Merge branch 'branch/v14' into bot/backport-43134-branch/v14

.github/workflows/os-compatibility-test.yaml

@@ -12,7 +12,7 @@ on:
       - 'docs/**'
       - 'web/**'
       - 'rfd/**'
-      - '**/*.md*'      
+      - '**/*.md*'
 
 jobs:
   build:
@@ -38,7 +38,7 @@ jobs:
 
       - name: Run make
         run: |
-          make binaries
+          make binaries FIDO2=static
 
       - name: Upload binaries
         uses: actions/upload-artifact@v3

Makefile

@@ -141,6 +141,10 @@ export C_ARCH
 # Eagerly enable if we detect the package, we want to test as much as possible.
 ifeq ("$(shell pkg-config libfido2 2>/dev/null; echo $$?)", "0")
 LIBFIDO2_TEST_TAG := libfido2
+ifeq ($(FIDO2),)
+$(info libfido2 found, setting FIDO2=dynamic)
+FIDO2 ?= dynamic
+endif
 endif
 
 # Build tsh against libfido2?
@@ -311,6 +315,9 @@ $(BUILDDIR)/teleport: ensure-webassets bpf-bytecode rdpclient
 $(BUILDDIR)/tsh: KUBECTL_VERSION ?= $(shell go run ./build.assets/kubectl-version/main.go)
 $(BUILDDIR)/tsh: KUBECTL_SETVERSION ?= -X k8s.io/component-base/version.gitVersion=$(KUBECTL_VERSION)
 $(BUILDDIR)/tsh:
+	@if [[ -z "$(LIBFIDO2_BUILD_TAG)" ]]; then \
+		echo 'Warning: Building tsh without libfido2. Install libfido2 to have access to MFA.' >&2; \
+	fi
 	GOOS=$(OS) GOARCH=$(ARCH) $(CGOFLAG_TSH) go build -tags "$(FIPS_TAG) $(LIBFIDO2_BUILD_TAG) $(TOUCHID_TAG) $(PIV_BUILD_TAG)" -o $(BUILDDIR)/tsh $(BUILDFLAGS) ./tool/tsh
 
 .PHONY: $(BUILDDIR)/tbot

api/utils/route.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"errors"
 	"net"
+	"strings"
 	"unicode/utf8"
 
 	"github.com/google/uuid"
@@ -49,6 +50,8 @@ type SSHRouteMatcherConfig struct {
 	Resolver HostResolver
 	// CaseInsensitive enabled case insensitive routing when true.
 	CaseInsensitive bool
+	// DisableUnqualifiedLookups disables lookups for unqualified hostnames.
+	DisableUnqualifiedLookups bool
 }
 
 // HostResolver provides an interface matching the net.Resolver.LookupHost method. Typically
@@ -88,7 +91,12 @@ func newSSHRouteMatcher(cfg SSHRouteMatcherConfig) SSHRouteMatcher {
 	_, err := uuid.Parse(cfg.Host)
 	dialByID := err == nil || aws.IsEC2NodeID(cfg.Host)
 
-	ips, _ := cfg.Resolver.LookupHost(context.Background(), cfg.Host)
+	var ips []string
+	if !(cfg.DisableUnqualifiedLookups && !strings.Contains(cfg.Host, ".")) {
+		// unqualified lookups are still on by default, but future versions of teleport may disable them as they tend
+		// to be responsible for the majority of all lookups generated by a teleport cluster and are of questionable utility.
+		ips, _ = cfg.Resolver.LookupHost(context.Background(), cfg.Host)
+	}
 
 	return SSHRouteMatcher{
 		cfg:            cfg,

api/utils/route_test.go

@@ -323,3 +323,66 @@ func TestSSHRouteMatcherScoring(t *testing.T) {
 		})
 	}
 }
+
+type recordingHostResolver struct {
+	didLookup bool
+}
+
+func (r *recordingHostResolver) LookupHost(ctx context.Context, host string) (addrs []string, err error) {
+	r.didLookup = true
+	return nil, nil
+}
+
+// TestDisableUnqualifiedLookups verifies that unqualified lookups being disabled results
+// in single-element/tld style hostname targets not being resolved.
+func TestDisableUnqualifiedLookups(t *testing.T) {
+	tts := []struct {
+		desc   string
+		target string
+		lookup bool
+	}{
+		{
+			desc:   "qualified hostname",
+			target: "example.com",
+			lookup: true,
+		},
+		{
+			desc:   "unqualified hostname",
+			target: "example",
+			lookup: false,
+		},
+		{
+			desc:   "localhost",
+			target: "localhost",
+			lookup: false,
+		},
+		{
+			desc:   "foo.localhost",
+			target: "foo.localhost",
+			lookup: true,
+		},
+		{
+			desc:   "uuid",
+			target: uuid.NewString(),
+			lookup: false,
+		},
+		{
+			desc:   "qualified uuid",
+			target: "foo." + uuid.NewString(),
+			lookup: true,
+		},
+	}
+
+	for _, tt := range tts {
+		t.Run(tt.desc, func(t *testing.T) {
+			resolver := &recordingHostResolver{}
+			_, err := NewSSHRouteMatcherFromConfig(SSHRouteMatcherConfig{
+				Host:                      tt.target,
+				Resolver:                  resolver,
+				DisableUnqualifiedLookups: true,
+			})
+			require.NoError(t, err)
+			require.Equal(t, tt.lookup, resolver.didLookup)
+		})
+	}
+}

assets/aws/files/system/teleport-acm.service

@@ -13,4 +13,7 @@ RuntimeDirectory=teleport
 ExecStart=/usr/local/bin/teleport start --config=/etc/teleport.yaml --diag-addr=127.0.0.1:3000 --pid-file=/run/teleport/teleport.pid
 ExecReload=/bin/kill -HUP $MAINPID
 PIDFile=/run/teleport/teleport.pid
-LimitNOFILE=524288
+LimitNOFILE=524288
+
+[Install]
+WantedBy=multi-user.target

build.assets/versions.mk

@@ -6,7 +6,7 @@
 GOLANG_VERSION ?= go1.21.11
 GOLANGCI_LINT_VERSION ?= v1.58.1
 
-NODE_VERSION ?= 20.13.0
+NODE_VERSION ?= 20.14.0
 
 # Run lint-rust check locally before merging code after you bump this.
 RUST_VERSION ?= 1.77.0
@@ -16,7 +16,7 @@ LIBPCSCLITE_VERSION ?= 1.9.9-teleport
 DEVTOOLSET ?= devtoolset-12
 
 # Protogen related versions.
-BUF_VERSION ?= v1.32.1
+BUF_VERSION ?= v1.33.0
 # Keep in sync with api/proto/buf.yaml (and buf.lock).
 GOGO_PROTO_TAG ?= v1.3.2
 NODE_GRPC_TOOLS_VERSION ?= 1.12.4

docs/config.json

@@ -3220,16 +3220,6 @@
       "destination": "/access-controls/device-trust/device-management/",
       "permanent": true
     },
-    {
-      "source": "/management/guides/teleport-operator/",
-      "destination": "/management/dynamic-resources/teleport-operator/",
-      "permanent": true
-    },
-    {
-      "source": "/management/guides/terraform-provider/",
-      "destination": "/management/dynamic-resources/terraform-provider/",
-      "permanent": true
-    },
     {
       "source": "/get-started/",
       "destination": "/",
@@ -3287,7 +3277,7 @@
     },
     {
       "source": "/machine-id/guides/",
-      "destination": "/machine-id/",
+      "destination": "/machine-id/introduction/",
       "permanent": true
     },
     {
@@ -3325,11 +3315,6 @@
       "destination": "/machine-id/deployment/gitlab/",
       "permanent": true
     },
-    {
-      "source": "/machine-id/guides/gitlab/",
-      "destination": "/machine-id/deployment/github-actions/",
-      "permanent": true
-    },
     {
       "source": "/server-access/guides/openssh/",
       "destination": "/server-access/guides/openssh/openssh/",

docs/pages/access-controls/access-request-plugins/servicenow.mdx

@@ -63,7 +63,7 @@ To retrieve the ServiceNow rotation ID, navigate to the group record
 of the ServiceNow group the rotation belongs to and right click on
 header, then click 'Select copy sys_id' to copy the ID.
 
-Then using the ServiceNow endpoint '/api/now/on_call_rota/workbench/group/{groupSysId}'
+Then using the ServiceNow endpoint `/api/now/on_call_rota/workbench/group/{groupSysId}`
 retrieve the group's on-call rota information.
 Select the value of the desired 'rota' from the response.
 

docs/pages/access-controls/login-rules/guide.mdx

@@ -17,7 +17,7 @@ cluster on version `11.3.1` or greater.
 
 Login Rules only operate on SSO logins, so make sure you have
 configured an OIDC, SAML, or GitHub connector before you begin.
-Check the [Single Sign-On](../sso/) docs to learn how to set this up.
+Check the [Single Sign-On](../sso.mdx) docs to learn how to set this up.
 
 ## Step 1/5. Configure RBAC
 

docs/pages/application-access/troubleshooting-apps.mdx

@@ -32,61 +32,106 @@ Issues with Cross-Site Request Forgery (CSRF) or Cross-Origin Resource Sharing (
 result in a loss of application functionality, errors in the application itself indicating that
 traffic isn't being permitted, or application logs that indicate CORS or CSRF errors.
 
-### Solution
-
 In most cases, you can fix these types of issues by adding explicit `rewrite` settings for the Origin and Host headers
-in the Teleport configuration file for each application.
+in the Teleport configuration for each application.
 
-To fix CSRF or CORS issues:
+### Solution 1: Application Service configuration file
+
+To fix CSRF or CORS issues if you use statically configured apps in `/etc/teleport.yaml`:
 
 1. Open the `/etc/teleport.yaml` file that contains the application configuration in a text editor.
 
-1. Add a `rewrite.headers` section similar to the following `grafana` example:
+{/*lint ignore ordered-list-marker-value*/}
+2. Add a `rewrite.headers` section similar to the following `grafana` example:
+
+  ```yaml
+  app_service:
+    enabled: true
+    apps:
+    - name: grafana
+      uri: http://localhost:3000
+      public_addr: grafana.teleport.example.com
+      rewrite:
+        headers:
+        - "Origin: https://grafana.teleport.example.com" # Teleport application subdomain prepended with "https://"
+        - "Host: grafana.teleport.example.com" # Teleport application subdomain itself
+  ```
 
-   ```yaml
-   app_service:
-     enabled: true
-     apps:
-     - name: grafana
-       uri: http://localhost:3000
-       public_addr: grafana.teleport.example.com
-       rewrite:
-         headers:
-         - "Origin: https://grafana.teleport.example.com" # Teleport application subdomain prepended with "https://"
-         - "Host: grafana.teleport.example.com" # Teleport application subdomain itself
-   ```
+3. Save your changes and restart the Teleport service.
 
-1. Save your changes and restart the Teleport service.
+### Solution 2: `teleport-kube-agent` values file
 
 To fix CSRF or CORS issues if you deploy applications using Kubernetes and `teleport-kube-agent`:
 
 1. Open the `teleport/examples/chart/teleport-kube-agent/values.yaml` file that contains the application
-   configuration in a text editor.
-
-1. Locate the `apps` section in the `values.yaml` file.
-
-   ```yaml
-   # Details of at least one app to be proxied. Example:
-   # apps:
-   #  - name: grafana
-   #    uri: http://localhost:3000
-   apps: []
-   ```
-
-1. Add a `rewrite.headers` section similar to the following `grafana` example:
-
-   ```yaml
-   app_service:
-     enabled: true
-     apps:
-     - name: grafana
-       uri: http://localhost:3000
-       public_addr: grafana.teleport.example.com
-       rewrite:
-         headers:
-         - "Origin: https://grafana.teleport.example.com" # Teleport application subdomain prepended with "https://"
-         - "Host: grafana.teleport.example.com" # Teleport application subdomain itself
-   ```
+  configuration in a text editor.
+
+{/*lint ignore ordered-list-marker-value*/}
+2. Locate the `apps` section in the `values.yaml` file.
+
+  ```yaml
+  # Details of at least one app to be proxied. Example:
+  # apps:
+  #  - name: grafana
+  #    uri: http://localhost:3000
+  apps: []
+  ```
+
+3. Add a `rewrite.headers` section similar to the following `grafana` example:
+
+  ```yaml
+  apps:
+  - name: grafana
+    uri: http://localhost:3000
+    public_addr: grafana.teleport.example.com
+    rewrite:
+      headers:
+      - "Origin: https://grafana.teleport.example.com" # Teleport application subdomain prepended with "https://"
+      - "Host: grafana.teleport.example.com" # Teleport application subdomain itself
+  ```
+
+### Solution 3: Dynamic app configuration
+
+To fix CSRF or CORS issues if you deploy applications with dynamic configuration:
+
+1. Edit your dynamic app configuration to include the `rewrite.headers` section:
+
+  ```yaml
+  kind: app
+  version: v3
+  metadata:
+    name: grafana
+    labels:
+      env: dev
+  spec:
+    uri: http://localhost:3000
+    public_addr: grafana.teleport.example.com
+    rewrite:
+      headers:
+      - name: "Origin"
+        value: "https://grafana.teleport.example.com" # Teleport application subdomain prepended with "https://"
+      - name: "Host"
+        value: "grafana.teleport.example.com" # Teleport application subdomain itself
+  ```
+
+### Solution 4: Kubernetes app autodiscovery
+
+To fix CSRF or CORS issues if you deploy applications using Kubernetes autodiscovery:
+
+1. Edit your Kubernetes `Service` configuration to include the `rewrite.headers` section:
+
+  ```yaml
+  apiVersion: v1
+  kind: Service
+  metadata:
+    annotations:
+      teleport.dev/app-rewrite: |
+        headers:
+        - name: "Origin"
+          value: "https://grafana.teleport.example.com" # Teleport application subdomain prepended with "https://"
+        - name: "Host"
+          value: "grafana.teleport.example.com" # Teleport application subdomain itself
+  ```
 
 ## Untrusted certificate errors
 

docs/pages/deploy-a-cluster/helm-deployments/aws.mdx

@@ -690,15 +690,14 @@ NOTE: Make sure teleport.example.com:443 points at a Teleport proxy that users c
 </TabItem>
 <TabItem scope={["enterprise", "cloud"]} label="Commercial">
 ```code
-$ kubectl --namespace teleport exec deploy/teleport-auth -- tctl users add test --roles=access,editor,reviewer
+$ kubectl --namespace <Var name="namespace" /> exec deploy/<Var name="release-name" />-auth -- tctl users add test --roles=access,editor,reviewer
 
 User "test" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
 https://teleport.example.com:443/web/invite/91cfbd08bc89122275006e48b516cc68
 
 NOTE: Make sure teleport.example.com:443 points at a Teleport proxy that users can access.
 ```
 </TabItem>
-
 </Tabs>
 
 Load the user creation link to create a password and set up multi-factor authentication for the Teleport user via the web UI.

docs/pages/includes/metrics.mdx

@@ -46,7 +46,7 @@
 | `grpc_server_handled_total`                              | counter   | Teleport Auth       | Total number of RPCs completed on the server, regardless of success or failure.                    |
 | `grpc_server_msg_received_total`                         | counter   | Teleport Auth       | Total number of RPC stream messages received on the server.                                        |
 | `grpc_server_msg_sent_total`                             | counter   | Teleport Auth       | Total number of gRPC stream messages sent by the server.                                           |
-| `heartbeat_connections_received_total`                   | counter   | Teleport Auth       | Number of times the Auth Service received a heartbeat connection.                                  |
+| `heartbeat_connections_received_total`                   | counter   | Teleport Auth       | Number of times the Auth Service received a heartbeat connection, representing total heart beating Agents. |
 | `s3_requests_total`                                      | counter   | Amazon S3           | Total number of requests to the S3 API.                                                            |
 | `s3_requests`                                            | counter   | Amazon S3           | Total number of requests to the S3 API grouped by result.                                          |
 | `s3_requests_seconds`                                    | histogram | Amazon S3           | Request latency for the S3 API.                                                                    |