* Add Kubernetes Access support to Machine ID
This adds support for Kubernetes Access to Machine ID. Users can now
request access to a Kubernetes cluster with the new
`kubernetes_cluster` config field. When a request is configured, a
`kubeconfig.yaml` is generated which can be used to access the given
cluster.
As part of this, we also refactor a few parts of the bot code to help
cache various requests that config templates make frequently by
passing a new trivial `bot.B` interface to the `Render()` function.
For good measure, we also fix the `destination.Destination` stutter
by moving the interface to `bot.Destination`.
* Remove unused CLI param and fix docstring typo
* Cache cert authority requests
We now cache most cert authority requests from config templates and
purge the cache after each cert renewal.
* Move bot.B to config.Bot
* Add a matching marshaller for the KubernetesCluster type.
Fixes an issue where the agentpool backoff channel would be redefined
each time an event was received while waiting for the backoff to complete.
This could lead to a longer backoff period than expected.
Waits for each resource to connect individually by splitting up the test into
multiple runs run in parallel.
* Ensure ListResources is accurate with denied resources
Prior to this, `tsh ls` and the web UI were reporting different numbers
of resources when a user had role/roles that restricted access to
certain resources. This was caused by returning an incorrect
`NextKey` in the `ListResourcesResponse`.
In the event that `IterateResourcePages` was returning early due to
the callback requesting to stop iteration, the `NextKey` being returned
was the last key for the **current page** instead of the key for
the **next resource** in the page. This would cause N resources between
the last resource iterated on and the end of the page to be skipped.
To remedy this `IterateResourcePages` has been refactored to
`IterateResources`. This shifts the responsibility of building the
`ListResourcesResponse` onto the caller and not the iterator. There
are no more pages to worry about, so the logic about what the next
key should be becomes simpler.
`TestListResources_WithRoles` was added to ensure that a user with
a set of roles that denies access is always returned the correct
resources from `ListResources` from both tsh and the web UI.
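The skipped-resources bug described above, reproduced as an added Go example (not Teleport's own code). `Resource`, `fetchPage`, `listResources` and `collectAll` are constructed stand-ins: a key-ordered backend of eight resources, an access check that denies some of them, and a lister that stops early once `limit` allowed resources have been collected. With `fixed=false` the lister returns the key past the current page when it stops early, as the old `IterateResourcePages` did, so a caller that pages to the end misses resources; with `fixed=true` it returns the key of the next resource in the page instead.

```go
package main

import (
	"fmt"
	"sort"
)

// Resource is a constructed stand-in for a Teleport resource: its Name is
// the backend key and Allowed is the result of the caller's role check.
type Resource struct {
	Name    string
	Allowed bool
}

// backend is a constructed, key-ordered data set; "b" and "e" are denied.
var backend = []Resource{
	{"a", true}, {"b", false}, {"c", true}, {"d", true},
	{"e", false}, {"f", true}, {"g", true}, {"h", true},
}

// afterKey returns the smallest key strictly greater than key, the usual
// "start after this entry" marker for a range read.
func afterKey(key string) string { return key + "\x00" }

// fetchPage mimics a backend range read: up to pageSize resources whose
// key is >= startKey.
func fetchPage(startKey string, pageSize int) []Resource {
	i := sort.Search(len(backend), func(i int) bool { return backend[i].Name >= startKey })
	end := i + pageSize
	if end > len(backend) {
		end = len(backend)
	}
	return backend[i:end]
}

// listResources collects up to limit allowed resource names starting from
// startKey and returns the NextKey a caller should resume from ("" when
// the backend is exhausted). fixed selects the corrected NextKey logic.
func listResources(startKey string, limit, pageSize int, fixed bool) ([]string, string) {
	var out []string
	for {
		page := fetchPage(startKey, pageSize)
		for i, r := range page {
			if !r.Allowed {
				continue // denied by the caller's roles, not returned
			}
			out = append(out, r.Name)
			if len(out) < limit {
				continue
			}
			// Early stop: the callback asked us to halt mid-page.
			if fixed && i+1 < len(page) {
				// Correct: resume at the next resource in this page.
				return out, page[i+1].Name
			}
			// Only correct when the stop fell on the page's last entry; the
			// old iterator returned this unconditionally and so skipped
			// everything between the stop point and the end of the page.
			return out, afterKey(page[len(page)-1].Name)
		}
		if len(page) < pageSize {
			return out, "" // no more pages
		}
		startKey = afterKey(page[len(page)-1].Name)
	}
}

// collectAll pages through the whole backend the way a client such as
// tsh ls does, following NextKey until it is empty.
func collectAll(limit, pageSize int, fixed bool) []string {
	var all []string
	key := ""
	for {
		names, next := listResources(key, limit, pageSize, fixed)
		all = append(all, names...)
		if next == "" {
			return all
		}
		key = next
	}
}

func main() {
	fmt.Println("old NextKey logic:", collectAll(2, 4, false)) // d and h are skipped
	fmt.Println("new NextKey logic:", collectAll(2, 4, true))  // all six allowed resources
}
```

With a page size of 4 and a limit of 2 the old logic returns only four of the six allowed resources, while the corrected logic returns all of them; the number skipped depends on where in the page the early stop lands, which is why the two clients disagreed only for users whose roles denied some resources.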
* configure golangci-lint misspell to check for anglicized spellings
* Americanize spellings
* fix aws constant value with british spelling 🇬🇧
* update api types with americanized spellings
* use american spellings .cloudbuild/scripts
This prevents an old approval from counting if the reviewer changes
their review state, and also ensures that multiple approvals from
the same author don't count as more than one approval.
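The two rules in the message above, latest review state per reviewer wins and one approval per author, as an added Go example that is not part of the repository's workflow code. `Review`, `countApprovals` and the sample review list are constructed for illustration; `countApprovalsNaive` shows the old behaviour of counting every approval event.

```go
package main

import (
	"fmt"
	"sort"
)

// Review is a constructed record of one submitted review. Seq is the
// submission order; a real workflow would use the submission timestamp.
type Review struct {
	Author string
	State  string // "APPROVED", "CHANGES_REQUESTED" or "COMMENTED"
	Seq    int
}

// sampleReviews is constructed input: alice approved and then requested
// changes, bob approved twice, carol only commented.
var sampleReviews = []Review{
	{"alice", "APPROVED", 1},
	{"bob", "APPROVED", 2},
	{"alice", "CHANGES_REQUESTED", 3},
	{"bob", "APPROVED", 4},
	{"carol", "COMMENTED", 5},
}

// latestByAuthor keeps only each reviewer's most recent review, so a
// later state change supersedes an earlier approval.
func latestByAuthor(reviews []Review) map[string]Review {
	sorted := append([]Review(nil), reviews...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Seq < sorted[j].Seq })
	latest := make(map[string]Review)
	for _, r := range sorted {
		latest[r.Author] = r // later submissions overwrite earlier ones
	}
	return latest
}

// countApprovals counts reviewers whose current state is APPROVED; each
// author contributes at most one approval.
func countApprovals(reviews []Review) int {
	n := 0
	for _, r := range latestByAuthor(reviews) {
		if r.State == "APPROVED" {
			n++
		}
	}
	return n
}

// countApprovalsNaive is the behaviour the change removes: every APPROVED
// event counts, regardless of author or later state changes.
func countApprovalsNaive(reviews []Review) int {
	n := 0
	for _, r := range reviews {
		if r.State == "APPROVED" {
			n++
		}
	}
	return n
}

// approvalsMet reports whether the PR has the required number of
// current, distinct approvals.
func approvalsMet(reviews []Review, required int) bool {
	return countApprovals(reviews) >= required
}

func main() {
	fmt.Println("naive count:", countApprovalsNaive(sampleReviews)) // 3
	fmt.Println("actual count:", countApprovals(sampleReviews))     // 1
	fmt.Println("2 approvals met:", approvalsMet(sampleReviews, 2)) // false
}
```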
Splits `close()` into `close()` and `cleanup()`. `cleanup()` is only ever called when both the input and output streaming goroutines have returned, so panics due to using freed memory should no longer be possible.
* start hashing out machine id CA rotation
* filter out incoming ca events by type
* support multiple trusted certificate authorities in known_hosts
* remove redundant trace.Debug from `tbot` `main()`
* filter to only receive relevant CA events
* add exponential backoff to renewal
* remove unnecessary `.Ping()` check with new client
* add unit test for filtering CA events
* debounce reloads
* add retry limit and backoff for CA watching
* add integration test for CA rotation
* modify CA rotation watcher loop to retry forever
Co-authored-by: Tim Buckley <tim@goteleport.com>
* Update error message returned when user is not allowed to sign db certs
* Update lib/auth/auth_with_roles.go
Co-authored-by: Nic Klaassen <nic@goteleport.com>
* Update docs
* Fix docs
* Update error for snowflake cert signing
* Update docs/pages/database-access/reference/cli.mdx
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Update docs/pages/database-access/reference/cli.mdx
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
Co-authored-by: Nic Klaassen <nic@goteleport.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
This changes tbot's configuration to access the token via a
getter/setter instead of a direct property, to allow us to fetch the
token (possibly reading it from a file) when we need it instead of when
the configuration is created.
This also changes the identity fetching logic, to try and read the token
when there is an identity present but not error, allowing for the token
file to have been deleted between restarts. If it can read the token,
it'll check to see if it has changed and refetch the identity if so.
* WebAPI: read user
We currently need to fetch the whole list of users to get a user's
information.
Adding more fields increases the probability of having performance
issues.
This PR adds a new endpoint which returns a single user.
This endpoint returns the information we already return when listing
users but also returns the user's traits.
This is a follow up of
https://github.com/gravitational/teleport/pull/14076
The following traits are returned:
- Logins
- DB Users
- DB Names
- Kube Users
- Kube Groups
- Windows Logins
- AWS Role ARNs
The changes in #13068 moved pages in the Kubernetes Access section that
did not relate to Kubernetes Access into more appropriate sections of
the docs. This meant converting
`/docs/kubernetes-access/getting-started` into a guide, rather than a
section, since only one page within the previous `getting-started`
section had to do with Kubernetes Access.
However, this change left the nav sidebar for the Getting Started
section unchanged. The current change deletes the sidebar entries to
prevent confusion.
In the previous version, the proxy client would be closed immediately
after addMetadataToRetryableError. This commit makes it so that the proxy
client is closed only after GetAllowedDatabaseUsers finishes.
When running Connect on Windows, Grzegorz ran into a problem where fetching
db users for MSSQL would fail but only on Windows and only for MSSQL:
Failed to fetch current user information: connection error:
desc = "transport: Error while dialing failed to dial: read tcp
10.211.55.4:55519->52.14.45.73:3023: use of closed network
connection". services\role.go:764
Other times the error would be
connection error: desc = "transport: Error while dialing failed
to dial: ssh: unexpected packet in response to channel open:
<nil>"] apiserver\middleware.go:39
Surprisingly, `tsh db ls` didn't have this problem. So when thinking about
what we're doing differently than tsh and how it might be related to
a closed connection, I noticed that I made a bug in the code that closes
the proxy client.
Re-run the assign workflow whenever a review is submitted.
If the PR meets the required approvals and there are additional
reviewers still assigned, dismiss them.
This makes it easier on reviewers to filter PRs on
"awaiting review from me" as the list will not include PRs that
already have the required reviews.
Fixes #11855
* Prevent forwarding traces to servers which don't support tracing
Tracing clients can detect if a server doesn't support tracing by
checking for a trace.NotImplemented error in response to an
UploadTraces request. Since the grpc.Conn used by the client is
likely to be bound to that server for the duration of its life
it doesn't make sense to keep trying to forward traces. Instead
the client now remembers that a server doesn't support tracing
and will drop any spans.
Part of #12241
If we are following the example, we should be grepping for the user created directly above this command to see if it was deleted.
Co-authored-by: Gavin Frazar <gavinfrazar@gmail.com>