This commit optimizes `PostJSONWithFallback` by not requiring it to
parse the endpoint (to determine if the host is loopback) if HTTP
fallback is not allowed in the first place.
This PR disables the update of kubeconfig when `tsh login` does not have the `--kube-cluster` flag.
The new behavior will update the kubeconfig only if the user provided a non-empty value in `--kube-cluster`.
This PR also introduces a mechanism to restore the current context on `tsh logout`. On `tsh login --kube-cluster=<cluster>` or `tsh kube login <cluster>`, Teleport updates the selected context - if it's not from Teleport - to add an extension whose key is: `selected_context`. Once `tsh logout` is called and the active context was a Teleport cluster, we restore the current context to the cluster that has the `selected_context` key in extensions.
Fixes #9718
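The `selected_context` round trip described above, as an added illustration rather than code from the Teleport repository. It models a kubeconfig as a small JSON-backed struct instead of using client-go's `clientcmd`, and the way a Teleport-written context is recognised (`isTeleportContext`, a proxy-hostname prefix) and the value stored under the extension key are assumptions; only the key's presence drives the restore.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Minimal kubeconfig model, constructed for this example. A real kubeconfig is
// YAML and would be handled with client-go's clientcmd; JSON is used here only
// to keep the example dependency-free.
type kubeconfig struct {
	CurrentContext string                   `json:"current-context"`
	Contexts       map[string]*contextEntry `json:"contexts"`
}

type contextEntry struct {
	Cluster    string            `json:"cluster"`
	Extensions map[string]string `json:"extensions,omitempty"`
}

// selectedContextKey is the extension key named in the commit message. The
// value stored under it is an assumption; only the key's presence matters.
const selectedContextKey = "selected_context"

// isTeleportContext is a hypothetical check: contexts written by tsh are
// assumed to carry the proxy hostname as a prefix.
func isTeleportContext(name, teleportPrefix string) bool {
	return strings.HasPrefix(name, teleportPrefix)
}

// kubeLogin mirrors `tsh kube login <cluster>`: if the context that is current
// right now was not written by Teleport, tag it with selected_context so that
// logout can switch back to it, then make the Teleport context current.
func kubeLogin(cfg *kubeconfig, teleportPrefix, clusterCtx string) error {
	if _, ok := cfg.Contexts[clusterCtx]; !ok {
		return fmt.Errorf("kubeconfig has no context %q", clusterCtx)
	}
	if prev, ok := cfg.Contexts[cfg.CurrentContext]; ok && !isTeleportContext(cfg.CurrentContext, teleportPrefix) {
		if prev.Extensions == nil {
			prev.Extensions = map[string]string{}
		}
		prev.Extensions[selectedContextKey] = "true"
	}
	cfg.CurrentContext = clusterCtx
	return nil
}

// kubeLogout mirrors the restore step of `tsh logout`: only when the active
// context is a Teleport one, move current-context back to the context carrying
// selected_context and drop the marker. Returns the restored context name, or
// "" if nothing was restored (no marker, or the active context is not Teleport's).
func kubeLogout(cfg *kubeconfig, teleportPrefix string) string {
	if !isTeleportContext(cfg.CurrentContext, teleportPrefix) {
		return ""
	}
	names := make([]string, 0, len(cfg.Contexts))
	for name := range cfg.Contexts {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic choice if several contexts carry the marker
	for _, name := range names {
		ctx := cfg.Contexts[name]
		if _, marked := ctx.Extensions[selectedContextKey]; !marked {
			continue
		}
		delete(ctx.Extensions, selectedContextKey)
		cfg.CurrentContext = name
		return name
	}
	return ""
}

func main() {
	// Constructed sample: one local context plus one written by tsh.
	raw := `{"current-context":"minikube","contexts":{"minikube":{"cluster":"minikube"},"teleport.example.com-dev":{"cluster":"teleport.example.com-dev"}}}`
	var cfg kubeconfig
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		panic(err)
	}
	_ = kubeLogin(&cfg, "teleport.example.com", "teleport.example.com-dev")
	fmt.Println("after login: ", cfg.CurrentContext)
	restored := kubeLogout(&cfg, "teleport.example.com")
	fmt.Println("after logout:", cfg.CurrentContext, "(restored:", restored+")")
}
```

Two edge cases are worth checking in practice: logging in to a second Teleport cluster while a Teleport context is already active must not tag that context (otherwise logout would "restore" to another Teleport cluster that is being removed), and logout while a user-owned context is active must leave the kubeconfig alone.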
Improve UserMetadata audit logging by using `tlsca.Identity.GetUserMetadata()`
more consistently in audit logs.
There are still a handful of logs that don't include the data above for lack of
context (in the general sense and in the Go context sense), but many more
entries now call back to identity in some way.
Related to gravitational/teleport.e#514.
Add the DeviceTrustMode field to RoleOptions, so it lands in RoleSpecV6.
The field is not yet used, but it's added now in preparation for the
corresponding feature.
gravitational/teleport.e#514
This commit refactors the `teleport-cluster` Helm chart to deploy separately proxy and auth pods.
It allows users to pass raw teleport configuration to the deployed Teleport nodes.
Finally, it removes the `custom` chart mode as the mode was broken by the split. A new `scratch` mode has been introduced.
See [the corresponding RFD](https://github.com/gravitational/teleport/pull/18274) describing the design.
* Stabilize RemoteConnCleanup
Alters `RemoteConnCleanup` to rely less on `BlockUntil` by artificially
adjusting the last heartbeat manually in the test. Additionally, the
tests in `localsite_test` no longer call `native.PreComputeKey` by
injecting an uninitialized `certificateCache` into the localsite
constructor since it is not used for the tests. The logger is now
also initialized for all tests within the `reversetunnel` package.
Closes #19827
Before this commit, the `tsh` HTTP requests that had the extra headers
were those that did not use `roundtrip`.
This commit leverages `http.RoundTripper.RoundTrip` to ensure that all
requests have the extra headers.
Currently, there is no way to cancel Wait() in the reverse tunnel. This behavior has been exposed by TestTokens test, which caused the tests to timeout.
This change fixes the test and avoids potential server deadlock on close. I'll analyze in parallel what is the root cause of the reverse tunnel hanging on Wait(), but we should have the option to cancel wait anyway.
Part of https://github.com/gravitational/teleport/pull/18274
This commit introduces a new hidden `wait` CLI subcommand:
- `teleport wait no-resolve <domain-name>` resolves a domain name and exits only when no IPs are resolved. This CLI command should be used in the Helm chart, as an init-container, to block proxies from rolling out until all auth pods have been successfully rolled-out.
- `teleport wait duration 30s` has the same behaviour as `sleep 30`. Due to image hardening we won't have `sleep` available, but waiting 30 seconds in a preStop hook is required to ensure a 100% seamless pod rollout on kube-proxy-based clusters.
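Both waits described above, written out as an added example (not the `teleport wait` implementation itself). The resolver is injected through a `lookupFunc` so the loop can run offline; in production the obvious value is `net.DefaultResolver.LookupHost`. The poll interval and the decision to keep polling on transient resolver errors are this example's choices, not something the commit message specifies.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// lookupFunc abstracts DNS resolution so the polling loop can be exercised
// without a resolver; production code passes net.DefaultResolver.LookupHost.
type lookupFunc func(ctx context.Context, host string) ([]string, error)

// waitNoResolve polls until domain resolves to no addresses and then returns
// the number of lookups performed. NXDOMAIN counts as "no IPs". Any other
// error (timeout, SERVFAIL, network down) is treated as transient and polling
// continues: an init container that gave up on a flaky resolver would release
// the proxy rollout before the old auth pods are actually gone.
func waitNoResolve(ctx context.Context, lookup lookupFunc, domain string, interval time.Duration) (int, error) {
	attempts := 0
	for {
		attempts++
		addrs, err := lookup(ctx, domain)
		var dnsErr *net.DNSError
		if (err == nil && len(addrs) == 0) || (errors.As(err, &dnsErr) && dnsErr.IsNotFound) {
			return attempts, nil
		}
		select {
		case <-ctx.Done():
			return attempts, ctx.Err()
		case <-time.After(interval):
		}
	}
}

// waitDuration is the `sleep` replacement: it returns nil after d, or the
// context error if the pod is torn down first.
func waitDuration(ctx context.Context, d time.Duration) error {
	select {
	case <-ctx.Done():
		return ctx.Err()
	case <-time.After(d):
		return nil
	}
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: wait no-resolve <domain> | wait duration <duration>")
		os.Exit(2)
	}
	ctx := context.Background()
	var err error
	switch os.Args[1] {
	case "no-resolve":
		_, err = waitNoResolve(ctx, net.DefaultResolver.LookupHost, os.Args[2], time.Second)
	case "duration":
		var d time.Duration
		if d, err = time.ParseDuration(os.Args[2]); err == nil {
			err = waitDuration(ctx, d)
		}
	default:
		err = fmt.Errorf("unknown subcommand %q", os.Args[1])
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

When this runs as an init container, the exit code is what gates the rollout, so a non-zero exit on context cancellation is deliberate: a pod that is being torn down mid-wait should not report success.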
This commit adds a certificate reloader that periodically reloads proxy
certificates.
Implementation was intentionally kept as simple as possible:
- periodically go through all key pairs and try to load them again
- if any key pair fails to load, then no certificate is updated
- no retry mechanism
- `inotify` is not used
The interval between reloads is configurable by setting
`https_keypairs_reload_interval` to some duration. If not set, or if set
to `0`, then certificates are not reloaded periodically. Thus, this
feature is opt-in and the current behaviour is maintained.
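An added example of a reloader with exactly the properties listed above (all-or-nothing swap, no retry, no `inotify`, interval `0` means off). This is illustrative code, not the Teleport implementation: the `keyPair`/`certReloader` types, the injectable `loadFunc` (which exists only so the all-or-nothing rule can be tested without files on disk; production uses `tls.LoadX509KeyPair`), the `onError` callback and the `parseReloadInterval` helper are all assumptions of this example.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"sync"
	"time"
)

// keyPair is one entry of the proxy's https_keypairs list (paths below are
// placeholders chosen for this example).
type keyPair struct {
	CertFile string
	KeyFile  string
}

// loadFunc is tls.LoadX509KeyPair in production; tests substitute a fake so
// the all-or-nothing rule can be checked without files on disk.
type loadFunc func(certFile, keyFile string) (tls.Certificate, error)

type certReloader struct {
	pairs    []keyPair
	load     loadFunc
	interval time.Duration

	mu    sync.RWMutex
	certs []tls.Certificate
}

// parseReloadInterval maps the https_keypairs_reload_interval setting to a
// duration. Unset or "0" yields 0, which means "never reload".
func parseReloadInterval(value string) (time.Duration, error) {
	if value == "" || value == "0" {
		return 0, nil
	}
	d, err := time.ParseDuration(value)
	if err != nil {
		return 0, fmt.Errorf("https_keypairs_reload_interval: %w", err)
	}
	if d < 0 {
		return 0, fmt.Errorf("https_keypairs_reload_interval must not be negative: %s", value)
	}
	return d, nil
}

func newCertReloader(pairs []keyPair, interval time.Duration, load loadFunc) (*certReloader, error) {
	if load == nil {
		load = tls.LoadX509KeyPair
	}
	r := &certReloader{pairs: pairs, load: load, interval: interval}
	if err := r.reload(); err != nil {
		return nil, err // the initial load is the one case where failure is fatal
	}
	return r, nil
}

// reload re-reads every key pair and swaps the live set only if all of them
// load. A single broken pair (half-written file, mismatched key) therefore
// leaves the previous, working certificates in place until the next tick.
func (r *certReloader) reload() error {
	fresh := make([]tls.Certificate, 0, len(r.pairs))
	for _, p := range r.pairs {
		cert, err := r.load(p.CertFile, p.KeyFile)
		if err != nil {
			return fmt.Errorf("keypair %s: %w; keeping previously loaded certificates", p.CertFile, err)
		}
		fresh = append(fresh, cert)
	}
	r.mu.Lock()
	r.certs = fresh
	r.mu.Unlock()
	return nil
}

// Certificates returns the currently live set.
func (r *certReloader) Certificates() []tls.Certificate {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.certs
}

// Run reloads on every tick until ctx is done. Interval 0 disables the
// feature entirely, matching the opt-in behaviour of the setting.
func (r *certReloader) Run(ctx context.Context, onError func(error)) {
	if r.interval <= 0 {
		return
	}
	ticker := time.NewTicker(r.interval)
	defer ticker.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
			if err := r.reload(); err != nil && onError != nil {
				onError(err) // no retry: the next tick simply tries again
			}
		}
	}
}

// TLSConfig wires the reloader into a server config: every handshake gets the
// certificate set that is live at that moment, selected by SNI as usual.
func (r *certReloader) TLSConfig(base *tls.Config) *tls.Config {
	cfg := base.Clone()
	cfg.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
		c := cfg.Clone()
		c.GetConfigForClient = nil
		c.Certificates = r.Certificates()
		return c, nil
	}
	return cfg
}

func main() {
	interval, err := parseReloadInterval("30s")
	if err != nil {
		panic(err)
	}
	r, err := newCertReloader([]keyPair{{"/etc/teleport/proxy.crt", "/etc/teleport/proxy.key"}}, interval, nil)
	if err != nil {
		fmt.Println("initial load failed:", err)
		return
	}
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	go r.Run(ctx, func(err error) { fmt.Println("reload:", err) })
	_ = r.TLSConfig(&tls.Config{MinVersion: tls.VersionTLS12})
}
```

The all-or-nothing rule is the security-relevant part: renewal tooling typically writes the certificate and key as two separate files, so a tick that lands between the two writes would otherwise install a certificate whose key does not match, or half of a multi-domain set.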
The "test bundling" introduced in TestAppAccess() made TestAppInvalidateAppSessionsOnLogout test very unstable as other tests are modifying the state of the whole suite.
Removing the test from the bundle seems to fix it.
AttemptDeviceLogin, which is the main entry point for device authentication, now
checks the Ping response and skips the attempt entirely if device trust is
disabled.
The main objective is to avoid a needless roundtrip if the feature is disabled,
as one should only pay for what is in use.
There's actually little consequence in attempting the roundtrip, apart from the
added latency on logins, so I've gone with a negative flag ("Disabled" instead
of "Enabled"). The negative is less harmful if, for some reason, it's wrongly
absent (say, because of some future Ping code branch).
gravitational/teleport.e#514
Previously we were looking up a user's SID by their ldap "name" attribute,
which is their modifiable display name. This commit has us looking them
up by their SAM Account Name, which is their unmodifiable username.
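The before/after lookup filters, as an added example rather than the Windows desktop service's own LDAP code. The filter shapes, the `objectCategory=person` clause and the sAMAccountName validation rule are this example's choices; what the page supports is only the switch from the `name` attribute to `sAMAccountName`. The escaping follows RFC 4515 so that a value taken from a login name cannot change the filter's structure, which matters as soon as the key attribute is user-supplied.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes an assertion value for an LDAP search filter as
// RFC 4515 requires: '(' ')' '*' '\' and NUL become backslash-hex sequences.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '(', ')', '*', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// validSAMAccountName applies Active Directory's constraints on the logon
// name: at most 20 characters for user accounts and none of the characters
// " / \ [ ] : ; | = , + * ? < >. Rejecting bad input early gives a clearer
// error than an empty search result.
func validSAMAccountName(name string) bool {
	return name != "" && len(name) <= 20 && !strings.ContainsAny(name, `"/\[]:;|=,+*?<>`)
}

// sidFilterBySAMAccountName is the post-change lookup: the key is the logon
// name the user actually authenticates with. Parentheses are legal in a
// sAMAccountName, so escaping is still required after validation.
func sidFilterBySAMAccountName(username string) (string, error) {
	if !validSAMAccountName(username) {
		return "", fmt.Errorf("invalid sAMAccountName %q", username)
	}
	return fmt.Sprintf("(&(objectClass=user)(objectCategory=person)(sAMAccountName=%s))",
		escapeFilterValue(username)), nil
}

// sidFilterByName is the pre-change lookup, kept for comparison: "name" can be
// changed by an administrator, so the same account may stop matching, or a
// different account may start matching, without the user's logon name changing.
func sidFilterByName(displayName string) string {
	return fmt.Sprintf("(&(objectClass=user)(objectCategory=person)(name=%s))",
		escapeFilterValue(displayName))
}

func main() {
	// Constructed inputs; request the objectSid attribute with either filter.
	f, err := sidFilterBySAMAccountName("alice")
	fmt.Println(f, err)
	fmt.Println(sidFilterByName("Alice Smith"))
	_, err = sidFilterBySAMAccountName("alice*")
	fmt.Println("wildcard rejected:", err != nil)
}
```

Note the trust difference, not just the attribute name: a display-name lookup lets whoever can rename objects in the directory decide which SID a login resolves to, while the logon name is what the account is provisioned and audited under.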