* Fix Helm chart Join token secret creation
Since #20763 was merged, we lost the ability of the chart to reuse
externally created secrets for the join token.
This PR changes the logic and allows controlling the secret creation
using the `joinTokenSecret.create` boolean and the secret name with
`joinTokenSecret.name`.
Fixes #20763
* Add changelog
* docs: make consistent helm configuration and instructions
* Language updates and identity file fix
* fix identity file refs
* label as Teleport Enterprise Cloud, not Teleport Cloud
* helm: mount token through projected volumes when available
Mounting ServiceAccount tokens through projected volumes instead of the
regular automount allows reducing the token TTL from 1 year to 1 hour
when the `BoundServiceAccountTokenVolume` feature gate is on.
This helps mitigate the impact of token exfiltration (even though the
token valid for 1 year still got revoked on pod termination).
Kubernetes running version 1.20 and above must
support `TokenRequest/TokenRequestProjection` (GA in 1.20). This is the
capability required to mount tokens through projected volumes. While EKS
and GKE might have supported this earlier, kubeadm, kubespray, minikube
and AKS only turned the flag on in 1.20.
Kubernetes running version 1.22 and above must support
`BoundServiceAccountTokenVolume` (beta in 1.21, GA in 1.22). This is the
capability required to issue short-lived and pod-bound tokens.
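As an added illustration of the mitigation that commit describes (not a template from the Teleport charts), this pod spec turns off the legacy automount and instead mounts a projected ServiceAccount token that expires after one hour; the pod, ServiceAccount and image names are placeholders:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-agent            # placeholder, not a Teleport resource
spec:
  serviceAccountName: example-agent
  # With automount on, the kubelet mounts the long-lived (1 year) token
  # stored in the ServiceAccount secret; disable it and mount our own.
  automountServiceAccountToken: false
  containers:
    - name: agent
      image: example/agent:latest  # placeholder image
      volumeMounts:
        - name: kube-api-access
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          readOnly: true
  volumes:
    - name: kube-api-access
      projected:
        sources:
          # TokenRequestProjection: the kubelet requests a token via the
          # TokenRequest API and refreshes it before it expires. With
          # BoundServiceAccountTokenVolume on, the token is also bound to
          # this pod and stops validating once the pod is gone.
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600
          # CA bundle and namespace, so client libraries that expect the
          # default mount layout keep working.
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    fieldPath: metadata.namespace
```

The API server rejects `expirationSeconds` below 600, and a stolen token from this mount is only useful until the next rotation or the pod's deletion, whichever comes first.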
* helm: mount auth token through projected volumes when available
* fix-templates
* Reworked AWS launch_configuration to launch_templates
* fixup! Reworked AWS launch_configuration to launch_templates
---------
Co-authored-by: Filip Van Houtryve <filip.van.houtryve@sentia.com>
* Added SSL Certificate install
* Update examples/teleport-usage/Dockerfile
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
* Update examples/teleport-usage/Dockerfile
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
---------
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
* helm: add updater support to `teleport-kube-agent`
* fixup! helm: add updater support to `teleport-kube-agent`
* Apply suggestions from code review
Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* address review feedback
* Fix rebase?
* Fix linter
---------
Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
In case of a previously failed deployment this will allow users to
directly attempt another chart release without having to delete the
jobs. This behaviour is less awkward but might hide previous failures.
We can legitimately expect users to monitor their own failures though.
This PR introduces a Kubernetes benchmark tool that allows us to test the Kubernetes access flow using a similar approach used for ssh.
This PR renames the default SSH benchmark to `tsh bench ssh` while Kube benchmarks are available using `tsh bench kube`.
Closes #23763
* helm: Add support for imagePullSecrets to teleport-cluster chart
This was added to the teleport-kube-agent chart in #6941 but for some reason we never added it to teleport-cluster. This PR rectifies that.
* Add imagePullSecrets to teleport-cluster chart reference
* Add a guide to creating Teleport roles via the API
See #19716
This guide uses a small demo application to show how to create Teleport
roles based on an external RBAC system. The demo revolves around a local
`minikube` cluster. I chose this approach because Teleport works well
with Kubernetes RBAC, and Kubernetes RBAC resources are pretty
straightforward to set up locally.
* Based the guide on a program in the examples dir
* Respond to zmb3 PR feedback
* Run make fix-license
* Respond to PR feedback
* Respond to alexfornuto feedback
* Add a guide to using the API for auto-discovery
See #19716
Adding resources is a popular use of Teleport's API, so I have added a
guide to using the API for syncing resources to a service discovery API
using an example of a local Docker setup.
* Respond to zmb3 feedback
* Use the examples directory for the code
This way, users can have a compilable example before they start working
through the guide.
* Respond to alexfornuto feedback
* Respond to PR feedback
* Run make fix-license
* Edit cluster joining info in Access Request docs
See #21305
Edit Access Request plugin guides to remove the options to connect to
the Auth Service directly. This simplifies the guides and helps us
standardize the docs around connecting services via the Proxy Service.
Also make the Jira guide more consistent with other Access Request
plugin guides (this is not an attempt to refresh the guide, which is
still out of date, but will help us refresh the guide when the time
comes).
* Fix linter issues
* Respond to PR feedback
Moves the description of the value closer to its use in the file, and also adds a real-world example including a port. Reorders grammar to a more natural English order.
This commit updates copied and generated code under
integrations/operator.
First of all, this commit includes the result of running make manifests in
integrations/operator to update the CRDs used by the k8s operator. These
are generated from the .proto files in the API package and are only
updated when someone runs make manifests.
Second, this commit updates the unit tests in
integrations/operator/crdgen. A static copy of the .proto files is kept
there so that every teleport PR updating the protobufs does not have to
break the CRD tests. Previously only types.proto and wrappers.proto were
kept there, with some hacks to make the imports work. Now that our
import structure is a little more complicated, I am copying all of the
api .proto files in. Only types explicitly listed in crdgen/main.go
actually generate CRDs. The test snapshots are necessarily updated here.
* use tctl edit in partial
* configure as prereq bullet point
This partial is used exclusively as a prereq item in the guides calling it. This change updates the render to properly embed it as a prerequisite bullet item.
* overhaul Okta SAML guide
* trailing newline
per https://github.com/gravitational/teleport/pull/23053/files#r1135862340
* respond to copy review
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* rm outdated header refs
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Update predeploy_job.yaml
Adding the ability to allow for requests and limits to be added to the predeploy_job like already done for deployments.
* Update predeploy_job.yaml
Add the ability for the proxy predeploy_job to have limits and requests like the deployment. Using same values from Values file.
* Update predeploy_test.yaml
Adding tests for resource limits on predeploy job for auth and proxy.
* Update examples/chart/teleport-cluster/tests/predeploy_test.yaml
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
* Update examples/chart/teleport-cluster/tests/predeploy_test.yaml
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
* Update examples/chart/teleport-cluster/tests/predeploy_test.yaml
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
* Update examples/chart/teleport-cluster/tests/predeploy_test.yaml
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
---------
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
* Emit new `AgentMetadataEvent`
Part of https://github.com/gravitational/cloud/issues/3550.
This commit adds a new `UpstreamInventoryAgentMetadata` that is sent
from a Teleport agent to an auth server.
Once received, it is transformed into an `AgentMetadataEvent` and sent
to PreHog.
Most `UpstreamInventoryAgentMetadata` fields are intentionally kept as
empty in this PR. Follow up PRs will be opened with the mechanisms
required to fill them (as described in #21337).
* server_id -> host_id
* compute OS and host architecture
* Compute OS version and container runtime
* Close stream if agent receives an agent metadata message
* cmd -> exec ; file -> read
* implement fetchOSVersion for linux
* Remove unused import
* Add note about `agentMetadataCh`
* Allow commands with args
* Remove parseFun abstraction
* fetch glibc version
* fetch container orchestrator
* Fix lint
* Fix TODO
* Add note about glibc version
* cmd -> command
* fetch cloud environment
* fetch install methods
* GLibCVersion -> GlibcVersion
* Use `http.NewRequestWithContext`
* Add missing comment
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* GLibCVersion -> GlibcVersion
* Fix lint
* Fix helm unit tests
* Add missing comments
* 5 second timeout on http requests
* Spawn goroutine that fetches metadata on each new stream
* Use `defaults.HTTPClient()`
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Add missing import
* Handle error
* Revert "Spawn goroutine that fetches metadata on each new stream"
This reverts commit fe4f2790be.
* Send agent metadata to auth server once per stream
* Improve note about agentMetadataDone
* Don't process command output & file content on the agent
Since agents cannot be trusted, regex validation and sanitization should
happen in PreHog anyway. So this commit removes such logic in favor of
moving it to PreHog.
* Fix lint
* Trim space
* Move handling of `AgentMetadataEvent` to `handleControlStream`
* Use cached hello message
* Move metadata files to lib/inventory/metadata
* make sending of agent metadata more self contained
* Minimize diff
* Send all system roles to PreHog
* Remove unused import
* Add parsing of command output / file content back
* Usage reporter refactor
* Usage reporter refactor
* Add missing handling of inventory agent metadata msg
* Fix ICS usage reporter
* Improve comments
* Add cached `metadata.Get*` methods
* Use systemctl status instead of is-active
* Add `Metadata` struct
* return pointer in `FetchMetadata`
* Pass context to `GetMetadata`
* metadataFetchConfig -> fetchConfig
* GetMetadata -> Get
* Add note about `Get` result
* Ensure install methods are non-nil
* Exit `metadata.Get` if context is closed
* Replace sync.Once with atomic.Bool.Swap
* Initialize channel
* Fix lint
* Fix lint
* Make `metadata.Get` return an error instead of bool
* Allow multiple true/false values for env vars
* Use `strings.Cut`
* Use /etc/os-release ID instead of NAME
* Improve `autoEmitMetadata`
* Use `gnu_get_libc_version`
* Ubuntu -> ubuntu
* Use GOARCH
* gofmt
* Move import C up
* Variables may include quotes
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Default values for ID and VERSION_ID
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Blank lines are permitted
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Anonymize host id
---------
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Describe node instance usage in AWS Terraform
* Include link to AWS Terraform Guide
* minor wording update
* phrasing update
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* phrasing update
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update language
* Update AWS language
---------
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>