* Add agentless installer
* Resolve comments
* Resolve comments
* Use GetCertAuthorities locally
* Try to get IMDS hostname
* Try get imds hostname first
This seems to be how its implemented for non-agentless nodes
* Use FIPS cipher suites
* use the openssh ca, resolve comments
* write keys to /etc/teleport/agentless by default
* Resolve comment
* lints
* test fixes
* Add integration test for daemon.Service.AddCluster
* Call SaveProfile on clusterClient rather than cfg
This way we don't have to explicitly set ClientStore as
client.NewClient(cfg) does that for us.
* Includes in commericial pre-req to have a enterprise account. Uses includes on how to get a license file.
* Showed how to use the arm version. Removed comment that only x86_64 are provided.
* includes amd64, arm and arm64 include descriptions
* Updates to GCp to show enterprise installation.
The change from kube_service to kube_server in v11
lead to breaking backwards compatibility for v10 agents
connecting to a v11 teleport cluster when proxy peering
is enabled.
The issue was in converting from a kube_service to kube_server
the proxy ids the kube agent is connected to was never copied.
This leads to kube agents being reachable through the proxy
they are connected to but not through peer proxies.
This PR implements a `kubectl` wrapper inside `tsh` that creates resource access requests, waits for their approval and retries the command when it detects that access to a pod was denied due to missing role or Kubernetes RBAC principals permissions.
Part of #18434
Updates #19573
* Move tsconfig.json to root dir
At the moment, it looks like the TS language server has problems with
recognizing imports when editing files inside e/web.
I figured this is probably because tsconfig.json is in web, so the lang
server doesn't recognize it when editing files from e/web.
* Remove web/Dockerfile and web/Makefile
* Misc updates to readme
* Fix links in readme
Increases deadline until the agent receives the first byte to 10s.
It's required to accommodate setups with high latency and where the time
between the TCP being accepted and the time for the first byte is longer
than the default value - 1s.
Fixes#20442
Add device-specific verbs to RoleAdmin, which are not included in the default
`RW()` set. Fixes issues while using `tctl devices add --enroll` and
`tctl devices enroll`.
#514
The new app access authentication workflow inadvertently preserves the URL
encoded values present in the AWS role ARN, which are then passed directly
to the webapi/sessions endpoint. As a result, Teleport RBAC doesn't properly
match AWS role ARNs, as they contain (in particular) `/` characters encoded as
`%2F`.
We were returning a trace.BadParameter, however we should return
trace.IsNotFound.
The godoc suggests that error.
The tests suggests that error, but they were only matching for type
which is the same for all the trace.XYZ errors.
Tests are now using the `trace.Is<Error>` helper method to correctly
validate the error message.
The side effect of this change is that we were receiving a lot of logs
when interpolating traits in a role.
That log is supressed when the error is NotFound.
That was not the case before this commit: the error was a BadParameter
one, so the log is written (as debug, but still a lot of noise).
Co-authored-by: Vitor Enes <vitor.duarte@goteleport.com>
i.Web is also used as tconf.Proxy.WebAddr.Addr a couple of lines below.
When pinging the proxy, TeleportClient takes the response and updates a
couple of values based on that response. If proxySettings.SSH.PublicAddr
is not empty, it tries to parse the address and then set it as
tc.WebProxyAddr. [1]
If it cannot parse the port number, it uses the default (3080).
What is getting returned as `proxySettings.SSH.PublicAddr`? That's determined
by setProxyPublicAddressesSettings in lib/service/proxy_settings.go. [2]
It uses the first element from Proxy.PublicAddrs.
Now, the integration test helpers set up the Teleport instance in such
way that the first Proxy.PublicAddrs is set to i.Hostname which resolves
to just "localhost" in tests. So if any test pings the proxy first and then
tries to make another request with the same TeleportClient, the subsequent
request will try to reach out to localhost:3080. This happened to me when
trying to add a new test. [3]
This PR fixes this by making sure that the first element of Proxy.PublicAddrs
actually points at the address of the web UI.
See also the message from Marek about backwards compatibility of
SSHProxyHostPort. [4] [5]
[1] 885d7397ab/lib/client/api.go (L3666-L3673)
[2] 806a568ada/lib/service/proxy_settings.go (L112)
[3] https://github.com/gravitational/teleport/pull/20263
[4] https://gravitational.slack.com/archives/C0DF0TPMY/p1673895327794379?thread_ts=1673891288.249809&cid=C0DF0TPMY
[5] db7fdff809/api/client/webclient/webclient.go (L490)
Since #16964, `tsh login` defaults to passwordless if it finds suitable platform
credentials - it is safer and more convenient than other authentication methods.
Unfortunately, it is a bit too eager in doing that.
This change adds the following prerequisites for the switch, in addition to
existing conditions:
1. `--auth` must not be specified
2. `--mfa-mode` must be either `auto` or `platform`
(1) avoids defaulting when `--auth=local` is present, as well as for other
custom/future values. (If `--auth=passwordless` is passed, we'll do passwordless
anyway.)
(2) includes both an explicit platform attachment test (which is a bit more
conservative in face of changes), as well as checking for `--mfa-mode=otp`.
#20429 and #20322
Introduces `limiter.Listener` to provide a consistent and reusable
mechanism for limiting incoming connections per client. The new
listener is used by `sshutils/server.go` instead of manually applying
limits in `HandleConnection`.
This is particularly important now that the Proxy SSH port multiplexes
both SSH and gRPC. Each listener is now wrapped in a `limiter.Listener`
that uses the same `limiter.ConnectionsListener` to ensure that the
connection limits for the Proxy are enforced for all traffic on the
port.
