Shellcheck is a linter for shell scripts. Since we have quite a few of
those for release packaging and examples, we'll benefit from an extra
set of (robot) eyes.
Note: I disabled https://github.com/koalaman/shellcheck/wiki/Sc2086 to
make this PR smaller. That specific check is for the most frequent
mistake in our scripts - not quoting env var expansions. I'll do a
separate PR cleaning those up.
`build.assets/pkg` is no longer used and was removed.
The prefix fetching logic has a bug: it treats everything starting with
`/teleport` as the legacy prefix data, even if it's `/teleport-foo/bar`.
This is an issue if user specifies `/teleport-foo` as their custom
prefix. Each restart will copy the data from `/teleport-foo/...` to
`/teleport-foo-foo/...`.
Set the legacy prefix const to `/teleport/` instead. This avoids
excessive copying during startup.
Prefixes can still be confused later on, with `Watch` and `GetRange`,
but this is harder to migrate with backwards-compatibility.
This script is similar to `examples/gke-auth/get-kubeconfig.sh` but
should work for any k8s setup.
It uses a service account bearer token for authentication instead of TLS
key/cert. These tokens shouldn't expire and are more appropriate for
automation. It also fetches the CA cert from the service account secret,
which is more reliable than assuming a `kube-dns` pod exists in the
cluster.
In addition, this script sets up the needed k8s RBAC objects for
impersonation, saving the user a few extra steps.
Prefix-handling code was using a hardcoded prefix (`/teleport`) instead
of the prefix specified in config. Use the correct config prefix and add
a test.
Our auth middleware already attaches a TLS identity as context value.
Plumb contexts through and extract the username when recording events.
If the received context doesn't have an identity attached, use "system"
as username.
Lots of noise here due to missing context.Context plumbing :(
We should eventually plumb contexts to all those RPC interfaces.
Updates #3816
* Base fork for 4.3 docs
* [docs] external email identities and Kube Users (#3628)
* Base fork for 4.3 docs
* [docs] external email identities and Kube Users (#3628)
* Remove trailing whitespace from docs files
Some editors will do this automatically on save. This causes a lot of
diffs when editing the docs in such an editor.
Clean them up once now and we'll try to keep it tidy going forward.
* Add make rules for docs whitespace and milv
docs-test-whitespace: checks for trailing whitespace in all .md files
under docs/.
docs-fix-whitespace: removes trailing whitespace in all .md files under
docs/.
docs-test-links: runs milv in all docs/ subdirectories that have
milv.config.yaml.
docs-test: runs whitespace and links tests, used during `make docs`
* Document the new `--use-local-ssh-agent` flag for tsh
The flag is used to bypass the local SSH agent even when it's running.
Specifically, this helps with agents that don't support certs.
The flag was added in #3721
* Remove pam_script.so docs from SSH PAM page
With #3725 we now populate teleport-specific env vars in a way that's
accessible to `pam_exec.so`. There's no longer any reason to install
pam_script.so separately and duplicate our docs.
Updates #3692
* Using the correct --insecure-no-tls flag
* Run docs-fix-whitespace make rule in a busybox container
* Fixes#3414
Co-authored-by: Andrew Lytvynov <andrew@gravitational.com>
Co-authored-by: Gus Luxton <gus@gravitational.com>
Co-authored-by: Steven Martin <steven@gravitational.com>
Co-authored-by: Gus Luxton <webvictim@gmail.com>
* Teleport helm upgrade command update
The --name in the helm upgrade example was not a valid parameter. Also put in comments that ca.pem is not required. It is off by default.
* Modified comments based on feedback
* Add image types, AMI IDs, extend AuthASG timeout
Added options for m4.large and m5.large. Added AMI IDs for all regions. Extended the timeout on the Auth ASG from 20 minutes to 30 minutes.
* Update ent.yaml
Co-authored-by: Ben Arent <ben@gravitational.com>
Co-authored-by: Gus Luxton <gus@gravitational.com>