Skip to content

Commit

Permalink
Merge remote-tracking branch 'origin/master' into vapopov/client-auto…
Browse files Browse the repository at this point in the history
…-updates-for-tctl-tsh
  • Loading branch information
vapopov committed Oct 25, 2024
2 parents 48a1159 + 02bb832 commit 66c34a6
Show file tree
Hide file tree
Showing 566 changed files with 24,193 additions and 10,408 deletions.
6 changes: 5 additions & 1 deletion .github/ISSUE_TEMPLATE/test-plan-docs.md
Original file line number Diff line number Diff line change
Expand Up @@ -36,11 +36,15 @@ to determine the rollout date.
git submodule add https://github.com/gravitational/teleport content/<VERSION>.x
```

## Is the docs site up to date with the new release?
## Is the docs site content up to date with the new release?

- [ ] Verify that Teleport version variables are correct and reflect the upcoming
release. Check `docs/config.json` for this.

- [ ] Ensure that redirects (as configured in `docs/config.json`) only exist for
the default version of the docs site, and have been removed from other
versions.

- [ ] Remove version warnings in the docs that mention a version we no longer
support _except_ for the last EOL version. E.g., if we no longer support
version 10, remove messages saying "You need at least version n to use this
Expand Down
11 changes: 11 additions & 0 deletions .github/ISSUE_TEMPLATE/testplan.md
Original file line number Diff line number Diff line change
Expand Up @@ -1335,6 +1335,17 @@ manualy testing.
- [ ] Banner goes away if you reduce number of non-AD desktops to less or equal 5 (check occurs every 5 minutes so you may need to wait to confirm)
- [ ] Installer in GUI mode successfully uninstalls Authentication Package (logging in is not possible)
- [ ] Installer successfully uninstalls Authentication Package (logging in is not possible) when invoked from command line
- Dynamic registration
- [ ] Dynamic Windows desktop resources can be added, removed, and updated using `tctl`
- [ ] `tctl get dynamic_windows_desktop` works with all supported formats
- [ ] Adding dynamic Windows desktop that doesn't match labels for any Windows Desktop Service does not create any
Windows desktop
- [ ] Adding dynamic Windows desktop that matches some `windows_desktop_services`s creates Windows desktops for each
matching WDS
- [ ] Updating dynamic Windows desktop updates corresponding Windows desktops
- [ ] Updating dynamic Windows desktop's labels so it no longer matches `windows_desktop_services` deletes
corresponding Windows desktops
- [ ] Deleting dynamic Windows desktop deletes corresponding Windows desktops

## Binaries / OS compatibility

Expand Down
102 changes: 99 additions & 3 deletions .github/ISSUE_TEMPLATE/webtestplan.md
Original file line number Diff line number Diff line change
Expand Up @@ -175,11 +175,14 @@ All actions should require re-authn with a webauthn device.

Use Discover Wizard to enroll new resources and access them:

- [ ] SSH Server (teleport service, singular EC2, SSM agent)
- [ ] SSH Server using Teleport Service
- [ ] Self-Hosted PostgreSQL and Mongo
- [ ] AWS RDS (singular RDS, auto discover with ECS)
- [ ] Kubernetes
- [ ] AWS EKS cluster
- [ ] Using an AWS OIDC Integration
- [ ] EC2 Auto Enrollment (SSM)
- [ ] RDS flow: single database
- [ ] RDS flow: Auto Enrollment (by VPC)
- [ ] EKS Clusters
- [ ] Non-guided cards link out to correct docs

#### Access Lists
Expand Down Expand Up @@ -259,6 +262,99 @@ spec:
- [ ] Verify that root is marked with a `root` pill
- [ ] Verify that cluster dropdown menu items goes to the correct route

## Application Access

### Required Applications

Create two apps running locally, a frontend app and a backend app. The frontend app should
make an API request to the backend app at its teleport public_addr

<details>
<summary>You can use this example app if you don't have a frontend/backend setup</summary>

```go
package main

import (
"encoding/json"
"fmt"
"log"
"net/http"
)

// change to your cluster addr
const clusterName = "avatus.sh"

func main() {
// handler for the html page. this is the "client".
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
html := fmt.Sprintf(html, clusterName)
w.Header().Set("Content-Type", "text/html")
w.Write([]byte(html))
})

// Handler for the API endpoint
http.HandleFunc("/api/data", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Origin", fmt.Sprintf("https://client.%s", clusterName))
w.Header().Set("Access-Control-Allow-Credentials", "true")
data := map[string]string{"hello": "world"}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(data)
})

log.Println("Server starting on http://localhost:8080")
log.Fatal(http.ListenAndServe(":8080", nil))
}

const html = `
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>API Data Fetcher</title>
</head>
<body>
<div id="result"></div>
<div id="cors-result"></div>
<script>
fetch('https://api.%s/api/data', { credentials: 'include' })
.then(response => response.json())
.then(data => {
document.getElementById('result').textContent = JSON.stringify(data);
})
.catch(error => console.error('Error:', error));
</script>
</body>
</html>
`
```
</details>

Update your app service to serve the apps like this (update your public addr to what makes sense for your cluster)
```
app_service:
enabled: "yes"
debug_app: true
apps:
- name: client
uri: http://localhost:8080
public_addr: client.avatus.sh
required_apps:
- api
- name: api
uri: http://localhost:8080
public_addr: api.avatus.sh
cors:
allowed_origins:
- https://client.avatus.sh
```

Launch your cluster and make sure you are logged out of your api by going to `https://api.avatus.sh/teleport-logout`

- [ ] Launch the client app and you should see `{"hello":"world"}` response
- [ ] You should see no CORS issues in the console

## Access Requests

Not available for OSS
Expand Down
35 changes: 35 additions & 0 deletions .golangci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@ linters:
- testifylint
- unconvert
- unused
- forbidigo

linters-settings:
depguard:
Expand Down Expand Up @@ -184,6 +185,36 @@ linters-settings:
desc: '"lib/system/signal" requires CGO'
- pkg: github.com/gravitational/teleport/lib/vnet/daemon
desc: '"vnet/daemon" requires CGO'
# Prevent importing go-cmp into production code. From the go-cmp docs:
# > It is intended to only be used in tests, as performance is not a goal
# > and it may panic if it cannot compare the values. Its propensity towards
# > panicking means that its unsuitable for production environments where a
# > spurious panic may be fatal.
go-cmp:
files:
# Tests can do anything
- '!$test'
# Various test helpers defined outside _test.go files are allowed
- '!**/integration/helpers/**'
- '!**/integrations/operator/controllers/resources/testlib/**'
- '!**/lib/auth/test/**'
- '!**/lib/services/suite/**'
# Non-compliant legacy code. These should be converted to compare by another mechanism
# and be removed from this list in the future. Use caution before adding any additional
# exclusions to this list.
- '!**/e/lib/accesslist/equal.go'
- '!**/e/lib/auth/saml.go'
- '!**lib/services/authority.go'
- '!**lib/services/compare.go'
- '!**/lib/services/local/access_list.go'
- '!**/lib/services/local/users.go'
- '!**/lib/services/server.go'
- '!**/lib/services/user.go'
deny:
- pkg: github.com/google/go-cmp/cmp
desc: '"github.com/google/go-cmp/cmp" should only be used in tests'
- pkg: github.com/google/go-cmp/cmp/cmpopts
desc: '"github.com/google/go-cmp/cmp/cmpopts" should only be used in tests'
errorlint:
comparison: true
asserts: true
Expand Down Expand Up @@ -228,6 +259,10 @@ linters-settings:
- len
- suite-extra-assert-call
- suite-thelper
forbidigo:
forbid:
- p: '^rsa\.GenerateKey$'
msg: 'generating RSA keys is slow, use lib/cryptosuites to generate an appropriate key type'

output:
uniq-by-line: false
Expand Down
30 changes: 15 additions & 15 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -386,7 +386,7 @@ applications in Kubernetes clusters. When connected to a Kubernetes cluster (or
deployed as a Helm chart), the Teleport Discovery Service will automatically find
and enroll web applications with your Teleport cluster.

See documentation [here](docs/pages/enroll-resources/auto-discovery/kubernetes-applications.mdx).
See documentation [here](docs/pages/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications.mdx).

#### Extended Kubernetes per-resource RBAC

Expand Down Expand Up @@ -1909,7 +1909,7 @@ is more than one major version behind them. You can use the `--skip-version-chec
bypass the version check.

Take a look at component compatibility guarantees in the
[documentation](docs/pages/upgrading.mdx).
[documentation](docs/pages/upgrading/upgrading.mdx).

#### HTTP_PROXY for reverse tunnels

Expand Down Expand Up @@ -2898,7 +2898,7 @@ if err = clt.CreateAccessRequest(ctx, accessRequest); err != nil {

### Upgrade Notes

Please follow our [standard upgrade procedure](docs/pages/admin-guides/management/admin.mdx) to upgrade your cluster.
Please follow our [standard upgrade procedure](docs/pages/admin-guides/management/admin/admin.mdx) to upgrade your cluster.

Note, for clusters using GitHub SSO and Trusted Clusters, when upgrading SSO users will lose connectivity to leaf clusters. Local users will not be affected.

Expand Down Expand Up @@ -3149,7 +3149,7 @@ Other updates:

* We now provide local user management via `https://[cluster-url]/web/users`, providing the ability to edit, reset and delete local users.
* Teleport Node & App Install scripts. This is currently an Enterprise-only feature that provides customers with an 'auto-magic' installer script. Enterprise customers can enable this feature by modifying the 'token' resource. See note above.
* We've added a Waiting Room for customers using Access Workflows. [Docs](docs/pages/admin-guides/access-controls/access-request-plugins.mdx)
* We've added a Waiting Room for customers using Access Workflows. [Docs](docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx)

##### Signed RPM and Releases

Expand Down Expand Up @@ -3183,7 +3183,7 @@ We've added an [API Guide](docs/pages/admin-guides/api/api.mdx) to simply develo

#### Upgrade Notes

Please follow our [standard upgrade procedure](./docs/pages/upgrading.mdx).
Please follow our [standard upgrade procedure](docs/pages/upgrading/upgrading.mdx).

* Optional: Consider updating `https_key_file` & `https_cert_file` to our new `https_keypairs:` format.
* Optional: Consider migrating Kubernetes access from `proxy_service` to `kubernetes_service` after the upgrade.
Expand Down Expand Up @@ -3327,7 +3327,7 @@ auth_service:
#### Upgrade Notes

Please follow our [standard upgrade
procedure](docs/pages/upgrading.mdx).
procedure](docs/pages/upgrading/upgrading.mdx).

## 4.3.9

Expand Down Expand Up @@ -3412,7 +3412,7 @@ Teleport's Web UI now exposes Teleport’s Audit log, letting auditors and admin

##### Teleport Plugins

Teleport 4.3 introduces four new plugins that work out of the box with [Approval Workflow](docs/pages/admin-guides/access-controls/access-request-plugins.mdx). These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below.
Teleport 4.3 introduces four new plugins that work out of the box with [Approval Workflow](docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx). These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below.

* [PagerDuty](docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx)
* [Jira](docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-jira.mdx)
Expand Down Expand Up @@ -3448,7 +3448,7 @@ Teleport 4.3 introduces four new plugins that work out of the box with [Approval
#### Upgrade Notes

Always follow the [recommended upgrade
procedure](./docs/pages/upgrading.mdx) to upgrade to this version.
procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version.

##### New Signing Algorithm

Expand Down Expand Up @@ -3489,7 +3489,7 @@ permissions](./docs/pages/enroll-resources/kubernetes-access/controls.mdx).
The [etcd backend](docs/pages/reference/backends.mdx#etcd) now correctly uses
the “prefix” config value when storing data. Upgrading from 4.2 to 4.3 will
migrate the data as needed at startup. Make sure you follow our Teleport
[upgrade guidance](docs/pages/upgrading.mdx).
[upgrade guidance](docs/pages/upgrading/upgrading.mdx).

**Note: If you use an etcd backend with a non-default prefix and need to downgrade from 4.3 to 4.2, you should [backup Teleport data and restore it](docs/pages/admin-guides/management/operations/backup-restore.mdx) into the downgraded cluster.**

Expand Down Expand Up @@ -3612,7 +3612,7 @@ This is a minor Teleport release with a focus on new features and bug fixes.
### Improvements

* Alpha: Enhanced Session Recording lets you know what's really happening during a Teleport Session. [#2948](https://github.com/gravitational/teleport/issues/2948)
* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](docs/pages/admin-guides/access-controls/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006)
* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006)
* Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. [Read the docs](docs/pages/admin-guides/deploy-a-cluster/deployments/gcp.mdx). [#2821](https://github.com/gravitational/teleport/pull/2821)
* Remote tctl execution is now possible. [Read the docs](./docs/pages/reference/cli/tctl.mdx). [#1525](https://github.com/gravitational/teleport/issues/1525) [#2991](https://github.com/gravitational/teleport/issues/2991)

Expand Down Expand Up @@ -3868,7 +3868,7 @@ The lists of improvements and bug fixes above mention only the significant chang

### Upgrading

Teleport 4.0 is backwards compatible with Teleport 3.2 and later. [Follow the recommended upgrade procedure to upgrade to this version.](docs/pages/upgrading.mdx)
Teleport 4.0 is backwards compatible with Teleport 3.2 and later. [Follow the recommended upgrade procedure to upgrade to this version.](docs/pages/upgrading/upgrading.mdx)

Note that due to substantial changes between Teleport 3.2 and 4.0, we recommend creating a backup of the backend datastore (DynamoDB, etcd, or dir) before upgrading a cluster to Teleport 4.0 to allow downgrades.

Expand Down Expand Up @@ -4136,7 +4136,7 @@ on Github for more.
#### Upgrading to 3.0

Follow the [recommended upgrade
procedure](docs/pages/upgrading.mdx) to upgrade to this
procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this
version.

**WARNING:** if you are using Teleport with the etcd back-end, make sure your
Expand Down Expand Up @@ -4242,7 +4242,7 @@ As always, this release contains several bug fixes. The full list can be seen [h
#### Upgrading

Follow the [recommended upgrade
procedure](docs/pages/upgrading.mdx) to upgrade to this
procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this
version.

## 2.6.9
Expand Down Expand Up @@ -4372,7 +4372,7 @@ You can see the full list of 2.6.0 changes [here](https://github.com/gravitation
#### Upgrading

Follow the [recommended upgrade
procedure](docs/pages/upgrading.mdx) to upgrade to this
procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this
version.

## 2.5.7
Expand Down Expand Up @@ -4459,7 +4459,7 @@ release, which includes:

* The Teleport daemon now implements built-in connection draining which allows
zero-downtime upgrades. [See
documentation](docs/pages/upgrading.mdx).
documentation](docs/pages/upgrading/upgrading.mdx).

* Dynamic join tokens for new nodes can now be explicitly set via `tctl node add --token`.
This allows Teleport admins to use an external mechanism for generating
Expand Down
Loading

0 comments on commit 66c34a6

Please sign in to comment.