Dynamic App Registration
Dynamic app registration is available starting from Teleport
Dynamic app registration allows Teleport administrators to register new apps (or update/unregister existing ones) without having to update the static configuration and restarting the app agents.
To enable dynamic registration, include a
resources section in your app
agent configuration with a list of resource label selectors you'd like this
agent to monitor:
app_service: enabled: "yes" resources: - labels: "*": "*"
You can use a wildcard selector to monitor all app resources in the cluster, or provide a specific set of labels to monitor a subset:
resources: - labels: "env": "prod" - labels: "env": "test"
Next define an application resource:
kind: app version: v3 metadata: name: example description: "Example app" labels: env: test spec: uri: http://localhost:4321 public_addr: test.example.com
See the full app resource spec reference.
The user creating the dynamic registration needs to have a role with access to the
application labels and the
app resource. In this example role the user can only
create and maintain application services labeled
kind: role metadata: name: dynamicappregexample spec: allow: app_labels: env: test rules: - resources: - app verbs: - list - create - read - update - delete version: v5
To create an application resource, run:
Log in to your cluster with tsh so you can use tctl from your local machine.
You can also run tctl on your Auth Service host without running "tsh login"
first.tsh login --proxy=teleport.example.com --user=myusertctl create app.yaml
After the resource has been created, it will appear among the list of available
tsh apps ls or UI) as long as at least one Application Service
instance picks it up according to its label selectors.
To update an existing application resource, run:
tctl create -f app.yaml
If the updated resource's labels no longer match a particular app agent, it will unregister and stop proxying it.
To delete an application resource, run:
tctl rm app/example