Commit graph

292 commits

Author SHA1 Message Date
Zac Bergquist ff4c307453
Update to Go 1.18.3 (#13103) 2022-06-02 16:10:57 +00:00
Alan Parra 8b104d1860
Consistently set macOS min version (#13070)
Set the macOS deployment target, ensuring that statically linked libfido2 `tsh`
builds run correctly on older macOS versions.

#9160

* Consistently set macOS min version
* Bump min macOS version to 10.13
2022-06-02 15:13:24 +00:00
Zac Bergquist 1286528748
Update Rust to 1.61.0 (#12779) 2022-06-01 22:24:21 +00:00
Alan Parra 1af3c11acf
Make sure LIB_CACHE exists before creating temp dir inside it (#13035)
Fixes Drone breakage.

#9160
2022-05-31 19:22:17 +00:00
Alan Parra 8302d467d1
Improved touch ID availability and diagnostics (#12963)
Since #12794 we now build `tsh` binaries with touch ID capabilities. This calls
for a more sophisticated mechanism to determine if touch ID functions should be
enabled, as compile-time support only is not enough.

I've added the following checks, on top of compile-time / `touchid` build tag:

- Binary is signed
- Binary has entitlements
- Machine is touch ID capable
- Machine has a Secure Enclave

Put together this gives us a much better proxy on whether to enable touch ID.

I've also added the `tsh touchid diag` command, mentioned in the Passwordless
macOS RFD (see
https://github.com/gravitational/teleport/blob/master/rfd/0054-passwordless-macos.md#tsh-support-commands).

#9160

* Improved touch ID availability and diagnostics
* Add the `tsh touchid diag` command
* Set min macOS version to 10.12 (macOS Sierra)
2022-05-31 17:10:06 +00:00
Alan Parra 7567c5502d
Build tsh with static libfido2 for macOS (#13001)
Add a script to build libfido2 (and its dependencies) on macOS and enable FIDO2
static builds.

I decided to build all dependencies instead of pulling from Homebrew for a few
reasons:

1. There is no libcbor.a in a brew package
2. This captures library versions within the Teleport source code, allowing us
   to build binaries against different versions of libfido2 (and its
   dependencies).

I've also bumped libfido2 to 1.11.0. I've been running it locally and we are
still pre-release, so it seems like a good time to do it.
(See https://developers.yubico.com/libfido2/Release_Notes.html.)

#9160

* Build libfido2 and dependencies for macOS
* Build tsh with static fido2 on Drone
* Bump libfido2 versions in all builds
* Attempt to appease linters
* Use temp dirs inside LIB_CACHE
* Move LIB_CACHE outside of HOME

HOME is reassigned in macOS builders, but we want a "stable" cache
directory. /tmp is used by build-package.sh and build-pkg-tsh.sh.

* Rename script to build-fido2-macos.sh
* Regenerate Drone files
2022-05-31 14:50:56 +00:00
Alan Parra 99ad5c59a4
Build macOS installer for tsh.app (#12751)
Changes how `make pkg-tsh` works so instead of building an installer for the
`tsh` binary, placed under `/usr/local/bin`, we install an app to
`/Applications/tsh-vXXX.app` and link its `tsh` binary to `/usr/local/bin`.

The app shell is necessary to distribute a provisioning profile along with the
signed/entitled/notarized binary. All of that is required for Touch ID to work.
Naked `tsh` binaries are unable to use Touch ID, even if built with the correct
build tags.

I've elected to split the logic from `build-package.sh` into a separate script -
it already does too much as-is. `build-pkg-tsh.sh` is more idiomatic, clears
additional `shellcheck` rules and is easier to dry-run.

#9160

* Build macOS installer for tsh.app
* Add resources to build the tshdev app
Moved from e/

* Add resources to build the tsh app (prod)
* Use production values
* Remove 'tsh' mode from build-package.tsh
* Appease buildbox linter
* Clarify one-time setup
2022-05-23 20:56:21 +00:00
Zac Bergquist a7ab44f15b
Fix linter after Go 1.18 upgrade (#12585)
* Update golangci-lint

To accommodate the recent Go 1.18 upgrade

* Fix new lint warnings as a result of linter upgrade

* Set golangci-lint to Go 1.18 mode

golangci-lint will automatically skip linters that don't have support
for Go 1.18.

See: https://github.com/golangci/golangci-lint/issues/2649
2022-05-11 21:53:37 +00:00
Zac Bergquist f0bb6b4fef
Update to Go 1.18 (#12578)
And update e ref to pick up gravitational/teleport.e#424
2022-05-11 11:23:50 -06:00
Alan Parra af3488211c
Reinstate FIDO2 builds for amd64/Centos7 and use pkg-config (#12093)
Reinstates Linux/amd64 and Centos7/amd64 builds using libfido2, now hidden
behind an explicit FIDO2 flag (similarly to FIPS).

This PR pulls in gravitational/go-libfido2#4 and adds the required pkg-config
setup so we can perform both dynamic (mostly testing) and static (tsh) builds.
Additionally, pkg-config is now the gateway for whether we run libfido2-related
tests (which should always happen in CI).

#9160

* Re-enable libfido2 builds for amd64 and Centos7
* Use pkg-config to build tsh with libfido2
* Install Centos7 libudev-zero to /usr/local/lib64
* Update gravitational/go-libfido2
* Remove /usr/local/lib from Centos PKG_CONFIG_PATH
2022-04-28 16:32:02 +00:00
Gus Luxton 8852a3e01d
docker: Add lint-helm to build.assets Makefile (#12178) 2022-04-26 12:01:01 +00:00
Alex McGrath c40d6dc701
Add enter-root to makefile (#12141) 2022-04-22 10:50:24 +00:00
Gus Luxton 6090379bce
docs: Don't lint external links when running in CI (#12058)
Original behaviour did not take effect in CI due to a different entrypoint.

This restores the original behaviour (which will lint external links when using make -C build.assets test-docs) but disables the external linting in CI for reliability.

Updates #11940
2022-04-19 16:00:17 +00:00
Alan Parra 4534d97a95
Keep root as the default buildbox user (#12032)
Fixes breakages on GCB and Drone.

* Keep root as the default buildbox user
* Disable static tsh+fido2 builds
2022-04-18 18:06:59 +00:00
Alan Parra 9c89c00806
Build tsh with static libfido2 in buildbox and Centos7 (#11849)
Build `tsh` with static `libfido2`, `libcbor`,`libcrypto` and `libudev-zero`.

Dockerfiles for buildbox and Centos7 changed. FIPS and macOS to be addressed at
a later date.

Add the `tsh fido2 diag` hidden command for ease of testing.

#9160

* Update go-libfido2 and tidy modules
* Add a fido2 diagnostic command to tsh
* Add a few build artifacts to .gitignore
* Build tsh with static libfido2 in buildbox
* Build tsh with static libfido2 in centos7
* Add a few relevant cmake flags
* Use illiliti/libudev-zero
* Do multi-stage build on centos7, image tweaks
* Add `make enter/centos7`
* s/OFf/OFF/g
2022-04-18 14:07:10 +00:00
Gus Luxton 0dac87080c
docs: Don't lint external links (#11940)
These tests are regularly registering false failures, likely due to rate limiting on the web hosts which are serving the external links.
2022-04-15 04:48:03 +00:00
Roman Tkachenko 715dbb8a5d
Bump Go to 1.17.9 (#11931) 2022-04-14 02:35:00 +00:00
Edoardo Spadolini a35b5c1959
Display elapsed time in render-tests output (#11828) 2022-04-12 14:25:09 +00:00
Rafał Cieślak 6fb9f871a3 Add grpc-teleterm Makefile target
The grpc-tools package is needed to generate gRPC files for JavaScript.
However, at the moment it can't be installed on M1 MacBooks because of
missing prebuilt binaries for arm64. [1]

One of them, protoc, is already installed in our buildbox. We still need
to compile grpc_node_plugin from source though. This adds significant
overhead as we need to pull in cmake, build-essential and then about
300 MB of git repos from protocolbuffers/protobuf.

Initially, those Teleterm gRPC were generated within `make grpc` with other
files. M1 users who don't work on Teleterm would not be happy about incurring
that additional overhead, hence I extracted everything into separate target
and Dockerfile.

Teleterm proto files don't depend on any other proto files. Once grpc-tools
adds support for arm64, we'll be able to essentially almost revert this
commit and generate Teleterm gRPC files within `make grpc`.

[1] https://github.com/grpc/grpc-node/issues/1405
2022-04-01 13:02:56 +02:00
Alexey Kontsevoy 4d0c0b2c84 teleterm (alpha) 2022-04-01 13:02:56 +02:00
Alan Parra 0d9354a424
Run tests and lint libfido2 code on buildbox (#11547)
- Lint libfido2 (and other) Go build tags
- `make test-go` exercises the libfido2 build tag, as long as `libfido2` is present in the system
- Install `libfido2` (and dependencies) in the teleport-buildbox image

Libraries are installed from source, instead of apt or ppas, so we can guarantee deterministic (and current!) versions.
(Binary releases are not available.)

At the present moment, `librdp_client` and `libfido2` can't be used together. This is because `librdp_client` embeds
openssl/`libcrypto`, which is also a dependency for `libfido2`, causing duplicate symbol errors. In practice both
libraries never coexist in the same binary, so it's easy to sidestep the issue (`librdp_client` links to `teleport`,
while FIDO2 code is only used by `tsh`). I may be able to make them coexist, but not without changes to how go-libfido2
builds.

This change is only for linting/testing libfido2 code, I'll address `tsh` releases in a future PR.

#9160

* Install libfido2 in buildbox

libfido2 and libcbor are installed from source to make sure we get
deterministic versions (apt is outdated and ppas are likely to move
forward with time).

* Run libfido2 tests on test-go
* Lint libfido2 Go build tag
* Lint other Go build tags
* Comment build tags that break the linter
* Tidy modules
* Re-enable roletester linter
* Pass tags conditionally to golangci-lint
* Clarify and improve libfido2 wildcard
* Drop `:$LD_LIBRARY_PATH` from variable
* Replace LD_LIBRARY_PATH with `ldconfig`
* Test for ARM homebrew location too
2022-03-30 17:52:29 +00:00
Edoardo Spadolini fb4ae0f280
Fix 32-bit arm deb and 64-bit arm rpm packages (#11318) 2022-03-29 16:46:55 +00:00
fheinecke 1daf7d2302
[master forward-port] Fixed RPMs using artifacts compiled against a too-new version of glibc (#11026)
* Fixed RPMs using artifacts compiled against a too-new version of glibc

* Fixed RPM naming issue

* Apply suggestions from code review

Co-authored-by: Gus Luxton <gus@goteleport.com>

Co-authored-by: Gus Luxton <gus@goteleport.com>
2022-03-25 20:55:31 +00:00
Zac Bergquist 3c74adf218
Add Helm unit tests (#11062)
* POC for Helm unit tests

This uses https://github.com/vbehar/helm3-unittest to define
expectations of our helm templates

* Test that enterprise is configured correctly

* Added tests for teleport-cluster

* Added tests for teleport-kube-agent

* Removed tests for teleport chart

* Add tests for teleport-cluster Deployment

* Run shorter tests first

* Fix Docker plugin installation and add update-helm-snapshots target

* Add README

* Fix lint syntax error and add some missing linters

* Add missing ImagePullPolicy to Deployment and StatefulSet

* Add Deployment tests for teleport-kube-agent

* Fix replicaCount logic

* Add clarification to values

* Add StatefulSet suite for teleport-kube-agent

* Update snapshots after merge with master

* Helm tests are quicker than bash tests

* Add tests for extraEnv

* Random space

* Tidy up formatting of multiple tests

* [debug] List helm plugins and directories

* Special case Helm linting when running in CI

* Make trailing line breaks consistent

* Special case Helm linting when running in CI

* Add contribution guidelines for Helm charts

* Add contribution guidelines to READMEs

* Deprecate old charts

* Typo

* Spacing

* Clarification

* Update examples/chart/CONTRIBUTING.md

* Don't erroneously set extraEnv for initContainers

* Rename update-helm-snapshots -> test-helm-update-snapshots for clarity

Co-authored-by: Gus Luxton <gus@goteleport.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
2022-03-20 19:01:58 +00:00
Gus Luxton 0d257c4e0b
ci: Add helm3-unittest into CI Dockerfile (#11187)
Required for #11062 to work
2022-03-17 15:10:39 +11:00
Brian Joerger 3fc479c146
Update gomod path for beta/alpha pre-releases. (#10866) 2022-03-10 01:44:24 +00:00
Walt eae66c0ed3
Do not block apt publishing if there is a more current pre-release (#10804)
We do not publish pre-releases to apt repos, but we do publish them to
github.  That means we need to filter them out when considering if an
apt release should be published.  We don't want v8.3.3 to be blocked by
v9.0.0-dev.1, only by v9.0.0.

Honestly, this is a bit of a mess, but it only needs to hold out a bit
longer until https://github.com/gravitational/teleport/pull/10746 lands.

Contributes to https://github.com/gravitational/teleport/issues/10800
2022-03-04 06:46:27 +00:00
Tim Buckley 6d83fed8d7
Include tbot binary in Teleport packages and installs (#10646)
* Include tbot binary in Teleport packages and installs

This includes the tbot binary in .rpm, .deb, and .pkg distributions,
and ensures the binary is installed using the `install` script in
.tar.gz packages.

* Remove tbot from macOS client-only builds
2022-03-03 03:25:23 +00:00
Trent Clarke 3beb29832f
Upgrade buildbox to go 1.17.7 & tag as teleport10 (#10611)
Prior to this patch the teleport buildbox version has been tagged with the Go version for the current release. This bit us during the Teleport 9 development cycle, as both Teleport 8 and 9 use the same version of Go but require different versions of Rust, and we were unable to distinguish between the 2 buildbox versions.

At the time, Teleport 8 was individually patched to create a new `teleport8` buildbox tag, decoupling the buildbox version from the Go version. This was never ported into master and now we find the teleport 9 branch sharing the same buildbox tag as master.

This patch forward-ports all the changes made to `branch/v8` and updates them for master, creating a new `teleport10` buildbox tag. The idea is that we will create a new tag for teleport11 at the same time the release branch for Teleport 10 is made at some point in the future.

Once this is merged, Drone will create and push new buildbox images, which will become available for CI. A subsequent patch will update the CI scripts to use the new `teleport10` buildbox images.
2022-03-01 15:31:46 +11:00
Alan Parra 69c67fd0bf
Read API_IMPORT_PATH from api/go.mod in make grpc (#10478)
API_IMPORT_PATH is consistently being resolved as an empty string, breaking
proto generation.

Since the path is fixed, it seems simpler to read api/go.mod and do away with
the Go program.

* Explicitly set API_IMPORT_PATH
* Delete the print-import-path program
* Read api module from api/go.mod, push variables to target
2022-02-22 19:39:35 +00:00
Jakub Nyckowski 7c19757d28
Install gcloud in /opt, so it can be accessed by non root (#10400) 2022-02-17 06:25:48 +00:00
Walt Della 7df4d77f47 Add a command to query the latest release
This gives us a robust way to find the latest published release for a
Major or Major.Minor version.  This logic is useful for our automation
that publishes up-to-date teleport:X docker images

Contributes to https://github.com/gravitational/teleport/issues/9494
2022-02-16 17:19:17 -08:00
Walt Della e5b9df2e89 Switch to testify
This saves us a couple lines of code and is a consistent review
recommendation. Better to learn it myself than keep pushing back. :)
2022-02-16 17:19:17 -08:00
Walt Della cf3109862f Exclude draft releases from latest version logic
These should not be factored in when checking for the latest release
when we decide if we should release apt packages.

This also fixes a bug in sorting logic, where we were sorting
lexicographically instead of by semver.
2022-02-16 17:19:17 -08:00
Walt Della adcaf7bca7 Fix release sorting
9 was comparing greater than 10, due to use of lexicographic sorting

This would cause us to fail to publish apt packages when we roll over to
a patch release > 9.
2022-02-16 17:19:17 -08:00
Walt Della d74ecdf86a Add a lexicographic test case
We are failing to sort properly when "9" is compared to "10".
2022-02-16 17:19:17 -08:00
Walt Della f49feacb24 Integrate version-check into build.assets/tooling
This is a unified home as suggested by Trent here:

  https://github.com/gravitational/teleport/pull/10295#discussion_r807499882

Furthermore, I've split cmd code from lib code, in preparation for a new
command that will reuse the library code.
2022-02-16 17:19:17 -08:00
Zac Bergquist eb487ce360 Remove CentOS 6 builds for Teleport 9 2022-02-15 18:40:48 -07:00
Zac Bergquist b2ffe8cc61
Update the PR description for auto webassets updates (#10212)
The script for updating webassets uses the commit message from
webapps as the commit message for the PR to teleport.

This commit message is almost always a merged PR, which has the format:

    do some awesome thing (#123)

Where '#123' is the number of the **webapps** PR that was merged.

The problem with this is, when the teleport PR is created, it interprets
the #123 as the number of a **teleport** PR. And since the Teleport repo
has a lot more issues/PRs than webapps, Github ends up linking to an old
and completely unrelated PR.

Fix this by replacing (#123) with (gravitational/webapps#123), which
Github correctly renders as a link to the webapps PR in question.
2022-02-08 19:10:47 +00:00
rosstimothy 896261acaf
Add more lint coverage (#10049)
* Add more lint coverage

golanglint-ci doesn't pick up subdirectories with their own go.mod
which left certain directories unlinted. To get around this we can
run golanglint-ci directly against those submodules.
2022-02-07 12:03:10 -05:00
Brian Joerger d33f51d17f
x11 forwarding (#9897) 2022-02-04 23:47:03 +00:00
Brian Joerger 5d9a4033ef
Add xauth binary to buildbox for X11 forwarding. (#10164) 2022-02-04 20:36:15 +00:00
Jakub Nyckowski c974f2781a
Use SDK Cloud script to install gcloud (#9941)
* Use SDK Cloud script to install gcloud in buildbox Docker container

* Add missing gcloud components and dependencies.
2022-01-28 23:18:50 +00:00
Zac Bergquist 2aba666dc9
Update to Rust 1.58.1 (#9985)
In Rust 1.58, deriving Debug no longer counts as using a struct's
fields, so we need to allow dead_code for our structs that implement
RDP protocols. (Just because we don't use the fields doesn't mean
we shouldn't decode them)
2022-01-28 02:34:45 +00:00
Brian Joerger eb40cdc73e
make protoc generation compatible with api v2+ (#9673)
Starting with the Teleport 9 release, we will be versioning the
API module. This change ensures that the generated protobuf code
imports the correct version of the API by:

- introducing a small new command to print the correct version
- adding import rewrite rules to the protoc invocation
2022-01-24 19:16:05 +00:00
Jakub Nyckowski 538fcaa980
Remove devbox - build box now supports ARM64. (#9847) 2022-01-20 01:05:25 +00:00
Walt 854053326a
Conditionally publish deb packages (#9496)
This patch makes a couple changes:

  1. deb archives are not published to apt if they're not the latest
     release ever
  2. both rpm and deb archives are no longer published to yum / apt if
     they contain any pre-release indicator or build metadata
  3. nothing is published if the commit isn't tagged.

Contributes to https://github.com/gravitational/teleport/issues/8166
2022-01-14 03:52:15 +00:00
Edoardo Spadolini c7797fcb1f
Don't shell out to go list when not needed (#9776) 2022-01-13 11:00:33 -05:00
Zac Bergquist d0eb86191d Remove vendor
- Remove the vendor directory
- Update bot to stop accounting for vendor
- Update linter config
- Remove update-vendor make target
2022-01-07 02:15:11 -07:00
Trent Clarke 4ba0248769
Restores CI lint for non-go files (#9663)
Linting for non-go files was accidentally dropped in the transition to
GCB (sorry!). This patch restores linting for non-go files and fixes
any lint failures that have crept in during the interim.
2022-01-06 22:20:56 +11:00