Edit forScopes configurations and edit guides (#28443)

* Edit forScopes configurations and edit guides

Closes #26500

This change requires merging gravitational/docs#326 to add a Team scope
to the docs.

This updates pages within the docs so that:

- Each page's `forScopes` configuration is accurate, especially with
  regard to support for Teleport Team.
- All scoped components match the `forScopes` configuration for each
  page. For this, I used the linter introduced by
  gravitational/docs#327.

* Respond to alexfornuto feedback
Paul Gottschling 2023-07-05 16:58:08 -04:00 committed by GitHub
parent 1687b2cc12
commit c5ced551eb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
76 changed files with 631 additions and 368 deletions


@ -31,7 +31,7 @@
{
"title": "Teleport Assist",
"slug": "/ai-assist/",
"forScopes": ["oss"]
"forScopes": ["oss", "team"]
}
]
},
@ -45,7 +45,8 @@
},
{
"title": "Teleport Team",
"slug": "/choose-an-edition/teleport-team/"
"slug": "/choose-an-edition/teleport-team/",
"forScopes": ["team"]
},
{
"title": "Teleport Enterprise Cloud",
@ -99,7 +100,8 @@
"entries": [
{
"title": "Introduction",
"slug": "/deploy-a-cluster/introduction/"
"slug": "/deploy-a-cluster/introduction/",
"forScopes": ["oss", "enterprise"]
},
{
"title": "High Availability Deployments",
@ -246,7 +248,7 @@
{
"title": "Single Sign-On (SSO)",
"slug": "/access-controls/sso/",
"forScopes": ["enterprise", "oss", "cloud"],
"forScopes": ["oss", "team", "enterprise", "cloud"],
"entries": [
{
"title": "Active Directory (ADFS)",
@ -260,8 +262,7 @@
},
{
"title": "GitHub",
"slug": "/access-controls/sso/github-sso/",
"forScopes": ["enterprise", "cloud", "oss"]
"slug": "/access-controls/sso/github-sso/"
},
{
"title": "GitLab",
@ -293,22 +294,22 @@
{
"title": "Teleport as an IdP",
"slug": "/access-controls/idps/",
"forScopes": ["enterprise", "cloud"],
"forScopes": ["enterprise", "cloud", "team"],
"entries": [
{
"title": "SAML Identity Provider Guide",
"slug": "/access-controls/idps/saml-guide/",
"forScopes": ["enterprise", "cloud"]
"forScopes": ["enterprise", "cloud", "team"]
},
{
"title": "Authenticate to Grafana with Teleport SAML",
"slug": "/access-controls/idps/saml-grafana/",
"forScopes": ["enterprise", "cloud"]
"forScopes": ["enterprise", "cloud", "team"]
},
{
"title": "SAML Identity Provider Reference",
"slug": "/access-controls/idps/saml-reference/",
"forScopes": ["enterprise", "cloud"]
"forScopes": ["enterprise", "cloud", "team"]
}
]
},
@ -380,7 +381,8 @@
"entries": [
{
"title": "Role Requests",
"slug": "/access-controls/access-requests/role-requests/"
"slug": "/access-controls/access-requests/role-requests/",
"forScopes": ["enterprise", "cloud"]
},
{
"title": "Resource Requests",
@ -390,7 +392,7 @@
{
"title": "Role Requests in OSS Teleport",
"slug": "/access-controls/access-requests/oss-role-requests/",
"forScopes": ["oss", "enterprise", "cloud"]
"forScopes": ["oss"]
}
]
},
@ -473,7 +475,8 @@
"entries": [
{
"title": "Kubernetes Operator (Preview)",
"slug": "/management/dynamic-resources/teleport-operator/"
"slug": "/management/dynamic-resources/teleport-operator/",
"forScopes": ["oss","enterprise"]
},
{
"title": "Terraform Provider",
@ -499,8 +502,7 @@
},
{
"title": "Troubleshooting",
"slug": "/management/admin/troubleshooting/",
"forScopes": ["oss", "enterprise", "cloud"]
"slug": "/management/admin/troubleshooting/"
},
{
"title": "Upgrading the Teleport Binary",
@ -512,7 +514,8 @@
},
{
"title": "Run Teleport with Self-Signed Certificates",
"slug": "/management/admin/self-signed-certs/"
"slug": "/management/admin/self-signed-certs/",
"forScopes": ["oss", "enterprise"]
},
{
"title": "Uninstall Teleport",
@ -535,8 +538,7 @@
},
{
"title": "Backup and Restore",
"slug": "/management/operations/backup-restore/",
"forScopes": ["oss", "enterprise"]
"slug": "/management/operations/backup-restore/"
},
{
"title": "Cert Authority Rotation",
@ -553,12 +555,12 @@
"forScopes": ["enterprise"]
},
{
"title": "Self-hosted automatic updates",
"title": "Self-Hosted Automatic Updates",
"slug": "/management/operations/self-hosted-automatic-agent-updates/",
"forScopes": ["enterprise"]
},
{
"title": "Enroll agent in automatic updates",
"title": "Enroll Agents in Automatic Updates",
"slug": "/management/operations/enroll-agent-into-automatic-updates/",
"forScopes": ["enterprise", "cloud"]
}
@ -620,23 +622,19 @@
"entries": [
{
"title": "Export Audit Events to Fluentd",
"slug": "/management/export-audit-events/fluentd/",
"forScopes": ["enterprise", "cloud"]
"slug": "/management/export-audit-events/fluentd/"
},
{
"title": "Export Audit Events to Datadog",
"slug": "/management/export-audit-events/datadog/",
"forScopes": ["enterprise", "cloud"]
"slug": "/management/export-audit-events/datadog/"
},
{
"title": "Export Audit Events to the Elastic Stack",
"slug": "/management/export-audit-events/elastic-stack/",
"forScopes": ["enterprise", "cloud"]
"slug": "/management/export-audit-events/elastic-stack/"
},
{
"title": "Export Audit Events to Splunk",
"slug": "/management/export-audit-events/splunk/",
"forScopes": ["enterprise", "cloud"]
"slug": "/management/export-audit-events/splunk/"
}
]
}
@ -686,7 +684,8 @@
"entries": [
{
"title": "Via AWS EC2",
"slug": "/agents/join-services-to-your-cluster/aws-ec2/"
"slug": "/agents/join-services-to-your-cluster/aws-ec2/",
"forScopes": ["oss", "enterprise"]
},
{
"title": "Via AWS IAM",
@ -1317,7 +1316,8 @@
},
{
"title": "How to Build an Access Request Plugin",
"slug": "/api/access-plugin/"
"slug": "/api/access-plugin/",
"forScopes": ["enterprise", "cloud"]
},
{
"title": "Automatically Register Teleport Agents",
@ -1388,7 +1388,11 @@
"entries": [
{
"title": "teleport-cluster",
"slug": "/reference/helm-reference/teleport-cluster/"
"slug": "/reference/helm-reference/teleport-cluster/",
"forScopes": [
"oss",
"enterprise"
]
},
{
"title": "teleport-kube-agent",
@ -1456,7 +1460,8 @@
},
{
"title": "Proxy Peering (Preview)",
"slug": "/architecture/proxy-peering/"
"slug": "/architecture/proxy-peering/",
"forScopes": ["enterprise"]
},
{
"title": "Agent Update Management",
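Review bot: Neither access-request entry lists the `team` scope once this lands: "Role Requests" gains `"forScopes": ["enterprise", "cloud"]` and "Role Requests in OSS Teleport" appears to be narrowed to `"forScopes": ["oss"]`, so a reader on the Team scope would presumably find no role-request guide in the navigation. If Teleport Team supports role requests, one of the two entries needs `"team"` added (for example `"forScopes": ["oss", "team"]` on the OSS page); if it does not, the omission is correct but worth a sentence in the PR description, since Access Requests are the least-privilege workflow these docs steer users toward. The rendered page prints changed lines twice without `+`/`-` markers, so which value is the new one is inferred from the hunk line counts. As a style point, the added arrays use three layouts (`["oss","enterprise"]`, `["oss", "enterprise"]`, and one element per line under teleport-cluster); settling on `["oss", "enterprise"]` would keep later diffs of this file smaller.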


@ -286,7 +286,7 @@ Once Teleport is running, you've created the Discord app, and the plugin is
configured, you can now run the plugin and test the workflow.
<Tabs>
<TabItem label="Executable" scope={["oss", "enterprise"]}>
<TabItem label="Executable">
Start the plugin:
```code
@ -301,7 +301,7 @@ INFO Starting Teleport Access Discord Plugin 7.2.1: discord/app.go:80
INFO Plugin is ready discord/app.go:101
```
</TabItem>
<TabItem label="Helm Chart" scope={["oss", "enterprise"]}>
<TabItem label="Helm Chart">
Install the plugin:
```code


@ -38,20 +38,23 @@ in your Teleport cluster.
## Step 2/7. Install the Teleport email plugin
<ScopedBlock scope={["enterprise", "oss"]}>
In this step, you will install the Teleport email plugin.
<Tabs>
<TabItem label="Teleport Enterprise" scope={["enterprise"]}>
We recommend installing Teleport plugins on the same host as the Teleport Proxy
Service. This is an ideal location as plugins have a low memory footprint, and
will require both public internet access and Teleport Auth Service access.
</ScopedBlock>
<ScopedBlock scope="cloud">
</TabItem>
<TabItem scope="cloud" label="Teleport Enterprise Cloud">
Install the Teleport email plugin on a host that can access both your
Teleport Cloud tenant and your SMTP service.
</ScopedBlock>
</TabItem>
</Tabs>
<Details title="Using a local SMTP server?">


@ -152,7 +152,7 @@ Edit the configuration as explained below:
### `[mattermost]`
<Tabs>
<TabItem label="Executable" scope={["oss", "enterprise"]}>
<TabItem label="Executable">
**`url`**: Include the scheme (`https://`) and fully qualified domain name of
your Mattermost deployment.
@ -183,7 +183,7 @@ recipients = [
```
</TabItem>
<TabItem label="Helm Chart" scope={["oss", "enterprise"]}>
<TabItem label="Helm Chart">
**`url`**: Include the scheme (`https://`) and fully qualified domain name of
your Mattermost deployment.
@ -275,7 +275,7 @@ severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN"
## Step 7/8. Test your Mattermost bot
<Tabs>
<TabItem label="Executable" scope={["oss", "enterprise"]}>
<TabItem label="Executable">
After modifying your configuration, run the bot with the following command:
```code
@ -294,7 +294,7 @@ DEBU Watcher connected mattermost/main.go:260
DEBU Mattermost API health check finished ok mattermost/main.go:19
```
</TabItem>
<TabItem label="Helm Chart" scope={["oss", "enterprise"]}>
<TabItem label="Helm Chart">
After modifying your configuration, run the bot with the following command:
```code


@ -32,20 +32,21 @@ PagerDuty.
- Either a Linux host or Kubernetes cluster where you will run the PagerDuty plugin.
<ScopedBlock scope={["enterprise", "oss"]}>
<Tabs>
<TabItem label="Teleport Enterprise" scope={["enterprise"]}>
We recommend installing Teleport plugins on the same host as the Teleport Proxy
Service. This is an ideal location as plugins have a low memory footprint, and
will require both public internet access and Teleport Auth Service access.
</ScopedBlock>
<ScopedBlock scope="cloud">
</TabItem>
<TabItem label="Teleport Enterprise Cloud" scope="cloud">
Install the Teleport PagerDuty plugin on a host that can access both your
Teleport Cloud tenant and PagerDuty.
</ScopedBlock>
</TabItem>
</Tabs>
- (!docs/pages/includes/tctl.mdx!)
@ -521,7 +522,7 @@ The final configuration should resemble the following:
## Step 7/8. Test the PagerDuty plugin
<Tabs>
<TabItem label="Executable" scope={["oss", "enterprise"]}>
<TabItem label="Executable">
After you configure the PagerDuty plugin, run the following command to start it.
The `-d` flag will provide debug information to ensure that the plugin can
connect to PagerDuty and your Teleport cluster:
@ -539,7 +540,7 @@ $ teleport-pagerduty start -d
# DEBU Setting up the webhook extensions pagerduty/main.go:178
```
</TabItem>
<TabItem label="Helm Chart" scope={["oss", "enterprise"]}>
<TabItem label="Helm Chart">
After modifying your configuration, run the bot with the following command:
```code
@ -597,7 +598,7 @@ should still check the Teleport audit log to ensure that the right users are
reviewing the right requests.
When auditing Access Request reviews, check for events with the type `Access
Request Reviewed` in the Teleport Web UI <ScopedBlock scope={["oss",
Request Reviewed` in the Teleport Web UI <ScopedBlock scope={[
"enterprise"]}>and `access_request.review` if reviewing the audit log on the
Auth Service host</ScopedBlock>.


@ -339,7 +339,7 @@ Once Teleport is running, you've created the Slack app, and the plugin is
configured, you can now run the plugin and test the workflow.
<Tabs>
<TabItem label="Executable" scope={["oss", "enterprise"]}>
<TabItem label="Executable">
Start the plugin:
```code
@ -354,7 +354,7 @@ INFO Starting Teleport Access Slack Plugin 7.2.1: slack/app.go:80
INFO Plugin is ready slack/app.go:101
```
</TabItem>
<TabItem label="Helm Chart" scope={["oss", "enterprise"]}>
<TabItem label="Helm Chart">
Install the plugin:
```code


@ -10,7 +10,7 @@ via ChatOps or anywhere else via our flexible Authorization Workflow API.
## Prerequisites
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
- (!docs/pages/includes/tctl.mdx!)


@ -7,13 +7,12 @@ h1: SOC 2 Compliance for SSH, Kubernetes, Databases, Desktops, and Web Apps
Teleport is designed to meet SOC 2 requirements for the purposes of accessing infrastructure, change management, and system operations. This document outlines a high
level overview of how Teleport can be used to help your company to become SOC 2 compliant.
<ScopedBlock
scope={["oss"]}
>
<Notice type="warning">
This guide requires Teleport Cloud or Teleport Enterprise.
SOC 2 compliance features are only available for Teleport Enterprise and
Teleport Enterprise Cloud.
</ScopedBlock>
</Notice>
## Achieving SOC 2 Compliance with Teleport
SOC 2 or Service Organization Controls were developed by the American Institute of CPAs (AICPA). They are based on five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.


@ -10,20 +10,19 @@ Here are the most common scenarios:
- Improve the security of your system and prevent one successful phishing attack from compromising your system.
- Satisfy FedRAMP AC-3 Dual authorization control that requires approval of two authorized individuals.
In this guide, we will set up Teleport's Just-in-Time Access Requests to require the approval
of two team members for a privileged role `dbadmin`.
In this guide, we will set up Teleport's Just-in-Time Access Requests to require
the approval of two team members for a privileged role `dbadmin`.
<ScopedBlock scope="oss">
The steps below describe how to use Teleport with Mattermost. You can also
[integrate with many other providers](../access-requests.mdx).
This guide requires a commercial edition of Teleport. The open source
edition of Teleport only supports [GitHub](../../access-controls/sso/github-sso.mdx) as
an SSO provider.
<Notice type="warning">
</ScopedBlock>
This guide requires a commercial edition of Teleport. The open source edition of
Teleport only supports [GitHub](../../access-controls/sso/github-sso.mdx) as an
SSO provider.
<Admonition title="Note" type="tip">
The steps below describe how to use Teleport with Mattermost. You can also [integrate with many other providers](../access-requests.mdx).
</Admonition>
</Notice>
## Prerequisites
@ -211,7 +210,7 @@ Bob can also assume granted Access Request roles using Web UI:
{/* TODO: This H2 will show up in the table of contents when this section is invisible.
We need a way to hide invisible H2s from the TOC. */}
<ScopedBlock scope={["oss", "enterprise"]}>
<ScopedBlock scope={["enterprise"]}>
## Troubleshooting


@ -54,7 +54,7 @@ Additionally, this feature can be configured to require touch for every Teleport
## Prerequisites
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
- A series 5+ YubiKey


@ -14,11 +14,11 @@ the session, and terminate the session at will.
In addition, Teleport administrators can [define rules](#join_sessions) that allow users to join each other's
sessions from `tsh` and the Web UI.
<ScopedBlock scope="oss">
<Notice type="warning">
Moderated Sessions requires Teleport Enterprise or Teleport Cloud.
Moderated Sessions requires Teleport Enterprise or Teleport Enterprise Cloud.
</ScopedBlock>
</Notice>
### Use cases


@ -28,7 +28,7 @@ WebAuthn is disabled by default. To enable WebAuthn support, update your
Teleport configuration as below:
<Tabs>
<TabItem label="Dynamic resources" scope={["oss", "enterprise", "cloud"]}>
<TabItem label="Dynamic resources" scope={["team", "cloud"]}>
Edit the `cluster_auth_preference` resource:


@ -15,7 +15,7 @@ not just those running behind the Teleport App Service.
- An instance of Grafana Enterprise, with edit access to `grafana.ini`.
- A trusted certificate authority to create TLS certificates/keys for the SAML connection.
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
(!docs/pages/includes/no-oss-prereqs-tabs.mdx!)
- (!docs/pages/includes/tctl.mdx!)


@ -11,7 +11,7 @@ authenticate to external services.
## Prerequisites
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
(!docs/pages/includes/no-oss-prereqs-tabs.mdx!)
- (!docs/pages/includes/tctl.mdx!)
- If you're new to SAML, consider reviewing our [SAML Identity Provider
@ -126,4 +126,4 @@ are logged in, you should be re-routed to a success page on samltest.id.
This has verified service provider initiated SSO. To verify identity provider initiated
SSO, navigate to `https://<proxy-address>/enterprise/saml-idp/login/samltest-id`,
where `samltest-id` is the friendly name of the service provider object created earlier.
You should be redirected to the same successful login page seen earlier.
You should be redirected to the same successful login page seen earlier.


@ -241,7 +241,7 @@ scope={["enterprise"]}>either modify your Auth Service configuration file
or </ScopedBlock>create a `cluster_auth_preference` resource.
<Tabs>
<TabItem label="Static Config (Self-Hosted)" scope={["enterprise"]}>
<TabItem label="Static Config (Self-Hosted)" scope={["enterprise","oss"]}>
Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon.
```yaml
auth_service:
@ -252,7 +252,7 @@ or </ScopedBlock>create a `cluster_auth_preference` resource.
(!docs/pages/includes/sso/idp-initiated.mdx!)
</TabItem>
<TabItem scope={["cloud"]} label="Dynamic Resources (All Editions)">
<TabItem scope={["cloud","team"]} label="Dynamic Resources (All Editions)">
Create a file called `cap.yaml`:
```yaml
kind: cluster_auth_preference


@ -221,7 +221,7 @@ Create the OIDC connector resource using `tctl`. We will explain how to choose
values for fields within the resource spec below:
<Tabs>
<TabItem scope={["oss", "enterprise", "cloud"]} label="Embedded JSON">
<TabItem label="Embedded JSON">
Use this method to define the service account JSON in the connector resource.
This method doesn't require providing the JSON file to the host(s) running the
@ -274,7 +274,7 @@ version: v3
```
</TabItem>
<TabItem scope={["oss", "enterprise"]} label="Uploaded JSON file">
<TabItem label="Uploaded JSON file">
Use this method for single self-hosted Teleport Auth instances, or when you can
easily and reliably make the JSON file available to all hosts running the Auth


@ -7,27 +7,25 @@ This guide will explain how to use the **EC2 join method** to configure Teleport
processes to join your Teleport cluster without sharing any secrets when they
are running in AWS.
<ScopedBlock scope="cloud">
The EC2 join method is not available in Teleport Enterprise Cloud. Teleport
Enterprise Cloud customers can use the [IAM join method](./aws-iam.mdx) or
[secret tokens](join-token.mdx).
</ScopedBlock>
The EC2 join method is available to any Teleport process running on an EC2
instance. Only one Teleport process per EC2 instance may use the EC2 join
instance. Only one Teleport process per EC2 instance may use the EC2 join
method.
IAM credentials with `ec2:DescribeInstances` permissions are required on your
Teleport Auth Service. No IAM credentials are required on the Teleport processes
joining the cluster.
<Notice type="warning">
The EC2 join method is not available in Teleport Enterprise Cloud and Teleport
Team. Teleport Enterprise Cloud and Team customers can use the [IAM join
method](./aws-iam.mdx) or [secret tokens](join-token.mdx).
</Notice>
<Details
opened
title="Other AWS joining methods"
scope={["oss", "enterprise"]}
scopeOnly
>
There are two other AWS join methods available depending on your use case.
@ -46,7 +44,7 @@ AWS-specific APIs.
## Prerequisites
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
(!docs/pages/includes/self-hosted-prereqs-tabs.mdx!)
- (!docs/pages/includes/tctl.mdx!)
- An AWS EC2 instance to host a Teleport process, with the Teleport binary


@ -6,8 +6,6 @@ description: How Teleport implements more efficient networking with Proxy Peerin
<Details
title="Version warning"
opened={true}
scope={["oss", "enterprise"]}
scopeOnly={true}
min="10.0"
>
Proxy Peering is available in Preview starting from Teleport `10.0`.


@ -38,11 +38,7 @@ only ever exists in KMS when this feature is enabled.
Read on to [migrating an existing cluster](#migrating-an-existing-cluster) to
learn more.
<ScopedBlock scope={["oss", "cloud"]}>
This guide is intended for self-hosted Teleport Enterprise users.
</ScopedBlock>
(!docs/pages/includes/cloud/call-to-action.mdx!)
## Prerequisites


@ -573,7 +573,7 @@ Here is the result:
Enterprise.
</TabItem>
<TabItem label="Teleport Cloud" scope="cloud">
<TabItem label="Cloud-Hosted" scope={["cloud","team"]}>
Here are instructions for Teleport Cloud users.


@ -52,10 +52,10 @@ This is useful when the Teleport Web UI is running behind an L7 load balancer
on a plain TCP load balancer (e.g. NLB in AWS).
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
In Teleport Cloud, the Proxy Service uses the following ports for
Database Service client traffic:
In Teleport Team and Teleport Enterprise Cloud, the Proxy Service uses the
following ports for Database Service client traffic:
|Configuration setting|Port|
|---|---|


@ -65,6 +65,7 @@ Create the Database Service configuration.
<TabItem label="MySQL">
- Specify the region for your database(s) in `--azure-mysql-discovery`.
- Replace the `--proxy` value with your Teleport proxy address or Teleport cloud
URI (e.g. `mytenant.teleport.sh:443`):


@ -299,7 +299,7 @@ $ tsh db ls
```
</TabItem>
<TabItem scope={["cloud"]} label="Cloud">
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
```code
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls


@ -31,7 +31,34 @@ This guide will help you to:
(!docs/pages/includes/database-access/token.mdx!)
(!docs/pages/includes/database-access/create-user.mdx!)
<Admonition type="tip">
To modify an existing user to provide access to the Database Service, see [Database Access Access Controls](../../database-access/rbac.mdx)
</Admonition>
Create a local Teleport user with the built-in `access` and `requester` roles:
```code
$ tctl users add \
--roles=access,requester \
--db-users=\* \
--db-names=\* \
alice
```
| Flag | Description |
|--------------|------------------------------------------------------------------------------------------------------------------------------------------|
| `--roles` | List of roles to assign to the user. The builtin `access` role allows them to connect to any database server registered with Teleport. |
| `--db-users` | List of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user. |
| `--db-names` | List of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database. |
<Admonition type="warning">
Database names are only enforced for PostgreSQL and MongoDB databases.
</Admonition>
For more detailed information about database access controls and how to restrict
access see [RBAC](../../database-access/rbac.mdx) documentation.
## Step 2/5. Create a certificate/key pair and Teleport Oracle Wallet
@ -92,7 +119,7 @@ Install and configure Teleport where you will run the Teleport Database Service:
<Tabs>
<TabItem label="Linux Server">
(!docs/pages/includes/install-linux.mdx!)
(!docs/pages/includes/install-linux-enterprise.mdx!)
(!docs/pages/includes/database-access/db-configure-start.mdx dbName="oracle" dbProtocol="oracle" databaseAddress="oracle.example.com:2484" dbName="oracle" !)
@ -102,7 +129,48 @@ Install and configure Teleport where you will run the Teleport Database Service:
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
(!docs/pages/includes/database-access/db-helm-install.mdx dbName="oracle" dbProtocol="oracle" databaseAddress="oracle.example.com:2484" dbName="oracle" !)
<Tabs>
<TabItem label="Teleport Enterprise" scope={["enterprise"]}>
Install the Teleport Kube Agent into your Kubernetes Cluster
with the Teleport Database Service configuration.
```code
$ JOIN_TOKEN=$(cat /tmp/token)
$ helm install teleport-kube-agent teleport/teleport-kube-agent \
--create-namespace \
--namespace teleport-agent \
--set roles=db \
--set proxyAddr=teleport.example.com:443 \
--set authToken=${JOIN_TOKEN?} \
--set "databases[0].name=oracle" \
--set "databases[0].uri=oracle.example.com:2484" \
--set "databases[0].protocol=oracle" \
--set "labels.env=dev" \
--version (=teleport.version=)
```
</TabItem>
<TabItem label="Teleport Enterprise Cloud" scope={["cloud"]}>
Install the Teleport Kube Agent into your Kubernetes Cluster
with the Teleport Database Service configuration.
```code
$ JOIN_TOKEN=$(cat /tmp/token)
$ helm install teleport-kube-agent teleport/teleport-kube-agent \
--create-namespace \
--namespace teleport-agent \
--set roles=db \
--set proxyAddr=mytenant.teleport.sh:443 \
--set authToken=${JOIN_TOKEN?} \
--set "databases[0].name=oracle" \
--set "databases[0].uri=oracle.example.com:2484" \
--set "databases[0].protocol=oracle" \
--set "labels.env=dev" \
--version (=cloud.version=)
```
</TabItem>
</Tabs>
</TabItem>
</Tabs>
@ -113,24 +181,15 @@ Install and configure Teleport where you will run the Teleport Database Service:
Once the Database Service has joined the cluster, log in to see the available
databases:
<ScopedBlock scope={["oss", "enterprise"]}>
```code
$ tsh login --proxy=teleport.example.com --user=alice
$ tsh login --proxy=<Var name="mytenant.teleport.sh" /> --user=alice
$ tsh db ls
# Name Description Allowed Users Labels Connect
# ------ -------------- ------------- ------- -------
# oracle Oracle Example [*] env=dev
```
</ScopedBlock>
<ScopedBlock scope={["cloud"]}>
```code
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
# Name Description Allowed Users Labels Connect
# ------ -------------- ------------- ------- -------
# oracle Oracle Example [*] env=dev
```
</ScopedBlock>
Connect to the database:
```code
$ tsh db connect --db-user=alice --db-name=XE oracle
@ -146,6 +205,7 @@ $ tsh db connect --db-user=alice --db-name=XE oracle
#
# SQL>
```
To log out of the database and remove credentials:
```code


@ -12,7 +12,7 @@ This guide will help you to:
<ScopedBlock scope={["oss", "enterprise"]}>
![Teleport Database Access RDS Self-Hosted](../../../img/database-access/guides/redis_elasticache_selfhosted.png)
</ScopedBlock>
<ScopedBlock scope={["cloud"]}>
<ScopedBlock scope={["cloud","team"]}>
![Teleport Database Access RDS Cloud](../../../img/database-access/guides/redis_elasticache_cloud.png)
</ScopedBlock>


@ -14,7 +14,7 @@ This guide will help you to:
<ScopedBlock scope={["oss", "enterprise"]}>
![Teleport Database Access Redis Cluster Self-Hosted](../../../img/database-access/guides/rediscluster_selfhosted.png)
</ScopedBlock>
<ScopedBlock scope={["cloud"]}>
<ScopedBlock scope={["cloud","team"]}>
![Teleport Database Access Redis Cluster Cloud](../../../img/database-access/guides/rediscluster_cloud.png)
</ScopedBlock>


@ -14,7 +14,7 @@ This guide will help you to:
<ScopedBlock scope={["oss", "enterprise"]}>
![Teleport Database Access Redis Self-Hosted](../../../img/database-access/guides/redis_selfhosted.png)
</ScopedBlock>
<ScopedBlock scope={["cloud"]}>
<ScopedBlock scope={["cloud","team"]}>
![Teleport Database Access Redis Cloud](../../../img/database-access/guides/redis_cloud.png)
</ScopedBlock>


@ -118,7 +118,7 @@ Log in to your Teleport cluster and see the available databases:
# example-snowflake Example Snowflake ❄ env=dev
```
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
```code
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls


@ -58,12 +58,12 @@ proxy_service:
```
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["team","cloud"]} label="Cloud-Hosted">
Teleport Cloud automatically configures the Teleport Proxy Service with the
following settings that are relevant to database access. This reference
configuration uses `mytenant.teleport.sh` in place of your Teleport Cloud tenant
address.
Teleport Team and Teleport Enterprise Cloud automatically configure the Teleport
Proxy Service with the following settings that are relevant to database access.
This reference configuration uses `mytenant.teleport.sh` in place of your
Teleport Team/Enterprise Cloud tenant address.
```yaml
proxy_service:


@ -3,16 +3,10 @@ title: Running Teleport on GCP
description: How to install and configure Teleport on GCP
---
We've created this guide to give customers an overview of how to use Teleport on
[Google Cloud](https://cloud.google.com/gcp/) (GCP). This guide provides a
high-level introduction to setting up and running Teleport in production.
<ScopedBlock scope="cloud">
This guide shows you how to deploy the Auth Service and Proxy Service, which
Teleport Cloud manages for you.
</ScopedBlock>
We've created this guide to give customers an overview of how to deploy a
self-hosted Teleport cluster on [Google Cloud](https://cloud.google.com/gcp/)
(GCP). This guide provides a high-level introduction to setting up and running
Teleport in production.
We have split this guide into:
@ -225,7 +219,7 @@ Follow install instructions from our [installation page](../../installation.mdx#
We recommend configuring Teleport as per the below steps:
<Tabs>
<TabItem label="Open Source">
<TabItem label="Open Source" scope="oss">
**1. Configure Teleport Auth Server** using the below example `teleport.yaml`,and start it
using [systemd](../../management/admin/daemon.mdx). The DEB/RPM installations will
automatically include the `systemd` configuration.


@ -7,13 +7,6 @@ We've created this guide to give customers an overview of how to use Teleport on
[IBM Cloud](https://www.ibm.com/cloud). This guide provides a high-level
introduction to setting up and running Teleport in production.
<ScopedBlock scope="cloud">
This guide shows you how to deploy the Auth Service and Proxy Service, which
Teleport Cloud manages for you.
</ScopedBlock>
We have split this guide into:
- [Teleport on IBM FAQ](#teleport-on-ibm-cloud-faq)


@ -276,7 +276,7 @@ $ kubectl -n teleport create secret generic license --from-file=license.pem
Next, configure the `teleport-cluster` Helm chart to use the `aws` mode. Create
a file called `aws-values.yaml` and write the values you've chosen above to it:
<ScopedBlock scope={["oss", "cloud"]}>
<ScopedBlock scope={["oss"]}>
<Tabs>
<TabItem label="cert-manager">
@ -627,4 +627,4 @@ users and setting up RBAC.
See the [high availability section of our Helm chart reference](../../reference/helm-reference/teleport-cluster.mdx#highavailability) for more details on high availability.
Read the [`cert-manager` documentation](https://cert-manager.io/docs/).
Read the [`cert-manager` documentation](https://cert-manager.io/docs/).


@ -301,7 +301,7 @@ Next, configure the `teleport-cluster` Helm chart to use the `gcp` mode. Create
file called `gcp-values.yaml` file and write the values you've chosen above to
it:
<ScopedBlock scope={["oss", "cloud"]}>
<ScopedBlock scope={["oss"]}>
```yaml
chartMode: gcp


@ -138,7 +138,7 @@ will use to receive notifications from Let's Encrypt, which provides TLS
credentials for the Teleport Proxy Service's HTTPS endpoint.
<Tabs>
<TabItem label="Open Source">
<TabItem label="Open Source" scope="oss">
Write a values file (`teleport-cluster-values.yaml`) which will configure a single node Teleport cluster and
provision a cert using ACME.


@ -566,10 +566,11 @@ ssh_service:
```
</TabItem>
<TabItem scope={["cloud"]} label="Cloud">
For Teleport Cloud, Windows Desktop Service should establish a reverse tunnel to
the hosted proxy. This requires setting `proxy_server` to your cloud tenant and
providing a join token.
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
For Teleport Team and Teleport Enterprise Cloud, the Windows Desktop Service
should establish a reverse tunnel to the hosted Teleport Proxy Service. This
requires setting `proxy_server` to your cloud tenant and providing a join token.
First, generate a join token with the following command:


@ -20,8 +20,6 @@ with the static host definitions described below.
<Details
title="Version warning"
opened={true}
scope={["oss", "enterprise"]}
scopeOnly={true}
min="12.0"
>
Passwordless access for local users is available starting from Teleport `v12`.
@ -91,7 +89,7 @@ for detailed information on configuring Teleport Desktop Access with this token.
Copy the token to the Linux host where you will run the Desktop service as `/tmp/token`.
(!docs/pages/includes/install-linux.mdx!)
(!docs/pages/includes/install-linux-enterprise.mdx!)
Create `/etc/teleport.yaml` and configure it for desktop access. Update the `proxy_server`
value to your Teleport proxy service or cloud tenant, and put the Windows machine address


@ -1,6 +1,5 @@
<Notice
type="tip"
scope={["oss", "enterprise"]}
>
Teleport Team takes care of this setup for you so you can provide secure access


@ -1,8 +1,9 @@
<Tabs>
<TabItem scope={["cloud"]} label="Teleport Enterprise Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
Run the `configure` command to generate a sample configuration. Replace
`mytenant.teleport.sh` with the DNS name of your Teleport Enterprise Cloud tenant:
`mytenant.teleport.sh` with the DNS name of your Teleport Team or Teleport
Enterprise Cloud tenant:
```code
$ teleport-event-handler configure . mytenant.teleport.sh:443


@ -4,7 +4,8 @@ To modify an existing user to provide access to the Database Service, see [Datab
</Admonition>
<ScopedBlock scope={["oss"]}>
<Tabs>
<TabItem scope={["oss","team"]} label="Teleport Team/Community Edition">
Create a local Teleport user with the built-in `access` role:
```code
@ -14,8 +15,8 @@ $ tctl users add \
--db-names=\* \
alice
```
</ScopedBlock>
<ScopedBlock scope={["enterprise", "cloud"]}>
</TabItem>
<TabItem scope={["enterprise", "cloud"]} label="Teleport Enterprise/Enterprise Cloud">
Create a local Teleport user with the built-in `access` and `requester` roles:
```code
@ -25,7 +26,8 @@ $ tctl users add \
--db-names=\* \
alice
```
</ScopedBlock>
</TabItem>
</Tabs>
| Flag | Description |
|--------------|------------------------------------------------------------------------------------------------------------------------------------------|


@ -1,6 +1,4 @@
{{ dbName="test" }}
<Tabs>
<TabItem label="Using a config file">
On the host where you will run the Teleport Database Service, start Teleport
with the appropriate configuration.
@ -12,7 +10,8 @@ your terminal, and manually adjust `/etc/teleport.yaml`.
Generate a configuration file at `/etc/teleport.yaml` for the Database Service:
<ScopedBlock scope={["oss", "enterprise"]}>
<Tabs>
<TabItem scope={["oss", "enterprise"]} label="Teleport Enterprise/Enterprise Cloud">
```code
$ teleport db configure create \
@ -25,8 +24,8 @@ $ teleport db configure create \
--labels=env=dev
```
</ScopedBlock>
<ScopedBlock scope={["cloud"]}>
</TabItem>
<TabItem scope={["cloud","team"]} label="Teleport Team/Community Edition">
```code
$ teleport db configure create \
@ -39,84 +38,7 @@ $ teleport db configure create \
--labels=env=dev
```
</ScopedBlock>
Configure the Database Service to start automatically when the host boots up by
creating a systemd service for it. The instructions depend on how you installed
the Database Service.
<Tabs>
<TabItem label="Package Manager">
On the host where you will run {{ service }}, start Teleport:
```code
$ sudo systemctl enable teleport
$ sudo systemctl start teleport
```
</TabItem>
<TabItem label="TAR Archive">
On the host where you will run {{ service }}, create a systemd service
configuration for Teleport, enable the Teleport service, and start Teleport:
```code
$ sudo teleport install systemd -o /etc/systemd/system/teleport.service
$ sudo systemctl enable teleport
$ sudo systemctl start teleport
```
</TabItem>
</Tabs>
</TabItem>
<TabItem label="With CLI flags">
You can start the Teleport Database Service without configuration file using a
CLI command:
<ScopedBlock scope={["oss", "enterprise"]}>
```code
$ teleport db start \
--token=/tmp/token \
--auth-server=teleport.example.com:443 \
--name={{ dbName }} \
--protocol={{ dbProtocol }} \
--uri={{ databaseAddress }} \
--labels=env=dev
```
Note that the `--auth-server` flag must point to the Teleport cluster's Proxy
Service endpoint because the Database Service always connects back to the
cluster over a reverse tunnel.
</ScopedBlock>
<ScopedBlock scope={["cloud"]}>
```code
$ teleport db start \
--token=/tmp/token \
--auth-server=mytenant.teleport.sh:443 \
--name={{ dbName }} \
--protocol={{ dbProtocol }} \
--uri={{ databaseAddress }} \
--labels=env=dev
```
Note that the `--auth-server` flag must point to your Teleport Cloud tenant
address.
</ScopedBlock>
</TabItem>
</Tabs>
<Admonition type="note">
The `--auth-server` flag must point to the Teleport cluster's Proxy Service
endpoint because the Database Service always connects back to the cluster over a
reverse tunnel.
</Admonition>
(!docs/pages/includes/start-teleport.mdx service="the Teleport Database Service"!)
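Review bot: In the hunk that swaps the `ScopedBlock` wrappers for tabs, the tab labels do not match their scopes: `scope={["oss", "enterprise"]}` is labelled "Teleport Enterprise/Enterprise Cloud" and `scope={["cloud","team"]}` is labelled "Teleport Team/Community Edition". A reader who picks a tab by its label would be shown the `teleport db configure create` command written for the other deployment model; the command bodies are cut off in this view, so exactly which flags differ is an assumption. Labels that follow the scopes, as another include in this commit does, would be `label="Self-Hosted"` for the first tab and `label="Cloud-Hosted"` for the second.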


@ -1,5 +1,6 @@
{{ dbName="test" }}
<ScopedBlock scope={["oss", "enterprise"]}>
<Tabs>
<TabItem label="Self-Hosted" scope={["oss", "enterprise"]}>
Install the Teleport Kube Agent into your Kubernetes Cluster
with the Teleport Database Service configuration.
@ -18,8 +19,8 @@ $ helm install teleport-kube-agent teleport/teleport-kube-agent \
--version (=teleport.version=)
```
</ScopedBlock>
<ScopedBlock scope={["cloud"]}>
</TabItem>
<TabItem label="Cloud-Hosted"scope={["cloud","team"]}>
Install the Teleport Kube Agent into your Kubernetes Cluster
with the Teleport Database Service configuration.
@ -38,4 +39,5 @@ $ helm install teleport-kube-agent teleport/teleport-kube-agent \
--version (=cloud.version=)
```
</ScopedBlock>
</TabItem>
</Tabs>
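Review bot: The cloud tab's opening tag runs two attributes together, `<TabItem label="Cloud-Hosted"scope={["cloud","team"]}>`. Writing it as `<TabItem label="Cloud-Hosted" scope={["cloud","team"]}>` matches the Self-Hosted tab above it and does not rely on the parser tolerating the missing space. Whether the docs engine accepts the current form cannot be told from this page.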


@ -10,7 +10,7 @@ Log into your Teleport cluster and see available databases:
# example-redis Example Redis env=dev
```
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
```code
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls


@ -1,5 +1,23 @@
<Tabs>
<TabItem scope={["oss"]} label="Open Source">
<TabItem scope="team" label="Teleport Team">
- A Teleport Team account. If you do not have one, visit the [signup
page](https://goteleport.com/signup/) to begin your free trial.
- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=).
```code
$ tctl version
# Teleport v(=teleport.version=) go(=teleport.golang=)
$ tsh version
# Teleport v(=teleport.version=) go(=teleport.golang=)
```
See [Installation](../installation.mdx) for details.
</TabItem>
<TabItem scope={["oss"]} label="Teleport Community Edition">
- A running Teleport cluster. For details on how to set this up, see our
[Getting Started](../index.mdx) guide.
@ -18,7 +36,7 @@
</TabItem>
<TabItem
scope={["enterprise"]} label="Enterprise">
scope={["enterprise"]} label="Teleport Enterprise">
- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise
[Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide.
@ -36,7 +54,7 @@
</TabItem>
<TabItem scope={["cloud"]}
label="Teleport Cloud">
label="Teleport Enterprise Cloud">
- A Teleport Enterprise Cloud account. If you do not have one, visit the [signup
page](https://goteleport.com/signup/) to begin a free trial of Teleport Team


@ -1,7 +1,7 @@
Configure Teleport to use OIDC authentication as the default instead of the local
user database.
<ScopedBlock scope={["oss", "enterprise"]}>
<ScopedBlock scope={["enterprise"]}>
You can either edit your Teleport configuration file or create a dynamic
resource.


@ -2,13 +2,8 @@
- Configure Teleport to use SAML authentication as the default instead of the local
user database.
<ScopedBlock scope={["oss", "enterprise"]}>
You can either edit the Teleport Auth Service configuration file or create a dynamic
resource.
</ScopedBlock>
<Tabs>
<TabItem scope={["cloud", "oss", "enterprise"]} label="Dynamic Resources (All Editions)">
<TabItem scope={["cloud"]} label="Dynamic Resources (All Editions)">
Use `tctl` to edit the `cluster_auth_preference` value:
@ -37,7 +32,7 @@ user database.
```
</TabItem>
<TabItem label="Static Config (Self-Hosted)" scope={["oss", "enterprise"]}>
<TabItem label="Static Config (Self-Hosted)" scope={["enterprise"]}>
Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon.
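Review bot: The first tab is still labelled "Dynamic Resources (All Editions)", but its scope appears to be narrowed to `scope={["cloud"]}`, while the static-config tab becomes `scope={["enterprise"]}`. If the Tabs component uses `scope` to choose what a reader sees (not visible here), a self-hosted Enterprise reader is steered only to editing `/etc/teleport.yaml` and restarting the daemon, even though the `tctl` route for `cluster_auth_preference` is described as available to every edition. Either keep Enterprise in the first tab, `scope={["cloud", "enterprise"]}`, or change the label so it no longer claims all editions. This assumes the second of each printed pair of lines is the new side, as the rendering suggests.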


@ -0,0 +1,125 @@
Use the appropriate commands for your environment to install your package:
<Tabs dropdownView dropdownCaption="Teleport Edition">
<TabItem label="Enterprise" scope="enterprise">
<Tabs>
<TabItem label="Debian 8+/Ubuntu 16.04+ (apt)">
```code
# Download Teleport's PGP public key
$ sudo curl https://apt.releases.teleport.dev/gpg \
-o /usr/share/keyrings/teleport-archive-keyring.asc
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport APT repository for v(=teleport.major_version=). You'll need to update this
# file for each major release of Teleport.
$ echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v(=teleport.major_version=)" \
| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
$ sudo apt-get update
$ sudo apt-get install teleport-ent
```
For FedRAMP/FIPS-compliant installations, install the `teleport-ent-fips` package instead:
```code
$ sudo apt-get install teleport-ent-fips
```
</TabItem>
<TabItem label="Amazon Linux 2/RHEL 7 (yum)">
```code
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport YUM repository for v(=teleport.major_version=). You'll need to update this
# file for each major release of Teleport.
# First, get the major version from $VERSION_ID so this fetches the correct
# package version.
$ VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
$ sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v(=teleport.major_version=)/teleport.repo")"
$ sudo yum install teleport-ent
#
# Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
# echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
```
For FedRAMP/FIPS-compliant installations, install the `teleport-ent-fips` package instead:
```code
$ sudo yum install teleport-ent-fips
```
</TabItem>
<TabItem label="Amazon Linux 2023/RHEL 8+ (dnf)">
```code
# Source variables about OS version
$ source /etc/os-release
# Add the Teleport YUM repository for v(=teleport.major_version=). You'll need to update this
# file for each major release of Teleport.
# Use the dnf config manager plugin to add the teleport RPM repo
$ sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v(=teleport.major_version=)/teleport.repo")"
# Install teleport
$ sudo dnf install teleport-ent
# Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
# echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
```
For FedRAMP/FIPS-compliant installations, install the `teleport-ent-fips` package instead:
```code
$ sudo dnf install teleport-ent-fips
```
</TabItem>
<TabItem label="Tarball" >
In the example commands below, update `$SYSTEM_ARCH` with the appropriate
value (`amd64`, `arm64`, or `arm`). All example commands using this variable
will update after one is filled out.
```code
$ curl https://get.gravitational.com/teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-bin.tar.gz.sha256
# <checksum> <filename>
$ curl -O https://cdn.teleport.dev/teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-bin.tar.gz
$ shasum -a 256 teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-bin.tar.gz
# Verify that the checksums match
$ tar -xvf teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-bin.tar.gz
$ cd teleport-ent
$ sudo ./install
```
For FedRAMP/FIPS-compliant installations of Teleport Enterprise, package URLs
will be slightly different:
```code
$ curl https://get.gravitational.com/teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-fips-bin.tar.gz.sha256
# <checksum> <filename>
$ curl -O https://cdn.teleport.dev/teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-fips-bin.tar.gz
$ shasum -a 256 teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-fips-bin.tar.gz
# Verify that the checksums match
$ tar -xvf teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-fips-bin.tar.gz
$ cd teleport-ent
$ sudo ./install
```
</TabItem>
</Tabs>
</TabItem>
<TabItem label="Enterprise Cloud" scope="cloud">
(!docs/pages/includes/cloud/install-linux-cloud.mdx!)
<Details title="Is my Teleport instance compatible with Teleport Enterprise Cloud?">
Before installing a `teleport` binary with a version besides v(=cloud.major_version=),
read our compatibility rules to ensure that the binary is compatible with
Teleport Enterprise Cloud.
(!docs/pages/includes/compatibility.mdx!)
</Details>
</TabItem>
</Tabs>
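Review bot: In the Tarball tab of this new include, the integrity check is only a comment (`# Verify that the checksums match`) between `shasum -a 256 …` and `tar -xvf …`, so a reader who pastes the block reaches `sudo ./install` whether or not the digests agree. Consider saving the `.sha256` file with `curl -O` and checking it with `shasum -a 256 -c <downloaded .sha256 file>`, so that a mismatch produces a visible failure before extraction. That presumes the published file uses the `<checksum> <filename>` layout shown in the comment. The same applies to the FIPS variant below it. A short sentence noting that the checksum detects a corrupted or mismatched download, not a compromised publisher, would also set expectations correctly.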


@ -1,6 +1,23 @@
Use the appropriate commands for your environment to install your package:
<Tabs dropdownView dropdownCaption="Teleport Edition">
<TabItem label="Teleport Team" scope="team">
```code
$ curl https://goteleport.com/static/install.sh | bash -s (=cloud.version=)
```
<Details title="Is my Teleport instance compatible with Teleport Team?">
Before installing a `teleport` binary with a version besides
v(=cloud.major_version=), read our compatibility rules to ensure that the
binary is compatible with Teleport Cloud.
(!docs/pages/includes/compatibility.mdx!)
</Details>
</TabItem>
<TabItem label="Open Source" scope="oss">
```code
@ -10,7 +27,7 @@ Use the appropriate commands for your environment to install your package:
</TabItem>
<TabItem label="Enterprise" scope="enterprise">
<Tabs>
<TabItem label="Debian 8+/Ubuntu 16.04+ (apt)" scope="enterprise">
<TabItem label="Debian 8+/Ubuntu 16.04+ (apt)">
```code
# Download Teleport's PGP public key
@ -35,7 +52,7 @@ Use the appropriate commands for your environment to install your package:
```
</TabItem>
<TabItem label="Amazon Linux 2/RHEL 7 (yum)" scope="enterprise">
<TabItem label="Amazon Linux 2/RHEL 7 (yum)">
```code
# Source variables about OS version
@ -59,7 +76,7 @@ Use the appropriate commands for your environment to install your package:
```
</TabItem>
<TabItem label="Amazon Linux 2023/RHEL 8+ (dnf)" scope="enterprise">
<TabItem label="Amazon Linux 2023/RHEL 8+ (dnf)">
```code
# Source variables about OS version
@ -83,7 +100,7 @@ Use the appropriate commands for your environment to install your package:
```
</TabItem>
<TabItem label="Tarball" scope="enterprise">
<TabItem label="Tarball" >
In the example commands below, update `$SYSTEM_ARCH` with the appropriate
value (`amd64`, `arm64`, or `arm`). All example commands using this variable
@ -117,13 +134,13 @@ Use the appropriate commands for your environment to install your package:
</TabItem>
</Tabs>
</TabItem>
<TabItem label="Cloud" scope="cloud">
<TabItem label="Enterprise Cloud" scope="cloud">
(!docs/pages/includes/cloud/install-linux-cloud.mdx!)
<Details title="Is my Teleport instance compatible with Teleport Cloud?">
<Details title="Is my Teleport instance compatible with Teleport Enterprise Cloud?">
Before installing a `teleport` binary with a version besides v(=cloud.major_version=),
read our compatibility rules to ensure that the binary is compatible with
Teleport Cloud.
Teleport Enterprise Cloud.
(!docs/pages/includes/compatibility.mdx!)
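Review bot: The Teleport Team tab added in the first hunk pipes a remotely fetched script straight into a shell, `curl https://goteleport.com/static/install.sh | bash -s (=cloud.version=)`. This gives the reader no chance to inspect the script, and without `--fail` an HTTP error body or a truncated transfer is executed as-is. The Enterprise tarball steps added elsewhere in this commit at least ask for a checksum comparison first. A two-step form keeps the same result and makes the download inspectable: `$ curl -fO https://goteleport.com/static/install.sh` followed by `$ bash install.sh (=cloud.version=)`. Separately, the Details body under this tab says the binary must be compatible with "Teleport Cloud" although the title asks about Teleport Team.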


@ -4,20 +4,25 @@ can be run under `cmd.exe`, PowerShell, and Windows Terminal.
To install `tsh` on Windows, run the following commands in **PowerShell** (these commands will not work in `cmd.exe`):
<Tabs dropdownView dropdownCaption="Teleport Edition">
<TabItem label="Open Source" scope="oss">
<TabItem label="Teleport Community Edition" scope="oss">
(!docs/pages/includes/install-windows-tsh.mdx version="(=teleport.version=)" !)
</TabItem>
<TabItem label="Enterprise" scope="enterprise">
</TabItem>
<TabItem label="Teleport Team" scope="team">
(!docs/pages/includes/install-windows-tsh.mdx version="(=teleport.version=)" !)
</TabItem>
</TabItem>
<TabItem label="Teleport Enterprise" scope="enterprise">
<TabItem label="Cloud" scope="cloud">
(!docs/pages/includes/install-windows-tsh.mdx version="(=teleport.version=)" !)
</TabItem>
<TabItem label="Teleport Enterprise Cloud" scope="cloud">
(!docs/pages/includes/install-windows-tsh.mdx version="(=cloud.version=)" !)
</TabItem>
</Tabs>
</TabItem>
</Tabs>


@ -0,0 +1,56 @@
<Tabs>
<TabItem scope="team" label="Teleport Team">
- A Teleport Team account. If you do not have one, visit the [signup
page](https://goteleport.com/signup/) to begin your free trial.
- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=).
```code
$ tctl version
# Teleport v(=teleport.version=) go(=teleport.golang=)
$ tsh version
# Teleport v(=teleport.version=) go(=teleport.golang=)
```
See [Installation](../installation.mdx) for details.
</TabItem>
<TabItem
scope={["enterprise"]} label="Teleport Enterprise">
- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise
[Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide.
- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=teleport.version=),
which you can download by visiting your [Teleport account](https://teleport.sh).
```code
$ tctl version
# Teleport Enterprise v(=teleport.version=) go(=teleport.golang=)
$ tsh version
# Teleport v(=teleport.version=) go(=teleport.golang=)
```
</TabItem>
<TabItem scope={["cloud"]}
label="Teleport Enterprise Cloud">
- A Teleport Enterprise Cloud account. If you do not have one, visit the [signup
page](https://goteleport.com/signup/) to begin your free trial.
- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=cloud.version=).
To download these tools, visit the [Downloads](../choose-an-edition/teleport-cloud/downloads.mdx) page.
```code
$ tctl version
# Teleport Enterprise v(=cloud.version=) go(=teleport.golang=)
$ tsh version
# Teleport v(=cloud.version=) go(=teleport.golang=)
```
</TabItem>
</Tabs>


@ -0,0 +1,38 @@
<Tabs>
<TabItem scope={["oss"]} label="Teleport Community Edition">
- A running Teleport cluster. For details on how to set this up, see our
[Getting Started](../index.mdx) guide.
- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=).
```code
$ tctl version
# Teleport v(=teleport.version=) go(=teleport.golang=)
$ tsh version
# Teleport v(=teleport.version=) go(=teleport.golang=)
```
See [Installation](../installation.mdx) for details.
</TabItem>
<TabItem
scope={["enterprise"]} label="Teleport Enterprise">
- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise
[Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide.
- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=teleport.version=),
which you can download by visiting your [Teleport account](https://teleport.sh).
```code
$ tctl version
# Teleport Enterprise v(=teleport.version=) go(=teleport.golang=)
$ tsh version
# Teleport v(=teleport.version=) go(=teleport.golang=)
```
</TabItem>
</Tabs>


@ -1,9 +1,9 @@
Troubleshooting SSO configuration can be challenging. Usually a Teleport administrator
must be able to:
<ScopedBlock scope={["oss","enterprise"]}>
- Ensure that HTTP/TLS certificates are configured properly for both Teleport
proxy and the SSO provider.
<ScopedBlock scope={["enterprise"]}>
- Ensure that HTTP/TLS certificates are configured properly for both the Teleport
Proxy Service and the SSO provider.
</ScopedBlock>
- Be able to see what SAML/OIDC claims and values are getting exported and passed
by the SSO provider to Teleport.


@ -1,6 +1,9 @@
Make sure you can connect to Teleport. Log in to your cluster using `tsh`, then use `tctl`
remotely:
{/* Ignoring scope linting since we use this partial throughout the docs and
cannot guarantee that it will line up with a page's configured scopes*/}
{/*lint ignore scopes*/}
<ScopedBlock scope={["oss", "enterprise"]}>
```code
@ -16,7 +19,8 @@ You can run subsequent `tctl` commands in this guide on your local machine.
For full privileges, you can also run `tctl` commands on your Auth Service host.
</ScopedBlock>
<ScopedBlock scope="cloud">
{/*lint ignore scopes*/}
<ScopedBlock scope={["cloud","team"]}>
```code
$ tsh login --proxy=myinstance.teleport.sh --user=email@example.com


@ -153,7 +153,7 @@ either:
`(=teleport.version=)`.
<Tabs>
<TabItem label="Open Source" scope={["cloud", "enterprise"]}>
<TabItem label="Teleport Team/Community Edition" scope={["oss", "team"]}>
|Image name|Troubleshooting Tools?|Image base|
|-|-|-|
@ -169,7 +169,7 @@ repository](https://gallery.ecr.aws/gravitational/teleport-ent). Their use is
considered deprecated, and they may be removed in future releases.
</TabItem>
<TabItem label="Enterprise" scope={["cloud", "enterprise"]}>
<TabItem label="Teleport Enterprise Cloud/Enterprise" scope={["cloud", "enterprise"]}>
| Image name | Includes troubleshooting tools | Image base |
| - | - | - |
@ -346,7 +346,7 @@ chart.
## macOS
<Tabs dropdownView dropdownCaption="Teleport Edition">
<TabItem label="Open Source" scope="oss">
<TabItem label="Teleport Team/Community Edition" scope={["oss","team"]}>
<Tabs>
<TabItem label="Teleport package" >
You can download one of the following .pkg installers for macOS:
@ -418,7 +418,7 @@ chart.
(!docs/pages/includes/enterprise/install-macos.mdx!)
</TabItem>
<TabItem label="Cloud" scope="cloud">
<TabItem label="Enterprise Cloud" scope="cloud">
(!docs/pages/includes/cloud/install-macos.mdx!)


@ -77,7 +77,7 @@ or up to one major version back. You can set the version override with the overr
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
<Tabs>
<TabItem scope={["oss"]} label="Open Source">
<TabItem scope={["oss","team"]} label="Teleport Team/Community Edition">
Switch `kubectl` to the Kubernetes cluster `cookie` and run the following
commands, assigning `PROXY_ADDR` to the address of your Auth Service or Proxy


@ -42,7 +42,7 @@ $ tsh --proxy=main.example.com login east
```
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
When multiple Trusted Clusters are present behind the Teleport Proxy Service, the
`kubeconfig` generated by [tsh login](../../reference/cli.mdx#tsh-login) will contain the
@ -52,7 +52,7 @@ login](../../reference/cli.mdx#tsh-login).
For example, consider the following setup:
- There are two Teleport/Kubernetes clusters, `east` and `west`. These are the names set in `cluster_name` setting in their configuration files.
- The clusters `east` and `west` are Trusted Clusters for a Teleport Cloud tenant, `mytenant.teleport.sh`.
- The clusters `east` and `west` are Trusted Clusters for a Teleport Team or Enterprise Cloud tenant, `mytenant.teleport.sh`.
- Users always authenticate against `mytenant.teleport.sh` but use their certificates to access
SSH nodes and the Kubernetes API in all three clusters.


@ -150,11 +150,11 @@ Teleport v9.0.4 git: go1.18
### Pose your question
<Tabs>
<TabItem scope={["cloud", "enterprise"]} label="Commercial">
<TabItem scope={["cloud", "enterprise","team"]} label="Commercial Teleport Editions">
If you need help, please ask on our [community forum](https://github.com/gravitational/teleport/discussions). You can also open an [issue on GitHub](https://github.com/gravitational/teleport/issues) or create a ticket through your [Teleport account](https://teleport.sh).
</TabItem>
<TabItem scope={["oss"]} label="Open Source">
<TabItem scope={["oss"]} label="Teleport Community Edition">
If you need help, please ask on our [community forum](https://github.com/gravitational/teleport/discussions). You can also open an [issue on GitHub](https://github.com/gravitational/teleport/issues).
For more information about custom features, or to try our [Enterprise edition](../../choose-an-edition/teleport-enterprise/introduction.mdx) of Teleport, please reach out to us at [sales](https://goteleport.com/signup/enterprise/).


@ -42,6 +42,26 @@ This guide will explain how to:
## Prerequisites
<Tabs>
<TabItem scope="team" label="Teleport Team">
- A Teleport Team account. If you do not have one, visit the [signup
page](https://goteleport.com/signup/) to begin your free trial.
- A second Teleport cluster, which will act as the leaf cluster. For details on
how to set up this cluster, see our [Getting Started](../../index.mdx)
guide.
As an alternative, you can set up a second Teleport Team account.
- (!docs/pages/includes/cloud/tctl-tsh-prerequisite.mdx!)
- A Teleport Node that is joined to one of your clusters. We will refer to this
cluster as the **leaf cluster** throughout this guide.
See [Join Services to your Cluster](../../agents/join-services-to-your-cluster.mdx) for
how to launch a Teleport Node in your cluster.
</TabItem>
<TabItem scope={["oss"]} label="Open Source">
- Two running Teleport clusters. For details on how to set up your clusters, see
@ -76,7 +96,7 @@ This guide will explain how to:
</TabItem>
<TabItem scope={["cloud"]}
label="Teleport Cloud">
label="Teleport Enterprise Cloud">
- A Teleport Enterprise Cloud account. If you do not have one, visit the [sign
up page](https://goteleport.com/signup/) to begin a free trial of Teleport
@ -981,7 +1001,7 @@ should check to see the following:
cluster. Check the audit log messages on both clusters to get answers for the
questions above.
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
Troubleshooting "access denied" messages can be challenging. A Teleport administrator
should check to see the following:
@ -995,6 +1015,7 @@ should check to see the following:
</Tabs>
## Further reading
- Read more about how Trusted Clusters fit into Teleport's overall architecture:
[Architecture Introduction](../../architecture/trustedclusters.mdx).


@ -70,9 +70,9 @@ $ docker stop teleport
## Step 2/3. Remove Teleport binaries
<Tabs dropdownView dropdownCaption="Teleport Edition">
<TabItem label="Open Source" scope="oss">
<TabItem label="Teleport Community Edition/Teleport Team" scope={["oss","team"]}>
<Tabs>
<TabItem label="Debian/Ubuntu Linux (DEB)" scope="oss">
<TabItem label="Debian/Ubuntu Linux (DEB)">
Uninstall the Teleport binary using APT:
@ -95,7 +95,7 @@ $ docker stop teleport
</Admonition>
</TabItem>
<TabItem label="Amazon Linux 2/RHEL (RPM)" scope="oss">
<TabItem label="Amazon Linux 2/RHEL (RPM)">
Uninstall the Teleport binary using YUM:
@ -120,7 +120,7 @@ $ docker stop teleport
</Admonition>
</TabItem>
<TabItem label="Linux Tarball" scope="oss">
<TabItem label="Linux Tarball">
<Admonition type="notice">
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@ -137,7 +137,7 @@ $ docker stop teleport
```
</TabItem>
<TabItem label="MacOS" scope="oss">
<TabItem label="MacOS">
<Admonition type="notice">
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@ -163,7 +163,7 @@ $ docker stop teleport
</Admonition>
</TabItem>
<TabItem label="Windows" scope="oss">
<TabItem label="Windows">
Remove the `tsh.exe` binary from the machine:
@ -179,7 +179,7 @@ $ docker stop teleport
<TabItem label="Enterprise" scope="enterprise">
<Tabs>
<TabItem label="Debian/Ubuntu Linux (DEB)" scope="enterprise">
<TabItem label="Debian/Ubuntu Linux (DEB)">
Uninstall the Teleport binary using APT:
@ -207,7 +207,7 @@ $ docker stop teleport
</Admonition>
</TabItem>
<TabItem label="Amazon Linux 2/RHEL (RPM)" scope="enterprise">
<TabItem label="Amazon Linux 2/RHEL (RPM)">
Uninstall the Teleport binary using YUM:
@ -238,7 +238,7 @@ $ docker stop teleport
</Admonition>
</TabItem>
<TabItem label="Linux Tarball" scope="enterprise">
<TabItem label="Linux Tarball">
<Admonition type="notice">
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@ -255,7 +255,7 @@ $ docker stop teleport
```
</TabItem>
<TabItem label="MacOS" scope="enterprise">
<TabItem label="MacOS">
<Admonition type="notice">
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@ -281,7 +281,7 @@ $ docker stop teleport
</Admonition>
</TabItem>
<TabItem label="Windows" scope="enterprise">
<TabItem label="Windows">
Remove the `tsh.exe` binary from the machine:
@ -294,10 +294,10 @@ $ docker stop teleport
</TabItem>
</Tabs>
</TabItem>
<TabItem label="Cloud" scope="cloud">
<TabItem label="Teleport Enterprise Cloud" scope="cloud">
<Tabs>
<TabItem label="Debian/Ubuntu Linux (DEB)" scope="cloud">
<TabItem label="Debian/Ubuntu Linux (DEB)">
Uninstall the Teleport binary using APT:
@ -324,7 +324,7 @@ $ docker stop teleport
</Admonition>
</TabItem>
<TabItem label="Amazon Linux 2/RHEL (RPM)" scope="cloud">
<TabItem label="Amazon Linux 2/RHEL (RPM)">
Uninstall the Teleport binary using YUM:
@ -354,7 +354,7 @@ $ docker stop teleport
</Admonition>
</TabItem>
<TabItem label="Linux Tarball" scope="cloud">
<TabItem label="Linux Tarball">
<Admonition type="notice">
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@ -371,7 +371,7 @@ $ docker stop teleport
```
</TabItem>
<TabItem label="MacOS" scope="cloud">
<TabItem label="MacOS">
<Admonition type="notice">
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@ -397,7 +397,7 @@ $ docker stop teleport
</Admonition>
</TabItem>
<TabItem label="Windows" scope="cloud">
<TabItem label="Windows">
Remove the `tsh.exe` binary from the machine:


@ -112,7 +112,7 @@ $ tctl users rm joe
## Next steps
<Tabs>
<TabItem scope={["enterprise", "cloud"]} label="Commercial">
<TabItem scope={["enterprise", "cloud"]} label="Teleport Enterprise/Enterprise Cloud">
In addition to users, you can use `tctl` to manage roles and other dynamic
resources. See our [Teleport Resources Reference](../../reference/resources.mdx).
@ -125,7 +125,7 @@ For more information, see:
- [Single Sign-On](../../access-controls/sso.mdx)
</TabItem>
<TabItem scope={["oss"]} label="Open Source">
<TabItem scope={["oss","team"]} label="Teleport Team/Community Edition">
In addition to users, you can use `tctl` to manage roles and other dynamic
resources. See our [Teleport Resources Reference](../../reference/resources.mdx).


@ -34,7 +34,7 @@ This guide covers how to:
## Prerequisites
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
(!docs/pages/includes/self-hosted-prereqs-tabs.mdx!)
- Kubernetes cluster (with or without `teleport-cluster` Helm chart already deployed);
- [Helm](https://helm.sh/docs/intro/quickstart/)


@ -138,7 +138,7 @@ Paste the following into a file called `main.tf` to define an example user and
role using Terraform.
<Tabs>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
```
(!examples/resources/terraform/terraform-user-role-cloud.tf!)
```


@ -48,7 +48,7 @@ d-->h(Datadog)
## Prerequisites
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- A [Datadog](https://www.datadoghq.com/) account.
- A server, virtual machine, Kubernetes cluster, or Docker environment to run the
@ -125,12 +125,12 @@ read events. We export an identity file for the user with the `tctl auth sign`
command.
<Tabs>
<TabItem label="Executable" scope={["oss","enterprise"]}>
<TabItem label="Executable">
(!docs/pages/includes/plugins/identity-export.mdx user="teleport-event-handler"!)
</TabItem>
<TabItem label="Helm Chart" scope={["cloud"]}>
<TabItem label="Helm Chart">
(!docs/pages/includes/plugins/identity-export.mdx user="teleport-event-handler"!)
@ -217,7 +217,7 @@ Earlier, we generated a file called `teleport-event-handler.toml` to configure
the Fluentd event handler. This file includes setting similar to the following:
<Tabs>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
```toml
storage = "./storage"


@ -15,7 +15,7 @@ stores them in Elasticsearch for visualization and alerting in Kibana.
## Prerequisites
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- Logstash version 8.4.1 or above running on a Linux host. Logstash must be
listening on a TCP port that is open to traffic from <ScopedBlock


@ -131,7 +131,7 @@ connection to the Auth Service. The plugin uses this reverse tunnel, along with
your TLS credentials, to connect to the Auth Service's gRPC endpoint.
</TabItem>
<TabItem label="Teleport Cloud" scope={["cloud"]}>
<TabItem label="Cloud-Hosted" scope={["cloud","team"]}>
```code
$ tctl auth sign --user=teleport-event-handler --out=identity
```
@ -143,7 +143,7 @@ connection to the Auth Service. The plugin uses this reverse tunnel, along with
your TLS credentials, to connect to the Auth Service's gRPC endpoint.
</TabItem>
<TabItem label="Helm Chart" scope={["cloud"]}>
<TabItem label="Helm Chart" scope={["cloud","team","oss","enterprise"]}>
If you are planning to use the Helm Chart, you'll need to generate the keys
with the `file` format, then create a secret in Kubernetes.
@ -235,7 +235,7 @@ Earlier, we generated a file called `teleport-event-handler.toml` to configure
the Fluentd event handler. This file includes setting similar to the following:
<Tabs>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
```toml
storage = "./storage"


@ -16,7 +16,7 @@ visualization and alerting.
## Prerequisites
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- Splunk Cloud Platform or Splunk Enterprise v9.0.1 or above.


@ -47,9 +47,10 @@ Teleport audit logs, logged events have a TTL of 1 year.
| Firestore | [Follow GCP's guidelines for automated backups](https://firebase.google.com/docs/database/backups) |
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
Teleport Cloud manages all Auth Service and Proxy Service backups.
Teleport Team and Teleport Enterprise Cloud manage all Auth Service and Proxy
Service backups.
While Teleport Nodes are stateless, you should ensure that you can restore their
configuration files.
@ -80,7 +81,7 @@ If you're running Teleport at scale, your teams need to have an automated way to
if a resource already exists, so this command can be run regularly.
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
- Store your dynamic resource configurations as discrete files in a git
repository.
@ -224,9 +225,10 @@ also apply to a new cluster being bootstrapped from the state of an old cluster:
dynamically will need to be re-invited.
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Team/Enterprise Cloud">
In Teleport Cloud, backend data is managed for you automatically.
In Teleport Team and Teleport Enterprise Cloud, backend data is managed for you
automatically.
If you would like to migrate configuration resources to a self-hosted Teleport
cluster, follow our recommended backup practice of storing configuration


@ -4,14 +4,7 @@ description: How to configure Teleport for large-scale deployments
---
This section explains the recommended configuration settings for large-scale
deployments of Teleport.
<ScopedBlock scope="cloud">
For Teleport Cloud customers, the settings in this guide are configured
automatically.
</ScopedBlock>
self-hosted deployments of Teleport.
(!docs/pages/includes/cloud/call-to-action.mdx!)


@ -89,7 +89,7 @@ When upgrading multiple clusters:
2. Upgrade the Trusted Clusters.
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
The Teleport Auth Service and Proxy Service are upgraded automatically. When
upgrading resource services, you may upgrade in any sequence or at the same


@ -22,7 +22,7 @@ Teleport lets you make it mandatory for a user to enroll an MFA device when they
To do so, make the following changes depending on your environment:
<Tabs>
<TabItem label="Self-hosted" scope={["oss","enterprise"]}>
<TabItem label="Self-Hosted" scope={["oss","enterprise"]}>
Ensure that the value of `auth_service.authentication.second_factor` is `otp`,
`webauthn`, or `on`:
@ -34,7 +34,7 @@ auth_service:
```
</TabItem>
<TabItem label="Teleport Cloud" scope={["cloud"]}>
<TabItem label="Cloud-Hosted" scope={["cloud","team"]}>
Obtain your existing `cluster_auth_preference` resource:
@ -99,7 +99,7 @@ auth_service:
require_session_mfa: yes
```
</TabItem>
<TabItem label="Teleport Cloud" scope={["cloud"]}>
<TabItem label="Cloud-Hosted" scope={["cloud", "team"]}>
Create the following `cluster_auth_preference` dynamic resource:
```yaml


@ -16,7 +16,7 @@ There are two components of the audit log:
but can be configured to be done by the proxy.
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
1. **Cluster Events:** Teleport logs events like successful user logins along
with metadata like remote IP address, time, and the session ID.
@ -72,10 +72,10 @@ $ ls -l /var/lib/teleport/log/
```
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
Teleport Cloud manages the storage of audit logs for you. You can access your
audit logs via the Teleport Web UI by clicking:
Teleport Team and Teleport Enterprise Cloud manage the storage of audit logs for
you. You can access your audit logs via the Teleport Web UI by clicking:
**Activity** > **Audit Log**
@ -180,9 +180,10 @@ $ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json
```
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
Teleport Cloud automatically stores recorded sessions.
Teleport Team and Teleport Enterprise Cloud automatically store recorded
sessions.
You can replay recorded sessions using the [`tsh play`](./cli.mdx#tsh-play) command or the Web
UI.


@ -79,12 +79,11 @@ Create the `cluster_auth_preference` resource via `tctl`:
$ tctl create -f cap.yaml
```
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
You can modify these settings using dynamic configuration resources.
Log in to Teleport from your local machine so you can use the Enterprise
edition of the `tctl` admin tool:
Log in to Teleport from your local machine so you can use the `tctl` admin tool:
```code
$ tsh login --proxy=myinstance.teleport.sh
@ -168,7 +167,28 @@ The user will now be unblocked from login attempts and can attempt to authentica
## Authentication connectors
<Tabs>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope="team" label="Teleport Team">
### GitHub
This connector implements GitHub's OAuth 2.0 authentication flow. Please refer to GitHub's documentation on [Creating an OAuth App](https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/)
to learn how to create and register an OAuth app.
Here is an example of this setting in a `cluster_auth_preference` resource:
```yaml
kind: cluster_auth_preference
metadata:
name: cluster-auth-preference
spec:
type: github
version: v2
```
See [GitHub OAuth 2.0](../access-controls/sso/github-sso.mdx) for details on how to configure it.
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Enterprise Cloud">
### GitHub


@ -4,15 +4,11 @@ description: How to configure Teleport deployment for high-availability using st
---
A Teleport cluster stores different types of data in different locations. By
default everything is stored in a local directory at the Auth server.
Integration with other storage types is implemented based on the nature of the
stored data (size, read/write ratio, mutability, etc.).
default everything is stored in a local directory on the Auth Service host.
<ScopedBlock scope={["cloud"]}>
Teleport Cloud manages Auth Service and Proxy Service data for you, so there is
no need to configure a backend.
</ScopedBlock>
For self-hosted Teleport deployments, you can configure Teleport to integrate
with other storage types based on the nature of the stored data (size,
read/write ratio, mutability, etc.).
| Data type | Description | Supported storage backends |
| - | - | - |


@ -1575,7 +1575,7 @@ which could result in the error,
`ERROR: open /var/lib/teleport/host_uuid: permission denied`.
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
When running `tctl` commands, administrators must authenticate to a Teleport
cluster. This can be done in two ways:
@ -2982,7 +2982,7 @@ Starts the Machine ID client `tbot`, fetching and writing certificates to disk a
#### Examples
<Tabs>
<TabItem scope={["Cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
```code
$ tbot start \
@ -2995,7 +2995,7 @@ $ tbot start \
```
</TabItem>
<TabItem scope={["Enterprise/OSS"]} label="Enterprise/OSS">
<TabItem scope={["enterprise", "oss"]} label="Self-Hosted">
```code
$ tbot start \


@ -25,7 +25,7 @@ following use cases:
- You want Teleport to issue an SSH certificate for the service with additional
principals, e.g., host names.
</TabItem>
<TabItem scope={["cloud"]} label="Cloud-Hosted Teleport">
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
All Teleport services (e.g., the Application Service and Database Service) have
an optional `public_addr` property that you can modify in each service's
@ -157,7 +157,7 @@ In those cases, they can set up separate listeners in the config file.
| 3025 | All Teleport services | TLS port used by the Auth Service to serve its gRPC API to other Teleport services in a cluster.|
</TabItem>
<TabItem scope={["cloud"]} label="Cloud-Hosted Teleport">
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
### Proxy Service ports


@ -241,7 +241,7 @@ To quickly check the status of the audit log, you can simply tail the logs with
`tail -f /var/lib/teleport/log/events.log`. The resulting capture from Teleport will
be a JSON log for each command and network request.
</TabItem>
<TabItem scope={["cloud"]} label="Teleport Cloud">
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
Enhanced session recording events will be shown in Teleport's audit log, which
you can inspect by visiting Teleport's Web UI.


@ -15,14 +15,14 @@ when gradually transitioning large server fleets to Teleport.
![Teleport OpenSSH Recording Proxy](../../../img/server-access/openssh-proxy.svg)
</Figure>
<ScopedBlock scope={["cloud"]}>
<Notice type="warning">
Teleport Cloud only supports session recording at the Node level. If you are
interested in setting up session recording, read our
[Server Access Getting Started Guide](../getting-started.mdx) so you can start
replacing your OpenSSH servers with Teleport Nodes.
</ScopedBlock>
</Notice>
We consider Recording Proxy Mode to be less secure than recording at the Node
level for two reasons:
@ -34,7 +34,7 @@ The Teleport Proxy Service should be available to clients and set up with TLS.
## Prerequisites
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
(!docs/pages/includes/self-hosted-prereqs-tabs.mdx!)
- A host where you will run an OpenSSH server.
- (!docs/pages/includes/tctl.mdx!)