moving local and remote port forwarding configs into their own messages

api/proto/teleport/legacy/types/types.proto

@@ -2923,22 +2923,38 @@ enum CreateDatabaseUserMode {
   DB_USER_MODE_BEST_EFFORT_DROP = 3;
 }
 
-// SSHPortForwardConfig defines which types of SSH port forwarding are permitted, if any.
-message SSHPortForwardConfig {
-  // Allow local port forwarding.
-  BoolValue Local = 1 [
+// SSHLocalPortForwarding configures access controls for local SSH port forwarding.
+message SSHLocalPortForwarding {
+  BoolValue Enabled = 1 [
     (gogoproto.nullable) = true,
-    (gogoproto.jsontag) = "local,omitempty",
+    (gogoproto.jsontag) = "enabled,omitempty",
     (gogoproto.customtype) = "BoolOption"
   ];
-  // Allow remote port forwarding.
-  BoolValue Remote = 2 [
+}
+
+// SSHRemotePortForwarding configures access controls for remote SSH port forwarding.
+message SSHRemotePortForwarding {
+  BoolValue Enabled = 1 [
     (gogoproto.nullable) = true,
-    (gogoproto.jsontag) = "remote,omitempty",
+    (gogoproto.jsontag) = "enabled,omitempty",
     (gogoproto.customtype) = "BoolOption"
   ];
 }
 
+// SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.
+message SSHPortForwarding {
+  // Allow local port forwarding.
+  SSHLocalPortForwarding Local = 1 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "local,omitempty"
+  ];
+  // Allow remote port forwarding.
+  SSHRemotePortForwarding Remote = 2 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "remote,omitempty"
+  ];
+}
+
 // RoleOptions is a set of role options
 message RoleOptions {
   // ForwardAgent is SSH agent forwarding.
@@ -3123,8 +3139,8 @@ message RoleOptions {
   // CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.
   string CreateHostUserDefaultShell = 31 [(gogoproto.jsontag) = "create_host_user_default_shell,omitempty"];
 
-  // SSHPortForwarding defines which types of SSH port forwarding are permitted, if any.
-  SSHPortForwardConfig SSHPortForwarding = 32 [
+  // SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.
+  SSHPortForwarding SSHPortForwarding = 32 [
     (gogoproto.nullable) = true,
     (gogoproto.jsontag) = "ssh_port_forwarding,omitempty"
   ];

docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx

@@ -394,7 +394,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
-|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding defines which types of SSH port forwarding are permitted, if any.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|
 
 ### spec.options.cert_extensions items
 
@@ -429,8 +429,20 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
-|local|boolean|Allow local port forwarding.|
-|remote|boolean|Allow remote port forwarding.|
+|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
+|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|
+
+### spec.options.ssh_port_forwarding.local
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+
+### spec.options.ssh_port_forwarding.remote
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
 
 ## resources.teleport.dev/v6
 
@@ -815,7 +827,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
-|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding defines which types of SSH port forwarding are permitted, if any.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|
 
 ### spec.options.cert_extensions items
 
@@ -850,6 +862,18 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
-|local|boolean|Allow local port forwarding.|
-|remote|boolean|Allow remote port forwarding.|
+|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
+|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|
+
+### spec.options.ssh_port_forwarding.local
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+
+### spec.options.ssh_port_forwarding.remote
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
 

docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx

@@ -394,7 +394,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
-|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding defines which types of SSH port forwarding are permitted, if any.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|
 
 ### spec.options.cert_extensions items
 
@@ -429,6 +429,18 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
-|local|boolean|Allow local port forwarding.|
-|remote|boolean|Allow remote port forwarding.|
+|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
+|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|
+
+### spec.options.ssh_port_forwarding.local
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+
+### spec.options.ssh_port_forwarding.remote
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
 

docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx

@@ -394,7 +394,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
-|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding defines which types of SSH port forwarding are permitted, if any.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|
 
 ### spec.options.cert_extensions items
 
@@ -429,6 +429,18 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
-|local|boolean|Allow local port forwarding.|
-|remote|boolean|Allow remote port forwarding.|
+|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
+|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|
+
+### spec.options.ssh_port_forwarding.local
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+
+### spec.options.ssh_port_forwarding.remote
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
 

docs/pages/reference/terraform-provider/data-sources/role.mdx

@@ -439,7 +439,7 @@ Optional:
 - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
 - `ssh_file_copy` (Boolean) SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.
-- `ssh_port_forwarding` (Attributes) SSHPortForwarding defines which types of SSH port forwarding are permitted, if any. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwarding))
+- `ssh_port_forwarding` (Attributes) SSHPortForwarding configures what types of SSH port forwarding are allowed by a role. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwarding))
 
 ### Nested Schema for `spec.options.cert_extensions`
 
@@ -478,6 +478,19 @@ Optional:
 
 Optional:
 
-- `local` (Boolean) Allow local port forwarding.
-- `remote` (Boolean) Allow remote port forwarding.
+- `local` (Attributes) Allow local port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardinglocal))
+- `remote` (Attributes) Allow remote port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardingremote))
+
+### Nested Schema for `spec.options.ssh_port_forwarding.local`
+
+Optional:
+
+- `enabled` (Boolean)
+
+
+### Nested Schema for `spec.options.ssh_port_forwarding.remote`
+
+Optional:
+
+- `enabled` (Boolean)
 

docs/pages/reference/terraform-provider/resources/role.mdx

@@ -493,7 +493,7 @@ Optional:
 - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
 - `ssh_file_copy` (Boolean) SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.
-- `ssh_port_forwarding` (Attributes) SSHPortForwarding defines which types of SSH port forwarding are permitted, if any. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwarding))
+- `ssh_port_forwarding` (Attributes) SSHPortForwarding configures what types of SSH port forwarding are allowed by a role. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwarding))
 
 ### Nested Schema for `spec.options.cert_extensions`
 
@@ -532,6 +532,19 @@ Optional:
 
 Optional:
 
-- `local` (Boolean) Allow local port forwarding.
-- `remote` (Boolean) Allow remote port forwarding.
+- `local` (Attributes) Allow local port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardinglocal))
+- `remote` (Attributes) Allow remote port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardingremote))
+
+### Nested Schema for `spec.options.ssh_port_forwarding.local`
+
+Optional:
+
+- `enabled` (Boolean)
+
+
+### Nested Schema for `spec.options.ssh_port_forwarding.remote`
+
+Optional:
+
+- `enabled` (Boolean)
 

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml

@@ -1320,16 +1320,24 @@ spec:
                       to true unless explicitly set to false.
                     type: boolean
                   ssh_port_forwarding:
-                    description: SSHPortForwarding defines which types of SSH port
-                      forwarding are permitted, if any.
+                    description: SSHPortForwarding configures what types of SSH port
+                      forwarding are allowed by a role.
                     nullable: true
                     properties:
                       local:
                         description: Allow local port forwarding.
-                        type: boolean
+                        nullable: true
+                        properties:
+                          enabled:
+                            type: boolean
+                        type: object
                       remote:
                         description: Allow remote port forwarding.
-                        type: boolean
+                        nullable: true
+                        properties:
+                          enabled:
+                            type: boolean
+                        type: object
                     type: object
                 type: object
             type: object
@@ -2711,16 +2719,24 @@ spec:
                       to true unless explicitly set to false.
                     type: boolean
                   ssh_port_forwarding:
-                    description: SSHPortForwarding defines which types of SSH port
-                      forwarding are permitted, if any.
+                    description: SSHPortForwarding configures what types of SSH port
+                      forwarding are allowed by a role.
                     nullable: true
                     properties:
                       local:
                         description: Allow local port forwarding.
-                        type: boolean
+                        nullable: true
+                        properties:
+                          enabled:
+                            type: boolean
+                        type: object
                       remote:
                         description: Allow remote port forwarding.
-                        type: boolean
+                        nullable: true
+                        properties:
+                          enabled:
+                            type: boolean
+                        type: object
                     type: object
                 type: object
             type: object

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml

@@ -1323,16 +1323,24 @@ spec:
                       to true unless explicitly set to false.
                     type: boolean
                   ssh_port_forwarding:
-                    description: SSHPortForwarding defines which types of SSH port
-                      forwarding are permitted, if any.
+                    description: SSHPortForwarding configures what types of SSH port
+                      forwarding are allowed by a role.
                     nullable: true
                     properties:
                       local:
                         description: Allow local port forwarding.
-                        type: boolean
+                        nullable: true
+                        properties:
+                          enabled:
+                            type: boolean
+                        type: object
                       remote:
                         description: Allow remote port forwarding.
-                        type: boolean
+                        nullable: true
+                        properties:
+                          enabled:
+                            type: boolean
+                        type: object
                     type: object
                 type: object
             type: object

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml

@@ -1323,16 +1323,24 @@ spec:
                       to true unless explicitly set to false.
                     type: boolean
                   ssh_port_forwarding:
-                    description: SSHPortForwarding defines which types of SSH port
-                      forwarding are permitted, if any.
+                    description: SSHPortForwarding configures what types of SSH port
+                      forwarding are allowed by a role.
                     nullable: true
                     properties:
                       local:
                         description: Allow local port forwarding.
-                        type: boolean
+                        nullable: true
+                        properties:
+                          enabled:
+                            type: boolean
+                        type: object
                       remote:
                         description: Allow remote port forwarding.
-                        type: boolean
+                        nullable: true
+                        properties:
+                          enabled:
+                            type: boolean
+                        type: object
                     type: object
                 type: object
             type: object