* Allow a tsh aws user to specify a command to run with the AWS environment variables set
* Update name of the argument per feedback
* Address nits
---------
Co-authored-by: Daniel Ballenger <daniel@otter.ai>
Co-authored-by: Marek Smoliński <marek@goteleport.com>
Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
* Change formatting for "/version" endpoint
This PR changes the formatting for the "/version" endpoint since Kubernetes
clients do not expect a JSON response on that endpoint.
This PR returns the error message directly in the body without any
formatting so that `kubectl` is able to present the desired error.
```
kubectl version --short
Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.
Client Version: v1.25.4
Kustomize Version: v4.5.7
Error from server (InternalError): an error on the server ("this user cannot request kubernetes access, has no assigned groups or users") has prevented the request from succeeding
```
Fixes #20900
* change message wording
* add validation when generating kube creds
* fix typo
The current implementation of NewlyAdded() requires keeping a different implementation on production branches. The new implementation will allow the source code to be identical on all branches.
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Add SAML query functions to auth preferences and role.
Getter functions have been made for the new IdP configuration fields in the
AuthPreferences and RoleOptions.
* Remove role query, as we can access this in the object.
* Make sure the IdP options section won't hit any nil pointer errors.
This PR removes a deprecated warning when Teleport proxy starts.
If the cluster is running in multiplex mode the warning is not valid
because Kubernetes Proxy is enabled by default using ALPN proxy
listener.
* BPF build fix
https://github.com/gravitational/teleport/pull/21745 switched the CentOS 7 image to the upstream, but I missed a few other places where we're using our fork.
This change fixes all places.
* Add missing FIPS changes
* Update e
This commit adds a user message ("Detected security key tap") that is
printed at the earliest opportunity after `tsh` successfully detects a
security key tap.
This solves a problem users have when there is significant latency in
their connection to their teleport proxy, where there may be zero
visible feedback to the user for upwards of 8 seconds after they tap
their security key.
This often causes users to think that the tap was not detected or
failed, and they attempt to tap again.
This can cause the user to accidentally paste a "yubisneeze" into their
terminal, which is not great from a security perspective.
As an API choice here I added a `TouchAcknowledger` returned by the
`PromptTouch` of the `LoginPrompt` interface.
It may seem like a bit of a weird API, but I did it this way so that all
callers of `PromptTouch` are forced to explicitly acknowledge the touch
or explicitly ignore that return value, they cannot simply forget to ack.
This applies to WebAuthn and Passwordless logins from `tsh`, no changes
are made to Connect.
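The acknowledge-on-return pattern the commit above describes, sketched as an added Go example. This is not Teleport's code: the `LoginPrompt`, `TouchAcknowledger`, `terminalPrompt` and `doLogin` names and signatures are assumptions made for illustration. The point it demonstrates is that because `PromptTouch` returns the acknowledger, a caller must either call it or explicitly discard it, and calling it right after the touch is detected (before the slow proxy round-trip) gives the user feedback at the earliest moment.

```go
package main

import (
	"errors"
	"fmt"
)

// TouchAcknowledger is a hypothetical stand-in for the value the commit
// describes: PromptTouch hands it to the caller, who must call it once the
// security key tap has been detected (or deliberately discard it with `_`).
type TouchAcknowledger func()

// LoginPrompt is the assumed shape of the interface: prompting for a touch
// yields the acknowledger rather than printing the "detected" message itself.
type LoginPrompt interface {
	PromptTouch() (TouchAcknowledger, error)
}

// terminalPrompt records user-facing messages instead of writing to a TTY so
// the flow can be checked offline.
type terminalPrompt struct {
	out []string
}

func (p *terminalPrompt) write(msg string) { p.out = append(p.out, msg) }

// PromptTouch prints the tap request and returns an idempotent acknowledger
// that prints the "Detected security key tap" line at most once.
func (p *terminalPrompt) PromptTouch() (TouchAcknowledger, error) {
	p.write("Tap any security key")
	acked := false
	return func() {
		if acked {
			return
		}
		acked = true
		p.write("Detected security key tap")
	}, nil
}

// doLogin models a WebAuthn-style login: prompt, block until the key is
// tapped, acknowledge immediately, and only then do the (possibly slow)
// exchange with the proxy. waitForTouch and finishWithProxy are injected so
// the example needs no hardware or network.
func doLogin(prompt LoginPrompt, waitForTouch func() error, finishWithProxy func() error) error {
	ack, err := prompt.PromptTouch()
	if err != nil {
		return err
	}
	if err := waitForTouch(); err != nil {
		return err // no tap was detected, so nothing to acknowledge
	}
	ack() // feedback reaches the user before the proxy round-trip, not after
	return finishWithProxy()
}

// runLogin wires a recording prompt into doLogin and returns the messages the
// user would have seen, in order, plus any login error.
func runLogin(waitForTouch, finishWithProxy func() error) ([]string, error) {
	p := &terminalPrompt{}
	err := doLogin(p, waitForTouch, finishWithProxy)
	return p.out, err
}

func main() {
	msgs, err := runLogin(func() error { return nil }, func() error { return nil })
	fmt.Println(msgs, err)
	_, err = runLogin(func() error { return errors.New("no key tapped") }, func() error { return nil })
	fmt.Println(err)
}
```

The `_ =` escape hatch is what makes the API explicit: a caller that drops the acknowledger has to write that decision down, and `go vet`-style review catches a silently unused return far more easily than a forgotten print call buried in a long flow.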
* Add more info re: AWS credentials to the docs
Closes #2781
- Add a partial for how to provide credentials to Teleport's AWS client.
Since this includes adding environment variables to the file used by
our systemd service, I also created a partial re: how to configure
Teleport's systemd service and added these two partials to the
relevant guides.
- Removed `Admonition`s that link to the docs re: AWS credentials in
favor of the partial above. (The partial links to the Go SDK for AWS
docs for situations where users have a specific use case.)
- Remove mentions of the AWS credential-related config settings from the
Backends reference. The example config snippets don't actually include
the `access_key` and `secret_key` settings, so these are left over
from an earlier version of the guide. While you can still add these
settings to a config file, I thought it would make sense to leave them
undocumented since using an EC2 instance, environment variables, etc.
is the recommended approach.
- Split the S3/DynamoDB sections of the Backends reference into
subsections so the extra authentication info fits a bit better.
* Respond to PR feedback
* Add new partials to the RDS Proxy guide
Update to libbpf 1.0.1 and github.com/aquasecurity/libbpfgo v0.4.5-libbpf-1.0.1. As we're building our releases on CentOS 7 anyway we can also switch to mainstream libbpf instead of using our fork.
This PR removes the requirement of providing a cluster name to log in
to if the user provides the `--all` flag.
If the user does not provide a cluster, Teleport does not select any
cluster by default.
Fixes #21713
* SAML IdP session objects.
The upcoming SAML IdP feature requires session storage in the backend. To
support that, the `WebSession` that has been adapted for app sessions and
Snowflake sessions has been adapted for SAML IdP sessions.
The SAML IdP will be encoding the session structure as JSON and packing it
into the new `data` field within the web session.
* Update api/types/session.go
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* Use specific structure instead of a JSON blob.
* Update the create SAML session request.
* Make SAML session a pointer.
* Add in link to crewjam/saml object.
---------
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
The reqs member of the mock Firestore Server used in the `TestDeleteDocuments`
test was occasionally causing a data race. Accesses to this field have now
been wrapped in a lock.
An issue with `gravitational/docs` caused the docs linter to stop
catching issues for a period of time. Now that we have addressed the
linter issue, this change addresses warnings/errors flagged by the
linter.
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Add Device to LocketTarget proto
* Refactor LockTarget.Match
* Test lib/srv.ComputeLockTargets
* Test lib/services.LockTargetsFromTLSIdentity
* Test device lock during cert issuance
* Add device lock targets where applicable
* Add --device to `tctl lock`
* Fix godocs (unrelated)
* Review: Drop redundant comments
* Make UsageSessionStart more selective and granular for app access
* Allow generic "app" kind for app.session.start
app.session.start is consistently emitted, just not consistently stored
* Avoid singling out aws app access
* Use the same check as app access
* Reuse auth token when upgrading a Helm chart without token
When upgrading a Helm chart and not providing the auth token because it
was previously set, Helm deleted the secret and StatefulSet pods became
stuck because the secret does not exist.
This PR reads the secret value from the previous upgrade/install and
reuses it during the upgrade.
Fixes #20761
* remove secret lookup
The `tsh app` family of commands is aliased to `tsh apps`, so both
invocations work correctly. The command itself is defined as `tsh apps`,
so this is what appears in the help message.
Update references to `tsh app` to recommend `tsh apps` instead so that
there isn't confusion when browsing `tsh help` and looking for a missing
`app` subcommand.
Fixes#21367