This commit enables login rule evaluation during login for users logging
in with a GitHub connector.
The GitHub connector is a bit different from the SAML and OIDC
connectors in that the user roles are not mapped from the traits
(claims/assertions) but from the user's GitHub organizations and teams
directly.
This makes login rules slightly less useful for GitHub logins because
they cannot affect the user's roles, only their traits.
However, GitHub login is mostly an OSS feature and login rules will be
enterprise-only.
Any enterprise users making use of GitHub login will still be able to
use some of the features (trait mapping).
This commit adds the types necessary in order to add audit events for
login rule resource actions.
The emission of these events will be added in a separate commit to
teleport.e, and the frontend display will be added later (currently
these show up as "Unknown" events).
Fixes an issue where the operator sidecar tries to mount the public TLS certificates but the volume is not declared.
```
$ helm install -n teleport teleport-repro /home/shaka/work/teleport/examples/chart/teleport-cluster --set teleportVersionOverride=12.0.0-alpha.1 --set clusterName=teleport.example.com --set tls.existingSecretName=my-tls-secret --set tls.existingCASecretName=my-root-ca --set operator.enabled=true
# [...]
Error: INSTALLATION FAILED: Deployment.apps "teleport-repro-auth" is invalid: spec.template.spec.containers[1].volumeMounts[0].name: Not found: "teleport-tls"
```
The operator does not need those certs to work.
Migrates metrics counting proxied connections and connection attempts
from `regular/proxy.go` to `proxy.Router` so that connections via
the web UI and `tsh ssh` via the Proxy SSH and gRPC servers are all
accounted for.
This change adds support for FIDO2/WebAuthn/hardware tokens by default.
OTP 2FA still remains functional. This is a major change and should be
part of a major release, even if this should be seamless for most users.
Warning: `webauthn.rp_id` should not change during the cluster's lifetime, else
2FA tokens will have to be re-registered.
Users accessing the cluster under a different name than `clusterName`
will have to set `rp_id`
(`auth.teleportConfig.auth_service.authentication.webauthn.rp_id`) to be
able to register second factors. As we strongly encourage users to have
a resolvable `clusterName`, and `publicAddr` support was added recently,
this seems an acceptable edge case.
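As an added example (not from the commit or the Teleport project), a `teleport-cluster` Helm values fragment for the edge case described above: the cluster is named `teleport.example.com` but users reach it as `access.example.com`, so `rp_id` is pinned to the name users actually type. The hostnames, the `publicAddr` value and the `second_factor: on` setting are assumptions for illustration; only the `auth.teleportConfig.auth_service.authentication.webauthn.rp_id` path and `clusterName` come from the text.

```yaml
# Added example values for the teleport-cluster chart; not the project's own config.
clusterName: teleport.example.com          # internal cluster name (from the chart values)
publicAddr:                                # assumption: the name users type into the browser / tsh
  - access.example.com:443
auth:
  teleportConfig:
    auth_service:
      authentication:
        type: local
        second_factor: on                  # assumption: "on" keeps OTP usable alongside WebAuthn
        webauthn:
          # The relying party ID must match the hostname users access the cluster under,
          # otherwise browsers refuse to register or assert WebAuthn credentials.
          # Pick it once: changing it later invalidates every registered second factor.
          rp_id: access.example.com
```

If users instead reach the cluster under `clusterName` itself, `rp_id` can be left unset and the chart's default applies; the explicit setting is only needed when the public name differs.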
This commit sets the `IdleTimeoutMessage` in the windows server
`MonitorConfig`, which ensures that the `client_idle_timeout_message`
will be written to the `MessageWriter` upon a client timeout
(see `Monitor.start`).
* Add agentless installer
* Resolve comments
* Resolve comments
* Use GetCertAuthorities locally
* Try to get IMDS hostname
* Try get imds hostname first
This seems to be how it's implemented for non-agentless nodes
* Use FIPS cipher suites
* use the openssh ca, resolve comments
* write keys to /etc/teleport/agentless by default
* Resolve comment
* lints
* test fixes
* Add integration test for daemon.Service.AddCluster
* Call SaveProfile on clusterClient rather than cfg
This way we don't have to explicitly set ClientStore as
client.NewClient(cfg) does that for us.
* Includes in commercial pre-req to have an enterprise account. Uses includes on how to get a license file.
* Showed how to use the ARM version. Removed comment that only x86_64 are provided.
* Includes amd64, arm and arm64 include descriptions.
* Updates to GCP to show enterprise installation.
The change from kube_service to kube_server in v11
led to breaking backwards compatibility for v10 agents
connecting to a v11 teleport cluster when proxy peering
is enabled.
The issue was that, in converting from a kube_service to kube_server,
the proxy IDs the kube agent is connected to were never copied.
This leads to kube agents being reachable through the proxy
they are connected to but not through peer proxies.
This PR implements a `kubectl` wrapper inside `tsh` that creates resource access requests, waits for their approval and retries the command when it detects that access to a pod was denied due to missing role or Kubernetes RBAC principals permissions.
Part of #18434
Updates #19573
* Move tsconfig.json to root dir
At the moment, it looks like the TS language server has problems with
recognizing imports when editing files inside e/web.
I figured this is probably because tsconfig.json is in web, so the lang
server doesn't recognize it when editing files from e/web.
* Remove web/Dockerfile and web/Makefile
* Misc updates to readme
* Fix links in readme
Increases the deadline until the agent receives the first byte to 10s.
It's required to accommodate setups with high latency, where the time
between the TCP connection being accepted and the arrival of the first byte is longer
than the default value of 1s.
Fixes #20442
Add device-specific verbs to RoleAdmin, which are not included in the default
`RW()` set. Fixes issues while using `tctl devices add --enroll` and
`tctl devices enroll`.
#514