* Update all connector YAML configs
* User <cluster-url> as standard
* Leverage markdown_include.include
* Include screenshots for Buttons based on Display.
The defaults file is a common location to define service specific
environment variables. Defining the variables is still up to the
admin, but like this at least the service file doesn't need to be
modified anymore.
* Expose diagnostic endpoint and add liveness/ready checks to pods to enable automatic restart if Teleport shuts down
* Force add OIDC connector to suppress error message when container restarts, also add missing echo to errors
* Force adding of trusted cluster on restart
Update mirror mode (for both the memory and SQLite backends) to no
longer emit events when an element expires. This allows caches to handle
update/delete logic themselves.
This fixes an issue where services.ProxyWatcher was not getting updates
to the list of proxies.
* Add resest for buffers to close watchers
and reset buffer the state.
* Add reconnect logic to DynamoDB
* Add tests for cache watchers, make sure
the errors of the cache internal watcher propagate to
external watchers.
* Create wildcard DNS record for the main cluster as well as single A record so we can use Kubernetes forwarding to remote clusters via proxy properly
* Automatically delete created Cloudflare DNS records via pre-delete hook when the chart is deleted to keep the zone tidy
* Don't explicitly print Cloudflare API credentials in debug mode (they're logged along with the curl commands anyway)
* Add a function to handle Cloudflare API calls rather than copy/pasting code
* Initial commit with split Helm chart for proxy/auth and node elements
* Many, many changes to add all required features
* Remove cert-manager and nginx-ingress
* Update TTL
* Add build-essential and python-dev to cloudflare-agent Docker build and set exit on error
* Add --force-upgrade flag to Tiller for potentially different Helm versions
* Enable Letsencrypt by default
* Overhaul naming to allow better multi-tenancy on k8s clusters
* Add NOTES.txt to provide cluster usage instructions
* Make the use of trusted clusters entirely optional
* Actually make the use of trusted clusters entirely optional this time
* Update .gitignore
* Update whitespace formatting in NOTES.txt
* Enable Letsencrypt by default
* Move secrets to git submodule
* Fix README typo and add secrets to .gitignore
* Update documentation
* Add some extra details to NOTES.txt
* Address PR comments plus update all references to Teleport 3.1.4 -> 3.1.7
* Make Cloudflare TTL optional (use Cloudflare's auto value when it's not provided)
* - Explicitly add admin role to clusters with use of kubernetes_groups
- Fix use of claims_to_roles so it can be specified in values.yaml
- Improve Minikube/NodePort support
- Replace use of containerPort with service port for LoadBalancer objects
* Update secrets in submodule to use Kubernetes-enabled license
* Add admin role script to containers
* Ignore all secrets files
* Update k8s RBAC to fix proxy functionality, also create 'clusteradmin' and 'admin' roles in Teleport to split permissions
* Update default version to 3.1.8
* Add k8s cluster roles and bindings to allow use of CSR APIs and limited permission scope
* Restrict admin role from seeing/updating auth_connectors
* Fix whitespace and naming bug
* Change from using k8s CSR API to impersonation API
* Update from kubectl 1.12.4 -> 1.12.5 for security fix
* Updated build scripts to use Docker cache properly, also using version tags for all containers now to keep things tidier
* Use docker build --pull rather than manual pull, also remove unused TELEPORT_VERSION arguments
This commit switches Teleport proxy to use impersonation
API instead of the CSR API.
This allows Teleport to work on EKS clusters, GKE and all
other CNCF compabitble clusters.
This commit updates helm chart RBAC as well.
It introduces extra configuration flag to proxy_service
configuration parameter:
```yaml
proxy_service:
# kubeconfig_file is used for scenarios
# when Teleport Proxy is deployed outside
# of the kubernetes cluster
kubeconfig_file: /path/to/kube/config
```
It deprecates similar flag in auth_service:
```yaml
auth_service:
# DEPRECATED. THIS FLAG IS IGNORED
kubeconfig_file: /path/to/kube/config
```
* Change cluster validation method from using CA cert stored in SSM to CA pin hash stored in SSM - also fixes issues with proxy/node being unable to join the cluster if the cluster name is reused. Split builds into local 'debug' versions and separate production/marketplace versions with different names
* Fixes for Terraform documentation and license
* Update Makefile and README
* Makefile formatting fixes
* Add build timestamps back into Jenkins
* Add BuildTimestamp into user tags
* Add region to modify-image-attribute command
* Add owner ID into list command
* Add single AMI build/setup
* Add ACM support to Terraform and Letsencrypt support to single AMI
* Finish Letsencrypt support for Single AMI, also add ACM to Single AMI and tidy up Terraform versioning
* Fix Letsencrypt cert acquistion, reduce startup timers from 5 minutes to 3 minutes, tweaks for ACM/non-ACM in Terraform
* Remove AWS-based license from Enterprise AMI to convert to BYOL
* Tidy up - move Cloudformation into a separate subdirectory and remove old Terraform code
* Updated TIG stack to latest versions and tested
* Tidy up CloudFormation builds and improve instructions
* Fix VPC variable name