* helm: allow setting `initSecurityContext` in `teleport-kube-agent`
* Apply suggestions from code review
Co-authored-by: Gus Luxton <gus@goteleport.com>
* fixup! helm: allow setting `initSecurityContext` in `teleport-kube-agent`
---------
Co-authored-by: Gus Luxton <gus@goteleport.com>
Port `:443` is explicitly stated in the Okta configuration but not in the Teleport auth connector example (it only mentions <cluster-url>, without `:443`). This has recently created multiple Okta issues for users with mismatched configurations between the auth connector and the Okta configuration.
Proposal is to align the configuration reference for the Okta and Teleport auth connector examples so users are clear these MUST match for the connector to work. I chose to align the Okta to the Teleport example but it could go the other way too.
We may also want to consider changing the order of the Okta guide. With an IdP-initiated configuration flow, it makes more sense to create and name the Teleport connector first before trying to configure Okta. But this is outside the scope of this PR for now.
* Explain Kubernetes RBAC more comprehensively
Closes #18230
This change explains Teleport's RBAC system in relation to the Teleport
Kubernetes Service. The docs didn't leave me with a readily available
place to put this information, since explanations of Kubernetes-related
role fields are scattered in asides throughout various pages.
As a result, I have added a more comprehensive, focused explanation of
Teleport's Kubernetes RBAC system in two places:
- A new how-to guide for setting up Kubernetes RBAC with Teleport using
a local `minikube` cluster.
- A reference guide that explains the Kubernetes-related fields within a
Teleport role as well as the logic that the Kubernetes Service uses to
evaluate these fields. This replaces the existing Kubernetes Access
Controls guide.
To make room for the RBAC how-to guide, I've reorganized the other
guides into a logical sequence: enabling auto-discovery, manually
registering clusters, and setting up access controls.
I've also edited the Resource Access Requests guides to explain role
fields for the different resources you can restrict access to via
`search_as_roles`, including `pods`.
* Partially respond to PR feedback
- Add `kubernetes_labels` to example snippets
- Rename a misleading H5 in the Resource Requests guide
- Make the description of impersonation more accurate in the Access
Controls guide
- Move a Notice in the Access Controls guide
- Add an example role to the warning re: namespace restrictions in the
Access Controls guide
- Make resource filtering info more accurate in the CLI reference
* Change the RBAC how-to guide
Use Deployments in the demo cluster instead of Pods, showcasing the use
of regular expressions in per-pod RBAC.
This responds to PR feedback.
* Provide an example of internal traits
This responds to PR feedback
* Add notes about regex support
Responds to PR feedback
* Explain multiple values in labels
Responds to PR feedback
* Document progressively enabling access to pods
In response to PR feedback
* unbreak redirect
* copy edits
* more copy edits
* Respond to alexfornuto feedback
---------
Co-authored-by: alexfornuto <alex.fornuto@goteleport.com>
* rename manual to active directory manual
* rename getting started to active directory
* update titles and descriptions
* first draft of non-AD getting started
Note: I have images but did not yet include them in the commit history. No need to bloat the repo if those steps will be invalidated by a new installer
* update draft
* update links for new paths
* Update based on review feedback
* update config reference
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* post-review edits
* note non-AD as enterprise feature
* expand manual AD process admonition
* Apply suggestions from code review
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* disable default services for Desktop node
* document cli access, clarify non-AD listing of hosts
* add join token for new node
* update screenshot for new UI
* copy edit...
Based on https://github.com/gravitational/teleport/pull/19311#discussion_r1095187559
* name and link for windows exe
* Update download link
* note zip format
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* helm: disable PSPs on 1.23 and document PSA usage
In 1.25, Kubernetes removes PSP support. This has two consequences:
- Helm will break after upgrading if PSPs are deployed
- We cannot set security policies anymore
This commit documents those two behaviours and makes the chart disable
PSPs on 1.23 and higher to ensure a smooth upgrade path.
* helm: Remove stale 'migrate from legacy charts' guide
* Remove Auth/Proxy instructions from DB guides
Closes #11538
A number of our Database Service guides instruct the user to install the
Auth Service and the Proxy Service. For users who have already set up
these services, these instructions add friction. For users who have
_not_ set up these services, Teleport has existing instructions that
users can follow instead.
This change edits our Database Access guides to require the user to have
a running Teleport cluster as a prerequisite, in line with how-to guides
in other sections of the docs.
Note that, while the issue this change closes is to add Auth/Proxy
Service setup instructions to _more_ places in the docs, this change
follows our style guide recommendation (#20024) to add steps to the
Prerequisites section if we have them documented elsewhere and they
don't directly pertain to the goal of a how-to guide.
* Respond to PR feedback
Change H3s to H2s
---------
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Improve the Teleport Cloud Getting Started guide
While following the Teleport Enterprise Cloud Getting Started guide to
test v12, I made the following changes to the guide:
- Change the title of the guide--and language throughout our Cloud
docs--to use "Teleport Enterprise Cloud" instead of "Teleport Cloud".
This reflects the usage in our Core Concepts page.
- Add a brief architectural explanation to the guide in case users
arrive here from a search engine.
- Restructure the guide to include a step to start a local Docker
container. This way, we can (a) ensure that all steps are consistent
for all users; and (b) let the user get started quickly without "real"
infra.
- Include instructions to paste a script generated via Teleport Discover
into the container shell.
- Update screenshots.
* Respond to alexfornuto feedback
* Minor wording change
Responding to PR feedback
* Update troubleshooting.mdx
Update the Disable NLA section to include a troubleshooting step to force the policy update. This is similar to the smartcard troubleshooting section and relevant here from customer experience.
* copy edits
* Update docs/pages/desktop-access/troubleshooting.mdx
Co-authored-by: Gus Luxton <gus@goteleport.com>
---------
Co-authored-by: alexfornuto <alex.fornuto@goteleport.com>
Co-authored-by: Gus Luxton <gus@goteleport.com>
* Document Google Cloud CLI access
Closes #17584
- Add a guide to configuring and using Google Cloud CLI access via the
Teleport Application Service.
- Since we now have three guides to setting up secure access to cloud
APIs, create a new subsection of the "Application Access" docs section
related to cloud provider APIs.
* Respond to PR feedback
- Capitalize "JSON Web Tokens"
- Edit the AWS guide's nav bar entry
- Fix garbled section in the App Access intro page
- Improve the service account name we use in the how-to guide
- Clarify the way the App Service uses a service account
- Add new env vars to the `tsh proxy` command output
- Other small changes in response to suggestions/comments
* Edit instructions for starting the VM
Add instructions to launch a new VM with a service account attached.
This addresses feedback on the PR.
* Use more precise terminology for service accounts
This addresses feedback on the PR
* Add information about `tsh gsutil`
This adds to both the Google Cloud API access how-to guide and the CLI
reference.
* Respond to PR feedback
* use nobr tags
* fix multiline command
---------
Co-authored-by: alexfornuto <alex.fornuto@goteleport.com>
* Require a new flag for enabling dynamic resources matching for "tsh db configure create"
* rename flag to --dynamic-resources-labels
* make naming more consistent
* Add device trust documentation
* Link to Device Trust from Access Control pages
* Document `device_trust` authentication section
* Document the `tsh device enroll` command
* Document `tctl devices` commands
* Review: Explain macOS restriction in text
* Review: Address Alex's comments
Indents, markdown style, code block style, punctuation and missing
words.
* Review: Use diff blocks on `tctl edit` example
* Review: Use diff blocks in other examples
* Review: Use standard example names
* Review: Address Alex's comments (2)
Uppercase SERIAL, macOS enroll notice, config example tabs.
* Review: Sort `tctl devices` commands alphabetically
* Review: Use config variables for asset_tag and enroll_token
* Review: Remove '#' from code blocks in cli.mdx
* combine warning and ScopedBlock
A ScopedBlock for OSS will never render on a page not scoped for OSS. This way, it's always visible. Once the feature is out of preview, we can just remove the first line.
* clarify device trust between trusted clusters
This addition dispels any assumptions made by the reader that applying device trust to root clusters would enforce the setting on leaf clusters.
* update enterprise tctl version output
---------
Co-authored-by: alexfornuto <alex.fornuto@goteleport.com>
* Update CA rotation docs
* Add openssh to --types
* Update --types warning
* Update --type verbiage
* Make --type editable instead of providing the options
* Add proper tag to code block.
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Improve readability.
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>