It was discovered that some customers' EKS clusters did not have their IMDSv2 hop limits
set correctly, causing requests for key functionality to attempt IMDSv1 fallback and fail.
For now, re-enable IMDSv1 fallback by way of removing the explicit disabling of
`EC2MetadataEnableFallback` until better documentation, error handling, and other work
can be done to inform customers that they need to correctly set their IMDSv2 hop limits.

Two changes to AWS SDK usage:
Teleport should never use AWS IMDSv1 for requests, so disable the
ability to fallback to it, as it could be a malicious attempt to
downgrade security.
Teleport generally prefers FIPS endpoints when in FIPS mode, but
there were a few places that were not selecting the FIPS endpoints.
Ensure that the FIPS endpoints are used if BoringCrypto is being used.
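An added illustration (not Teleport's code) of what "no IMDSv1 fallback" means in practice: a minimal IMDSv2-only client that fails closed when the token PUT does not succeed, which is exactly where a hop limit of 1 shows up for a containerised workload. The `IMDSClient` and `ErrIMDSv2Unavailable` names are assumptions; the header names, paths and the 169.254.169.254 endpoint are the documented IMDS ones.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"time"
)

// ErrIMDSv2Unavailable is returned when the token request fails. Callers treat it as a
// hard failure: retrying over IMDSv1 would silently downgrade security.
var ErrIMDSv2Unavailable = errors.New("IMDSv2 token request failed: check that IMDSv2 is enabled and the hop limit is high enough for containerised workloads")
// IMDSClient (assumed name) reads EC2 instance metadata over IMDSv2 only. Base is the
// metadata endpoint (http://169.254.169.254 on an instance; tests point it at a local server).
type IMDSClient struct {
	Base string
	HTTP *http.Client
}
func (c *IMDSClient) do(req *http.Request) (string, int, error) {
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), resp.StatusCode, err
}
// Token obtains a session token with a PUT. With a hop limit of 1 this call fails from
// inside a container, and the failure surfaces here instead of as an IMDSv1 request.
func (c *IMDSClient) Token(ttl time.Duration) (string, error) {
	req, _ := http.NewRequest(http.MethodPut, c.Base+"/latest/api/token", nil)
	req.Header.Set("X-aws-ec2-metadata-token-ttl-seconds", fmt.Sprint(int(ttl.Seconds())))
	body, status, err := c.do(req)
	if err != nil || status != http.StatusOK {
		return "", fmt.Errorf("%w (status %d, err %v)", ErrIMDSv2Unavailable, status, err)
	}
	return body, nil
}
// Get fetches a metadata path with the session token attached; it never retries without it.
func (c *IMDSClient) Get(token, path string) (string, error) {
	req, _ := http.NewRequest(http.MethodGet, c.Base+path, nil)
	req.Header.Set("X-aws-ec2-metadata-token", token)
	body, status, err := c.do(req)
	if err != nil || status != http.StatusOK {
		return "", fmt.Errorf("metadata %s: status %d, err %v", path, status, err)
	}
	return body, nil
}
```

On a misconfigured host the only symptom is `ErrIMDSv2Unavailable` from `Token`, which is the error a caller should log verbatim rather than paper over with an unauthenticated GET.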
Standardize `examples/teleport-usage` to use the same base image
and other (general) build commands as `integrations/kube-agent-updater`
and `integrations/operator`.
The main change is moving from `debian:stable-slim` to `distroless/static-debian12`.

The Golang Docker images used in 'build.assets/Dockerfile-grpcbox' and 'examples/teleport-usage/Dockerfile' have been updated from version 1.20 to version 1.21.

When the script detects throttling it automatically scales the RCU,
however it was allowing the RCU to reach 0 which is an invalid
value. Any subsequent requests with a 0 RCU end up terminating the
script due to errors from the request. The RCU is now capped at a
minimum value of 1 to prevent this.

CredentialsChainVerboseErrors is now set in the aws.Config to provide
more actionable error messages when credentials are not configured
correctly. Users who had authentication issues would previously see
the following:
> 2023/07/11 16:50:25 NoCredentialProviders: no valid providers in chain. Deprecated.
> For verbose messaging see aws.Config.CredentialsChainVerboseErrors
By setting the config value to true users will now see more detailed output:
> 2023/07/12 10:56:06 NoCredentialProviders: no valid providers in chain
> caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
> SharedCredsLoad: failed to load profile, .
> EC2RoleRequestError: no EC2 instance role found
> caused by: RequestError: send request failed
The README was also updated to include instructions on how to authenticate
and run the script from outside the Auth server, should users choose to do so.

* Update to Readme for Teleport Usage
Cleaning up the Readme. Removing the prompt option as it is no longer an option. Also clarifying where to find the container image version. Lastly, reordered the docker command to be backwards compatible on Docker.
* Update examples/teleport-usage/README.md
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Update examples/teleport-usage/README.md
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
---------
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Added SSL Certificate install
* Update examples/teleport-usage/Dockerfile
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
* Update examples/teleport-usage/Dockerfile
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
---------
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>