Opened in error #13285
This change aims to make the Cloud Downloads page a bit neater looking.
Co-authored-by: Paul Gottschling <[email protected]>
457a99e0 update webapps to support more MySQL audit events (gravitational/webapps#729) (gravitational/webapps#737) gravitational/webapps@457a99e0 [source: -w teleport-v9] [target: -t branch/v9]
Backports #11838 * Edit four Access Controls guides for Cloud users See #10638 Per-session MFA - Add scoped Tabs to the Prerequisites section - Add a ScopedBlock so Cloud users don't see the option to enable per-session MFA via static config - Minor copy-edits and organization edits. For example, turn a section that refers to an example in another section into an Admonition. Dual Authorization - Add scoped Tabs to the Prerequisites - Use a scoped Notice for the edition warning - Style/clarity/grammar edits - Hide the Troubleshooting section for Cloud users Moderated Sessions - Change the edition warning to a scoped Notice. Since this guide is a conceptual guide rather than a step-by-step tutorial, there's no other scope-irrelevant information to hide. Impersonation - Add scoped Tabs to the Prerequisites - Used ScopedBlocks to hide minor scope-irrelevant details - Minor style/grammar/clarity edits * Respond to PR feedback * Respond to PR feedback
See #10633 Labels - Turn the Prerequisites into a Tabs box for different editions. This means that users of one edition will not need to see information intended for users of another edition. - Add misc. clarity, grammar, and style edits. Local Users - Use Tabs for the Prerequisites so users of one edition don't see information for another edition - SSO was briefly mentioned without elaboration, so I added this to a Further Reading section with scoped tabs - Use Tabs for Proxy connection instructions Troubleshooting - Add a note re: the relevance of the guide for Cloud users - Add Tabs for the Getting help section so commercial or OSS users don't see irrelevant information - General clarity, grammar, and style tweaks Graceful Restarts - Add a notice indicating how this guide is relevant for Cloud users - Misc clarity, grammar, and style tweaks
Since we can now adjust the visibility of Admonitions based on scope, this change explains how the `scope` and `scopeOnly` attributes work in the Admonition component within the docs UI reference.
Fix race condition reported by TestIntegrations - Disconnection Backport of #11737
#10817 states in the docs that the default for `authenticationSecondFactor.secondfactor` is `otp`, but it didn't actually update the values.yaml file to make this change the default. This PR addresses that mistake and brings the chart in-line with the docs.
* Delete app sessions on logout (#9873) * feat: delete app web sessions during logout * Apply suggestions from code review Co-authored-by: Roman Tkachenko <[email protected]> * refactor(auth): add VerbList action to delete user app sessions Co-authored-by: Roman Tkachenko <[email protected]> * test(local): change `newIdentityService` arguments Co-authored-by: Roman Tkachenko <[email protected]>
Using the OIDC connector with Okta would fail due to an issue in our fork of go-oidc. Update this dependency to get the fix. Additionally, clean up the logic for syncing the connector configuration, which was using a context.Context in order to implement a timeout. This can be expressed in a simpler way with time.After()
* Edit the Database Access GUI guide for Cloud users See #10637 - Add a Prerequisites section with tabs for different scopes - Use a ScopedBlock so the "Get connection information" section only shows connection options that are relevant to a particular scope. - Where the guide refers to a particular "tsh" command that doesn't apply to all scopes, refer to the "Get connection information" section instead. - Light copy-edits for style, clarity, and grammar * Respond to PR feedback
Backports #11710 While editing guides in certain sections to accommodate Cloud users (#10631), I introduced some inconsistencies into the way the Prerequisites sections in these guides provide instructions for users of Cloud, Open Source, and Enterprise Teleport. This change adds a partial that provides tabbed instructions to users of different Teleport editions when a guide requires a running Auth and Proxy Service. It then includes this partial where relevant in guides that fall under the scope of #10631. This helps ensure that cross-edition instructions are consistent in our guides, and makes it easier to edit additional guides to accommodate users of different editions. Caveats: - Since this change covers a lot of guides, it aims to be as small as possible. While all of these guides included links in their Prerequisites sections, for example, replacing these links with full instructions was out of the scope of this guide. This change should still make it easier to make further edits, e.g., in response to #11538. - We still need to change other elements of some guides to accommodate Cloud users. The current change only aims to standardize the Prerequisites section.
This is the docs counterpart to #11718 Backports #11948 Co-authored-by: Paul Gottschling <[email protected]>
Backports #10920 * Prepare five guides for Cloud users Configuration reference - Add a tabbed warning box, which incorporates the existing warnings into a single Admonition (to avoid Admonition clutter) and add instructions for Cloud users. Backends Add a compatibility note for Cloud users. There is little else we can do at this point since it is not currently possible to adjust the visibility of an entire page of the docs site based on the scope selector. EC2 node labels guide - Add Tabs to the Prerequisites section so users don't see scope- irrelevant content. - Misc. clarity/style/grammar edits. Audit Logs guide - Prevent Cloud, Enterprise, or OSS users from seeing scope-irrelevant information by using Tabs. - Note that this change does not attempt to update the list of audit event types, since doing so would exceed the time I allotted for updating this guide. Docker setup guide - Remove the image.mdx partial, since it is only used once. - Create a partial for the Enterprise Docker image table. - Use Tabs to display different instructions for users of different Teleport editions. * Respond to PR feedback * Respond to PR feedback
* Edit three guides to support Cloud users See #10633 Upgrading - Misc. grammar/style/clarity tweaks - Add details re: checking the Cloud Proxy/Auth versions for Cloud users - Add a scoped Tabs component for the upgrade sequence - Remove the "upgrading to Teleport 4.0+" section since we no longer support this version Backup and restore - Add scoped Tabs components where instructions vary between editions - Misc clarity/grammar/style improvements Authentication Use Tabs to ensure that readers who have selected one scope don't see content that is relevant only for other scopes. * Respond to PR feedback * Respond to PR feedback
* Edit three Setup guides for Cloud users Teleport Daemon - Use a Notice for a warning re: the Auth Service scoped to self-hosted users - Misc grammar/style/clarity tweaks Move the Enterprise License File page The page does not belong in the Setup section, since it does not apply to Cloud and OSS users. I have moved the page into the Enterprise section. Networking guide - Add tabbed instructions so users who have selected a given scope don't see content for other scopes. - Mention auth_service.proxy_listener_mode instead of tls_routing_enabled for self-hosted readers - Misc grammar, style, and clarity edits Scaling We already added an edition warning in a Details box, but I thought a Notice would be more prominent. I've also added some minor grammar, style, and clarity tweaks. * Address PR feedback - Imply that there are non-Auth/Proxy services beside Nodes - Remove "shell" where it is unnecessary - Revert the "HTTP CONNECT" section to where it was before this change. The copy-edits were inaccurate, but I don't have time to perform the edits again more carefully. * Address PR feedback Simplify the HTTP CONNECT section by bringing the example closer to the explanation of this functionality and removing some ambiguity over whether one or both of HTTPS_PROXY and HTTP_PROXY are required. The original text suggested that either is required, then that both are required. The new text says to assign both, then explains why.
* Prepare more Setup guides for Cloud users TLS Routing Migration Added a compatibility note for Cloud users. Unfortunately there is nothing else we can do until we can come up with a way to adjust the visibility of whole pages based on the scope picker. Running Teleport on GCP and IBM Cloud Both of these guides assume throughout that you are deploying the Auth Service, Proxy Service, and Auth Service storage backend. There is very little relevant information for Cloud users. Since making these guides relevant for Cloud users would require research and rewriting, which is out of scope for issue #10633, this change adds a Notice component to these guides explaining their relevance. Reducing the Blast Radius This guide already includes instructions for Cloud users. This change includes the tctl.mdx partial to ensure that Cloud users know to log in first before running tctl commands. Resources reference - Add Tabs in the introduction where guidance differs for Cloud and Self-Hosted users. - Include the tctl.mdx partial in the Introduction so users know how to connect to their Teleport cluster in order to perform tctl commands. - Edit the introductory sections of the post for clarity and style. Note that this change does not attempt to fill in missing dynamic resource types within the reference list, as this would be outside the time I allotted to work on issue #10633. CLI reference - Add instructions for Cloud users via a Notice above the roles table and tabbed instructions above the tctl section. - Add an entry for the Windows Desktop Service in the roles table. - Perform some light copy editing, e.g., removing somewhat confusing links from H4 headings and making minor style tweaks. A comprehensive refresh of the CLI reference is out of scope of my work on issue #10633. * Respond to PR feedback * Address PR feedback
* Demonstrate usage of `golden` for tbot template generation tests. (#12898) * Refactor tbot (#12855) * start refactoring tbot to have a core struct * refactor tbot into lib/ * move `tbot` subpackages to `lib/tbot` * remove mutex pointer * move `tshwrap` to `lib/` from `/tool/tbot/` * move new template ssh client render test to lib/ * address pr feedback * add request changed
* Make the Daemon guide easier to follow See #11841 This change organizes the Daemon guide into a step-by-step tutorial that users can follow more easily. - Clarify the title a bit more. - Remove the table of commands. This is covered more fully in the CLI reference (which this links to) and isn't strictly relevant to the purpose of this guide, setting up Teleport as a systemd unit. - Add a Prerequisites section. - Organize body sections into steps. - Add installation and "teleport configure" commands, which are necessary for the systemd service to run. * Respond to PR feedback
Signed-off-by: Michael McAllister <[email protected]>
This change fixes a bug in EC2 labels (#12593) involving concurrent writes to the labels map. This is fixed by making EC2.Get() return a copy instead of the actual label map.
The instance metadata client added in #12593 significantly slows down integration tests. This change adds a disabled client to integration tests to improve performance.
This change skips over EC2 tag keys that aren't valid Teleport label keys.
* Make the Adding Nodes guide more usable See: #11841 This change makes the Adding Nodes guide more usable for self-hosted clusters based on manual testing. - Make it clearer that you can use tctl on your local machine with a self-hosted cluster. For convenience, all instructions in this guide assume you are using tctl from a local machine. - Misc. minor edits for clarity. - Move different methods of using tokens into Details boxes, since following the guide only requires the first "tctl nodes add" command. - Use environment variables to store the CA pin, invite token, and Proxy/Auth address, making it slightly more convenient to copy the "teleport start" command and run it on the Node. - Turn the Node Tunneling section into a Details box below the instruction to assign the Auth/Proxy address to an environment variable, and better integrate the text into the guide. Previously, the Node Tunneling section also advised the reader to create a token, which they would have done already at this point in the guide. * Respond to PR feedback Also remove some erroneous command output
If a reader uses the docs version picker to select "Older Versions", they will navigate to a page where the current version is still the version they had previously selected. This change adds a link to the main docs site to make navigation easier. This is a provisional solution to tide us over until we have a better way to handle unsupported versions in our docs version picker.
* Flesh out CAP instructions Closes #11840 Since Cloud accounts begin with a cluster_auth_preference resource, you need to obtain your current resource via tctl get and make changes, rather than creating a fresh one. This changes Cloud instructions in several guides to reflect this. Also use the same instructions for self-hosted users. If a CAP does not exist on the backend, the shell redirection used in the "tctl get" command will result in an empty file, which follows the existing instructions with minimal changes. Also update the instructions related to u2f in the Reducing the Blast Radius guide. * Respond to PR feedback
Backports #12525 * Edit tctl instructions to clarify remote login Closes #11464 - Ensure that all example tctl commands are accompanied either by instructions to log in to the cluster or the tctl.mdx partial. - Edit the guides in the Architecture section to remove notes that tctl can only be used locally to the Auth Service. - Edit the user-client-rereqs partial to mention tctl for all editions, since you can log in to tctl remotely for all editions. Not editing guides where: - tctl is run via kubectl exec - tctl is not mentioned in a code block, i.e., only in passing, and a reader isn't expected to run the command on their own while following the guide. - The user is already expected to run tctl on the Auth Service. The docker-compose Getting Started guide is an example of this. * Respond to PR feedback - Provide more context on authenticating with tctl in the CLI reference - Update the link to more information re: tctl in the architecture overview, and indicate that tctl users must authenticate. - Minor tweaks. * Respond to PR feedback - Rephrase the authentication paragraph in the Architecture Overview.
Currently, the main body content of the docs home page links to sections related to individual resources (Server Access, Application Access, etc.). For users visiting the docs for the first time, it's difficult to determine what is involved in getting started with Teleport. This change organizes the docs landing page to imply that there is a progression from one stage of the user's setup to the next. See #12787 - Add headings for different stages of setting up Teleport. - Add links to a Getting Started guide for each edition that includes a "scope" query so users are given the appropriate scope (this partially addresses #12773). - Edit the initial list of Teleport benefits to be more general and encompass more functionality. - Very light copy-editing of the text in the tile lists at the bottom of the page.
* Label desktops based on the content of LDAP attributes This allows users to configure an optional set of LDAP attributes which will be included in all LDAP queries. Teleport uses these attributes when labeling desktops. Updates #12326
* docs: Fix proxy config for GCP * Additional proxy config, plus ACME * Update docs/pages/setup/deployments/gcp.mdx
Searched for all locations where s3:ListBucketMultipartUploads is currently required and added it. Co-authored-by: Gus Luxton <[email protected]>
bbb35a39 Fix null role response from users fetch (gravitational/webapps#871) (gravitational/webapps#872) gravitational/webapps@bbb35a39 [source: -w teleport-v9] [target: -t branch/v9]
The PodSecurityPolicy specifies `MustRunAsNonRoot` but the image runs as root. `Error: container has runAsNonRoot and image will run as root (pod: "<redacted>", container: teleport).` We expose the securityContext to allow forcing to run as a non-root user such as 99 (nobody) and respect the psp. Co-authored-by: daquinoaldo <[email protected]>