Commit graph

15435 commits

Author SHA1 Message Date
rosstimothy b511b86bf4
Add users service proto (#33578)
Introduces the new teleport.users.v1.UsersService and deprecates
associated RPCs from the teleport.AuthService.
2023-10-20 13:13:37 +00:00
Rafał Cieślak 0af059a796
Parse deep links sent to Connect (#33639)
* Reorganize uri & tests

* uri routing: Use `routing` instead of `this`

`this` used within objects like this loses type information due to implicit
any used by TypeScript there. Instead, we can refer to `routing` (like
other functions already do) and keep type information.

* Add parseConnectMyComputerUri

* Parse and validate deep link in main process
2023-10-20 10:52:11 +00:00
Rafał Cieślak 4ed8c5efc0
Update Jest to v29 and use custom env to expose TextEncoder & TextDecoder (#33683)
* Use custom Jest environment to expose TextEncoder & TextDecoder

* Update Jest to v29

* Simplify imports and exports

* Update e ref
2023-10-20 10:05:11 +00:00
rosstimothy 3c68797ea3
Enable optimistic locking support for SAML connectors (#33462)
Updates tctl edit and the web ui to start using optimistic locking.
The functionality to support optimistic locking already existed,
the APIs used by both clients were updated to use create/update
instead of upsert so that optimistic locking could be enforced.
Most of the changes introduced are tests to ensure that tctl edit,
tctl create behave as expected.

Note: the web ui changes are included in the e ref update.

Contributes to #30416.
2023-10-19 19:53:17 +00:00
Tim Buckley f90ea42e31
Supporting changes for Cloud email invites (#32439)
* Add WIP implementation of Teleport email invites

This adds a WIP impl of Teleport email invites. Requires a compatible
Enterprise build and Cloud API.

* Bump e ref and add new validation rule

* Various improvements to enable Cloud email invites

* Add description to UI role resources
* Expose various new react-select options
* Add new FieldSelectCreatable
* Add some typing for validation rules
* Tweak invite button for Cloud to use email UI instead of showing
  both buttons
* Partial implementation for onboarding invites

* Add support for Cloud collaborator invites during onboarding

This adds various changes to enable showing the invite collaborators
form during initial user onboarding.

 * Adds a `?initial` URL query parameter for the UI to signify the
   first user; Cloud will append this to invite appropriate invite
   links.
 * Added a new ratelimited public endpoint to return a list of preset
   roles. This just exposes static data available otherwise available
   in Git and that could be obtained from the public Teleport version
   shown in ping responses already.

* Update e ref for the invite-collaborators branch

* Honor the `inputId` parameter if set

* bump e ref

* Improve typing for `requiredEmailLike` to add an error category

The `kind` field can allow the UI to group errors together if several
invalid emails are entered.

* bump e ref

* Destructure the InviteCollaborators component sanely

* Set `setDisplayInviteCollaborators` to `null` instead of `false`

* Split `FieldSelectCreatable` into its own file

* Fix lint

* add story for SelectCreatable

* Add tests for `requiredEmailLike`

* Rename `initial` flag to `invite`

Renaming the flag will hopefully clarify the intent.

* Add tests for invite collaborators feedback and users rendering

* Add rendering test for the invite collaborators card

* Clean up lints

* Rename types.tsx -> shared.tsx

* Relocate invite constant to `Welcome/const.ts`

* Split `SelectCreatable` into its own story

* Clarify SelectCreatable story

* Simplify story; fix lint

* Fix type checker failure

* Rename `preset-roles` endpoint to `presetroles` to follow API conventions
2023-10-19 18:41:04 +00:00
Noah Stride 7e11b3ab58
Machine ID Docs Refactor (#31259)
* Skeleton out docs refactor (#31017)

* Start outlining index pages

* More reshuffling

* Remove old guides index page

* Adjust sidebar config

* Fix redirect

* Fix crosslinks

* Fix changelog links

* Fix more links

* Add short descriptions for platform guides

* Improve some page descriptions/signposting

* Nicer title

* Outline intro page

* Add notes on common usecases

* Remove old sections from introduction

* Start to outline overview topics

* Roughly expand on overview to cover bot user/bot role

* Clarify usecases

* Attempt to break up further reading section to be intelligible

* SPAG

* Add TODOs

* Machine ID Docs Refactor: Kubernetes Platform Guide + some AWS/GCP (#31796)

* Add config files needed for Kubernetes deployment

* Tidy examples under defined headers

* Add namespace to specs

* Add notes on join methods

* Further details on Kubernetes joining

* Document kubernetes rbac resources

* Skeleton out GCP/Linux platform guides

* Add necessary topics to the background for GCP and Linux

* Try and rewrite the blank role mdx to be less rubbish

I'm pulling my hair out over this lol

* Add a todo so I can come back to this part of the description when i can use words

* Further flesh out the background shape and intro shape for the platform guides

* Add more steps to k8s guide

* Fix links to k8s page

* Explain `kubernetes` join method

* Add documentation to the token yaml

* Add reasoning for role

* Document deployment manifest

* Add notes on determining if the deployment is healthy.

* Add token yaml for aws/gcp from my reference notes

* Add token/bot creation step for aws,gcp,linux

* customizing

* Machine ID Docs Refactor: Add `tctl` and `terraform` access guides (#32036)

* Outline `tctl` access doc

* Flesh out Terraform page with an example

* Fill out the copy for the Terraform provider guide

* Add explanation to configure tbot step of Terraform guide

* Add similar explanatory prose to tctl.mdx

* Add example role for tctl guide

* Try to better explain modifying the existing role

* Fix prerequisites

* Note on configuring permissions

* Fix SPAG

* Appease linter

* Expand intro for Terraform

* Please linter with newlines

* Remove spurious newline

* Clarify install/configure language

* Update docs/pages/machine-id/access-guides/tctl.mdx

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Update docs/pages/machine-id/access-guides/tctl.mdx

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Update docs/pages/machine-id/access-guides/tctl.mdx

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Update docs/pages/machine-id/access-guides/terraform.mdx

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Remove backticks from title

* Make example roles less powerful

* Add example of tctl command to check success

* Correctly say platform guide not access guide

* Be more specific in mentioning `tbot`

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Remove V11 support warnings from platform guides

* Machine ID Docs Refactor: Linux VM based Platform Guides (#32472)

* Add pre-requisites

* Add example systemd service

* Notes on oneshot mode

* Offer daemon or oneshot mode docs

* Hide one-shot mode from `token` join based Linux

* Clarify Linux user for access

* Use variables for the token and explain commands

* Explain creating systemd service

* Explain when to prefer one-shot mode

* Add skeleton for Azure

* Document azure join token fields

* Add intros for guides

* Explain why we protect the directory

* Add install instructions

* Remove step regarding writing token to a separate file

* Move configure outputs to template

* Signify each step as local machine or target host

* Explain gcp/azure join methods

* Explain token and iam join methods

* Remove no longer recommended host certs guide

* Add next step

* Correct list of supported join methods

* Machine ID Docs Refactor: Rewrite GitLab and CircleCI guides (#32834)

* Start reshaping the CircleCI guide

* Make some changes to the GitLab side as well

* Add role creation to GitLab guide

* Add role creation step to CircleCI guide

* Adjust token file name

* Make sure anonymous telemetry advice is included

* Machine ID Docs Refactor: GitHub Actions docs (#32854)

* Start restructuring GHA guides

* Copy in Kubernetes Action example

* Add example DIY workflow

* Adjust examples with replacement steps

* Link off to the action github pages

* Tidy up introduction for GHA guide

* Explain GHA examples better and more searchably

* Improved title

* Add example role modifications

* Machine ID Docs Refactor: Ansible Access Guide (#32741)

* Rework Ansible with Server Access guide

* SPAG and consistency suggested changes

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Clarify intro and use the variable throughout

* suggested fixes

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Clarify configuring bot rbac

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Machine ID Docs Refactor: Application Access (#32745)

* Rework Application Access docs

* Code review suggestions

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Clarify RBAC

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Machine ID Docs Refactor: SSH Access guide (#32735)

* Add prereqs for ssh access guide

* Outline steps and output config

* Add guidance on tsh and OpenSSH

* Guidance on other tools

* Simplify guidance on other tools

* Link to ansible guide

* Apply suggestions from code review

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Reorganise RBAC section

* Fix miscopied sentence

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Machine ID Docs Refactor: Architecture and Introduction (#32901)

* Rewrite getting started guide next steps

* Rewrite introduction introduction to focus on tangible machine ID benefits

* Overview

* Add todo markers

* Rewrite overview

* Rewrite some of the architecture page

* Apply suggestions from code review

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Rearrange "overview" to act as "concepts"

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Machine ID Docs Refactor: Database Access (#32743)

* Rewrite database access guide

* Apply suggestions from code review

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Apply suggestions from code review

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Clarify that systemd should be used rather than exercise for reader

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Machine ID Docs Refactor: Kubernetes Access (#32744)

* Rewrite Kubernetes access guide

* Code review suggestions

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Explain need for kubectl on both client machine and machine id host

* spag

* Fix `kubernetes_resources` example

* Further clarify `kubernetes_resources`

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Edit the Machine ID docs refactor (#33596)

* Edit the Machine ID docs refactor

- **Rename the new guides:** Use the "Connect a Bot" and "Deploy Machine
  ID" language instead of "Access Guides" and "Platform Guides" to
  connect these guides more explicitly to the language we use in the
  "Concepts" discussion of the Machine ID landing page.

- **Add context to the deployment guide index page**: Reduce repetition
  and provide information about each deployment method to help users get
  more context about how Machine ID runs and joins a cluster, as well as
  to help users choose a deployment guide.

- **Make links more visible on the Machine ID intro page:** Use a video
  banner for the Machine ID intro so it takes up less space on the page.
  Shorten some sections and add more specific H2s for the links.

- **Streamline some deployment guides:** Where guides include
  "Background" and "Guide" H2s, blend the introductory information with
  the guide so we can promote the "Step" H2s to H3s and direct the reader
  to the step-by-step instructions more quickly.

- **Add new pages to the docs table of contents.**

* Respond to zmb3 feedback

- List cloud platforms before CI/CD platforms on the sidebar
- Recommend using platform-signed identity documents in the deployment
  guide intro page.
- Edit language introducing join tokens.

* Respond to strideynet feedback

- Edit wording in the deployment guide index page, including renaming a
  section heading and adding language re: renewable certs in the static
  token join method.
- Change GitHub Actions link.
- Rename the Access Guides back to "Access Guides"

* Fix spelling

* Appease linter

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
2023-10-19 17:19:29 +00:00
teleport-post-release-automation[bot] 2d14ea0e67
[auto] Update AMI IDs for 14.1.0 (#33706)
Co-authored-by: GitHub <noreply@github.com>
2023-10-19 17:09:06 +00:00
rosstimothy dbc48f2898
Enable optimistic locking support for OIDC connectors (#33458)
Updates tctl edit and the web ui to start using optimistic locking.
The functionality to support optimistic locking already existed, the
APIs used by both clients were updated to use create/update instead
of upsert so that optimistic locking could be enforced. Most of the
changes introduced are tests to ensure that tctl edit, tctl create
behave as expected.

Note: the web ui changes are included in the e ref update.

Contributes to #30416.
2023-10-19 16:09:05 +00:00
dependabot[bot] e3f180ca1f
Bump rustix from 0.36.5 to 0.36.16 (#33653)
Bumps [rustix](https://github.com/bytecodealliance/rustix) from 0.36.5 to 0.36.16.
- [Release notes](https://github.com/bytecodealliance/rustix/releases)
- [Commits](https://github.com/bytecodealliance/rustix/compare/v0.36.5...v0.36.16)

---
updated-dependencies:
- dependency-name: rustix
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-19 15:51:11 +00:00
Evan Freed 48936db124
bump docs to 13.4.3 (#33608)
Signed-off-by: Evan Freed <evan.freed@goteleport.com>
2023-10-19 13:42:23 +00:00
Marco André Dinis 7acf3584b7
Dynamic Discovery Matchers for Databases (#33472)
2023-10-19 13:15:38 +00:00
Rafał Cieślak 37e52dc8a8
Manually fire OpInit in NodeJoinWait test (#33636)
2023-10-19 12:31:52 +00:00
Rafał Cieślak 618bb5a81e
Configure Connect to intercept deep link clicks (#33637)
* Configure custom protocol in electron-builder

* Set up listeners for deep links

* Change custom protocol to teleport

* Clarify behavior around window focus
2023-10-19 10:58:50 +00:00
Trent Clarke 033e938031
Adds user sync flag to the Okta plugin settings (#33140)
* Up-revs the Okta plugin settings version

Adds a version field to the OktaPlugin settings and updates the associated
protocol files and tests. This is in preparation for adding new behaviour
to the Okta plugin, and will allow Teleport to determine if a plugin
installation was created by the current version of Teleport (and should
get the new behaviour), or an old version (which will get no surprising
behavioural changes)

changing the behaviour of the Okta plugin depending
if the plugin is created from a current or old version of Teleport.

* revert structure up-rev

* Fix spelling

* Revert to simple flag

* Test tidyup

* Update api/types/plugin_test.go

Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>

---------

Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
2023-10-19 10:41:42 +00:00
Olu Oshati d014569faa
update-SSO-troubleshooting docs (#32287)
* update-SSO-troubleshooting

* add low-level context

* clean up docs

* Update docs/pages/includes/sso/loginerrortroubleshooting.mdx

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* remove typo

* add error message

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
2023-10-19 08:13:56 +00:00
Brian Joerger 053615057f
Extend rsync command timeout in tests. (#33661)
2023-10-18 22:45:59 +00:00
Walt ba3e630a7d
Downgrade create-github-app-token to a pre-nodejs 20 version (#33670)
Because this step runs in a centos7 container, we need a version that
runs an older nodejs release, and is thus compatible with an older GLIBC.
2023-10-18 22:05:45 +00:00
lsgunn-teleport 974f0ab3f1
Align titles in the introduction to topic sections, modify Desktop Ac… (#33660)
* Align titles in the introduction to topic sections, modify Desktop Access reference

* Typo in the title on the Introduction page
2023-10-18 22:04:13 +00:00
Steven Martin 436d429097
include url and saml connector name in entity descriptor url errors (#33278)
* include url and saml connector name in entity descriptor url errors

* update error message

* update variable output in trace

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* update message output

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2023-10-18 20:56:29 +00:00
Anton Miniailo fd73320933
Require SSH prefix in router.DialHost connections (#33000)
* Require SSH prefix in proxySubsys connections

* Move prefix assertion into router.DialHost()

* Wrap conn separately

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Allow multiple writes to satisfy prefix requirement

* Add comment about concurrent calls

* Advance pointer even when err != nil

* Minimize code for finding smaller entity

* Use pointer to advance

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Test in parallel

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Wrap the error.

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Wrap the error.

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* More specific error assertions

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-10-18 20:43:46 +00:00
STeve (Xin) Huang 263f58d678
[docs] add missing database matchers for discovery config reference (#33657)
2023-10-18 20:40:56 +00:00
Paul Gottschling c3774da60d
Clarify Opsgenie prerequisites (#33030)
Closes #32519

Inline the `commercial-prereqs-tabs.mdx` partial within the
Prerequisites section and modify the language to clarify that this
plugin only supports Teleport Enterprise Cloud.
2023-10-18 20:36:53 +00:00
Walt 80279b5846
Swap actions/create-github-app-token for tibdex/github-app-token (#32106)
tibdex is some random developer.  We prefer 2nd party actions from
GitHub, as we have a contractual relationship with them.

As part of this change, I'm also comfortable dropping the SHA pinning --
since the `actions` org can be held to a higher level of trust for
both security and backwards compatibility concerns.
2023-10-18 20:29:43 +00:00
Paul Gottschling ea9bfebef8
Remove "Preview" from Resource Access Request page (#33656)
2023-10-18 20:23:10 +00:00
rosstimothy 2087a2fda8
Implement Create/UpdateRole on the auth server (#33491)
In addition to adding server and backend handling for create and
update roles, the services.Access interface was updated to return
a role from the existing Create/UpsertRole methods. Bumps the e
ref to incorporate the associated changes needed there to prevent
breaking the build.
2023-10-18 17:06:50 +00:00
Steven Martin d44e4527ef
allow https:// in proxy parameter in tsh (#32473)
* ignores https:// in proxy parameter

* remove extra line

* use TrimPrefix to simplify

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2023-10-18 15:46:13 +00:00
Steven Martin 71da63ab94
docs: include all db protocols in faq and config (#33495)
2023-10-18 15:20:32 +00:00
Zac Bergquist 0504df246e
Clean up a few log entries (#33603)
- log proxy names, not the string-ified Go struct
- don't log the full web session ID or the bearer token
2023-10-18 14:06:23 +00:00
Grzegorz Zdunek 163e04e167
Add unified resource view gRPC handler to tshd (#33150)
* Add unified resource view gRPC handler to tshd

* Improve comments

* Move `kinds` validation to `unifiedresources.List`

* Make `listUnifiedResources` return a union

* Rename `CombinedResource` to `UnifiedResource`

* Support `pinnedOnly`

* Ignore unsupported resources

* Fix lint issues

* Run prettier

* Take kubes from `PaginatedResource_KubernetesServer`, not `PaginatedResource_KubeCluster`
2023-10-18 11:45:29 +00:00
Grzegorz Zdunek 173739fb61
Update Node.js to 18.18.2 (#33521)
2023-10-18 08:08:15 +00:00
Steven Martin 498983315f
handle empty lists for yaml and json formatted lists in tctl (#33547)
* handle empty lists for yaml and json lists in tctl

* users list nil check

* move order of empty list assignment

* check for nil value for resources json and yaml output

* remove duplicate resources() call

* JSON and YAML empty handling

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* change to use utils

* fix test

* fix tokens yaml testing

* addressed comments

* WriteJSON used by enterprise code, restored

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
2023-10-18 03:04:10 +00:00
Brian Joerger 1f4d13f4ac
Update hardware key support docs (#33553)
* Update hardware key support docs with details on:

* Hardware Key PIN option

* Custom PIV slot/key instructions

* WebUI enabled details

* Resolve comments.

* Fix typo.
2023-10-18 00:29:23 +00:00
Brian Joerger 9d84f8d379
Add private key policy to user login and certificate posthog events. (#33490)
2023-10-17 23:45:41 +00:00
Brian Joerger ae80f05398
Extend test timeouts. (#33587)
2023-10-17 23:45:29 +00:00
lsgunn-teleport 7d0d106fd5
docs: Add Docker and notification to the PagerDuty access request plugin (#33334)
* Add Docker and notification to the PagerDuty access request plugin

* Remove the notifications section already covered in Step 2
2023-10-17 22:47:27 +00:00
Gabriel Corado 00ab142842
Add MySQL auto-user deletion (#33520)
* feat(mysql): add auto-user deletion

* chore(mysql): remove unused deletion variables

* test(mysql): fix race condition
2023-10-17 21:10:05 +00:00
Zac Bergquist faa9f2d4dc
Deflake TestChaosUpload (#33586)
This test attempted to verify that the uploader is able to operate
correctly even when faults are injected into the system.

It ended up being flaky for a number of reasons, but the biggest
issue is that it wasn't simulating a real world scenario.

1. It used a fake clock, but never advanced it, so the uploader's
   scan loop didn't correctly "tick" and only ran once.
2. It invoked many uploader scans in parallel while also running
   the uploader's own scan loop in the background. In any real
   deployment we only have one scan loop running, so this test
   is creating an environment that never exists in the wild.

Updates #33099
2023-10-17 20:45:15 +00:00
Marek Smoliński f44520fba9
Update generate-eventschema (#33597)
2023-10-17 20:25:55 +00:00
rosstimothy 4c0ecc4792
Adds new Create Update and Upsert Role RPCs (#33466)
The new RPCs are required to support optimistic locking for Roles.

Contributes to #30416.
2023-10-17 20:11:22 +00:00
Michael Wilson e2e896820a
Update synchronization period in Okta docs. (#33591)
The Okta synchronization time in the Okta docs has been updated to reflect
its current state, which is 10 minutes instead of 2 minutes.
2023-10-17 20:06:30 +00:00
Nic Klaassen 215f968842
feat: IAM permissions for BYOBucket (#33416)
This commit adds a one-off teleport command that configures the
necessary IAM permissions for the upcoming External Cloud Audit
(BYOBucket) feature.

An example command invocation looks like:
```
$ teleport integration configure externalcloudaudit-iam \
  --aws-region us-west-2 --role nic-byob-test --policy nic-byob \
  --session-recordings s3://nic-byob/sess-rec-v2 \
  --audit-events s3://nic-byob/events --athena-results s3://nic-byob/results \
  --athena-workgroup primary --glue-database nic_byob --glue-table nic_byob_table
```

In normal usage this command will be generated for the user so that they
can just copy a command from the Web UI and run it in AWS CloudShell.

The permissions generated here are based on
https://github.com/gravitational/cloud/blob/rfd/77-bring-your-own-bucket/rfd/0077-Bring-your-own-bucket.md,
but only include the permissions necessary for using the feature at
runtime and not any permissions necessary to bootstrap/create the
resources.
2023-10-17 19:42:41 +00:00
Mike Jensen 3d3754893e
Select examples api dependency update (#33595)
This updates `api` in `access-plugin-minimal`, `api-sync-roles`, `desktop-registration` and `service-discovery-api-client`.  These four examples are being updated because of their dependency on OpenTelemetry and Crewjam which are both being pulled in from the parent `api` dependency.
2023-10-17 19:37:34 +00:00
Mike Jensen 30211ac889
Examples OpenTelemetry update (#33579)
Update OpenTelemetry in examples to ensure coverage against CVE-2023-45142.
2023-10-17 18:05:06 +00:00
Edward Dowling 5c44cbac8e
Fix issue with ServiceNow incidents not including link to access request (#33565)
* Fix issue with ServiceNow incidents not including link to access request

* Add cluster to incident description and include user as caller

* Add status sink to servicenow client

* Fix formatting

* Undefer status updating in servicenow plugin

* Add log of plugin status

* Update integrations/access/servicenow/client.go

Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>

* Fix bug caused by caller_id field being a different type on response

* Change format for description for resource requests

* Fix mock servicenow to use separate incident response type

* Update integrations/access/servicenow/client_test.go

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

* Fix formatting

* Update tests

---------

Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>
2023-10-17 17:25:43 +00:00
Alan Parra 8f584d42de
Use authz helpers for user role checking (#33396)
* Replace helper with authz.IsXUser methods

* Use UnmappedIdentity in helpers

* Fix TestIsUserFunctions
2023-10-17 17:19:50 +00:00
Marek Smoliński f69d7ba790
Add Access Monitoring Ping Auth Response Feature flag (#33577)
2023-10-17 16:43:41 +00:00
rosstimothy f59a488155
Enable optimistic locking support for GitHub connectors (#33421)
Updates tctl edit and the web ui to start using optimistic locking.
The functionality to support optimistic locking already existed, the
APIs used by both clients were updated to use create/update instead
of upsert so that optimistic locking could be enforced. Most of the
changes introduced are tests to ensure that tctl edit, tctl create
and the web ui behave as expected.

Contributes to #30416.
2023-10-17 15:24:04 +00:00
dependabot[bot] 31853bf9b2
Bump github.com/crewjam/saml from 0.4.14-0.20230420111643-34930b26d33b to 0.4.14 (#33500)
* Bump github.com/crewjam/saml

Bumps [github.com/crewjam/saml](https://github.com/crewjam/saml) from 0.4.14-0.20230420111643-34930b26d33b to 0.4.14.
- [Commits](https://github.com/crewjam/saml/commits/v0.4.14)

---
updated-dependencies:
- dependency-name: github.com/crewjam/saml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Improve test error message

* wrap invalid url error from samlsp.ParseMetadata

* Make all parse errors bad parameter errors

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Tim Ross <tim.ross@goteleport.com>
2023-10-17 15:16:12 +00:00
fheinecke 3f340f7bc1
Minor docs typo fix (#33558)
2023-10-17 14:51:14 +00:00
Alex McGrath 481617ef75
wait for nodes to register in 'TestIntegrations/DataTransfer' (#33568)
* wait for nodes to register in 'TestIntegrations/DataTransfer'

* resolve comments
2023-10-17 14:49:09 +00:00