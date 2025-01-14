WorkloadIdentity Configuration Resource migration
The way that you configure Teleport Workload Identity is changing. If you are currently using Workload Identity, you will need to migrate to the new configuration experience by V19.0.0 when support for the old configuration will be removed.
Overview
Previously, the details of the credentials (e.g X509 SVID/JWT SVID) you wished
to issue were defined directly within
tbot. Controlling what credentials were
allowed to be issued was done by configuring the
spec.allow.spiffe field of
the role resource.
The new configuration experience introduces a new resource type,
WorkloadIdentity,
which allows you to define the structure of an identity credential that can be
issued to workloads and the rules around what workloads it can be issued to.
This provides the following benefits over the previous configuration experience:
- Centralized control of the structure of the identity credential, which
simplifies the configuration of
tbot.
- The ability to specify rules based on the attributes of the workload, such as the name of the Kubernetes namespace or service account, that is more fine grained than the previous configuration.
- The ability to use templating to dynamically generate elements of the identity credential - allowing a single WorkloadIdentity resource to be used to serve multiple workloads.
You can read the full details of the new WorkloadIdentity resource in the WorkloadIdentity Resource reference.
Migrating
tbot
The following CLI commands have been replaced:
tbot start spiffe-svidis now
tbot start workload-identity-x509.
The following new additional CLI commands have been introduced:
tbot start workload-identity-apito start a listener for the Workload Identity API.
tbot start workload-identity-jwtto issue a JWT SVID.
You can read more about the new CLI commands in the
tbot CLI reference.
The following service types have been replaced:
spiffe-workload-apiis now
workload-identity-api.
spiffe-x509-svidis now
workload-identity-x509.
The following new additional service types have been introduced:
workload-identity-jwtto issue JWT SVIDs.
You can read more about the new service types in the
tbot configuration reference.