Before this commit, the `tsh` HTTP requests that had the extra headers
were those that did not use `roundtrip`.
This commit leverages `http.RoundTripper.RoundTrip` to ensure that all
requests have the extra headers.
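A worked example of the pattern this commit describes, added here and not taken from the `tsh` code base: an `http.RoundTripper` wrapper that injects a fixed set of headers into every request the client makes, so that `Get`, `Post` and `Do` can no longer diverge. The header name `X-Example-Header`, the `captureRT` stand-in and the helper names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// headerRoundTripper wraps another RoundTripper and adds a fixed set of headers
// to every outgoing request. net/http routes every Client request through
// RoundTrip, so no call site can forget them.
type headerRoundTripper struct {
	base    http.RoundTripper
	headers http.Header
}

// RoundTrip clones the request before touching it: the RoundTripper contract
// forbids modifying the caller's *http.Request.
func (h *headerRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	clone := req.Clone(req.Context())
	for k, vals := range h.headers {
		for _, v := range vals {
			clone.Header.Add(k, v)
		}
	}
	base := h.base
	if base == nil {
		base = http.DefaultTransport
	}
	return base.RoundTrip(clone)
}

// NewClientWithHeaders returns a client whose Get, Post and Do all carry the
// given headers, because they share the one wrapped transport.
func NewClientWithHeaders(base http.RoundTripper, headers http.Header) *http.Client {
	return &http.Client{Transport: &headerRoundTripper{base: base, headers: headers.Clone()}}
}

// captureRT stands in for the network: it records the request it was handed
// and answers 200 with an empty body.
type captureRT struct{ seen *http.Request }

func (c *captureRT) RoundTrip(req *http.Request) (*http.Response, error) {
	c.seen = req
	return &http.Response{StatusCode: 200, Body: io.NopCloser(strings.NewReader("")), Request: req}, nil
}

// DemoWire builds a request with its own Accept header, sends it through the
// wrapper with a capturing base, and returns the headers that reached the
// "wire" alongside the caller's request headers, which must stay untouched.
func DemoWire() (sent, original http.Header, err error) {
	req, err := http.NewRequest("GET", "http://example.invalid/", nil)
	if err != nil {
		return nil, nil, err
	}
	req.Header.Set("Accept", "application/json")
	rec := &captureRT{}
	client := NewClientWithHeaders(rec, http.Header{"X-Example-Header": {"demo"}}) // header name is an example
	resp, err := client.Do(req)
	if err != nil {
		return nil, nil, err
	}
	resp.Body.Close()
	return rec.seen.Header, req.Header, nil
}

// SeenHeader makes a real loopback request to an httptest server and reports
// the value the server received for name.
func SeenHeader(name, value string) (string, error) {
	var got string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got = r.Header.Get(name)
	}))
	defer srv.Close()
	client := NewClientWithHeaders(srv.Client().Transport, http.Header{name: {value}})
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return got, nil
}

func main() {
	v, err := SeenHeader("X-Example-Header", "demo")
	fmt.Println(v, err)
}
```

The clone in `RoundTrip` is the detail worth keeping: a transport that appends to the caller's header map would make retries and concurrent reuse of the same `*http.Request` accumulate duplicate headers.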
Currently, there is no way to cancel Wait() in the reverse tunnel. This behavior has been exposed by the TestTokens test, which caused the tests to time out.
This change fixes the test and avoids a potential server deadlock on close. I'll analyze in parallel what the root cause of the reverse tunnel hanging on Wait() is, but we should have the option to cancel Wait() anyway.
Part of https://github.com/gravitational/teleport/pull/18274
This commit introduces a new hidden `wait` CLI subcommand:
- `teleport wait no-resolve <domain-name>` resolves a domain name and exits only when no IPs are resolved. This CLI command should be used in the Helm chart, as an init-container, to block proxies from rolling out until all auth pods have been successfully rolled out.
- `teleport wait duration 30s` has the same behaviour as `sleep 30`. Due to image hardening we won't have `sleep` available, but waiting 30 seconds in a preStop hook is required to ensure a 100% seamless pod rollout on kube-proxy-based clusters.
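An added example of the gate the init-container relies on, written for this page and not the real `teleport wait no-resolve` implementation: poll DNS until the name returns no addresses, then let the caller proceed. The injected lookup function, the `ScriptedLookup` stand-in for DNS, and the decision to keep waiting on resolver errors other than NXDOMAIN are choices made for this example.

```go
package main

import (
	"context"
	"errors"
	"net"
	"time"
)

// Lookup resolves a name to its addresses. net.DefaultResolver.LookupIPAddr
// satisfies it in production; the demo injects a scripted stub to run offline.
type Lookup func(ctx context.Context, name string) ([]net.IPAddr, error)

// WaitNoResolve polls until name resolves to no addresses, then returns nil. An
// NXDOMAIN answer counts as "no addresses"; any other resolver error is treated
// as transient and polling continues, so the gate never opens merely because
// the resolver was unreachable (a choice made for this example, not documented
// behaviour of the real command). It returns ctx.Err() if the context ends first.
func WaitNoResolve(ctx context.Context, name string, interval time.Duration, lookup Lookup) error {
	for {
		addrs, err := lookup(ctx, name)
		var dnsErr *net.DNSError
		if (err == nil && len(addrs) == 0) || (errors.As(err, &dnsErr) && dnsErr.IsNotFound) {
			return nil
		}
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-time.After(interval):
		}
	}
}

// ScriptedLookup replays a fixed sequence of answers, repeating the last one
// once exhausted, and counts the polls. Constructed stand-in for DNS.
type ScriptedLookup struct {
	answers [][]net.IPAddr
	errs    []error
	Calls   int
}

func (s *ScriptedLookup) Lookup(context.Context, string) ([]net.IPAddr, error) {
	i := s.Calls
	if i >= len(s.answers) {
		i = len(s.answers) - 1
	}
	s.Calls++
	return s.answers[i], s.errs[i]
}

// PollsUntilDrained simulates the auth pods' headless service draining: three
// records, then two, then one, then NXDOMAIN. It returns how many polls
// WaitNoResolve needed before letting the caller proceed.
func PollsUntilDrained() (int, error) {
	ip := func(s string) net.IPAddr { return net.IPAddr{IP: net.ParseIP(s)} }
	s := &ScriptedLookup{
		answers: [][]net.IPAddr{
			{ip("10.0.0.1"), ip("10.0.0.2"), ip("10.0.0.3")},
			{ip("10.0.0.1"), ip("10.0.0.2")},
			{ip("10.0.0.1")},
			nil,
		},
		errs: []error{nil, nil, nil, &net.DNSError{Err: "no such host", Name: "auth", IsNotFound: true}},
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	err := WaitNoResolve(ctx, "auth", time.Millisecond, s.Lookup)
	return s.Calls, err
}
```

In a real init-container the context deadline is what turns a stuck rollout into a visible failure instead of a pod that waits forever; the example surfaces it as `context.DeadlineExceeded`.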
This commit adds a certificate reloader that periodically reloads proxy
certificates.
Implementation was intentionally kept as simple as possible:
- periodically go through all key pairs and try to load them again
- if any key pair fails to load, then no certificate is updated
- no retry mechanism
- `inotify` is not used
The interval between reloads is configurable by setting
`https_keypairs_reload_interval` to some duration. If not set, or if set
to `0`, then certificates are not reloaded periodically. Thus, this
feature is opt-in and the current behaviour is maintained.
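An added example of the design listed above (all-or-nothing reload, no retry, no `inotify`, a non-positive interval meaning "disabled"), written for this page and not the proxy's own reloader. `KeyPairPath`, `CertReloader` and the self-signed fixture generator are assumptions made for the example; the fixture is constructed input, not a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// KeyPairPath names one PEM certificate/key pair on disk.
type KeyPairPath struct{ CertFile, KeyFile string }

// CertReloader serves the last set of pairs that loaded successfully. A reload is
// all-or-nothing: if any pair fails, the served set stays untouched. Reload must
// succeed once before the reloader is handed to a TLS listener.
type CertReloader struct {
	Paths []KeyPairPath
	certs atomic.Pointer[[]tls.Certificate]
}

// Reload re-reads every pair and swaps the whole set in one atomic store.
func (r *CertReloader) Reload() error {
	loaded := make([]tls.Certificate, 0, len(r.Paths))
	for _, p := range r.Paths {
		c, err := tls.LoadX509KeyPair(p.CertFile, p.KeyFile)
		if err != nil {
			return err // nothing stored: the previous set remains in service
		}
		loaded = append(loaded, c)
	}
	r.certs.Store(&loaded)
	return nil
}

// GetCertificate fits tls.Config.GetCertificate, so new handshakes pick up a
// rotated certificate without restarting the listener (no SNI selection here).
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return &(*r.certs.Load())[0], nil
}

// ServedSerial reports the serial of the first served leaf, which shows whether
// a reload actually took effect.
func (r *CertReloader) ServedSerial() (int64, error) {
	leaf, err := x509.ParseCertificate((*r.certs.Load())[0].Certificate[0])
	if err != nil {
		return 0, err
	}
	return leaf.SerialNumber.Int64(), nil
}

// RunPeriodic reloads every interval until stop is closed; failures go to onErr
// and polling continues (no retry, no inotify). A non-positive interval disables it.
func (r *CertReloader) RunPeriodic(interval time.Duration, stop <-chan struct{}, onErr func(error)) {
	if interval <= 0 {
		return
	}
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-stop:
			return
		case <-t.C:
			if err := r.Reload(); err != nil && onErr != nil {
				onErr(err)
			}
		}
	}
}

// WriteSelfSignedPair writes a throwaway self-signed P-256 pair with the given
// serial into dir. Constructed demo input (not a real CA); panics on failure.
func WriteSelfSignedPair(dir string, serial int64) KeyPairPath {
	p := KeyPairPath{filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	writePEM(p.CertFile, "CERTIFICATE", must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))
	writePEM(p.KeyFile, "EC PRIVATE KEY", must(x509.MarshalECPrivateKey(key)))
	return p
}

func writePEM(path, typ string, der []byte) {
	must(0, os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), 0o600))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
```

Wire it into a listener with `tls.Config{GetCertificate: r.GetCertificate}` and start `go r.RunPeriodic(interval, stop, logErr)`. The property to check when rotating is the one the test below exercises: a corrupt or half-written file on disk must leave the previously served set in place rather than drop the listener's certificate.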
The "test bundling" introduced in TestAppAccess() made the TestAppInvalidateAppSessionsOnLogout test very unstable, as other tests are modifying the state of the whole suite.
Removing the test from the bundle seems to fix it.
AttemptDeviceLogin, which is the main entry point for device authentication, now
checks the Ping response and skips the attempt entirely if device trust is
disabled.
The main objective is to avoid a needless roundtrip if the feature is disabled,
as one should only pay for what is in use.
There's actually little consequence in attempting the roundtrip, apart from the
added latency on logins, so I've gone with a negative flag ("Disabled" instead
of "Enabled"). The negative is less harmful if, for some reason, it's wrongly
absent (say, because of some future Ping code branch).
gravitational/teleport.e#514
Previously we were looking up a user's SID by their LDAP "name" attribute,
which is their modifiable display name. This commit has us looking them
up by their SAM Account Name, which is their unmodifiable username.
* Move GCP cloud clients into a separate interface
* Add azure mysql/postgresql flex server support
* Add teleport db configure create support for azure postgres/mysql flex servers
* discover both single and flexi server with 'mysql' and 'postgres' db types.
* go doc gcp interface
* Add is_flexi_server to database Azure config
This fixes a small regression in #19044 that broke IAM-based joining
for bots. Bots now have slightly different joining logic, but IAM
joining uses a different entrypoint that wasn't updated to reflect
this.
Add definitions for Connection Proxy RPCs.
ProxyService is fairly isolated from other services, so it is generated using plain protoc-gen-go instead of Gogo.
Access requests now implement ResourceWithLabels and a few utility functions
have been added. These are all for making access requests easier to work with
for the new access request watcher introduced in
https://github.com/gravitational/teleport/pull/19626.
When modifying the `types.WatchKind` of `ForRemoteProxy`, a series of
steps needs to be performed to prevent bricking remote cluster caches.
First, the `cfg.Watches` of `ForOldRemoteProxy` must be replaced
with the current `cfg.Watches` of `ForRemoteProxy`. Next, the
version used by `lib/reversetunnel/srv.go` to determine whether
to use `ForRemoteProxy` or `ForOldRemoteProxy` must be updated
to the release in which the new resource(s) will exist.
Once both of these are done, `ForRemoteProxy` may be updated.
Comments are added to `ForRemoteProxy`, `ForOldRemoteProxy`, and
`createRemoteAccessPoint` to help prevent backward incompatible
changes like https://github.com/gravitational/teleport/issues/17211
and https://github.com/gravitational/teleport/issues/19907 from
occurring again in future releases.
- Add a generalized client store made up of a key, profile, and trusted certs store. Each sub store can support different backends (~/.tsh, identity_file, in-memory).
- Replace custom identity file handling with in-memory client store.
- Fix issues with trusted certs handling.
When running in a debugger, width was returned as 0, even though there was no error.
This resulted in a panic further down the code, because the column maxCellLength
ended up being negative.
The changes in #17405 added a section to the docs for guides to
exporting audit events, and moved guides from
`docs/pages/management/guides`, but failed to add redirects. This change
adds the missing redirects.
Follow up on #19659 by enabling device authorization for k8s access.
All relevant changes and tests are already part of the aforementioned PR, I was
simply holding this out until I could do more thorough manual testing.
Without session MFA:
```shell
$ tsh logout; tsh login
$ kubectl get ns
> ERROR: unauthorized device
>
> Unable to connect to the server: getting credentials: exec: executable tsh failed with exit code 1
$ ./tsh logout; ./tsh login # tsh signed for device authn
$ kubectl get ns
> NAME STATUS AGE
> default Active 27h
> kube-node-lease Active 27h
> kube-public Active 27h
> kube-system Active 27h
> local-path-storage Active 27h
> teleport Active 126m
```
With session MFA:
```shell
$ tsh logout; tsh login
$ kubectl get ns
> ERROR: rpc error: code = PermissionDenied desc = unauthorized device
>
> Unable to connect to the server: getting credentials: exec: executable tsh failed with exit code 1
$ ./tsh logout; ./tsh login # tsh signed for device authn
$ kubectl get ns
> Tap any security key
*taps*
> NAME STATUS AGE
> default Active 27h
> kube-node-lease Active 27h
> kube-public Active 27h
> kube-system Active 27h
> local-path-storage Active 27h
> teleport Active 122m
```
gravitational/teleport.e#514
The federation data XML had a warning to treat it as a password. Rather, it should be treated securely like a certificate so the values are loaded correctly.
* Fix Teleport version
* Update GitHub actions guide with new actions and GHES support
* Fix SPAG
* Add note on omitting -i
* Changes notes order to make things make more sense
* Apply suggestions from code review
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* More spag tidying in github actions article and removed some chaff
* Fix SPAG
* Introduce next steps section
* Add missing hyphen
* Move Enterprise instructions to tabs
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
When users access a cluster, Teleport caches their credentials to avoid generating a new cert key pair each time they run a command on the cluster. If the user's certificate includes an active access request that was later discarded, the Teleport Kubernetes Proxy continues to use the cached credentials, which include the dropped access request, resulting in subsequent requests being denied by Teleport. The problem persists even if the user assumes another access request that grants them access to the cluster.
This situation happens because the Kubernetes Proxy stores the user's certificate in a TTL map to avoid generating and signing it each time the user hits the proxy. The cache lookup uses a key that includes the `kubeCluster`, `username`, `certificate_expiration`, `kube_users`, and `kube_groups` but does not include the `active_requests`.
This PR adds the `active_requests` to the cache's key to distinguish different certificate requests for the same user.
Fixes #19884
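An added illustration of the collision described above, written for this page and not the Kubernetes proxy's actual cache code: a key built from cluster, user, expiry, users and groups maps a certificate with an access request and the re-issued one without it to the same entry, while a key that also folds in the (sorted) request IDs does not. The `Identity` type, the `credCache` helper and the length-prefixed hashing are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Identity is the slice of a user's certificate that decides which Kubernetes
// credentials a proxy would mint. Constructed for this example, not the
// project's own type.
type Identity struct {
	KubeCluster    string
	Username       string
	Expires        time.Time
	KubeUsers      []string
	KubeGroups     []string
	ActiveRequests []string // access request IDs embedded in the certificate
}

// canon sorts a set so that element order alone never produces a distinct key.
func canon(vals []string) string {
	s := append([]string(nil), vals...)
	sort.Strings(s)
	return strings.Join(s, ",")
}

// keyOf length-prefixes each field before hashing, so a value that contains the
// separator cannot alias a different split of the same bytes.
func keyOf(fields ...string) string {
	var b strings.Builder
	for _, f := range fields {
		fmt.Fprintf(&b, "%d:%s;", len(f), f)
	}
	sum := sha256.Sum256([]byte(b.String()))
	return hex.EncodeToString(sum[:])
}

func baseFields(id Identity) []string {
	return []string{id.KubeCluster, id.Username, id.Expires.UTC().Format(time.RFC3339),
		canon(id.KubeUsers), canon(id.KubeGroups)}
}

// OldCacheKey leaves the access requests out: two certificates for the same user
// that differ only in assumed requests collapse onto one cache entry.
func OldCacheKey(id Identity) string { return keyOf(baseFields(id)...) }

// NewCacheKey folds them in, so assuming or dropping a request yields a fresh
// key and credentials are re-minted instead of served stale.
func NewCacheKey(id Identity) string {
	return keyOf(append(baseFields(id), canon(id.ActiveRequests))...)
}

// credCache is a minimal TTL map: an entry is valid until the certificate it
// was minted for expires.
type credCache struct {
	keyFn func(Identity) string
	now   func() time.Time
	items map[string]time.Time
}

// Get reports whether credentials for id were served from cache; on a miss it
// records a fresh entry (standing in for minting a new certificate).
func (c *credCache) Get(id Identity) bool {
	k := c.keyFn(id)
	if exp, ok := c.items[k]; ok && c.now().Before(exp) {
		return true
	}
	c.items[k] = id.Expires
	return false
}

// StaleHitWith replays the scenario from the description: alice hits the proxy
// with access request "req-1" in her certificate, then again after that request
// was dropped (same cluster, user, expiry, users and groups). It returns whether
// the second call was served from cache, i.e. whether the key function is blind
// to the change in active requests.
func StaleHitWith(keyFn func(Identity) string) bool {
	now := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	c := &credCache{keyFn: keyFn, now: func() time.Time { return now }, items: map[string]time.Time{}}
	id := Identity{KubeCluster: "prod", Username: "alice", Expires: now.Add(time.Hour),
		KubeUsers: []string{"alice"}, KubeGroups: []string{"devs"}, ActiveRequests: []string{"req-1"}}
	c.Get(id)
	id.ActiveRequests = nil
	return c.Get(id)
}
```

Two details matter beyond the missing field itself: the request IDs are sorted before keying so that two certificates carrying the same requests in a different order share an entry, and each field is length-prefixed before hashing so that a crafted value cannot make one field boundary look like another.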
Since the release of `tsh proxy app` we no longer need a
Teleport-aware Drone CLI and can leverage the standard
drone tool from https://docs.drone.io/cli/install/