Merge branch 'branch/v16' into tigrato/sec-scan-v16

.github/workflows/post-release.yaml

@@ -104,7 +104,8 @@ jobs:
               .variables.teleport.latest_oss_docker_image |= sub(":.*";":")+$version |
               .variables.teleport.latest_oss_debug_docker_image |= sub(":.*";":")+$version |
               .variables.teleport.latest_ent_docker_image |= sub(":.*";":")+$version |
-              .variables.teleport.latest_ent_debug_docker_image |= sub(":.*";":")+$version' \
+              .variables.teleport.latest_ent_debug_docker_image |= sub(":.*";":")+$version |
+              .variables.teleport.teleport_install_script_url |=  sub("install-v.*.sh"; "install-v"+$version+".sh")' \
               docs/config.json > docs/confignew.json
           cat docs/confignew.json
           mv docs/confignew.json docs/config.json

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=16.1.0
+VERSION=16.1.4
 
 DOCKER_IMAGE ?= teleport
 

api/client/webclient/webconfig.go

@@ -72,45 +72,71 @@ type WebConfig struct {
 	// PlayableDatabaseProtocols is a list of database protocols which session
 	// recordings can be played.
 	PlayableDatabaseProtocols []string `json:"playable_db_protocols"`
-	// HideInaccessibleFeatures is true when features should be undiscoverable to users without the necessary permissions.
-	// Usually, in order to encourage discoverability of features, we show UI elements even if the user doesn't have permission to access them,
-	// this flag disables that behavior.
-	HideInaccessibleFeatures bool `json:"hideInaccessibleFeatures"`
 	// CustomTheme is a string that represents the name of the custom theme that the WebUI should use.
 	CustomTheme string `json:"customTheme"`
+	// Questionnaire indicates whether cluster users should get an onboarding questionnaire
+	Questionnaire bool `json:"questionnaire"`
+	// IsStripeManaged indicates if the cluster billing & lifecycle is managed via Stripe
+	IsStripeManaged bool `json:"isStripeManaged"`
+	// PremiumSupport indicates whether the customer has premium support
+	PremiumSupport bool `json:"premiumSupport"`
+	// Edition is the edition of Teleport
+	Edition string `json:"edition"`
+	// entitlements define a customer’s access to a specific features
+	Entitlements map[string]EntitlementInfo `json:"entitlements,omitempty"`
+
+	// Deprecated Fields
 	// Deprecated: IsTeam is true if [Features.ProductType] = Team
 	// Prefer checking the cluster features over this flag, as this will be removed.
 	IsTeam bool `json:"isTeam"`
+	// HideInaccessibleFeatures is true when features should be undiscoverable to users without the necessary permissions.
+	// Usually, in order to encourage discoverability of features, we show UI elements even if the user doesn't have permission to access them,
+	// this flag disables that behavior.
+	// Deprecated, use entitlements
+	HideInaccessibleFeatures bool `json:"hideInaccessibleFeatures"`
 	// IsIGSEnabled is true if [Features.IdentityGovernance] = true
+	// Deprecated, use entitlements
 	IsIGSEnabled bool `json:"isIgsEnabled"`
 	// IsPolicyEnabled is true if [Features.Policy] = true
+	// Deprecated, use entitlements
 	IsPolicyEnabled bool `json:"isPolicyEnabled"`
 	// featureLimits define limits for features.
 	// Typically used with feature teasers if feature is not enabled for the
 	// product type eg: Team product contains teasers to upgrade to Enterprise.
+	// Deprecated, use entitlements
 	FeatureLimits FeatureLimits `json:"featureLimits"`
-	// Questionnaire indicates whether cluster users should get an onboarding questionnaire
-	Questionnaire bool `json:"questionnaire"`
-	// IsStripeManaged indicates if the cluster billing & lifecycle is managed via Stripe
-	IsStripeManaged bool `json:"isStripeManaged"`
 	// ExternalAuditStorage indicates whether the EAS feature is enabled in the cluster.
+	// Deprecated, use entitlements
 	ExternalAuditStorage bool `json:"externalAuditStorage"`
-	// PremiumSupport indicates whether the customer has premium support
-	PremiumSupport bool `json:"premiumSupport"`
 	// JoinActiveSessions indicates whether joining active sessions via web UI is enabled
+	// Deprecated, use entitlements
 	JoinActiveSessions bool `json:"joinActiveSessions"`
 	// AccessRequests indicates whether access requests are enabled
+	// Deprecated, use entitlements
 	AccessRequests bool `json:"accessRequests"`
 	// TrustedDevices indicates whether trusted devices page is enabled
+	// Deprecated, use entitlements
 	TrustedDevices bool `json:"trustedDevices"`
 	// OIDC indicates whether the OIDC integration flow is enabled
+	// Deprecated, use entitlements
 	OIDC bool `json:"oidc"`
 	// SAML indicates whether the SAML integration flow is enabled
+	// Deprecated, use entitlements
 	SAML bool `json:"saml"`
 	// MobileDeviceManagement indicates whether adding Jamf plugin is enabled
+	// Deprecated, use entitlements
 	MobileDeviceManagement bool `json:"mobileDeviceManagement"`
-	// Edition is the edition of Teleport
-	Edition string `json:"edition"`
+}
+
+// EntitlementInfo is the state and limits of a particular entitlement; Example for feature X:
+// { Enabled: true,  Limit: 0 }   => unlimited access to feature X
+// { Enabled: true,  Limit: >0 }  => limited access to feature X
+// { Enabled: false, Limit: >=0 } => no access to feature X
+type EntitlementInfo struct {
+	// Enabled indicates the feature is 'on' if true; feature is disabled if false
+	Enabled bool `json:"enabled"`
+	// Limit indicates the allotted amount of use when limited; if 0 use is unlimited
+	Limit int32 `json:"limit"`
 }
 
 // featureLimits define limits for features.