Merge branch 'branch/v16' into bot/backport-44731-branch/v16

api/proto/teleport/legacy/types/types.proto

@@ -4409,6 +4409,8 @@ message MaxAge {
 message SSOClientRedirectSettings {
   // a list of hostnames allowed for https client redirect URLs
   repeated string allowed_https_hostnames = 1;
+  // a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+  repeated string insecure_allowed_cidr_ranges = 2;
 }
 
 // OIDCAuthRequest is a request to authenticate with OIDC
@@ -4755,6 +4757,9 @@ message GithubAuthRequest {
   teleport.attestation.v1.AttestationStatement attestation_statement = 16 [(gogoproto.jsontag) = "attestation_statement,omitempty"];
   // ClientLoginIP specifies IP address of the client for login, it will be written to the user's certificates.
   string ClientLoginIP = 17 [(gogoproto.jsontag) = "client_login_ip,omitempty"];
+  // ClientUserAgent is the user agent of the Web browser, used for issuing
+  // a DeviceWebToken.
+  string ClientUserAgent = 18 [(gogoproto.jsontag) = "client_user_agent,omitempty"];
 }
 
 // SSOWarnings conveys a user-facing main message along with auxiliary warnings.

api/types/oidc.go

@@ -17,6 +17,7 @@ limitations under the License.
 package types
 
 import (
+	"net/netip"
 	"net/url"
 	"slices"
 	"time"
@@ -35,6 +36,11 @@ type OIDCConnector interface {
 	// ResourceWithSecrets provides common methods for objects
 	ResourceWithSecrets
 	ResourceWithOrigin
+	// Validate will preform checks not found in CheckAndSetDefaults
+	// that should only be preformed when the OIDC connector resource
+	// itself is being created or updated, not when a OIDCConnector
+	// object is being created or updated.
+	Validate() error
 	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
 	GetIssuerURL() string
 	// ClientID is id for authentication client (in our case it's our Auth server)
@@ -449,6 +455,23 @@ func (o *OIDCConnectorV3) CheckAndSetDefaults() error {
 	return nil
 }
 
+// Validate will preform checks not found in CheckAndSetDefaults
+// that should only be preformed when the OIDC connector resource
+// itself is being created or updated, not when a OIDCConnector
+// object is being created or updated.
+func (o *OIDCConnectorV3) Validate() error {
+	if o.Spec.ClientRedirectSettings != nil {
+		for _, cidrStr := range o.Spec.ClientRedirectSettings.InsecureAllowedCidrRanges {
+			_, err := netip.ParsePrefix(cidrStr)
+			if err != nil {
+				return trace.BadParameter("bad CIDR range in insecure_allowed_cidr_ranges '%s': %v", cidrStr, err)
+			}
+		}
+	}
+
+	return nil
+}
+
 // GetAllowUnverifiedEmail returns true if unverified emails should be allowed in received users.
 func (o *OIDCConnectorV3) GetAllowUnverifiedEmail() bool {
 	return o.Spec.AllowUnverifiedEmail

docs/pages/access-controls/sso.mdx

@@ -197,6 +197,35 @@ authentication succeeds, Teleport will retrieve SSH and X.509 certificates and
 store them in the `~/.tsh/keys/<clustername>` directory. The tool will also will
 add SSH cert to an SSH agent if there's one running.
 
+### Changing Callback Address
+
+The callback address can be changed if calling back to a remote machine
+instead of the local machine is required:
+
+```code
+# --bind-addr sets the host and port tsh will listen on, and --callback changes 
+# what link is displayed to the user
+$ tsh login --proxy=proxy.example.com --auth=github --bind-addr=localhost:1234 --callback https://remote.machine:1234
+```
+
+For this to work the hostname or CIDR of the remote machine that will be used for
+the callback will need to be allowed  via`spec.client_redirect_settings`:
+
+```code
+spec:
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
+```
+
 ## Configuring SSO
 
 Teleport works with SSO providers by relying on the concept of an

docs/pages/choose-an-edition/migrate-to-cloud.mdx

@@ -318,7 +318,7 @@ your new Teleport cluster, ensure that the setup is complete.
    List all registered Windows desktops:
 
    ```code
-   $ tctl get windows_desktop
+   $ tctl desktop ls
    ```
 
 1. Ensure that end users have the expected SSO access to your infrastructure.

docs/pages/enroll-resources/server-access/guides/ansible.mdx

@@ -43,6 +43,8 @@ Create a folder `ansible` where we will collect all generated files:
 
 ```code
 $ mkdir -p ansible
+# Copy the openssh configuration from the previous step to the ansible dir
+$ cp ssh.cfg ansible/
 $ cd ansible
 ```
 

docs/pages/management/dynamic-resources/teleport-operator.mdx

@@ -45,6 +45,33 @@ follow [the guide for Helm-deployed clusters](./teleport-operator-helm.mdx).
 If you are hosting Teleport out of Kubernetes (Teleport Cloud, Terraform, ...),
 follow [the standalone operator guide](./teleport-operator-standalone.mdx).
 
+### Control reconciliation with annotations
+
+The operator supports two annotations on CRs:
+
+#### `teleport.dev/keep`
+
+This annotation instructs the operator to keep the Teleport resource if the CR is deleted.
+This is useful if you want to migrate between two resource versions.
+
+For example, to migrate from `TeleportRoleV6` to `TeleportRoleV7`:
+- Annotate the existing `TeleportRoleV6` resource with `teleport.dev/keep: "true"`
+- Delete the `TeleportRoleV6` CR, the operator won't delete the associated Teleport role
+- Create a `TeleportRoleV7` CR with the same name, the operator will find the existing v6 role and adopt it.
+
+Possible values are `"true"` or `"false"` (those are strings, as Booleans are not valid label values in Kubernetes).
+
+#### `teleport.dev/ignore`
+
+This annotation instructs the operator to ignore the CR when reconciling.
+This means the resource will not be created, updated, or deleted in Teleport.
+
+This also means the operator will not remove its finalizer if you try to delete an ignored CR.
+The finalizer will stay and the deletion be blocked until you patch the resource to remove the
+finalizer or remove the ignore annotation.
+
+Possible values are `"true"` or `"false"` (those are strings, as Booleans are not valid label values in Kubernetes).
+
 ### Troubleshooting
 
 (!docs/pages/includes/diagnostics/kubernetes-operator-troubleshooting.mdx!)

docs/pages/reference/cli/tsh.mdx

@@ -316,6 +316,7 @@ $ tsh login [<flags>] [<cluster>]
 | Name | Default Value(s) | Allowed Value(s) | Description |
 | - | - | - | - |
 | `--bind-addr` | none | host:port | Address in the form of host:port to bind to for login command webhook |
+| `--callback` | none | host:port | Override the base URL (host:port) of the link shown when opening a browser for cluster logins. Must be used with --bind-addr.
 | `-o, --out` | none | filepath | Identity output filepath |
 | `--format` | `file` | `file`, `openssh` or `kubernetes` | Identity format: file, openssh (for OpenSSH compatibility) or kubernetes (for kubeconfig) |
 | `--browser` | none | `none` | Set to 'none' to suppress opening system default browser for `tsh login` commands |

docs/pages/reference/terraform-provider/data-sources/github_connector.mdx

@@ -45,6 +45,7 @@ Optional:
 Optional:
 
 - `allowed_https_hostnames` (List of String) a list of hostnames allowed for https client redirect URLs
+- `insecure_allowed_cidr_ranges` (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
 
 
 ### Nested Schema for `spec.teams_to_logins`

docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx

@@ -59,6 +59,7 @@ Optional:
 Optional:
 
 - `allowed_https_hostnames` (List of String) a list of hostnames allowed for https client redirect URLs
+- `insecure_allowed_cidr_ranges` (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
 
 
 

docs/pages/reference/terraform-provider/data-sources/saml_connector.mdx

@@ -69,6 +69,7 @@ Optional:
 Optional:
 
 - `allowed_https_hostnames` (List of String) a list of hostnames allowed for https client redirect URLs
+- `insecure_allowed_cidr_ranges` (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
 
 
 ### Nested Schema for `spec.signing_key_pair`

docs/pages/reference/terraform-provider/resources/github_connector.mdx

@@ -76,6 +76,7 @@ Optional:
 Optional:
 
 - `allowed_https_hostnames` (List of String) a list of hostnames allowed for https client redirect URLs
+- `insecure_allowed_cidr_ranges` (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
 
 
 ### Nested Schema for `spec.teams_to_logins`

docs/pages/reference/terraform-provider/resources/oidc_connector.mdx

@@ -89,6 +89,7 @@ Optional:
 Optional:
 
 - `allowed_https_hostnames` (List of String) a list of hostnames allowed for https client redirect URLs
+- `insecure_allowed_cidr_ranges` (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
 
 
 

docs/pages/reference/terraform-provider/resources/saml_connector.mdx

@@ -115,6 +115,7 @@ Optional:
 Optional:
 
 - `allowed_https_hostnames` (List of String) a list of hostnames allowed for https client redirect URLs
+- `insecure_allowed_cidr_ranges` (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
 
 
 ### Nested Schema for `spec.signing_key_pair`

docs/pages/upgrading/automatic-agent-updates.mdx

@@ -189,9 +189,16 @@ Server ID                            Hostname      Services Version Upgrader
    </TabItem>
    <TabItem label="Self-Hosted Teleport Enterprise">
 
-   ```code
-   $ curl https://goteleport.com/static/install.sh | bash -s ${TELEPORT_VERSION?} enterprise
-   ```
+   1. Follow the instructions in the Teleport [installation
+      guide](../installation.mdx#package-repositories) to install the `teleport`
+      binary on your Linux server for your package manager.
+
+   1. Using your package manager, install `teleport-ent-updater` on the
+      server where you installed `teleport`. For example:
+
+      ```code
+      $ apt-get install -y teleport-ent-updater
+      ```
 
    </TabItem>
    </Tabs>

examples/chart/event-handler/templates/deployment.yaml

@@ -35,7 +35,7 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command:
-            - /usr/local/bin/teleport-event-handler
+            - /usr/local/bin/teleport-plugin
             - start
             - "--config"
             - "/etc/teleport-event-handler.toml"

examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap

@@ -24,7 +24,7 @@ should match the snapshot:
         spec:
           containers:
           - command:
-            - /usr/local/bin/teleport-event-handler
+            - /usr/local/bin/teleport-plugin
             - start
             - --config
             - /etc/teleport-event-handler.toml
@@ -73,7 +73,7 @@ should mount tls.existingCASecretName and set environment when set in values:
   1: |
     containers:
     - command:
-      - /usr/local/bin/teleport-event-handler
+      - /usr/local/bin/teleport-plugin
       - start
       - --config
       - /etc/teleport-event-handler.toml

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_githubconnectors.yaml

@@ -55,6 +55,13 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               client_secret:
                 description: ClientSecret is the Github OAuth app client secret.

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml

@@ -80,6 +80,13 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               client_secret:
                 description: ClientSecret is used to authenticate the client.

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml

@@ -95,6 +95,13 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  insecure_allowed_cidr_ranges:
+                    description: a list of CIDRs allowed for HTTP or HTTPS client
+                      redirect URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                 type: object
               display:
                 description: Display controls how this connector is displayed.

examples/resources/adfs-connector.yaml

@@ -62,3 +62,15 @@ spec:
     - name: "http://schemas.xmlsoap.org/claims/Group"
       value: "Users"
       roles: ["access"]
+
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'

examples/resources/github.yaml

@@ -20,3 +20,14 @@ spec:
     - editor
     organization: <github-org>
     team: <github-team>
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'

examples/resources/gworkspace-connector-inline.yaml

@@ -33,4 +33,15 @@ spec:
   scope:
   - openid
   - email
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
 version: v3

examples/resources/gworkspace-connector.yaml

@@ -21,4 +21,15 @@ spec:
   scope:
   - openid
   - email
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
 version: v3

examples/resources/oidc-connector.yaml

@@ -16,4 +16,15 @@ spec:
   issuer_url: https://idp.example.com/
   redirect_url: https://mytenant.teleport.sh:443/v1/webapi/oidc/callback
   max_age: 24h
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
 version: v3

examples/resources/onelogin-connector.yaml

@@ -23,4 +23,15 @@ spec:
   issuer: ""
   service_provider_issuer: https://teleport.example.com:443/v1/webapi/saml/acs/onelogin
   sso: ""
+  client_redirect_settings:
+    # a list of hostnames allowed for HTTPS client redirect URLs
+    # can be a regex pattern
+    allowed_https_hostnames:
+      - remote.machine
+      - '*.app.github.dev'
+      - '^\d+-[a-zA-Z0-9]+\.foo.internal$'
+    # a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+    insecure_allowed_cidr_ranges:
+      - '192.168.1.0/24'
+      - '2001:db8::/96'
 version: v2