Edit forScopes configurations and edit guides (#28443)
* Edit forScopes configurations and edit guides. Closes #26500. This change requires merging gravitational/docs#326 to add a Team scope to the docs. It updates pages within the docs so that: - Each page's `forScopes` configuration is accurate, especially with regard to support for Teleport Team. - All scoped components match the `forScopes` configuration for each page. For this, I used the linter introduced by gravitational/docs#327. * Respond to alexfornuto feedback
parent
1687b2cc12
commit
c5ced551eb
|
@ -31,7 +31,7 @@
|
|||
{
|
||||
"title": "Teleport Assist",
|
||||
"slug": "/ai-assist/",
|
||||
"forScopes": ["oss"]
|
||||
"forScopes": ["oss", "team"]
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -45,7 +45,8 @@
|
|||
},
|
||||
{
|
||||
"title": "Teleport Team",
|
||||
"slug": "/choose-an-edition/teleport-team/"
|
||||
"slug": "/choose-an-edition/teleport-team/",
|
||||
"forScopes": ["team"]
|
||||
},
|
||||
{
|
||||
"title": "Teleport Enterprise Cloud",
|
||||
|
@ -99,7 +100,8 @@
|
|||
"entries": [
|
||||
{
|
||||
"title": "Introduction",
|
||||
"slug": "/deploy-a-cluster/introduction/"
|
||||
"slug": "/deploy-a-cluster/introduction/",
|
||||
"forScopes": ["oss", "enterprise"]
|
||||
},
|
||||
{
|
||||
"title": "High Availability Deployments",
|
||||
|
@ -246,7 +248,7 @@
|
|||
{
|
||||
"title": "Single Sign-On (SSO)",
|
||||
"slug": "/access-controls/sso/",
|
||||
"forScopes": ["enterprise", "oss", "cloud"],
|
||||
"forScopes": ["oss", "team", "enterprise", "cloud"],
|
||||
"entries": [
|
||||
{
|
||||
"title": "Active Directory (ADFS)",
|
||||
|
@ -260,8 +262,7 @@
|
|||
},
|
||||
{
|
||||
"title": "GitHub",
|
||||
"slug": "/access-controls/sso/github-sso/",
|
||||
"forScopes": ["enterprise", "cloud", "oss"]
|
||||
"slug": "/access-controls/sso/github-sso/"
|
||||
},
|
||||
{
|
||||
"title": "GitLab",
|
||||
|
@ -293,22 +294,22 @@
|
|||
{
|
||||
"title": "Teleport as an IdP",
|
||||
"slug": "/access-controls/idps/",
|
||||
"forScopes": ["enterprise", "cloud"],
|
||||
"forScopes": ["enterprise", "cloud", "team"],
|
||||
"entries": [
|
||||
{
|
||||
"title": "SAML Identity Provider Guide",
|
||||
"slug": "/access-controls/idps/saml-guide/",
|
||||
"forScopes": ["enterprise", "cloud"]
|
||||
"forScopes": ["enterprise", "cloud", "team"]
|
||||
},
|
||||
{
|
||||
"title": "Authenticate to Grafana with Teleport SAML",
|
||||
"slug": "/access-controls/idps/saml-grafana/",
|
||||
"forScopes": ["enterprise", "cloud"]
|
||||
"forScopes": ["enterprise", "cloud", "team"]
|
||||
},
|
||||
{
|
||||
"title": "SAML Identity Provider Reference",
|
||||
"slug": "/access-controls/idps/saml-reference/",
|
||||
"forScopes": ["enterprise", "cloud"]
|
||||
"forScopes": ["enterprise", "cloud", "team"]
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -380,7 +381,8 @@
|
|||
"entries": [
|
||||
{
|
||||
"title": "Role Requests",
|
||||
"slug": "/access-controls/access-requests/role-requests/"
|
||||
"slug": "/access-controls/access-requests/role-requests/",
|
||||
"forScopes": ["enterprise", "cloud"]
|
||||
},
|
||||
{
|
||||
"title": "Resource Requests",
|
||||
|
@ -390,7 +392,7 @@
|
|||
{
|
||||
"title": "Role Requests in OSS Teleport",
|
||||
"slug": "/access-controls/access-requests/oss-role-requests/",
|
||||
"forScopes": ["oss", "enterprise", "cloud"]
|
||||
"forScopes": ["oss"]
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -473,7 +475,8 @@
|
|||
"entries": [
|
||||
{
|
||||
"title": "Kubernetes Operator (Preview)",
|
||||
"slug": "/management/dynamic-resources/teleport-operator/"
|
||||
"slug": "/management/dynamic-resources/teleport-operator/",
|
||||
"forScopes": ["oss","enterprise"]
|
||||
},
|
||||
{
|
||||
"title": "Terraform Provider",
|
||||
|
@ -499,8 +502,7 @@
|
|||
},
|
||||
{
|
||||
"title": "Troubleshooting",
|
||||
"slug": "/management/admin/troubleshooting/",
|
||||
"forScopes": ["oss", "enterprise", "cloud"]
|
||||
"slug": "/management/admin/troubleshooting/"
|
||||
},
|
||||
{
|
||||
"title": "Upgrading the Teleport Binary",
|
||||
|
@ -512,7 +514,8 @@
|
|||
},
|
||||
{
|
||||
"title": "Run Teleport with Self-Signed Certificates",
|
||||
"slug": "/management/admin/self-signed-certs/"
|
||||
"slug": "/management/admin/self-signed-certs/",
|
||||
"forScopes": ["oss", "enterprise"]
|
||||
},
|
||||
{
|
||||
"title": "Uninstall Teleport",
|
||||
|
@ -535,8 +538,7 @@
|
|||
},
|
||||
{
|
||||
"title": "Backup and Restore",
|
||||
"slug": "/management/operations/backup-restore/",
|
||||
"forScopes": ["oss", "enterprise"]
|
||||
"slug": "/management/operations/backup-restore/"
|
||||
},
|
||||
{
|
||||
"title": "Cert Authority Rotation",
|
||||
|
@ -553,12 +555,12 @@
|
|||
"forScopes": ["enterprise"]
|
||||
},
|
||||
{
|
||||
"title": "Self-hosted automatic updates",
|
||||
"title": "Self-Hosted Automatic Updates",
|
||||
"slug": "/management/operations/self-hosted-automatic-agent-updates/",
|
||||
"forScopes": ["enterprise"]
|
||||
},
|
||||
{
|
||||
"title": "Enroll agent in automatic updates",
|
||||
"title": "Enroll Agents in Automatic Updates",
|
||||
"slug": "/management/operations/enroll-agent-into-automatic-updates/",
|
||||
"forScopes": ["enterprise", "cloud"]
|
||||
}
|
||||
|
@ -620,23 +622,19 @@
|
|||
"entries": [
|
||||
{
|
||||
"title": "Export Audit Events to Fluentd",
|
||||
"slug": "/management/export-audit-events/fluentd/",
|
||||
"forScopes": ["enterprise", "cloud"]
|
||||
"slug": "/management/export-audit-events/fluentd/"
|
||||
},
|
||||
{
|
||||
"title": "Export Audit Events to Datadog",
|
||||
"slug": "/management/export-audit-events/datadog/",
|
||||
"forScopes": ["enterprise", "cloud"]
|
||||
"slug": "/management/export-audit-events/datadog/"
|
||||
},
|
||||
{
|
||||
"title": "Export Audit Events to the Elastic Stack",
|
||||
"slug": "/management/export-audit-events/elastic-stack/",
|
||||
"forScopes": ["enterprise", "cloud"]
|
||||
"slug": "/management/export-audit-events/elastic-stack/"
|
||||
},
|
||||
{
|
||||
"title": "Export Audit Events to Splunk",
|
||||
"slug": "/management/export-audit-events/splunk/",
|
||||
"forScopes": ["enterprise", "cloud"]
|
||||
"slug": "/management/export-audit-events/splunk/"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -686,7 +684,8 @@
|
|||
"entries": [
|
||||
{
|
||||
"title": "Via AWS EC2",
|
||||
"slug": "/agents/join-services-to-your-cluster/aws-ec2/"
|
||||
"slug": "/agents/join-services-to-your-cluster/aws-ec2/",
|
||||
"forScopes": ["oss", "enterprise"]
|
||||
},
|
||||
{
|
||||
"title": "Via AWS IAM",
|
||||
|
@ -1317,7 +1316,8 @@
|
|||
},
|
||||
{
|
||||
"title": "How to Build an Access Request Plugin",
|
||||
"slug": "/api/access-plugin/"
|
||||
"slug": "/api/access-plugin/",
|
||||
"forScopes": ["enterprise", "cloud"]
|
||||
},
|
||||
{
|
||||
"title": "Automatically Register Teleport Agents",
|
||||
|
@ -1388,7 +1388,11 @@
|
|||
"entries": [
|
||||
{
|
||||
"title": "teleport-cluster",
|
||||
"slug": "/reference/helm-reference/teleport-cluster/"
|
||||
"slug": "/reference/helm-reference/teleport-cluster/",
|
||||
"forScopes": [
|
||||
"oss",
|
||||
"enterprise"
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "teleport-kube-agent",
|
||||
|
@ -1456,7 +1460,8 @@
|
|||
},
|
||||
{
|
||||
"title": "Proxy Peering (Preview)",
|
||||
"slug": "/architecture/proxy-peering/"
|
||||
"slug": "/architecture/proxy-peering/",
|
||||
"forScopes": ["enterprise"]
|
||||
},
|
||||
{
|
||||
"title": "Agent Update Management",
|
||||
|
|
|
@ -286,7 +286,7 @@ Once Teleport is running, you've created the Discord app, and the plugin is
|
|||
configured, you can now run the plugin and test the workflow.
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Executable" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Executable">
|
||||
Start the plugin:
|
||||
|
||||
```code
|
||||
|
@ -301,7 +301,7 @@ INFO Starting Teleport Access Discord Plugin 7.2.1: discord/app.go:80
|
|||
INFO Plugin is ready discord/app.go:101
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem label="Helm Chart" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Helm Chart">
|
||||
Install the plugin:
|
||||
|
||||
```code
|
||||
|
|
|
@ -38,20 +38,23 @@ in your Teleport cluster.
|
|||
|
||||
## Step 2/7. Install the Teleport email plugin
|
||||
|
||||
<ScopedBlock scope={["enterprise", "oss"]}>
|
||||
In this step, you will install the Teleport email plugin.
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Teleport Enterprise" scope={["enterprise"]}>
|
||||
|
||||
We recommend installing Teleport plugins on the same host as the Teleport Proxy
|
||||
Service. This is an ideal location as plugins have a low memory footprint, and
|
||||
will require both public internet access and Teleport Auth Service access.
|
||||
|
||||
</ScopedBlock>
|
||||
|
||||
<ScopedBlock scope="cloud">
|
||||
</TabItem>
|
||||
<TabItem scope="cloud" label="Teleport Enterprise Cloud">
|
||||
|
||||
Install the Teleport email plugin on a host that can access both your
|
||||
Teleport Cloud tenant and your SMTP service.
|
||||
|
||||
</ScopedBlock>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
<Details title="Using a local SMTP server?">
|
||||
|
||||
|
|
|
@ -152,7 +152,7 @@ Edit the configuration as explained below:
|
|||
### `[mattermost]`
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Executable" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Executable">
|
||||
|
||||
**`url`**: Include the scheme (`https://`) and fully qualified domain name of
|
||||
your Mattermost deployment.
|
||||
|
@ -183,7 +183,7 @@ recipients = [
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Helm Chart" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Helm Chart">
|
||||
|
||||
**`url`**: Include the scheme (`https://`) and fully qualified domain name of
|
||||
your Mattermost deployment.
|
||||
|
@ -275,7 +275,7 @@ severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN"
|
|||
## Step 7/8. Test your Mattermost bot
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Executable" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Executable">
|
||||
After modifying your configuration, run the bot with the following command:
|
||||
|
||||
```code
|
||||
|
@ -294,7 +294,7 @@ DEBU Watcher connected mattermost/main.go:260
|
|||
DEBU Mattermost API health check finished ok mattermost/main.go:19
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem label="Helm Chart" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Helm Chart">
|
||||
After modifying your configuration, run the bot with the following command:
|
||||
|
||||
```code
|
||||
|
|
|
@ -32,20 +32,21 @@ PagerDuty.
|
|||
|
||||
- Either a Linux host or Kubernetes cluster where you will run the PagerDuty plugin.
|
||||
|
||||
<ScopedBlock scope={["enterprise", "oss"]}>
|
||||
<Tabs>
|
||||
<TabItem label="Teleport Enterprise" scope={["enterprise"]}>
|
||||
|
||||
We recommend installing Teleport plugins on the same host as the Teleport Proxy
|
||||
Service. This is an ideal location as plugins have a low memory footprint, and
|
||||
will require both public internet access and Teleport Auth Service access.
|
||||
|
||||
</ScopedBlock>
|
||||
|
||||
<ScopedBlock scope="cloud">
|
||||
</TabItem>
|
||||
<TabItem label="Teleport Enterprise Cloud" scope="cloud">
|
||||
|
||||
Install the Teleport PagerDuty plugin on a host that can access both your
|
||||
Teleport Cloud tenant and PagerDuty.
|
||||
|
||||
</ScopedBlock>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
- (!docs/pages/includes/tctl.mdx!)
|
||||
|
||||
|
@ -521,7 +522,7 @@ The final configuration should resemble the following:
|
|||
## Step 7/8. Test the PagerDuty plugin
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Executable" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Executable">
|
||||
After you configure the PagerDuty plugin, run the following command to start it.
|
||||
The `-d` flag will provide debug information to ensure that the plugin can
|
||||
connect to PagerDuty and your Teleport cluster:
|
||||
|
@ -539,7 +540,7 @@ $ teleport-pagerduty start -d
|
|||
# DEBU Setting up the webhook extensions pagerduty/main.go:178
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem label="Helm Chart" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Helm Chart">
|
||||
After modifying your configuration, run the bot with the following command:
|
||||
|
||||
```code
|
||||
|
@ -597,7 +598,7 @@ should still check the Teleport audit log to ensure that the right users are
|
|||
reviewing the right requests.
|
||||
|
||||
When auditing Access Request reviews, check for events with the type `Access
|
||||
Request Reviewed` in the Teleport Web UI <ScopedBlock scope={["oss",
|
||||
Request Reviewed` in the Teleport Web UI <ScopedBlock scope={[
|
||||
"enterprise"]}>and `access_request.review` if reviewing the audit log on the
|
||||
Auth Service host</ScopedBlock>.
|
||||
|
||||
|
|
|
@ -339,7 +339,7 @@ Once Teleport is running, you've created the Slack app, and the plugin is
|
|||
configured, you can now run the plugin and test the workflow.
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Executable" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Executable">
|
||||
Start the plugin:
|
||||
|
||||
```code
|
||||
|
@ -354,7 +354,7 @@ INFO Starting Teleport Access Slack Plugin 7.2.1: slack/app.go:80
|
|||
INFO Plugin is ready slack/app.go:101
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem label="Helm Chart" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Helm Chart">
|
||||
Install the plugin:
|
||||
|
||||
```code
|
||||
|
|
|
@ -10,7 +10,7 @@ via ChatOps or anywhere else via our flexible Authorization Workflow API.
|
|||
|
||||
## Prerequisites
|
||||
|
||||
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
|
||||
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
|
||||
|
||||
- (!docs/pages/includes/tctl.mdx!)
|
||||
|
||||
|
|
|
@ -7,13 +7,12 @@ h1: SOC 2 Compliance for SSH, Kubernetes, Databases, Desktops, and Web Apps
|
|||
Teleport is designed to meet SOC 2 requirements for the purposes of accessing infrastructure, change management, and system operations. This document outlines a high
|
||||
level overview of how Teleport can be used to help your company to become SOC 2 compliant.
|
||||
|
||||
<ScopedBlock
|
||||
scope={["oss"]}
|
||||
>
|
||||
<Notice type="warning">
|
||||
|
||||
This guide requires Teleport Cloud or Teleport Enterprise.
|
||||
SOC 2 compliance features are only available for Teleport Enterprise and
|
||||
Teleport Enterprise Cloud.
|
||||
|
||||
</ScopedBlock>
|
||||
</Notice>
|
||||
|
||||
## Achieving SOC 2 Compliance with Teleport
|
||||
SOC 2 or Service Organization Controls were developed by the American Institute of CPAs (AICPA). They are based on five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.
|
||||
|
|
|
@ -10,20 +10,19 @@ Here are the most common scenarios:
|
|||
- Improve the security of your system and prevent one successful phishing attack from compromising your system.
|
||||
- Satisfy FedRAMP AC-3 Dual authorization control that requires approval of two authorized individuals.
|
||||
|
||||
In this guide, we will set up Teleport's Just-in-Time Access Requests to require the approval
|
||||
of two team members for a privileged role `dbadmin`.
|
||||
In this guide, we will set up Teleport's Just-in-Time Access Requests to require
|
||||
the approval of two team members for a privileged role `dbadmin`.
|
||||
|
||||
<ScopedBlock scope="oss">
|
||||
The steps below describe how to use Teleport with Mattermost. You can also
|
||||
[integrate with many other providers](../access-requests.mdx).
|
||||
|
||||
This guide requires a commercial edition of Teleport. The open source
|
||||
edition of Teleport only supports [GitHub](../../access-controls/sso/github-sso.mdx) as
|
||||
an SSO provider.
|
||||
<Notice type="warning">
|
||||
|
||||
</ScopedBlock>
|
||||
This guide requires a commercial edition of Teleport. The open source edition of
|
||||
Teleport only supports [GitHub](../../access-controls/sso/github-sso.mdx) as an
|
||||
SSO provider.
|
||||
|
||||
<Admonition title="Note" type="tip">
|
||||
The steps below describe how to use Teleport with Mattermost. You can also [integrate with many other providers](../access-requests.mdx).
|
||||
</Admonition>
|
||||
</Notice>
|
||||
|
||||
## Prerequisites
|
||||
|
||||
|
@ -211,7 +210,7 @@ Bob can also assume granted Access Request roles using Web UI:
|
|||
|
||||
{/* TODO: This H2 will show up in the table of contents when this section is invisible.
|
||||
We need a way to hide invisible H2s from the TOC. */}
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
<ScopedBlock scope={["enterprise"]}>
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
|
|
|
@ -54,7 +54,7 @@ Additionally, this feature can be configured to require touch for every Teleport
|
|||
|
||||
## Prerequisites
|
||||
|
||||
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
|
||||
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
|
||||
|
||||
- A series 5+ YubiKey
|
||||
|
||||
|
|
|
@ -14,11 +14,11 @@ the session, and terminate the session at will.
|
|||
In addition, Teleport administrators can [define rules](#join_sessions) that allow users to join each other's
|
||||
sessions from `tsh` and the Web UI.
|
||||
|
||||
<ScopedBlock scope="oss">
|
||||
<Notice type="warning">
|
||||
|
||||
Moderated Sessions requires Teleport Enterprise or Teleport Cloud.
|
||||
Moderated Sessions requires Teleport Enterprise or Teleport Enterprise Cloud.
|
||||
|
||||
</ScopedBlock>
|
||||
</Notice>
|
||||
|
||||
### Use cases
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ WebAuthn is disabled by default. To enable WebAuthn support, update your
|
|||
Teleport configuration as below:
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Dynamic resources" scope={["oss", "enterprise", "cloud"]}>
|
||||
<TabItem label="Dynamic resources" scope={["team", "cloud"]}>
|
||||
|
||||
Edit the `cluster_auth_preference` resource:
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ not just those running behind the Teleport App Service.
|
|||
- An instance of Grafana Enterprise, with edit access to `grafana.ini`.
|
||||
- A trusted certificate authority to create TLS certificates/keys for the SAML connection.
|
||||
|
||||
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
|
||||
(!docs/pages/includes/no-oss-prereqs-tabs.mdx!)
|
||||
|
||||
- (!docs/pages/includes/tctl.mdx!)
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ authenticate to external services.
|
|||
|
||||
## Prerequisites
|
||||
|
||||
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
|
||||
(!docs/pages/includes/no-oss-prereqs-tabs.mdx!)
|
||||
|
||||
- (!docs/pages/includes/tctl.mdx!)
|
||||
- If you're new to SAML, consider reviewing our [SAML Identity Provider
|
||||
|
@ -126,4 +126,4 @@ are logged in, you should be re-routed to a success page on samltest.id.
|
|||
This has verified service provider initiated SSO. To verify identity provider initiated
|
||||
SSO, navigate to `https://<proxy-address>/enterprise/saml-idp/login/samltest-id`,
|
||||
where `samltest-id` is the friendly name of the service provider object created earlier.
|
||||
You should be redirected to the same successful login page seen earlier.
|
||||
You should be redirected to the same successful login page seen earlier.
|
||||
|
|
|
@ -241,7 +241,7 @@ scope={["enterprise"]}>either modify your Auth Service configuration file
|
|||
or </ScopedBlock>create a `cluster_auth_preference` resource.
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Static Config (Self-Hosted)" scope={["enterprise"]}>
|
||||
<TabItem label="Static Config (Self-Hosted)" scope={["enterprise","oss"]}>
|
||||
Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon.
|
||||
```yaml
|
||||
auth_service:
|
||||
|
@ -252,7 +252,7 @@ or </ScopedBlock>create a `cluster_auth_preference` resource.
|
|||
|
||||
(!docs/pages/includes/sso/idp-initiated.mdx!)
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Dynamic Resources (All Editions)">
|
||||
<TabItem scope={["cloud","team"]} label="Dynamic Resources (All Editions)">
|
||||
Create a file called `cap.yaml`:
|
||||
```yaml
|
||||
kind: cluster_auth_preference
|
||||
|
|
|
@ -221,7 +221,7 @@ Create the OIDC connector resource using `tctl`. We will explain how to choose
|
|||
values for fields within the resource spec below:
|
||||
|
||||
<Tabs>
|
||||
<TabItem scope={["oss", "enterprise", "cloud"]} label="Embedded JSON">
|
||||
<TabItem label="Embedded JSON">
|
||||
|
||||
Use this method to define the service account JSON in the connector resource.
|
||||
This method doesn't require providing the JSON file to the host(s) running the
|
||||
|
@ -274,7 +274,7 @@ version: v3
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["oss", "enterprise"]} label="Uploaded JSON file">
|
||||
<TabItem label="Uploaded JSON file">
|
||||
|
||||
Use this method for single self-hosted Teleport Auth instances, or when you can
|
||||
easily and reliably make the JSON file available to all hosts running the Auth
|
||||
|
|
|
@ -7,27 +7,25 @@ This guide will explain how to use the **EC2 join method** to configure Teleport
|
|||
processes to join your Teleport cluster without sharing any secrets when they
|
||||
are running in AWS.
|
||||
|
||||
<ScopedBlock scope="cloud">
|
||||
|
||||
The EC2 join method is not available in Teleport Enterprise Cloud. Teleport
|
||||
Enterprise Cloud customers can use the [IAM join method](./aws-iam.mdx) or
|
||||
[secret tokens](join-token.mdx).
|
||||
|
||||
</ScopedBlock>
|
||||
|
||||
The EC2 join method is available to any Teleport process running on an EC2
|
||||
instance. Only one Teleport process per EC2 instance may use the EC2 join
|
||||
instance. Only one Teleport process per EC2 instance may use the EC2 join
|
||||
method.
|
||||
|
||||
IAM credentials with `ec2:DescribeInstances` permissions are required on your
|
||||
Teleport Auth Service. No IAM credentials are required on the Teleport processes
|
||||
joining the cluster.
|
||||
|
||||
<Notice type="warning">
|
||||
|
||||
The EC2 join method is not available in Teleport Enterprise Cloud and Teleport
|
||||
Team. Teleport Enterprise Cloud and Team customers can use the [IAM join
|
||||
method](./aws-iam.mdx) or [secret tokens](join-token.mdx).
|
||||
|
||||
</Notice>
|
||||
|
||||
<Details
|
||||
opened
|
||||
title="Other AWS joining methods"
|
||||
scope={["oss", "enterprise"]}
|
||||
scopeOnly
|
||||
>
|
||||
|
||||
There are two other AWS join methods available depending on your use case.
|
||||
|
@ -46,7 +44,7 @@ AWS-specific APIs.
|
|||
|
||||
## Prerequisites
|
||||
|
||||
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
|
||||
(!docs/pages/includes/self-hosted-prereqs-tabs.mdx!)
|
||||
|
||||
- (!docs/pages/includes/tctl.mdx!)
|
||||
- An AWS EC2 instance to host a Teleport process, with the Teleport binary
|
||||
|
|
|
@ -6,8 +6,6 @@ description: How Teleport implements more efficient networking with Proxy Peerin
|
|||
<Details
|
||||
title="Version warning"
|
||||
opened={true}
|
||||
scope={["oss", "enterprise"]}
|
||||
scopeOnly={true}
|
||||
min="10.0"
|
||||
>
|
||||
Proxy Peering is available in Preview starting from Teleport `10.0`.
|
||||
|
|
|
@ -38,11 +38,7 @@ only ever exists in KMS when this feature is enabled.
|
|||
Read on to [migrating an existing cluster](#migrating-an-existing-cluster) to
|
||||
learn more.
|
||||
|
||||
<ScopedBlock scope={["oss", "cloud"]}>
|
||||
|
||||
This guide is intended for self-hosted Teleport Enterprise users.
|
||||
|
||||
</ScopedBlock>
|
||||
(!docs/pages/includes/cloud/call-to-action.mdx!)
|
||||
|
||||
## Prerequisites
|
||||
|
||||
|
|
|
@ -573,7 +573,7 @@ Here is the result:
|
|||
Enterprise.
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Teleport Cloud" scope="cloud">
|
||||
<TabItem label="Cloud-Hosted" scope={["cloud","team"]}>
|
||||
|
||||
Here are instructions for Teleport Cloud users.
|
||||
|
||||
|
|
|
@ -52,10 +52,10 @@ This is useful when the Teleport Web UI is running behind an L7 load balancer
|
|||
on a plain TCP load balancer (e.g. NLB in AWS).
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
In Teleport Cloud, the Proxy Service uses the following ports for
|
||||
Database Service client traffic:
|
||||
In Teleport Team and Teleport Enterprise Cloud, the Proxy Service uses the
|
||||
following ports for Database Service client traffic:
|
||||
|
||||
|Configuration setting|Port|
|
||||
|---|---|
|
||||
|
|
|
@ -65,6 +65,7 @@ Create the Database Service configuration.
|
|||
<TabItem label="MySQL">
|
||||
|
||||
- Specify the region for your database(s) in `--azure-mysql-discovery`.
|
||||
|
||||
- Replace the `--proxy` value with your Teleport proxy address or Teleport cloud
|
||||
URI (e.g. `mytenant.teleport.sh:443`):
|
||||
|
||||
|
|
|
@ -299,7 +299,7 @@ $ tsh db ls
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Cloud">
|
||||
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
|
||||
```code
|
||||
$ tsh login --proxy=mytenant.teleport.sh --user=alice
|
||||
$ tsh db ls
|
||||
|
|
|
@ -31,7 +31,34 @@ This guide will help you to:
|
|||
|
||||
(!docs/pages/includes/database-access/token.mdx!)
|
||||
|
||||
(!docs/pages/includes/database-access/create-user.mdx!)
|
||||
<Admonition type="tip">
|
||||
|
||||
To modify an existing user to provide access to the Database Service, see [Database Access Access Controls](../../database-access/rbac.mdx)
|
||||
|
||||
</Admonition>
|
||||
|
||||
Create a local Teleport user with the built-in `access` and `requester` roles:
|
||||
|
||||
```code
|
||||
$ tctl users add \
|
||||
--roles=access,requester \
|
||||
--db-users=\* \
|
||||
--db-names=\* \
|
||||
alice
|
||||
```
|
||||
|
||||
| Flag | Description |
|
||||
|--------------|------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `--roles` | List of roles to assign to the user. The builtin `access` role allows them to connect to any database server registered with Teleport. |
|
||||
| `--db-users` | List of database usernames the user will be allowed to use when connecting to the databases. A wildcard allows any user. |
|
||||
| `--db-names` | List of logical databases (aka schemas) the user will be allowed to connect to within a database server. A wildcard allows any database. |
|
||||
|
||||
<Admonition type="warning">
|
||||
Database names are only enforced for PostgreSQL and MongoDB databases.
|
||||
</Admonition>
|
||||
|
||||
For more detailed information about database access controls and how to restrict
|
||||
access see [RBAC](../../database-access/rbac.mdx) documentation.
|
||||
|
||||
## Step 2/5. Create a certificate/key pair and Teleport Oracle Wallet
|
||||
|
||||
|
@ -92,7 +119,7 @@ Install and configure Teleport where you will run the Teleport Database Service:
|
|||
<Tabs>
|
||||
<TabItem label="Linux Server">
|
||||
|
||||
(!docs/pages/includes/install-linux.mdx!)
|
||||
(!docs/pages/includes/install-linux-enterprise.mdx!)
|
||||
|
||||
(!docs/pages/includes/database-access/db-configure-start.mdx dbName="oracle" dbProtocol="oracle" databaseAddress="oracle.example.com:2484" dbName="oracle" !)
|
||||
|
||||
|
@ -102,7 +129,48 @@ Install and configure Teleport where you will run the Teleport Database Service:
|
|||
|
||||
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
|
||||
|
||||
(!docs/pages/includes/database-access/db-helm-install.mdx dbName="oracle" dbProtocol="oracle" databaseAddress="oracle.example.com:2484" dbName="oracle" !)
|
||||
<Tabs>
|
||||
<TabItem label="Teleport Enterprise" scope={["enterprise"]}>
|
||||
Install the Teleport Kube Agent into your Kubernetes Cluster
|
||||
with the Teleport Database Service configuration.
|
||||
|
||||
```code
|
||||
$ JOIN_TOKEN=$(cat /tmp/token)
|
||||
$ helm install teleport-kube-agent teleport/teleport-kube-agent \
|
||||
--create-namespace \
|
||||
--namespace teleport-agent \
|
||||
--set roles=db \
|
||||
--set proxyAddr=teleport.example.com:443 \
|
||||
--set authToken=${JOIN_TOKEN?} \
|
||||
--set "databases[0].name=oracle" \
|
||||
--set "databases[0].uri=oracle.example.com:2484" \
|
||||
--set "databases[0].protocol=oracle" \
|
||||
--set "labels.env=dev" \
|
||||
--version (=teleport.version=)
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Teleport Enterprise Cloud" scope={["cloud"]}>
|
||||
Install the Teleport Kube Agent into your Kubernetes Cluster
|
||||
with the Teleport Database Service configuration.
|
||||
|
||||
```code
|
||||
$ JOIN_TOKEN=$(cat /tmp/token)
|
||||
$ helm install teleport-kube-agent teleport/teleport-kube-agent \
|
||||
--create-namespace \
|
||||
--namespace teleport-agent \
|
||||
--set roles=db \
|
||||
--set proxyAddr=mytenant.teleport.sh:443 \
|
||||
--set authToken=${JOIN_TOKEN?} \
|
||||
--set "databases[0].name=oracle" \
|
||||
--set "databases[0].uri=oracle.example.com:2484" \
|
||||
--set "databases[0].protocol=oracle" \
|
||||
--set "labels.env=dev" \
|
||||
--version (=cloud.version=)
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
|
@ -113,24 +181,15 @@ Install and configure Teleport where you will run the Teleport Database Service:
|
|||
Once the Database Service has joined the cluster, log in to see the available
|
||||
databases:
|
||||
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
```code
|
||||
$ tsh login --proxy=teleport.example.com --user=alice
|
||||
$ tsh login --proxy=<Var name="mytenant.teleport.sh" /> --user=alice
|
||||
$ tsh db ls
|
||||
# Name Description Allowed Users Labels Connect
|
||||
# ------ -------------- ------------- ------- -------
|
||||
# oracle Oracle Example [*] env=dev
|
||||
```
|
||||
</ScopedBlock>
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
```code
|
||||
$ tsh login --proxy=mytenant.teleport.sh --user=alice
|
||||
$ tsh db ls
|
||||
# Name Description Allowed Users Labels Connect
|
||||
# ------ -------------- ------------- ------- -------
|
||||
# oracle Oracle Example [*] env=dev
|
||||
```
|
||||
</ScopedBlock>
|
||||
|
||||
Connect to the database:
|
||||
|
||||
```code
|
||||
$ tsh db connect --db-user=alice --db-name=XE oracle
|
||||
|
@ -146,6 +205,7 @@ $ tsh db connect --db-user=alice --db-name=XE oracle
|
|||
#
|
||||
# SQL>
|
||||
```
|
||||
|
||||
To log out of the database and remove credentials:
|
||||
|
||||
```code
|
||||
|
|
|
@ -12,7 +12,7 @@ This guide will help you to:
|
|||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
![Teleport Database Access RDS Self-Hosted](../../../img/database-access/guides/redis_elasticache_selfhosted.png)
|
||||
</ScopedBlock>
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
<ScopedBlock scope={["cloud","team"]}>
|
||||
![Teleport Database Access RDS Cloud](../../../img/database-access/guides/redis_elasticache_cloud.png)
|
||||
</ScopedBlock>
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ This guide will help you to:
|
|||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
![Teleport Database Access Redis Cluster Self-Hosted](../../../img/database-access/guides/rediscluster_selfhosted.png)
|
||||
</ScopedBlock>
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
<ScopedBlock scope={["cloud","team"]}>
|
||||
![Teleport Database Access Redis Cluster Cloud](../../../img/database-access/guides/rediscluster_cloud.png)
|
||||
</ScopedBlock>
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ This guide will help you to:
|
|||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
![Teleport Database Access Redis Self-Hosted](../../../img/database-access/guides/redis_selfhosted.png)
|
||||
</ScopedBlock>
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
<ScopedBlock scope={["cloud","team"]}>
|
||||
![Teleport Database Access Redis Cloud](../../../img/database-access/guides/redis_cloud.png)
|
||||
</ScopedBlock>
|
||||
|
||||
|
|
|
@ -118,7 +118,7 @@ Log in to your Teleport cluster and see the available databases:
|
|||
# example-snowflake Example Snowflake ❄ env=dev
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
```code
|
||||
$ tsh login --proxy=mytenant.teleport.sh --user=alice
|
||||
$ tsh db ls
|
||||
|
|
|
@ -58,12 +58,12 @@ proxy_service:
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["team","cloud"]} label="Cloud-Hosted">
|
||||
|
||||
Teleport Cloud automatically configures the Teleport Proxy Service with the
|
||||
following settings that are relevant to database access. This reference
|
||||
configuration uses `mytenant.teleport.sh` in place of your Teleport Cloud tenant
|
||||
address.
|
||||
Teleport Team and Teleport Enterprise Cloud automatically configure the Teleport
|
||||
Proxy Service with the following settings that are relevant to database access.
|
||||
This reference configuration uses `mytenant.teleport.sh` in place of your
|
||||
Teleport Team/Enterprise Cloud tenant address.
|
||||
|
||||
```yaml
|
||||
proxy_service:
|
||||
|
|
|
@ -3,16 +3,10 @@ title: Running Teleport on GCP
|
|||
description: How to install and configure Teleport on GCP
|
||||
---
|
||||
|
||||
We've created this guide to give customers an overview of how to use Teleport on
|
||||
[Google Cloud](https://cloud.google.com/gcp/) (GCP). This guide provides a
|
||||
high-level introduction to setting up and running Teleport in production.
|
||||
|
||||
<ScopedBlock scope="cloud">
|
||||
|
||||
This guide shows you how to deploy the Auth Service and Proxy Service, which
|
||||
Teleport Cloud manages for you.
|
||||
|
||||
</ScopedBlock>
|
||||
We've created this guide to give customers an overview of how to deploy a
|
||||
self-hosted Teleport cluster on [Google Cloud](https://cloud.google.com/gcp/)
|
||||
(GCP). This guide provides a high-level introduction to setting up and running
|
||||
Teleport in production.
|
||||
|
||||
We have split this guide into:
|
||||
|
||||
|
@ -225,7 +219,7 @@ Follow install instructions from our [installation page](../../installation.mdx#
|
|||
We recommend configuring Teleport as per the below steps:
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Open Source">
|
||||
<TabItem label="Open Source" scope="oss">
|
||||
**1. Configure Teleport Auth Server** using the below example `teleport.yaml`,and start it
|
||||
using [systemd](../../management/admin/daemon.mdx). The DEB/RPM installations will
|
||||
automatically include the `systemd` configuration.
|
||||
|
|
|
@ -7,13 +7,6 @@ We've created this guide to give customers an overview of how to use Teleport on
|
|||
[IBM Cloud](https://www.ibm.com/cloud). This guide provides a high-level
|
||||
introduction to setting up and running Teleport in production.
|
||||
|
||||
<ScopedBlock scope="cloud">
|
||||
|
||||
This guide shows you how to deploy the Auth Service and Proxy Service, which
|
||||
Teleport Cloud manages for you.
|
||||
|
||||
</ScopedBlock>
|
||||
|
||||
We have split this guide into:
|
||||
|
||||
- [Teleport on IBM FAQ](#teleport-on-ibm-cloud-faq)
|
||||
|
|
|
@ -276,7 +276,7 @@ $ kubectl -n teleport create secret generic license --from-file=license.pem
|
|||
Next, configure the `teleport-cluster` Helm chart to use the `aws` mode. Create
|
||||
a file called `aws-values.yaml` and write the values you've chosen above to it:
|
||||
|
||||
<ScopedBlock scope={["oss", "cloud"]}>
|
||||
<ScopedBlock scope={["oss"]}>
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="cert-manager">
|
||||
|
@ -627,4 +627,4 @@ users and setting up RBAC.
|
|||
|
||||
See the [high availability section of our Helm chart reference](../../reference/helm-reference/teleport-cluster.mdx#highavailability) for more details on high availability.
|
||||
|
||||
Read the [`cert-manager` documentation](https://cert-manager.io/docs/).
|
||||
Read the [`cert-manager` documentation](https://cert-manager.io/docs/).
|
||||
|
|
|
@ -301,7 +301,7 @@ Next, configure the `teleport-cluster` Helm chart to use the `gcp` mode. Create
|
|||
file called `gcp-values.yaml` file and write the values you've chosen above to
|
||||
it:
|
||||
|
||||
<ScopedBlock scope={["oss", "cloud"]}>
|
||||
<ScopedBlock scope={["oss"]}>
|
||||
|
||||
```yaml
|
||||
chartMode: gcp
|
||||
|
|
|
@ -138,7 +138,7 @@ will use to receive notifications from Let's Encrypt, which provides TLS
|
|||
credentials for the Teleport Proxy Service's HTTPS endpoint.
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Open Source">
|
||||
<TabItem label="Open Source" scope="oss">
|
||||
|
||||
Write a values file (`teleport-cluster-values.yaml`) which will configure a single node Teleport cluster and
|
||||
provision a cert using ACME.
|
||||
|
|
|
@ -566,10 +566,11 @@ ssh_service:
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Cloud">
|
||||
For Teleport Cloud, Windows Desktop Service should establish a reverse tunnel to
|
||||
the hosted proxy. This requires setting `proxy_server` to your cloud tenant and
|
||||
providing a join token.
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
For Teleport Team and Teleport Enterprise Cloud, the Windows Desktop Service
|
||||
should establish a reverse tunnel to the hosted Teleport Proxy Service. This
|
||||
requires setting `proxy_server` to your cloud tenant and providing a join token.
|
||||
|
||||
First, generate a join token with the following command:
|
||||
|
||||
|
|
|
@ -20,8 +20,6 @@ with the static host definitions described below.
|
|||
<Details
|
||||
title="Version warning"
|
||||
opened={true}
|
||||
scope={["oss", "enterprise"]}
|
||||
scopeOnly={true}
|
||||
min="12.0"
|
||||
>
|
||||
Passwordless access for local users is available starting from Teleport `v12`.
|
||||
|
@ -91,7 +89,7 @@ for detailed information on configuring Teleport Desktop Access with this token.
|
|||
|
||||
Copy the token to the Linux host where you will run the Desktop service as `/tmp/token`.
|
||||
|
||||
(!docs/pages/includes/install-linux.mdx!)
|
||||
(!docs/pages/includes/install-linux-enterprise.mdx!)
|
||||
|
||||
Create `/etc/teleport.yaml` and configure it for desktop access. Update the `proxy_server`
|
||||
value to your Teleport proxy service or cloud tenant, and put the Windows machine address
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
<Notice
|
||||
type="tip"
|
||||
scope={["oss", "enterprise"]}
|
||||
>
|
||||
|
||||
Teleport Team takes care of this setup for you so you can provide secure access
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
<Tabs>
|
||||
<TabItem scope={["cloud"]} label="Teleport Enterprise Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
Run the `configure` command to generate a sample configuration. Replace
|
||||
`mytenant.teleport.sh` with the DNS name of your Teleport Enterprise Cloud tenant:
|
||||
`mytenant.teleport.sh` with the DNS name of your Teleport Team or Teleport
|
||||
Enterprise Cloud tenant:
|
||||
|
||||
```code
|
||||
$ teleport-event-handler configure . mytenant.teleport.sh:443
|
||||
|
|
|
@ -4,7 +4,8 @@ To modify an existing user to provide access to the Database Service, see [Datab
|
|||
|
||||
</Admonition>
|
||||
|
||||
<ScopedBlock scope={["oss"]}>
|
||||
<Tabs>
|
||||
<TabItem scope={["oss","team"]} label="Teleport Team/Community Edition">
|
||||
Create a local Teleport user with the built-in `access` role:
|
||||
|
||||
```code
|
||||
|
@ -14,8 +15,8 @@ $ tctl users add \
|
|||
--db-names=\* \
|
||||
alice
|
||||
```
|
||||
</ScopedBlock>
|
||||
<ScopedBlock scope={["enterprise", "cloud"]}>
|
||||
</TabItem>
|
||||
<TabItem scope={["enterprise", "cloud"]} label="Teleport Enterprise/Enterprise Cloud">
|
||||
Create a local Teleport user with the built-in `access` and `requester` roles:
|
||||
|
||||
```code
|
||||
|
@ -25,7 +26,8 @@ $ tctl users add \
|
|||
--db-names=\* \
|
||||
alice
|
||||
```
|
||||
</ScopedBlock>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
| Flag | Description |
|
||||
|--------------|------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
{{ dbName="test" }}
|
||||
<Tabs>
|
||||
<TabItem label="Using a config file">
|
||||
On the host where you will run the Teleport Database Service, start Teleport
|
||||
with the appropriate configuration.
|
||||
|
||||
|
@ -12,7 +10,8 @@ your terminal, and manually adjust `/etc/teleport.yaml`.
|
|||
|
||||
Generate a configuration file at `/etc/teleport.yaml` for the Database Service:
|
||||
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
<Tabs>
|
||||
<TabItem scope={["oss", "enterprise"]} label="Teleport Enterprise/Enterprise Cloud">
|
||||
|
||||
```code
|
||||
$ teleport db configure create \
|
||||
|
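Review bot: The label on the new tab, `<TabItem scope={["oss", "enterprise"]} label="Teleport Enterprise/Enterprise Cloud">`, does not match its scope: `oss`+`enterprise` is the self-hosted pair, and the next hunk's `<TabItem scope={["cloud","team"]} label="Teleport Team/Community Edition">` has the reverse mismatch, so the two labels look swapped. Other hunks in this commit settle on `label="Self-Hosted"` and `label="Cloud-Hosted"` for these scope pairs; I'd use the same here. The `<Tabs>` opened in this hunk closes outside it.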
@ -25,8 +24,8 @@ $ teleport db configure create \
|
|||
--labels=env=dev
|
||||
```
|
||||
|
||||
</ScopedBlock>
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud","team"]} label="Teleport Team/Community Edition">
|
||||
|
||||
```code
|
||||
$ teleport db configure create \
|
||||
|
@ -39,84 +38,7 @@ $ teleport db configure create \
|
|||
--labels=env=dev
|
||||
```
|
||||
|
||||
</ScopedBlock>
|
||||
|
||||
Configure the Database Service to start automatically when the host boots up by
|
||||
creating a systemd service for it. The instructions depend on how you installed
|
||||
the Database Service.
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Package Manager">
|
||||
|
||||
On the host where you will run {{ service }}, start Teleport:
|
||||
|
||||
```code
|
||||
$ sudo systemctl enable teleport
|
||||
$ sudo systemctl start teleport
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="TAR Archive">
|
||||
|
||||
On the host where you will run {{ service }}, create a systemd service
|
||||
configuration for Teleport, enable the Teleport service, and start Teleport:
|
||||
|
||||
```code
|
||||
$ sudo teleport install systemd -o /etc/systemd/system/teleport.service
|
||||
$ sudo systemctl enable teleport
|
||||
$ sudo systemctl start teleport
|
||||
```
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="With CLI flags">
|
||||
|
||||
You can start the Teleport Database Service without configuration file using a
|
||||
CLI command:
|
||||
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
|
||||
```code
|
||||
$ teleport db start \
|
||||
--token=/tmp/token \
|
||||
--auth-server=teleport.example.com:443 \
|
||||
--name={{ dbName }} \
|
||||
--protocol={{ dbProtocol }} \
|
||||
--uri={{ databaseAddress }} \
|
||||
--labels=env=dev
|
||||
```
|
||||
|
||||
Note that the `--auth-server` flag must point to the Teleport cluster's Proxy
|
||||
Service endpoint because the Database Service always connects back to the
|
||||
cluster over a reverse tunnel.
|
||||
|
||||
</ScopedBlock>
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
|
||||
```code
|
||||
$ teleport db start \
|
||||
--token=/tmp/token \
|
||||
--auth-server=mytenant.teleport.sh:443 \
|
||||
--name={{ dbName }} \
|
||||
--protocol={{ dbProtocol }} \
|
||||
--uri={{ databaseAddress }} \
|
||||
--labels=env=dev
|
||||
```
|
||||
|
||||
Note that the `--auth-server` flag must point to your Teleport Cloud tenant
|
||||
address.
|
||||
|
||||
</ScopedBlock>
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
||||
<Admonition type="note">
|
||||
|
||||
The `--auth-server` flag must point to the Teleport cluster's Proxy Service
|
||||
endpoint because the Database Service always connects back to the cluster over a
|
||||
reverse tunnel.
|
||||
|
||||
</Admonition>
|
||||
(!docs/pages/includes/start-teleport.mdx service="the Teleport Database Service"!)
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
{{ dbName="test" }}
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
<Tabs>
|
||||
<TabItem label="Self-Hosted" scope={["oss", "enterprise"]}>
|
||||
Install the Teleport Kube Agent into your Kubernetes Cluster
|
||||
with the Teleport Database Service configuration.
|
||||
|
||||
|
@ -18,8 +19,8 @@ $ helm install teleport-kube-agent teleport/teleport-kube-agent \
|
|||
--version (=teleport.version=)
|
||||
```
|
||||
|
||||
</ScopedBlock>
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
</TabItem>
|
||||
<TabItem label="Cloud-Hosted"scope={["cloud","team"]}>
|
||||
Install the Teleport Kube Agent into your Kubernetes Cluster
|
||||
with the Teleport Database Service configuration.
|
||||
|
||||
|
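Review bot: `<TabItem label="Cloud-Hosted"scope={["cloud","team"]}>` has no whitespace between the two attributes, which JSX/MDX parsers do not accept, so this include is likely to fail to build. It should read `<TabItem label="Cloud-Hosted" scope={["cloud","team"]}>`. The tab opened here is closed in the following hunk.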
@ -38,4 +39,5 @@ $ helm install teleport-kube-agent teleport/teleport-kube-agent \
|
|||
--version (=cloud.version=)
|
||||
```
|
||||
|
||||
</ScopedBlock>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
|
|
@ -10,7 +10,7 @@ Log into your Teleport cluster and see available databases:
|
|||
# example-redis Example Redis env=dev
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
```code
|
||||
$ tsh login --proxy=mytenant.teleport.sh --user=alice
|
||||
$ tsh db ls
|
||||
|
|
|
@ -1,5 +1,23 @@
|
|||
<Tabs>
|
||||
<TabItem scope={["oss"]} label="Open Source">
|
||||
<TabItem scope="team" label="Teleport Team">
|
||||
|
||||
- A Teleport Team account. If you do not have one, visit the [signup
|
||||
page](https://goteleport.com/signup/) to begin your free trial.
|
||||
|
||||
- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=).
|
||||
|
||||
```code
|
||||
$ tctl version
|
||||
# Teleport v(=teleport.version=) go(=teleport.golang=)
|
||||
|
||||
$ tsh version
|
||||
# Teleport v(=teleport.version=) go(=teleport.golang=)
|
||||
```
|
||||
|
||||
See [Installation](../installation.mdx) for details.
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["oss"]} label="Teleport Community Edition">
|
||||
|
||||
- A running Teleport cluster. For details on how to set this up, see our
|
||||
[Getting Started](../index.mdx) guide.
|
||||
|
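Review bot: The new Teleport Team tab requires `tctl`/`tsh` version `>= (=teleport.version=)`, while the Enterprise Cloud tab in the same include uses `(=cloud.version=)`, and the Team install tab added elsewhere in this commit (install-linux.mdx) installs `(=cloud.version=)`. If Team tenants track the cloud release line as that install tab suggests, the version references in this tab should be `(=cloud.version=)` too. The same `(=teleport.version=)` wording is in the Team tab of the new file docs/pages/includes/no-oss-prereqs-tabs.mdx.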
@ -18,7 +36,7 @@
|
|||
|
||||
</TabItem>
|
||||
<TabItem
|
||||
scope={["enterprise"]} label="Enterprise">
|
||||
scope={["enterprise"]} label="Teleport Enterprise">
|
||||
|
||||
- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise
|
||||
[Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide.
|
||||
|
@ -36,7 +54,7 @@
|
|||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]}
|
||||
label="Teleport Cloud">
|
||||
label="Teleport Enterprise Cloud">
|
||||
|
||||
- A Teleport Enterprise Cloud account. If you do not have one, visit the [signup
|
||||
page](https://goteleport.com/signup/) to begin a free trial of Teleport Team
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
Configure Teleport to use OIDC authentication as the default instead of the local
|
||||
user database.
|
||||
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
<ScopedBlock scope={["enterprise"]}>
|
||||
|
||||
You can either edit your Teleport configuration file or create a dynamic
|
||||
resource.
|
||||
|
|
|
@ -2,13 +2,8 @@
|
|||
- Configure Teleport to use SAML authentication as the default instead of the local
|
||||
user database.
|
||||
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
You can either edit the Teleport Auth Service configuration file or create a dynamic
|
||||
resource.
|
||||
</ScopedBlock>
|
||||
|
||||
<Tabs>
|
||||
<TabItem scope={["cloud", "oss", "enterprise"]} label="Dynamic Resources (All Editions)">
|
||||
<TabItem scope={["cloud"]} label="Dynamic Resources (All Editions)">
|
||||
|
||||
Use `tctl` to edit the `cluster_auth_preference` value:
|
||||
|
||||
|
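Review bot: `<TabItem scope={["cloud"]} label="Dynamic Resources (All Editions)">` now carries a cloud-only scope while its label still says "All Editions", so either the label or the scope is wrong; if the narrowing is intended the label should be something like `"Dynamic Resources (Cloud)"`. Note that with the `["oss","enterprise"]` ScopedBlock removed and this tab restricted to `cloud`, enterprise readers would see only the "Static Config (Self-Hosted)" tab and lose the dynamic-resource option; if enterprise clusters support it, `scope={["cloud","enterprise"]}` seems the safer choice. The `<Tabs>` opened in this hunk closes in the next one.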
@ -37,7 +32,7 @@ user database.
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Static Config (Self-Hosted)" scope={["oss", "enterprise"]}>
|
||||
<TabItem label="Static Config (Self-Hosted)" scope={["enterprise"]}>
|
||||
|
||||
Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon.
|
||||
|
||||
|
|
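--- a/docs/pages/includes/install-linux-enterprise.mdx
+++ b/docs/pages/includes/install-linux-enterprise.mdx
@@ -0,0 +1,125 @@
+Use the appropriate commands for your environment to install your package:
+
+<Tabs dropdownView dropdownCaption="Teleport Edition">
+<TabItem label="Enterprise" scope="enterprise">
+<Tabs>
+<TabItem label="Debian 8+/Ubuntu 16.04+ (apt)">
+
+```code
+# Download Teleport's PGP public key
+$ sudo curl https://apt.releases.teleport.dev/gpg \
+-o /usr/share/keyrings/teleport-archive-keyring.asc
+# Source variables about OS version
+$ source /etc/os-release
+# Add the Teleport APT repository for v(=teleport.major_version=). You'll need to update this
+# file for each major release of Teleport.
+$ echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
+https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v(=teleport.major_version=)" \
+| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
+
+$ sudo apt-get update
+$ sudo apt-get install teleport-ent
+```
+
+For FedRAMP/FIPS-compliant installations, install the `teleport-ent-fips` package instead:
+
+```code
+$ sudo apt-get install teleport-ent-fips
+```
+
+</TabItem>
+<TabItem label="Amazon Linux 2/RHEL 7 (yum)">
+
+```code
+# Source variables about OS version
+$ source /etc/os-release
+# Add the Teleport YUM repository for v(=teleport.major_version=). You'll need to update this
+# file for each major release of Teleport.
+# First, get the major version from $VERSION_ID so this fetches the correct
+# package version.
+$ VERSION_ID=$(echo $VERSION_ID | grep -Eo "^[0-9]+")
+$ sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v(=teleport.major_version=)/teleport.repo")"
+$ sudo yum install teleport-ent
+#
+# Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
+# echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
+```
+
+For FedRAMP/FIPS-compliant installations, install the `teleport-ent-fips` package instead:
+
+```code
+$ sudo yum install teleport-ent-fips
+```
+
+</TabItem>
+<TabItem label="Amazon Linux 2023/RHEL 8+ (dnf)">
+
+```code
+# Source variables about OS version
+$ source /etc/os-release
+# Add the Teleport YUM repository for v(=teleport.major_version=). You'll need to update this
+# file for each major release of Teleport.
+# Use the dnf config manager plugin to add the teleport RPM repo
+$ sudo dnf config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v(=teleport.major_version=)/teleport.repo")"
+
+# Install teleport
+$ sudo dnf install teleport-ent
+
+# Tip: Add /usr/local/bin to path used by sudo (so 'sudo tctl users add' will work as per the docs)
+# echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" > /etc/sudoers.d/secure_path
+```
+
+For FedRAMP/FIPS-compliant installations, install the `teleport-ent-fips` package instead:
+
+```code
+$ sudo dnf install teleport-ent-fips
+```
+
+</TabItem>
+<TabItem label="Tarball" >
+
+In the example commands below, update `$SYSTEM_ARCH` with the appropriate
+value (`amd64`, `arm64`, or `arm`). All example commands using this variable
+will update after one is filled out.
+
+```code
+$ curl https://get.gravitational.com/teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-bin.tar.gz.sha256
+# <checksum> <filename>
+$ curl -O https://cdn.teleport.dev/teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-bin.tar.gz
+$ shasum -a 256 teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-bin.tar.gz
+# Verify that the checksums match
+$ tar -xvf teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-bin.tar.gz
+$ cd teleport-ent
+$ sudo ./install
+```
+
+For FedRAMP/FIPS-compliant installations of Teleport Enterprise, package URLs
+will be slightly different:
+
+```code
+$ curl https://get.gravitational.com/teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-fips-bin.tar.gz.sha256
+# <checksum> <filename>
+$ curl -O https://cdn.teleport.dev/teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-fips-bin.tar.gz
+$ shasum -a 256 teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-fips-bin.tar.gz
+# Verify that the checksums match
+$ tar -xvf teleport-ent-v(=teleport.version=)-linux-<Var name="$SYSTEM_ARCH"/>-fips-bin.tar.gz
+$ cd teleport-ent
+$ sudo ./install
+```
+
+</TabItem>
+</Tabs>
+</TabItem>
+<TabItem label="Enterprise Cloud" scope="cloud">
+(!docs/pages/includes/cloud/install-linux-cloud.mdx!)
+<Details title="Is my Teleport instance compatible with Teleport Enterprise Cloud?">
+
+Before installing a `teleport` binary with a version besides v(=cloud.major_version=),
+read our compatibility rules to ensure that the binary is compatible with
+Teleport Enterprise Cloud.
+
+(!docs/pages/includes/compatibility.mdx!)
+
+</Details>
+</TabItem>
+</Tabs>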
@ -1,6 +1,23 @@
|
|||
Use the appropriate commands for your environment to install your package:
|
||||
|
||||
<Tabs dropdownView dropdownCaption="Teleport Edition">
|
||||
<TabItem label="Teleport Team" scope="team">
|
||||
|
||||
```code
|
||||
$ curl https://goteleport.com/static/install.sh | bash -s (=cloud.version=)
|
||||
```
|
||||
|
||||
<Details title="Is my Teleport instance compatible with Teleport Team?">
|
||||
|
||||
Before installing a `teleport` binary with a version besides
|
||||
v(=cloud.major_version=), read our compatibility rules to ensure that the
|
||||
binary is compatible with Teleport Cloud.
|
||||
|
||||
(!docs/pages/includes/compatibility.mdx!)
|
||||
|
||||
</Details>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Open Source" scope="oss">
|
||||
|
||||
```code
|
||||
|
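Review bot: The new Teleport Team tab installs with `curl https://goteleport.com/static/install.sh | bash -s (=cloud.version=)`, the only install path in this include with no integrity check, whereas the Tarball tab fetches a `.sha256` file and compares it with `shasum -a 256`. I'd add one sentence advising readers to download the script and review it before running it, or link the checksum-verified tarball path as the alternative. Separately, the `<Details>` title asks about compatibility with "Teleport Team" but its body ends with "compatible with Teleport Cloud."; the later hunk in this file renames the Cloud tab's wording to "Teleport Enterprise Cloud", so this body should say `binary is compatible with Teleport Team.` The enclosing `<Tabs>` continues past this hunk.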
@ -10,7 +27,7 @@ Use the appropriate commands for your environment to install your package:
|
|||
</TabItem>
|
||||
<TabItem label="Enterprise" scope="enterprise">
|
||||
<Tabs>
|
||||
<TabItem label="Debian 8+/Ubuntu 16.04+ (apt)" scope="enterprise">
|
||||
<TabItem label="Debian 8+/Ubuntu 16.04+ (apt)">
|
||||
|
||||
```code
|
||||
# Download Teleport's PGP public key
|
||||
|
@ -35,7 +52,7 @@ Use the appropriate commands for your environment to install your package:
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Amazon Linux 2/RHEL 7 (yum)" scope="enterprise">
|
||||
<TabItem label="Amazon Linux 2/RHEL 7 (yum)">
|
||||
|
||||
```code
|
||||
# Source variables about OS version
|
||||
|
@ -59,7 +76,7 @@ Use the appropriate commands for your environment to install your package:
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Amazon Linux 2023/RHEL 8+ (dnf)" scope="enterprise">
|
||||
<TabItem label="Amazon Linux 2023/RHEL 8+ (dnf)">
|
||||
|
||||
```code
|
||||
# Source variables about OS version
|
||||
|
@ -83,7 +100,7 @@ Use the appropriate commands for your environment to install your package:
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Tarball" scope="enterprise">
|
||||
<TabItem label="Tarball" >
|
||||
|
||||
In the example commands below, update `$SYSTEM_ARCH` with the appropriate
|
||||
value (`amd64`, `arm64`, or `arm`). All example commands using this variable
|
||||
|
@ -117,13 +134,13 @@ Use the appropriate commands for your environment to install your package:
|
|||
</TabItem>
|
||||
</Tabs>
|
||||
</TabItem>
|
||||
<TabItem label="Cloud" scope="cloud">
|
||||
<TabItem label="Enterprise Cloud" scope="cloud">
|
||||
(!docs/pages/includes/cloud/install-linux-cloud.mdx!)
|
||||
<Details title="Is my Teleport instance compatible with Teleport Cloud?">
|
||||
<Details title="Is my Teleport instance compatible with Teleport Enterprise Cloud?">
|
||||
|
||||
Before installing a `teleport` binary with a version besides v(=cloud.major_version=),
|
||||
read our compatibility rules to ensure that the binary is compatible with
|
||||
Teleport Cloud.
|
||||
Teleport Enterprise Cloud.
|
||||
|
||||
(!docs/pages/includes/compatibility.mdx!)
|
||||
|
||||
|
|
|
@ -4,20 +4,25 @@ can be run under `cmd.exe`, PowerShell, and Windows Terminal.
|
|||
To install `tsh` on Windows, run the following commands in **PowerShell** (these commands will not work in `cmd.exe`):
|
||||
|
||||
<Tabs dropdownView dropdownCaption="Teleport Edition">
|
||||
<TabItem label="Open Source" scope="oss">
|
||||
<TabItem label="Teleport Community Edition" scope="oss">
|
||||
|
||||
(!docs/pages/includes/install-windows-tsh.mdx version="(=teleport.version=)" !)
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Enterprise" scope="enterprise">
|
||||
</TabItem>
|
||||
<TabItem label="Teleport Team" scope="team">
|
||||
|
||||
(!docs/pages/includes/install-windows-tsh.mdx version="(=teleport.version=)" !)
|
||||
|
||||
</TabItem>
|
||||
</TabItem>
|
||||
<TabItem label="Teleport Enterprise" scope="enterprise">
|
||||
|
||||
<TabItem label="Cloud" scope="cloud">
|
||||
(!docs/pages/includes/install-windows-tsh.mdx version="(=teleport.version=)" !)
|
||||
|
||||
</TabItem>
|
||||
|
||||
<TabItem label="Teleport Enterprise Cloud" scope="cloud">
|
||||
|
||||
(!docs/pages/includes/install-windows-tsh.mdx version="(=cloud.version=)" !)
|
||||
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
</TabItem>
|
||||
</Tabs>
|
||||
|
|
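--- a/docs/pages/includes/no-oss-prereqs-tabs.mdx
+++ b/docs/pages/includes/no-oss-prereqs-tabs.mdx
@@ -0,0 +1,56 @@
+<Tabs>
+<TabItem scope="team" label="Teleport Team">
+
+- A Teleport Team account. If you do not have one, visit the [signup
+page](https://goteleport.com/signup/) to begin your free trial.
+
+- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=).
+
+```code
+$ tctl version
+# Teleport v(=teleport.version=) go(=teleport.golang=)
+
+$ tsh version
+# Teleport v(=teleport.version=) go(=teleport.golang=)
+```
+
+See [Installation](../installation.mdx) for details.
+
+</TabItem>
+<TabItem
+scope={["enterprise"]} label="Teleport Enterprise">
+
+- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise
+[Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide.
+
+- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=teleport.version=),
+which you can download by visiting your [Teleport account](https://teleport.sh).
+
+```code
+$ tctl version
+# Teleport Enterprise v(=teleport.version=) go(=teleport.golang=)
+
+$ tsh version
+# Teleport v(=teleport.version=) go(=teleport.golang=)
+```
+
+</TabItem>
+<TabItem scope={["cloud"]}
+label="Teleport Enterprise Cloud">
+
+- A Teleport Enterprise Cloud account. If you do not have one, visit the [signup
+page](https://goteleport.com/signup/) to begin your free trial.
+
+- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=cloud.version=).
+To download these tools, visit the [Downloads](../choose-an-edition/teleport-cloud/downloads.mdx) page.
+
+```code
+$ tctl version
+# Teleport Enterprise v(=cloud.version=) go(=teleport.golang=)
+
+$ tsh version
+# Teleport v(=cloud.version=) go(=teleport.golang=)
+```
+
+</TabItem>
+</Tabs>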
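--- a/docs/pages/includes/self-hosted-prereqs-tabs.mdx
+++ b/docs/pages/includes/self-hosted-prereqs-tabs.mdx
@@ -0,0 +1,38 @@
+<Tabs>
+<TabItem scope={["oss"]} label="Teleport Community Edition">
+
+- A running Teleport cluster. For details on how to set this up, see our
+[Getting Started](../index.mdx) guide.
+
+- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=).
+
+```code
+$ tctl version
+# Teleport v(=teleport.version=) go(=teleport.golang=)
+
+$ tsh version
+# Teleport v(=teleport.version=) go(=teleport.golang=)
+```
+
+See [Installation](../installation.mdx) for details.
+
+</TabItem>
+<TabItem
+scope={["enterprise"]} label="Teleport Enterprise">
+
+- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise
+[Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide.
+
+- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=teleport.version=),
+which you can download by visiting your [Teleport account](https://teleport.sh).
+
+```code
+$ tctl version
+# Teleport Enterprise v(=teleport.version=) go(=teleport.golang=)
+
+$ tsh version
+# Teleport v(=teleport.version=) go(=teleport.golang=)
+```
+
+</TabItem>
+</Tabs>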
@ -1,9 +1,9 @@
|
|||
Troubleshooting SSO configuration can be challenging. Usually a Teleport administrator
|
||||
must be able to:
|
||||
|
||||
<ScopedBlock scope={["oss","enterprise"]}>
|
||||
- Ensure that HTTP/TLS certificates are configured properly for both Teleport
|
||||
proxy and the SSO provider.
|
||||
<ScopedBlock scope={["enterprise"]}>
|
||||
- Ensure that HTTP/TLS certificates are configured properly for both the Teleport
|
||||
Proxy Service and the SSO provider.
|
||||
</ScopedBlock>
|
||||
- Be able to see what SAML/OIDC claims and values are getting exported and passed
|
||||
by the SSO provider to Teleport.
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
Make sure you can connect to Teleport. Log in to your cluster using `tsh`, then use `tctl`
|
||||
remotely:
|
||||
|
||||
{/* Ignoring scope linting since we use this partial throughout the docs and
|
||||
cannot guarantee that it will line up with a page's configured scopes*/}
|
||||
{/*lint ignore scopes*/}
|
||||
<ScopedBlock scope={["oss", "enterprise"]}>
|
||||
|
||||
```code
|
||||
|
@ -16,7 +19,8 @@ You can run subsequent `tctl` commands in this guide on your local machine.
|
|||
For full privileges, you can also run `tctl` commands on your Auth Service host.
|
||||
|
||||
</ScopedBlock>
|
||||
<ScopedBlock scope="cloud">
|
||||
{/*lint ignore scopes*/}
|
||||
<ScopedBlock scope={["cloud","team"]}>
|
||||
|
||||
```code
|
||||
$ tsh login --proxy=myinstance.teleport.sh --user=email@example.com
|
||||
|
|
|
@ -153,7 +153,7 @@ either:
|
|||
`(=teleport.version=)`.
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Open Source" scope={["cloud", "enterprise"]}>
|
||||
<TabItem label="Teleport Team/Community Edition" scope={["oss", "team"]}>
|
||||
|
||||
|Image name|Troubleshooting Tools?|Image base|
|
||||
|-|-|-|
|
||||
|
@ -169,7 +169,7 @@ repository](https://gallery.ecr.aws/gravitational/teleport-ent). Their use is
|
|||
considered deprecated, and they may be removed in future releases.
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Enterprise" scope={["cloud", "enterprise"]}>
|
||||
<TabItem label="Teleport Enterprise Cloud/Enterprise" scope={["cloud", "enterprise"]}>
|
||||
|
||||
| Image name | Includes troubleshooting tools | Image base |
|
||||
| - | - | - |
|
||||
|
@ -346,7 +346,7 @@ chart.
|
|||
## macOS
|
||||
|
||||
<Tabs dropdownView dropdownCaption="Teleport Edition">
|
||||
<TabItem label="Open Source" scope="oss">
|
||||
<TabItem label="Teleport Team/Community Edition" scope={["oss","team"]}>
|
||||
<Tabs>
|
||||
<TabItem label="Teleport package" >
|
||||
You can download one of the following .pkg installers for macOS:
|
||||
|
@ -418,7 +418,7 @@ chart.
|
|||
(!docs/pages/includes/enterprise/install-macos.mdx!)
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Cloud" scope="cloud">
|
||||
<TabItem label="Enterprise Cloud" scope="cloud">
|
||||
|
||||
(!docs/pages/includes/cloud/install-macos.mdx!)
|
||||
|
||||
|
|
|
@ -77,7 +77,7 @@ or up to one major version back. You can set the version override with the overr
|
|||
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
|
||||
|
||||
<Tabs>
|
||||
<TabItem scope={["oss"]} label="Open Source">
|
||||
<TabItem scope={["oss","team"]} label="Teleport Team/Community Edition">
|
||||
|
||||
Switch `kubectl` to the Kubernetes cluster `cookie` and run the following
|
||||
commands, assigning `PROXY_ADDR` to the address of your Auth Service or Proxy
|
||||
|
|
|
@ -42,7 +42,7 @@ $ tsh --proxy=main.example.com login east
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
When multiple Trusted Clusters are present behind the Teleport Proxy Service, the
|
||||
`kubeconfig` generated by [tsh login](../../reference/cli.mdx#tsh-login) will contain the
|
||||
|
@ -52,7 +52,7 @@ login](../../reference/cli.mdx#tsh-login).
|
|||
For example, consider the following setup:
|
||||
|
||||
- There are two Teleport/Kubernetes clusters, `east` and `west`. These are the names set in `cluster_name` setting in their configuration files.
|
||||
- The clusters `east` and `west` are Trusted Clusters for a Teleport Cloud tenant, `mytenant.teleport.sh`.
|
||||
- The clusters `east` and `west` are Trusted Clusters for a Teleport Team or Enterprise Cloud tenant, `mytenant.teleport.sh`.
|
||||
- Users always authenticate against `mytenant.teleport.sh` but use their certificates to access
|
||||
SSH nodes and the Kubernetes API in all three clusters.
|
||||
|
||||
|
|
|
@ -150,11 +150,11 @@ Teleport v9.0.4 git: go1.18
|
|||
### Pose your question
|
||||
|
||||
<Tabs>
|
||||
<TabItem scope={["cloud", "enterprise"]} label="Commercial">
|
||||
<TabItem scope={["cloud", "enterprise","team"]} label="Commercial Teleport Editions">
|
||||
If you need help, please ask on our [community forum](https://github.com/gravitational/teleport/discussions). You can also open an [issue on GitHub](https://github.com/gravitational/teleport/issues) or create a ticket through your [Teleport account](https://teleport.sh).
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["oss"]} label="Open Source">
|
||||
<TabItem scope={["oss"]} label="Teleport Community Edition">
|
||||
If you need help, please ask on our [community forum](https://github.com/gravitational/teleport/discussions). You can also open an [issue on GitHub](https://github.com/gravitational/teleport/issues).
|
||||
|
||||
For more information about custom features, or to try our [Enterprise edition](../../choose-an-edition/teleport-enterprise/introduction.mdx) of Teleport, please reach out to us at [sales](https://goteleport.com/signup/enterprise/).
|
||||
|
|
|
@ -42,6 +42,26 @@ This guide will explain how to:
|
|||
## Prerequisites
|
||||
|
||||
<Tabs>
|
||||
<TabItem scope="team" label="Teleport Team">
|
||||
|
||||
- A Teleport Team account. If you do not have one, visit the [signup
|
||||
page](https://goteleport.com/signup/) to begin your free trial.
|
||||
|
||||
- A second Teleport cluster, which will act as the leaf cluster. For details on
|
||||
how to set up this cluster, see our [Getting Started](../../index.mdx)
|
||||
guide.
|
||||
|
||||
As an alternative, you can set up a second Teleport Team account.
|
||||
|
||||
- (!docs/pages/includes/cloud/tctl-tsh-prerequisite.mdx!)
|
||||
|
||||
- A Teleport Node that is joined to one of your clusters. We will refer to this
|
||||
cluster as the **leaf cluster** throughout this guide.
|
||||
|
||||
See [Join Services to your Cluster](../../agents/join-services-to-your-cluster.mdx) for
|
||||
how to launch a Teleport Node in your cluster.
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["oss"]} label="Open Source">
|
||||
|
||||
- Two running Teleport clusters. For details on how to set up your clusters, see
|
||||
|
@ -76,7 +96,7 @@ This guide will explain how to:
|
|||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]}
|
||||
label="Teleport Cloud">
|
||||
label="Teleport Enterprise Cloud">
|
||||
|
||||
- A Teleport Enterprise Cloud account. If you do not have one, visit the [sign
|
||||
up page](https://goteleport.com/signup/) to begin a free trial of Teleport
|
||||
|
@ -981,7 +1001,7 @@ should check to see the following:
|
|||
cluster. Check the audit log messages on both clusters to get answers for the
|
||||
questions above.
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
|
||||
Troubleshooting "access denied" messages can be challenging. A Teleport administrator
|
||||
should check to see the following:
|
||||
|
||||
|
@ -995,6 +1015,7 @@ should check to see the following:
|
|||
</Tabs>
|
||||
|
||||
## Further reading
|
||||
|
||||
- Read more about how Trusted Clusters fit into Teleport's overall architecture:
|
||||
[Architecture Introduction](../../architecture/trustedclusters.mdx).
|
||||
|
||||
|
|
|
@ -70,9 +70,9 @@ $ docker stop teleport
|
|||
## Step 2/3. Remove Teleport binaries
|
||||
|
||||
<Tabs dropdownView dropdownCaption="Teleport Edition">
|
||||
<TabItem label="Open Source" scope="oss">
|
||||
<TabItem label="Teleport Community Edition/Teleport Team" scope={["oss","team"]}>
|
||||
<Tabs>
|
||||
<TabItem label="Debian/Ubuntu Linux (DEB)" scope="oss">
|
||||
<TabItem label="Debian/Ubuntu Linux (DEB)">
|
||||
|
||||
Uninstall the Teleport binary using APT:
|
||||
|
||||
|
@ -95,7 +95,7 @@ $ docker stop teleport
|
|||
</Admonition>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Amazon Linux 2/RHEL (RPM)" scope="oss">
|
||||
<TabItem label="Amazon Linux 2/RHEL (RPM)">
|
||||
|
||||
Uninstall the Teleport binary using YUM:
|
||||
|
||||
|
@ -120,7 +120,7 @@ $ docker stop teleport
|
|||
</Admonition>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Linux Tarball" scope="oss">
|
||||
<TabItem label="Linux Tarball">
|
||||
|
||||
<Admonition type="notice">
|
||||
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
|
||||
|
@ -137,7 +137,7 @@ $ docker stop teleport
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="MacOS" scope="oss">
|
||||
<TabItem label="MacOS">
|
||||
|
||||
<Admonition type="notice">
|
||||
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
|
||||
|
@ -163,7 +163,7 @@ $ docker stop teleport
|
|||
</Admonition>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Windows" scope="oss">
|
||||
<TabItem label="Windows">
|
||||
|
||||
Remove the `tsh.exe` binary from the machine:
|
||||
|
||||
|
@ -179,7 +179,7 @@ $ docker stop teleport
|
|||
<TabItem label="Enterprise" scope="enterprise">
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Debian/Ubuntu Linux (DEB)" scope="enterprise">
|
||||
<TabItem label="Debian/Ubuntu Linux (DEB)">
|
||||
|
||||
Uninstall the Teleport binary using APT:
|
||||
|
||||
|
@ -207,7 +207,7 @@ $ docker stop teleport
|
|||
</Admonition>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Amazon Linux 2/RHEL (RPM)" scope="enterprise">
|
||||
<TabItem label="Amazon Linux 2/RHEL (RPM)">
|
||||
|
||||
Uninstall the Teleport binary using YUM:
|
||||
|
||||
|
@ -238,7 +238,7 @@ $ docker stop teleport
|
|||
</Admonition>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Linux Tarball" scope="enterprise">
|
||||
<TabItem label="Linux Tarball">
|
||||
|
||||
<Admonition type="notice">
|
||||
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
|
||||
|
@ -255,7 +255,7 @@ $ docker stop teleport
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="MacOS" scope="enterprise">
|
||||
<TabItem label="MacOS">
|
||||
|
||||
<Admonition type="notice">
|
||||
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
|
||||
|
@ -281,7 +281,7 @@ $ docker stop teleport
|
|||
</Admonition>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Windows" scope="enterprise">
|
||||
<TabItem label="Windows">
|
||||
|
||||
Remove the `tsh.exe` binary from the machine:
|
||||
|
||||
|
@ -294,10 +294,10 @@ $ docker stop teleport
|
|||
</TabItem>
|
||||
</Tabs>
|
||||
</TabItem>
|
||||
<TabItem label="Cloud" scope="cloud">
|
||||
<TabItem label="Teleport Enterprise Cloud" scope="cloud">
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Debian/Ubuntu Linux (DEB)" scope="cloud">
|
||||
<TabItem label="Debian/Ubuntu Linux (DEB)">
|
||||
|
||||
Uninstall the Teleport binary using APT:
|
||||
|
||||
|
@ -324,7 +324,7 @@ $ docker stop teleport
|
|||
</Admonition>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Amazon Linux 2/RHEL (RPM)" scope="cloud">
|
||||
<TabItem label="Amazon Linux 2/RHEL (RPM)">
|
||||
|
||||
Uninstall the Teleport binary using YUM:
|
||||
|
||||
|
@ -354,7 +354,7 @@ $ docker stop teleport
|
|||
</Admonition>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Linux Tarball" scope="cloud">
|
||||
<TabItem label="Linux Tarball">
|
||||
|
||||
<Admonition type="notice">
|
||||
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
|
||||
|
@ -371,7 +371,7 @@ $ docker stop teleport
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="MacOS" scope="cloud">
|
||||
<TabItem label="MacOS">
|
||||
|
||||
<Admonition type="notice">
|
||||
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
|
||||
|
@ -397,7 +397,7 @@ $ docker stop teleport
|
|||
</Admonition>
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Windows" scope="cloud">
|
||||
<TabItem label="Windows">
|
||||
|
||||
Remove the `tsh.exe` binary from the machine:
|
||||
|
||||
|
|
|
@ -112,7 +112,7 @@ $ tctl users rm joe
|
|||
## Next steps
|
||||
|
||||
<Tabs>
|
||||
<TabItem scope={["enterprise", "cloud"]} label="Commercial">
|
||||
<TabItem scope={["enterprise", "cloud"]} label="Teleport Enterprise/Enterprise Cloud">
|
||||
|
||||
In addition to users, you can use `tctl` to manage roles and other dynamic
|
||||
resources. See our [Teleport Resources Reference](../../reference/resources.mdx).
|
||||
|
@ -125,7 +125,7 @@ For more information, see:
|
|||
- [Single Sign-On](../../access-controls/sso.mdx)
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["oss"]} label="Open Source">
|
||||
<TabItem scope={["oss","team"]} label="Teleport Team/Community Edition">
|
||||
|
||||
In addition to users, you can use `tctl` to manage roles and other dynamic
|
||||
resources. See our [Teleport Resources Reference](../../reference/resources.mdx).
|
||||
|
|
|
@ -34,7 +34,7 @@ This guide covers how to:
|
|||
|
||||
## Prerequisites
|
||||
|
||||
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
|
||||
(!docs/pages/includes/self-hosted-prereqs-tabs.mdx!)
|
||||
|
||||
- Kubernetes cluster (with or without `teleport-cluster` Helm chart already deployed);
|
||||
- [Helm](https://helm.sh/docs/intro/quickstart/)
|
||||
|
|
|
@ -138,7 +138,7 @@ Paste the following into a file called `main.tf` to define an example user and
|
|||
role using Terraform.
|
||||
|
||||
<Tabs>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
```
|
||||
(!examples/resources/terraform/terraform-user-role-cloud.tf!)
|
||||
```
|
||||
|
|
|
@ -48,7 +48,7 @@ d-->h(Datadog)
|
|||
|
||||
## Prerequisites
|
||||
|
||||
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
|
||||
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
|
||||
|
||||
- A [Datadog](https://www.datadoghq.com/) account.
|
||||
- A server, virtual machine, Kubernetes cluster, or Docker environment to run the
|
||||
|
@ -125,12 +125,12 @@ read events. We export an identity file for the user with the `tctl auth sign`
|
|||
command.
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Executable" scope={["oss","enterprise"]}>
|
||||
<TabItem label="Executable">
|
||||
|
||||
(!docs/pages/includes/plugins/identity-export.mdx user="teleport-event-handler"!)
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Helm Chart" scope={["cloud"]}>
|
||||
<TabItem label="Helm Chart">
|
||||
|
||||
(!docs/pages/includes/plugins/identity-export.mdx user="teleport-event-handler"!)
|
||||
|
||||
|
@ -217,7 +217,7 @@ Earlier, we generated a file called `teleport-event-handler.toml` to configure
|
|||
the Fluentd event handler. This file includes setting similar to the following:
|
||||
|
||||
<Tabs>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
```toml
|
||||
storage = "./storage"
|
||||
|
|
|
@ -15,7 +15,7 @@ stores them in Elasticsearch for visualization and alerting in Kibana.
|
|||
|
||||
## Prerequisites
|
||||
|
||||
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
|
||||
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
|
||||
|
||||
- Logstash version 8.4.1 or above running on a Linux host. Logstash must be
|
||||
listening on a TCP port that is open to traffic from <ScopedBlock
|
||||
|
|
|
@ -131,7 +131,7 @@ connection to the Auth Service. The plugin uses this reverse tunnel, along with
|
|||
your TLS credentials, to connect to the Auth Service's gRPC endpoint.
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Teleport Cloud" scope={["cloud"]}>
|
||||
<TabItem label="Cloud-Hosted" scope={["cloud","team"]}>
|
||||
```code
|
||||
$ tctl auth sign --user=teleport-event-handler --out=identity
|
||||
```
|
||||
|
@ -143,7 +143,7 @@ connection to the Auth Service. The plugin uses this reverse tunnel, along with
|
|||
your TLS credentials, to connect to the Auth Service's gRPC endpoint.
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Helm Chart" scope={["cloud"]}>
|
||||
<TabItem label="Helm Chart" scope={["cloud","team","oss","enterprise"]}>
|
||||
|
||||
If you are planning to use the Helm Chart, you'll need to generate the keys
|
||||
with the `file` format, then create a secret in Kubernetes.
|
||||
|
@ -235,7 +235,7 @@ Earlier, we generated a file called `teleport-event-handler.toml` to configure
|
|||
the Fluentd event handler. This file includes setting similar to the following:
|
||||
|
||||
<Tabs>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
```toml
|
||||
storage = "./storage"
|
||||
|
|
|
@ -16,7 +16,7 @@ visualization and alerting.
|
|||
|
||||
## Prerequisites
|
||||
|
||||
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
|
||||
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
|
||||
|
||||
- Splunk Cloud Platform or Splunk Enterprise v9.0.1 or above.
|
||||
|
||||
|
|
|
@ -47,9 +47,10 @@ Teleport audit logs, logged events have a TTL of 1 year.
|
|||
| Firestore | [Follow GCP's guidelines for automated backups](https://firebase.google.com/docs/database/backups) |
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
Teleport Cloud manages all Auth Service and Proxy Service backups.
|
||||
Teleport Team and Teleport Enterprise Cloud manage all Auth Service and Proxy
|
||||
Service backups.
|
||||
|
||||
While Teleport Nodes are stateless, you should ensure that you can restore their
|
||||
configuration files.
|
||||
|
@ -80,7 +81,7 @@ If you're running Teleport at scale, your teams need to have an automated way to
|
|||
if a resource already exists, so this command can be run regularly.
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
- Store your dynamic resource configurations as discrete files in a git
|
||||
repository.
|
||||
|
@ -224,9 +225,10 @@ also apply to a new cluster being bootstrapped from the state of an old cluster:
|
|||
dynamically will need to be re-invited.
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Team/Enterprise Cloud">
|
||||
|
||||
In Teleport Cloud, backend data is managed for you automatically.
|
||||
In Teleport Team and Teleport Enterprise Cloud, backend data is managed for you
|
||||
automatically.
|
||||
|
||||
If you would like to migrate configuration resources to a self-hosted Teleport
|
||||
cluster, follow our recommended backup practice of storing configuration
|
||||
|
|
|
@ -4,14 +4,7 @@ description: How to configure Teleport for large-scale deployments
|
|||
---
|
||||
|
||||
This section explains the recommended configuration settings for large-scale
|
||||
deployments of Teleport.
|
||||
|
||||
<ScopedBlock scope="cloud">
|
||||
|
||||
For Teleport Cloud customers, the settings in this guide are configured
|
||||
automatically.
|
||||
|
||||
</ScopedBlock>
|
||||
self-hosted deployments of Teleport.
|
||||
|
||||
(!docs/pages/includes/cloud/call-to-action.mdx!)
|
||||
|
||||
|
|
|
@ -89,7 +89,7 @@ When upgrading multiple clusters:
|
|||
2. Upgrade the Trusted Clusters.
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
The Teleport Auth Service and Proxy Service are upgraded automatically. When
|
||||
upgrading resource services, you may upgrade in any sequence or at the same
|
||||
|
|
|
@ -22,7 +22,7 @@ Teleport lets you make it mandatory for a user to enroll an MFA device when they
|
|||
To do so, make the following changes depending on your environment:
|
||||
|
||||
<Tabs>
|
||||
<TabItem label="Self-hosted" scope={["oss","enterprise"]}>
|
||||
<TabItem label="Self-Hosted" scope={["oss","enterprise"]}>
|
||||
|
||||
Ensure that the value of `auth_service.authentication.second_factor` is `otp`,
|
||||
`webauthn`, or `on`:
|
||||
|
@ -34,7 +34,7 @@ auth_service:
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem label="Teleport Cloud" scope={["cloud"]}>
|
||||
<TabItem label="Cloud-Hosted" scope={["cloud","team"]}>
|
||||
|
||||
Obtain your existing `cluster_auth_preference` resource:
|
||||
|
||||
|
@ -99,7 +99,7 @@ auth_service:
|
|||
require_session_mfa: yes
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem label="Teleport Cloud" scope={["cloud"]}>
|
||||
<TabItem label="Cloud-Hosted" scope={["cloud", "team"]}>
|
||||
Create the following `cluster_auth_preference` dynamic resource:
|
||||
|
||||
```yaml
|
||||
|
|
|
@ -16,7 +16,7 @@ There are two components of the audit log:
|
|||
but can be configured to be done by the proxy.
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
1. **Cluster Events:** Teleport logs events like successful user logins along
|
||||
with metadata like remote IP address, time, and the session ID.
|
||||
|
@ -72,10 +72,10 @@ $ ls -l /var/lib/teleport/log/
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
|
||||
|
||||
Teleport Cloud manages the storage of audit logs for you. You can access your
|
||||
audit logs via the Teleport Web UI by clicking:
|
||||
Teleport Team and Teleport Enterprise Cloud manage the storage of audit logs for
|
||||
you. You can access your audit logs via the Teleport Web UI by clicking:
|
||||
|
||||
**Activity** > **Audit Log**
|
||||
|
||||
|
@ -180,9 +180,10 @@ $ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
Teleport Cloud automatically stores recorded sessions.
|
||||
Teleport Team and Teleport Enterprise Cloud automatically store recorded
|
||||
sessions.
|
||||
|
||||
You can replay recorded sessions using the [`tsh play`](./cli.mdx#tsh-play) command or the Web
|
||||
UI.
|
||||
|
|
|
@ -79,12 +79,11 @@ Create the `cluster_auth_preference` resource via `tctl`:
|
|||
$ tctl create -f cap.yaml
|
||||
```
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
You can modify these settings using dynamic configuration resources.
|
||||
|
||||
Log in to Teleport from your local machine so you can use the Enterprise
|
||||
edition of the `tctl` admin tool:
|
||||
Log in to Teleport from your local machine so you can use the `tctl` admin tool:
|
||||
|
||||
```code
|
||||
$ tsh login --proxy=myinstance.teleport.sh
|
||||
|
@ -168,7 +167,28 @@ The user will now be unblocked from login attempts and can attempt to authentica
|
|||
## Authentication connectors
|
||||
|
||||
<Tabs>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope="team" label="Teleport Team">
|
||||
|
||||
### GitHub
|
||||
|
||||
This connector implements GitHub's OAuth 2.0 authentication flow. Please refer to GitHub's documentation on [Creating an OAuth App](https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/)
|
||||
to learn how to create and register an OAuth app.
|
||||
|
||||
Here is an example of this setting in a `cluster_auth_preference` resource:
|
||||
|
||||
```yaml
|
||||
kind: cluster_auth_preference
|
||||
metadata:
|
||||
name: cluster-auth-preference
|
||||
spec:
|
||||
type: github
|
||||
version: v2
|
||||
```
|
||||
|
||||
See [GitHub OAuth 2.0](../access-controls/sso/github-sso.mdx) for details on how to configure it.
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Enterprise Cloud">
|
||||
|
||||
### GitHub
|
||||
|
||||
|
|
|
@ -4,15 +4,11 @@ description: How to configure Teleport deployment for high-availability using st
|
|||
---
|
||||
|
||||
A Teleport cluster stores different types of data in different locations. By
|
||||
default everything is stored in a local directory at the Auth server.
|
||||
Integration with other storage types is implemented based on the nature of the
|
||||
stored data (size, read/write ratio, mutability, etc.).
|
||||
default everything is stored in a local directory on the Auth Service host.
|
||||
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
|
||||
Teleport Cloud manages Auth Service and Proxy Service data for you, so there is
|
||||
no need to configure a backend.
|
||||
</ScopedBlock>
|
||||
For self-hosted Teleport deployments, you can configure Teleport to integrate
|
||||
with other storage types based on the nature of the stored data (size,
|
||||
read/write ratio, mutability, etc.).
|
||||
|
||||
| Data type | Description | Supported storage backends |
|
||||
| - | - | - |
|
||||
|
|
|
@ -1575,7 +1575,7 @@ which could result in the error,
|
|||
`ERROR: open /var/lib/teleport/host_uuid: permission denied`.
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
|
||||
|
||||
When running `tctl` commands, administrators must authenticate to a Teleport
|
||||
cluster. This can be done in two ways:
|
||||
|
@ -2982,7 +2982,7 @@ Starts the Machine ID client `tbot`, fetching and writing certificates to disk a
|
|||
|
||||
#### Examples
|
||||
<Tabs>
|
||||
<TabItem scope={["Cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
|
||||
|
||||
```code
|
||||
$ tbot start \
|
||||
|
@ -2995,7 +2995,7 @@ $ tbot start \
|
|||
```
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["Enterprise/OSS"]} label="Enterprise/OSS">
|
||||
<TabItem scope={["enterprise", "oss"]} label="Self-Hosted">
|
||||
|
||||
```code
|
||||
$ tbot start \
|
||||
|
|
|
@ -25,7 +25,7 @@ following use cases:
|
|||
- You want Teleport to issue an SSH certificate for the service with additional
|
||||
principals, e.g., host names.
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Cloud-Hosted Teleport">
|
||||
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
|
||||
|
||||
All Teleport services (e.g., the Application Service and Database Service) have
|
||||
an optional `public_addr` property that you can modify in each service's
|
||||
|
@ -157,7 +157,7 @@ In those cases, they can set up separate listeners in the config file.
|
|||
| 3025 | All Teleport services | TLS port used by the Auth Service to serve its gRPC API to other Teleport services in a cluster.|
|
||||
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Cloud-Hosted Teleport">
|
||||
<TabItem scope={["cloud", "team"]} label="Cloud-Hosted">
|
||||
|
||||
### Proxy Service ports
|
||||
|
||||
|
|
|
@ -241,7 +241,7 @@ To quickly check the status of the audit log, you can simply tail the logs with
|
|||
`tail -f /var/lib/teleport/log/events.log`. The resulting capture from Teleport will
|
||||
be a JSON log for each command and network request.
|
||||
</TabItem>
|
||||
<TabItem scope={["cloud"]} label="Teleport Cloud">
|
||||
<TabItem scope={["cloud","team"]} label="Cloud-Hosted">
|
||||
|
||||
Enhanced session recording events will be shown in Teleport's audit log, which
|
||||
you can inspect by visiting Teleport's Web UI.
|
||||
|
|
|
@ -15,14 +15,14 @@ when gradually transitioning large server fleets to Teleport.
|
|||
![Teleport OpenSSH Recording Proxy](../../../img/server-access/openssh-proxy.svg)
|
||||
</Figure>
|
||||
|
||||
<ScopedBlock scope={["cloud"]}>
|
||||
<Notice type="warning">
|
||||
|
||||
Teleport Cloud only supports session recording at the Node level. If you are
|
||||
interested in setting up session recording, read our
|
||||
[Server Access Getting Started Guide](../getting-started.mdx) so you can start
|
||||
replacing your OpenSSH servers with Teleport Nodes.
|
||||
|
||||
</ScopedBlock>
|
||||
</Notice>
|
||||
|
||||
We consider Recording Proxy Mode to be less secure than recording at the Node
|
||||
level for two reasons:
|
||||
|
@ -34,7 +34,7 @@ The Teleport Proxy Service should be available to clients and set up with TLS.
|
|||
|
||||
## Prerequisites
|
||||
|
||||
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
|
||||
(!docs/pages/includes/self-hosted-prereqs-tabs.mdx!)
|
||||
|
||||
- A host where you will run an OpenSSH server.
|
||||
- (!docs/pages/includes/tctl.mdx!)
|
||||
|
|