Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
Signed-off-by: Tim Ross <tim.ross@goteleport.com>
Co-authored-by: guoguangwu <guoguangwu@magic-shield.com>
Updates tctl edit and the web ui to use the new UpdateRole RPC
which uses optimistic locking to enforce that concurrent
modifications to a role are not possible.
A few small improvements were also done on the github connector tests
which the role tests were based on.
Contributes to #30416.
* Add headless mode to 'tsh proxy kube'
* Require clusters specified for headless mode
* Use cf.Stdout()
Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
* Remove unneeded check.
This error will be returned from 'c.prepare()'
* Extract logic of running headless proxy into a function
* Add comment about cancel function
* Use []byte instead of strings to avoid unnecessary conversions
* Add information note for the user about shell reexec.
* Modify headless kube proxy info print out.
* Fix protos after rebase.
* Fix mismatched number of returns
---------
Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
* tsh: Add support for host:port combinations to tsh puttyconfig
* docs: Update PuTTY docs to add instructions for adding OpenSSH nodes
* Add OpenSSH example to tsh puttyconfig CLI reference
* Tidying as suggested by tiago
We should not use `[true|false]` syntax when describing fields
in a YAML file, as the square brackets may be interpreted as a
YAML list instead of a scalar boolean value.
These are strings, not objects, so they must be quoted.
Also removed the <Var> component here since it makes it
harder to spot the trailing slash and breaks YAML syntax
highlighting.
Closes #32460
* Remove CodeQL Scanning for release branches
In RFD 114 (PR #32233) we set up mirroring for the Teleport release branches to the `teleport-sec-scan` repos. There are several advantages to moving the CodeQL scanning to these repos:
* It removes the manual process described in `preflight` to update the codeql scanning branch
* It solves the issue of alerts being repeatedly opened and closed as they are found on release branches and only fixed in master, for example: https://github.com/gravitational/teleport/security/code-scanning/560
As such CodeQL has already been configured on these repos and the initial findings triaged: https://github.com/gravitational/teleport-sec-scan-1/blob/master/.github/workflows/codeql-mirror.yml
* codeql: Comment release branch scanning
This adds a check to make sure the resource we are about to delete actually
exists in the resources map and throws an error if not. Right now, if it
doesn't exist then we cause a panic trying to generate a sort key from `nil`.
* Add an Access Request configuration guide
Fixes #22496
Fixes #13927
Fixes #6557
Fixes #31095
Fixes #29980
Fixes #17630
The current approach to documenting Access Requests is to include how-to
guides for various scenarios. The downside of this approach is that we
don't have a great place to put general conceptual discussions of Access
Request configuration fields. This leads to confusion among users
regarding the way Teleport handles certain Access Request configuration
options.
This change adds a conceptual guide that explains all of the fields in a
Teleport role that are relevant to configuring Access Requests.
This change also moves conceptual discussions from other guides into the
new guide. To limit the scope of this change, it is not intended to
overhaul the existing guides. If a discussion of a particular
configuration field was buried in another guide, this change moves it
into the new guide:
- `preview_as_roles` discussion in the Role Requests guide
- TTL information in the Role Requests guide
- The reference role in the Role Requests page
* Respond to zmb3 feedback
- Use clearer wording when describing key concepts.
- Include more detail about the `max_duration` field.
- Use consistent version numbers in example roles.
* Fix linter issues
* Reorganize uri & tests
* uri routing: Use `routing` instead of `this`
`this` used within objects like this loses type information due to implicit
any used by TypeScript there. Instead, we can refer to `routing` (like
other functions already do) and keep type information.
* Add parseConnectMyComputerUri
* Parse and validate deep link in main process
Updates tctl edit and the web ui to start using optimistic locking.
The functionality to support optimistic locking already existed,
the APIs used by both clients were updated to use create/update
instead of upsert so that optimistic locking could be enforced.
Most of the changes introduced are tests to ensure that tctl edit,
tctl create behave as expected.
Note: the web ui changes are included in the e ref update.
Contributes to #30416.
* Add WIP implementation of Teleport email invites
This adds a WIP impl of Teleport email invites. Requires a compatible
Enterprise build and Cloud API.
* Bump e ref and add new validation rule
* Various improvements to enable Cloud email invites
* Add description to UI role resources
* Expose various new react-select options
* Add new FieldSelectCreatable
* Add some typing for validation rules
* Tweak invite button for Cloud to use email UI instead of showing
both buttons
* Partial implementation for onboarding invites
* Add support for Cloud collaborator invites during onboarding
This adds various changes to enable showing the invite collaborators
form during initial user onboarding.
* Adds a `?initial` URL query parameter for the UI to signify the
first user; Cloud will append this to appropriate invite
links.
* Added a new ratelimited public endpoint to return a list of preset
roles. This just exposes static data otherwise available
in Git and that could be obtained from the public Teleport version
shown in ping responses already.
* Update e ref for the invite-collaborators branch
* Honor the `inputId` parameter if set
* bump e ref
* Improve typing for `requiredEmailLike` to add an error category
The `kind` field can allow the UI to group errors together if several
invalid emails are entered.
* bump e ref
* Destructure the InviteCollaborators component sanely
* Set `setDisplayInviteCollaborators` to `null` instead of `false`
* Split `FieldSelectCreatable` into its own file
* Fix lint
* add story for SelectCreatable
* Add tests for `requiredEmailLike`
* Rename `initial` flag to `invite`
Renaming the flag will hopefully clarify the intent.
* Add tests for invite collaborators feedback and users rendering
* Add rendering test for the invite collaborators card
* Clean up lints
* Rename types.tsx -> shared.tsx
* Relocate invite constant to `Welcome/const.ts`
* Split `SelectCreatable` into its own story
* Clarify SelectCreatable story
* Simplify story; fix lint
* Fix type checker failure
* Rename `preset-roles` endpoint to `presetroles` to follow API conventions
* Skeleton out docs refactor (#31017)
* Start outlining index pages
* More reshuffling
* Remove old guides index page
* Adjust sidebar config
* Fix redirect
* Fix crosslinks
* Fix changelog links
* Fix more links
* Add short descriptions for platform guides
* Improve some page descriptions/signposting
* Nicer title
* Outline intro page
* Add notes on common usecases
* Remove old sections from introduction
* Start to outline overview topics
* Roughly expand on overview to cover bot user/bot role
* Clarify usecases
* Attempt to break up further reading section to be intelligible
* SPAG
* Add TODOs
* Machine ID Docs Refactor: Kubernetes Platform Guide + some AWS/GCP (#31796)
* Add config files needed for Kubernetes deployment
* Tidy examples under defined headers
* Add namespace to specs
* Add notes on join methods
* Further details on Kubernetes joining
* Document kubernetes rbac resources
* Skeleton out GCP/Linux platform guides
* Add necessary topics to the background for GCP and Linux
* Try and rewrite the blank role mdx to be less rubbish
I'm pulling my hair out over this lol
* Add a todo so I can come back to this part of the description when I can use words
* Further flesh out the background shape and intro shape for the platform guides
* Add more steps to k8s guide
* Fix links to k8s page
* Explain `kubernetes` join method
* Add documentation to the token yaml
* Add reasoning for role
* Document deployment manifest
* Add notes on determining if the deployment is healthy.
* Add token yaml for aws/gcp from my reference notes
* Add token/bot creation step for aws,gcp,linux
* customizing
* Machine ID Docs Refactor: Add `tctl` and `terraform` access guides (#32036)
* Outline `tctl` access doc
* Flesh out Terraform page with an example
* Fill out the copy for the Terraform provider guide
* Add explanation to configure tbot step of Terraform guide
* Add similar explanatory prose to tctl.mdx
* Add example role for tctl guide
* Try to better explain modifying the existing role
* Fix prerequisites
* Note on configuring permissions
* Fix SPAG
* Appease linter
* Expand intro for Terraform
* Please linter with newlines
* Remove spurious newline
* Clarify install/configure language
* Update docs/pages/machine-id/access-guides/tctl.mdx
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Update docs/pages/machine-id/access-guides/tctl.mdx
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Update docs/pages/machine-id/access-guides/tctl.mdx
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Update docs/pages/machine-id/access-guides/terraform.mdx
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Remove backticks from title
* Make example roles less powerful
* Add example of tctl command to check success
* Correctly say platform guide not access guide
* Be more specific in mentioning `tbot`
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Remove V11 support warnings from platform guides
* Machine ID Docs Refactor: Linux VM based Platform Guides (#32472)
* Add pre-requisites
* Add example systemd service
* Notes on oneshot mode
* Offer daemon or oneshot mode docs
* Hide one-shot mode from `token` join based Linux
* Clarify Linux user for access
* Use variables for the token and explain commands
* Explain creating systemd service
* Explain when to prefer one-shot mode
* Add skeleton for Azure
* Document azure join token fields
* Add intros for guides
* Explain why we protect the directory
* Add install instructions
* Remove step regarding writing token to a separate file
* Move configure outputs to template
* Signify each step as local machine or target host
* Explain gcp/azure join methods
* Explain token and iam join methods
* Remove no longer recommended host certs guide
* Add next step
* Correct list of supported join methods
* Machine ID Docs Refactor: Rewrite GitLab and CircleCI guides (#32834)
* Start reshaping the CircleCI guide
* Make some changes to the GitLab side as well
* Add role creation to GitLab guide
* Add role creation step to CircleCI guide
* Adjust token file name
* Make sure anonymous telemetry advice is included
* Machine ID Docs Refactor: GitHub Actions docs (#32854)
* Start restructuring GHA guides
* Copy in Kubernetes Action example
* Add example DIY workflow
* Adjust examples with replacement steps
* Link off to the action github pages
* Tidy up introduction for GHA guide
* Explain GHA examples better and more searchably
* Improved title
* Add example role modifications
* Machine ID Docs Refactor: Ansible Access Guide (#32741)
* Rework Ansible with Server Access guide
* SPAG and consistency suggested changes
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Clarify intro and use the variable throughout
* suggested fixes
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Clarify configuring bot rbac
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Machine ID Docs Refactor: Application Access (#32745)
* Rework Application Access docs
* Code review suggestions
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Clarify RBAC
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Machine ID Docs Refactor: SSH Access guide (#32735)
* Add prereqs for ssh access guide
* Outline steps and output config
* Add guidance on tsh and OpenSSH
* Guidance on other tools
* Simplify guidance on other tools
* Link to ansible guide
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Reorganise RBAC section
* Fix miscopied sentence
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Machine ID Docs Refactor: Architecture and Introduction (#32901)
* Rewrite getting started guide next steps
* Rewrite introduction to focus on tangible Machine ID benefits
* Overview
* Add todo markers
* Rewrite overview
* Rewrite some of the architecture page
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Rearrange "overview" to act as "concepts"
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Machine ID Docs Refactor: Database Access (#32743)
* Rewrite database access guide
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Clarify that systemd should be used rather than exercise for reader
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Machine ID Docs Refactor: Kubernetes Access (#32744)
* Rewrite Kubernetes access guide
* Code review suggestions
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Explain need for kubectl on both client machine and machine id host
* spag
* Fix `kubernetes_resources` example
* Further clarify `kubernetes_resources`
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Edit the Machine ID docs refactor (#33596)
* Edit the Machine ID docs refactor
- **Rename the new guides:** Use the "Connect a Bot" and "Deploy Machine
ID" language instead of "Access Guides" and "Platform Guides" to
connect these guides more explicitly to the language we use in the
"Concepts" discussion of the Machine ID landing page.
- **Add context to the deployment guide index page**: Reduce repetition
and provide information about each deployment method to help users get
more context about how Machine ID runs and joins a cluster, as well as
to help users choose a deployment guide.
- **Make links more visible on the Machine ID intro page:** Use a video
banner for the Machine ID intro so it takes up less space on the page.
Shorten some sections and add more specific H2s for the links.
- **Streamline some deployment guides:** Where guides include
"Background" and "Guide" H2s, blend the introductory information with
the guide so we can promote the "Step" H2s to H3s and direct the reader
to the step-by-step instructions more quickly.
- **Add new pages to the docs table of contents.**
* Respond to zmb3 feedback
- List cloud platforms before CI/CD platforms on the sidebar
- Recommend using platform-signed identity documents in the deployment
guide intro page.
- Edit language introducing join tokens.
* Respond to strideynet feedback
- Edit wording in the deployment guide index page, including renaming a
section heading and adding language re: renewable certs in the static
token join method.
- Change GitHub Actions link.
- Rename the Access Guides back to "Access Guides"
* Fix spelling
* Appease linter
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
Updates tctl edit and the web ui to start using optimistic locking.
The functionality to support optimistic locking already existed, the
APIs used by both clients were updated to use create/update instead
of upsert so that optimistic locking could be enforced. Most of the
changes introduced are tests to ensure that tctl edit, tctl create
behave as expected.
Note: the web ui changes are included in the e ref update.
Contributes to #30416.
* Configure custom protocol in electron-builder
* Set up listeners for deep links
* Change custom protocol to teleport
* Clarify behavior around window focus
* Up-revs the Okta plugin settings version
Adds a version field to the OktaPlugin settings and updates the associated
protocol files and tests. This is in preparation for adding new behaviour
to the Okta plugin, and will allow Teleport to determine if a plugin
installation was created by the current version of Teleport (and should
get the new behaviour), or an old version (which will get no surprising
behavioural changes).
changing the behaviour of the Okta plugin depending on
whether the plugin is created from a current or old version of Teleport.
* revert structure up-rev
* Fix spelling
* Revert to simple flag
* Test tidyup
* Update api/types/plugin_test.go
Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
---------
Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
Closes #32519
Inline the `commercial-prereqs-tabs.mdx` partial within the
Prerequisites section and modify the language to clarify that this
plugin only supports Teleport Enterprise Cloud.