
Document support for local users in the Kubernetes Operator #23097

Closed
Tracked by #29480
MarkCupitt opened this issue Mar 15, 2023 · 2 comments · Fixed by #36622
Labels
documentation kube-operator Issues related to Kube Operator

Comments


Docs describe how to create users and roles. However, usually there is a URL for a user to create a password. Cannot see any way to find this.


MarkCupitt commented Mar 15, 2023

It appears that only GitHub, OIDC and SAML users are supported, not local users, based on the CRDs at https://github.com/gravitational/teleport/blob/master/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml

apiVersion: resources.teleport.dev/v2
kind: TeleportUser
metadata:
  name: mark
spec:
  github_identities: []
  oidc_identities: []
  saml_identities: []
  roles: ["access","auditor","editor"]
  traits: {}

It would probably save people a LOT of time to make that clear in the docs, unless we missed something here.

@zmb3 zmb3 added the kube-operator Issues related to Kube Operator label Mar 15, 2023
@ptgott ptgott changed the title [v.12.x] /docs/pages/management/guides/teleport-operator.mdx Document support for local users in the Kubernetes Operator Mar 17, 2023
hugoShaka (Contributor) commented

The operator does support creating local users. It seems the confusion came from the decorrelation between user creation and the initial password reset token creation.

When you do tctl users add, it first creates a user, then creates a reset token for this user. The operator ensures the user exists and has the correct properties. It does not create the temporary reset token.

Password resets are a one-time thing; this conflicts with the stateless operator pattern, and the operator has no easy way to securely send the token back to the user. If you want to achieve a fully automated and secure password reset flow, you need to write glue code that will validate the user's identity from a trusted source (Slack, email, ...) and execute a password reset on their behalf. This can be done through tctl users reset or by calling the API with api/client.GetResetPasswordToken.

Thank you for the report, I will make sure the documentation explicitly mentions the operator doesn't reset the user password.
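As an added example (not from the issue or from Teleport's own tooling), the two-step flow described above: a local user is declared through the operator, and the one-time reset token is minted separately once the auth server has the user. It assumes kubectl and tctl are on PATH with access to the cluster; the user name and roles are constructed.

```shell
#!/usr/bin/env sh
# Added example, not part of the issue or the Teleport project.
# Assumes kubectl and tctl are on PATH and authenticated to the cluster.

# Render a TeleportUser manifest for a *local* user: the three identity
# lists are left empty, so the auth server treats the user as local.
# Usage: local_user_manifest <name> <role>...
local_user_manifest() {
  name="$1"; shift
  roles=""
  for r in "$@"; do roles="${roles:+$roles,}\"$r\""; done
  printf '%s\n' \
    "apiVersion: resources.teleport.dev/v2" \
    "kind: TeleportUser" \
    "metadata:" \
    "  name: $name" \
    "spec:" \
    "  github_identities: []" \
    "  oidc_identities: []" \
    "  saml_identities: []" \
    "  roles: [$roles]" \
    "  traits: {}"
}

# The glue step the operator deliberately leaves to you: apply the CR,
# wait until the auth server really has the user (the CR can exist before
# reconciliation has finished), then create the one-time reset token.
# The token URL is printed to stdout; deliver it to the user out of band
# over a channel whose identity you trust, never via the CR itself.
# Usage: create_local_user <name> <role>...
create_local_user() {
  name="$1"; shift
  local_user_manifest "$name" "$@" | kubectl apply -f - >/dev/null || return 1
  attempts=30
  while ! tctl get "users/$name" >/dev/null 2>&1; do
    attempts=$((attempts - 1))
    [ "$attempts" -gt 0 ] || { echo "user $name not reconciled" >&2; return 1; }
    sleep 2
  done
  tctl users reset "$name"
}
```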
