When modifying the `types.WatchKind` of `ForRemoteProxy` a series of
steps need to be performed to prevent bricking remote cluster caches.
First, the `cfg.Watches` of `ForOldRemoteProxy` must be replaced
with the current `cfg.Watches` of `ForRemoteProxy`. Next, the
version used by `lib/reversetunnel/srv.go` to determine whether
to use `ForRemoteProxy` or `ForOldRemoteProxy` must be updated
to be the release in which the new resource(s) will exist.
Once both of these are done, `ForRemoteProxy` may be updated.
Comments are added to `ForRemoteProxy`, `ForOldRemoteProxy`, and
`createRemoteAccessPoint` to help prevent backward incompatible
changes like https://github.com/gravitational/teleport/issues/17211
and https://github.com/gravitational/teleport/issues/19907 from
occurring again in future releases.
- Add a generalized client store made up of a key, profile, and trusted certs store. Each sub store can support different backends (~/.tsh, identity_file, in-memory).
- Replace custom identity file handling with in-memory client store.
- Fix issues with trusted certs handling.
When running in the debugger, width was returned as 0, even though there was no error.
This resulted in a panic further down the code, because the column maxCellLength
ended up negative.
The changes in #17405 added a section to the docs for guides to
exporting audit events, and moved guides from
`docs/pages/management/guides`, but failed to add redirects. This change
adds the missing redirects.
Follow up on #19659 by enabling device authorization for k8s access.
All relevant changes and tests are already part of the aforementioned PR, I was
simply holding this out until I could do more thorough manual testing.
Without session MFA:
```shell
$ tsh logout; tsh login
$ kubectl get ns
> ERROR: unauthorized device
>
> Unable to connect to the server: getting credentials: exec: executable tsh failed with exit code 1
$ ./tsh logout; ./tsh login # tsh signed for device authn
$ kubectl get ns
> NAME STATUS AGE
> default Active 27h
> kube-node-lease Active 27h
> kube-public Active 27h
> kube-system Active 27h
> local-path-storage Active 27h
> teleport Active 126m
```
With session MFA:
```shell
$ tsh logout; tsh login
$ kubectl get ns
> ERROR: rpc error: code = PermissionDenied desc = unauthorized device
>
> Unable to connect to the server: getting credentials: exec: executable tsh failed with exit code 1
$ ./tsh logout; ./tsh login # tsh signed for device authn
$ kubectl get ns
> Tap any security key
*taps*
> NAME STATUS AGE
> default Active 27h
> kube-node-lease Active 27h
> kube-public Active 27h
> kube-system Active 27h
> local-path-storage Active 27h
> teleport Active 122m
```
gravitational/teleport.e#514
The federation data XML had a warning to treat it as a password. Rather, it should be treated securely like a certificate so the values are loaded correctly.
* Fix Teleport version
* Update GitHub actions guide with new actions and GHES support
* Fix SPAG
* Add note on omitting -i
* Change notes order to make things make more sense
* Apply suggestions from code review
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* More spag tidying in github actions article and removed some chaff
* Fix SPAG
* Introduce next steps section
* Add missing hyphen
* Move Enterprise instructions to tabs
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
When users access a cluster, Teleport caches their credentials to avoid generating a new cert key pair each time they run a command on the cluster. If the user's certificate includes an active access request that was later discarded, the Teleport Kubernetes Proxy continues to use the cached credentials - which include the dropped access request - resulting in subsequent requests being denied by Teleport. The problem persists even if the user assumes another access request that grants him access to the cluster.
This situation happens because the Kubernetes Proxy stores the user's certificate in a TTL map to avoid generating and signing it each time the user hits the proxy. The cache lookup uses a key that includes the `kubeCluster`, `username`, `certificate_expiration`, `kube_users`, and `kube_groups` but does not include the `active_requests`.
This PR adds the `active_requests` into the cache's key to distinguish different certificate requests for the same user.
Fixes #19884
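The aliasing described above, as an added illustration that is not the proxy's own code: a minimal TTL-style credential cache is keyed first with the pre-fix key (no `active_requests`) and then with a key that includes the sorted active request IDs. The `certRequest` struct, the key layout, the cache type and the sample request IDs `req-1`/`req-2` are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// certRequest holds the fields the credential cache is keyed on. Field names
// follow the description above; the struct itself is an illustration.
type certRequest struct {
	kubeCluster    string
	username       string
	expiry         time.Time
	kubeUsers      []string
	kubeGroups     []string
	activeRequests []string
}

// joinSorted canonicalises a set-valued field so ordering cannot change the key.
func joinSorted(s []string) string {
	c := append([]string(nil), s...)
	sort.Strings(c)
	return strings.Join(c, ",")
}

// OldCacheKey reproduces the pre-fix key: active_requests is not part of it.
func OldCacheKey(r certRequest) string {
	return strings.Join([]string{
		r.kubeCluster, r.username, r.expiry.UTC().Format(time.RFC3339),
		joinSorted(r.kubeUsers), joinSorted(r.kubeGroups),
	}, "|")
}

// NewCacheKey appends the sorted active request IDs, so certificates minted
// under different access requests never alias each other.
func NewCacheKey(r certRequest) string {
	return OldCacheKey(r) + "|" + joinSorted(r.activeRequests)
}

// cachedCert stands in for the signed certificate; only the embedded request
// IDs matter for the demonstration.
type cachedCert struct{ activeRequests []string }

// credentialCache is a minimal TTL map parameterised by the key function.
type credentialCache struct {
	keyFn   func(certRequest) string
	entries map[string]cachedCert
}

func newCache(keyFn func(certRequest) string) *credentialCache {
	return &credentialCache{keyFn: keyFn, entries: map[string]cachedCert{}}
}

// get refuses expired entries and otherwise looks the request up by key.
func (c *credentialCache) get(r certRequest, now time.Time) (cachedCert, bool) {
	if now.After(r.expiry) {
		return cachedCert{}, false
	}
	v, ok := c.entries[c.keyFn(r)]
	return v, ok
}

func (c *credentialCache) put(r certRequest) {
	c.entries[c.keyFn(r)] = cachedCert{activeRequests: r.activeRequests}
}

// ServesStaleRequest simulates the scenario: a certificate is cached while
// access request "req-1" is active, the user then drops it and assumes
// "req-2". It returns true when the cache hands back the stale certificate.
func ServesStaleRequest(keyFn func(certRequest) string) bool {
	now := time.Date(2023, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	base := certRequest{
		kubeCluster: "prod", username: "alice", expiry: now.Add(time.Hour),
		kubeUsers: []string{"alice"}, kubeGroups: []string{"developers"},
	}
	cache := newCache(keyFn)

	first := base
	first.activeRequests = []string{"req-1"}
	cache.put(first)

	second := base
	second.activeRequests = []string{"req-2"}
	hit, ok := cache.get(second, now)
	return ok && joinSorted(hit.activeRequests) != joinSorted(second.activeRequests)
}

func main() {
	fmt.Println("old key serves stale cert:", ServesStaleRequest(OldCacheKey)) // true
	fmt.Println("new key serves stale cert:", ServesStaleRequest(NewCacheKey)) // false
}
```

Sorting the request IDs before joining matters: the same set of requests presented in a different order must map to the same entry, otherwise the cache would silently mint a fresh certificate on every reordering.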
Since the release of `tsh proxy app` we no longer need a
Teleport-aware Drone CLI and can leverage the standard
drone tool from https://docs.drone.io/cli/install/
This PR includes a new Role resource version that is compatible with V5 spec.
The new resource introduces the `kubernetes_resources` definition that allows operators to limit the Kubernetes resources that each member can access. The `kubernetes_resources` entries must follow the following format: `{"kind":"<kind>", "namespace":"<namespace>","name":"<pod>"}`. Currently, it only supports objects of `kind` `pod`. Valid examples of `<namespace>/<name>`:
- `*/*`: matches all pods in all namespaces.
- `default/*`: matches all pods in the `default` namespace.
- `*/nginx-*`: matches every pod prefixed with `nginx-` in every namespace.
For older resource versions - V5, V4, V3 - `kubernetes_resources` is automatically populated with `{"kind":"pod","namespace":"*","name":"*"}` to keep compatibility. For the newest version, it's mandatory to define its value; otherwise access to pods will be denied.
Part of #18434
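The matching and compatibility rules described above, as an added example that is not the project's own implementation: entries are matched per-segment with `*` as a wildcard, older role versions with no entries fall back to the catch-all pod entry, and the newest version denies pods when nothing is configured. The `KubernetesResource` struct, the `PodAllowed` function, the version strings (`v3`..`v5` for the legacy versions, `v6` assumed for the newest) and the sample pod names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path"
)

// KubernetesResource mirrors the entry shape described above:
// {"kind":"<kind>", "namespace":"<namespace>","name":"<pod>"}.
type KubernetesResource struct {
	Kind      string
	Namespace string
	Name      string
}

// legacyRoleVersions are the versions for which kubernetes_resources is
// auto-populated with a catch-all pod entry when left empty.
var legacyRoleVersions = map[string]bool{"v3": true, "v4": true, "v5": true}

// effectiveResources applies the compatibility rule: a legacy role version with
// no kubernetes_resources gets {"kind":"pod","namespace":"*","name":"*"}; the
// newest version (assumed "v6" here) keeps exactly what was configured, so an
// empty list denies every pod.
func effectiveResources(version string, resources []KubernetesResource) []KubernetesResource {
	if len(resources) == 0 && legacyRoleVersions[version] {
		return []KubernetesResource{{Kind: "pod", Namespace: "*", Name: "*"}}
	}
	return resources
}

// matchGlob treats "*" as a wildcard over the whole segment. path.Match is
// sufficient because namespaces and pod names never contain "/", and a
// malformed pattern is treated as a non-match rather than a silent allow.
func matchGlob(pattern, value string) bool {
	ok, err := path.Match(pattern, value)
	return err == nil && ok
}

// PodAllowed reports whether the pod namespace/name is permitted by the role's
// kubernetes_resources under the given role version.
func PodAllowed(version string, resources []KubernetesResource, namespace, name string) bool {
	for _, r := range effectiveResources(version, resources) {
		if r.Kind != "pod" { // only pod is supported at this point
			continue
		}
		if matchGlob(r.Namespace, namespace) && matchGlob(r.Name, name) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a newest-version role scoped to nginx pods in any namespace.
	nginxOnly := []KubernetesResource{{Kind: "pod", Namespace: "*", Name: "nginx-*"}}
	fmt.Println(PodAllowed("v6", nginxOnly, "kube-system", "nginx-ingress-1")) // true
	fmt.Println(PodAllowed("v6", nginxOnly, "default", "redis-0"))             // false
	fmt.Println(PodAllowed("v6", nil, "default", "nginx-0"))                   // false: nothing configured
	fmt.Println(PodAllowed("v5", nil, "default", "anything"))                  // true: legacy catch-all
}
```

The fail-closed choices are deliberate: an unparseable pattern and an unsupported `kind` both fall through to a deny, which is the safe default for an authorization filter.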
This patch performs the (hopefully final) switchover that will make drone
defer to GHA in order to build Teleport on arm64.
This patch:
- Replaces all of the Dronegen code to generate arm64 builds locally with
steps that invoke the GHA builder workflow
- Changes the release tagging behavior in the Makefile to tag `teleport.e`
with the same tag as teleport. This is required for Drone to identify
the revision of the arm64 build workflow to invoke
- Updates the e reference to include a revision of `teleport.e` that
contains the builder workflows
Thanks to everyone involved in getting this working.
The `fileStreamer` continues to write events after the server shuts down and races against the `os.RemoveAll` call during the test cleanup causing the test to fail.
Using `node-sync` recording mode to write the events and session recordings directly to AuthClient solves the issue.
Fixes #19847
* Update etcd backend docs to include recommendations
- Update links to currently maintained docs
- Include link to hardware recs including mentioning storage
Closes #19765
The CHANGELOG includes some links to docs pages that use a full URL,
including the `ver` path segment. These links broke once we changed the
docs engine to recognize the `[0-9]+.x` format for versions, rather than
`[0-9]+.[0-9]+`.
If we were to change these links to use the new version format, though,
they would break once we deprecate that version.
This change turns all of the paths in these links to relative paths to
MDX files. In the CHANGELOG.md file, they will now link to pages on
GitHub. In the docs changelog page, they will link to the current
version of the docs. Users who want to see how the pages looked when we
released the appropriate version can do so by using the version switcher
dropdown.
* Switch golang.org/x/crypto to gravitational fork
* Update golden files
* Add comment to go.mod
* Update api module to use crypto fork.
* Move x/crypto to replaced section in dependabot.yml
Converts usage of `newFixture` to `newFixtureWithoutDiskBasedLogging`
to prevent directory not empty errors caused by `t.TempDir` still
containing upload parts.
Fixes #19826
This creates a more human-readable representation of a role.
Fixes#7549
Signed-off-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: David Heitman <david.heitman@checkr.com>
Consolidates more of the build logic into the build.assets Makefile, transplanted from the workflow file in teleport.e
See comment gravitational/teleport.e#673 (comment)
* Fix listing all nodes in tsh
Usage of channels was flipped: we tried to write to the collecting channel,
but nobody was reading from it, so we blocked forever. Now using simpler
version with mutex for synchronization, and doing it for db listings as
well for consistency.
Enable device authorization by plugging into auth.Authorizer and selectively
disabling it for processes that don't (yet) want device authz.
`GenerateUserCerts` is modified to issue device-aware certificates (DB/k8s
access), as well as `CreateAppSession`. The latter is not necessary for DB
access, but it does enable App Access to issue device-aware certs - commands
such as `tsh apps login` and `tsh proxy app` can benefit from those.
DB access is now ready to benefit from trusted devices. k8s access is likely
supported with these changes as well, but I've postponed enabling it until I've
done more testing.
Both `GenerateUserCerts` and `GenerateUserSingleUseCerts` now do early
device-aware authorization; this creates a better UX, as it allows us to return
error messages directly via `tsh`, instead of having to pipe them through
database-specific protocols. Further PRs could improve errors for scenarios
where the existing certificate became lacking due to higher server-side authz
enforcement.
gravitational/teleport.e#514
An access request watcher has been added to support access requests that
will require downstream reconciliation based on access request approval. This
will be useful for requests that trigger external APIs in other Teleport
services once they've been approved. This will be useful for the upcoming
Okta integration work.