With the arrival of Teleport 12, we stop supporting v10.x.x clients, and we no longer require the `types.KindKubernetesService` legacy heartbeat.
This change removes the legacy heartbeat from Kubernetes Service but keeps the legacy Auth Server CRUD methods and heartbeat support to maintain compatibility with Teleport 11 Kubernetes Service - Teleport 11 still heartbeats the legacy type.
We postponed the related `DELETES` to Teleport 13.
- Determine Go version for cache key automatically instead of hardcoding.
- Do not build ghcr CI images (etcd and buildboxes) on PRs to avoid unintended breakages.
- Only build/push them on push events which mirrors our current Drone setup. We might add ability to trigger them manually via workflow_dispatch events later.
- Add release branches pattern for buildbox images trigger as well.
- Remove packages: read permission from test jobs since buildbox images are now public.
Signed-off-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Victor Sokolov <gzigzigzeo@gmail.com>
- Webauthn on Windows is now supported
- per-session MFA for Database Access is supported
- Mention that OTP can only be used with tsh, not the web UI
Closes#18739
* Improve the Kubernetes Dynamic Registration guide
Some review comments for an earlier PR that edited the Standalone
Kubernetes guide (#18608) also apply to this one:
- Use systemctl to start TAR-based Teleport installations
- Edit the `curl` command that fetches the kubeconfig script so it uses
the Teleport release specified in the docs
* Respond to PR feedback
Closes#18304
- This applies to installing `teleport-cluster`, `teleport-kube-agent`,
and plugins, using the appropriate version variable for each.
- Some pages use the `--teleportVersionOverride` values setting instead
of `--version`. I've replaced this with `--version` for consistency.
Used this `awk` script to find `helm install` instructions that were
missing the `--version` flag:
```awk
find docs/pages -name "*.mdx" -exec awk '
BEGIN{v=0;i=0}
/helm install teleport-/{i++}
/--version \(=/{v++}
END{if(i>0 && i!=v) print FILENAME}' {} \;
```
Closes#9683
To reduce confusion, we should use "set up" as a verb, rather than
"setup", and treat "setup" only as a noun.
Note that one use of the term "setup" as a verb is in the Jira Server
guide, which #17546 intended to remove, but neglected to. This change
removes that instance of "setup" along with the rest of the surrounding
guide.
* markdown linting and spacing
* update ec2 discovery for bootstrapping
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* re-add invite token step
* remove sid
* document keys to adjust in example config
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Update docs/pages/server-access/guides/ec2-discovery.mdx
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* add reference to docs on IAM tokens
* Apply suggestions from code review
Co-authored-by: Alex McGrath <alex.mcgrath@goteleport.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* additional copy edits
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
Co-authored-by: Alex McGrath <alex.mcgrath@goteleport.com>
It was added in effort to debug flaky Connect builds (#15836).
However, we discovered that the v11.1.0 macOS version of Connect stopped
working. This was likely due to upgrade of electron-builder which recently
updated its process of building native deps
(electron-userland/electron-builder#7196).
In the Node.js ecosystem, the DEBUG env var is typically used to control
which packages emit debug messages [1]. However, after the update of
electron-builder, the env var also changed the behavior of one of the
packages responsible for building the apps.
This was confirmed by inspecting file tree between different app bundles
and running the build locally with DEBUG set to electron-*.
[1] https://www.npmjs.com/package/debug
This commit fixes a test flakiness that happened [here](https://github.com/gravitational/teleport/actions/runs/3578512131/jobs/6018743116#step:5:1375).
This was caused by concurrent updates of the same resource by the operator and the test suite. The operator handled conflicts gracefully, the test suite did not.
This PR adds a retry-on-conflict mechanism on the various resource updates made by the test suite.
* Update config.mdx
Update permit_user_env config reference comments to indicate that the ~/.tsh/environment file exists on the SSH server and not the client side. This caused confusion with users attempting to pass variables to sessions via the client.
* Update docs/pages/reference/config.mdx
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Update config.mdx
* Update docs/pages/reference/config.mdx
Co-authored-by: Gus Luxton <gus@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Gus Luxton <gus@goteleport.com>
Provide defaults for `TestTLSServerConfig` when passed to
`auth.NewTestServer()`, as some of those fields cannot be set from
outside `NewTestServer()`. The defaults are the same as when called
without a `TestTLSServerConfig`, which allows just some fields to be
set/overridden.
This is to allow `APIConfig.PluginRegistry` to be set.
* Include Go version in the cache key to prevent cache reuse when upgrading Go.
* Push buildboxes to Github container registry to avoid public ECR rate limiting.
Signed-off-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Victor Sokolov <gzigzigzeo@gmail.com>
Before this commit, events in the output of `tsh play --format=yaml` were
separated by a newline. This commit ensures that these events are now
separated by `---`, allowing the command output to play well with `yq`.
For consistency, the output of `tsh play --format=yaml <session-id>`
now mirrors what we get e.g. with `tctl nodes ls --format=yaml`.
The same applies to `tsh play --format json`.
If all etcd nodes are unreachable, Teleport exits with the following
message:
```
ERROR: initialization failed
context deadline exceeded
```
With this commit we get instead:
```
ERROR: timed out dialing etcd endpoints: [https://127.0.0.1:2381https://127.0.0.1:12381]
initialization failed
context deadline exceeded
```
Note that if only some of the etcd nodes are unreachable, the etcd
client already provides a useful error message:
```
ERROR: initialization failed
failed to dial endpoint https://127.0.0.1:12381 with maintenance client: context deadline exceeded
```
Before this commit, users would `tctl get windows_desktop/<name>` and
`tctl desktops ls`. For consistency, `tctl windows_desktops ls` is now
the default but `tctl desktops ls` is kept as an alias for backwards
compatibility.
* add info to docs about working with github enterprise server
* Update docs/pages/access-controls/sso/github-sso.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Review Edits for #18712 (#18755)
* add scopes for edited file to config.json
* replace ScopedBlock with Tabs for config example
* Update docs/pages/access-controls/sso/github-sso.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
There is an occasional race condition where the app session does not appear to
be reflected in the backend after it's created by the time the test logic in
the app access integration tests is run. This will (hopefully) address this
issue.
Parker process is only needed when a user is auto-provision by Teleport. Currently, this process always starts, which causes some problems when SELinux is enabled and may also cause issues with a similar mechanism as AppArmor.
This PR runs only the parker process only when it's really needed not for every SSH session reducing the problem mentioned above.
