gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

operator: Support expiring resources #21419

Open hugoShaka opened 1 year ago

hugoShaka commented 1 year ago

What would you like Teleport to do?

I would like to be able to create and manage expiring resources through the Teleport operator

What problem does this solve?

This allows me to create temporary resources like tokens as part of an automated deployment process.

If a workaround exists, please include it.

Delete the resource at the end of the deployment.

hugoShaka commented 1 year ago

Blocked by https://github.com/gravitational/teleport/issues/21416

bsgrigorov commented 1 year ago

can we get non-expiring token CRDs in the meantime?

hugoShaka commented 1 year ago

can we get non-expiring token CRDs in the meantime?

This was not possible when I wrote this issue, but @strideynet changed this in v13 (tokens were forcefully given an expiration). I'll see if I can rebase my old PR and use the new v13 token logic.

bsgrigorov commented 1 year ago

@hugoShaka I am wondering if this got into a release? We really need Token CRDs in order to configure the teleport cluster in a kubernetes native way.

hugoShaka commented 1 year ago

Teleport operator supports non-expiring ProvisionToken resources since 13.0.3 (but it had a few bugfixes since, so you might want to run the latest v13 release).

You can run kubectl explain provisiontoken to explore available fields.

bsgrigorov commented 1 year ago

What about bots? Can we create bots with CRDs? I know bots are users but I think there's a bit more that goes into bot creation compared to user creation.

hugoShaka commented 1 year ago

I confirmed with our machineID folks that a bot is not currently a real resource, so the operator cannot reconcile it. However, a bot comprises a user and a role, which you can create separately. If you create a bot with tctl, save its resulting user and role, and then delete it, you can create the appropriate user and role resources directly from the operator.

The only limitation is if you're using the token joining method for the bot: the last certificate revision is stored in the user resource labels, and the operator will currently override it; this can cause bot certificate renewals to fail. I will send a fix in the following weeks. If your bot uses other joining methods such as kubernetes, github, iam, ... you won't face this issue.
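As an added illustration (not code from this thread or from the Teleport project), here is what a non-expiring ProvisionToken managed by the operator could look like, bound to a bot and using the kubernetes join method so the renewal-label problem described above does not apply. The apiVersion, kind and spec field names are assumed to match the operator's CRD as shown by kubectl explain provisiontoken, and the namespace, bot and service-account names are placeholders.

```yaml
# Added example: a non-expiring ProvisionToken CR for the Teleport operator.
# Assumption: apiVersion/kind follow the operator's resources.teleport.dev CRDs;
# confirm the field names with `kubectl explain provisiontoken` before applying.
apiVersion: resources.teleport.dev/v2
kind: TeleportProvisionToken
metadata:
  name: deploy-bot-token        # placeholder token name
  namespace: teleport           # placeholder: the namespace the operator watches
spec:
  # No expiry is set here: the operator keeps this token until the CR is deleted,
  # so the allow rules below are the only thing limiting who can join with it.
  roles: ["Bot"]
  bot_name: deploy-bot          # placeholder: the bot this token may join as
  # Delegated join: no shared secret is handed out; the joining pod proves its
  # identity with its Kubernetes service account token, so the user-label
  # overwrite that breaks token-joined bot renewals does not come into play.
  join_method: kubernetes
  kubernetes:
    allow:
      # Only this service account (namespace:name) is allowed to join.
      - service_account: "deploy:tbot"   # placeholder service account
```

Deleting the CR removes the token from the cluster, which is the same cleanup step the issue lists as the workaround for the missing expiry.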