Fork me on GitHub

Teleport

Dynamic App Registration

Improve

Dynamic app registration is available starting from Teleport 8.0.

Dynamic app registration allows Teleport administrators to register new apps (or update/unregister existing ones) without having to update the static configuration and restarting the app agents.

To enable dynamic registration, include a resources section in your app agent configuration with a list of resource label selectors you'd like this agent to monitor:

app_service:
  enabled: "yes"
  resources:
  - labels:
      "*": "*"

You can use a wildcard selector to monitor all app resources in the cluster, or provide a specific set of labels to monitor a subset:

resources:
- labels:
    "env": "prod"
- labels:
    "env": "test"

Next define an application resource:

kind: app
version: v3
metadata:
  name: example
  description: "Example app"
  labels:
    env: test
spec:
  uri: http://localhost:4321
  public_addr: test.example.com

See the full app resource spec reference.

The user creating the dynamic registration needs to have a role with access to the application labels and the app resource. In this example role the user can only create and maintain application services labeled env: test.

kind: role
metadata:
  name: dynamicappregexample
spec:
  allow:
    app_labels:      
      env: test
    rules:
    - resources:
      - app
      verbs:
      - list
      - create
      - read
      - update
      - delete
version: v5

To create an application resource, run:

Log in to your cluster with tsh so you can use tctl from your local machine.

You can also run tctl on your Auth Service host without running "tsh login"

first.

tsh login --proxy=teleport.example.com --user=myuser
tctl create app.yaml

After the resource has been created, it will appear among the list of available apps (in tsh app ls or UI) as long as at least one Application Service instance picks it up according to its label selectors.

To update an existing application resource, run:

tctl create -f app.yaml

If the updated resource's labels no longer match a particular app agent, it will unregister and stop proxying it.

To delete an application resource, run:

tctl rm app/example
0