Ensure that tctl edit does the equivalent of
tctl get --with-secrets
Without this, the resource we fetch may be missing important details
that get overwritten when the edit completes.
Fixes #20326
Refactor `services.AccessMFAParams` and the accompanying `MFAParams` methods so
they may be extended to carry additional data (e.g., information required to
perform device trust checks).
This PR refactors existing code without adding any new functionality, so it may
be backported to older branches to alleviate eventual conflicts. Follow up
changes will take advantage of it to add support for device trust.
Related to gravitational/teleport.e#514.
* Add Teleport Discover metrics RFD
* Fix
* Update Events
This commit includes some nit changes:
- adding the unspecified as the first enum
- renaming some messages to add the Discover namespace
Some other changes:
- added the Skipped status to accommodate for when we don't have to
install the DatabaseService
- merged deploy of services into a single event (deploy of an ssh agent,
kube agent and database agent)
- added the started event to capture when the wizard is launched
* Remove prefix on enums
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
* spag changes
* Use `tctl` partial
* Further readability changes
* "we" -> "you"
* Further succinctness
* Adjust references
* show format
* Finally few copy fixes
* missing y
* Update docs/pages/machine-id/guides/github-actions-kubernetes.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Clarify Teleport user privs
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
This PR introduces support for creating resource access requests to `pod` resources to `tsh` and their approval from `tsh` and `tctl`.
Adds support for `tsh request create --resource /<cluster>/pod/<kube_cluster>/<namespace>/<podname>`.
Part of #18434
This PR validates if the provided list of regions belongs to any AWS partition. If the region list is invalid or empty, Teleport prints a helpful message and exits.
Fixes #20276
User certs for desktop access are only valid for a few minutes
and are never written to disk. This can make it difficult to
troubleshoot cert validity.
This commit adds support for generating Windows user certificates
which can be exported to the Windows environment for validation.
Note: at this time, we only write the certificate and not the
corresponding private key, making it impossible to use the generated
cert for any real purpose.
Before this commit, only a single transformation like `email.local` or
`regexp.replace` was allowed in role templates.
With this commit, users can now write:
- `email.local(regexp.replace(external.email, "_", "-"))`
- `regexp.replace(email.local(regexp.replace(external.email, "_", "-")), "dev", "admin")`
This commit also allows the above expressions to not contain any
variable, i.e., it allows constant expressions like
`email.local("vitor@goteleport.com")`.
Running computationally expensive tests causes connection failures that lead to test failures.
This PR tries to overcome this problem by making only the subtests run in parallel.
Abstracts out authenticateRequestWithCluster so that the WithClusterAuth
logic can be used in siteSessionStreamGet without making siteSessionStreamGet
a ClusterHandler, which is expected to return JSON.
The Web UI terminal wrongly dials to the leaf cluster, in trusted cluster scenarios, to issue single-use certificates (the kind one needs when `require_session_mfa` is enabled).
This fixes that by always dialing to the root cluster, [a behavior that matches `tsh`][1]
[1]: c23532cc00/lib/client/client.go (L455-L480)
#20208
Ensures that active connections during a graceful shutdown don't
inadvertently prolong the heartbeat.
The added ReadyEvents ensure that TeleportReady is broadcast if
either the tracing_service or metrics_service is enabled. Not emitting
them prevents graceful shutdown from completing because the uploader
service requires the TeleportReady event before it can complete initialization.
* feat: login rule tctl CRUD commands
This commit implements the `create`, `get`, and `rm` `tctl` commands for
login rule resources.
Much of the Resource <-> Protobuf type conversion code is already
present in teleport.e and is being copied here so that it can be used in
OSS tctl (there is no longer an enterprise-specific resource command for
tctl, everything is in OSS).
https://github.com/gravitational/teleport.e/pull/699 removes the now
redundant code in teleport.e
* WIP adding OpenSSH CA
* fix creating OpenSSH CA for tests
* fix a test name and tctl usage flag
* fix 'tctl status' not displaying openssh CA sometimes
* add OpenSSH CA to TestInit_bootstrap, remove TLS key pair
* add OpenSSH CA to a few more places
* make help text of 'tctl auth rotate' more helpful and accurate
* fix web cert export test
* tbot doesn't need to know about OpenSSH CA
* address feedback
* fix comment formatting
Part of [RFD-096](https://github.com/gravitational/teleport/pull/18274): managing the major upgrades safely
This commit's main purpose is to block proxies running a new Teleport major version from connecting to auth pods running an old Teleport version.
This commit does 3 things:
- adding initContainers and preStop hooks to the `teleport-cluster` Helm chart (initContainers were designed in RFD 096, preStop was a nice addition coming from [the wait PR](https://github.com/gravitational/teleport/pull/19277))
- fixing a bug in the `wait` command (the DNS error was not properly unwrapped and not recognized as a DNS error)
- fixing missing override support on some auth Deployment values. As a rule of thumb for future review, we should not use .Values directly and prefer using $auth and $proxy