* Explain how to start new services on an agent
Closes #22540
This change adds a new H3 section to the intro page of the "Run Teleport
Agents" section. It uses an H3 section, rather than a new guide, because
starting a new service on an agent is close enough to redeploying the
agent that it would make sense to recommend deploying new agents instead
(and linking to the guide for deploying agents via Terraform).
At the same time, this change briefly describes how you _would_ start a
new service on an existing agent, and puts this in context with a
description of how agent joining works.
* Respond to zmb3/alexfornuto feedback
* feat: Login Rule support for email.local and regexp.replace
This commit updates the `stringListMap` function to filter out values
that map to the empty string.
This is used by `email.local` and `regexp.replace` only.
The empty values were already being filtered out in
`(*TraitsTemplateExpression).Interpolate`, adding the filtering here
just makes it more convenient to call these functions in the Login Rule
parser in teleport.e where it's desirable to have the same behaviour of
`regexp.replace` filtering out values that don't match the expression.
The actual implementation and tests for the new helpers in Login Rules
are added in a buddy PR in teleport.e.
This PR also adds documentation for the new functions.
* apply docs grammar suggestions
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
Fix messed up spelling
add missing punctuation, fix wording
Docs: Ordered and unordered list changes for lint update (#29094)
* Ordered and unordered list changes for lint update
* Fixes from Alex's review
Docs: numbering lint warnings batch 2 (#29093)
* Change ordered and unordered lists to squash lint warnings
* Change ordered and unordered lists to squash lint warnings
* Changes for lint update
additional lint fixes
Additional fixes for linter
* Add methods to create and remove tokens
* Add a function to create agent config file
* Integrate token generation and config file creation
* Move response formatting to the handler
* Remove doc links
* Declare struct before its methods
* Remove `useRetryWithRelogin` usage
* Hold a clock in `TokenProvisionerConfig`, add a function that creates `TokenProvisioner`
* Do not use `EmptyResponse` in proto
* Create a specialized struct to return token and labels
* Add an integration test
* Uncomment `runGenerateConfigFileAttempt` step
* Run prettier
* Remove duplicated assertion and use more meaningful name
* Fix lint issue
The reexec process now has a two way wait mechanism to allow the
child process to complete any setup operations that may be required
before the parent process starts enhanced recording.
The old process was:
1) Parent launches child process
2) Child process opens PAM context and blocks on the continue signal
3) Parent sets up enhanced recording
4) Parent sends the continue signal
5) Child executes command/opens shell
The new process is:
1) Parent launches child process and waits for child continue signal
2) Child process opens PAM context and then signals it has completed setup
3) Parent receives child continue signal and sets up enhanced recording
4) Parent sends the continue signal
5) Child executes command/opens shell
Closes #29030
* Allow creating an admin `ClusterRoleBinding`
This PR adds the possibility of creating a cluster role binding between a group whose name is defined by `adminClusterRolebinding.name` and the built-in `cluster-admin` `ClusterRole`.
This is particularly useful for GKE Autopilot clusters where it's not
possible to use the default `system:masters` group because the authz Warden
security module prevents impersonating system-wide identities.
When the chart detects that the target cluster is a GKE cluster - `version: v1.x.x-gke.<build>` - it will automatically create the `ClusterRoleBinding` and print a warning message with the following payload:
```
NOTES:
WARNING: GKE Autopilot clusters forbid users from impersonating system-wide identities.
This means you won't be able to use the `system:masters` Kubernetes Group in
the Teleport Roles for GKE Autopilot clusters.
Given that you installed Teleport on a GKE cluster, we recommend you use the
Kubernetes Group `cluster-admin` instead of `system:masters` in the Teleport Roles
for GKE Autopilot clusters.
This chart automatically created the `cluster-admin` Kubernetes Group for you and
assigned it admin privileges on the Kubernetes cluster.
Consult the built-in security features that GKE Autopilot enforces:
https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-security#built-in-security
```
Part of #28506
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Apply suggestions from code review
Co-authored-by: Gus Luxton <gus@goteleport.com>
* add role example
---------
Co-authored-by: Gus Luxton <gus@goteleport.com>
* Reduce headless watcher max backoff period to 90s; Propagate watcher error properly; Don't retry on not implemented error.
* Stop watcher if it wasn't stopped already.
Prior to this change, running the example as written would result
in the following error:
```
Error: INSTALLATION FAILED: execution error at (teleport-cluster/templates/proxy/service.yaml:5:6):
proxy.service.type must not be LoadBalancer when using an ingress - any load balancer should be
provisioned by your ingress controller. Set proxy.service.type=ClusterIP instead
```
This patch adds that change to the example cluster configuration
helm values.
* Copy files from teleport/plugins/access/mattermost
* Add github.com/mailgun/holster/v3
* Define mattermost types
* Move StatusFromStatusCode to commons dir
* Make changes/refactor based on other plugins
- Re-use commons
- Delete dups (most of app.go and version.go)
- Moved looking up channel into bot.go
- Emit status update after a response
- Added missing? recipients section to example toml
* Move mailgun dep to direct dep and fix lint
- run go mod tidy
- remove unused example config
- fix ordering of imports
* Vendors in `jira` access plugin source
Transplants the source for the JIRA access plugin from the `teleport-plugins`
repository into the main OSS `teleport` repo in preparation for integration
as a hosted plugin.
* gci
Closes #27755
- Separate the docs test plan into its own issue template. This makes
the checklist easier to work with for Docs Team members. Also adds
sections to the Docs Test Plan for readability.
- Update the list of guides to verify. This reflects the current range
of getting started guides available for Teleport's editions.
- Propose verifying that we can complete all how-to guides introduced
within an upcoming release.
We need to strike a balance between testing critical guides and keeping
the workload of the Docs Team manageable, so this change limits the
number of guides it adds to the Test Plan.
Alongside new feature guides, this change adds the Terraform AWS HA
guide to the list of guides to verify. This is because we want to
position this as a critical guide for launching an HA self-hosted
Teleport cluster.
* Describe using dynamic resources for DB Service HA
Closes #9869
- Edit the Database Access HA guide to mention dynamic registration
- Briefly mention HA in the Dynamic Registration guide
* Respond to alexfornuto feedback
This commit adds support for Resource Access Requests to the tctl
request create command, specifically adding the --resource flag already
available in tsh that was never added to tctl (an oversight). It may be
useful when creating requests for other users as an admin or an
automation.
* adds public web addresses to self-signed cert
* skips adding ip addresses to self-signed cert
* skip error on public addresses
* lint fix
* optimize logic and log error
* Update lib/service/service.go
Co-authored-by: Noah Stride <noah.stride@goteleport.com>
* skip adding IP addresses to DNS SANs and log warning
* lint fix and update log message
* add public addresses into IP SANs if IPs
* remove comment
* lint fix
* include empty ipaddress for GeneratedSelfSignedCert calls
* removed
* update function call
* logic updates
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* handle when an IP address can't be parsed for self-signed cert
---------
Co-authored-by: Noah Stride <noah.stride@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
This PR fixes the operator's CRDs drift between the CRD and the proto
stubs they are derived from.
It also adds a check to prevent future drifts by forcing the manifest
generation and requiring an empty diff.
Fixes #29438