(v8) Add dynamic registration and discovery guides

docs/config.json

@@ -98,7 +98,8 @@
             { "title": "Connecting Apps", "slug": "/application-access/guides/connecting-apps/" },
             { "title": "Integrating with JWT", "slug": "/application-access/guides/jwt/" },
             { "title": "API Access", "slug": "/application-access/guides/api-access/" },
-            { "title": "AWS Console Access", "slug": "/application-access/guides/aws-console/" }
+            { "title": "AWS Console Access", "slug": "/application-access/guides/aws-console/" },
+            { "title": "Dynamic Registration", "slug": "/application-access/guides/dynamic-registration/" }
           ]
         },
         { "title": "Access Controls", "slug": "/application-access/controls/" },
@@ -174,8 +175,7 @@
           "title": "Guides",
           "slug": "/database-access/guides/",
           "entries": [
-            { "title": "AWS RDS/Aurora PostgreSQL", "slug": "/database-access/guides/postgres-aws/" },
-            { "title": "AWS RDS/Aurora MySQL", "slug": "/database-access/guides/mysql-aws/" },
+            { "title": "AWS RDS & Aurora", "slug": "/database-access/guides/rds/" },
             { "title": "AWS Redshift", "slug": "/database-access/guides/postgres-redshift/" },
             { "title": "GCP Cloud SQL PostgreSQL", "slug": "/database-access/guides/postgres-cloudsql/" },
             { "title": "GCP Cloud SQL MySQL", "slug": "/database-access/guides/mysql-cloudsql/" },
@@ -185,6 +185,7 @@
             { "title": "Self-Hosted MongoDB", "slug": "/database-access/guides/mongodb-self-hosted/" },
             { "title": "Self-Hosted CockroachDB", "slug": "/database-access/guides/cockroachdb-self-hosted/" },
             { "title": "Database GUI Clients", "slug": "/database-access/guides/gui-clients/" },
+            { "title": "Dynamic Registration", "slug": "/database-access/guides/dynamic-registration/" },
             { "title": "High Availability", "slug": "/database-access/guides/ha/" }
           ]
         },
@@ -196,7 +197,8 @@
           "entries": [
             { "title": "Configuration", "slug": "/database-access/reference/configuration/" },
             { "title": "CLI", "slug": "/database-access/reference/cli/" },
-            { "title": "Audit Events", "slug": "/database-access/reference/audit/" }
+            { "title": "Audit Events", "slug": "/database-access/reference/audit/" },
+            { "title": "AWS IAM", "slug": "/database-access/reference/aws/" }
           ]
         },
         { "title": "FAQ", "slug": "/database-access/faq/" }
@@ -559,6 +561,16 @@
       "source": "/quickstart-docker/",
       "destination": "/setup/guides/docker/",
       "permanent": true
+    },
+    {
+      "source": "/database-access/guides/postgres-aws/",
+      "destination": "/database-access/guides/rds/",
+      "permanent": true
+    },
+    {
+      "source": "/database-access/guides/mysql-aws/",
+      "destination": "/database-access/guides/rds/",
+      "permanent": true
     }
   ]
 }

docs/pages/application-access/guides.mdx

@@ -17,4 +17,7 @@ layout: tocless-doc
   <Tile icon="cloud" title="AWS Console Access" href="./guides/aws-console.mdx">
     How to access AWS Management Console with Teleport Application Access.
   </Tile>
+  <Tile icon="wrench" title="Dynamic Registration" href="./guides/dynamic-registration.mdx">
+    Register/unregister apps without restarting Teleport.
+  </Tile>
 </TileSet>

docs/pages/application-access/guides/dynamic-registration.mdx

@@ -0,0 +1,83 @@
+---
+title: Dynamic App Registration
+description: Register/unregister apps without restarting Teleport.
+---
+
+<Details
+  title="Version warning"
+  opened={true}
+  scope={["oss", "enterprise"]}
+  scopeOnly={true}
+  min="8.0"
+>
+  Dynamic app registration is available starting from Teleport `8.0`.
+</Details>
+
+Dynamic app registration allows Teleport administrators to register new apps
+(or update/unregister existing ones) without having to update the static
+configuration and restarting the app agents.
+
+To enable dynamic registration, include a `resources` section in your app
+agent configuration with a list of resource label selectors you'd like this
+agent to monitor:
+
+```yaml
+app_service:
+  enabled: "yes"
+  resources:
+  - labels:
+      "*": "*"
+```
+
+You can use a wildcard selector to monitor all app resources in the cluster,
+or provide a specific set of labels to monitor a subset:
+
+```yaml
+resources:
+- labels:
+    "env": "prod"
+- labels:
+    "env": "test"
+```
+
+Next define an application resource:
+
+```yaml
+kind: app
+version: v3
+metadata:
+  name: example
+  description: "Example app"
+  labels:
+    env: test
+spec:
+  uri: http://localhost:4321
+  public_addr: test.example.com
+```
+
+See the full app resource spec [reference](../reference.mdx#application-resource).
+
+To create an application resource, run:
+
+```code
+$ tctl create app.yaml
+```
+
+After the resource has been created, it will appear among the list of available
+apps (in `tsh app ls` or UI) as long as at least one application agent picks it
+up according to its label selectors.
+
+To update an existing application resource, run:
+
+```code
+$ tctl create -f app.yaml
+```
+
+If the updated resource's labels no longer match a particular app agent, it
+will unregister and stop proxying it.
+
+To delete an application resource, run:
+
+```code
+$ tctl rm app/example
+```

docs/pages/application-access/introduction.mdx

@@ -54,6 +54,9 @@ Get started with Application Access in a 10 minute [guide](./getting-started.mdx
   <Tile icon="cloud" title="AWS Console Access" href="./guides/aws-console.mdx">
     How to access AWS Management Console with Teleport Application Access.
   </Tile>
+  <Tile icon="wrench" title="Dynamic Registration" href="./guides/dynamic-registration.mdx">
+    Register/unregister apps without restarting Teleport.
+  </Tile>
 </TileSet>
 
 ## Example legacy apps

docs/pages/application-access/reference.mdx

@@ -3,8 +3,6 @@ title: Application Access Reference Documentation
 description: Configuration and CLI reference documentation for Teleport Application Access.
 ---
 
-# Application Access Reference
-
 ## Configuration
 
 (!docs/pages/includes/backup-warning.mdx!)
@@ -20,6 +18,10 @@ app_service:
   # working correctly. It'll output JWTs so it can be useful for when
   # extending your application.
   debug_app: true
+  # Matchers for application resources created with "tctl create" command.
+  resources:
+  - labels:
+      "*": "*"
   # This section contains definitions of all applications proxied by this
   # service. It can contain multiple items.
   apps:
@@ -37,6 +39,10 @@ app_service:
       # host with the public address of this application.
       redirect:
       - "grafana.internal.dev"
+      # Headers passthrough configuration.
+      headers:
+      - "X-Custom-Header: example"
+      - "X-External-Trait: {{external.env}}"
     # Disable application certificate validation.
     insecure_skip_verify: true
     # Optional static labels to assign to the app. Used in RBAC.
@@ -49,6 +55,45 @@ app_service:
       period: 1m0s
 ```
 
+## Application resource
+
+Full YAML spec of application resources managed by `tctl` resource commands:
+
+```yaml
+kind: app
+version: v3
+metadata:
+  # Application name.
+  name: example
+  # Application description.
+  description: "Example application"
+  # Application static labels.
+  labels:
+    env: local
+spec:
+  # URI and port application is available at.
+  uri: http://localhost:4321
+  # Optional application public address.
+  public_addr: test.example.com
+  # Disable application certificate validation.
+  insecure_skip_verify: true
+  # Rewrites configuration.
+  rewrite:
+    # Rewrite the "Location" header on redirect responses replacing the
+    # host with the public address of this application.
+    redirect:
+    - "grafana.internal.dev"
+    # Headers passthrough configuration.
+    headers:
+    - "X-Custom-Header: example"
+    - "X-External-Trait: {{external.env}}"
+  # Optional dynamic labels.
+  dynamic_labels:
+  - name: "hostname"
+    command: ["hostname"]
+    period: 1m0s
+```
+
 ## CLI
 
 This section shows CLI commands relevant for Application Access.

docs/pages/database-access/architecture.mdx

@@ -126,8 +126,8 @@ With RDS and Aurora database instances, the Database Service authenticates using
 The Database Service automatically generates an IAM token for each connection
 and uses the token as a password.
 
-See respective configuration guides for [PostgreSQL](./guides/postgres-aws.mdx) and
-[MySQL](./guides/mysql-aws.mdx) for details on configuring IAM authentication.
+See [RDS](./guides/rds.mdx) configuration guide for details on configuring IAM
+authentication.
 
 ## Next steps
 

docs/pages/database-access/getting-started.mdx

@@ -179,8 +179,7 @@ $ psql "service=<cluster>-aurora user=alice dbname=postgres"
 For the next steps, dive deeper into the topics relevant to your Database
 Access use-case, for example:
 
-- Learn in more detail about AWS hosted [PostgreSQL](./guides/postgres-aws.mdx), [MySQL](./guides/mysql-aws.mdx), or GCP hosted [PostgreSQL](./guides/postgres-cloudsql.mdx).
-- Learn how to connect to a self-hosted [PostgreSQL](./guides/postgres-self-hosted.mdx) or [MySQL](./guides/mysql-self-hosted.mdx).
+- Check out configuration [guides](./guides.mdx).
 - Learn how to configure [GUI clients](./guides/gui-clients.mdx).
 - Learn about Database Access [role-based access control](./rbac.mdx).
 - See [frequently asked questions](./faq.mdx).

docs/pages/database-access/guides.mdx

@@ -9,11 +9,8 @@ layout: tocless-doc
 ## Cloud-hosted guides
 
 <TileSet>
-  <Tile icon="cloud" title="AWS RDS PostgreSQL" href="./guides/postgres-aws.mdx">
-    Connect AWS RDS or Aurora PostgreSQL database.
-  </Tile>
-  <Tile icon="cloud" title="AWS RDS MySQL" href="./guides/mysql-aws.mdx">
-    Connect AWS RDS or Aurora MySQL database.
+  <Tile icon="cloud" title="AWS RDS & Aurora" href="./guides/rds.mdx">
+    Connect AWS RDS or Aurora PostgreSQL or MySQL database.
   </Tile>
   <Tile icon="cloud" title="AWS Redshift" href="./guides/postgres-redshift.mdx">
     Connect AWS Redshift database.
@@ -52,6 +49,9 @@ layout: tocless-doc
   <Tile icon="window" title="GUI clients" href="./guides/gui-clients.mdx">
     Configure database graphical clients.
   </Tile>
+  <Tile icon="wrench" title="Dynamic Registration" href="./guides/dynamic-registration.mdx">
+    Register/unregister databases without restarting Teleport.
+  </Tile>
   <Tile icon="integrations" title="High Availability" href="./guides/ha.mdx">
     Deploy database access in HA configuration.
   </Tile>

docs/pages/database-access/guides/cockroachdb-self-hosted.mdx

@@ -3,7 +3,15 @@ title: Database Access with Self-Hosted CockroachDB
 description: How to configure Teleport Database Access with self-hosted CockroachDB.
 ---
 
-# Self-Hosted CockroachDB
+<Details
+  title="Version warning"
+  opened={true}
+  scope={["oss", "enterprise"]}
+  scopeOnly={true}
+  min="8.0"
+>
+  CockroachDB support is available starting from Teleport `8.0`.
+</Details>
 
 This guide will help you to:
 

docs/pages/database-access/guides/dynamic-registration.mdx

@@ -0,0 +1,86 @@
+---
+title: Dynamic Database Registration
+description: Register/unregister databases without restarting Teleport.
+---
+
+<Details
+  title="Version warning"
+  opened={true}
+  scope={["oss", "enterprise"]}
+  scopeOnly={true}
+  min="8.0"
+>
+  Dynamic database registration is available starting from Teleport `8.0`.
+</Details>
+
+Dynamic database registration allows Teleport administrators to register new
+databases (or update/unregister existing ones) without having to update the
+static configuration and restarting the database agents.
+
+To enable dynamic registration, include a `resources` section in your database
+agent configuration with a list of resource label selectors you'd like this
+agent to monitor:
+
+```yaml
+db_service:
+  enabled: "yes"
+  resources:
+  - labels:
+      "*": "*"
+```
+
+You can use a wildcard selector to monitor all database resources in the cluster,
+or provide a specific set of labels to monitor a subset:
+
+```yaml
+resources:
+- labels:
+    "env": "prod"
+    "engine": "postgres"
+- labels:
+    "env": "test"
+    "engine": "mysql"
+```
+
+Next define a database resource:
+
+```yaml
+kind: db
+version: v3
+metadata:
+  name: example
+  description: "Example database"
+  labels:
+    env: prod
+    engine: postgres
+spec:
+  protocol: "postgres"
+  uri: "localhost:5432"
+```
+
+See the full database resource spec [reference](../reference/configuration.mdx#database-resource).
+
+To create a database resource, run:
+
+```code
+$ tctl create database.yaml
+```
+
+After the resource has been created, it will appear among the list of available
+databases (in `tsh db ls` or UI) as long as at least one database agent picks
+it up according to its label selectors.
+
+To update an existing database resource, run:
+
+```code
+$ tctl create -f database.yaml
+```
+
+If the updated resource's labels no longer match a particular database agent, it
+will unregister and stop proxying it.
+
+To delete a database resource, run:
+
+```code
+$ tctl rm db/example
+```