docs: update request_access description in roles spec (#40749)

docs/pages/includes/role-spec.mdx

@@ -19,7 +19,7 @@ spec:
     ssh_file_copy: false
     # client_idle_timeout determines if SSH sessions to cluster nodes are
     # forcefully terminated after no activity from a client (idle client).
-    # it overrides the global cluster setting. examples: "30m", "1h" or "1h30m"
+    # it overrides the global cluster setting. examples: '30m', '1h' or '1h30m'
     client_idle_timeout: never
     # Determines if the clients will be forcefully disconnected when their
     # certificates expire in the middle of an active session.
@@ -42,14 +42,14 @@ spec:
     # require_session_mfa require per-session MFA for any assigned user of this role
     require_session_mfa: true
     # lock sets locking mode for user of this role,
-    # valid values are "strict" or "best_effort"
+    # valid values are 'strict' or 'best_effort'
     lock: strict
-    # enterprise-only request_access field is either 'always' or 'reason'. If set to always, it instructs
-    # tsh or the web UI clients to always create an Access Request on login. If it is
+    # enterprise-only request_access field is 'optional', 'always' or 'reason'. If set to always or reason,
+    # it instructs tsh or the web UI clients to always create an Access Request. If it is
     # set to 'reason', the user will be required to indicate why they are
     # generating the Access Request.
     request_access: reason
-    # the `request_prompt` field can be used to tell the user what should
+    # the 'request_prompt' field can be used to tell the user what should
     # be supplied in the request reason field.
     request_prompt: Please provide your ticket ID
     # enterprise-only max_connections field sets a limit of concurrent sessions within a
@@ -59,10 +59,10 @@ spec:
     # limit number of concurrent Kubernetes sessions per user
     max_kubernetes_connections: 1
     # Define how Teleport deals with session recording failures, such as a full
-    # disk error. The value can be set to either `best_effort` or `strict`. If
-    # set to `strict`, the session will terminate immediately. If set to
-    # `best_effort`, the session won’t be terminated, and the recording will be
-    # disabled. The configuration is done per service (currently, only `ssh` is
+    # disk error. The value can be set to either 'best_effort' or 'strict'. If
+    # set to 'strict', the session will terminate immediately. If set to
+    # 'best_effort', the session won’t be terminated, and the recording will be
+    # disabled. The configuration is done per service (currently, only 'ssh' is
     # supported).
     record_session:
       # Specify whether or not to record the user's desktop sessions.
@@ -88,14 +88,14 @@ spec:
     # network. The default is false.
     pin_source_ip: true
     # Specify a list of names and associated values to be included in user SSH keys.
-    # The key type can only be "ssh" and the mode can only be "extension".
+    # The key type can only be 'ssh' and the mode can only be 'extension'.
     # The name and value fields can be arbitrary strings and the value field
     # supports variable interpolation.
     cert_extensions:
      - type: ssh
        mode: extension
        name: [email protected]
-       value: "{{ external.github_login }}"
+       value: '{{ external.github_login }}'
     # Controls whether this role supports auto provisioning of SSH users.
     # Options: drop (remove user on session end), keep (keep users at session end)
     #          and off (disable host user creation)
@@ -129,7 +129,7 @@ spec:
     node_labels:
       # literal strings:
       'env': 'test'
-      # the wildcard ('*') means "any node"
+      # the wildcard ('*') means any node
       '*': '*'
       # a list of alternative options:
       'region': ['us-west-1', 'eu-central-1']
@@ -141,9 +141,9 @@ spec:
       'reg': '^us-west-1|eu-central-1$'
 
     # kubernetes_groups specifies Kubernetes groups a user with this role will assume.
-    # You can refer to a SAML/OIDC trait via the "external" property bag.
+    # You can refer to a SAML/OIDC trait via the 'external' property bag.
     # This allows you to specify Kubernetes group membership in an identity manager:
-    kubernetes_groups: ["system:masters", "{{external.trait_name}}"]
+    kubernetes_groups: ['system:masters', '{{external.trait_name}}']
 
     # kubernetes_users is an optional field that specifies kubernetes users
     # this role can assume.
@@ -191,16 +191,16 @@ spec:
         # - ingress
       - kind: '*'
         # The name of the Kubernetes namespace in which to allow access the
-        # resources you specify with "name" and "kind".
-        # The wildcard character "*" matches any sequence of characters.
-        # If the value begins with "^" and ends with "$", the Kubernetes
+        # resources you specify with 'name' and 'kind'.
+        # The wildcard character '*' matches any sequence of characters.
+        # If the value begins with '^' and ends with '$', the Kubernetes
         # Service will treat it as a regular expression.
-        namespace: "*"
+        namespace: '*'
         # The name of the resource to allow access to.
-        # The wildcard character "*" matches any sequence of characters.
-        # If the value begins with "^" and ends with "$", the Kubernetes
+        # The wildcard character '*' matches any sequence of characters.
+        # If the value begins with '^' and ends with '$', the Kubernetes
         # Service will treat it as a regular expression.
-        name: "^nginx-[a-z0-9-]+$"
+        name: '^nginx-[a-z0-9-]+$'
         # The verbs that the user is allowed to perform on the resource.
         # Teleport currently supports:
         # - * (all verbs)
@@ -221,7 +221,7 @@ spec:
     db_names: ['{{external.db_names}}']
     db_roles: ['{{external.db_roles}}']
     db_labels:
-      'env': '{{regexp.replace(external.env, "^(staging)$", "$1")}}'
+      'env': '{{regexp.replace(external.env, '^(staging)$', '$1')}}'
 
     # app_labels: a user with this role will be allowed to connect to
     # applications with labels matching below.
@@ -254,8 +254,8 @@ spec:
     # A user with this role will be allowed to access nodes if they are in the
     # staging environment *or* if they belong to one of the user's own teams.
     node_labels_expression: |
-      labels["env"] == "staging" ||
-      contains(user.spec.traits["teams"] , labels["team"])
+      labels['env'] == 'staging' ||
+      contains(user.spec.traits['teams'] , labels['team'])
 
     # The below <kind>_labels_expression fields have the same purpose of the
     # matching <kind>_labels fields, but support predicate expressions instead
@@ -283,8 +283,8 @@ spec:
       # where is an optional where condition
       # further limiting the scope for matching users and roles
       where: >
-        contains(user.spec.traits["group"], impersonate_role.metadata.labels["group"]) &&
-        contains(user.spec.traits["group"], impersonate_user.metadata.labels["group"])
+        contains(user.spec.traits['group'], impersonate_role.metadata.labels['group']) &&
+        contains(user.spec.traits['group'], impersonate_user.metadata.labels['group'])
 
     # review_requests allows a user holding this role
     # to approve or deny Access Requests (enterprise-only)
@@ -299,10 +299,10 @@ spec:
     # request allows a user user request roles matching
     # expressions below
     request:
-      # the `roles` list can be a mixture of literals and wildcard matchers
+      # the 'roles' list can be a mixture of literals and wildcard matchers
       roles: ['common', 'dev-*']
 
-      # `search_as_roles` allows users to search for and request access to
+      # 'search_as_roles' allows users to search for and request access to
       # resources accessible by the listed roles (enterprise-only)
       search_as_roles: ['access']
 
@@ -319,17 +319,17 @@ spec:
       # The maximum duration is 7 days.
       max_duration: 7d
 
-      # the `claims_to_roles` mapping works the same as it does in
+      # the 'claims_to_roles' mapping works the same as it does in
       # the OIDC connector, with the added benefit that the roles being mapped to
       # can also be matchers.
       #
       # This example leverages Teleport's regular expression support, which allows
       # for dynamic mapping from claims. The below mapping says that users with
-      # claims that match "projects: product-(.*)" can request roles that match
-      # "$1-admin", where "$1" is the first capture group in the
+      # claims that match 'projects: product-(.*)' can request roles that match
+      # '$1-admin', where '$1' is the first capture group in the
       # regular expression.
-      # Example: the "projects: product-foo" claim allows a user to request the
-      # "foo-admin" role
+      # Example: the 'projects: product-foo' claim allows a user to request the
+      # 'foo-admin' role
       claims_to_roles:
         - claim: 'projects'
           # matches all group names with a leading 'product-'
@@ -362,8 +362,8 @@ spec:
         # in order to satisfy the policy.
         count: 1
         # The action to take if a moderator leaves a session, causing the policy to no longer be satisfied.
-        # This may be either "terminate" or "pause". An empty or unknown value will default to "terminate".
-        on_leave: "terminate"
+        # This may be either 'terminate' or 'pause'. An empty or unknown value will default to 'terminate'.
+        on_leave: 'terminate'
 
     # Moderated Sessions policy that dictates the ability to join sessions
     join_sessions: