See #12654
The Kubernetes Access section includes guides for using the Kubernetes
Service as well as guides for running the Auth and Proxy Service on
Kubernetes. This is misleading, since (a) you can run the Auth/Proxy
on Kubernetes without using Kubernetes Access and (b) you can use
Kubernetes Access without running the Auth/Proxy on Kubernetes.
This change focuses on the pages in:
/docs/pages/kubernetes-access/getting-started/
- Move docs/pages/kubernetes-access/getting-started guides that don't
relate to Kubernetes Access out of this section, and change the
docs/pages/kubernetes-access/getting-started.mdx page to point to
the current "Agent" guide.
- Edit the "docs/pages/getting-started.mdx" menu page to accommodate the
Kubernetes guides. Previously, this page included separate links for
each edition's getting started guide. To add the Kubernetes Cluster
guide, I organized the links in the "Deploy to production" section into
a TabItem for each Teleport edition. There are separate links to the
Kubernetes Cluster guide, one for OSS users and one for Enterprise
users. These links also take users to the appropriate scope.
Fixes #12924
The Linux and MacOS sections of the Installation page only included
instructions for the OSS edition of Teleport. This change adds
Enterprise instructions to prevent Enterprise users from downloading
the wrong Teleport edition.
This also changes the install-linux partial to accommodate Enterprise
customers.
Fixes a bug in tsh ls resources, where users were prompted
to re-login when it was only a predicate query error.
`RetryWithRelogin` now aborts the re-login attempt if the
error is of type predicate.
The Linux Server getting started guide shows the wrong screenshot
when referring to the Teleport welcome screen. This change uses
a screenshot of the view an unauthenticated user would see when
first visiting the Web UI.
Attempt to detect builder environment inconsistencies by compiling a toy FIDO2
program - if this fails, then clear the cache and try again.
Builders are sometimes getting into inconsistent states; this should help
avoid manual intervention in order to fix them.
Favor newer Touch ID credentials in the allowed set for MFA, or just the newer
credential for passwordless.
Fixes a capture-by-reference bug and adds coverage for it.
Issue #13340.
* Add tests for Touch ID credential-choosing logic
* Favor newer Touch ID credentials within the allowed set
* Warn about origin vs RPID mismatch
* Ensure tctl commands include login instructions
See #10192
Add the tctl.mdx partial or a "tsh login" command in some pages that
include example tctl commands. Note that this change does not address
SSO guides, which will be handled separately.
Where a guide requires a complete restructuring to provide full context,
"docs/pages/application-access/guides/connecting-apps.mdx", I've added
a "tsh login" instruction above the first tctl command.
* Respond to PR feedback
Fixes #12921
This removes the DigitalOcean link on the /docs/getting-started page
and moves the DigitalOcean guide into /docs/setup/deployments, which is
a more appropriate home. Now, the "Deploy to production" section of
/docs/getting-started only includes links to the Getting Started
guide for the Open Source, Cloud, and Enterprise editions, making it
clearer to users that there are three editions and that we have separate
content for each one.
This also changes the href of the Teleport Cloud link on the Getting
Started page to /cloud/getting-started/?scope=cloud to be
consistent with the other links, which direct users to guides.
* Edit the Machine ID getting started guide
Fixes #11806
- Add more scope-specific information to the Prerequisites section
- Add the tctl.mdx partial to make it clearer for each scope how to
connect to the cluster to run tctl commands.
- Add the Cloud tenant address to the "tbot start" example command for
Cloud users.
* Respond to PR feedback
Fixes #12582
Some of our Enterprise information is out of date.
Teleport Enterprise introduction:
- Add information on HSM support and Moderated Sessions
Teleport FAQ:
- Update the edition comparison table.
- Promote each question to an H2 header, allowing it to appear in the
table of contents sidebar.
- Update some outdated terms.
- Convert the edition comparison table from HTML to Markdown for ease
of reading.
- Remove the version support table since it is long out of date.
Super minor, but in this case we log that we're initializing the backend
_prior_ to cfg.CheckAndSetDefaults which means that if we are indeed
using the default the following will be printed:
> {"caller":"dynamo/dynamodbbk.go:206","component":"dynamodb","level":"info","message":"Initializing
backend. Table: \"example-table\", poll streams every
0s.","timestamp":"2022-06-01T23:49:49Z"}
Which is misleading as it's not polling the stream every "0s", it's
polling every 1s as per backend.DefaultPollStreamPeriod
Signed-off-by: Michael McAllister <michael.mcallister@goteleport.com>
* Update api/types/fuzz_test.go
* do not fail if the file is missing
* missing go-118-fuzz-build fix
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
This test would occasionally fail with:
=== RUN TestGRPCErrorWrapping
grpc_test.go:125:
Error Trace: grpc_test.go:125
Error: Received unexpected error:
EOF
Test: TestGRPCErrorWrapping
According to the gRPC docs
(https://pkg.go.dev/google.golang.org/grpc#section-readme)
io.EOF indicates that the server closed the stream and
that "the status of the stream may be discovered using ReadMsg."
Since the test is ultimately attempting to assert that the error
from Recv() is properly wrapped in an "already exists" error, we
tolerate the io.EOF on Send() and continue to check the error from
Recv().
I've run with this change for about 150K iterations and haven't seen
a failure. Prior to this change we would get a few failures per 10K
iterations.
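The Send/Recv handling described in the commit message above, as an added example that is not part of the original commit or of Teleport's test. It is a stdlib-only Go model: `fakeStream`, `strictStatus`, `tolerantStatus` and `errAlreadyExists` are hypothetical names, not gRPC or Teleport APIs.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// errAlreadyExists stands in for the wrapped "already exists" error (constructed).
var errAlreadyExists = errors.New("already exists")

// fakeStream is a hypothetical stand-in for a client stream. sendErr is what
// Send returns; status is the terminal error the server reported, seen by Recv.
type fakeStream struct {
	sendErr error
	status  error
}

func (s *fakeStream) Send(string) error     { return s.sendErr }
func (s *fakeStream) Recv() (string, error) { return "", s.status }

// strictStatus fails on any Send error, so it reports a bare EOF whenever the
// server closes the stream before the client's Send runs.
func strictStatus(s *fakeStream) error {
	if err := s.Send("create"); err != nil {
		return err
	}
	_, err := s.Recv()
	return err
}

// tolerantStatus ignores io.EOF from Send, since it only means the server
// closed the stream, and always takes the real status from Recv.
func tolerantStatus(s *fakeStream) error {
	if err := s.Send("create"); err != nil && !errors.Is(err, io.EOF) {
		return err
	}
	_, err := s.Recv()
	return err
}

func main() {
	late := &fakeStream{status: errAlreadyExists}                   // Send wins the race
	early := &fakeStream{sendErr: io.EOF, status: errAlreadyExists} // server closed first
	fmt.Println(strictStatus(late), "|", strictStatus(early))
	fmt.Println(tolerantStatus(late), "|", tolerantStatus(early))
}
```

Only the strict variant's result depends on which side wins the race, which is the intermittent failure the commit describes.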
Recent Rust dependency upgrades include a newer version of prost.
This new version no longer ships embedded protoc binaries, and
instead tries to build protoc from source. This would require us
to install cmake on our buildboxes. We want to avoid this and
instead leverage the version of protoc already installed.
This change was made to the standard buildbox, but the CentOS 7
buildbox was missed.
Additionally, I noticed that Rust was installed in
Dockerfile-centos7-fips, but not in Dockerfile-fips, which means
the FIPS binaries have different functionality depending on which
version you use. To correct this, I removed Rust from the CentOS 7
FIPS builds (since the Rust features are not FIPS compliant anyway).
Adds a `trace.Tracer` to the `cache.Cache` so
that all operations can be traced. Also, updates
the `utils.FnCache` to link the `context.Context`
passed to the loadFn to any current spans. This
will allow any fetches made by the `FnCache` to
be associated with the call that led to loading.
Note: There are a few methods in the `auth.Cache`
interface which do not take a `context.Context`.
For the time being all spans for these calls use
a `context.TODO` and will be updated in the future,
where the changes can be made on a per method basis.
* Support configuration `teleport.join_params.join_method` "token"
* support loading token name from file
* update tests
* update documentation for AuthToken to hint towards deprecation