Part of https://github.com/gravitational/teleport/pull/18274
This commit introduces a new hidden `wait` CLI subcommand:
- `teleport wait no-resolve <domain-name>` resolves a domain name and exits only when no IPs are resolved. This CLI command should be used in the Helm chart, as an init-container, to block proxies from rolling out until all auth pods have been successfully rolled out.
- `teleport wait duration 30s` has the same behaviour as `sleep 30`. Due to image hardening we won't have `sleep` available, but waiting 30 seconds in a preStop hook is required to ensure a 100% seamless pod rollout on kube-proxy-based clusters.
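The gating loop behind `wait no-resolve`, as an added example written for this page rather than Teleport's own implementation. The resolver is injected so the logic runs offline; the host name in `main` is a placeholder, not the Service the chart actually uses. NXDOMAIN is treated as "no IPs", while other resolver failures are retried so that a flaky DNS server cannot release the gate early:

```go
package main

import (
	"context"
	"errors"
	"net"
	"time"
)

// LookupFunc resolves a host to addresses. In production this is
// net.DefaultResolver.LookupHost; tests inject a fake.
type LookupFunc func(ctx context.Context, host string) ([]string, error)

// WaitNoResolve polls host every interval and returns nil once it resolves to
// no address. NXDOMAIN (DNSError.IsNotFound) counts as "no IPs": a Kubernetes
// headless Service whose last endpoint is gone answers that way. Any other
// resolver error (timeout, SERVFAIL) is retried, not treated as success.
func WaitNoResolve(ctx context.Context, lookup LookupFunc, host string, interval time.Duration) error {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		addrs, err := lookup(ctx, host)
		var dnsErr *net.DNSError
		if (err == nil && len(addrs) == 0) || (errors.As(err, &dnsErr) && dnsErr.IsNotFound) {
			return nil
		}
		select {
		case <-ctx.Done():
			return ctx.Err() // give up when the init-container deadline passes
		case <-ticker.C:
		}
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
	defer cancel()
	// Placeholder host name (assumption): whatever Service the old auth pods sit behind.
	if err := WaitNoResolve(ctx, net.DefaultResolver.LookupHost, "auth-old.example.svc.cluster.local", 2*time.Second); err != nil {
		panic(err)
	}
}
```

Pair it with a context deadline, as above, so a Service that never empties fails the init-container visibly instead of hanging the rollout indefinitely.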
* Move GCP cloud clients into a separate interface
* Add azure mysql/postgresql flex server support
* Add teleport db configure create support for azure postgres/mysql flex servers
* discover both single and flexi server with 'mysql' and 'postgres' db types.
* go doc gcp interface
* Add is_flexi_server to database Azure config
- Add a generalized client store made up of a key, profile, and trusted certs store. Each sub store can support different backends (~/.tsh, identity_file, in-memory).
- Replace custom identity file handling with in-memory client store.
- Fix issues with trusted certs handling.
This PR includes a new Role resource version that is compatible with V5 spec.
The new resource introduces the `kubernetes_resources` definition that allows operators to limit the Kubernetes resources that each member can access. The `kubernetes_resources` entries must follow the following format: `{"kind":"<kind>", "namespace":"<namespace>","name":"<pod>"}`. Currently, it only supports objects of `kind` `pod`. Valid examples of `<namespace>/<name>`:
- `*/*`: matches all pods in all namespaces.
- `default/*`: matches all pods in the `default` namespace.
- `*/nginx-*`: matches every pod prefixed with `nginx-` in every namespace.
For older resource versions - V5, V4, V3 - `kubernetes_resources` is automatically populated with `{"kind":"pod","namespace":"*","name":"*"}` to keep compatibility. For the newest version, it's mandatory to define its value otherwise access to pods will be denied.
Part of #18434
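A matcher for the `kubernetes_resources` semantics described above, added here as an illustration and not Teleport's own access checker. It expands the `<namespace>/<name>` shorthand, applies the version rule (V3, V4 and V5 get the permissive default, any newer version must declare the list, and an empty list denies), and uses shell-style globbing; Teleport's real glob and deny-rule handling are not reproduced:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// KubernetesResource mirrors one {"kind","namespace","name"} entry of a
// role's kubernetes_resources list.
type KubernetesResource struct {
	Kind      string
	Namespace string
	Name      string
}

// legacyDefault is what V3, V4 and V5 roles are backfilled with.
var legacyDefault = []KubernetesResource{{Kind: "pod", Namespace: "*", Name: "*"}}

// ParseKubernetesResource expands the "<namespace>/<name>" shorthand used in
// the examples above into a pod entry.
func ParseKubernetesResource(s string) (KubernetesResource, error) {
	ns, name, ok := strings.Cut(s, "/")
	if !ok || ns == "" || name == "" {
		return KubernetesResource{}, fmt.Errorf("invalid kubernetes resource %q: want <namespace>/<name>", s)
	}
	return KubernetesResource{Kind: "pod", Namespace: ns, Name: name}, nil
}

// effectiveResources applies the version rule: the older versions listed in
// the description (V3, V4, V5) get the permissive default when nothing is set;
// any newer version keeps exactly what was declared, so an empty list denies.
func effectiveResources(roleVersion string, declared []KubernetesResource) []KubernetesResource {
	switch strings.ToLower(roleVersion) {
	case "v3", "v4", "v5":
		if len(declared) == 0 {
			return legacyDefault
		}
	}
	return declared
}

// globMatch treats the pattern as a shell-style glob. Namespaces and pod
// names never contain "/", so path.Match's "*" semantics fit.
func globMatch(pattern, value string) bool {
	ok, err := path.Match(pattern, value)
	return err == nil && ok
}

// PodAllowed reports whether the role (given its version and declared entries)
// grants access to pod namespace/name. Only kind "pod" is supported, as in the
// description; entries of any other kind are skipped rather than matched.
func PodAllowed(roleVersion string, declared []KubernetesResource, namespace, name string) bool {
	for _, r := range effectiveResources(roleVersion, declared) {
		if r.Kind != "pod" {
			continue
		}
		if globMatch(r.Namespace, namespace) && globMatch(r.Name, name) {
			return true
		}
	}
	return false
}
```

The deny-by-default branch for the newest version is the important one: a migrated role that forgets `kubernetes_resources` loses pod access rather than silently keeping `*/*`.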
* Switch golang.org/x/crypto to gravitational fork
* Update golden files
* Add comment to go.mod
* Update api module to use crypto fork.
* Move x/crypto to replaced section in dependabot.yml
* Fix listing all nodes in tsh
Usage of channels was flipped, we tried to write to collecting channel,
but nobody was reading from it, so we blocked forever. Now using simpler
version with mutex for synchronization, and doing it for db listings as
well for consistency.
* Add a new db engine
* Add tests for new engine
* Update tsh db subcommands
* Refactor error message and suggestions for unsupported tsh commands
* Add dynamodb to test plan
* Add AWS external ID to db config and update protos
This command allows you to modify a resource in place by opening
the resource YAML in your text editor.
The editor is selected by checking the following, in order of
precedence:
- the TELEPORT_EDITOR environment variable
- the VISUAL environment variable
- the EDITOR environment variable
- defaulting to 'vi'
We also prevent renaming resources with this command.
See gravitational/webapps#1465 where we do the same for the web UI.
This PR replaces the following PRs opened by dependabot:
- #19678
- #19677
It also bumps:
- Bump k8s.io/api from v0.25.4 to v0.26.0
- Bump k8s.io/apiextensions-apiserver from v0.25.4 to v0.26.0
- Bump k8s.io/apimachinery from v0.25.4 to v0.26.0
- Bump k8s.io/apiserver from v0.25.4 to v0.26.0
- Bump k8s.io/cli-runtime from v0.25.4 to v0.26.0
- Bump k8s.io/kubectl from v0.25.4 to v0.26.0
- Bump k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed to v0.0.0-20221128185143-99ec85e7a448
- Bump sigs.k8s.io/controller-runtime from v0.13.1 to v0.14.1
This commit adds a new Prometheus gauge `teleport_migrations` that
tracks for each migration if it is active (1) or not (0).
This gauge is then leveraged in `tctl top` to show a set of active
migrations.
In the context of Teleport Discover, we must be able to know if there's any DatabaseService available to proxy a given Database resource.
If there's none available, we will offer a script for the user to run and install a DatabaseService which proxies the desired Database resource.
By DatabaseService, we mean the process that Teleport binary manages when the `teleport.yaml` config has the following section:
```yaml
db_service:
enabled: "yes"
```
To accomplish this we are creating a new resource: DatabaseService.
The UI will fetch all DatabaseServices and check if there's any ResourceMatcher that matches the DatabaseLabels.
Previous PRs created the DatabaseService resource and its CRUD methods.
This PR adds a heartbeat for DatabaseServices similar to what we have for Databases.
There's also a new command to list DatabaseServices using `tctl`:
```
$ tctl get db_service --format text
Name Resource Matchers
------------------------------------ --------------------------------------
a6065ee9-d5ee-4555-8d47-94a78625277b (Labels: <all databases>)
d4e13f2b-0a55-4e0a-b363-bacfb1a11294 (Labels: env=[prod],aws-tag=[xyz abc])
```
Test using Teleport Cloud
```
dinis@lenix ~/p/cloudagents> tctl get db_services
kind: db_service
metadata:
  expires: "2022-12-21T18:05:10Z"
  id: 1671645310983808522
  name: 2a28d394-900c-42ea-a120-eed918e4526b
spec:
  resources:
  - labels:
      aws-tag:
      - xyz
      - abc
      env: prod
version: v1
dinis@lenix ~/p/cloudagents> tctl status
Cluster marcoacme.cloud.gravitational.io
Version 12.0.0-dev
```
Part of #19032
Related #19363, #19469
* Allow custom trace exporter for tsh
Trace forwarding via `tsh --trace` only works to date if Auth is
configured with the `tracing_service` enabled. In all other scenarios
the traces are still forwarded to Auth but are silently dropped.
This makes it difficult to capture valuable traces from customers
with latency issues as they are first required to setup a Telemetry
backend and enable tracing in their cluster.
A new `--trace-exporter` flag is added to `tsh` to make it possible
to direct traces from `tsh` to a file or local instance of jaeger
without having to modify their Teleport cluster. The url must follow
the same semantics as the config file equivalent.
One important caveat is that **only** the `tsh` spans will be captured.
Any corresponding `teleport` spans are exported according to the
`tracing_service`. While this only paints half the picture, it is
still a good indicator of where `tsh` may be experiencing latency.
An example usage to send traces to local files:
```bash
tsh --trace --trace-exporter=file:///some/path/traces ssh user@foo
```
Wire device authentication into `tsh`, so it attempts to acquire device
certificates after user login. This affects direct logins (`tsh login`),
indirect logins (RetryWithRelogin) and Connect.
If authentication fails (non-Enterprise cluster, device not enrolled, etc) `tsh`
proceeds as usual, but the final user certificate won't contain device
extensions.
gravitational/teleport.e#514
* Reduce latency of `tsh ls -R`
Listing nodes across clusters was done one cluster at a time. To
improve latency the same mechanism used by `tsh db ls -R` was copied
to ensure listing happens in parallel with an upper limit.
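The bounded fan-out that both the channel bug fix above (the `tsh ls` deadlock) and this `tsh ls -R` change describe, written as an added example for this page rather than copied from tsh. The per-cluster lister is injected so it runs offline; `Node` is a constructed stand-in for the server resource. Results are appended under a mutex, and a counting semaphore enforces the upper limit on concurrent listings:

```go
package main

import (
	"context"
	"sort"
	"sync"
)

// Node is a minimal stand-in for a Teleport server resource (constructed type).
type Node struct {
	Cluster  string
	Hostname string
}

// ListFunc lists the nodes of one cluster; injected so the example runs offline.
type ListFunc func(ctx context.Context, cluster string) ([]Node, error)

// ListAllClusters lists every cluster concurrently with at most maxParallel
// listings in flight, appending results under a mutex. Sending results on an
// unbuffered channel from each goroutine only works if a receiver is already
// draining it; if the collector runs after the senders, every sender blocks
// forever, which is the deadlock the mutex variant avoids.
func ListAllClusters(ctx context.Context, clusters []string, list ListFunc, maxParallel int) ([]Node, error) {
	if maxParallel < 1 {
		maxParallel = 1
	}
	sem := make(chan struct{}, maxParallel) // counting semaphore: the upper limit
	var (
		wg       sync.WaitGroup
		mu       sync.Mutex
		all      []Node
		firstErr error
	)
	for _, cluster := range clusters {
		cluster := cluster
		wg.Add(1)
		go func() {
			defer wg.Done()
			select {
			case sem <- struct{}{}: // acquire a slot
			case <-ctx.Done():
				mu.Lock()
				if firstErr == nil {
					firstErr = ctx.Err()
				}
				mu.Unlock()
				return
			}
			defer func() { <-sem }() // release the slot

			nodes, err := list(ctx, cluster)

			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				if firstErr == nil {
					firstErr = err
				}
				return
			}
			all = append(all, nodes...)
		}()
	}
	wg.Wait()
	if firstErr != nil {
		return nil, firstErr
	}
	// Goroutine completion order is arbitrary; sort for stable output.
	sort.Slice(all, func(i, j int) bool {
		if all[i].Cluster != all[j].Cluster {
			return all[i].Cluster < all[j].Cluster
		}
		return all[i].Hostname < all[j].Hostname
	})
	return all, nil
}
```

The semaphore is acquired inside a `select` on the context so that a cancelled listing does not leave goroutines parked waiting for a slot.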
* Enable nolintlint linter
* Fix nolint comments in the api package
* Fix RDP client comment
* Address review comment
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Allow unused for nolintlint linter
* Remove redundant casting
* Add comment on why allowed unused is enabled
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Added the ability to specify two CLI flags for Access Requests:
"--request-ttl" and "--session-ttl".
Updated "CreateAccessRequest" to adhere to the following rules.
If an Access Request does not have a TTL set (expiration time
types.AccessRequest resource itself), a default of 1 hour is used. Next,
the request value is truncated by the lifetime of the certificate,
requested expiration, and then strictest session TTL on all roles
requested.
Similar logic is followed for the expiration time of the elevated
certificate that will be issued if the Access Request is approved. First
the requested value is truncated by the lifetime of the certificate,
requested expiration, and then strictest session TTL on all roles
requested.
The output of "tsh requests ls" and "tctl requests ls" has been updated
to display the TTL values.
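The two truncation rules above, carried through in code as an added example (not the `CreateAccessRequest` implementation itself). The 1-hour default is from the description; the 30-hour absolute cap and the treatment of a zero `--session-ttl` as "no requested bound" are assumptions made for the example:

```go
package main

import (
	"errors"
	"time"
)

const (
	// defaultPendingRequestTTL is the "default of 1 hour" from the description.
	defaultPendingRequestTTL = time.Hour
	// maxCertDuration is an assumed absolute cap on any TTL (not stated on the page).
	maxCertDuration = 30 * time.Hour
)

var ErrTTLExpired = errors.New("computed TTL is not positive")

// truncateTTL applies the bounds in the order the description gives:
// remaining certificate lifetime, the requested expiration, then the
// strictest max session TTL among the requested roles. A zero requestedExpiry
// means "not requested" and imposes no bound (assumption).
func truncateTTL(now, certExpires, requestedExpiry time.Time, roleMaxSessionTTLs []time.Duration) (time.Duration, error) {
	ttl := maxCertDuration
	if remaining := certExpires.Sub(now); remaining < ttl {
		ttl = remaining
	}
	if !requestedExpiry.IsZero() {
		if requested := requestedExpiry.Sub(now); requested < ttl {
			ttl = requested
		}
	}
	for _, roleTTL := range roleMaxSessionTTLs {
		if roleTTL > 0 && roleTTL < ttl {
			ttl = roleTTL
		}
	}
	if ttl <= 0 {
		return 0, ErrTTLExpired
	}
	return ttl, nil
}

// RequestTTL is how long the pending Access Request itself stays valid
// (--request-ttl). With no expiry set, the 1 hour default applies first.
func RequestTTL(now, certExpires, requestExpiry time.Time, roleMaxSessionTTLs []time.Duration) (time.Duration, error) {
	if requestExpiry.IsZero() {
		requestExpiry = now.Add(defaultPendingRequestTTL)
	}
	return truncateTTL(now, certExpires, requestExpiry, roleMaxSessionTTLs)
}

// SessionTTL is the lifetime of the elevated certificate issued on approval,
// driven by --session-ttl (accessExpiry) and bounded the same way.
func SessionTTL(now, certExpires, accessExpiry time.Time, roleMaxSessionTTLs []time.Duration) (time.Duration, error) {
	return truncateTTL(now, certExpires, accessExpiry, roleMaxSessionTTLs)
}
```

A user whose own certificate has 30 minutes left therefore cannot obtain an elevated certificate that outlives it, whatever `--session-ttl` asks for; the role's `max_session_ttl` caps both values the same way.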
Many of our tests (db package, I'm looking at you) generate many RSA keys. This has two main side effects; makes our tests slow and flaky as CPU usage spikes in random moments when the tests are run in parallel.
This change pre-generates RSA keys at the beginning of each test module and reuse them in randomized order to reduce the situation that one key has been used multiple times in one test.
I had to move a few files to avoid circular dependencies.
This commit adds a new joinMethod as described in https://github.com/gravitational/teleport/pull/17905
This method allows pods running in the same Kubernetes cluster as the auth servers to join the Teleport cluster. It relies on Kubernetes tokens to establish trust. The goal is to be able to deploy proxies and auths separately and join them in a single cluster.
Pre Kubernetes 1.20, the tokens are static, long-lived, not bound to pods. We support them for compatibility reasons. Starting with Kubernetes 1.20, tokens are bound to pods (and starting with 1.21 they can be mounted through projected volumes). Starting with 1.21 we should only accept bound tokens. The chart will ensure tokens are properly mounted with projected volumes so we can benefit from the 1h to 10min token lifetime.
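Telling a bound token from a legacy static one, and enforcing "bound only from 1.21 on", as an added example that is not Teleport's join implementation. It inspects the unverified JWT payload: bound (projected) tokens carry an `exp` and a `kubernetes.io` object naming the pod, legacy secret-based tokens carry neither. Signature validity is assumed to be established separately (for instance with a TokenReview against the API server), which this offline example does not do. The claim layout is the standard kubelet one; the sample tokens are constructed:

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenClaims is the subset of service account token claims this check needs.
type tokenClaims struct {
	Sub        string `json:"sub"`
	Exp        *int64 `json:"exp"`
	Kubernetes *struct {
		Namespace string `json:"namespace"`
		Pod       *struct {
			Name string `json:"name"`
			UID  string `json:"uid"`
		} `json:"pod"`
	} `json:"kubernetes.io"`
}

// decodeClaims parses the JWT payload WITHOUT verifying the signature. It only
// classifies the token; trust must come from the API server (TokenReview).
func decodeClaims(token string) (*tokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a compact JWS (expected 3 segments)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c tokenClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return &c, nil
}

// IsBoundToken is true when the token is tied to a specific pod and expires.
func IsBoundToken(c *tokenClaims) bool {
	return c.Exp != nil && c.Kubernetes != nil && c.Kubernetes.Pod != nil && c.Kubernetes.Pod.Name != ""
}

// AcceptJoinToken applies the policy from the description: static tokens are
// tolerated only on clusters older than 1.21; from 1.21 on, only pod-bound
// tokens may join. It returns the namespace/pod the token is bound to (empty
// for a tolerated legacy token) so the caller can record which pod joined.
func AcceptJoinToken(token string, kubeMinorVersion int) (string, error) {
	c, err := decodeClaims(token)
	if err != nil {
		return "", err
	}
	if IsBoundToken(c) {
		return c.Kubernetes.Namespace + "/" + c.Kubernetes.Pod.Name, nil
	}
	if kubeMinorVersion >= 21 {
		return "", fmt.Errorf("rejecting unbound service account token for %q: cluster is 1.%d, bound tokens required", c.Sub, kubeMinorVersion)
	}
	return "", nil
}

// SampleToken assembles an unsigned token around the given claims JSON. This
// is constructed test data: the header and signature are placeholders.
func SampleToken(claimsJSON string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","kid":"example"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(claimsJSON))
	return header + "." + payload + ".placeholder-signature"
}
```

The pod binding is what makes the short (10 minute to 1 hour) projected-token lifetime meaningful: a leaked legacy token is valid until the Secret is deleted, a leaked bound token dies with its pod or its `exp`, whichever comes first.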
This commit ensures that `tctl desktops ls --format json|yaml` outputs a
list of `windows_desktop` resources. Note that `tctl desktops ls`
displays additional information that is only present in the
`windows_desktop_service`.
With `tctl windows_desktops ls --format json` now we get something like the
following:
```json
[
  {
    "kind": "windows_desktop",
    "version": "v3",
    "metadata": {
      ...
    },
    "spec": {
      ...
    }
  },
  ...
]
```
`tctl windows_desktops ls --format text` now also displays the same information
as `tctl get windows_desktop --format text` (removing all the info about the
`windows_desktop_service`):
```bash
❯ tctl get windows_desktop --format text
Name Address AD Domain Labels
--------------------------- ----------------- ----------- ------
EC2AMAZ-QME01PL-example-com 172.31.4.209:3389 example.com
❯ tctl windows_desktops ls
Name Address AD Domain Labels
--------------------------- ----------------- ----------- ------
EC2AMAZ-QME01PL-example-com 172.31.4.209:3389 example.com
```
Before this commit, events in the output of `tsh play --format=yaml` were
separated by a newline. This commit ensures that these events are now
separated by `---`, allowing the command output to play well with `yq`.
For consistency, the output of `tsh play --format=yaml <session-id>`
now mirrors what we get e.g. with `tctl nodes ls --format=yaml`.
The same applies to `tsh play --format json`.
Before this commit, users would `tctl get windows_desktop/<name>` and
`tctl desktops ls`. For consistency, `tctl windows_desktops ls` is now
the default but `tctl desktops ls` is kept as an alias for backwards
compatibility.