* sort list of db guides alphabetically
* add Elastic guide
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* additional edits from review
* add spaces to next steps include
This is so that additional ul items added to a guide using this partial will have consistent spacing
* remove instructions and add tip
Resolves #r995144908 and #r995566035
* fix Database Access config and add scopes
* Move note into relevant tab
* adjust example user mapping
* incorporate more feedback
* incorporate feedback from @tener
* Update docs/pages/database-access/guides/elastic.mdx
Co-authored-by: Krzysztof Skrzętnicki <krzysztof.skrzetnicki@goteleport.com>
* bypass linter rule
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Krzysztof Skrzętnicki <krzysztof.skrzetnicki@goteleport.com>
* Move SAML/OIDC web handlers to enterprise repository
Remove the SAML and OIDC web handlers from this repository as they have
been added to the enterprise repository. The SAML and OIDC connectors
are not available in the OSS edition and connectors of these types could
not be created.
This change does not have any effect on existing OSS deployments.
* Recognize GSSEncRequest as postgres proto
* Respond to GSSEncRequest with 'N' for 'not supported' in postgres engine
* Add test for GSSEncRequest to postgres via proxy
* Save gssencmode=disable in .pg_service.conf and test it
* Check for repeated startup encryption request
* Refactor postgres startup test code into its own test
* Test covers all code paths in the proxy startup handler
* Make postgres proxy tests run in parallel
* Reduced test execution time from 15 seconds to 4.5 seconds.
* Ran with race detector and all tests passed.
* Make sure we read at least one byte
* Fix lint
* Fix lint
* Change err to bad parameter
* Update test
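The proxy-side startup handling these commits describe, as an added example that is not Teleport's code: a minimal reader of the PostgreSQL startup phase that answers SSLRequest and GSSEncRequest with 'N' (not supported), rejects a repeated request of the same kind (each kind at most once, as the PostgreSQL server does), and treats an empty or truncated stream as an error rather than a silent success. The message codes are from the PostgreSQL frontend/backend protocol; the 10000-byte length bound is an assumption chosen here.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
)

// Startup-phase message codes from the PostgreSQL frontend/backend protocol.
const (
	sslRequestCode    = 80877103 // 1234<<16 | 5679
	gssEncRequestCode = 80877104 // 1234<<16 | 5680
	protocolVersion3  = 196608   // 3<<16 | 0: a plain StartupMessage
	maxStartupLength  = 10000    // assumed bound; caps the body allocation
)

// handleStartup drives the startup phase: SSLRequest/GSSEncRequest get 'N' on w,
// a repeat of the same kind is rejected, and the body of the eventual StartupMessage
// (NUL-separated key/value parameters) is returned. No bytes at all is an error.
func handleStartup(r io.Reader, w io.Writer) ([]byte, error) {
	seen := map[uint32]bool{} // each encryption request kind may appear at most once
	for {
		var hdr [8]byte // int32 length (self-inclusive) followed by int32 code
		if _, err := io.ReadFull(r, hdr[:]); err != nil {
			return nil, fmt.Errorf("read startup header: %w", err)
		}
		length, code := binary.BigEndian.Uint32(hdr[:4]), binary.BigEndian.Uint32(hdr[4:])
		if length < 8 || length > maxStartupLength {
			return nil, fmt.Errorf("bad startup message length %d", length)
		}
		switch code {
		case sslRequestCode, gssEncRequestCode:
			if seen[code] {
				return nil, fmt.Errorf("repeated startup encryption request %d", code)
			}
			seen[code] = true
			if _, err := w.Write([]byte{'N'}); err != nil { // client must fall back to plaintext
				return nil, err
			}
		case protocolVersion3:
			body := make([]byte, length-8)
			if _, err := io.ReadFull(r, body); err != nil {
				return nil, fmt.Errorf("read startup body: %w", err)
			}
			return body, nil
		default:
			return nil, fmt.Errorf("unsupported startup message code %d", code)
		}
	}
}
```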
clients close the stream and any connection when they are done with it
servers close the stream after a 1 minute timeout
proxy JoinService gRPC server closes idle connections with no RPC calls after 10 seconds
This PR returns a list of allowed principals that a user is authorized to impersonate for each Kubernetes cluster.
When a Teleport user has multiple Kubernetes users defined for the same Cluster we must allow them to choose one; otherwise the request will return an error. Similar to `kubectl get pods --as {user} --as-group {kubeGroup}`.
If the user selects invalid users or groups, it will return invalid Kubernetes principals.
Closes #17382
* Serialize apt/yum promote pipelines
These were running in parallel, but we want them to run serially.
Therefore, we add a dependency between each step and its previous step.
* Allow dev build promotes to proceed in deb/rpm pipelines
This helps test a couple more changes from this pipeline when cutting a
dev build. Particularly, we saw the download and role assumption steps
fail in https://github.com/gravitational/teleport/pull/17334, and this
change would have allowed us to catch that error during testing.
* Fix globbing bug
This bug does not appear to affect anything currently. However it
should be fixed in case the rm is important at some point in the future.
The bug is: when a wildcard is inside quotes, it is treated as a literal
filename. So rm -rf "$ARTIFACT_PATH/*" tries to remove the file named
'*' instead of trying to remove everything in artifact path.
* Swap YUM_REPO_NEW_ROLE to YUM_REPO_NEW_AWS_ROLE
All other roles environment variables end in AWS_ROLE, and consistency
is our friend here.
Devices running these architectures are likely not powerful enough
to handle desktop sessions. This will also reduce the binary size
for these builds, making them slightly more convenient for smaller
resource-constrained devices.
To enable feature detection in the Connect application, we need to
ping the auth server to understand which features are enabled.
Previously, we could get away with any cluster information stored in the
cluster profile but a proxy dial is necessary now to get an auth ping response.
* Update teleport-kube-agent readme
* Add values.yaml and schema changes for azure dbs
* Add azure discovery helm lint
* Add azure discovery helm tests
* Fix schema and update snapshot
* Update lint
* Update helm chart docs reference
* Update readme
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
* Move yaml lint note to include snippet
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
* Add azureDatabases to list of required resources for db role in docs
* Update readme to link to docs
* Provide complete example yaml for azure db discovery helm chart
* s|dbResources|databaseResources|g in helm chart reference
* Remove --set tabs for aws and azure databases from chart reference
* Update lint to use secret as example too
* Update azure db discovery helm chart snapshot
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Remove shell vars in readme since we don't provide a command
Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Connect: Accommodate for making gRPC client creds from tshd key pair
For tshd-initiated communication, the tshd process will need to create a
client that will connect to a gRPC server operated by the renderer
process of the Electron app.
On Windows, we use gRPC over TCP with mTLS. Each process creates its own
keypair and saves the public key to a predetermined location.
The previous code assumes that tshd is only going to need server
credentials. This commit makes it possible to create client credentials
from the same key pair.
* Refactor server options
* Expand the comment for createServerCredentials
* Remove unnecessary filepath.Join
* generateAndSaveCert: Use os.CreateTemp
`types.Metadata` was not properly copied when removing credentials and the internal map was not deep copied.
The race condition happened when service labels were set which caused the watcher and heartbeat functions to be reading and manipulating static labels.
When recovering after a restart, `host_uuid` changes and Auth Server authentication fails. This happens because `host_uuid` is not stored in the Kubernetes Secret but it's stored in the certificate Common Name.
This PR forces the storage of the `host_uuid` into Kubernetes Secrets for later reuse.
Fixes #17474
Improves FIDO2 login/registration UX by letting users choose (almost) any
available key and then presenting a user-friendly error if the operation cannot
be done.
New devices are now polled for continuously, as we can't eagerly filter devices
anymore. All FIDO2 devices, regardless of their capabilities, are made to wait
for user interaction: once the user interacts with the device we either complete
the operation successfully or return a reason for failure.
U2F-only devices are still silently ignored, as before. They don't respond well
to FIDO2 APIs and proved to be unwieldy in practical tests. (Maybe we can tackle
those in a follow up.)
Examples of new UX:
```shell
# Attempting passwordless login on a non-capable device (lack of PIN)
$ tsh login --proxy=zarquon --user=ihaveitall --auth=passwordless
> Tap your security key
> ERROR: device not registered for passwordless
# Attempting passwordless registration on a non-capable device (lack of PIN)
$ tsh mfa add --type=WEBAUTHN --name=test --allow-passwordless
> Tap any *registered* security key
> Tap your *new* security key
> ERROR: device lacks PIN or user verification capabilities
```
Closes #15037.
Export some names in the `lib/auth` package so that SSO auth plugins can
be implemented from outside this package, adding doc comments where missing:
* struct `ssoRequestParams` (including fields)
* struct `ssoCallbackResponse` (including fields)
* func `parseSSORequestParams`
* func `ssoSetWebSessionAndRedirectURL`
* func `redirectURLWithError`
* var `ssoLoginConsoleErr`, renamed to `SSOLoginFailureMessage`
* type `CachedSessionLingeringThreshold` (for TestSAML)
* Added multiarch build support for teleport oss, ent, and fips
* Exported image/imageTag types
* Resigned dronegen
* Removed remainder of testing changes
* Removed changes to submodules
* Reverted dockerfile-fips change
* Fixed docs wording
* Un-exported most constants
* Removed teleport.e makefile deb call
* Moved "sed | cut magic" to files
* Re-added `mkdir -pv /go/cache` to push.go
* Command deterministic order fix
* Added staging-only tag pipeline
* Moved PR to teleport operator to minimize potential issue impact
* Updated promote to pull and push without build
* Made cron triggers not affect canonical tags
* Added check for pre-existing tags on immutable CRs
* Added immutability check to manifests
* Updated staging ecr to only apply $TIMESTAMP tag on cron triggers
* Updated triggerinfo struct to use a triggerflag struct
* Fixed makefile after git mistake
* Makefile fix
* PR fixes
* Moved internal tools Go version to constant
* Separated container images gofile into multiple files
* Moved testing comment
* Added licenses
* Reorganized and added docs for container images
* Moved const to correct file
* Tag trigger logic test
* Testing specific fix
* Moved testing to v10.3.2
* Make semver dirs
* Refactored local registry name/socket
* Merged previous dockerfile changes
* Added TARGETOS TARGETARCH args
* Updated tag to testing tag
* Promotion logic test
* Promotion fixes
* Testing specific fix
* Removed prerelease check for testing
* Added staging login commands to promote
* Fixed missing credentials on promotion pull
* Rerun tag test with new "full" semver
* Made staging builds only publish full semver
* Added semver logging command
* Empty commit to trigger Drone
* Promotion test
* Fixed preceding v on promote pull
* Empty commit to trigger Drone
* Re-enabled verify not prerelease step on promote
* Cron trigger test
* Testing fix
* Testing fix 2
* Added sleep timer on docker buildx build
* Testing cleanup