Merge branch 'branch/v15' into bot/backport-48772-branch/v15

README.md

@@ -12,7 +12,7 @@ Here is why you might use Teleport:
 
 Teleport works with SSH, Kubernetes, databases, RDP, and web services.
 
-* Architecture: https://goteleport.com/docs/architecture/
+* Architecture: https://goteleport.com/docs/reference/architecture/architecture
 * Getting Started: https://goteleport.com/docs/getting-started/
 
 <div align="center">

docs/pages/admin-guides/management/admin/troubleshooting.mdx

@@ -149,7 +149,8 @@ through the [Teleport support portal](https://support.goteleport.com).
 <TabItem scope={["oss"]} label="Teleport Community Edition">
 If you need help, please ask on our [community forum](https://github.com/gravitational/teleport/discussions). You can also open an [issue on GitHub](https://github.com/gravitational/teleport/issues).
 
-For more information about custom features, or to try the [self-hosted Enterprise edition](../../deploy-a-cluster/deploy-a-cluster.mdx) of Teleport, reach out to us at [sales](https://goteleport.com/signup/enterprise/).
+For more information about Enterprise features reach out to [the Teleport sales team](https://goteleport.com/signup/enterprise/).
+You can also sign up for a [free trial](https://goteleport.com/signup) of Teleport Enterprise.
 </TabItem>
 </Tabs>
 

docs/pages/core-concepts.mdx

@@ -39,15 +39,15 @@ Read our guides to how [authorization](reference/architecture/authorization.mdx)
 ### Teleport Proxy Service
 
 The **Teleport Proxy Service** allows for secure access to resources in your
-infrastructure from the public internet without the need for a VPN. 
+infrastructure from the public internet without the need for a VPN.
 
 It establishes reverse tunnels to the **Teleport Auth Service** and **Teleport
 Services**, which can run in private networks. This means that, in the Proxy
 Service's minimal configuration, you can expose only port `443` to the internet
 and run the rest of your infrastructure in private networks.
 
 You can also configure clients to bypass Proxy Service instances and connect to
-resources with Teleport-issued certificates directly. 
+resources with Teleport-issued certificates directly.
 
 Read our guide to [how the Teleport Proxy Service
 works](reference/architecture/proxy.mdx).
@@ -73,7 +73,7 @@ Service](./enroll-resources/application-access/introduction.mdx).
 ### Teleport Database Service
 
 Proxies TCP traffic in the native protocols of popular databases, including
-PostgreSQL and MySQL. 
+PostgreSQL and MySQL.
 
 Read more about the [Teleport Database
 Service](./enroll-resources/database-access/database-access.mdx).
@@ -92,7 +92,7 @@ Proxies HTTP traffic to the Kubernetes API server.
 Read more about the [Teleport Kubernetes
 Service](./enroll-resources/kubernetes-access/introduction.mdx)
 
-### Teleport SSH Service 
+### Teleport SSH Service
 
 An SSH server implementation that allows users to execute commands on remote
 machines while taking advantage of Teleport's built-in access controls,
@@ -104,7 +104,7 @@ Read more about the [Teleport SSH Service](./enroll-resources/server-access/intr
 
 Allows machines and services—called bot users—to communicate securely with
 resources in your infrastructure by automatically provisioning and renewing
-credentials. 
+credentials.
 
 Bot users can connect to resources in your infrastructure without relying
 on static credentials (e.g., certificates and private keys) that become more
@@ -131,7 +131,7 @@ on GitHub.
 
 You can find a detailed comparison of the features available in each Teleport
 edition in [Frequently Asked
-Questions](./faq.mdx#how-is-open-source-different-from-enterprise).
+Questions](./faq.mdx#how-is-teleports-community-edition-different-from-enterprise).
 
 ### Teleport Enterprise Cloud
 
@@ -193,29 +193,29 @@ Ultimately, a Teleport user is the subject of a certificate issued by the
 **Teleport Auth Service**. The Auth Service verifies that a client or service
 attempting to connect has a valid Teleport-issued certificate. It then uses the
 subject of the certificate—including its username and Teleport roles—to
-authorize the user.  
+authorize the user.
 
 Read more about [local users](reference/access-controls/authentication.mdx) and how [SSO
 authentication works in Teleport](admin-guides/access-controls/sso/sso.mdx).
 
 ### Authentication connector
 
 An authentication connector is a **configuration resource** that allows users to
-authenticate to Teleport via a Single Sign-On (SSO) solution. 
+authenticate to Teleport via a Single Sign-On (SSO) solution.
 
 See our guide to [Authentication Options](reference/access-controls/authentication.mdx).
 
 ### Trusted clusters
 
-Teleport allows you to configure a **trusted cluster relationship** between a 
-**root cluster** and one or more **leaf clusters** that trust the root cluster 
-certificate authority. The trust relationship between the root and leaf clusters 
-enables users authenticated in the root cluster to access resources 
+Teleport allows you to configure a **trusted cluster relationship** between a
+**root cluster** and one or more **leaf clusters** that trust the root cluster
+certificate authority. The trust relationship between the root and leaf clusters
+enables users authenticated in the root cluster to access resources
 in leaf cluster. The root and leaf cluster operate independently with their own
 users, roles, and resources, but the trust relationship allows users with certain roles
 in the root cluster to be mapped to roles and permissions defined in the leaf cluster.
 
 For more information about how to configure a trust relationship between clusters,
-see [Configure Trusted Clusters](admin-guides/management/admin/trustedclusters.mdx). 
-For an overview of the architecture used in a trusted cluster relationship, see 
+see [Configure Trusted Clusters](admin-guides/management/admin/trustedclusters.mdx).
+For an overview of the architecture used in a trusted cluster relationship, see
 [Trusted Cluster Architecture](reference/architecture/trustedclusters.mdx).

docs/pages/faq.mdx

@@ -11,32 +11,24 @@ Fortune 500 companies. It has been through several security audits from
 nationally recognized technology security companies, so we are comfortable with
 the stability of Teleport from a security perspective.
 
-## Can Teleport be deployed in agentless mode?
-
-Yes. All Teleport services support agentless mode, where the service proxies
-traffic to an upstream infrastructure resource not available on `localhost`.
+## Can I connect to nodes behind a firewall?
 
-With Teleport in agentless mode, you can easily control access to SSH servers,
-Kubernetes clusters, desktops, databases, and internal applications without
-running any additional software on your servers. Agentless mode supports session
-recordings and audit logs for deep understanding into user behavior.
+Yes, Teleport supports reverse SSH tunnels out of the box. To configure
+behind-firewall clusters, see [Configure Trusted Clusters](admin-guides/management/admin/trustedclusters.mdx).
 
-For capabilities such as kernel-level logging and user provisioning, we
-recommend Teleport as a drop in replacement for OpenSSH. Since Teleport replaces
-the OpenSSH agent while preserving OpenSSH's functionality, you get more
-functionality without a net addition of an agent on your system.
+## How is Teleport's Community Edition different from Enterprise?
 
-## Can I use OpenSSH with a Teleport cluster?
+Teleport provides two editions:
 
-Yes, this question comes up often and is related to the previous one. Take a
-look at [Using OpenSSH Guide](enroll-resources/server-access/openssh/openssh-agentless.mdx).
+- Teleport Enterprise
+- Teleport Community Edition
 
-## Can I connect to nodes behind a firewall?
+Here is a detailed breakdown of the differences between Teleport's editions.
 
-Yes, Teleport supports reverse SSH tunnels out of the box. To configure
-behind-firewall clusters, see [Configure Trusted Clusters](admin-guides/management/admin/trustedclusters.mdx).
+(!docs/pages/includes/edition-comparison.mdx!)
 
 ## Should we use Teleport Enterprise or Teleport Community Edition for connecting resources to our Teleport cluster?
+
 (!docs/pages/includes/ent-vs-community-faq.mdx!)
 
 ## Can individual agents create reverse tunnels to the Proxy Service without creating a new cluster?
@@ -54,6 +46,26 @@ Yes, Teleport supports tunnel multiplexing on a single port. Set the
 setting in the `proxy_service` configuration. Teleport will automatically use
 multiplexing with that configuration.
 
+## Can Teleport be deployed in agentless mode?
+
+Yes. All Teleport services support agentless mode, where the service proxies
+traffic to an upstream infrastructure resource not available on `localhost`.
+
+With Teleport in agentless mode, you can easily control access to SSH servers,
+Kubernetes clusters, desktops, databases, and internal applications without
+running any additional software on your servers. Agentless mode supports session
+recordings and audit logs for deep understanding into user behavior.
+
+For capabilities such as kernel-level logging and user provisioning, we
+recommend Teleport as a drop in replacement for OpenSSH. Since Teleport replaces
+the OpenSSH agent while preserving OpenSSH's functionality, you get more
+functionality without a net addition of an agent on your system.
+
+## Can I use OpenSSH with a Teleport cluster?
+
+Yes, this question comes up often and is related to the previous one. Take a
+look at [Using OpenSSH Guide](enroll-resources/server-access/openssh/openssh-agentless.mdx).
+
 ## Can I copy files from one Teleport node to another?
 
 Yes, Teleport supports [Headless WebAuthn authentication](admin-guides/access-controls/guides/headless.mdx),
@@ -65,7 +77,7 @@ are not logged in to Teleport or may not have access to a browser.
 If your host machine is joined to an Active Directory domain, you might find user lookups take a
 lot longer than you expect. The number of Active Directory accounts that must be scanned to
 perform a user lookup can cause tsh to hang waiting to get information about the current user.
-To fix this issue, you can use environment variables to set default account information for your 
+To fix this issue, you can use environment variables to set default account information for your
 Teleport user. If you are experiencing long lookup times on Windows, do the following:
 
 - Either set the `TELEPORT_USER` environment variable or set the `--user` flag to the name of your Teleport user.
@@ -75,18 +87,6 @@ Teleport user. If you are experiencing long lookup times on Windows, do the foll
 You can set these environment variables globally in Windows so that you don't have to set them every
 time you run `tsh`.
 
-## How is Open Source different from Enterprise?
-
-Teleport provides three editions:
-
-- Teleport Enterprise
-- Teleport Enterprise Cloud
-- Teleport Community Edition
-
-Here is a detailed breakdown of the differences between Teleport's editions.
-
-(!docs/pages/includes/edition-comparison.mdx!)
-
 ## Which version of Teleport is supported?
 
 Teleport releases a new major version approximately every 4 months, and provides
@@ -121,6 +121,19 @@ Please refer to our [Networking](./reference/networking.mdx) guide.
 Teleport offers this feature for the Enterprise (Cloud) and Enterprise
 (Self-Hosted) versions of Teleport.
 
+## Why do changes to a user's role set only take effect on the log next login?
+
+A Teleport user's assigned roles are embedded in the client certificate they
+receive upon logging on. This certificate remains valid and can be used until
+its expiry, even if the user's role set has changed.
+
+To get a new certificate with the new role set, the user will need to log out
+and log back in.
+
+Revocation of Teleport access should be done with Teleport's
+[session and identity locks](./admin-guides/access-controls/guides/locking.mdx),
+not by removing roles.
+
 ## Does Teleport support provisioning users via SCIM?
 
 Teleport supports [SCIM](https://scim.cloud/) provisioning for Okta via the
@@ -144,7 +157,10 @@ Service and Auth Service, as well as agents running other Teleport Services.
 
 Teleport requires a minimum of TLS version 1.2.
 
-This means that when applications and clients establish or accept TLS connections with Teleport processes, they must use TLS 1.2 or a higher protocol version. Teleport enforces this requirement in all operations that involve TLS connections.
+This means that when applications and clients establish or accept TLS
+connections with Teleport processes, they must use TLS 1.2 or a higher protocol
+version. Teleport enforces this requirement in all operations that involve TLS
+connections.
 
 ## Can I suppress warnings about available upgrades?
 

docs/pages/reference/helm-reference/teleport-cluster.mdx

@@ -606,6 +606,22 @@ $ kubectl --namespace teleport create secret generic license --from-file=/path/t
   enterprise: true
   ```
 
+### `licenseSecretName`
+
+| Type     | Default value  |
+|----------|----------------|
+| `string` | `license`      |
+
+`licenseSecretName` controls Kubernetes secret name for the Enterprise license.
+
+By using this value you will update the Kubernetes volume specification to mount Secret based volume to the container using custom name.
+
+`values.yaml` example:
+
+  ```yaml
+  licenseSecretName: enterprise-license
+  ```
+
 ## `installCRDs`
 
 | Type   | Default value |

examples/README.md

@@ -1,9 +1,5 @@
 # Examples
 
-## Configuration Examples
-
-* [local-cluster](https://github.com/gravitational/teleport/tree/master/examples/local-cluster) : Sample configuration of a 3-node Teleport cluster using just a single machine
-
 ## Daemon Configuration
 
 * [systemd](https://github.com/gravitational/teleport/tree/master/examples/systemd) : Service file for systemd
@@ -13,7 +9,6 @@
 
 * [AWS: CloudFormation](https://github.com/gravitational/teleport/tree/master/examples/aws/cloudformation#aws-cloudformation-based-provisioning-example) : CloudFormation templates as an example of how to setup HA Teleport in AWS using our AMIs.
 * [AWS: Terraform](https://github.com/gravitational/teleport/tree/master/examples/aws/terraform#terraform-based-provisioning-example-amazon-single-ami) : Terraform specifies example provisioning script for Teleport auth, proxy and nodes in HA mode. 
-* [AWS: EKS. External Link](https://aws.amazon.com/blogs/opensource/authenticating-eks-github-credentials-teleport/)
 
 ## Kubernetes - Helm Charts
 
@@ -33,4 +28,4 @@
 
 ### Trusted Cluster
 * [Trusted Cluster Resource](https://github.com/gravitational/teleport/blob/master/examples/resources/trusted_cluster.yaml)
-* [Trusted Cluster Resource - With RBAC (Enterprise Only)](https://github.com/gravitational/teleport/blob/master/examples/resources/trusted_cluster_enterprise.yaml)
+* [Trusted Cluster Resource - With RBAC (Enterprise Only)](https://github.com/gravitational/teleport/blob/master/examples/resources/trusted_cluster_enterprise.yaml)

examples/chart/teleport-cluster/.lint/auth-enterprise-license.yaml

@@ -0,0 +1,4 @@
+clusterName: helm-lint
+enterprise: true
+licenseSecretName: enterprise-license
+

examples/chart/teleport-cluster/templates/auth/deployment.yaml

@@ -266,7 +266,7 @@ spec:
 {{- if $auth.enterprise }}
       - name: license
         secret:
-          secretName: "license"
+          secretName: {{ $auth.licenseSecretName | quote }}
 {{- end }}
 {{- if and ($auth.gcp.credentialSecretName) (eq $auth.chartMode "gcp") }}
       - name: gcp-credentials

examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml

@@ -84,7 +84,7 @@ spec:
 {{- if .Values.enterprise }}
       - name: license
         secret:
-          secretName: "license"
+          secretName: {{ .Values.licenseSecretName | quote }}
 {{- end }}
 {{- if and (.Values.gcp.credentialSecretName) (eq .Values.chartMode "gcp") }}
       - name: gcp-credentials

examples/chart/teleport-cluster/tests/auth_deployment_test.yaml

@@ -215,6 +215,30 @@ tests:
             secret:
               secretName: license
 
+  - it: should use enterprise image and mount license with custom secret name when enterprise is set in values
+    template: auth/deployment.yaml
+    set:
+      clusterName: helm-lint.example.com
+      enterprise: true
+      licenseSecretName: enterprise-license
+      teleportVersionOverride: 12.2.1
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /var/lib/license
+            name: "license"
+            readOnly: true
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: license
+            secret:
+              secretName: enterprise-license
+
   - it: should use OSS image and not mount license when enterprise is not set in values
     template: auth/deployment.yaml
     set:

examples/chart/teleport-cluster/values.schema.json

@@ -286,6 +286,11 @@
             "type": "boolean",
             "default": false
         },
+        "licenseSecretName": {
+            "$id": "#/properties/licenseSecretName",
+            "type": "string",
+            "default": "license"
+        },
         "installCRDs": {
             "$id": "#/properties/installCRDs",
             "type": "boolean"

examples/chart/teleport-cluster/values.yaml

@@ -245,7 +245,8 @@ acmeURI: ""
 # You will need to download your Enterprise license from the Teleport dashboard and create a secret to use this:
 # kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem
 enterprise: false
-
+# Override default Enterprise license name
+licenseSecretName: "license"
 # CRDs are installed by default when the operator is enabled. This manual override allows to disable CRD installation
 # when deploying multiple releases in the same cluster.
 # installCRDs:

integration/hostuser_test.go

@@ -499,6 +499,28 @@ func TestRootHostUsers(t *testing.T) {
 		require.NoError(t, err)
 		require.False(t, hasExpirations)
 	})
+
+	t.Run("Test migrate unmanaged user", func(t *testing.T) {
+		t.Cleanup(func() { cleanupUsersAndGroups([]string{testuser}, []string{types.TeleportKeepGroup}) })
+
+		users := srv.NewHostUsers(context.Background(), presence, "host_uuid")
+		_, err := host.UserAdd(testuser, nil, "", "", "")
+		require.NoError(t, err)
+
+		closer, err := users.UpsertUser(testuser, services.HostUsersInfo{Mode: types.CreateHostUserMode_HOST_USER_MODE_KEEP, Groups: []string{types.TeleportKeepGroup}})
+		require.NoError(t, err)
+		require.Nil(t, closer)
+
+		u, err := user.Lookup(testuser)
+		require.NoError(t, err)
+
+		gids, err := u.GroupIds()
+		require.NoError(t, err)
+
+		keepGroup, err := user.LookupGroup(types.TeleportKeepGroup)
+		require.NoError(t, err)
+		require.Contains(t, gids, keepGroup.Gid)
+	})
 }
 
 type hostUsersBackendWithExp struct {