Update docs version vars for v13 #25230
Closed
Currently, when multiple discovery services are running with different selectors, they will race against each other and delete the other resources. This PR fixes that behavior: if the databases or kube clusters existing in auth do not match the current selectors, they will be ignored. This has a slight problem when a user stops a discovery agent: he must manually delete the resources created, otherwise they will be available forever. Fixes #23699
* Kubernetes License check for root clusters

This PR ensures that a given Teleport root cluster is licensed for Kubernetes access when forwarding credentials to leaf clusters. Previously, the root Kube proxy would call auth server to generate a new cert-key pair with the user identity and during the call Auth ensured that it was licensed for Kubernetes usage. Given the recent developments for #22533, the call mentioned was removed and it's now possible for a root enterprise cluster to forward requests to an OSS leaf cluster without validating its license. Auth server already enforces Kubernetes license for Kubernetes service when it tries to heartbeat the cluster. If the cluster is not properly licensed, it's not possible to register kubernetes clusters. Part of #22533

* remove watcher and use in process.getClusterFeatures callback
* add test to validate kube api license enforcement
* move err code to forbidden
* Make audit log details dialog larger.
* Remove empty line

* Tweak protogen to not change protos from cloud
* Use strategy: all whenever possible
- Ignore the messaging linter in the changelog. The changelog uses a different heading convention than the rest of the docs (title case instead of sentence case), so it's difficult to apply the same standards consistently.
- Minor edits to the Manual AD guide
* Checks proxy server and token set for join openssh
* Update if else logic for parameters
* Improve parameter info
* lint comment fix
* Update error messages to not be ?s
* Update error language
* Add docs subsection about joining services

Closes #21851 Also see #21305

Restructure the "Adding Nodes" guide to make joining Teleport processes via the Proxy Service the default approach. Make it easier for users to put these instructions in the context of our other joining methods by creating a separate docs subsection for our joining guides. This change also updates the previous "Adding Nodes" guide based on testing. This also renames "Node" to "Teleport process" and clarifies the distinction between running a Teleport process and running services on the process.

* Respond to zmb3 feedback
* Respond to alexfornuto feedback
* Improve the "Join Token" guide description

Makes this guide consistent with df3e36e

* Move the Kubernetes guide
* Fix spelling
* Linter fixes
* Use CompareAndSwap for OktaAssignments instead of lock.

CompareAndSwap should be used for the OktaAssignment updates instead of a lock, as it's lighter weight and fits the intended problem better.

* Use currentAssignment instead of backendAssignment.
* Update the last transition time.
* Set Metadata during update.
…nstructions (#24654)

* docs: make consistent helm configuration and instructions
* Language updates and identity file fix
* fix identity file refs
* label as Teleport Enterprise Cloud, not Teleport Cloud
This PR fixes a memory leak on Kubernetes access when using the SPDY protocol - used by `kubectl`. The memory leak happens when a new connection is established using the SPDY's HTTPStreams. Each time a new connection is created locally, `kubectl` creates two streams for it - one for data and another for returning errors. When the multiplexed streams finish, they weren't properly cleaned up from the SPDY connection and, although closed, their memory was kept alive and reachable for the duration of the SPDY long-lived connection. This ends up leaking memory and results in OOM events for the Proxy and Kubernetes services if a large number of connections are established within the same port-forwarding session. Fixes #10966
* local proxy not required for mysql separate port
* Explain MySQL TLS routing local proxy requirement
* Speedup TestDatabaseLogin
* clone profile dir to run subtests in parallel
* fix ini global var data race

* Order sudoers lines by role name
* Add a warning in the docs to explain order sudoers roles are written as
* Resolve comments
* Resolve comments
* fix lints
* AWSOIDC Integration: ListDatabases

This PR adds a new Action for the AWSOIDC Integration: ListDatabases

The goal of this action is to provide the User a list of RDS Databases from which the User will pick one to be added as a Teleport Database Resource. This way, the user doesn't need to copy/paste DB name, endpoints and labels. Before being able to call this action, the User has to set up an AWS OIDC integration.

How does it work:

```
1.   Client (web app)  -> Teleport Proxy: List Databases
2.   Teleport Proxy    -> Teleport Auth (holds RSA Private Key): Sign Token
3.   Teleport Proxy    -> AWS: rds.DescribeDBInstances (auth: token)
3.1. AWS               -> Teleport Proxy: Get OIDC Config
3.2. AWS               -> Teleport Proxy: Get RSA Public Key
3.3. AWS: Validates token signature with received public key
3.4. AWS               -> Teleport Proxy: Returns list of DBs
4.   Teleport Proxy    -> Client (web app): Returns list of DBs (name, tags, status, endpoint)
```

* add resource and account ids to DB resource
* move api namespaces
* use types.Database instead of custom database format
* add database uri
* fix comments and rate limiter
* test name override when converting RDS V2 DBs
* fix webapi database URI field
* TestClusterDatabasesGet: add parallel
* Add initial opsgenie client
* Embed opsgenie client config in client and move some helper funcs
* Fix mod and sum and call to opsgenie client buildalertbody
* Add more godocs and use vendored teleport plugins lib
* Rename opsgenie client and config to prevent repetition
* Fix struct tag in opsgenie alertbody
* Fix misleading comment
* Add tests to opsgenie client to check note bodies are formatted
* Wrap errs with more descriptive types
* Close response bodies and fix error handling
* Add missing godoc and fix defer and return order
* Add missing godocs to opsgenie types
* Change opsgenie client test to not depend on json indent etc
* Add example of api url to godoc
* Undo unnecessary mod and sum changes
* Fix go sum
* Move opsgenie client code to integrations/lib
* Fix typos

* document error with older SSM agent version
* add unmarshal to dictionary
This PR updates the RFD 117 header and updates the RFD 98 and 117 state to implemented.
Signed-off-by: Evan Freed <[email protected]>
* TLS routing behind LB support for IAM join
* minor beautify
* add test for verifyALPNUpgradedConn
* use getHostAddresses(params)[0]

* Update headless tsh command descriptions
* update request ID parameter description

Co-authored-by: Zac Bergquist <[email protected]>

---------

Co-authored-by: Zac Bergquist <[email protected]>

* docs: Login Rule k8s operator docs
* apply Tiago's suggestions
* minor edits
* add loginrules to cspell.json
* address code review comments
* explicitly mention enterprise instructions
* fix lint
* consolidate CRD check into prereq bullet

---------

Co-authored-by: alexfornuto <[email protected]>

* athena audit logs - delete from sqs
* rework to table tests

* Avoid prompting users for mfa when using `tsh ssh --headless`
* add mfa+headless test
* Clean up aws oidc integration instructions
* Change ResourceSpec icon type from ReactElement to string

When storing state into location URL, it doesn't allow storing ReactElement, so I changed the icon element into string that refers to the correct icon. Also adds rds aurora tiles to Select Resources screen.

* Fix the expected backend aws status value for RDS list
* For RDS list, allow refreshing the table

Helpful when user makes changes to the RDS instance (eg. tags) and needs to get the most up to date listing

* Update rds db setup access text info
* Make create database dialog more consistent btwn states
* Fix label matching

Previously we required the agent matcher labels be an exact match of registered db labels otherwise we prevented the user from deploying an agent (which was wrong). Now the only requirement is that the matcher labels are all able to match against registered db labels.

* Implement resuming discover flow from where user left off
* Enable integration access and rds flow
* Strip 443 ports from cluster uri
* Use the labels returned from polling db instead
* Various touch ups
  - Make label matching error less confusing by showing error upon user trying to generate command
  - Make label messaging clearer
  - Emit errors when failing to fetch rds dbs
* Address CR and update test
The SAML IdP feature has been added to the test plan.
We're regularly seeing workflows queue for 40 minutes and then fail to finish within the 1 hour timeout window. The teleport repo has a hard limit configured at 3 hours. So 2:30 gives plenty of leeway for checkout before and sending the slack notification after.
* Pin the plugins/slack image for dronegen pipelines

The latest version of this image has a regression where it reports builds as successful even when they've failed. Fixes https://github.com/gravitational/SecOps/issues/317

* Rework slack notifications in dronegen

Remove the call to action language, and leave only the relevant links. Flatten several short lines into one longer line. This allows the entire message to render without needing to expand it.

* Rework slack notifications in unmanaged pipelines

Remove the call to action language, and leave only the relevant links. Flatten several short lines into one longer line. This allows the entire message to render without needing to expand it.
* Adjust copy of db action
* Use retryWithRelogin when getting db usernames
* useAsync: Remove unnecessary useCallback

The state setter coming from useState is always stable. https://legacy.reactjs.org/docs/hooks-reference.html#usestate

* useAsync: Expand docs with `run` return value example
* useSearch: Rename `restrictions` to `filters`
* useSearch: Remove unnecessary useState calls
* Refactor lockOpen into pauseUserInteraction

lockOpen worked great when we were concerned only about user interaction with a modal closing the search bar as well. However, in the next commit I'm going to add a login modal that's shown if the search fails with a retryable error. In that scenario, pressing Enter in the modal wouldn't work, as it would be captured by the window listener that ResultList adds.

To work around this problem, I refactored lockOpen into pauseUserInteraction. It still works pretty much the same way. But then instead of having checking isLockedOpen in the close function, we have a new addWindowEventListener function. addWindowEventListener automatically removes the listener after pauseUserInteraction is called. This solves both the problem of closing the modal and the problem of using the enter key in the modal.

* Relogin & retry resource search if current workspace cert has expired
* addWindowEventListener: Name the cleanup function
* Make addWindowEventListener a prop of ResultList

…e search bar (#25061)

* Render ExtraTopComponent based on computed action picker status
* Fix formatting
* Use named args for getActionPickerStatus
* Use const for nonRetryableResourceSearchErrors
* Fix logic behind determining remaining filters

* Fix logout sequence
* Adjust `useLoggedInUser` documentation
* Mark clusters as disconnected after logging out
* Refactor `ClusterLogout` to not use the hook/container pattern
* Run prettier
* Fix test
* Use `routing.belongsToProfile`
* Simplify Okta assignment statuses.

The Okta assignment statuses have been simplified so that there's only a status on the Okta assignment object itself and the number of states is reduced.

* Fix tests, remove unused code.
* Add in Duration for update statuses to prevent changing status too soon.
* Make sure LastTransition is UTC.
* Remove actions in favor of targets, make cleanup time non-nullable.
Update e ref so that enterprise is compatible with the changes to the OktaAssignment object.
This is a partial fix for #25017 The latest version of the YubiHSM2 SDK has changed the behavior for keys longer than 2 bytes, which used to be silently truncated for all operations. This causes an unfortunate interaction with `DeleteUnusedKeys` when the SDK is upgraded in an active Teleport cluster. Because none of the active keys can be queried from the HSM individually by their ID, but they can be listed by their label, all of the active keys end up being deleted. Yeah that's bad. `DeleteUnusedKeys` is written this way in an attempt to be "stateless". Trying to synchronously delete keys at the instant they are rotated out during a CA rotation would be error-prone. If the auth server were to restart or crash at the wrong moment, you could be left with an orphaned key on your HSM forever, with no reference to it stored by Teleport or anywhere else. Instead, the Auth server labels all keys it creates with its own host UUID. Then periodically (during startup) it lists all keys in the HSM that are labeled with its own UUID, and if they are not currently active, deletes them. This goes catastrophically wrong when individual lookup operations fail, but list operations succeed. The fix here is to avoid deleting any keys if any single lookup fails. The YubiHSM2 SDK version 2023.1 is still not supported, but with this fix at least we won't delete any active keys.
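The fail-safe described in that commit message, written as an added Go example against a hypothetical HSM interface. This is not Teleport's keystore code: the `keyStore` interface, the `memHSM` mock, its `lookupBroken` switch, and the key IDs and labels are all constructed here for illustration. The cleanup labels keys with the host UUID, lists them by label, and deletes the inactive ones; the fix is the early return that deletes nothing when any active key cannot be looked up individually.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// hsmKey is one key object as seen through a hypothetical HSM client.
type hsmKey struct {
	ID    string // object identifier used for individual lookups
	Label string // free-form label; the auth server sets it to its own host UUID
}

// keyStore is the subset of HSM operations the cleanup needs (hypothetical
// interface for this example, not Teleport's keystore API).
type keyStore interface {
	FindKeyByID(id string) (hsmKey, error)
	ListKeysByLabel(label string) ([]hsmKey, error)
	DeleteKey(id string) error
}

// deleteUnusedKeys confirms that every currently active key can still be looked
// up individually, then lists all keys labelled with this host's UUID and deletes
// the ones that are not active. If any single lookup fails, nothing is deleted.
func deleteUnusedKeys(store keyStore, hostUUID string, activeKeyIDs []string) ([]string, error) {
	active := make(map[string]struct{}, len(activeKeyIDs))
	for _, id := range activeKeyIDs {
		if _, err := store.FindKeyByID(id); err != nil {
			// An active key that cannot be found by ID means lookups are not
			// trustworthy; deleting now could destroy the live CA keys.
			return nil, fmt.Errorf("refusing to delete unused keys: lookup of active key %q failed: %w", id, err)
		}
		active[id] = struct{}{}
	}

	labelled, err := store.ListKeysByLabel(hostUUID)
	if err != nil {
		return nil, fmt.Errorf("listing keys labelled %q: %w", hostUUID, err)
	}

	deleted := []string{}
	for _, k := range labelled {
		if _, isActive := active[k.ID]; isActive {
			continue
		}
		if err := store.DeleteKey(k.ID); err != nil {
			return deleted, fmt.Errorf("deleting key %q: %w", k.ID, err)
		}
		deleted = append(deleted, k.ID)
	}
	return deleted, nil
}

var errLookupFailed = errors.New("object not found")

// memHSM is a constructed in-memory stand-in for an HSM. lookupBroken simulates
// the failure mode from the commit message: individual lookups fail while
// listing by label keeps working.
type memHSM struct {
	keys         map[string]hsmKey
	lookupBroken bool
}

func newMemHSM(lookupBroken bool, keys ...hsmKey) *memHSM {
	h := &memHSM{keys: make(map[string]hsmKey, len(keys)), lookupBroken: lookupBroken}
	for _, k := range keys {
		h.keys[k.ID] = k
	}
	return h
}

func (h *memHSM) FindKeyByID(id string) (hsmKey, error) {
	k, ok := h.keys[id]
	if !ok || h.lookupBroken {
		return hsmKey{}, errLookupFailed
	}
	return k, nil
}

func (h *memHSM) ListKeysByLabel(label string) ([]hsmKey, error) {
	var out []hsmKey
	for _, k := range h.keys {
		if k.Label == label {
			out = append(out, k)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out, nil
}

func (h *memHSM) DeleteKey(id string) error {
	if _, ok := h.keys[id]; !ok {
		return errLookupFailed
	}
	delete(h.keys, id)
	return nil
}

// sampleKeys is the constructed starting state: one active and one stale key
// labelled for host-a, plus a key that belongs to another host.
func sampleKeys() []hsmKey {
	return []hsmKey{
		{ID: "key-active", Label: "host-a"},
		{ID: "key-stale", Label: "host-a"},
		{ID: "key-other-host", Label: "host-b"},
	}
}

func main() {
	healthy := newMemHSM(false, sampleKeys()...)
	deleted, err := deleteUnusedKeys(healthy, "host-a", []string{"key-active"})
	fmt.Println("healthy HSM: deleted", deleted, "err:", err)

	broken := newMemHSM(true, sampleKeys()...)
	deleted, err = deleteUnusedKeys(broken, "host-a", []string{"key-active"})
	fmt.Println("broken lookups: deleted", deleted, "err:", err)
}
```

With healthy lookups only `key-stale` is removed; `key-other-host` is untouched because cleanup is scoped to this host's label. With lookups broken the function returns an error and the HSM still holds all three keys, which is the behaviour the fix introduces.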
Should we skip straight to 14.0.0-dev on master?
We can merge this when we're ready to release v13