Oracle join method - Add docs (#52018)

This change adds documentation for the Oracle join method
gravitational · Mar 3, 2025 · 0242d56 · 0242d56
1 parent d646170
commit 0242d56
Show file tree

Hide file tree

Showing 7 changed files with 155 additions and 0 deletions.
diff --git a/docs/cspell.json b/docs/cspell.json
@@ -153,6 +153,7 @@
     "NOPASSWD",
     "NVGJ",
     "Näme",
+    "OCID",
     "ODBC",
     "OIDC",
     "OTLP",

diff --git a/docs/img/oracle/[email protected] b/docs/img/oracle/[email protected]
diff --git a/docs/img/oracle/[email protected] b/docs/img/oracle/[email protected]
diff --git a/...esources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx b/...esources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx
@@ -18,5 +18,6 @@ Service. Choose the method that best suits your infrastructure:
 |[Azure Managed Identity](azure.mdx)|A Teleport process demonstrates that it runs in your Azure subscription by sending a signed attested data document and access token to the Teleport Auth Service.|Your Teleport process will run on Azure.|
 |[Kubernetes ServiceAccount](kubernetes.mdx)|A Teleport process uses a Kubernetes-signed proof to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on Kubernetes.|
 |[GCP IAM](gcp.mdx)|A Teleport process uses a GCP-signed token to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on a GCP VM.|
+|[OCI IAM](oracle.mdx)|A Teleport process uses Oracle Cloud credentials to join the cluster.|Your Teleport process will run on an OCI Compute instance.|
 |[Join Token](join-token.mdx)|A Teleport process presents a join token provided when starting the service.|There is no other supported method for your cloud provider.|
 
diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/oracle.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/oracle.mdx
@@ -0,0 +1,115 @@
+---
+title: Join Services with Oracle Cloud
+description: Use the Oracle join method to add services to your Teleport cluster.
+---
+
+This guide will explain how to use the **Oracle join method** to configure
+Teleport processes to join your Teleport cluster without sharing any secrets
+when they are running in an Oracle Cloud Infrastructure (OCI) Compute instance.
+
+The Oracle join method is available to any Teleport process running on an
+OCI Compute instance.
+
+## Prerequisites
+
+(!docs/pages/includes/edition-prereqs-tabs.mdx version="17.3.0"!)
+
+- An OCI Compute instance to host a Teleport service.
+- (!docs/pages/includes/tctl.mdx!)
+
+## Step 1/5. Create the Oracle joining token
+
+Configure your Teleport Auth Service with a special dynamic token which will
+allow services from your OCI tenants to join your Teleport cluster.
+
+Under the hood, services will prove that they are running in your OCI
+tenant by sending a presigned self-authentication request to the OCI API
+for the Auth Service to execute.
+
+Create the following `token.yaml` file with an `oracle.allow` rule specifying
+the Oracle tenant(s), compartment(s), and region(s) in which your OCI
+Compute instances will run:
+
+(!docs/pages/includes/provision-token/oracle-spec.mdx!)
+
+Run the following command to create the token:
+
+```code
+$ tctl create token.yaml
+```
+
+## Step 2/5. Configure permissions
+
+Every OCI Compute instance needs permission to authenticate itself with the
+Oracle Cloud API so the presigned request can succeed.
+
+### Create a dynamic group
+
+In the OCI console, navigate to
+[Identity/Domains](https://cloud.oracle.com/identity/domains).
+Select your domain, then select **Dynamic groups**. Click **Create dynamic group**.
+Create a group with the following matching rule, using the OCID of the
+compartment your instance is in:
+```code
+Any {instance.compartment.id = '<Var name="compartment-id" />'}
+```
+
+![Create dynamic group](../../../../img/oracle/[email protected])
+
+<Notice type="tip">
+
+To minimize unnecessary permissions, configure your matching rules to match
+the rules in the token created in step 1.
+
+</Notice>
+
+### Add policy to group
+
+In the OCI console, navigate to
+[Identity/Domains/Policy](https://cloud.oracle.com/identity/domains/policies).
+Click **Create Policy**. Create the following policy, using the name of the
+selected identity domain:
+```code
+Allow dynamic-group '<Var name="identity-domain" />'/'join-teleport' to inspect authentication in tenancy
+```
+
+![Create policy](../../../../img/oracle/[email protected])
+
+## Step 3/5. Install Teleport
+
+Install Teleport on your OCI Compute instance.
+
+(!docs/pages/includes/install-linux.mdx!)
+
+## Step 4/5. Configure your services
+
+The Oracle join method can be used for Teleport processes running the SSH (`Node`), Proxy,
+Kubernetes, Application, Database, or Windows Desktop Services. The Teleport
+process should be run directly on an OCI Compute instance.
+
+Configure your Teleport process with a custom `teleport.yaml` file. Use the
+`join_params` section with `token_name` matching your token created in Step 1
+and `method: oracle` as shown in the following example config:
+
+```yaml
+# /etc/teleport.yaml
+version: v3
+teleport:
+  join_params:
+    token_name: oracle-token
+    method: oracle
+  proxy_server: https://teleport.example.com:443
+ssh_service:
+  enabled: yes
+auth_service:
+  enabled: no
+proxy_service:
+  enabled: no
+```
+
+## Step 5/5. Launch your Teleport process
+
+(!docs/pages/includes/start-teleport.mdx!)
+
+Once you have started Teleport, confirm that your service is able to connect to
+and join your cluster.
diff --git a/docs/pages/includes/provision-token/oracle-spec.mdx b/docs/pages/includes/provision-token/oracle-spec.mdx
@@ -0,0 +1,27 @@
+```yaml
+# token.yaml
+kind: token
+version: v2
+metadata:
+  # The token name is not a secret because instances must prove that they are
+  # running in your Oracle tenant to use this token.
+  name: oracle-token
+spec:
+  # Use the minimal set of roles required (e.g. Node, Proxy, App, Kube, DB, WindowsDesktop).
+  roles: [Node]
+
+  # Set the join method allowed for this token.
+  join_method: oracle
+
+  oracle:
+    allow:
+      # OCID of the tenancy to allow instances to join from. Required.
+      - tenancy: "ocid1.tenancy.oc1..<unique ID>"
+        # (Optional) OCIDs of compartments to allow instances to join from. Only the direct parent
+        # compartment applies; i.e. nested compartments are not taken into account.
+        # If empty, instances can join from any compartment in the tenancy.
+        parent_compartments: ["ocid1.compartment.oc1...<unique_ID>"]
+        # (Optional) Regions to allow instances to join from. Both full names ("us-phoenix-1")
+        # and abbreviations ("phx") are allowed. If empty, instances can join from any region.
+        regions: ["example-region"]
+```
diff --git a/docs/pages/reference/join-methods.mdx b/docs/pages/reference/join-methods.mdx
@@ -452,3 +452,14 @@ secrets.
 <Admonition type="note" title="See Also">
 - [Deploying Machine ID on Bitbucket Pipelines](../enroll-resources/machine-id/deployment/bitbucket.mdx)
 </Admonition>
+
+### Oracle Cloud: `oracle`
+
+The Oracle join method is available to any Teleport process running on an Oracle
+Cloud Compute instance.
+
+(!docs/pages/includes/provision-token/oracle-spec.mdx!)
+
+<Admonition type="note" title="See Also">
+- How to [Join Services with Oracle Cloud](../enroll-resources/agents/join-services-to-your-cluster/oracle.mdx).
+</Admonition>
-Original file line number
+Diff line change
@@ Expand Up / @@ -153,6 +153,7 @@ @@
         "NOPASSWD",
         "NVGJ",
         "Näme",
+        "OCID",
         "ODBC",
         "OIDC",
         "OTLP",
@@ Expand Down @@