Merge branch 'branch/v16' into strideynet/v16/backport-44615

build.assets/versions.mk

@@ -4,7 +4,7 @@
 
 # Sync with devbox.json.
 GOLANG_VERSION ?= go1.22.7
-GOLANGCI_LINT_VERSION ?= v1.60.3
+GOLANGCI_LINT_VERSION ?= v1.61.0
 
 NODE_VERSION ?= 20.14.0
 

docs/pages/admin-guides/access-controls/sso.mdx

@@ -209,9 +209,12 @@ $ tsh login --proxy=proxy.example.com --auth=github --bind-addr=localhost:1234 -
 ```
 
 For this to work the hostname or CIDR of the remote machine that will be used for
-the callback will need to be allowed  via`spec.client_redirect_settings`:
+the callback will need to be allowed via your auth connector's `client_redirect_settings`:
 
 ```code
+kind: oidc
+metadata:
+  name: example-connector
 spec:
   client_redirect_settings:
     # a list of hostnames allowed for HTTPS client redirect URLs

docs/pages/admin-guides/management/export-audit-events.mdx

@@ -28,3 +28,5 @@ events to your solution of choice:
 - [Monitor Teleport Audit Events with Splunk](./export-audit-events/splunk.mdx):
   How to configure the Event Handler plugin to send logs to Splunk's Universal
   Forwarder so you can explore your audit events in Splunk.
+- [Monitor Teleport Audit Events with Datadog](./export-audit-events/datadog.mdx):
+  How to configure the Event Handler plugin to export audit logs to Datadog via Fluentd.

docs/pages/admin-guides/management/security/revoking-access.mdx

@@ -12,7 +12,7 @@ There are two options available for revoking access: CA rotations and Teleport l
 ## CA rotations
 
 To generate a new certificate authority and invalidate user certificates issued
-by the current CA, run `tctl auth rotate --type-user`. This process will require
+by the current CA, run `tctl auth rotate --type=user`. This process will require
 that the newly generated CA certificate is uploaded to your entire fleet of
 OpenSSH servers. This can be a disruptive change, especially in environments
 that lack automation, so proceed with caution.

docs/pages/enroll-resources/database-access/enroll-aws-databases/rds.mdx

@@ -292,7 +292,7 @@ $ tsh db ls
 Retrieve credentials for the database and connect to it as the `alice` user:
 
 ```code
-$ tsh db connect --db-user=postgres --db-name=postgres rds-example
+$ tsh db connect --db-user=alice --db-name=postgres rds-example
 ```
 
 <Admonition type="note" title="Note">

docs/pages/upcoming-releases.mdx

@@ -9,11 +9,20 @@ The Teleport team delivers a new major release roughly every 4 months.
 
 | Version | Date               |
 |---------|--------------------|
-| 16.3.0  | September 16, 2024 |
+| 16.3.0  | September 13, 2024 |
+| 16.4.0  | September 18, 2024 |
 | 17.0.0  | October 31, 2024   |
 
 ### 16.3.0
 
+#### Out-of-band user creation
+
+Cluster administrators will be able to configure Teleport's `ssh_service` to
+ensure that certain host users exist on the machine without the need to start
+an SSH session.
+
+### 16.4.0
+
 #### Machine ID for Terraform Cloud
 
 Teleport will support secure joining via Terraform Cloud, allowing Machine ID
@@ -34,12 +43,6 @@ Teleport will support web application access where one application depends on
 another. For example, you may have a web application that depends on a backend
 API service, of which are separate apps protected by Teleport.
 
-#### Out-of-band user creation
-
-Cluster administrators will be able to configure Teleport's `ssh_service` to
-ensure that certain host users exist on the machine without the need to start
-an SSH session.
-
 ### 17.0.0
 
 #### New Nav
@@ -103,8 +106,11 @@ The key deliverables for Teleport Cloud in the next quarter:
 
 | Week of            | Description                                                    |
 |--------------------|----------------------------------------------------------------|
+| September 9, 2024  | Teleport Policy 1.24.0 will begin rollout on Cloud.            |
 | September 16, 2024 | Teleport 16.3 will begin rollout on Cloud.                     |
 | September 16, 2024 | Teleport 16.3 agents will begin rollout to eligible tenants.   |
+| September 30, 2024 | Teleport 16.4 will begin rollout on Cloud.                     |
+| September 30, 2024 | Teleport 16.4 agents will begin rollout to eligible tenants.   |
 | December 2, 2024   | Teleport 17.1 will begin rollout on Cloud.                     |
 | December 2, 2024   | Teleport 17.1 agents will begin rollout to eligible tenants.   |
 

examples/chart/teleport-kube-agent/templates/statefulset.yaml

@@ -13,6 +13,10 @@ metadata:
   {{- if .Values.extraLabels.deployment }}
     {{- toYaml .Values.extraLabels.deployment | nindent 4 }}
   {{- end }}
+  {{- if .Values.annotations.deployment }}
+  annotations:
+    {{- toYaml .Values.annotations.deployment | nindent 4 }}
+  {{- end }}
 spec:
   serviceName: {{ .Release.Name }}
   replicas: {{ $replicaCount }}

examples/chart/teleport-kube-agent/tests/statefulset_test.yaml

@@ -44,6 +44,19 @@ tests:
       - matchSnapshot:
           path: spec.template.spec
 
+  - it: sets StatefulSet annotations when specified
+    template: statefulset.yaml
+    values:
+      - ../.lint/stateful.yaml
+      - ../.lint/annotations.yaml
+    asserts:
+      - equal:
+          path: metadata.annotations.kubernetes\.io/deployment
+          value: test-annotation
+      - equal:
+          path: metadata.annotations.kubernetes\.io/deployment-different
+          value: 3
+
   - it: sets Pod annotations when specified
     template: statefulset.yaml
     values:

integrations/access/accessmonitoring/access_monitoring_rules.go

@@ -45,6 +45,7 @@ type RuleHandler struct {
 
 	apiClient  teleport.Client
 	pluginType string
+	pluginName string
 
 	fetchRecipientCallback func(ctx context.Context, recipient string) (*common.Recipient, error)
 }
@@ -60,6 +61,7 @@ type RuleMap struct {
 type RuleHandlerConfig struct {
 	Client     teleport.Client
 	PluginType string
+	PluginName string
 
 	// FetchRecipientCallback is a callback that maps recipient strings to plugin Recipients.
 	FetchRecipientCallback func(ctx context.Context, recipient string) (*common.Recipient, error)
@@ -73,6 +75,7 @@ func NewRuleHandler(conf RuleHandlerConfig) *RuleHandler {
 		},
 		apiClient:              conf.Client,
 		pluginType:             conf.PluginType,
+		pluginName:             conf.PluginName,
 		fetchRecipientCallback: conf.FetchRecipientCallback,
 	}
 }
@@ -161,7 +164,7 @@ func (amrh *RuleHandler) getAllAccessMonitoringRules(ctx context.Context) ([]*ac
 	for {
 		var page []*accessmonitoringrulesv1.AccessMonitoringRule
 		var err error
-		page, nextToken, err = amrh.apiClient.ListAccessMonitoringRulesWithFilter(ctx, defaultAccessMonitoringRulePageSize, nextToken, []string{types.KindAccessRequest}, amrh.pluginType)
+		page, nextToken, err = amrh.apiClient.ListAccessMonitoringRulesWithFilter(ctx, defaultAccessMonitoringRulePageSize, nextToken, []string{types.KindAccessRequest}, amrh.pluginName)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
@@ -187,7 +190,7 @@ func (amrh *RuleHandler) getAccessMonitoringRules() map[string]*accessmonitoring
 }
 
 func (amrh *RuleHandler) ruleApplies(amr *accessmonitoringrulesv1.AccessMonitoringRule) bool {
-	if amr.Spec.Notification.Name != amrh.pluginType {
+	if amr.Spec.Notification.Name != amrh.pluginName {
 		return false
 	}
 	return slices.ContainsFunc(amr.Spec.Subjects, func(subject string) bool {

integrations/access/accessmonitoring/access_monitoring_rules_test.go

@@ -36,15 +36,16 @@ func mockFetchRecipient(ctx context.Context, recipient string) (*common.Recipien
 
 func TestHandleAccessMonitoringRule(t *testing.T) {
 	amrh := NewRuleHandler(RuleHandlerConfig{
-		PluginType:             "fakePlugin",
+		PluginType:             "fakePluginType",
+		PluginName:             "fakePluginName",
 		FetchRecipientCallback: mockFetchRecipient,
 	})
 
 	rule1, err := services.NewAccessMonitoringRuleWithLabels("rule1", nil, &pb.AccessMonitoringRuleSpec{
 		Subjects:  []string{types.KindAccessRequest},
 		Condition: "true",
 		Notification: &pb.Notification{
-			Name:       "fakePlugin",
+			Name:       "fakePluginName",
 			Recipients: []string{"a", "b"},
 		},
 	})
@@ -76,3 +77,46 @@ func TestHandleAccessMonitoringRule(t *testing.T) {
 	})
 	require.Empty(t, amrh.getAccessMonitoringRules())
 }
+
+func TestHandleAccessMonitoringRulePluginNameMisMatch(t *testing.T) {
+	amrh := NewRuleHandler(RuleHandlerConfig{
+		PluginName:             "fakePluginName",
+		FetchRecipientCallback: mockFetchRecipient,
+	})
+
+	rule1, err := services.NewAccessMonitoringRuleWithLabels("rule1", nil, &pb.AccessMonitoringRuleSpec{
+		Subjects:  []string{types.KindAccessRequest},
+		Condition: "true",
+		Notification: &pb.Notification{
+			Name:       "notTheFakePluginName",
+			Recipients: []string{"a", "b"},
+		},
+	})
+	require.NoError(t, err)
+	amrh.HandleAccessMonitoringRule(context.Background(), types.Event{
+		Type:     types.OpPut,
+		Resource: types.Resource153ToLegacy(rule1),
+	})
+	require.Empty(t, amrh.getAccessMonitoringRules())
+
+	rule2, err := services.NewAccessMonitoringRuleWithLabels("rule2", nil, &pb.AccessMonitoringRuleSpec{
+		Subjects:  []string{types.KindAccessRequest},
+		Condition: "true",
+		Notification: &pb.Notification{
+			Name:       "fakePluginName",
+			Recipients: []string{"c", "d"},
+		},
+	})
+	require.NoError(t, err)
+	amrh.HandleAccessMonitoringRule(context.Background(), types.Event{
+		Type:     types.OpPut,
+		Resource: types.Resource153ToLegacy(rule2),
+	})
+	require.Len(t, amrh.getAccessMonitoringRules(), 1)
+
+	amrh.HandleAccessMonitoringRule(context.Background(), types.Event{
+		Type:     types.OpDelete,
+		Resource: types.Resource153ToLegacy(rule2),
+	})
+	require.Empty(t, amrh.getAccessMonitoringRules())
+}

integrations/access/accessrequest/app.go

@@ -85,6 +85,7 @@ func (a *App) Init(baseApp *common.BaseApp) error {
 	a.accessMonitoringRules = accessmonitoring.NewRuleHandler(accessmonitoring.RuleHandlerConfig{
 		Client:                 a.apiClient,
 		PluginType:             a.pluginType,
+		PluginName:             a.pluginName,
 		FetchRecipientCallback: a.bot.FetchRecipient,
 	})
 

integrations/access/opsgenie/app.go

@@ -85,6 +85,7 @@ func NewOpsgenieApp(ctx context.Context, conf *Config) (*App, error) {
 	opsgenieApp.accessMonitoringRules = accessmonitoring.NewRuleHandler(accessmonitoring.RuleHandlerConfig{
 		Client:                 teleClient,
 		PluginType:             string(conf.BaseConfig.PluginType),
+		PluginName:             pluginName,
 		FetchRecipientCallback: createScheduleRecipient,
 	})
 	opsgenieApp.mainJob = lib.NewServiceJob(opsgenieApp.run)

integrations/access/pagerduty/app.go

@@ -81,6 +81,7 @@ func NewApp(conf Config) (*App, error) {
 	app.accessMonitoringRules = accessmonitoring.NewRuleHandler(accessmonitoring.RuleHandlerConfig{
 		Client:     conf.Client,
 		PluginType: types.PluginTypePagerDuty,
+		PluginName: pluginName,
 		FetchRecipientCallback: func(_ context.Context, name string) (*common.Recipient, error) {
 			return &common.Recipient{
 				Name: name,

integrations/access/servicenow/app.go

@@ -82,6 +82,7 @@ func NewServiceNowApp(ctx context.Context, conf *Config) (*App, error) {
 	serviceNowApp.accessMonitoringRules = accessmonitoring.NewRuleHandler(accessmonitoring.RuleHandlerConfig{
 		Client:     teleClient,
 		PluginType: string(conf.PluginType),
+		PluginName: pluginName,
 		FetchRecipientCallback: func(_ context.Context, name string) (*common.Recipient, error) {
 			return &common.Recipient{
 				Name: name,