullable: always embedded).
  AppSpecV3 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}
// AppSpecV3 is the AppV3 resource spec.
message AppSpecV3 {
  // URI is the web app endpoint.
  string URI = 1 [(gogoproto.jsontag) = "uri"];
  // PublicAddr is the public address the application is accessible at.
  string PublicAddr = 2 [(gogoproto.jsontag) = "public_addr,omitempty"];
  // DynamicLabels are the app's command labels. Each value is the output of
  // running CommandLabelV2.Command (see that message).
  map<string, CommandLabelV2> DynamicLabels = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "dynamic_labels,omitempty"
  ];
  // InsecureSkipVerify disables app's TLS certificate verification.
  //
  // Security: with this set, any certificate presented by URI is accepted, so
  // an on-path attacker between Teleport and the backend can impersonate the
  // app and read proxied traffic. Keep it false and trust the backend's CA
  // instead; if it must be true, scope it to the single app that needs it.
  // No omitempty, so the value is always emitted and reviewable in YAML/JSON.
  bool InsecureSkipVerify = 4 [(gogoproto.jsontag) = "insecure_skip_verify"];
  // Rewrite is a list of rewriting rules to apply to requests and responses.
  Rewrite Rewrite = 5 [(gogoproto.jsontag) = "rewrite,omitempty"];
  // AWS contains additional options for AWS applications.
  AppAWS AWS = 6 [(gogoproto.jsontag) = "aws,omitempty"];
  // Cloud identifies the cloud instance the app represents.
  string Cloud = 7 [(gogoproto.jsontag) = "cloud,omitempty"];
}
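// App is a specific application that a server proxies.
//
// Marked deprecated at the message level (in addition to the comment) so
// generated code warns at every remaining use; the wire encoding and JSON
// tags are unchanged.
//
// DELETE IN 9.0. Deprecated, use AppV3.
message App {
  option deprecated = true;
  // Name is the name of the application.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // URI is the internal address the application is available at.
  string URI = 2 [(gogoproto.jsontag) = "uri"];
  // PublicAddr is the public address the application is accessible at.
  string PublicAddr = 3 [(gogoproto.jsontag) = "public_addr,omitempty"];
  // StaticLabels is map of static labels associated with an application.
  // Used for RBAC.
  map<string, string> StaticLabels = 4 [(gogoproto.jsontag) = "labels,omitempty"];
  // DynamicLabels is map of dynamic labels associated with an application.
  // Used for RBAC. Values are the output of CommandLabelV2.Command, so whoever
  // can set these labels influences an RBAC input.
  map<string, CommandLabelV2> DynamicLabels = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "commands,omitempty"
  ];
  // InsecureSkipVerify disables app's TLS certificate verification.
  //
  // Security: with this set, any certificate presented by URI is accepted, so
  // an on-path attacker between Teleport and the backend can impersonate the
  // app. Keep it false and trust the backend's CA instead.
  bool InsecureSkipVerify = 6 [(gogoproto.jsontag) = "insecure_skip_verify"];
  // Rewrite is a list of rewriting rules to apply to requests and responses.
  Rewrite Rewrite = 7 [(gogoproto.jsontag) = "rewrite,omitempty"];
  // Description is an optional free-form app description.
  string Description = 8 [(gogoproto.jsontag) = "description,omitempty"];
}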
// Rewrite is a list of rewriting rules to apply to requests and responses.
message Rewrite {
  // Redirect defines a list of hosts which will be rewritten to the public
  // address of the application if they occur in the "Location" header.
  // Matching is by host per this comment; whether ports or schemes are
  // compared is not visible here — check the proxy's rewrite code.
  repeated string Redirect = 1 [(gogoproto.jsontag) = "redirect,omitempty"];
  // Headers is a list of headers to inject when passing the request over
  // to the application.
  //
  // Security: injected headers reach the backend with whatever trust it
  // places in them. Whether values are inserted verbatim or expanded from a
  // template is not visible in this schema — verify before assuming either.
  repeated Header Headers = 2 [(gogoproto.jsontag) = "headers,omitempty"];
}
// Header represents a single http header passed over to the proxied application.
//
// The schema itself constrains neither field: nothing here rejects CR/LF in a
// value or a duplicate of a hop-by-hop header. NOTE(review): presumably the
// resource validation layer enforces that — confirm, since this is the
// boundary where header-injection would otherwise be possible.
message Header {
  // Name is the http header name.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // Value is the http header value.
  string Value = 2 [(gogoproto.jsontag) = "value"];
}
// CommandLabelV2 is a label that has a value as a result of the
// output generated by running command, e.g. hostname
//
// Security: Command is executed on whatever host realizes the resource, so
// the ability to set a dynamic label is the ability to run a command there.
// Treat resources containing these labels as privileged configuration.
message CommandLabelV2 {
  // Period is a time between command runs. int64 on the wire, cast to the
  // Go Duration type; units are presumably nanoseconds as for time.Duration
  // — confirm against the casttype definition.
  int64 Period = 1 [
    (gogoproto.jsontag) = "period",
    (gogoproto.casttype) = "Duration"
  ];
  // Command is a command to run, as a list of strings (presumably argv form:
  // executable followed by its arguments — verify with the executor).
  repeated string Command = 2 [(gogoproto.jsontag) = "command"];
  // Result captures standard output
  string Result = 3 [(gogoproto.jsontag) = "result"];
}
// AppAWS contains additional options for AWS applications.
message AppAWS {
  // ExternalID is the AWS External ID used when assuming roles in this app.
  // External IDs are AWS's guard against confused-deputy role assumption,
  // so the value is a shared secret with the role's trust policy; avoid
  // logging it or exposing it to principals who should not assume the role.
  string ExternalID = 1 [(gogoproto.jsontag) = "external_id,omitempty"];
}
// PrivateKeyType is the storage type of a private key.
//
// RAW is the zero value, so a key pair whose type was never set (including
// one written before this enum existed) is treated as a plaintext key. Values
// are intentionally unprefixed; renaming them would break generated code.
enum PrivateKeyType {
  // RAW is a plaintext private key.
  RAW = 0;
  // PKCS11 is a private key backed by a PKCS11 device such as HSM.
  PKCS11 = 1;
  // GCP_KMS is a private key backed by GCP KMS.
  GCP_KMS = 2;
}
// SSHKeyPair is an SSH CA key pair.
message SSHKeyPair {
  // PublicKey is the SSH public key. Its exact encoding (e.g. authorized_keys
  // line) is not stated here — check the producer before parsing.
  bytes PublicKey = 1 [(gogoproto.jsontag) = "public_key,omitempty"];
  // PrivateKey is the SSH private key.
  //
  // Security: when PrivateKeyType is RAW this is CA key material in the
  // clear, and it is part of the JSON form of the resource — never log or
  // return this message unredacted. For PKCS11/GCP_KMS the content is
  // presumably a key handle rather than the key itself — confirm against
  // the keystore implementation.
  bytes PrivateKey = 2 [(gogoproto.jsontag) = "private_key,omitempty"];
  // PrivateKeyType is the type of the PrivateKey. With omitempty, RAW (0) is
  // dropped from JSON, so an absent key in JSON means RAW.
  PrivateKeyType PrivateKeyType = 3 [(gogoproto.jsontag) = "private_key_type,omitempty"];
}
// TLSKeyPair is a TLS key pair
message TLSKeyPair {
  // Cert is a PEM encoded TLS cert
  bytes Cert = 1 [(gogoproto.jsontag) = "cert,omitempty"];
  // Key is a PEM encoded TLS key
  //
  // Security: when KeyType is RAW this is private key material in the clear
  // and is included in the JSON form of the resource — never log or return
  // this message unredacted. For PKCS11/GCP_KMS the content is presumably a
  // key handle rather than the key itself — confirm with the keystore code.
  bytes Key = 2 [(gogoproto.jsontag) = "key,omitempty"];
  // KeyType is the type of the Key. With omitempty, RAW (0) is dropped from
  // JSON, so an absent key_type in JSON means RAW.
  PrivateKeyType KeyType = 3 [(gogoproto.jsontag) = "key_type,omitempty"];
}
// JWTKeyPair is a PEM encoded keypair used for signing JWT tokens.
message JWTKeyPair {
  // PublicKey is a PEM encoded public key.
  bytes PublicKey = 1 [(gogoproto.jsontag) = "public_key,omitempty"];
  // PrivateKey is a PEM encoded private key.
  //
  // Security: when PrivateKeyType is RAW this is the JWT signing key in the
  // clear; anyone holding it can mint tokens the cluster trusts. It is part
  // of the JSON form of the resource — never log or return it unredacted.
  // For PKCS11/GCP_KMS the content is presumably a key handle rather than
  // the key itself — confirm with the keystore code.
  bytes PrivateKey = 2 [(gogoproto.jsontag) = "private_key,omitempty"];
  // PrivateKeyType is the type of the PrivateKey. With omitempty, RAW (0) is
  // dropped from JSON, so an absent key in JSON means RAW.
  PrivateKeyType PrivateKeyType = 3 [(gogoproto.jsontag) = "private_key_type,omitempty"];
}
// CertAuthorityV2 is version 2 resource spec for Cert Authority
//
// Wrapper around CertAuthoritySpecV2. Because the spec can carry private
// keys, this whole resource should be handled as secret material unless the
// keys have been stripped.
message CertAuthorityV2 {
  option (gogoproto.goproto_stringer) = false;
  option (gogoproto.stringer) = false;
  // Kind is a resource kind
  string Kind = 1 [(gogoproto.jsontag) = "kind"];
  // SubKind is an optional resource sub kind, used in some resources
  string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
  // Version is version
  string Version = 3 [(gogoproto.jsontag) = "version"];
  // Metadata is the cert authority's resource metadata (the original comment
  // said "connector", a copy-paste leftover). Non-nullable: always embedded.
  Metadata Metadata = 4 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "metadata"
  ];
  // Spec contains cert authority specification (non-nullable: always embedded)
  CertAuthoritySpecV2 Spec = 5 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "spec"
  ];
}
// CertAuthoritySpecV2 is a host or user certificate authority that
// can check and if it has private key stored as well, sign it too
message CertAuthoritySpecV2 {
reserved 3, 4, 7, 10;
// Type is either user or host certificate authority
string Type = 1 [
(gogoproto.jsontag) = "type",
(gogoproto.casttype) = "CertAuthType"
];
// DELETE IN(2.7.0) this field is deprecated,
// as resource name matches cluster name after migrations.
// and this property is enforced by the auth server code.
// ClusterName identifies cluster name this authority serves,
// for host authorities that means base hostname of all servers,
// for user authorities that means organization name
string ClusterName = 2 [(gogoproto.jsontag) = "cluster_name"];
// Roles is a list of roles assumed by users signed by this CA
repeated string Roles = 5 [(gogoproto.jsontag) = "roles,omitempty"];
// RoleMap specifies role mappings to remote roles
repeated RoleMapping RoleMap = 6 [
(gogoproto.nullable) = false,
(gogoproto.jsontag) = "role_map,omitempty"
];
// Rotation is a status of the certificate authority rotation
Rotation Rotation = 8 [
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "rotation,omitempty"
];
// SigningAlg is the algorithm used for signing new SSH certificates using
// SigningKeys.
enum SigningAlgType {
UNKNOWN = 0;
RSA_SHA1 = 1;
RSA_SHA2_256 = 2;