* Add Kubernetes/Helm instructions to the RDS guide
Closes #27753
Add "Kubernetes" tabs as counterparts to Linux host instructions,
following the structure we have used in Access Request plugin guides:
where we show how to install Teleport on a VM, include `helm repo add`
instructions. And when we show how to run a Teleport service, include
`helm install` instructions.
In this guide, I've hardcoded a Teleport configuration file in order to
run `teleport db configure bootstrap`, then inserted the config file
into a Helm values file.
This change also includes instructions to use a local `teleport` binary
in order to bootstrap IAM resources.
This also adds minor formatting and readability changes, e.g., the `Var`
component.
* Respond to alexfornuto feedback
* Update docs/pages/database-access/guides/rds.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Fix linter warnings
* Add Service Account IAM instructions
Frame the guide around authenticating the Teleport agent pod's service
account via the IAM OIDC provider.
* Respond to stevenGravy feedback
* Minor tweaks
- Ensure `Var` names are consistent
- Use obviously fake values for resource URIs
- Use the correct value for the OIDC issuer ID
* Respond to alexfornuto feedback
* Fix spelling
* Fix linter issues
---------
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
Device Trust remains an enterprise-only feature and is fully enforced
by the enterprise auth server. Move the tctl commands to OSS as part
of our effort to eliminate the enterprise build of tctl.
* Replace custom test render with gotestsum - part II
Continuation of https://github.com/gravitational/teleport/pull/29862
As the Docker image has been updated, gotestsum is now used for all tests except flaky test detector.
I'll tackle it separately as it requires more work due to custom generated report format.
* Add $(RENDER_TESTS) to makefile test-go-flaky target as test render was removed from the test-go-prepare target.
Ignore any `.swc` directories when computing the SHA of SHAs to
determine if `make ensure-webassets` should rebuild the web UI. The
`.swc` directories are in the `.gitignore` file, so should also be
ignored when computing the SHA of the web files.
On a fresh checkout of `teleport`, running `make ensure-webassets`
causes a plugin to be built or downloaded into
`web/packages/teleport/.swc/plugins/v4`. As this is inside the directory
over which the SHA of SHAs is computed, if you re-run
`make ensure-webassets`, it ends up rebuilding the web UI for the same
result. It should not rebuild the web UI if it hasn't changed. The SHA
of SHAs generated from a fresh checkout of teleport should match another
fresh checkout. This fails as generating the enterprise webassets after
generating the OSS webassets includes the plugin as part of the SHA, and
that is not there on a fresh checkin.
This will make a difference if we want to build the web assets as a
separate step on CI so that the `webassets` directory can be copied into
other builds. This will allow a later version of node.js to be used to
build the web UI than what may be available on the OS we're building
Teleport on (I'm looking at you, CentOS 7).
Fix a shellcheck-reported issue of quoting while we're here.
* Adds FAQ entry for `tctl auth sign --tar`
* Add preferred option as well
* Actually include the flag we're documenting
* words
* Update docs/pages/faq.mdx
* Move to installation guide, re-word example for Docker
* fmt
gotestsum has been added to the Docker image in https://github.com/gravitational/teleport/pull/29862. Unfortunately, devbox failed to rebuild the image due to a bug in devbox that has been fixed in 0.5.8.
This PR re-adds the gotestsum to devbox and upgrades the version used in the CI.
After merging #28845, the cluster name is different and the test failed.
Since the AWS E2E tests are not required, the merge happened and broke
all tests.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Replace custom test renderer with gotestsum
All instances of the custom test renderer (`${RENDER_TESTS}`) in the Makefile have been replaced with gotestsum calls. This allows to provide a more standardized and extendible tool for handling the test output. The gotestsum tool, being a popular and actively maintained project, adds additional features such as output formatting options and compatibility with developer tools. As a result, it improves the readability and accessibility of our test results.
* Add gotestsum and update Makefile, Dockerfile, and devbox files
Changes have been made in Makefile, Dockerfile, and devbox.json files to install gotestsum if it's not already installed and use it in the test commands. The devbox.lock file has also been updated accordingly to reflect the addition of gotestsum.
* Update gotestsum installation in Makefile
The Makefile has been adjusted to ignore any errors while installing 'gotestsum'. This is a temporary measure until 'gotestsum' is added to the Dockerfile, to prevent the build process from failing.
* Fix devbox?
* Apply a review suggestion
Revert devbox changes - devbox seems to be broken. I'll introduce this change in a new PR, so the current one is not blocked on an admin approval.
* Revert `make e2e-aws` to use render-test to prevent CI failing
* Hash out fundamentals of a Kubernetes Secret destination (it works!)
* Propagate context through Init()
* Propagate context.Context through Destination.Write
* Propagate context.Context through destination.Read
* Use _ for unused context.Contexts
* Add docs for `kubernetes_secret` destination
* Basic tests for DestinationKubernetesSecret
* Add test based on fake k8s client
* Require init before usage
* Refine documentation for kubernetes_secret destination
* Improve logging when secret is created
* Fix test
* Fix imports
* Fix lock copy
* Use dry run for initialization
* Ensure same destination is not reused
* Add docs on how to impersonate Kubernetes ServiceAccounts
This PR brings clarity around how to impersonate Kubernetes ServiceAccounts.
This feature has been supported for a long time but unfortunately it wasn't documented and there was an issue that implied it wasn't supported.
Closes #5248
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Apply suggestions from code review
Co-authored-by: Gus Luxton <gus@goteleport.com>
* Apply suggestions from code review
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Gus Luxton <gus@goteleport.com>
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
This PR splits the resource list and delete collection handlers into
separate files.
It does not include any change to the codebase.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
This PR adds the support of discovery endpoints to Teleport Kubernetes
Mock api.
The discovery API will be used to build a collection of cluster
CRD namespaced resources supported by the server.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
If tsconfig doesn't have an `outDir` option set, VS Code shows a multitude of errors of the following kind:
```
Cannot write file '/Users/bartosz/code/teleport/e/web/teleport/babel.config.js' because it would overwrite input file.
```
* dronegen: Build Teleport Connect for amd64 push build
Add an input parameter when calling the release-linux workflow to build
Teleport Connect for the AMD64 build. This was previously done when
Drone was doing the build but got accidentally dropped when moving to
GitHub actions.
This will also be used for the tag builds when they migrate to GHA as we
do a release build of Teleport Connect for each architecture.
* ci: Update .drone.yml
Update .drone.yml with `make dronegen` to add the `build-connect`
parameter to the call of the `release-linux` workflow.
* Update e ref for release-linux teleport param
Update e ref for 98fc02c3f276054b72fe7c55544b45834d964b9b so we can call
the release-linux workflow with the `build-connect` parameter.
* Add a way to construct Teleport app from Kubernetes service
* Address review comments
* Log errors of kube apps discovery instead of returning error
Returning an error would prevent other non-errored apps from being discovered.
* Move automatic protocol checking out of services package
* Add annotation for overriding app name
* Return error in case of invalid label key
* Change value for discovery name annotation
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
* Use local service name even for external services
---------
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
* Vendors Discord plugin source into Teleport
In preparation for running the Discord integration as a hosted plugin,
this PR transplants the plugin source into Teleport.
* gci
* quote database name predicate
* Add test for GetDatabase
* ensured test fails without the predicate quoting fix
* tested with and without active cert, to test the different list API paths
* Make sure Connect My Computer is not shown to SSO users
* Improve user type check in RoleSetup
* Reexport UserType
* Fix protos
* Add makeLoggedInUser test helper and use it in tests