* add version compatibility callout to Cloud section
* consolidate partial usage in various guides
* remove partial consolidated into
* Apply suggestions from code review
Add missing roles to the tctl users add command and replace
the old admin role with the preset access and editor roles.
Signed-off-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Rob Langford <rob.langford1@gmail.com>
* Require enterprise license to create tokens including GHES support
* Enforce Enterprise on joining as well as token creation
* Fix tests and file formats for GHES enterprise licensing
* Use ErrRequiresEnterprise
* Fix imports >:(
The existing `build.assets` makefile targets had the actual build steps
coupled together with building the build box image. Because of how GHA
image builds work, we need to uncouple those tasks.
GHA also builds OSS and Enterprise teleports in parallel, so we needed
a new target to build the Enterprise release without also automatically
building the OSS bundle in series.
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Desktop session playback is currently the only playback that leverages
the StreamSessionEvents API (though that will change with RFD 91).
For this API, we were checking for VerbList instead of VerbRead.
(The SSH session APIs were correctly checking VerbRead).
Since all uses of actionForKindSession now use the same verb, I've
removed the verb as an argument to prevent this mistake from happening
again.
The session cache routine to purge expired sessions would not consider
a session which was not found in the cache or backend to be expired.
It would instead defer to the expiry of the session token. This results
in a window after a user has logged out for that session to still be
considered valid by any Proxy which did not process the logout request.
On logout the Proxy manually removes the session from the cache. So in
an HA configuration there is an inconsistent state between Proxies after
a user logs out which results in #197.
To remedy this the expiration routine should consider all sessions which
were not found in the cache/backend to be expired and purge them from
their session cache. This causes all Proxies to honor the logout as soon
as the deletion of the web session is processed.
Closes #197
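To make the HA race in the commit message concrete, here is an added Go simulation (not Teleport's code; all types and names are hypothetical) with a shared backend and two Proxies that each keep a local session cache. `logoutRace(false)` replays the old purge logic, which defers to the token expiry when a session is missing from the backend, and `logoutRace(true)` replays the corrected logic, which treats a missing session as expired:

```go
package main

import (
	"fmt"
	"time"
)

// webSession stands in for a Proxy's cached web session record (hypothetical type).
type webSession struct {
	ID      string
	Expires time.Time // expiry of the session token
}

// backend is the shared store every Proxy consults; a map replaces the real backend.
type backend struct {
	sessions map[string]webSession
}

func (b *backend) get(id string) (webSession, bool) {
	s, ok := b.sessions[id]
	return s, ok
}

// proxy models one Proxy instance with its own local session cache.
// missingIsExpired selects the corrected purge behaviour described in the commit message.
type proxy struct {
	name             string
	be               *backend
	cache            map[string]webSession
	missingIsExpired bool
}

func newProxy(name string, be *backend, missingIsExpired bool) *proxy {
	return &proxy{name: name, be: be, cache: map[string]webSession{}, missingIsExpired: missingIsExpired}
}

// isValid answers "is this session still good?" the way a Proxy would:
// the local cache wins, and only a cache miss goes to the backend.
func (p *proxy) isValid(id string, now time.Time) bool {
	if s, ok := p.cache[id]; ok {
		return now.Before(s.Expires)
	}
	s, ok := p.be.get(id)
	if !ok {
		return false
	}
	p.cache[id] = s
	return now.Before(s.Expires)
}

// logout is what the Proxy that receives the logout request does: it deletes the
// session from the shared backend and from its own cache only.
func (p *proxy) logout(id string) {
	delete(p.be.sessions, id)
	delete(p.cache, id)
}

// purgeExpired is the periodic routine; it returns the number of cache entries removed.
func (p *proxy) purgeExpired(now time.Time) int {
	purged := 0
	for id, cached := range p.cache {
		s, found := p.be.get(id)
		var expired bool
		switch {
		case !found && p.missingIsExpired:
			expired = true // fixed: a session deleted elsewhere counts as expired
		case !found:
			expired = !now.Before(cached.Expires) // old: defer to the token expiry
		default:
			expired = !now.Before(s.Expires)
		}
		if expired {
			delete(p.cache, id) // deleting during range is safe in Go
			purged++
		}
	}
	return purged
}

// logoutRace replays the scenario: both Proxies cache the session, the user logs out
// through proxy-a, proxy-b runs its purge routine. It returns whether proxy-b still
// accepts the session afterwards.
func logoutRace(missingIsExpired bool) bool {
	now := time.Now()
	be := &backend{sessions: map[string]webSession{
		"sess-1": {ID: "sess-1", Expires: now.Add(time.Hour)}, // constructed sample session
	}}
	a := newProxy("proxy-a", be, missingIsExpired)
	b := newProxy("proxy-b", be, missingIsExpired)
	a.isValid("sess-1", now)
	b.isValid("sess-1", now)
	a.logout("sess-1")
	b.purgeExpired(now)
	return b.isValid("sess-1", now)
}

func main() {
	fmt.Println("old purge logic, proxy-b still accepts the session:", logoutRace(false))
	fmt.Println("fixed purge logic, proxy-b still accepts the session:", logoutRace(true))
}
```

The window only closes when the purge routine runs, so the real fix still leaves a bounded delay equal to the purge interval; what it removes is the much longer window that lasted until the token itself expired.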
When the AWS Account ID is provided, we must check that it is a valid
one.
AWS Account ID is a well documented field: 12-digit string
This check is meant to prevent typos when creating Databases mainly from
the Web UI in the context of Teleport Discover.
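An added Go example of the check described above (hypothetical helper, not Teleport's own validator): an AWS Account ID is accepted only when it is exactly 12 ASCII digits, so a dropped digit, a pasted space or a letter typed in place of a digit is rejected with a message that says what was wrong.

```go
package main

import "fmt"

// ValidateAWSAccountID returns nil when id is a well-formed AWS Account ID
// (exactly 12 ASCII digits) and an error describing the problem otherwise.
// Hypothetical helper written for this note; it is not Teleport's own code.
func ValidateAWSAccountID(id string) error {
	if id == "" {
		return fmt.Errorf("aws account id is empty")
	}
	if len(id) != 12 {
		return fmt.Errorf("aws account id must be exactly 12 digits, got %d characters", len(id))
	}
	// Iterate over bytes: any multi-byte rune (for example a non-ASCII digit)
	// falls outside '0'..'9' and is rejected together with letters and spaces.
	for i := 0; i < len(id); i++ {
		c := id[i]
		if c < '0' || c > '9' {
			return fmt.Errorf("aws account id contains non-digit %q at position %d", c, i)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs, including the typos the check is meant to catch.
	for _, id := range []string{"123456789012", "000000000000", "12345678901", " 123456789012", "12345678901a"} {
		if err := ValidateAWSAccountID(id); err != nil {
			fmt.Printf("%q: rejected: %v\n", id, err)
		} else {
			fmt.Printf("%q: ok\n", id)
		}
	}
}
```

The check is deliberately strict rather than lenient: it does not trim whitespace, so a form field that accepts pasted input should trim before calling it, and leading zeros are valid because AWS Account IDs are opaque 12-digit strings, not numbers.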
* Add secure IP propagation from proxy to auth server when using ALPN
We're using PROXY protocol extensions called TLVs to send
signed JWT and proxy's certificate to the auth server. Auth
validates JWT using provided signing certificate and host CA
to make sure that IP information comes from our internal proxy.
* Move logic out of RoundTrip and into ServeHTTP as a middleware before handing off to oxy forwarder
* Move AWS signing service code into lib/utils/aws/signing.go
* use app server close context for audit event emitting
* add go doc comments.
* refactor request rewriting to make the copy in a more robust way.
* pass status code as uint32 rather than casting in audit emitter
* clone request instead of making a new request, and rewrite url to force https
* update header handling
* Set oxy forwarder to PassHostHeader=false to ensure the host header is
the URL being sought.
* Remove code that deleted forwarding headers previously, we should keep
those (X-Forwarded-*).
* Audit log the AWS Host sought rather than the incoming request Host
header (prior behavior maintained, we just rewrite the request
differently using Clone).
* Remove obsolete header copying helper func
Also improve the correctness of web tests that use waitForOutput
by checking if the output was received even when the read fails
with an error.
Fixes #17918
This commit adds a new Prometheus gauge `teleport_migrations` that
tracks for each migration if it is active (1) or not (0).
This gauge is then leveraged in `tctl top` to show a set of active
migrations.
* Reorganize early-stage docs sections
Closes #18127
Currently, there are two sections of the docs related to the earliest
stages of setting up Teleport, "Try out Teleport" and "Deploy a
Cluster". While the organization of our top-level docs sections attempts
to correspond to the stages a user goes through when setting up
Teleport, these combine some tasks that should probably be separated:
- **Choosing an edition and deploying a production cluster**: While the
"Deploy a Cluster" section includes our deployment guides as well as
our edition guides, users will likely commit to setting up Teleport
Cloud, Open Source, or Enterprise before they plan a full HA
production deployment.
- **Deploying a production cluster and deploying a small-scale Teleport
cluster:** While the "Deploy a Cluster" section includes the Linux
Server and Digital Ocean 1-Click guides, these two guides are more for
small-scale deployments than full production clusters.
This change improves the early-stage docs experience for new Teleport
users by:
Splitting the "Deploy a Cluster" section
----------------------------------------
The "Deploy a Cluster" section includes subsections related to choosing
a Teleport edition as well as subsections related to deploying a
production cluster. The problem with this approach is that it leaves no
room for adding introductory guides to help users with these two
purposes.
By splitting the "Deploy a Cluster" section into two top-level sections,
one related to choosing an edition and the other to deploying to
production, we can add introductory pages that put the subsections of
these sections in context.
_This change accompanies the work on #16751 to write a general guide to
HA Teleport deployments, since the new guide will have a prominent
place in the reorganized "Deploy a Cluster" section._
Adding introductory pages
-------------------------
Sections related to getting started with Teleport, "Try out Teleport"
and "Deploy a Cluster", were missing introductory pages. This change
adds them, and also adds one to the new "Choose an Edition" section.
Moving the Linux Server and Digital Ocean guides
------------------------------------------------
Move these to "Try out Teleport". The Digital Ocean guide didn't fit
with the rest of the deployment guides, since it's not about
architecting an HA deployment.
This is also a better home for the "Linux Server" guide, so this change
moves that as well.
Removing the "getting-started.mdx" page
---------------------------------------
This page is not reachable via the navigation menu.
* Respond to PR feedback
* Respond to PR feedback
Also minor text tweaks
In the context of Teleport Discover, we must be able to know if there's any DatabaseService available to proxy a given Database resource.
If there's none available, we will offer a script for the user to run and install a DatabaseService which proxies the desired Database resource.
By DatabaseService, we mean the process that Teleport binary manages when the `teleport.yaml` config has the following section:
```yaml
db_service:
  enabled: "yes"
```
To accomplish this we are creating a new resource: DatabaseService.
The UI will fetch all DatabaseServices and check if there's any ResourceMatcher that matches the DatabaseLabels.
Previous PRs created the DatabaseService resource and its CRUD methods.
This PR adds a heartbeat for DatabaseServices similar to what we have for Databases.
There's also a new command to list DatabaseServices using `tctl`:
```
$ tctl get db_service --format text
Name                                 Resource Matchers
------------------------------------ --------------------------------------
a6065ee9-d5ee-4555-8d47-94a78625277b (Labels: <all databases>)
d4e13f2b-0a55-4e0a-b363-bacfb1a11294 (Labels: env=[prod],aws-tag=[xyz abc])
```
Test using Teleport Cloud
```
dinis@lenix ~/p/cloudagents> tctl get db_services
kind: db_service
metadata:
  expires: "2022-12-21T18:05:10Z"
  id: 1671645310983808522
  name: 2a28d394-900c-42ea-a120-eed918e4526b
spec:
  resources:
  - labels:
      aws-tag:
      - xyz
      - abc
      env: prod
version: v1
dinis@lenix ~/p/cloudagents> tctl status
Cluster  marcoacme.cloud.gravitational.io
Version  12.0.0-dev
```
Part of #19032
Related #19363, #19469
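The matching step the commit message describes ("check if there's any ResourceMatcher that matches the DatabaseLabels") as an added Go example. This is not Teleport's code: the `Labels`, `ResourceMatcher` and `DatabaseService` types and the matching rules are assumptions chosen to reproduce the two matchers in the `tctl` output above, where `{"*": ["*"]}` is the `<all databases>` case and every other key must be present on the database with a value from the accepted list.

```go
package main

import (
	"fmt"
	"sort"
)

// Labels is a database's label set, for example {"env": "prod", "aws-tag": "xyz"}.
type Labels map[string]string

// ResourceMatcher has the shape shown in the tctl output: each label key maps to
// the list of accepted values, and {"*": ["*"]} stands for "<all databases>".
type ResourceMatcher struct {
	Labels map[string][]string
}

// DatabaseService pairs a service name with its resource matchers (hypothetical type).
type DatabaseService struct {
	Name     string
	Matchers []ResourceMatcher
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Matches reports whether the matcher accepts db. Assumed semantics: every key in
// the matcher must be present on the database, its value must be in the accepted
// list (or the list contains "*"), and an empty matcher matches nothing.
func (m ResourceMatcher) Matches(db Labels) bool {
	if len(m.Labels) == 0 {
		return false
	}
	if vals, ok := m.Labels["*"]; ok && len(m.Labels) == 1 && contains(vals, "*") {
		return true
	}
	for key, wanted := range m.Labels {
		got, ok := db[key]
		if !ok {
			return false
		}
		if !contains(wanted, "*") && !contains(wanted, got) {
			return false
		}
	}
	return true
}

// ServicesFor returns, sorted by name, the DatabaseServices able to proxy a database
// with the given labels. An empty result is the case where the Discover UI would
// offer the install script instead.
func ServicesFor(services []DatabaseService, db Labels) []string {
	var names []string
	for _, svc := range services {
		for _, m := range svc.Matchers {
			if m.Matches(db) {
				names = append(names, svc.Name)
				break
			}
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed services mirroring the two matchers in the tctl output above.
	services := []DatabaseService{
		{Name: "svc-all", Matchers: []ResourceMatcher{{Labels: map[string][]string{"*": {"*"}}}}},
		{Name: "svc-prod", Matchers: []ResourceMatcher{{Labels: map[string][]string{"env": {"prod"}, "aws-tag": {"xyz", "abc"}}}}},
	}
	for _, db := range []Labels{
		{"env": "prod", "aws-tag": "xyz"},
		{"env": "prod"},
		{"env": "dev", "aws-tag": "abc"},
	} {
		fmt.Printf("%v -> %v\n", db, ServicesFor(services, db))
	}
}
```

Note that a database missing a key the matcher requires does not match, even if the other keys agree; that is the edge case a UI check is most likely to get wrong if it only compares the keys both sides share.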
As we're now using a GitHub app to dispatch workflow requests from Drone to GHA, this patch updates the workflow runner script to handle app authentication.
Add device-aware authorization for SSH access, including both long-lived and
single-use certificates.
If the device trust mode is set to "required", then the presence of the
corresponding extensions is enforced. (Requires Teleport Enterprise.)
Adds logic related to TLS validation and single-use certificates as well, where
appropriate. TLS device-aware validation is not wired into Teleport yet, but
will be in follow-up PRs.
gravitational/teleport.e#514