* Update e ref
* Complete services.Users interface refactoring
Removes temporary functions required to migrate the interface
without breaking e.
Closes #32949.
* docs: update networking ports
* reword db and app connections
* updated language on exposing ports
* verbiage
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Prevent blank revisions from being read from the backend
Overwrites any empty resource revisions with a placeholder value to
prevent any blank revisions from being provided to users.
* Prevent backend items with empty revisions
All resource revisions are now being set on a backend.Item before
persisting the item to the backend.
* Add param `extraContainers` to `teleport-cluster` and `teleport-kube-agent` (close #6832)
This allows adding side containers to Teleport and Teleport-Agent pods.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* fix unit tests
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Kseniya Shaydurova <kseniya.shaydurova@saritasa.com>
* Bring internal repo documentation up to date
* Update CONTRIBUTING.md
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
---------
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
While working on https://github.com/gravitational/teleport/pull/32911 I
noticed the following broken error comparison, which would always log
because the error was always wrapped and never exactly matched
`http.ErrServerClosed`:
```go
if err != nil && err != http.ErrServerClosed {
	log.Warningf("TLS server exited with error: %v.", err)
}
```
I tried to fix it with `errors.Is`, but unfortunately got the condition
inverted. This fixes the condition to match the original intended
behaviour. It's not useful to log `http.ErrServerClosed` errors because
that error is returned every time the server is manually closed.
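The three variants of the check described above, side by side, as an added example (this is not the PR's code; `serveWrapped` is a stand-in for a server goroutine that wraps the error before returning it, which is the situation the message describes):

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// serveWrapped stands in for a goroutine that wraps whatever
// http.Server.Serve/ServeTLS returned before handing it to the caller.
// It is constructed for this example, not Teleport's proxy wiring.
func serveWrapped(underlying error) error {
	if underlying == nil {
		return nil
	}
	return fmt.Errorf("tls server: %w", underlying)
}

// shouldLogBroken is the original comparison: a direct != against the
// sentinel, which never matches once the error has been wrapped, so the
// benign shutdown error is logged every time.
func shouldLogBroken(err error) bool {
	return err != nil && err != http.ErrServerClosed
}

// shouldLogInverted is the first attempted fix with the condition
// backwards: it logs exactly the benign shutdown error and nothing else.
func shouldLogInverted(err error) bool {
	return err != nil && errors.Is(err, http.ErrServerClosed)
}

// shouldLog is the intended behaviour: log any exit error except the one
// http.Server returns after Close/Shutdown, wrapped or not.
func shouldLog(err error) bool {
	return err != nil && !errors.Is(err, http.ErrServerClosed)
}

func main() {
	closed := serveWrapped(http.ErrServerClosed)
	crash := serveWrapped(errors.New("accept tcp: too many open files"))
	for name, err := range map[string]error{"closed": closed, "crash": crash} {
		fmt.Printf("%-6s broken=%v inverted=%v fixed=%v\n", name,
			shouldLogBroken(err), shouldLogInverted(err), shouldLog(err))
	}
}
```

`errors.Is` walks the `%w` chain, so the fixed predicate suppresses the sentinel whether or not a caller wrapped it, while still surfacing a real listener failure.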
services.UsersService now takes a context and returns the user
from write operations as shown in the diff below. The bulk of the
changes are from modifying code to account for the additional
parameter and/or return value. Functional changes to better make
use of the new API will come in follow-up PRs.
```diff
// UserGetter is responsible for getting users
type UserGetter interface {
// GetUser returns a user by name
- GetUser(user string, withSecrets bool) (types.User, error)
+ GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error)
}
// UsersService is responsible for basic user management
type UsersService interface {
UserGetter
// CreateUser creates user, only if the user entry does not exist
- CreateUser(user types.User) error
+ CreateUser(ctx context.Context, user types.User) (types.User, error)
// UpdateUser updates an existing user.
- UpdateUser(ctx context.Context, user types.User) error
+ UpdateUser(ctx context.Context, user types.User) (types.User, error)
// UpdateAndSwapUser reads an existing user, runs `fn` against it and writes
// the result to storage. Return `false` from `fn` to avoid storage changes.
// Roughly equivalent to [GetUser] followed by [CompareAndSwapUser].
// Returns the storage user.
UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error)
// UpsertUser updates parameters about user
- UpsertUser(user types.User) error
+ UpsertUser(ctx context.Context, user types.User) (types.User, error)
// CompareAndSwapUser updates an existing user, but fails if the user does
// not match an expected backend value.
CompareAndSwapUser(ctx context.Context, new, existing types.User) error
// DeleteUser deletes a user with all the keys from the backend
DeleteUser(ctx context.Context, user string) error
// GetUsers returns a list of users registered with the local auth server
- GetUsers(withSecrets bool) ([]types.User, error)
+ GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
// DeleteAllUsers deletes all users
- DeleteAllUsers() error
+ DeleteAllUsers(ctx context.Context) error
}
```
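Review bot: the comments on CreateUser, UpdateUser and UpsertUser are unchanged even though each signature now returns `(types.User, error)`; only UpdateAndSwapUser documents its return value ("Returns the storage user."). Add the equivalent sentence to the three changed methods so callers know they get the stored user back rather than their input, e.g. `// CreateUser creates user, only if the user entry does not exist, and returns the stored user.` While there, `// UpsertUser updates parameters about user` should also state that it creates the user when it does not exist, since that is the only difference between it and the now-identical CreateUser/UpdateUser signatures.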
Depends on gravitational/teleport.e#2346
Implements step 3 of #32949
This PR fixes a problem where Kubernetes cannot transform the bool value
into a string.
```
Deployment in version "v1" cannot be handled as a Deployment: json: cannot unmarshal bool into Go struct field EnvVar.spec.template.spec.containers.env.value of type string
```
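The failure above reproduced in Go, with the chart-side fix in general form (render every scalar value as a string, not only the bool that triggered this report). This is an added example, not the chart's template; the `EnvVar` type below mirrors just the two `core/v1` fields that matter, and the env names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strconv"
)

// EnvVar mirrors the two core/v1 EnvVar fields that matter here: Value is
// declared as a string, so the API server rejects a JSON bool for it.
type EnvVar struct {
	Name  string `json:"name"`
	Value string `json:"value,omitempty"`
}

// decodeEnv is the strict decode the API server performs on the manifest.
func decodeEnv(raw []byte) ([]EnvVar, error) {
	var env []EnvVar
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, err
	}
	return env, nil
}

// isTypeMismatch reports whether a decode failure is the "cannot unmarshal
// bool into ... string" class of error rather than malformed JSON.
func isTypeMismatch(err error) bool {
	var te *json.UnmarshalTypeError
	return errors.As(err, &te)
}

// envFromValues renders chart values of arbitrary scalar type into EnvVars
// whose Value is always a string. Keys are sorted for deterministic output.
func envFromValues(values map[string]any) ([]EnvVar, error) {
	keys := make([]string, 0, len(values))
	for k := range values {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := make([]EnvVar, 0, len(keys))
	for _, k := range keys {
		var s string
		switch v := values[k].(type) {
		case string:
			s = v
		case bool:
			s = strconv.FormatBool(v)
		case int:
			s = strconv.Itoa(v)
		case float64:
			s = strconv.FormatFloat(v, 'f', -1, 64)
		default:
			return nil, fmt.Errorf("env %s: unsupported value type %T", k, v)
		}
		out = append(out, EnvVar{Name: k, Value: s})
	}
	return out, nil
}

func main() {
	// Constructed manifest fragment with the bool left unquoted.
	_, err := decodeEnv([]byte(`[{"name":"EXAMPLE_FLAG","value":true}]`))
	fmt.Println("unquoted bool:", err, "type mismatch:", isTypeMismatch(err))
	env, _ := envFromValues(map[string]any{"EXAMPLE_FLAG": true, "EXAMPLE_PORT": 3025})
	b, _ := json.Marshal(env)
	fmt.Println("rendered:", string(b))
}
```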
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Fix `tsh kube credentials` when root cluster roles don't allow Kube access
This PR fixes an edge case where an error message is printed to the
user without proper knowledge of the role mappings between root and
leaf clusters.
The user certificates include the `kubernetes_users` and
`kubernetes_groups` allowed in the root cluster, but nothing prevents the
access from being successful if the leaf cluster roles, after the mapping,
introduce the Kubernetes principals.
This PR prevents tsh from failing when generating certificates for leaf
Kubernetes clusters.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Update tool/tsh/common/kube.go
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* add check to tsh proxy
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Reword Troubleshooting section in Connect docs
* Point readers towards Open Logs Directory button
* Mention specific manifestations of partially unusable UI
* Update commands for removing tsh and app_state.json
* Reduce instances of "just"
* agent lifecycle -> the lifecycle of the agent
* proxy version -> Teleport Proxy Service version
* Simplify sentence about local user requirement
* Add screenshots of Connect My Computer
* Update screenshots of Connect UI
* Minor typos
* Update docs/pages/architecture/proxy.mdx
* fix capitalization and hyphenation and make features more parallel
* fix identity typo
---------
Co-authored-by: Gabriel Petrovay <gabipetrovay@gmail.com>
* Header `Connection: close` causes `kubectl` to fail exec
The header `Connection: close` causes a failure in kubectl when it upgrades
the connection to SPDY.
The `ReadTimeout` and `WriteTimeout` are known to cause problems for
Kubernetes watch streams.
Fixes #33020
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* add unit tests
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Add Docker to the access request plugin partial and Discord section
* Update another partial for Docker
* Restore variable to teleport.plugin.version
* Update docs/pages/includes/plugins/install-access-request.mdx
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Start migrating services.Identity to use context and return users
Adds new variants of existing methods that are going to be updated
to support propagating context and return users from create, update
and upsert. This is an unfortunate step required because e utilizes
the interface for various functionality. In order to prevent breaking
builds, the temporary methods were added so that e can be converted
to them first, then oss can be updated to the new version of the
interface. Once that is done e will be converted and then the temp
methods will be removed.
* fix typos in comment
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* fix: don't set metadata on existing item in CAS
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* fix: gci
* fix: set resource id on update
---------
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
As per https://support.apple.com/en-in/HT210176:
> TLS server certificates must contain an ExtendedKeyUsage (EKU)
extension containing the id-kp-serverAuth OID.
We were not specifying this EKU.
Validated by checking with the old self-signed certs:
```
$ security verify-cert -c webproxy_cert.pem -p ssl -r webproxy_cert.pem
Cert Verify Result: Invalid Extended Key Usage for policy
```
And then repeating the process after this change:
```
$ security verify-cert -c webproxy_cert.pem -p ssl -r webproxy_cert.pem
...certificate verification successful.
```
Closes #32531
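The EKU requirement, as an added Go example that is not the PR's code: it issues a self-signed cert with no EKU (the old behaviour), with `clientAuth` only, and with `serverAuth`, then runs two checks. `hasServerAuthEKU` is the strict rule Apple applies; `goAcceptsForServerAuth` is Go's own chain verification, which treats an absent EKU extension as unrestricted, so the old cert passes Go's verifier while `security verify-cert` rejects it. The host name is an assumed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hostName is an assumed placeholder for the proxy's public address.
const hostName = "proxy.example.com"

var (
	noEKU          []x509.ExtKeyUsage // the pre-fix certificate: extension absent
	clientAuthOnly = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	serverAuth     = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
)

// selfSignedCert issues a short-lived self-signed TLS certificate for
// hostName carrying exactly the given extended key usages.
func selfSignedCert(ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hostName},
		DNSNames:              []string{hostName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasServerAuthEKU is the strict check from the Apple requirement: the EKU
// extension must be present and must list id-kp-serverAuth.
func hasServerAuthEKU(cert *x509.Certificate) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

// goAcceptsForServerAuth runs Go's chain verification with the cert pinned
// as a root. Go skips the EKU check entirely when the extension is absent,
// so it only fails when an EKU list is present and lacks serverAuth.
func goAcceptsForServerAuth(cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	cases := []struct {
		name string
		ekus []x509.ExtKeyUsage
	}{{"no EKU (old cert)", noEKU}, {"clientAuth only", clientAuthOnly}, {"serverAuth (fix)", serverAuth}}
	for _, c := range cases {
		cert, err := selfSignedCert(c.ekus)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s strict=%v go=%v\n", c.name, hasServerAuthEKU(cert), goAcceptsForServerAuth(cert))
	}
}
```

The practical lesson is that a Go test using `x509.Verify` will not catch a missing EKU; an explicit check on `cert.ExtKeyUsage`, or the `security verify-cert -p ssl` run quoted above, is what exercises the policy Apple enforces.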
* Bump the go group in /integrations/kube-agent-updater with 2 updates
Bumps the go group in /integrations/kube-agent-updater with 2 updates: [github.com/docker/distribution](https://github.com/docker/distribution) and [golang.org/x/mod](https://github.com/golang/mod).
Updates `github.com/docker/distribution` from 2.8.2+incompatible to 2.8.3+incompatible
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.2...v2.8.3)
Updates `golang.org/x/mod` from 0.12.0 to 0.13.0
- [Commits](https://github.com/golang/mod/compare/v0.12.0...v0.13.0)
---
updated-dependencies:
- dependency-name: github.com/docker/distribution
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: golang.org/x/mod
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
...
Signed-off-by: dependabot[bot] <support@github.com>
* Replaced deprecated import
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Bumps the go group in /assets/backport with 1 update: [golang.org/x/oauth2](https://github.com/golang/oauth2).
- [Commits](https://github.com/golang/oauth2/compare/v0.12.0...v0.13.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the go group in /build.assets/tooling with 2 updates: [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/oauth2](https://github.com/golang/oauth2).
Updates `golang.org/x/mod` from 0.12.0 to 0.13.0
- [Commits](https://github.com/golang/mod/compare/v0.12.0...v0.13.0)
Updates `golang.org/x/oauth2` from 0.12.0 to 0.13.0
- [Commits](https://github.com/golang/oauth2/compare/v0.12.0...v0.13.0)
---
updated-dependencies:
- dependency-name: golang.org/x/mod
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Adds new RPCs which return the modified connector from write
operations. Server-side and interface changes will be done in follow-up
PRs to prevent breaking e. This is the first step in enforcing
optimistic locking for auth connectors.
Contributes to #30416.
* Add docs for Connect My Computer
* Update Troubleshooting Connect My Computer header
This way it doesn't conflict with the general Troubleshooting header.
* Add troubleshooting section about expired token
* Expand section on agent not being visible in cluster
* Mention that logout removes the agent