Merge remote-tracking branch 'origin/master' into strideynet/tbot-doc…

…ker-image-remastered

.github/ISSUE_TEMPLATE/testplan.md

@@ -1238,7 +1238,7 @@ tsh bench web sessions --max=5000 --web user ls
         - [ ] A folder from inside the shared directory can be copy-pasted to another folder inside shared directory (and its contents retained)
   - RBAC
     - [ ] Give the user one role that explicitly disables directory sharing (`desktop_directory_sharing: false`) and confirm that the option to share a directory doesn't appear in the menu
-- Per-Session MFA (try webauthn on each of Chrome, Safari, and Firefox; u2f only works with Firefox)
+- Per-Session MFA
   - [ ] Attempting to start a session no keys registered shows an error message
   - [ ] Attempting to start a session with a webauthn registered pops up the "Verify Your Identity" dialog
     - [ ] Hitting "Cancel" shows an error message
@@ -1282,6 +1282,10 @@ tsh bench web sessions --max=5000 --web user ls
   - Set up Teleport in a trusted cluster configuration where the root and leaf cluster has a w_d_s connected via tunnel (w_d_s running as a separate process)
     - [ ] Confirm that windows desktop sessions can be made on root cluster
     - [ ] Confirm that windows desktop sessions can be made on leaf cluster
+- Screen size
+    - [ ] Desktops that specify a fixed `screen_size` in their spec always use the same screen size.
+    - [ ] Desktops sessions for desktops which specify a fixed `screen_size` do not resize automatically.
+    - [ ] Attempting to register a desktop with a `screen_size` dimension larger than 8192 fails.
 - Non-AD setup
   - [ ] Installer in GUI mode finishes successfully on instance that is not part of domain
   - [ ] Installer works correctly invoked from command line
@@ -1412,7 +1416,7 @@ TODO(lxea): replace links with actual docs once merged
 
 ## SSH Connection Resumption
 
-Verify that SSH works, and that resumable SSH is not interrupted across a Teleport Cloud tenant upgrade. 
+Verify that SSH works, and that resumable SSH is not interrupted across a Teleport Cloud tenant upgrade.
 |   | Standard node | Non-resuming node | Peered node | Agentless node |
 |---|---|---|---|---|
 | `tsh ssh` | <ul><li> [ ] </ul></li> | <ul><li> [ ] </ul></li> | <ul><li> [ ] </ul></li> | <ul><li> [ ] </ul></li> |

.github/vale-styles/messaging/consistent-terms.yml

@@ -19,3 +19,4 @@ swap:
   'Auth Services': Auth Service instances
   'Teleport open source|open source Teleport': Teleport Community Edition
   'OSS Teleport|Teleport OSS': Teleport Community Edition
+  'automatic upgrade': automatic update

.github/workflows/aws-e2e-tests-non-root.yaml

@@ -32,7 +32,7 @@ jobs:
        - name: Checkout
          if: ${{ github.event_name == 'merge_group' }}
          uses: actions/checkout@v4
-       - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
+       - uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
          id: changes
          with:
            base: ${{ github.event.pull_request.base.ref || github.event.merge_group.base_ref }}

.github/workflows/check-devbox.yaml

@@ -18,7 +18,7 @@ jobs:
        - name: Checkout
          if: ${{ github.event_name == 'merge_group' }}
          uses: actions/checkout@v4
-       - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
+       - uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
          id: changes
          with:
            base: ${{ github.event.pull_request.base.ref || github.event.merge_group.base_ref }}

.github/workflows/doc-tests.yaml

@@ -18,7 +18,7 @@ jobs:
       - name: Checkout
         if: ${{ github.event_name == 'merge_group' }}
         uses: actions/checkout@v4
-      - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
+      - uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
         id: changes
         with:
           base: ${{ github.event.pull_request.base.ref || github.event.merge_group.base_ref }}
@@ -27,7 +27,6 @@ jobs:
           filters: |
             changed:
               - '.github/workflows/doc-tests.yaml'
-              - 'CHANGELOG.md'
               - 'docs/**'
               - 'examples/**'
 
@@ -116,10 +115,8 @@ jobs:
           # relevant changes" job.
           separator: ","
           files: ${{ needs.changes.outputs.changed_files }}
-          # Report all results in a file modified in the PR, even if it wasn't
-          # touched by the diff. This way, we can gradually implement a style
-          # guide across the docs: docs authors do a little bit of extra work,
-          # but aren't responsible for entire docs site.
-          filter_mode: file
+          # Restrict the linter to lines modified/added by a PR, not entire
+          # changed files.
+          filter_mode: added
           fail_on_error: true
 

.github/workflows/integration-tests-non-root.yaml

@@ -18,7 +18,7 @@ jobs:
       - name: Checkout
         if: ${{ github.event_name == 'merge_group' }}
         uses: actions/checkout@v4
-      - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
+      - uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
         id: changes
         with:
           base: ${{ github.event.pull_request.base.ref || github.event.merge_group.base_ref }}

.github/workflows/integration-tests-root.yaml

@@ -18,7 +18,7 @@ jobs:
       - name: Checkout
         if: ${{ github.event_name == 'merge_group' }}
         uses: actions/checkout@v4
-      - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
+      - uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
         id: changes
         with:
           base: ${{ github.event.pull_request.base.ref || github.event.merge_group.base_ref }}

.github/workflows/kube-integration-tests-non-root.yaml

@@ -22,7 +22,7 @@ jobs:
       - name: Checkout
         if: ${{ github.event_name == 'merge_group' }}
         uses: actions/checkout@v4
-      - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
+      - uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
         id: changes
         with:
           base: ${{ github.event.pull_request.base.ref || github.event.merge_group.base_ref }}
@@ -68,7 +68,7 @@ jobs:
         continue-on-error: true
 
       - name: Create KinD cluster
-        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
         with:
           cluster_name: kind
           config: fixtures/kind/config.yaml

.github/workflows/lint.yaml

@@ -23,9 +23,6 @@ jobs:
     container:
       image: ghcr.io/gravitational/teleport-buildbox:teleport16
 
-    env:
-      GOLANGCI_LINT_VERSION: v1.56.1
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -37,6 +34,16 @@ jobs:
         # We have to add the current directory as a safe directory or else git commands will not work as expected.
         run: git config --global --add safe.directory $( realpath . ) && git diff --exit-code -- go.mod go.sum api/go.mod api/go.sum
 
+      - name: Set linter versions
+        run: |
+          echo BUF_VERSION=$(cd build.assets; make print-buf-version) >> $GITHUB_ENV
+          echo GOLANGCI_LINT_VERSION=$(cd build.assets; make print-golangci-lint-version) >> $GITHUB_ENV
+
+      - name: Print linter versions
+        run: |
+          echo "BUF_VERSION=$BUF_VERSION"
+          echo "GOLANGCI_LINT_VERSION=$GOLANGCI_LINT_VERSION"
+
       # Run various golangci-lint checks.
       # TODO(codingllama): Using go.work could save a bunch of repetition here.
       - name: golangci-lint (api)
@@ -70,7 +77,7 @@ jobs:
       - uses: bufbuild/buf-setup-action@88db93f5d74ffa329bb43e42aa95cd822697d214 # v1.29.0
         with:
           github_token: ${{ github.token }}
-          version: v1.29.0
+          version: ${{ env.BUF_VERSION }}
       - uses: bufbuild/buf-lint-action@044d13acb1f155179c606aaa2e53aea304d22058 # v1.1.0
       - name: buf breaking from parent to self
         uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 # v1.1.3

.github/workflows/unit-tests-integrations.yaml

@@ -18,7 +18,7 @@ jobs:
        - name: Checkout
          if: ${{ github.event_name == 'merge_group' }}
          uses: actions/checkout@v4
-       - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
+       - uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
          id: changes
          with:
            base: ${{ github.event.pull_request.base.ref || github.event.merge_group.base_ref }}

BUILD_macos.md

@@ -6,10 +6,10 @@ PRs with corrections and updates are welcome!
 * Install [Homebrew](https://brew.sh/)
 * `Go` version from
   [go.mod](https://github.com/gravitational/teleport/blob/master/go.mod#L3)
-  
+
   * Follow [official instructions](https://go.dev/doc/install) to install `Go`
     * **On an M1 Mac, download ARM64 installer from https://go.dev/dl/**
-    * Download the installer for `<version from go.mod>`  
+    * Download the installer for `<version from go.mod>`
     * After installing, don't forget to `export PATH="/usr/local/go/bin:$PATH"` in `~/.zprofile`
     * If you need other go versions, see https://go.dev/doc/manage-install
       * You will need to add `export PATH="$HOME/go/bin:$PATH"` to the `~/.zprofile`
@@ -22,7 +22,7 @@ PRs with corrections and updates are welcome!
   #
   # check which version will be installed by running:
   # brew info go
-  
+
   brew install go
   ````
 
@@ -36,27 +36,27 @@ PRs with corrections and updates are welcome!
   ```shell
   brew install rustup
   ```
-  
+
   * Initialize Rustup
-  
+
   ```shell
   rustup-init
   #
   # accept defaults
   #
   # Once command finishes successfully, you might need to add
-  # 
+  #
   # export PATH="$HOME/.cargo/bin:$PATH"
-  # 
+  #
   # into ~/.zprofile and run:
-  # 
+  #
   # . ~/.zprofile
-  # 
+  #
   # or open a new shell
   ```
-  
+
   * Install the required version
-  
+
   ```shell
   rustup toolchain install <version from build.assets/versions.mk>
   cd <teleport.git>
@@ -77,9 +77,12 @@ PRs with corrections and updates are welcome!
   brew install pkg-config
   ```
 
-* To install `yarn` for building the UI
+* To install tools for building the UI:
   * `brew install node yarn`
   * Currently, [`yarn`](https://classic.yarnpkg.com/en/docs/install) (< 2.0.0) is required
+  * The `Rust` and `Cargo` version in [build.assets/Makefile](https://github.com/gravitational/teleport/blob/master/build.assets/versions.mk#L11) (search for `RUST_VERSION`) are required.
+  * The [`wasm-pack`](https://github.com/rustwasm/wasm-pack) version in [build.assets/Makefile](https://github.com/gravitational/teleport/blob/master/build.assets/versions.mk#L12) (search for `WASM_PACK_VERSION`) is required:
+    `curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh`
 
 ##### Local Tests Dependencies
 
@@ -91,7 +94,7 @@ To run a full test suite locally, you will need
   brew install helm
   helm plugin install https://github.com/quintush/helm-unittest
   ```
-  
+
 * `bats-core` version from [build.assets/Dockerfile](https://github.com/gravitational/teleport/blob/master/build.assets/Dockerfile#L183) (search for `bats-core`)
 
   ```shell
@@ -106,14 +109,14 @@ To run a full test suite locally, you will need
   rm -rf bats-core-1.2.1 bats.tar.gz
   ```
 
-* `protoc` binary, typically found in `protobuf` package 
+* `protoc` binary, typically found in `protobuf` package
 
   ```shell
   brew install protobuf
   ```
 
 * increased `ulimit -n`
-  
+
   ```shell
   ulimit -n 2560 # 10x default
   ```

CHANGELOG.md

@@ -152,6 +152,17 @@ Do not run debug container images in production environments.
 Heavy container images will continue to be published for Teleport 13 and 14
 throughout the remainder of these releases' lifecycle.
 
+##### Helm cluster chart FIPS mode changes
+
+The teleport-cluster chart no longer uses versionOverride and extraArgs to set FIPS mode. 
+
+Instead, you should use the following values file configuration:
+```
+enterpriseImage: public.ecr.aws/gravitational/teleport-ent-fips-distroless
+authentication:
+  localAuth: false
+```
+
 ##### Multi-architecture Teleport Operator images
 
 Teleport Operator container images will no longer be published with architecture
@@ -231,6 +242,19 @@ The operator now joins using a Kubernetes ServiceAccount token. To validate the
 token, the Teleport Auth Service must have access to the `TokenReview` API.
 The chart configures this for you since v12, unless you disabled `rbac` creation.
 
+##### Helm cluster chart FIPS mode changes
+
+The teleport-cluster chart no longer uses versionOverride and extraArgs to set FIPS mode. 
+
+Instead, you should use the following values file configuration:
+
+```
+enterpriseImage: public.ecr.aws/gravitational/teleport-ent-fips-distroless
+authentication:
+  localAuth: false
+
+```
+
 #### Resource version is now mandatory and immutable in the Terraform provider
 
 Starting with Teleport 15, each Terraform resource must have its version specified.
@@ -388,7 +412,7 @@ Teleport 14 before upgrading.
 #### SSH node open dial no longer supported
 
 Teleport 14 no longer allows connecting to OpenSSH servers not registered with
-the cluster. Follow the updated agentless OpenSSH integration [guide](docs/pages/server-access/guides/openssh.mdx)
+the cluster. Follow the updated agentless OpenSSH integration [guide](docs/pages/server-access/openssh/openssh.mdx)
 to register your OpenSSH nodes in the cluster’s inventory.
 
 You can set `TELEPORT_UNSTABLE_UNLISTED_AGENT_DIALING=yes` environment variable
@@ -637,7 +661,7 @@ This will allow users to view the OpenSSH nodes in Web UI and using `tsh ls`
 and use RBAC to control access to them.
 
 See the updated [OpenSSH integration
-guide](docs/pages/server-access/guides/openssh.mdx).
+guide](docs/pages/server-access/openssh/openssh.mdx).
 
 ### Cross-cluster search for Teleport Connect