While working on https://github.com/gravitational/teleport/pull/32911 I
noticed the following broken error comparison, which would always log
because the error was always wrapped and never exactly matched
`http.ErrServerClosed`:
```
if err != nil && err != http.ErrServerClosed {
log.Warningf("TLS server exited with error: %v.", err)
}
```
I tried to fix it with `errors.Is`, but unfortunately got the condition
inverted. This fixes the condition to match the original intended
behaviour. It's not useful to log `http.ErrServerClosed` errors because
that error is returned every time the server is manually closed.
services.UsersService now takes a context and returns the user
from write operations as shown in the diff below. The bulk of the
changes are from modifying code to account for the additional
parameter and/or return value. Functional changes to better make
use of the new API will come in follow up PRs.
```diff
// UserGetter is responsible for getting users
type UserGetter interface {
// GetUser returns a user by name
- GetUser(user string, withSecrets bool) (types.User, error)
+ GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error)
}
// UsersService is responsible for basic user management
type UsersService interface {
UserGetter
// CreateUser creates user, only if the user entry does not exist
- CreateUser(user types.User) error
+ CreateUser(ctx context.Context, user types.User) (types.User, error)
// UpdateUser updates an existing user.
- UpdateUser(ctx context.Context, user types.User) error
+ UpdateUser(ctx context.Context, user types.User) (types.User, error)
// UpdateAndSwapUser reads an existing user, runs `fn` against it and writes
// the result to storage. Return `false` from `fn` to avoid storage changes.
// Roughly equivalent to [GetUser] followed by [CompareAndSwapUser].
// Returns the storage user.
UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error)
// UpsertUser updates parameters about user
- UpsertUser(user types.User) error
+ UpsertUser(ctx context.Context, user types.User) (types.User, error)
// CompareAndSwapUser updates an existing user, but fails if the user does
// not match an expected backend value.
CompareAndSwapUser(ctx context.Context, new, existing types.User) error
// DeleteUser deletes a user with all the keys from the backend
DeleteUser(ctx context.Context, user string) error
// GetUsers returns a list of users registered with the local auth server
- GetUsers(withSecrets bool) ([]types.User, error)
+ GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
// DeleteAllUsers deletes all users
- DeleteAllUsers() error
+ DeleteAllUsers(ctx context.Context) error
}
```
Depends on gravitational/teleport.e#2346
Implements step 3 of #32949
This PR fixes a problem where Kubernetes cannot transform the bool value
into a string.
```
Deployment in version "v1" cannot be handled as a Deployment: json: cannot unmarshal bool into Go struct field EnvVar.spec.template.spec.containers.env.value of type string
```
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Fix `tsh kube credentials` when root cluster roles don't allow Kube access
This PR fixes an edge case where an error message is printed to the
users without proper knowledge of the role mappings between root and
leaf clusters.
The user certificates include the `kubernetes_users` and
`kubernetes_groups` allowed in the root cluster but nothing prevents the
access to be sucessfull if the leaf cluster roles after the mapping
introduce the kubernetes principals.
This PR prevents tsh from failing when generating certificates for leaf
Kubernetes clusters.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Update tool/tsh/common/kube.go
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* add check to tsh proxy
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* Reword Troubleshooting section in Connect docs
* Point readers towards Open Logs Directory button
* Mention specific manifestations of partially unusable UI
* Update commands for removing tsh and app_state.json
* Reduce instances of "just"
* agent lifecycle -> the lifecycle of the agent
* proxy version -> Teleport Proxy Service version
* Simplify sentence about local user requirement
* Add screenshots of Connect My Computer
* Update screenshots of Connect UI
* Minor typos
* Update docs/pages/architecture/proxy.mdx
* fix capitalization and hyphenation and make features more parallel
* fix identity typo
---------
Co-authored-by: Gabriel Petrovay <gabipetrovay@gmail.com>
* Header `Connection: close` causes `kubectl` to fail exec
The header `Connection: close` causes failure in kubetl when it upgrades
the connection to SPDY.
The `ReadTimeout` and `WriteTimeout` are known to cause problems to
Kubernetes watch streams.
Fixes#33020
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* add unit tests
---------
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Add Docker to the access request plugin partial and Discord section
* Update another partial for Docker
* Restore variable to teleport.plugin.version
* Update docs/pages/includes/plugins/install-access-request.mdx
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
---------
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Start migrating services.Identity to use context and return users
Adds new variants of existing methods that are going to be updated
to support propagating context and return users from create, update
and upsert. This is an unfortunate step required because e utilizes
the interface for various functionality. In order to prevent breaking
builds, the temporary methods were added so that e can be converted
to them first, then oss can be updated to the new version of the
interface. Once that is done e will be converted and then the temp
methods will be removed.
* fix typos in comment
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* fix: don't set metadata on existing item in CAS
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* fix: gci
* fix: set resource id on update
---------
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
As per https://support.apple.com/en-in/HT210176:
> TLS server certificates must contain an ExtendedKeyUsage (EKU)
extension containing the id-kp-serverAuth OID.
We were not specifying this EKU.
Validated by checking with the old self-signed certs:
$ security verify-cert -c webproxy_cert.pem -p ssl -r webproxy_cert.pem
Cert Verify Result: Invalid Extended Key Usage for policy
And then repeating the process after this change:
$ security verify-cert -c webproxy_cert.pem -p ssl -r webproxy_cert.pem
...certificate verification successful.
Closes#32531
* Bump the go group in /integrations/kube-agent-updater with 2 updates
Bumps the go group in /integrations/kube-agent-updater with 2 updates: [github.com/docker/distribution](https://github.com/docker/distribution) and [golang.org/x/mod](https://github.com/golang/mod).
Updates `github.com/docker/distribution` from 2.8.2+incompatible to 2.8.3+incompatible
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.2...v2.8.3)
Updates `golang.org/x/mod` from 0.12.0 to 0.13.0
- [Commits](https://github.com/golang/mod/compare/v0.12.0...v0.13.0)
---
updated-dependencies:
- dependency-name: github.com/docker/distribution
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: golang.org/x/mod
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
...
Signed-off-by: dependabot[bot] <support@github.com>
* Replaced deprecated import
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Bumps the go group in /assets/backport with 1 update: [golang.org/x/oauth2](https://github.com/golang/oauth2).
- [Commits](https://github.com/golang/oauth2/compare/v0.12.0...v0.13.0)
---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the go group in /build.assets/tooling with 2 updates: [golang.org/x/mod](https://github.com/golang/mod) and [golang.org/x/oauth2](https://github.com/golang/oauth2).
Updates `golang.org/x/mod` from 0.12.0 to 0.13.0
- [Commits](https://github.com/golang/mod/compare/v0.12.0...v0.13.0)
Updates `golang.org/x/oauth2` from 0.12.0 to 0.13.0
- [Commits](https://github.com/golang/oauth2/compare/v0.12.0...v0.13.0)
---
updated-dependencies:
- dependency-name: golang.org/x/mod
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Adds new RPCs which return the modified connector from write
operations. Server side and interface changes will be don in follow
up PRs to prevent breaking e. This is the first step in enforcing
optimistic locking for auth connectors.
Contributes to #30416.
* Add docs for Connect My Computer
* Update Troubleshooting Connect My Computer header
This way it doesn't conflict with the general Troubleshooting header.
* Add troubleshooting section about expired token
* Expand section on agent not being visible in cluster
* Mention that logout removes the agent
* OneOff Script: use ent build if cluster is Enterprise
We were always using the OSS version of teleport in the one-off scripts.
This PR changes that to pick the correct version depending on the
running version in the Proxy.
* use gzip bestspeed for compressing files
* Remove check that enforces slack oauthProviders are set
* Remove test that checks for an error when hosted plugins is true
* Set hosted plugins to always be true
* Update tests that check hosted plugins is disabled
* Add comment explaining hosted being set to true at all times
When user starts a session, we do not report the initial command used
which causes visibility problems to moderators when they need to figure
out if they join or not the session.
This PR exposes the intial command for SSH and Kubernetes so moderators
can decide if they want to join the session or not based on the initial
command.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
When checking GHA logs of OS Compatibility build, I notice info log
```
The repository will be downloaded using the GitHub REST API
To create a local Git repository instead, add Git 2.18 or higher to the PATH
```
suggesting that our self-compiled git is not being used. For some reason out git binary was installed in /usr/local/usr/local/bin/git. I removed the additional /usr/local prefix to install the binary in the correct directory. I also updated git to the latest version.
* docs: Add WinSCP to PuTTY client instructions
* Restore validity section
* Restore validity section
* Formatting tweaks
* Merge lists
* Change title
* Fix docs link title to match page
* Bump tsh version for WinSCP support
* Whitelist WinSCP in spellcheck
* putty.mdx -> putty-winscp.mdx
The Vercel preview workflow currently inserts the head branch of a pull
request into the edge version of the Teleport docs. This makes it
difficult to post a link to the correct version, since we need to
include the version number in the path.
This change edits the Vercel preview workflow to include only one
version of the docs--the user's version--in the preview site. This makes
it easier to find the user's changes.
* log message improvements
* fix etcd cleanup
* re-enable TestHSMDualAuthRotation
* retry client connection tests
* fixes based on code review
* make fix-imports
* fix: use EventuallyWithT
* set short polling period
