From 98c9c7bd08a0e2c990879d1db7642bfa3f9a111c Mon Sep 17 00:00:00 2001 
From: Paul Gottschling
Date: Thu, 24 Oct 2024 18:16:52 -0400
Subject: [PATCH] Restructure docs menu pages (#47797)

Docusaurus [sidebar generation](https://docusaurus.io/docs/next/sidebar/autogenerated) expects category index pages to have one of three file path conventions:

- `section/index.mdx`
- `section/README.mdx`
- `section/section.mdx`

This change standardizes category index paths on the third convention so Docusaurus sidebar generation succeeds. We can then add checks to the current docs site to prevent additional menu pages from violating this convention.

This change also adds redirects to the new category index pages, and updates internal links to pages that were moved.

Note that this change does not move all relevant menu pages. We still need to reorganize the `reference/terraform-provider` section. Since this section is automatically generated, we need another approach to restructuring it.
---
 CHANGELOG.md | 30 +++--- docs/config.json | 97 +++++++++---------- .../access-controls/access-controls.mdx | 8 +- .../{ => access-lists}/access-lists.mdx | 4 +- .../access-request-plugins.mdx | 2 +- .../{ => access-requests}/access-requests.mdx | 10 +- .../access-requests/oss-role-requests.mdx | 2 +- .../access-requests/resource-requests.mdx | 4 +- .../access-requests/role-requests.mdx | 2 +- .../compliance-frameworks.mdx | 4 +- .../compliance-frameworks/soc2.mdx | 8 +- .../{ => device-trust}/device-trust.mdx | 8 +- .../device-trust/jamf-integration.mdx | 2 +- .../access-controls/guides/dual-authz.mdx | 2 +- .../access-controls/{ => guides}/guides.mdx | 0 .../access-controls/guides/locking.mdx | 2 +- .../admin-guides/access-controls/idps.mdx | 13 --- .../access-controls/idps/idps.mdx | 13 +++ .../access-controls/login-rules/guide.mdx | 2 +- .../{ => login-rules}/login-rules.mdx | 8 +- .../admin-guides/access-controls/sso/okta.mdx | 2 +- .../access-controls/{ => sso}/sso.mdx | 44 ++++----- docs/pages/admin-guides/api/access-plugin.mdx | 4 +- 
docs/pages/admin-guides/api/api.mdx | 4 +- .../api/automatically-register-agents.mdx | 2 +- .../admin-guides/api/getting-started.mdx | 2 +- .../access-graph/self-hosted-helm.mdx | 2 +- .../deploy-a-cluster/deployments.mdx | 19 ---- .../aws-ha-autoscale-cluster-terraform.mdx | 2 +- .../aws-starter-cluster-terraform.mdx | 2 +- .../deployments/deployments.mdx | 19 ++++ .../helm-deployments.mdx | 18 ++-- .../helm-deployments/kubernetes-cluster.mdx | 4 +- .../deploy-a-cluster/high-availability.mdx | 12 +-- .../infrastructure-as-code.mdx | 26 ++--- .../agentless-ssh-servers.mdx | 2 +- .../import-existing-resources.mdx | 2 +- .../login-rules-operator.mdx | 4 +- .../login-rules-terraform.mdx | 4 +- .../managing-resources/user-and-role.mdx | 6 +- .../teleport-operator/secret-lookup.mdx | 2 +- .../teleport-operator-helm.mdx | 2 +- .../teleport-operator.mdx | 10 +- .../terraform-provider.mdx | 39 -------- .../long-lived-credentials.mdx | 2 +- .../terraform-provider/terraform-provider.mdx | 39 ++++++++ .../terraform-starter/enroll-resources.mdx | 4 +- .../terraform-starter/rbac.mdx | 2 +- .../terraform-starter.mdx | 7 +- docs/pages/admin-guides/management/admin.mdx | 30 ------ .../admin-guides/management/admin/admin.mdx | 30 ++++++ .../management/admin/trustedclusters.mdx | 4 +- .../admin-guides/management/admin/users.mdx | 2 +- .../{ => diagnostics}/diagnostics.mdx | 2 +- .../export-audit-events.mdx | 10 +- .../management/external-audit-storage.mdx | 2 +- .../management/guides/ec2-tags.mdx | 2 +- .../management/guides/gcp-tags.mdx | 2 +- .../management/{ => guides}/guides.mdx | 8 +- .../admin-guides/management/operations.mdx | 18 ---- .../management/operations/ca-rotation.mdx | 2 +- .../management/operations/operations.mdx | 18 ++++ .../management/operations/tls-routing.mdx | 2 +- .../security/reduce-blast-radius.mdx | 2 +- .../management/{ => security}/security.mdx | 6 +- docs/pages/admin-guides/migrate-plans.mdx | 8 +- .../teleport-policy/crown-jewels.mdx | 2 +- 
.../integrations/ssh-keys-scan.mdx | 8 +- .../pages/connect-your-client/gui-clients.mdx | 2 +- .../connect-your-client/teleport-connect.mdx | 2 +- docs/pages/core-concepts.mdx | 2 +- .../enroll-resources/agents/introduction.mdx | 2 +- .../agents/join-services-to-your-cluster.mdx | 22 ----- .../join-services-to-your-cluster/azure.mdx | 2 +- .../join-services-to-your-cluster.mdx | 22 +++++ .../kubernetes.mdx | 6 +- .../cloud-apis/aws-console.mdx | 2 +- .../cloud-apis/azure-aks-workload-id.mdx | 2 +- .../application-access/cloud-apis/azure.mdx | 2 +- .../{ => cloud-apis}/cloud-apis.mdx | 10 +- .../cloud-apis/google-cloud.mdx | 2 +- .../application-access/controls.mdx | 4 +- .../application-access/guides.mdx | 20 ---- .../guides/dynamic-registration.mdx | 2 +- .../application-access/guides/guides.mdx | 20 ++++ .../application-access/introduction.mdx | 4 +- .../application-access/{ => jwt}/jwt.mdx | 4 +- .../application-access/okta.mdx | 12 --- .../application-access/okta/okta.mdx | 12 +++ .../auto-discovery/databases/aws.mdx | 6 +- .../{ => databases}/databases.mdx | 12 +-- .../kubernetes-applications.mdx | 6 +- .../{ => kubernetes}/kubernetes.mdx | 6 +- .../auto-discovery/reference.mdx | 7 -- .../auto-discovery/reference/reference.mdx | 7 ++ .../auto-discovery/{ => servers}/servers.mdx | 6 +- .../auto-user-provisioning.mdx | 16 --- .../auto-user-provisioning.mdx | 16 +++ .../database-access/database-access.mdx | 2 +- .../database-access/enroll-aws-databases.mdx | 31 ------ .../aws-cross-account.mdx | 4 +- .../enroll-aws-databases.mdx | 31 ++++++ .../enroll-aws-databases/rds.mdx | 2 +- .../enroll-azure-databases.mdx | 6 +- .../enroll-google-cloud-databases.mdx | 6 +- .../enroll-managed-databases.mdx | 6 +- .../enroll-self-hosted-databases.mdx | 22 ----- .../enroll-self-hosted-databases/elastic.mdx | 2 +- .../enroll-self-hosted-databases.mdx | 22 +++++ .../enroll-resources/database-access/faq.mdx | 2 +- .../database-access/getting-started.mdx | 2 +- 
.../guides/dynamic-registration.mdx | 8 +- .../database-access/{ => guides}/guides.mdx | 6 +- .../database-access/guides/ha.mdx | 2 +- .../enroll-resources/database-access/rbac.mdx | 2 +- .../kubernetes-access/controls.mdx | 2 +- .../kubernetes-access/faq.mdx | 2 +- .../kubernetes-access/getting-started.mdx | 6 +- .../kubernetes-access/introduction.mdx | 4 +- .../kubernetes-access/manage-access.mdx | 2 +- .../register-clusters.mdx | 8 +- .../machine-id/access-guides.mdx | 26 ----- .../access-guides/access-guides.mdx | 26 +++++ .../machine-id/access-guides/ansible.mdx | 2 +- .../machine-id/access-guides/applications.mdx | 2 +- .../machine-id/access-guides/databases.mdx | 4 +- .../machine-id/access-guides/kubernetes.mdx | 2 +- .../machine-id/access-guides/ssh.mdx | 2 +- .../machine-id/access-guides/tctl.mdx | 2 +- .../machine-id/deployment/aws.mdx | 2 +- .../machine-id/deployment/azure.mdx | 2 +- .../machine-id/deployment/circleci.mdx | 2 +- .../{ => deployment}/deployment.mdx | 30 +++--- .../machine-id/deployment/gcp.mdx | 2 +- .../machine-id/deployment/gitlab.mdx | 2 +- .../machine-id/deployment/kubernetes.mdx | 4 +- .../machine-id/deployment/linux-tpm.mdx | 2 +- .../machine-id/deployment/linux.mdx | 2 +- .../machine-id/getting-started.mdx | 6 +- .../machine-id/introduction.mdx | 4 +- .../server-access/getting-started.mdx | 2 +- .../enroll-resources/server-access/guides.mdx | 18 ---- .../server-access/guides/guides.mdx | 18 ++++ .../guides/host-user-creation.mdx | 2 +- .../server-access/guides/jetbrains-sftp.mdx | 4 +- .../server-access/guides/vscode.mdx | 4 +- .../server-access/introduction.mdx | 2 +- .../server-access/openssh.mdx | 9 -- .../server-access/openssh/openssh.mdx | 9 ++ .../enroll-resources/server-access/rbac.mdx | 2 +- .../workload-identity/aws-oidc-federation.mdx | 5 +- .../workload-identity/aws-roles-anywhere.mdx | 2 +- .../gcp-workload-identity-federation-jwt.mdx | 2 +- .../workload-identity/getting-started.mdx | 2 +- 
.../database-access/auto-discovery-tip.mdx | 2 +- .../aws-auto-discovery-prerequisite.mdx | 2 +- .../database-service-troubleshooting.mdx | 4 +- docs/pages/includes/edition-comparison.mdx | 4 +- .../includes/machine-id/configure-outputs.mdx | 5 +- .../machine-id/plugin-prerequisites.mdx | 5 +- docs/pages/index.mdx | 8 +- docs/pages/installation.mdx | 2 +- .../access-controls/access-lists.mdx | 2 +- .../pages/reference/access-controls/roles.mdx | 4 +- .../architecture/agent-update-management.mdx | 4 +- docs/pages/reference/architecture/agents.mdx | 12 +-- .../architecture/api-architecture.mdx | 2 +- .../reference/architecture/architecture.mdx | 4 +- .../reference/architecture/authorization.mdx | 4 +- docs/pages/reference/{ => cli}/cli.mdx | 12 +-- docs/pages/reference/cloud-faq.mdx | 2 +- docs/pages/reference/config.mdx | 6 +- .../{ => helm-reference}/helm-reference.mdx | 26 ++--- .../helm-reference/teleport-cluster.mdx | 2 +- .../helm-reference/teleport-kube-agent.mdx | 4 +- docs/pages/reference/monitoring/audit.mdx | 2 +- docs/pages/reference/predicate-language.mdx | 2 +- docs/pages/reference/resources.mdx | 6 +- docs/pages/reference/terraform-provider.mdx | 8 +- docs/pages/reference/user-types.mdx | 2 +- docs/pages/upgrading/overview.mdx | 2 +- docs/pages/{ => upgrading}/upgrading.mdx | 8 +- .../terraform/templates/index.md.tmpl | 8 +- 183 files changed, 721 insertions(+), 722 deletions(-) rename docs/pages/admin-guides/access-controls/{ => access-lists}/access-lists.mdx (74%) rename docs/pages/admin-guides/access-controls/{ => access-request-plugins}/access-request-plugins.mdx (98%) rename docs/pages/admin-guides/access-controls/{ => access-requests}/access-requests.mdx (85%) rename docs/pages/admin-guides/access-controls/{ => compliance-frameworks}/compliance-frameworks.mdx (83%) rename docs/pages/admin-guides/access-controls/{ => device-trust}/device-trust.mdx (93%) rename docs/pages/admin-guides/access-controls/{ => guides}/guides.mdx (100%) delete mode 
100644 docs/pages/admin-guides/access-controls/idps.mdx create mode 100644 docs/pages/admin-guides/access-controls/idps/idps.mdx rename docs/pages/admin-guides/access-controls/{ => login-rules}/login-rules.mdx (89%) rename docs/pages/admin-guides/access-controls/{ => sso}/sso.mdx (90%) delete mode 100644 docs/pages/admin-guides/deploy-a-cluster/deployments.mdx create mode 100644 docs/pages/admin-guides/deploy-a-cluster/deployments/deployments.mdx rename docs/pages/admin-guides/deploy-a-cluster/{ => helm-deployments}/helm-deployments.mdx (55%) rename docs/pages/admin-guides/{ => infrastructure-as-code}/infrastructure-as-code.mdx (90%) rename docs/pages/admin-guides/infrastructure-as-code/{ => teleport-operator}/teleport-operator.mdx (89%) delete mode 100644 docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx create mode 100644 docs/pages/admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx rename docs/pages/admin-guides/infrastructure-as-code/{ => terraform-starter}/terraform-starter.mdx (88%) delete mode 100644 docs/pages/admin-guides/management/admin.mdx create mode 100644 docs/pages/admin-guides/management/admin/admin.mdx rename docs/pages/admin-guides/management/{ => diagnostics}/diagnostics.mdx (99%) rename docs/pages/admin-guides/management/{ => export-audit-events}/export-audit-events.mdx (75%) rename docs/pages/admin-guides/management/{ => guides}/guides.mdx (65%) delete mode 100644 docs/pages/admin-guides/management/operations.mdx create mode 100644 docs/pages/admin-guides/management/operations/operations.mdx rename docs/pages/admin-guides/management/{ => security}/security.mdx (81%) delete mode 100644 docs/pages/enroll-resources/agents/join-services-to-your-cluster.mdx create mode 100644 docs/pages/enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx rename docs/pages/enroll-resources/application-access/{ => cloud-apis}/cloud-apis.mdx (68%) delete mode 100644 
docs/pages/enroll-resources/application-access/guides.mdx create mode 100644 docs/pages/enroll-resources/application-access/guides/guides.mdx rename docs/pages/enroll-resources/application-access/{ => jwt}/jwt.mdx (62%) delete mode 100644 docs/pages/enroll-resources/application-access/okta.mdx create mode 100644 docs/pages/enroll-resources/application-access/okta/okta.mdx rename docs/pages/enroll-resources/auto-discovery/{ => databases}/databases.mdx (95%) rename docs/pages/enroll-resources/auto-discovery/{ => kubernetes-applications}/kubernetes-applications.mdx (80%) rename docs/pages/enroll-resources/auto-discovery/{ => kubernetes}/kubernetes.mdx (97%) delete mode 100644 docs/pages/enroll-resources/auto-discovery/reference.mdx create mode 100644 docs/pages/enroll-resources/auto-discovery/reference/reference.mdx rename docs/pages/enroll-resources/auto-discovery/{ => servers}/servers.mdx (75%) delete mode 100644 docs/pages/enroll-resources/database-access/auto-user-provisioning.mdx create mode 100644 docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx delete mode 100644 docs/pages/enroll-resources/database-access/enroll-aws-databases.mdx create mode 100644 docs/pages/enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx rename docs/pages/enroll-resources/database-access/{ => enroll-azure-databases}/enroll-azure-databases.mdx (52%) rename docs/pages/enroll-resources/database-access/{ => enroll-google-cloud-databases}/enroll-google-cloud-databases.mdx (56%) rename docs/pages/enroll-resources/database-access/{ => enroll-managed-databases}/enroll-managed-databases.mdx (62%) delete mode 100644 docs/pages/enroll-resources/database-access/enroll-self-hosted-databases.mdx create mode 100644 docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/enroll-self-hosted-databases.mdx rename docs/pages/enroll-resources/database-access/{ => guides}/guides.mdx (77%) rename 
docs/pages/enroll-resources/kubernetes-access/{ => register-clusters}/register-clusters.mdx (67%) delete mode 100644 docs/pages/enroll-resources/machine-id/access-guides.mdx create mode 100644 docs/pages/enroll-resources/machine-id/access-guides/access-guides.mdx rename docs/pages/enroll-resources/machine-id/{ => deployment}/deployment.mdx (55%) delete mode 100644 docs/pages/enroll-resources/server-access/guides.mdx create mode 100644 docs/pages/enroll-resources/server-access/guides/guides.mdx delete mode 100644 docs/pages/enroll-resources/server-access/openssh.mdx create mode 100644 docs/pages/enroll-resources/server-access/openssh/openssh.mdx rename docs/pages/reference/{ => cli}/cli.mdx (75%) rename docs/pages/reference/{ => helm-reference}/helm-reference.mdx (58%) rename docs/pages/{ => upgrading}/upgrading.mdx (71%) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd1fc597ac06b..0107d7720e978 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -386,7 +386,7 @@ applications in Kubernetes clusters. When connected to a Kubernetes cluster (or deployed as a Helm chart), the Teleport Discovery Service will automatically find and enroll web applications with your Teleport cluster. -See documentation [here](docs/pages/enroll-resources/auto-discovery/kubernetes-applications.mdx). +See documentation [here](docs/pages/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications.mdx). #### Extended Kubernetes per-resource RBAC @@ -1909,7 +1909,7 @@ is more than one major version behind them. You can use the `--skip-version-chec bypass the version check. Take a look at component compatibility guarantees in the -[documentation](docs/pages/upgrading.mdx). +[documentation](docs/pages/upgrading/upgrading.mdx). #### HTTP_PROXY for reverse tunnels 
@@ -2898,7 +2898,7 @@ if err = clt.CreateAccessRequest(ctx, accessRequest); err != nil { ### Upgrade Notes -Please follow our [standard upgrade procedure](docs/pages/admin-guides/management/admin.mdx) to upgrade your cluster. +Please follow our [standard upgrade procedure](docs/pages/admin-guides/management/admin/admin.mdx) to upgrade your cluster. Note, for clusters using GitHub SSO and Trusted Clusters, when upgrading SSO users will lose connectivity to leaf clusters. Local users will not be affected. @@ -3149,7 +3149,7 @@ Other updates: * We now provide local user management via `https://[cluster-url]/web/users`, providing the ability to edit, reset and delete local users. * Teleport Node & App Install scripts. This is currently an Enterprise-only feature that provides customers with an 'auto-magic' installer script. Enterprise customers can enable this feature by modifying the 'token' resource. See note above. -* We've added a Waiting Room for customers using Access Workflows. [Docs](docs/pages/admin-guides/access-controls/access-request-plugins.mdx) +* We've added a Waiting Room for customers using Access Workflows. [Docs](docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx) ##### Signed RPM and Releases @@ -3183,7 +3183,7 @@ We've added an [API Guide](docs/pages/admin-guides/api/api.mdx) to simply develo #### Upgrade Notes -Please follow our [standard upgrade procedure](./docs/pages/upgrading.mdx). +Please follow our [standard upgrade procedure](docs/pages/upgrading/upgrading.mdx). * Optional: Consider updating `https_key_file` & `https_cert_file` to our new `https_keypairs:` format. * Optional: Consider migrating Kubernetes access from `proxy_service` to `kubernetes_service` after the upgrade. @@ -3327,7 +3327,7 @@ auth_service: #### Upgrade Notes Please follow our [standard upgrade -procedure](docs/pages/upgrading.mdx). +procedure](docs/pages/upgrading/upgrading.mdx). ## 4.3.9 
@@ -3412,7 +3412,7 @@ Teleport's Web UI now exposes Teleport’s Audit log, letting auditors and admin ##### Teleport Plugins -Teleport 4.3 introduces four new plugins that work out of the box with [Approval Workflow](docs/pages/admin-guides/access-controls/access-request-plugins.mdx). These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below. +Teleport 4.3 introduces four new plugins that work out of the box with [Approval Workflow](docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx). These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below. * [PagerDuty](docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx) * [Jira](docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-jira.mdx) @@ -3448,7 +3448,7 @@ Teleport 4.3 introduces four new plugins that work out of the box with [Approval #### Upgrade Notes Always follow the [recommended upgrade -procedure](./docs/pages/upgrading.mdx) to upgrade to this version. +procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version. ##### New Signing Algorithm @@ -3489,7 +3489,7 @@ permissions](./docs/pages/enroll-resources/kubernetes-access/controls.mdx). The [etcd backend](docs/pages/reference/backends.mdx#etcd) now correctly uses the “prefix” config value when storing data. Upgrading from 4.2 to 4.3 will migrate the data as needed at startup. Make sure you follow our Teleport -[upgrade guidance](docs/pages/upgrading.mdx). +[upgrade guidance](docs/pages/upgrading/upgrading.mdx). **Note: If you use an etcd backend with a non-default prefix and need to downgrade from 4.3 to 4.2, you should [backup Teleport data and restore it](docs/pages/admin-guides/management/operations/backup-restore.mdx) into the downgraded cluster.** 
@@ -3612,7 +3612,7 @@ This is a minor Teleport release with a focus on new features and bug fixes. ### Improvements * Alpha: Enhanced Session Recording lets you know what's really happening during a Teleport Session. [#2948](https://github.com/gravitational/teleport/issues/2948) -* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](docs/pages/admin-guides/access-controls/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006) +* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006) * Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. [Read the docs](docs/pages/admin-guides/deploy-a-cluster/deployments/gcp.mdx). [#2821](https://github.com/gravitational/teleport/pull/2821) * Remote tctl execution is now possible. [Read the docs](./docs/pages/reference/cli/tctl.mdx). [#1525](https://github.com/gravitational/teleport/issues/1525) [#2991](https://github.com/gravitational/teleport/issues/2991) @@ -3868,7 +3868,7 @@ The lists of improvements and bug fixes above mention only the significant chang ### Upgrading -Teleport 4.0 is backwards compatible with Teleport 3.2 and later. [Follow the recommended upgrade procedure to upgrade to this version.](docs/pages/upgrading.mdx) +Teleport 4.0 is backwards compatible with Teleport 3.2 and later. [Follow the recommended upgrade procedure to upgrade to this version.](docs/pages/upgrading/upgrading.mdx) Note that due to substantial changes between Teleport 3.2 and 4.0, we recommend creating a backup of the backend datastore (DynamoDB, etcd, or dir) before upgrading a cluster to Teleport 4.0 to allow downgrades. 
@@ -4136,7 +4136,7 @@ on Github for more. #### Upgrading to 3.0 Follow the [recommended upgrade -procedure](docs/pages/upgrading.mdx) to upgrade to this +procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version. **WARNING:** if you are using Teleport with the etcd back-end, make sure your @@ -4242,7 +4242,7 @@ As always, this release contains several bug fixes. The full list can be seen [h #### Upgrading Follow the [recommended upgrade -procedure](docs/pages/upgrading.mdx) to upgrade to this +procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version. ## 2.6.9 @@ -4372,7 +4372,7 @@ You can see the full list of 2.6.0 changes [here](https://github.com/gravitation #### Upgrading Follow the [recommended upgrade -procedure](docs/pages/upgrading.mdx) to upgrade to this +procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version. ## 2.5.7 @@ -4459,7 +4459,7 @@ release, which includes: * The Teleport daemon now implements built-in connection draining which allows zero-downtime upgrades. [See - documentation](docs/pages/upgrading.mdx). + documentation](docs/pages/upgrading/upgrading.mdx). * Dynamic join tokens for new nodes can now be explicitly set via `tctl node add --token`. This allows Teleport admins to use an external mechanism for generating diff --git a/docs/config.json b/docs/config.json index e3cc48db12bca..f955d894dbc16 100644 --- a/docs/config.json +++ b/docs/config.json @@ -22,7 +22,7 @@ }, { "title": "Upgrading", - "slug": "/upgrading/", + "slug": "/upgrading/upgrading/", "entries": [ { "title": "Compatibility Overview", @@ -232,7 +232,7 @@ }, { "source": "/database-access/guides/", - "destination": "/enroll-resources/database-access/guides/", + "destination": "/enroll-resources/database-access/guides/guides/", "permanent": true }, { 
@@ -272,7 +272,7 @@ }, { "source": "/agents/join-services-to-your-cluster/", - "destination": "/enroll-resources/agents/join-services-to-your-cluster/", + "destination": "/enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster/", "permanent": true }, { @@ -307,7 +307,7 @@ }, { "source": "/application-access/cloud-apis/", - "destination": "/enroll-resources/application-access/cloud-apis/", + "destination": "/enroll-resources/application-access/cloud-apis/cloud-apis/", "permanent": true }, { @@ -342,7 +342,7 @@ }, { "source": "/application-access/guides/", - "destination": "/enroll-resources/application-access/guides/", + "destination": "/enroll-resources/application-access/guides/guides/", "permanent": true }, { @@ -407,7 +407,7 @@ }, { "source": "/application-access/okta/", - "destination": "/enroll-resources/application-access/okta/", + "destination": "/enroll-resources/application-access/okta/okta/", "permanent": true }, { @@ -442,7 +442,7 @@ }, { "source": "/auto-discovery/databases/", - "destination": "/enroll-resources/auto-discovery/databases/", + "destination": "/enroll-resources/auto-discovery/databases/databases/", "permanent": true }, { @@ -457,7 +457,7 @@ }, { "source": "/auto-discovery/kubernetes-applications/", - "destination": "/enroll-resources/auto-discovery/kubernetes-applications/", + "destination": "/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications/", "permanent": true }, { @@ -477,7 +477,7 @@ }, { "source": "/auto-discovery/kubernetes/", - "destination": "/enroll-resources/auto-discovery/kubernetes/", + "destination": "/enroll-resources/auto-discovery/kubernetes/kubernetes/", "permanent": true }, { @@ -497,7 +497,7 @@ }, { "source": "/auto-discovery/servers/", - "destination": "/enroll-resources/auto-discovery/servers/", + "destination": "/enroll-resources/auto-discovery/servers/servers/", "permanent": true }, { 
@@ -517,7 +517,7 @@ }, { "source": "/database-access/auto-user-provisioning/", - "destination": "/enroll-resources/database-access/auto-user-provisioning/", + "destination": "/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning/", "permanent": true }, { @@ -547,7 +547,7 @@ }, { "source": "/database-access/enroll-aws-databases/", - "destination": "/enroll-resources/database-access/enroll-aws-databases/", + "destination": "/enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases/", "permanent": true }, { @@ -612,7 +612,7 @@ }, { "source": "/database-access/enroll-azure-databases/", - "destination": "/enroll-resources/database-access/enroll-azure-databases/", + "destination": "/enroll-resources/database-access/enroll-azure-databases/enroll-azure-databases/", "permanent": true }, { @@ -632,7 +632,7 @@ }, { "source": "/database-access/enroll-google-cloud-databases/", - "destination": "/enroll-resources/database-access/enroll-google-cloud-databases/", + "destination": "/enroll-resources/database-access/enroll-google-cloud-databases/enroll-google-cloud-databases/", "permanent": true }, { @@ -652,7 +652,7 @@ }, { "source": "/database-access/enroll-managed-databases/", - "destination": "/enroll-resources/database-access/enroll-managed-databases/", + "destination": "/enroll-resources/database-access/enroll-managed-databases/enroll-managed-databases/", "permanent": true }, { @@ -667,7 +667,7 @@ }, { "source": "/database-access/enroll-self-hosted-databases/", - "destination": "/enroll-resources/database-access/enroll-self-hosted-databases/", + "destination": "/enroll-resources/database-access/enroll-self-hosted-databases/enroll-self-hosted-databases/", "permanent": true }, { 
@@ -882,7 +882,7 @@ }, { "source": "/kubernetes-access/register-clusters/", - "destination": "/enroll-resources/kubernetes-access/register-clusters/", + "destination": "/enroll-resources/kubernetes-access/register-clusters/register-clusters/", "permanent": true }, { @@ -907,7 +907,7 @@ }, { "source": "/machine-id/access-guides/", - "destination": "/enroll-resources/machine-id/access-guides/", + "destination": "/enroll-resources/machine-id/access-guides/access-guides/", "permanent": true }, { @@ -952,7 +952,7 @@ }, { "source": "/machine-id/deployment/", - "destination": "/enroll-resources/machine-id/deployment/", + "destination": "/enroll-resources/machine-id/deployment/deployment/", "permanent": true }, { @@ -1097,7 +1097,7 @@ }, { "source": "/server-access/guides/", - "destination": "/enroll-resources/server-access/guides/", + "destination": "/enroll-resources/server-access/guides/guides/", "permanent": true }, { @@ -1147,7 +1147,7 @@ }, { "source": "/server-access/openssh/", - "destination": "/enroll-resources/server-access/openssh/", + "destination": "/enroll-resources/server-access/openssh/openssh/", "permanent": true }, { @@ -1252,12 +1252,12 @@ }, { "source": "/enterprise/sso/", - "destination": "/admin-guides/access-controls/sso/", + "destination": "/admin-guides/access-controls/sso/sso/", "permanent": true }, { "source": "/access-controls/guides/device-trust/", - "destination": "/admin-guides/access-controls/device-trust/", + "destination": "/admin-guides/access-controls/device-trust/device-trust/", "permanent": true }, { @@ -1272,7 +1272,7 @@ }, { "source": "/application-access/okta/guide/", - "destination": "/enroll-resources/application-access/okta/", + "destination": "/enroll-resources/application-access/okta/okta/", "permanent": true }, { @@ -1327,7 +1327,7 @@ }, { "source": "/setup/operations/upgrading/", - "destination": "/upgrading/", + "destination": "/upgrading/upgrading/", "permanent": true }, { 
@@ -1447,7 +1447,7 @@ }, { "source": "/access-controls/access-lists/", - "destination": "/admin-guides/access-controls/access-lists/", + "destination": "/admin-guides/access-controls/access-lists/access-lists/", "permanent": true }, { @@ -1467,7 +1467,7 @@ }, { "source": "/access-controls/access-request-plugins/", - "destination": "/admin-guides/access-controls/access-request-plugins/", + "destination": "/admin-guides/access-controls/access-request-plugins/access-request-plugins/", "permanent": true }, { @@ -1527,7 +1527,7 @@ }, { "source": "/access-controls/access-requests/", - "destination": "/admin-guides/access-controls/access-requests/", + "destination": "/admin-guides/access-controls/access-requests/access-requests/", "permanent": true }, { @@ -1552,7 +1552,7 @@ }, { "source": "/access-controls/compliance-frameworks/", - "destination": "/admin-guides/access-controls/compliance-frameworks/", + "destination": "/admin-guides/access-controls/compliance-frameworks/compliance-frameworks/", "permanent": true }, { @@ -1567,7 +1567,7 @@ }, { "source": "/access-controls/device-trust/", - "destination": "/admin-guides/access-controls/device-trust/", + "destination": "/admin-guides/access-controls/device-trust/device-trust/", "permanent": true }, { @@ -1597,7 +1597,7 @@ }, { "source": "/access-controls/guides/", - "destination": "/admin-guides/access-controls/guides/", + "destination": "/admin-guides/access-controls/guides/guides/", "permanent": true }, { @@ -1662,7 +1662,7 @@ }, { "source": "/access-controls/idps/", - "destination": "/admin-guides/access-controls/idps/", + "destination": "/admin-guides/access-controls/idps/idps/", "permanent": true }, { @@ -1697,7 +1697,7 @@ }, { "source": "/access-controls/login-rules/", - "destination": "/admin-guides/access-controls/login-rules/", + "destination": "/admin-guides/access-controls/login-rules/login-rules/", "permanent": true }, { 
@@ -1727,7 +1727,7 @@ }, { "source": "/access-controls/sso/", - "destination": "/admin-guides/access-controls/sso/", + "destination": "/admin-guides/access-controls/sso/sso/", "permanent": true }, { @@ -1927,7 +1927,7 @@ }, { "source": "/deploy-a-cluster/deployments/", - "destination": "/admin-guides/deploy-a-cluster/deployments/", + "destination": "/admin-guides/deploy-a-cluster/deployments/deployments/", "permanent": true }, { @@ -1957,7 +1957,7 @@ }, { "source": "/deploy-a-cluster/helm-deployments/", - "destination": "/admin-guides/deploy-a-cluster/helm-deployments/", + "destination": "/admin-guides/deploy-a-cluster/helm-deployments/helm-deployments/", "permanent": true }, { @@ -2132,7 +2132,7 @@ }, { "source": "/management/admin/", - "destination": "/admin-guides/management/admin/", + "destination": "/admin-guides/management/admin/admin/", "permanent": true }, { @@ -2177,7 +2177,7 @@ }, { "source": "/management/diagnostics/", - "destination": "/admin-guides/management/diagnostics/", + "destination": "/admin-guides/management/diagnostics/diagnostics/", "permanent": true }, { @@ -2212,7 +2212,7 @@ }, { "source": "/management/dynamic-resources/", - "destination": "/admin-guides/infrastructure-as-code/", + "destination": "/admin-guides/infrastructure-as-code/infrastructure-as-code/", "permanent": true }, { @@ -2237,12 +2237,12 @@ }, { "source": "/management/dynamic-resources/teleport-operator/", - "destination": "/admin-guides/infrastructure-as-code/teleport-operator/", + "destination": "/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator/", "permanent": true }, { "source": "/management/dynamic-resources/terraform-provider/", - "destination": "/admin-guides/infrastructure-as-code/terraform-provider/", + "destination": "/admin-guides/infrastructure-as-code/terraform-provider/terraform-provider/", "permanent": true }, { 
@@ -2252,7 +2252,7 @@ }, { "source": "/management/export-audit-events/", - "destination": "/admin-guides/management/export-audit-events/", + "destination": "/admin-guides/management/export-audit-events/export-audit-events/", "permanent": true }, { @@ -2277,7 +2277,7 @@ }, { "source": "/management/guides/", - "destination": "/admin-guides/management/guides/", + "destination": "/admin-guides/management/guides/guides/", "permanent": true }, { @@ -2307,7 +2307,7 @@ }, { "source": "/management/operations/", - "destination": "/admin-guides/management/operations/", + "destination": "/admin-guides/management/operations/operations/", "permanent": true }, { @@ -2347,7 +2347,7 @@ }, { "source": "/management/security/", - "destination": "/admin-guides/management/security/", + "destination": "/admin-guides/management/security/security/", "permanent": true }, { @@ -2390,11 +2390,6 @@ "destination": "/upgrading/upgrading-reference/", "permanent": true }, - { - "source": "/upgrading/upgrading/", - "destination": "/upgrading/upgrading-reference/", - "permanent": true - }, { "source": "/choose-an-edition/teleport-enterprise/introduction/", "destination": "/admin-guides/deploy-a-cluster/deploy-a-cluster/", @@ -2407,7 +2402,7 @@ }, { "source": "/kubernetes-access/helm/guides/", - "destination": "/admin-guides/deploy-a-cluster/helm-deployments/", + "destination": "/admin-guides/deploy-a-cluster/helm-deployments/helm-deployments/", "permanent": true }, { diff --git a/docs/pages/admin-guides/access-controls/access-controls.mdx b/docs/pages/admin-guides/access-controls/access-controls.mdx index 732160611e0bb..22db43b7b14a6 100644 --- a/docs/pages/admin-guides/access-controls/access-controls.mdx +++ b/docs/pages/admin-guides/access-controls/access-controls.mdx 
@@ -28,7 +28,7 @@ that specifies access policies for resources in your Teleport cluster. Assigning a role to a Teleport user applies the policies listed in the role to the user. -See the [Cluster Access and RBAC](./guides.mdx) section for instructions on +See the [Cluster Access and RBAC](guides/guides.mdx) section for instructions on setting up Teleport roles. ## Integrate with your Single Sign-On provider @@ -42,7 +42,7 @@ automatically assigns roles to the user based on data provided by the IdP. This means that you can implement a fully fledged infrastructure RBAC system based on your existing Single Sign-On solution. -Read our [Single Sign-On guide](./sso.mdx) to get started. +Read our [Single Sign-On guide](sso/sso.mdx) to get started. ## Enable Access Requests @@ -51,13 +51,13 @@ resources in your infrastructure based on the approval of other users. You can set up your RBAC so all privileged access is short lived, and there are no longstanding admin roles for attackers to hijack. -[Get started with Access Requests](./access-requests.mdx). +[Get started with Access Requests](access-requests/access-requests.mdx). You can integrate Teleport with your existing communication tool, e.g., Slack, PagerDuty, or Microsoft Teams, so Teleport users can easily create and approve Access Requests. -[Get started with Access Request plugins](access-request-plugins.mdx). +[Get started with Access Request plugins](access-request-plugins/access-request-plugins.mdx). ## Achieve compliance diff --git a/docs/pages/admin-guides/access-controls/access-lists.mdx b/docs/pages/admin-guides/access-controls/access-lists/access-lists.mdx similarity index 74% rename from docs/pages/admin-guides/access-controls/access-lists.mdx rename to docs/pages/admin-guides/access-controls/access-lists/access-lists.mdx index f2b504c966559..c7501f5f6e368 100644 --- a/docs/pages/admin-guides/access-controls/access-lists.mdx +++ b/docs/pages/admin-guides/access-controls/access-lists/access-lists.mdx 
@@ -9,6 +9,6 @@ managed within Teleport. With Access Lists, administrators and access list owners can regularly audit and control membership to specific roles and traits, which then tie easily back into Teleport's existing RBAC system. -[Getting Started with Access Lists](./access-lists/guide.mdx) +[Getting Started with Access Lists](guide.mdx) -[Access List Reference](../../reference/access-controls/access-lists.mdx) +[Access List Reference](../../../reference/access-controls/access-lists.mdx) diff --git a/docs/pages/admin-guides/access-controls/access-request-plugins.mdx b/docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx similarity index 98% rename from docs/pages/admin-guides/access-controls/access-request-plugins.mdx rename to docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx index a58faf37d635a..8dc6813f74e5a 100644 --- a/docs/pages/admin-guides/access-controls/access-request-plugins.mdx +++ b/docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx @@ -56,4 +56,4 @@ workflows by reading our setup guides: To read more about the architecture of an Access Request plugin, and start writing your own, read our [Access Request plugin development -guide](../api/access-plugin.mdx). +guide](../../api/access-plugin.mdx). diff --git a/docs/pages/admin-guides/access-controls/access-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx similarity index 85% rename from docs/pages/admin-guides/access-controls/access-requests.mdx rename to docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx index 9e820ac3a8a7c..6ca980f2db8c2 100644 --- a/docs/pages/admin-guides/access-controls/access-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx 
@@ -16,7 +16,7 @@ be configured with limited cluster access so they are not high value targets. Access Requests are designed to provide temporary permissions to users. If you want to grant longstanding permissions to a group of users, with the option to renew these permissions after a recurring interval (such as three months), -consider [Access Lists](access-lists.mdx). +consider [Access Lists](../access-lists/access-lists.mdx). ## See how Access Requests work @@ -26,12 +26,12 @@ and **Resource Access Requests**. With Role Access Requests, engineers can request temporary credentials with elevated roles in order to perform critical system-wide tasks. -[Get started with Role Access Requests](./access-requests/role-requests.mdx). +[Get started with Role Access Requests](role-requests.mdx). With Resource Access Requests, engineers can easily get access to only the individual resources they need, when they need it. -[Get started with Resource Access Requests](./access-requests/resource-requests.mdx). +[Get started with Resource Access Requests](resource-requests.mdx). ## Configure Access Requests @@ -44,7 +44,7 @@ including: - How many users can approve or deny different kinds of requests. Read the [Access Request -Configuration](access-requests/access-request-configuration.mdx) guide for an +Configuration](access-request-configuration.mdx) guide for an overview of the configuration options available for Access Requests. ## Teleport Community Edition users @@ -56,6 +56,6 @@ including Resource Access Requests managing Access Requests via the Web UI are available in Teleport Enterprise. For information on how to use Just-in-time Access Requests with Teleport Community -Edition, see [Teleport Community Access Requests](./access-requests/oss-role-requests.mdx). +Edition, see [Teleport Community Access Requests](oss-role-requests.mdx). 
diff --git a/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx index 7e08b72e09aad..cd364ddc76544 100644 --- a/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx @@ -153,7 +153,7 @@ $ tctl request approve \ ## Next Steps -- Learn more about [Access Requests](../access-requests.mdx) +- Learn more about [Access Requests](access-requests.mdx) - See what additional features are available for [role requests](./role-requests.mdx) in Teleport Enterprise - Request access to [specific resources](./resource-requests.mdx) with Teleport Enterprise \ No newline at end of file diff --git a/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx index eafdc721e8c28..569e29df64358 100644 --- a/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx @@ -120,7 +120,7 @@ However, it prevents you from access any resources belonging to another namespac Advanced filters and queries are supported. See our -[filtering reference](../../../reference/cli.mdx) for more information. +[filtering reference](../../../reference/cli/cli.mdx) for more information. Try narrowing your search to a specific resource you want to access. @@ -606,4 +606,4 @@ within your organization's existing messaging and project management solutions. ## Next Steps -- Learn more about [Access Lists](../access-lists.mdx) +- Learn more about [Access Lists](../access-lists/access-lists.mdx) diff --git a/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx index 0b5829f023749..33317081f6135 100644 
--- a/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx @@ -217,5 +217,5 @@ just-in-time Access Request workflow for your organization. Access Lists enable you to assign privileges to groups of users for a fixed period of time. Learn more about Access Lists in the -[documentation](../access-lists.mdx). +[documentation](../access-lists/access-lists.mdx). diff --git a/docs/pages/admin-guides/access-controls/compliance-frameworks.mdx b/docs/pages/admin-guides/access-controls/compliance-frameworks/compliance-frameworks.mdx similarity index 83% rename from docs/pages/admin-guides/access-controls/compliance-frameworks.mdx rename to docs/pages/admin-guides/access-controls/compliance-frameworks/compliance-frameworks.mdx index 7bc35e8c84a49..6ee2dcd7f4484 100644 --- a/docs/pages/admin-guides/access-controls/compliance-frameworks.mdx +++ b/docs/pages/admin-guides/access-controls/compliance-frameworks/compliance-frameworks.mdx @@ -10,5 +10,5 @@ settings within Teleport. Follow our guides to see how to use Teleport to achieve compliance: -- [FedRAMP](./compliance-frameworks/fedramp.mdx) -- [SOC 2](./compliance-frameworks/soc2.mdx) +- [FedRAMP](fedramp.mdx) +- [SOC 2](soc2.mdx) diff --git a/docs/pages/admin-guides/access-controls/compliance-frameworks/soc2.mdx b/docs/pages/admin-guides/access-controls/compliance-frameworks/soc2.mdx index 601231dbb02a9..0fcc79c6750e8 100644 --- a/docs/pages/admin-guides/access-controls/compliance-frameworks/soc2.mdx +++ b/docs/pages/admin-guides/access-controls/compliance-frameworks/soc2.mdx 
@@ -58,16 +58,16 @@ Each principle has many "Points of Focus" which will apply differently to differ | CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. | [Invite nodes to your cluster with short lived tokens](../../../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx) | | CC6.1 - Uses Encryption to Protect Data | The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. | Teleport Audit logs can use DynamoDB encryption at rest. | | CC6.1 - Protects Encryption Keys | Processes are in place to protect encryption keys during generation, storage, use, and destruction. | Teleport acts as a Certificate Authority to issue SSH and x509 user certificates that are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically | -| CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. | [Request Approval from the command line](../../../reference/cli/tctl.mdx)

[Build Approval Workflows with Access Requests](../../access-controls/access-requests.mdx)

[Use Plugins to send approvals to tools like Slack or Jira](../../access-controls/access-requests.mdx) | -| CC6.2 - Removes Access to Protected Assets When Appropriate | Processes are in place to remove credential access when an individual no longer requires such access. | [Teleport issues temporary credentials based on an employees role and are revoked upon job change, termination or end of a maintenance window](../../access-controls/access-requests.mdx) | +| CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. | [Request Approval from the command line](../../../reference/cli/tctl.mdx)

[Build Approval Workflows with Access Requests](../access-requests/access-requests.mdx)

[Use Plugins to send approvals to tools like Slack or Jira](../access-requests/access-requests.mdx) | +| CC6.2 - Removes Access to Protected Assets When Appropriate | Processes are in place to remove credential access when an individual no longer requires such access. | [Teleport issues temporary credentials based on an employees role and are revoked upon job change, termination or end of a maintenance window](../access-requests/access-requests.mdx) | | CC6.2 - Reviews Appropriateness of Access Credentials | The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials. | Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. | -| CC6.3 - Creates or Modifies Access to Protected Information Assets | Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. | [Build Approval Workflows with Access Requests](../../access-controls/access-requests.mdx) to get authorization from asset owners. | +| CC6.3 - Creates or Modifies Access to Protected Information Assets | Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. | [Build Approval Workflows with Access Requests](../access-requests/access-requests.mdx) to get authorization from asset owners. | | CC6.3 - Removes Access to Protected Information Assets | Processes are in place to remove access to protected information assets when an individual no longer requires access. | Teleport uses temporary credentials and can be integrated with your version control system or even your HR system to [revoke access with the Access requests API](../../api/api.mdx) | | CC6.3 - Uses Role-Based Access Controls | Role-based access control is utilized to support segregation of incompatible functions. 
| [Role based access control ("RBAC") allows Teleport administrators to grant granular access permissions to users.](../access-controls.mdx) | | CC6.3 - Reviews Access Roles and Rules | The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals with access and access rules are modified as appropriate. | Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. | | CC6.6 - Restricts Access | The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. | Teleport makes it easy to restrict access to common ports like 21, 22 and instead have users [tunnel to the server](../../../faq.mdx) using Teleport. [Teleport uses the following default ports.](../../../reference/networking.mdx) | | CC6.6 - Protects Identification and Authentication Credentials | Identification and authentication credentials are protected during transmission outside system boundaries. | [Yes, Teleport protects credentials outside your network allowing for Zero Trust network architecture](https://goteleport.com/blog/applying-principles-of-zero-trust-to-ssh/) | -| CC6.6 - Requires Additional Authentication or Credentials | Additional authentication information or credentials are required when accessing the system from outside its boundaries. | [Yes, Teleport can manage MFA with TOTP, WebAuthn or U2F Standards or connect to your Identity Provider using SAML, OAUTH or OIDC](../../access-controls/sso.mdx) | +| CC6.6 - Requires Additional Authentication or Credentials | Additional authentication information or credentials are required when accessing the system from outside its boundaries. 
| [Yes, Teleport can manage MFA with TOTP, WebAuthn or U2F Standards or connect to your Identity Provider using SAML, OAUTH or OIDC](../sso/sso.mdx) | | CC6.6 - Implements Boundary Protection Systems | Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. | [Trusted clusters](../../management/admin/trustedclusters.mdx) | | CC6.7 - Uses Encryption Technologies or Secure Communication Channels to Protect Data | Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. | [Teleport has strong encryption including a FedRAMP compliant FIPS mode](./fedramp.mdx#start-teleport-in-fips-mode) | | CC7.2 - Implements Detection Policies, Procedures, and Tools | Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. | [Teleport creates detailed SSH Audit Logs with Metadata](../../../reference/monitoring/audit.mdx)

[Use BPF Session Recording to catch malicious program execution](../../../enroll-resources/server-access/guides/bpf-session-recording.mdx) | diff --git a/docs/pages/admin-guides/access-controls/device-trust.mdx b/docs/pages/admin-guides/access-controls/device-trust/device-trust.mdx similarity index 93% rename from docs/pages/admin-guides/access-controls/device-trust.mdx rename to docs/pages/admin-guides/access-controls/device-trust/device-trust.mdx index 658a7dd487d5b..30ccd62349073 100644 --- a/docs/pages/admin-guides/access-controls/device-trust.mdx +++ b/docs/pages/admin-guides/access-controls/device-trust/device-trust.mdx @@ -82,7 +82,7 @@ enforcement and Cluster-wide enforcement. ## Guides -- [Getting Started with Device Trust](./device-trust/guide.mdx) -- [Device Management](./device-trust/device-management.mdx) -- [Enforcing Device Trust](./device-trust/enforcing-device-trust.mdx) -- [Jamf Pro Integration](./device-trust/jamf-integration.mdx) +- [Getting Started with Device Trust](guide.mdx) +- [Device Management](device-management.mdx) +- [Enforcing Device Trust](enforcing-device-trust.mdx) +- [Jamf Pro Integration](jamf-integration.mdx) diff --git a/docs/pages/admin-guides/access-controls/device-trust/jamf-integration.mdx b/docs/pages/admin-guides/access-controls/device-trust/jamf-integration.mdx index 564cac7891dac..2fbada2f0815e 100644 --- a/docs/pages/admin-guides/access-controls/device-trust/jamf-integration.mdx +++ b/docs/pages/admin-guides/access-controls/device-trust/jamf-integration.mdx @@ -14,7 +14,7 @@ Teleport if a computer is removed from Jamf Pro. Syncing devices from Jamf Pro is an **inventory management** step, equivalent to automatically running the corresponding `tctl devices add` commands. -See the [Device Trust guide](../device-trust.mdx) for fundamental Device Trust concepts +See the [Device Trust guide](device-trust.mdx) for fundamental Device Trust concepts and behavior.
diff --git a/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx b/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx index 7313b49f52788..579c6f62bad81 100644 --- a/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx +++ b/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx @@ -14,7 +14,7 @@ In this guide, we will set up Teleport's Just-in-Time Access Requests to require the approval of two team members for a privileged role `dbadmin`. The steps below describe how to use Teleport with Mattermost. You can also -[integrate with many other providers](../access-requests.mdx). +[integrate with many other providers](../access-requests/access-requests.mdx). diff --git a/docs/pages/admin-guides/access-controls/guides.mdx b/docs/pages/admin-guides/access-controls/guides/guides.mdx similarity index 100% rename from docs/pages/admin-guides/access-controls/guides.mdx rename to docs/pages/admin-guides/access-controls/guides/guides.mdx diff --git a/docs/pages/admin-guides/access-controls/guides/locking.mdx b/docs/pages/admin-guides/access-controls/guides/locking.mdx index a0e824fc55cfc..c71bd5f3e6313 100644 --- a/docs/pages/admin-guides/access-controls/guides/locking.mdx +++ b/docs/pages/admin-guides/access-controls/guides/locking.mdx @@ -22,7 +22,7 @@ A lock can target the following objects or attributes: - a Teleport agent by the agent's server UUID (effectively unregistering it from the cluster) - a Windows desktop by the desktop's name -- an [Access Request](../access-requests.mdx) by UUID +- an [Access Request](../access-requests/access-requests.mdx) by UUID ## Prerequisites diff --git a/docs/pages/admin-guides/access-controls/idps.mdx b/docs/pages/admin-guides/access-controls/idps.mdx deleted file mode 100644 index 347b7840b9391..0000000000000 --- a/docs/pages/admin-guides/access-controls/idps.mdx +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -title: Configure Teleport as an identity provider -description: How to set up Teleport's identity provider functionality ---- - -Users can authenticate to both internal and external applications -through the use of a built in identity provider in Teleport. - -- [SAML Guide](./idps/saml-guide.mdx): A guide for setting up an example application to integration with the SAML identity provider. -- [SAML Attribute Mapping](./idps/saml-attribute-mapping.mdx): A reference on how attribute mapping works in Teleport and how to -use it to assert custom user attribute name and values in a SAML response. -- [Use Teleport's SAML Provider to authenticate with Grafana](./idps/saml-grafana.mdx): Configure Grafana to authenticate using Teleport identities. -- [SAML Reference](../../reference/access-controls/saml-idp.mdx): A reference for Teleport's SAML identity provider. diff --git a/docs/pages/admin-guides/access-controls/idps/idps.mdx b/docs/pages/admin-guides/access-controls/idps/idps.mdx new file mode 100644 index 0000000000000..2c4daa37a4ae8 --- /dev/null +++ b/docs/pages/admin-guides/access-controls/idps/idps.mdx 
@@ -0,0 +1,13 @@ +--- +title: Configure Teleport as an identity provider +description: How to set up Teleport's identity provider functionality +--- + +Users can authenticate to both internal and external applications +through the use of a built in identity provider in Teleport. + +- [SAML Guide](saml-guide.mdx): A guide for setting up an example application to integration with the SAML identity provider. +- [SAML Attribute Mapping](saml-attribute-mapping.mdx): A reference on how attribute mapping works in Teleport and how to +use it to assert custom user attribute name and values in a SAML response. +- [Use Teleport's SAML Provider to authenticate with Grafana](saml-grafana.mdx): Configure Grafana to authenticate using Teleport identities. +- [SAML Reference](../../../reference/access-controls/saml-idp.mdx): A reference for Teleport's SAML identity provider. diff --git a/docs/pages/admin-guides/access-controls/login-rules/guide.mdx b/docs/pages/admin-guides/access-controls/login-rules/guide.mdx index c42a66e4548c3..9ddcc3203a72e 100644 --- a/docs/pages/admin-guides/access-controls/login-rules/guide.mdx +++ b/docs/pages/admin-guides/access-controls/login-rules/guide.mdx @@ -17,7 +17,7 @@ cluster on version `11.3.1` or greater. Login Rules only operate on SSO logins, so make sure you have configured an OIDC, SAML, or GitHub connector before you begin. -Check the [Single Sign-On](../sso.mdx) docs to learn how to set this up. +Check the [Single Sign-On](../sso/sso.mdx) docs to learn how to set this up. ## Step 1/5. Configure RBAC diff --git a/docs/pages/admin-guides/access-controls/login-rules.mdx b/docs/pages/admin-guides/access-controls/login-rules/login-rules.mdx similarity index 89% rename from docs/pages/admin-guides/access-controls/login-rules.mdx rename to docs/pages/admin-guides/access-controls/login-rules/login-rules.mdx index cc36b2e97469d..f179a2a8b4ec9 100644 --- a/docs/pages/admin-guides/access-controls/login-rules.mdx 
+++ b/docs/pages/admin-guides/access-controls/login-rules/login-rules.mdx @@ -19,7 +19,7 @@ Some use cases for Login Rules are: traits will be included in your user's SSH certificates and JWTs, which can become too large for some third-party applications to handle. Login Rules can filter out unnecessary traits and keep just the ones you need. -- When you have multiple [Role Templates](./guides/role-templates.mdx) repeating +- When you have multiple [Role Templates](../guides/role-templates.mdx) repeating the same logic to combine and transform external traits, consider using Login Rules to consolidate the logic to one place and simplify your Roles. @@ -42,13 +42,13 @@ traits_map: - 'ifelse(external.groups.contains("db-admins"), external.groups.add("db-users"), external.groups)' ``` -Check out the [Login Rules guide](./login-rules/guide.mdx) for a quick walkthrough +Check out the [Login Rules guide](guide.mdx) for a quick walkthrough that will show you how to write, test, and add the first Login Rule to your -cluster. See [example Login Rules](./login-rules/guide.mdx#example-login-rules) to +cluster. See [example Login Rules](guide.mdx) to learn how to address common use cases. When you're ready to take full advantage of Login Rules in your cluster, see the -[Login Rules Reference](../../reference/access-controls/login-rules.mdx) for details on the expression +[Login Rules Reference](../../../reference/access-controls/login-rules.mdx) for details on the expression language that powers them. ## FAQ diff --git a/docs/pages/admin-guides/access-controls/sso/okta.mdx b/docs/pages/admin-guides/access-controls/sso/okta.mdx index 82822c80cbd9f..969f77e67c21c 100644 --- a/docs/pages/admin-guides/access-controls/sso/okta.mdx +++ b/docs/pages/admin-guides/access-controls/sso/okta.mdx 
@@ -17,7 +17,7 @@ Teleport administrators to define policies like: In Teleport Enterprise Cloud and Self-Hosted Teleport Enterprise, Teleport can automatically configure an SSO connector for you when as part of [enrolling the -hosted Okta integration](../../../enroll-resources/application-access/okta.mdx). +hosted Okta integration](../../../enroll-resources/application-access/okta/okta.mdx). You can enroll the Okta integration from the Teleport Web UI. diff --git a/docs/pages/admin-guides/access-controls/sso.mdx b/docs/pages/admin-guides/access-controls/sso/sso.mdx similarity index 90% rename from docs/pages/admin-guides/access-controls/sso.mdx rename to docs/pages/admin-guides/access-controls/sso/sso.mdx index cb477c6210f12..279c6be84142a 100644 --- a/docs/pages/admin-guides/access-controls/sso.mdx +++ b/docs/pages/admin-guides/access-controls/sso/sso.mdx 
@@ -7,15 +7,15 @@ Teleport users can log in to servers, Kubernetes clusters, databases, web applications, and Windows desktops through their organization's Single Sign-On (SSO) provider. -- [Azure Active Directory (AD)](./sso/azuread.mdx): Configure Azure Active Directory SSO for SSH, Kubernetes, databases, desktops and web apps. -- [Active Directory (ADFS)](./sso/adfs.mdx): Configure Windows Active Directory SSO for SSH, Kubernetes, databases, desktops and web apps. -- [Google Workspace](./sso/google-workspace.mdx): Configure Google Workspace SSO for SSH, Kubernetes, databases, desktops and web apps. -- [GitHub](./sso/github-sso.mdx): Configure GitHub SSO for SSH, +- [Azure Active Directory (AD)](azuread.mdx): Configure Azure Active Directory SSO for SSH, Kubernetes, databases, desktops and web apps. +- [Active Directory (ADFS)](adfs.mdx): Configure Windows Active Directory SSO for SSH, Kubernetes, databases, desktops and web apps. +- [Google Workspace](google-workspace.mdx): Configure Google Workspace SSO for SSH, Kubernetes, databases, desktops and web apps. +- [GitHub](github-sso.mdx): Configure GitHub SSO for SSH, Kubernetes, databases, desktops, and web apps. -- [GitLab](./sso/gitlab.mdx): Configure GitLab SSO for SSH, Kubernetes, databases, desktops and web apps. -- [OneLogin](./sso/one-login.mdx): Configure OneLogin SSO for SSH, Kubernetes, databases, desktops and web apps. -- [OIDC](./sso/oidc.mdx): Configure OIDC SSO for SSH, Kubernetes, databases, desktops and web apps. -- [Okta](./sso/okta.mdx): Configure Okta SSO for SSH, Kubernetes, databases, desktops and web apps. +- [GitLab](gitlab.mdx): Configure GitLab SSO for SSH, Kubernetes, databases, desktops and web apps. +- [OneLogin](one-login.mdx): Configure OneLogin SSO for SSH, Kubernetes, databases, desktops and web apps. +- [OIDC](oidc.mdx): Configure OIDC SSO for SSH, Kubernetes, databases, desktops and web apps. 
+- [Okta](okta.mdx): Configure Okta SSO for SSH, Kubernetes, databases, desktops and web apps. ## How Teleport uses SSO @@ -402,9 +402,9 @@ flow. These provider-specific changes can be enabled by setting the values to match your identity provider: - `adfs` (SAML): Required for compatibility with Active Directory (ADFS); refer - to the full [ADFS guide](./sso/adfs.mdx#step-23-create-teleport-roles) for details. + to the full [ADFS guide](adfs.mdx) for details. - `netiq` (OIDC): Used to enable NetIQ-specific ACR value processing; refer to - the [OIDC guide](./sso/oidc.mdx#optional-acr-values) for details. + the [OIDC guide](oidc.mdx) for details. - `ping` (SAML and OIDC): Required for compatibility with Ping Identity (including PingOne and PingFederate). - `okta` (OIDC): Required when using Okta as an OIDC provider. @@ -456,7 +456,7 @@ $ tctl get connectors ``` To delete/update connectors, use the usual `tctl rm` and `tctl create` commands -as described in the [Resources Reference](../../reference/resources.mdx). +as described in the [Resources Reference](../../../reference/resources.mdx). If multiple authentication connectors exist, the clients must supply a connector name to `tsh login` via `--auth` argument: @@ -472,10 +472,10 @@ $ tsh --proxy=proxy.example.com login --auth=local --user=admin Refer to the following guides to configure authentication connectors of both SAML and OIDC types: -- [SSH Authentication with Okta](./sso/okta.mdx) -- [SSH Authentication with OneLogin](./sso/one-login.mdx) -- [SSH Authentication with ADFS](./sso/adfs.mdx) -- [SSH Authentication with OAuth2 / OpenID Connect](./sso/oidc.mdx) +- [SSH Authentication with Okta](okta.mdx) +- [SSH Authentication with OneLogin](one-login.mdx) +- [SSH Authentication with ADFS](adfs.mdx) +- [SSH Authentication with OAuth2 / OpenID Connect](oidc.mdx) ## SSO customization 
@@ -484,11 +484,11 @@ of SSO buttons in the Teleport Web UI. | Provider | YAML | Example | | - | - | - | -| GitHub | `display: GitHub` | ![github](../../../img/teleport-sso/github@2x.png) | -| Microsoft | `display: Microsoft` | ![microsoft](../../../img/teleport-sso/microsoft@2x.png) | -| Google | `display: Google` | ![google](../../../img/teleport-sso/google@2x.png) | -| BitBucket | `display: Bitbucket` | ![bitbucket](../../../img/teleport-sso/bitbucket@2x.png) | -| OpenID | `display: Okta` | ![Okta](../../../img/teleport-sso/openId@2x.png) | +| GitHub | `display: GitHub` | ![github](../../../../img/teleport-sso/github@2x.png) | +| Microsoft | `display: Microsoft` | ![microsoft](../../../../img/teleport-sso/microsoft@2x.png) | +| Google | `display: Google` | ![google](../../../../img/teleport-sso/google@2x.png) | +| BitBucket | `display: Bitbucket` | ![bitbucket](../../../../img/teleport-sso/bitbucket@2x.png) | +| OpenID | `display: Okta` | ![Okta](../../../../img/teleport-sso/openId@2x.png) | ## Troubleshooting @@ -516,7 +516,7 @@ If something is not working, we recommend to: If you get "access denied" or other login errors, the number one place to check is the Audit Log. You can access it in the **Activity** tab of the Teleport Web UI. -![Audit Log Entry for SSO Login error](../../../img/sso/teleportauditlogssofailed.png) +![Audit Log Entry for SSO Login error](../../../../img/sso/teleportauditlogssofailed.png) Example of a user being denied because the role `clusteradmin` wasn't set up: @@ -561,5 +561,5 @@ The roles we illustrated in this guide use `external` traits, which Teleport replaces with values from the single sign-on provider that the user used to authenticate with Teleport. For full details on how variable expansion works in Teleport roles, see the [Teleport Access Controls -Reference](../../reference/access-controls/roles.mdx). +Reference](../../../reference/access-controls/roles.mdx). 
diff --git a/docs/pages/admin-guides/api/access-plugin.mdx b/docs/pages/admin-guides/api/access-plugin.mdx index 7b30ec69d4ae0..80943073a7bb8 100644 --- a/docs/pages/admin-guides/api/access-plugin.mdx +++ b/docs/pages/admin-guides/api/access-plugin.mdx @@ -3,12 +3,12 @@ title: How to Build an Access Request Plugin description: Manage Access Requests using custom workflows with the Teleport API --- -With Teleport [Access Requests](../access-controls/access-requests.mdx), you can +With Teleport [Access Requests](../access-controls/access-requests/access-requests.mdx), you can assign Teleport users to less privileged roles by default and allow them to temporarily escalate their privileges. Reviewers can grant or deny Access Requests within your organization's existing communication workflows (e.g., Slack, email, and PagerDuty) using [Access Request -plugins](../access-controls/access-request-plugins.mdx). +plugins](../access-controls/access-request-plugins/access-request-plugins.mdx). You can use Teleport's API client library to build an Access Request plugin that integrates with your organization's unique workflows. diff --git a/docs/pages/admin-guides/api/api.mdx b/docs/pages/admin-guides/api/api.mdx index 7a4233680e87e..c376b1271bfb0 100644 --- a/docs/pages/admin-guides/api/api.mdx +++ b/docs/pages/admin-guides/api/api.mdx 
@@ -11,13 +11,13 @@ cluster. In this section, we will show you how to use Teleport's API. Teleport has a public [Go client](https://pkg.go.dev/github.com/gravitational/teleport/api/client) to -programatically interact with the API. [tsh and tctl](../../reference/cli.mdx) use +programatically interact with the API. [tsh and tctl](../../reference/cli/cli.mdx) use the same API. Here is what you can do with the Go Client: - Integrate with external tools, e.g., to write an [Access Request - plugin](../access-controls/access-request-plugins.mdx). Teleport + plugin](../access-controls/access-request-plugins/access-request-plugins.mdx). Teleport maintains Access Request plugins for tools like Slack, Jira, and Mattermost. - Perform CRUD actions on resources, such as roles, authentication connectors, and provisioning tokens. diff --git a/docs/pages/admin-guides/api/automatically-register-agents.mdx b/docs/pages/admin-guides/api/automatically-register-agents.mdx index 1f0d081ae99e4..5cad251d7a1d6 100644 --- a/docs/pages/admin-guides/api/automatically-register-agents.mdx +++ b/docs/pages/admin-guides/api/automatically-register-agents.mdx @@ -7,7 +7,7 @@ You can use Teleport's API to automatically register resources in your infrastructure with your Teleport cluster. Teleport already supports the automatic discovery of [Kubernetes -clusters](../../enroll-resources/auto-discovery/kubernetes.mdx) in AWS, Azure, and +clusters](../../enroll-resources/auto-discovery/kubernetes/kubernetes.mdx) in AWS, Azure, and Google Cloud, as well as [servers](../../enroll-resources/auto-discovery/servers/ec2-discovery.mdx) on Amazon EC2. To support other resources and cloud providers, you can use the API diff --git a/docs/pages/admin-guides/api/getting-started.mdx b/docs/pages/admin-guides/api/getting-started.mdx index 4f9287fc5e14e..cfdbe207dedc5 100644 --- a/docs/pages/admin-guides/api/getting-started.mdx +++ b/docs/pages/admin-guides/api/getting-started.mdx 
@@ -127,4 +127,4 @@ $ go run main.go - Read about Teleport [API architecture](../../reference/architecture/api-architecture.mdx) for an in-depth overview of the API and API clients. - Read [API authorization](../../reference/architecture/api-architecture.mdx) to learn more about defining custom roles for your API client. - Review the `client` [pkg.go reference documentation](https://pkg.go.dev/github.com/gravitational/teleport/api/client) for more information about working with the Teleport API programmatically. -- Familiarize yourself with the [admin manual](../management/admin.mdx) to make the best use of the API. +- Familiarize yourself with the [admin manual](../management/admin/admin.mdx) to make the best use of the API. diff --git a/docs/pages/admin-guides/deploy-a-cluster/access-graph/self-hosted-helm.mdx b/docs/pages/admin-guides/deploy-a-cluster/access-graph/self-hosted-helm.mdx index ff11a4a034ebd..60b35c0f9e2a2 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/access-graph/self-hosted-helm.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/access-graph/self-hosted-helm.mdx @@ -22,7 +22,7 @@ to Teleport Enterprise customers. - Helm >= (=helm.version=) - A running Teleport Enterprise cluster v14.3.6 or later. - For the purposes of this guide, we assume that the Teleport cluster is set up - [using the `teleport-cluster` Helm chart](../../deploy-a-cluster/helm-deployments.mdx) + [using the `teleport-cluster` Helm chart](../helm-deployments/helm-deployments.mdx) in the same Kubernetes cluster that will be used to deploy Access Graph. - An updated `license.pem` with Teleport Policy enabled. - A PostgreSQL database server v14 or later. diff --git a/docs/pages/admin-guides/deploy-a-cluster/deployments.mdx b/docs/pages/admin-guides/deploy-a-cluster/deployments.mdx deleted file mode 100644 index 706eb1c405ea9..0000000000000 --- a/docs/pages/admin-guides/deploy-a-cluster/deployments.mdx +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Reference Deployment Guides -description: Teleport Installation and Configuration Reference Deployment Guides. -layout: tocless-doc ---- - -These guides show you how to set up a full self-hosted Teleport deployment on -the platform of your choice. - -- [AWS High Availability Deployment with Terraform](./deployments/aws-ha-autoscale-cluster-terraform.mdx): Deploy HA Teleport with - Terraform on AWS. -- [AWS Single-Instance Deployment with Terraform](./deployments/aws-starter-cluster-terraform.mdx): Deploy Teleport on a single instance with - Terraform on AWS. -- [AWS Multi-Region Proxy - Deployment](./deployments/aws-gslb-proxy-peering-ha-deployment.mdx): Deploy HA - Teleport with Proxy Service instances in multiple regions for low-latency - access. -- [GCP](./deployments/gcp.mdx): Deploy HA Teleport on GCP. -- [IBM Cloud](./deployments/ibm.mdx): Deploy HA Teleport on IBM cloud. diff --git a/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx b/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx index c31cfc419ae82..cb6bb3e42a5c7 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx @@ -837,7 +837,7 @@ To add new nodes/EC2 servers that you can "SSH into" you'll need to: - [Run Teleport - we recommend using systemd](../../management/admin/daemon.mdx) - [Set the correct settings in /etc/teleport.yaml](../../../reference/config.mdx) - [Add Nodes to the Teleport - cluster](../../../enroll-resources/agents/join-services-to-your-cluster.mdx) + cluster](../../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) ### Getting the SSH Service join token 
diff --git a/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-starter-cluster-terraform.mdx b/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-starter-cluster-terraform.mdx index 4581ec4161b27..9a3556b489d07 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-starter-cluster-terraform.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-starter-cluster-terraform.mdx @@ -726,7 +726,7 @@ To add new nodes/EC2 servers that you can "SSH into" you'll need to: - [Run Teleport - we recommend using systemd](../../management/admin/daemon.mdx) - [Set the correct settings in /etc/teleport.yaml](../../../reference/config.mdx) - [Add Nodes to the Teleport - cluster](../../../enroll-resources/agents/join-services-to-your-cluster.mdx) + cluster](../../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) ## Troubleshooting diff --git a/docs/pages/admin-guides/deploy-a-cluster/deployments/deployments.mdx b/docs/pages/admin-guides/deploy-a-cluster/deployments/deployments.mdx new file mode 100644 index 0000000000000..a30782f9ca3c4 --- /dev/null +++ b/docs/pages/admin-guides/deploy-a-cluster/deployments/deployments.mdx 
@@ -0,0 +1,19 @@ +--- +title: Reference Deployment Guides +description: Teleport Installation and Configuration Reference Deployment Guides. +layout: tocless-doc +--- + +These guides show you how to set up a full self-hosted Teleport deployment on +the platform of your choice. + +- [AWS High Availability Deployment with Terraform](aws-ha-autoscale-cluster-terraform.mdx): Deploy HA Teleport with + Terraform on AWS. +- [AWS Single-Instance Deployment with Terraform](aws-starter-cluster-terraform.mdx): Deploy Teleport on a single instance with + Terraform on AWS. +- [AWS Multi-Region Proxy + Deployment](aws-gslb-proxy-peering-ha-deployment.mdx): Deploy HA + Teleport with Proxy Service instances in multiple regions for low-latency + access. +- [GCP](gcp.mdx): Deploy HA Teleport on GCP. +- [IBM Cloud](ibm.mdx): Deploy HA Teleport on IBM cloud. diff --git a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments.mdx b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/helm-deployments.mdx similarity index 55% rename from docs/pages/admin-guides/deploy-a-cluster/helm-deployments.mdx rename to docs/pages/admin-guides/deploy-a-cluster/helm-deployments/helm-deployments.mdx index fb62933678eea..e35528834cf72 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/helm-deployments.mdx 
@@ -15,24 +15,24 @@ order to protect a Kubernetes cluster with Teleport, and it is possible to enroll a Kubernetes cluster on Teleport Cloud or by running the Teleport Kubernetes Service on a Linux server. For instructions on enrolling a Kubernetes cluster with Teleport, read the [Kubernetes -Access](../../enroll-resources/kubernetes-access/introduction.mdx) documentation. +Access](../../../enroll-resources/kubernetes-access/introduction.mdx) documentation. ## Helm deployment guides These guides show you how to set up a full self-hosted Teleport deployment using our `teleport-cluster` Helm chart. -- [Deploy Teleport on Kubernetes](./helm-deployments/kubernetes-cluster.mdx): Run a Teleport cluster in a Kubernetes cluster using +- [Deploy Teleport on Kubernetes](kubernetes-cluster.mdx): Run a Teleport cluster in a Kubernetes cluster using the default configuration. This deployment is a great starting point to try a self-hosted Teleport with minimal resources. -- [HA AWS Teleport Cluster](./helm-deployments/aws.mdx): Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster -- [HA Azure Teleport Cluster](./helm-deployments/azure.mdx): Running an HA Teleport cluster in Kubernetes using an Azure AKS Cluster -- [HA GCP Teleport Cluster](./helm-deployments/gcp.mdx): Running an HA Teleport cluster in Kubernetes using a Google Cloud GKE Cluster -- [DigitalOcean Kubernetes Cluster](./helm-deployments/digitalocean.mdx): +- [HA AWS Teleport Cluster](aws.mdx): Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster +- [HA Azure Teleport Cluster](azure.mdx): Running an HA Teleport cluster in Kubernetes using an Azure AKS Cluster +- [HA GCP Teleport Cluster](gcp.mdx): Running an HA Teleport cluster in Kubernetes using a Google Cloud GKE Cluster +- [DigitalOcean Kubernetes Cluster](digitalocean.mdx): Running Teleport on DigitalOcean Kubernetes. 
-- [Custom Teleport config](./helm-deployments/custom.mdx): Running a Teleport cluster in Kubernetes with a custom Teleport config +- [Custom Teleport config](custom.mdx): Running a Teleport cluster in Kubernetes with a custom Teleport config ## Migration Guides -- [Migrating from v11 to v12](./helm-deployments/migration-v12.mdx) -- [Kubernetes 1.25 and PSP removal](./helm-deployments/migration-kubernetes-1-25-psp.mdx) +- [Migrating from v11 to v12](migration-v12.mdx) +- [Kubernetes 1.25 and PSP removal](migration-kubernetes-1-25-psp.mdx) diff --git a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx index 174fef2670f9b..abe2e2a4ba415 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx 
@@ -372,13 +372,13 @@ cluster. - **Set up Single Sign-On:** In this guide, we showed you how to create a local user, which is appropriate for demo environments. For a production deployment, you should set up Single Sign-On with your provider of choice. See our [Single - Sign-On guides](../../access-controls/sso.mdx) for how to do this. + Sign-On guides](../../access-controls/sso/sso.mdx) for how to do this. - **Configure your Teleport deployment:** To see all of the options you can set in the values file for the `teleport-cluster` Helm chart, consult our [reference guide](../../../reference/helm-reference/teleport-cluster.mdx). - **Register resources:** You can register all of the Kubernetes clusters in your infrastructure with Teleport. To start, read our [Auto-Discovery - guides](../../../enroll-resources/auto-discovery/kubernetes.mdx) to see how to automatically + guides](../../../enroll-resources/auto-discovery/kubernetes/kubernetes.mdx) to see how to automatically register every cluster in your cloud. You can also register servers, databases, applications, and Windows desktops. - **Fine-tune your Kubernetes RBAC:** While the user you created in this guide diff --git a/docs/pages/admin-guides/deploy-a-cluster/high-availability.mdx b/docs/pages/admin-guides/deploy-a-cluster/high-availability.mdx index 2d3ced747ce68..49a16ac166666 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/high-availability.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/high-availability.mdx @@ -296,7 +296,7 @@ pod or virtual machine in your group. If you plan to run Teleport on Kubernetes, the `teleport-cluster` Helm chart deploys the Auth Service and Proxy Service pools for you. To see how to use this -Helm chart, read our [Helm Deployments](helm-deployments.mdx) documentation. +Helm chart, read our [Helm Deployments](helm-deployments/helm-deployments.mdx) documentation. 
@@ -353,7 +353,7 @@ Create a configuration file and provide it to each of your Proxy Service instances at `/etc/teleport.yaml`. We will explain the required configuration fields for a high-availability Teleport deployment below. These are the minimum requirements, and when planning your high-availability deployment, you will want -to follow a more specific [deployment guide](deployments.mdx) for your +to follow a more specific [deployment guide](deployments/deployments.mdx) for your environment. #### `proxy_service` and `auth_service` @@ -467,7 +467,7 @@ Create a configuration file and provide it to each of your Auth Service instances at `/etc/teleport.yaml`. We will explain the required configuration fields for a high-availability Teleport deployment below. These are the minimum requirements, and when planning your high-availability deployment, you will want -to follow a more specific [deployment guide](deployments.mdx) for your +to follow a more specific [deployment guide](deployments/deployments.mdx) for your environment. #### `storage` @@ -540,8 +540,8 @@ deployment, read about how to design your own deployment on Kubernetes or a cluster of virtual machines in your cloud of choice: - [High-availability Teleport Deployments on Kubernetes with - Helm](helm-deployments.mdx) -- [Reference Deployments](deployments.mdx) for running Teleport on a cluster of + Helm](helm-deployments/helm-deployments.mdx) +- [Reference Deployments](deployments/deployments.mdx) for running Teleport on a cluster of virtual machines ### Ensure high performance @@ -550,7 +550,7 @@ You should also get familiar with how to ensure that your Teleport deployment is performing as expected: - [Scaling a Teleport cluster](../management/operations/scaling.mdx) -- [Monitoring a Teleport cluster](../management/diagnostics.mdx) +- [Monitoring a Teleport cluster](../management/diagnostics/diagnostics.mdx) ### Deploy Teleport services 
diff --git a/docs/pages/admin-guides/infrastructure-as-code.mdx b/docs/pages/admin-guides/infrastructure-as-code/infrastructure-as-code.mdx similarity index 90% rename from docs/pages/admin-guides/infrastructure-as-code.mdx rename to docs/pages/admin-guides/infrastructure-as-code/infrastructure-as-code.mdx index e3b756b4a5a5e..f1b8d92aee5b1 100644 --- a/docs/pages/admin-guides/infrastructure-as-code.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/infrastructure-as-code.mdx @@ -27,7 +27,7 @@ There are two ways to configure a Teleport cluster: This approach makes it possible to incrementally adjust your Teleport configuration without restarting Teleport instances. -![Architecture of dynamic resources](../../img/dynamic-resources.png) +![Architecture of dynamic resources](../../../img/dynamic-resources.png) A cluster is composed of different objects (i.e., resources) and there are three common operations that can be performed on them: `get` , `create` , and `remove` 
@@ -64,13 +64,13 @@ infrastructure-as-code and GitOps approaches. You can get started with `tctl`, the Terraform Provider, and the Kubernetes Operator by following: -- the ["Managing Users and Roles with IaC" guide](infrastructure-as-code/managing-resources/user-and-role.mdx) -- the ["Creating Access Lists with IaC" guide](infrastructure-as-code/managing-resources/access-list.mdx) -- the ["Registering Agentless OpenSSH Servers with IaC" guide](infrastructure-as-code/managing-resources/agentless-ssh-servers.mdx) +- the ["Managing Users and Roles with IaC" guide](managing-resources/user-and-role.mdx) +- the ["Creating Access Lists with IaC" guide](managing-resources/access-list.mdx) +- the ["Registering Agentless OpenSSH Servers with IaC" guide](managing-resources/agentless-ssh-servers.mdx) For more information on Teleport roles, including the `internal.logins` trait we use in these example roles, see the [Teleport Access -Controls Reference](../reference/access-controls/roles.mdx). +Controls Reference](../../reference/access-controls/roles.mdx). ### YAML documents with `tctl` @@ -92,7 +92,7 @@ spec: Since `tctl` works from the local filesystem, you can write commands that apply all configuration documents in a directory tree. See the [CLI -reference](../reference/cli/tctl.mdx) for more information on `tctl`. +reference](../../reference/cli/tctl.mdx) for more information on `tctl`. ### Teleport Terraform provider @@ -121,7 +121,7 @@ resource "teleport_role" "developer" { ``` [Get started with the Terraform -provider](infrastructure-as-code/terraform-provider.mdx). +provider](terraform-provider/terraform-provider.mdx). ### Teleport Kubernetes Operator @@ -142,7 +142,7 @@ spec: 'env': 'test' ``` -[Get started with the Kubernetes Operator](infrastructure-as-code/teleport-operator.mdx). +[Get started with the Kubernetes Operator](teleport-operator/teleport-operator.mdx). ## Reconciling the configuration file with dynamic resources 
@@ -255,16 +255,16 @@ configuration resources with the `teleport.dev/origin=config-file` label. ### Configuration references - For a comprehensive reference of Teleport's static configuration options, read - the [Configuration Reference](../reference/config.mdx). + the [Configuration Reference](../../reference/config.mdx). - To see the dynamic configuration resources available to apply, read the - [Configuration Resource Reference](../reference/resources.mdx). There are also + [Configuration Resource Reference](../../reference/resources.mdx). There are also dedicated configuration resource references for - [applications](../reference/agent-services/application-access.mdx) and - [databases](../reference/agent-services/database-access-reference/configuration.mdx). + [applications](../../reference/agent-services/application-access.mdx) and + [databases](../../reference/agent-services/database-access-reference/configuration.mdx). ### Other ways to use the Teleport API The Teleport Kubernetes Operator, Terraform provider, and `tctl` are all clients of the Teleport Auth Service's gRPC API. To build your own API client to extend Teleport for your organization's needs, read our [API -guides](api/api.mdx). +guides](../api/api.mdx). diff --git a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/agentless-ssh-servers.mdx b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/agentless-ssh-servers.mdx index 189b3511fe8ce..b64234da193f4 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/agentless-ssh-servers.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/agentless-ssh-servers.mdx @@ -43,7 +43,7 @@ $ export OPERATOR_NAMESPACE="teleport-iac" -A functional Teleport Terraform provider by following [the Terraform provider guide](../terraform-provider.mdx). +A functional Teleport Terraform provider by following [the Terraform provider guide](../terraform-provider/terraform-provider.mdx). 
diff --git a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/import-existing-resources.mdx b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/import-existing-resources.mdx index 0ca2464ec2a7b..d5329defb9feb 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/import-existing-resources.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/import-existing-resources.mdx @@ -84,4 +84,4 @@ cluster configuration matches your expectations. Provider to create Teleport users and grant them roles. - Explore the full list of supported [Terraform provider resources](../../../reference/terraform-provider.mdx). -- See [the list of supported Teleport Terraform setups](../terraform-provider.mdx): +- See [the list of supported Teleport Terraform setups](../terraform-provider/terraform-provider.mdx): diff --git a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/login-rules-operator.mdx b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/login-rules-operator.mdx index 259f6eba8e6fa..9110501361bcb 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/login-rules-operator.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/login-rules-operator.mdx @@ -39,7 +39,7 @@ This guide is applicable if you self-host Teleport in Kubernetes using the -- Follow the [Teleport operator guides](../teleport-operator.mdx) +- Follow the [Teleport operator guides](../teleport-operator/teleport-operator.mdx) to install the Teleport Operator in your Kubernetes cluster. Make sure to follow the Enterprise instructions if you're deploying the operator as part of the `teleport-cluster` chart. 
@@ -245,7 +245,7 @@ logins: ## Next Steps -- Read the [Teleport Operator Guide](../teleport-operator.mdx) to +- Read the [Teleport Operator Guide](../teleport-operator/teleport-operator.mdx) to learn more about the Teleport Operator. - Read the [Login Rules reference](../../../reference/access-controls/login-rules.mdx) to learn mode about the Login Rule expression syntax. diff --git a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/login-rules-terraform.mdx b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/login-rules-terraform.mdx index 9d7f421e60d2d..f9f0e3fae17ce 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/login-rules-terraform.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/login-rules-terraform.mdx @@ -27,7 +27,7 @@ For simplicity, this guide will configure the Terraform provider to use your current logged-in user's Teleport credentials obtained from `tsh login`. -The [Terraform provider guide](../terraform-provider.mdx) +The [Terraform provider guide](../terraform-provider/terraform-provider.mdx) includes instructions for configuring a dedicated `terraform` user and role, which is a better option when running Terraform in a non-interactive environment. @@ -152,7 +152,7 @@ logins: ## Next Steps -- Read the [Terraform Guide](../terraform-provider.mdx) to +- Read the [Terraform Guide](../terraform-provider/terraform-provider.mdx) to learn more about configuring the Terraform provider. - Read the [Login Rules reference](../../../reference/access-controls/login-rules.mdx) to learn mode about the Login Rule expression syntax. diff --git a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx index 0d288a1f763d7..a10cfa345a8e1 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx 
+++ b/docs/pages/admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx @@ -44,7 +44,7 @@ $ export OPERATOR_NAMESPACE="teleport-iac" -A functional Teleport Terraform provider by following [the Terraform provider guide](../terraform-provider.mdx). +A functional Teleport Terraform provider by following [the Terraform provider guide](../terraform-provider/terraform-provider.mdx). @@ -480,13 +480,13 @@ resource "teleport_user" "bob" { - Allow users with the `manager` role to grant access to production servers to some `engineers` via Access Lists. Manager will need to justify and review granted access periodically. - See [the AccessList documentation](../../access-controls/access-lists.mdx) for + See [the AccessList documentation](../../access-controls/access-lists/access-lists.mdx) for a high-level explanation of the feature, and [the AccessList IaC guide](access-list.mdx) for a step by step IaC AccessList setup. - Allow users with the `engineer` role to request temporary access to production, and have users with the `manager` role validate the requests. - See [the Access Requests documentation](../../access-controls/access-requests.mdx) + See [the Access Requests documentation](../../access-controls/access-requests/access-requests.mdx) - You can see all supported fields in the references of [the user resource](../../../reference/resources.mdx) and [the role resource](../../../reference/resources.mdx). diff --git a/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/secret-lookup.mdx b/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/secret-lookup.mdx index 9cf816d8a015f..a23e4935c5051 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/secret-lookup.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/secret-lookup.mdx 
@@ -18,7 +18,7 @@ Currently only the GithubConnector and OIDCConnector `client_secret` field suppo To follow this guide you need: - A running Teleport cluster -- [A functional Teleport Kubernetes operator setup](../teleport-operator.mdx#setting-up-the-operator) +- [A functional Teleport Kubernetes operator setup](teleport-operator.mdx) - Kubernetes rights to edit CRs and Secrets in the operator namespace - `kubectl` installed locally and configured for your Kubernetes cluster - A working GitHub or OIDC connector you want to manage with the operator diff --git a/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator-helm.mdx b/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator-helm.mdx index 950699a7b53a7..5a40f1e2bef4a 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator-helm.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator-helm.mdx @@ -104,7 +104,7 @@ roles. Helm Chart parameters are documented in the [`teleport-cluster` Helm chart reference](../../../reference/helm-reference/teleport-cluster.mdx). -See the [Helm Deployment guides](../../deploy-a-cluster/helm-deployments.mdx) detailing specific setups like running Teleport on AWS or GCP. +See the [Helm Deployment guides](../../deploy-a-cluster/helm-deployments/helm-deployments.mdx) detailing specific setups like running Teleport on AWS or GCP. ## Troubleshooting diff --git a/docs/pages/admin-guides/infrastructure-as-code/teleport-operator.mdx b/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator.mdx similarity index 89% rename from docs/pages/admin-guides/infrastructure-as-code/teleport-operator.mdx rename to docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator.mdx index ca6fe1ca21484..e8dec4b877a13 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/teleport-operator.mdx 
+++ b/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator.mdx @@ -40,10 +40,10 @@ Currently supported Teleport resources are: ### Setting up the operator If you are self-hosting Teleport using the `teleport-cluster` Helm chart, -follow [the guide for Helm-deployed clusters](teleport-operator/teleport-operator-helm.mdx). +follow [the guide for Helm-deployed clusters](teleport-operator-helm.mdx). If you are hosting Teleport out of Kubernetes (Teleport Cloud, Terraform, ...), -follow [the standalone operator guide](teleport-operator/teleport-operator-standalone.mdx). +follow [the standalone operator guide](teleport-operator-standalone.mdx). ### Control reconciliation with annotations @@ -81,7 +81,7 @@ Even when you store sensitive values out of CRs, the CRs must still be considere the Kubernetes secrets themselves. Many CRs configure Teleport RBAC. Someone with CR editing permissions can become a Teleport administrator and retrieve the sensitive values from Teleport. -See [the dedicated guide](./teleport-operator/secret-lookup.mdx) for more details. +See [the dedicated guide](secret-lookup.mdx) for more details. ### Troubleshooting @@ -89,5 +89,5 @@ See [the dedicated guide](./teleport-operator/secret-lookup.mdx) for more detail ## Next steps -- Follow the ["Managing users and roles with IaC" guide](managing-resources/user-and-role.mdx). -- Check out [access controls documentation](../access-controls/access-controls.mdx). +- Follow the ["Managing users and roles with IaC" guide](../managing-resources/user-and-role.mdx). +- Check out [access controls documentation](../../access-controls/access-controls.mdx). diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx deleted file mode 100644 index d299debb7acd8..0000000000000 --- a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: Configuring Teleport with Terraform -description: How to manage dynamic resources using the Teleport Terraform provider. -videoBanner: YgNHD4SS8dg ---- - -The Teleport Terraform provider allows Teleport administrators to use Terraform to configure Teleport via -dynamic resources. - -## Setup - -For instructions on managing users and roles via Terraform, read -the ["Managing users and roles with IaC" guide](managing-resources/user-and-role.mdx). - -The provider must obtain an identity to connect to Teleport. The method to obtain it depends on where the Terraform code -is executed. You must pick the correct guide for your setup: - -| Guide | Use-case | How it works | -|---------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------| -| [Run the Teleport Terraform provider locally](./terraform-provider/local.mdx) | You are getting started with the Teleport Terraform provider and managing Teleport resources with IaC. | You use local credentials to create a temporary bot, obtain short-lived credentials, and store them in environment variables. | -| [Run the Teleport Terraform provider on Terraform Cloud](./terraform-provider/terraform-cloud.mdx) | You're running on HCP Terraform (Terraform Cloud) or self-hosted Terraform Enterprise. | Terraform Cloud Workload Identity issues a proof of identity and the Teleport Terraform provider uses it to authenticate. 
| -| [Run the Teleport Terraform provider in CI or a cloud VM](./terraform-provider/ci-or-cloud.mdx) | You already have a working Terraform module configuring Teleport and want to run it in CI to benefit from review and audit capabilities from your versioning system (e.g. git). | You're using a proof provided by your runtime (CI engine, cloud provider) to prove your identity and join using MachineID. | -| [Run the Teleport Terraform provider on Spacelift](./terraform-provider/spacelift.mdx) | You already have a working Terraform module configuring Teleport and want to run it on the Spacelift platform. | You're using a proof provided by Spacelift to prove your identity and join using MachineID. | -| [Run the Teleport Terraform provider from a server](./terraform-provider/dedicated-server.mdx) | You have working Terraform code and want to run it on a dedicated server. The server is long-lived, like a bastion or a task runner. | You setup a MachineID daemon (`tbot`) that obtains and refreshes credentials for the Terraform provider. | -| [Run the Teleport Terraform provider with long-lived credentials.](./terraform-provider/long-lived-credentials.mdx) | This method is discouraged as less secure than the others. This should be used when none of the other methods work in your case (short-lived CI environments that don't have dedicated Teleport join methods). | You sign one long lived certificate allowing the Terraform provider to connect to Teleport. | - -## Resource guides - -Once you have a functional Teleport Terraform provider, you will want to configure your resources with it. - -You can find the list of supported resources and their fields is -available [in the Terraform reference](../../reference/terraform-provider.mdx). 
- -Some resources have their dedicated Infrastructure-as-Code (IaC) step-by step guides such as: -- [Managing Users And Roles With IaC](managing-resources/user-and-role.mdx) -- [Creating Access Lists with IaC](managing-resources/access-list.mdx) -- [Registering Agentless OpenSSH Servers with IaC](managing-resources/agentless-ssh-servers.mdx) - -Finally, you can [import your existing resources in Terraform](managing-resources/import-existing-resources.mdx). diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/long-lived-credentials.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/long-lived-credentials.mdx index 9c54a81f88730..ee1e9e3ed3cc5 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/long-lived-credentials.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/long-lived-credentials.mdx @@ -13,7 +13,7 @@ they hold full Teleport administrative access. You should prefer using [`tbot`](./dedicated-server.mdx), [native MachineID joining](./ci-or-cloud.mdx) in CI or Cloud environments, or [create temporary bots for local use](./local.mdx) when possible. -See [the list of possible Terraform provider setups](../terraform-provider.mdx#setup) to find which one fits your +See [the list of possible Terraform provider setups](terraform-provider.mdx) to find which one fits your use-case. diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx new file mode 100644 index 0000000000000..e19b9a49b0fc9 --- /dev/null +++ b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx 
@@ -0,0 +1,39 @@ +--- +title: Configuring Teleport with Terraform +description: How to manage dynamic resources using the Teleport Terraform provider. +videoBanner: YgNHD4SS8dg +--- + +The Teleport Terraform provider allows Teleport administrators to use Terraform to configure Teleport via +dynamic resources. + +## Setup + +For instructions on managing users and roles via Terraform, read +the ["Managing users and roles with IaC" guide](../managing-resources/user-and-role.mdx). + +The provider must obtain an identity to connect to Teleport. The method to obtain it depends on where the Terraform code +is executed. You must pick the correct guide for your setup: + +| Guide | Use-case | How it works | +|---------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------| +| [Run the Teleport Terraform provider locally](local.mdx) | You are getting started with the Teleport Terraform provider and managing Teleport resources with IaC. | You use local credentials to create a temporary bot, obtain short-lived credentials, and store them in environment variables. | +| [Run the Teleport Terraform provider on Terraform Cloud](terraform-cloud.mdx) | You're running on HCP Terraform (Terraform Cloud) or self-hosted Terraform Enterprise. | Terraform Cloud Workload Identity issues a proof of identity and the Teleport Terraform provider uses it to authenticate. 
| +| [Run the Teleport Terraform provider in CI or a cloud VM](ci-or-cloud.mdx) | You already have a working Terraform module configuring Teleport and want to run it in CI to benefit from review and audit capabilities from your versioning system (e.g. git). | You're using a proof provided by your runtime (CI engine, cloud provider) to prove your identity and join using MachineID. | +| [Run the Teleport Terraform provider on Spacelift](spacelift.mdx) | You already have a working Terraform module configuring Teleport and want to run it on the Spacelift platform. | You're using a proof provided by Spacelift to prove your identity and join using MachineID. | +| [Run the Teleport Terraform provider from a server](dedicated-server.mdx) | You have working Terraform code and want to run it on a dedicated server. The server is long-lived, like a bastion or a task runner. | You setup a MachineID daemon (`tbot`) that obtains and refreshes credentials for the Terraform provider. | +| [Run the Teleport Terraform provider with long-lived credentials.](long-lived-credentials.mdx) | This method is discouraged as less secure than the others. This should be used when none of the other methods work in your case (short-lived CI environments that don't have dedicated Teleport join methods). | You sign one long lived certificate allowing the Terraform provider to connect to Teleport. | + +## Resource guides + +Once you have a functional Teleport Terraform provider, you will want to configure your resources with it. + +You can find the list of supported resources and their fields is +available [in the Terraform reference](../../../reference/terraform-provider.mdx). 
+ +Some resources have their dedicated Infrastructure-as-Code (IaC) step-by step guides such as: +- [Managing Users And Roles With IaC](../managing-resources/user-and-role.mdx) +- [Creating Access Lists with IaC](../managing-resources/access-list.mdx) +- [Registering Agentless OpenSSH Servers with IaC](../managing-resources/agentless-ssh-servers.mdx) + +Finally, you can [import your existing resources in Terraform](../managing-resources/import-existing-resources.mdx). diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-starter/enroll-resources.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-starter/enroll-resources.mdx index b28896b42033b..d4de6522c848a 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/terraform-starter/enroll-resources.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/terraform-starter/enroll-resources.mdx @@ -5,7 +5,7 @@ description: Explains how to deploy a pool of Teleport Agents so you can apply d --- *This guide is Part One of the Teleport Terraform starter guide. Read the -[overview](../terraform-starter.mdx) for the scope and purpose of the Terraform +[overview](terraform-starter.mdx) for the scope and purpose of the Terraform starter guide.* This guide shows you how to use Terraform to enroll infrastructure resources @@ -25,7 +25,7 @@ Agents](../../../enroll-resources/agents/introduction.mdx). There are several methods you can use to join a Teleport Agent to your cluster, which we discuss in the [Joining Services to your -Cluster](../../../enroll-resources/agents/join-services-to-your-cluster.mdx) guide. In this guide, we will use +Cluster](../../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) guide. In this guide, we will use the **join token** method, where the operator stores a secure token on the Auth Service, and an Agent presents the token in order to join a cluster. 
diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-starter/rbac.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-starter/rbac.mdx index ab6e33bbda34f..3699876228ef1 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/terraform-starter/rbac.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/terraform-starter/rbac.mdx @@ -5,7 +5,7 @@ description: Explains how to manage Teleport roles and authentication connectors --- *This guide is Part Two of the Teleport Terraform starter guide. Read the -[overview](../terraform-starter.mdx) for the scope and purpose of the Terraform +[overview](terraform-starter.mdx) for the scope and purpose of the Terraform starter guide.* In [Part One](enroll-resources.mdx) of this series, we showed you how to use diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-starter.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-starter/terraform-starter.mdx similarity index 88% rename from docs/pages/admin-guides/infrastructure-as-code/terraform-starter.mdx rename to docs/pages/admin-guides/infrastructure-as-code/terraform-starter/terraform-starter.mdx index 31fa873f04166..bb973bb936d1c 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/terraform-starter.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/terraform-starter/terraform-starter.mdx @@ -9,8 +9,7 @@ Teleport resources to manage with Terraform in order to accomplish common Teleport setup tasks. You can use the example module as a starting point for managing a complete set of Teleport cluster resources. -The guides in the Terraform starter module assume that you have [a working Terraform provider setup]( -./terraform-provider.mdx) on your workstation. +The guides in the Terraform starter module assume that you have [a working Terraform provider setup](../terraform-provider/terraform-provider.mdx) on your workstation. ## Part One: Enroll resources 
@@ -20,7 +19,7 @@ Teleport Agents on virtual machine instances. You can then declare dynamic infrastructure resources with Terraform or change the configuration file provided to each Agent. -[Read Part One](./terraform-starter/enroll-resources.mdx). +[Read Part One](enroll-resources.mdx). ## Part Two: Configure RBAC @@ -32,5 +31,5 @@ roles by default but can request access to more privileged roles. An authentication connector lets users authenticate to Teleport using a Single Sign-On provider. -[Read Part Two](./terraform-starter/rbac.mdx). +[Read Part Two](rbac.mdx). diff --git a/docs/pages/admin-guides/management/admin.mdx b/docs/pages/admin-guides/management/admin.mdx deleted file mode 100644 index 817618350db8d..0000000000000 --- a/docs/pages/admin-guides/management/admin.mdx +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -title: Cluster Administration Guides -description: Teleport Cluster Administration Guides. -layout: tocless-doc ---- - -The guides in this section show you the fundamentals of setting up and running a -Teleport cluster. You will learn how to run the `teleport` daemon, manage users -and resources, and troubleshoot any issues that arise. - -If you already understand how to set up a Teleport cluster, consult the -[Operations](./operations.mdx) section so you can start conducting periodic -cluster maintenance tasks. - -## Run Teleport - -- [Teleport Daemon](./admin/daemon.mdx): Set up Teleport as a daemon on Linux with systemd. -- [Run Teleport with Self-Signed Certificates](./admin/self-signed-certs.mdx): Set up Teleport in a local -environment without configuring TLS certificates. - -## Manage users and resources - -- [Trusted Clusters](./admin/trustedclusters.mdx): Connect multiple Teleport clusters using trusted clusters. -- [Labels](./admin/labels.mdx): Manage resource metadata with labels. -- [Local Users](./admin/users.mdx): Manage local user accounts. - -## Troubleshoot issues - -- [Troubleshooting](./admin/troubleshooting.mdx): Collect metrics and diagnostic information from Teleport. -- [Uninstall Teleport](./admin/uninstall-teleport.mdx): Uninstall Teleport from your system. diff --git a/docs/pages/admin-guides/management/admin/admin.mdx b/docs/pages/admin-guides/management/admin/admin.mdx new file mode 100644 index 0000000000000..4e11195231369 --- /dev/null +++ b/docs/pages/admin-guides/management/admin/admin.mdx 
@@ -0,0 +1,30 @@ +--- +title: Cluster Administration Guides +description: Teleport Cluster Administration Guides. +layout: tocless-doc +--- + +The guides in this section show you the fundamentals of setting up and running a +Teleport cluster. You will learn how to run the `teleport` daemon, manage users +and resources, and troubleshoot any issues that arise. + +If you already understand how to set up a Teleport cluster, consult the +[Operations](../operations/operations.mdx) section so you can start conducting periodic +cluster maintenance tasks. + +## Run Teleport + +- [Teleport Daemon](daemon.mdx): Set up Teleport as a daemon on Linux with systemd. +- [Run Teleport with Self-Signed Certificates](self-signed-certs.mdx): Set up Teleport in a local +environment without configuring TLS certificates. + +## Manage users and resources + +- [Trusted Clusters](trustedclusters.mdx): Connect multiple Teleport clusters using trusted clusters. +- [Labels](labels.mdx): Manage resource metadata with labels. +- [Local Users](users.mdx): Manage local user accounts. + +## Troubleshoot issues + +- [Troubleshooting](troubleshooting.mdx): Collect metrics and diagnostic information from Teleport. +- [Uninstall Teleport](uninstall-teleport.mdx): Uninstall Teleport from your system. diff --git a/docs/pages/admin-guides/management/admin/trustedclusters.mdx b/docs/pages/admin-guides/management/admin/trustedclusters.mdx index 8145f4cda66c2..5322f020927f0 100644 --- a/docs/pages/admin-guides/management/admin/trustedclusters.mdx +++ b/docs/pages/admin-guides/management/admin/trustedclusters.mdx 
@@ -110,7 +110,7 @@ configured with a single sign-on identity provider that authenticates her identi Based on the information from the identity provider, the root cluster assigns Alice the `full-access` role and issues her a certificate. The mapping of single sign-on properties to Teleport roles is configured when you add an authentication connector to the Teleport cluster. To learn more about configuring single sign-on -through an external identity provider, see [Configure Single Sign-on](../../access-controls/sso.mdx). +through an external identity provider, see [Configure Single Sign-on](../../access-controls/sso/sso.mdx). Alice receives the certificate that specifies the roles assigned to her in the root cluster. This metadata about her roles is contained in the certificate extensions and is protected by the signature of the root @@ -167,7 +167,7 @@ To complete the steps in this guide, verify your environment meets the following - A Teleport SSH server that is joined to the cluster you plan to use as the **leaf cluster**. For information about how to enroll a resource in your cluster, see - [Join Services to your Cluster](../../../enroll-resources/agents/join-services-to-your-cluster.mdx). + [Join Services to your Cluster](../../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx). (!docs/pages/includes/permission-warning.mdx!) diff --git a/docs/pages/admin-guides/management/admin/users.mdx b/docs/pages/admin-guides/management/admin/users.mdx index 5f71a26ba8875..6e22ca3c22c47 100644 --- a/docs/pages/admin-guides/management/admin/users.mdx +++ b/docs/pages/admin-guides/management/admin/users.mdx @@ -120,7 +120,7 @@ For all available `tctl` commands and flags, see our [CLI Reference](../../../re You can also configure Teleport so that users can log in using an SSO provider. For more information, see: -- [Single Sign-On](../../access-controls/sso.mdx) +- [Single Sign-On](../../access-controls/sso/sso.mdx) 
diff --git a/docs/pages/admin-guides/management/diagnostics.mdx b/docs/pages/admin-guides/management/diagnostics/diagnostics.mdx similarity index 99% rename from docs/pages/admin-guides/management/diagnostics.mdx rename to docs/pages/admin-guides/management/diagnostics/diagnostics.mdx index c29ddddc68b9a..51385e22c9482 100644 --- a/docs/pages/admin-guides/management/diagnostics.mdx +++ b/docs/pages/admin-guides/management/diagnostics/diagnostics.mdx @@ -98,7 +98,7 @@ to a format that your telemetry backend accepts. ## Configure Teleport In order to enable tracing for a `teleport` instance, add the following section to that instance's configuration file (`/etc/teleport.yaml`). -For a detailed description of these configuration fields, see the [configuration reference](../../reference/config.mdx) page. +For a detailed description of these configuration fields, see the [configuration reference](../../../reference/config.mdx) page. ```yaml tracing_service: diff --git a/docs/pages/admin-guides/management/export-audit-events.mdx b/docs/pages/admin-guides/management/export-audit-events/export-audit-events.mdx similarity index 75% rename from docs/pages/admin-guides/management/export-audit-events.mdx rename to docs/pages/admin-guides/management/export-audit-events/export-audit-events.mdx index 4f23c61432494..49387f7964b1b 100644 --- a/docs/pages/admin-guides/management/export-audit-events.mdx +++ b/docs/pages/admin-guides/management/export-audit-events/export-audit-events.mdx 
@@ -10,7 +10,7 @@ You can use Teleport's Event Handler plugin to export audit events from Teleport so you can store them in a log management platform or custom backend. If you are new to exporting audit events with Teleport, read [Forwarding Events -with Fluentd](./export-audit-events/fluentd.mdx) to learn the basics of how our +with Fluentd](fluentd.mdx) to learn the basics of how our Event Handler plugin works. While this guide focuses on Fluentd, the Event Handler plugin can export audit events to any endpoint that ingests JSON messages via HTTP. @@ -19,14 +19,14 @@ Next, read our guides to setting up the Event Handler plugin to export audit events to your solution of choice: - [Monitor Teleport Audit Events with the Elastic - Stack](./export-audit-events/elastic-stack.mdx): How to configure the Event + Stack](elastic-stack.mdx): How to configure the Event Handler plugin to forward Teleport audit logs to Logstash for ingestion in Elasticsearch so you can explore them in Kibana. -- [Monitor Teleport Audit Events with Panther](./export-audit-events/panther.mdx): +- [Monitor Teleport Audit Events with Panther](panther.mdx): How to configure the Event Handler plugin to send logs to Panther via Fluentd so you can explore your audit events in Panther. -- [Monitor Teleport Audit Events with Splunk](./export-audit-events/splunk.mdx): +- [Monitor Teleport Audit Events with Splunk](splunk.mdx): How to configure the Event Handler plugin to send logs to Splunk's Universal Forwarder so you can explore your audit events in Splunk. -- [Monitor Teleport Audit Events with Datadog](./export-audit-events/datadog.mdx): +- [Monitor Teleport Audit Events with Datadog](datadog.mdx): How to configure the Event Handler plugin to export audit logs to Datadog via Fluentd. diff --git a/docs/pages/admin-guides/management/external-audit-storage.mdx b/docs/pages/admin-guides/management/external-audit-storage.mdx index ce1d1fd74d636..6aa2fcc0368b8 100644 
--- a/docs/pages/admin-guides/management/external-audit-storage.mdx +++ b/docs/pages/admin-guides/management/external-audit-storage.mdx @@ -154,7 +154,7 @@ recordings will be stored in your S3 bucket, and they will *not* be stored in the Teleport Cloud infrastructure. If you currently use the -[Event Handler](export-audit-events.mdx) plugin to export +[Event Handler](export-audit-events/export-audit-events.mdx) plugin to export events, it will follow the switch from the old to new backends and new events will continue to be exported. Only events emitted after the transition to External Audit Storage will be visible in the Teleport UI or accessible to diff --git a/docs/pages/admin-guides/management/guides/ec2-tags.mdx b/docs/pages/admin-guides/management/guides/ec2-tags.mdx index 382648e966b1e..409cc020efc31 100644 --- a/docs/pages/admin-guides/management/guides/ec2-tags.mdx +++ b/docs/pages/admin-guides/management/guides/ec2-tags.mdx @@ -28,7 +28,7 @@ fakehost.example.com 127.0.0.1:3022 env=example,hostname=ip-172-31-53-70,aws/Nam (!docs/pages/includes/edition-prereqs-tabs.mdx!) - One Teleport agent running on an Amazon EC2 instance. See - [our guides](../../../enroll-resources/agents/join-services-to-your-cluster.mdx) for how to set up Teleport agents. + [our guides](../../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) for how to set up Teleport agents. ## Enable tags in instance metadata diff --git a/docs/pages/admin-guides/management/guides/gcp-tags.mdx b/docs/pages/admin-guides/management/guides/gcp-tags.mdx index 36b3bbb2dbabc..80e9451716d10 100644 --- a/docs/pages/admin-guides/management/guides/gcp-tags.mdx +++ b/docs/pages/admin-guides/management/guides/gcp-tags.mdx 
@@ -36,7 +36,7 @@ fakehost.example.com 127.0.0.1:3022 gcp/label/testing=yes,gcp/tag/environment=st (!docs/pages/includes/edition-prereqs-tabs.mdx!) - One Teleport agent running on a GCP Compute instance. See - [our guides](../../../enroll-resources/agents/join-services-to-your-cluster.mdx) for how to set up Teleport agents. + [our guides](../../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) for how to set up Teleport agents. ## Configure service account on instances with Teleport nodes diff --git a/docs/pages/admin-guides/management/guides.mdx b/docs/pages/admin-guides/management/guides/guides.mdx similarity index 65% rename from docs/pages/admin-guides/management/guides.mdx rename to docs/pages/admin-guides/management/guides/guides.mdx index d90e194272c63..bc817ac0bae83 100644 --- a/docs/pages/admin-guides/management/guides.mdx +++ b/docs/pages/admin-guides/management/guides/guides.mdx @@ -8,12 +8,12 @@ You can integrate Teleport with third-party tools in order to complete various tasks in your cluster. These guides describe Teleport integrations that are not documented elsewhere: - - [EC2 tags as Teleport agent labels](./guides/ec2-tags.mdx). How to set up + - [EC2 tags as Teleport agent labels](ec2-tags.mdx). How to set up Teleport agent labels based on EC2 tags. - - [GCP tags and labels as Teleport agent labels](./guides/gcp-tags.mdx). How + - [GCP tags and labels as Teleport agent labels](gcp-tags.mdx). How to set up Teleport agent labels based on GCP tags and labels. - [Using Teleport's Certificate Authority with - GitHub](./guides/ssh-key-extensions.mdx). Use Teleport's short-lived + GitHub](ssh-key-extensions.mdx). Use Teleport's short-lived certificates with GitHub's Certificate Authority. - - [Using Teleport with Datadog](./guides/datadog.mdx). Set up the official + - [Using Teleport with Datadog](datadog.mdx). Set up the official Datadog integration to export Teleport metrics and logs. 
diff --git a/docs/pages/admin-guides/management/operations.mdx b/docs/pages/admin-guides/management/operations.mdx deleted file mode 100644 index 3a97454fdb247..0000000000000 --- a/docs/pages/admin-guides/management/operations.mdx +++ /dev/null @@ -1,18 +0,0 @@ ---- -title: Operations -description: Teleport Operations - Scaling and High-Availability. -layout: tocless-doc ---- - -The guides in this section show you how to carry out common administration tasks -on an already running Teleport cluster. - -For guides on the fundamentals of setting up your cluster, you should consult -the [Cluster Administration Guides](./admin.mdx) section. - -- [Scaling](./operations/scaling.mdx): How to configure Teleport for large-scale deployments. -- [Backup and Restore](./operations/backup-restore.mdx): Backing up and restoring the cluster. -- [CA Rotation](./operations/ca-rotation.mdx): Rotating Teleport certificate authorities. -- [TLS Routing Migration](./operations/tls-routing.mdx): Migrating your Teleport cluster to single-port TLS routing mode. -- [Proxy Peering Migration](./operations/proxy-peering.mdx): Migrating your Teleport cluster to Proxy Peering mode. -- [Database CA Migrations](./operations/db-ca-migrations.mdx): Completing Teleport's Database CA migrations. diff --git a/docs/pages/admin-guides/management/operations/ca-rotation.mdx b/docs/pages/admin-guides/management/operations/ca-rotation.mdx index 5c98774497f66..56bfc45817b28 100644 --- a/docs/pages/admin-guides/management/operations/ca-rotation.mdx +++ b/docs/pages/admin-guides/management/operations/ca-rotation.mdx 
@@ -190,7 +190,7 @@ to reconfigure them again before transitioning to `standby` from the ### `openssh` The `openssh` CA issues certificates for [OpenSSH servers registered with -Teleport](../../../enroll-resources/server-access/openssh.mdx). Clients verify these certificates +Teleport](../../../enroll-resources/server-access/openssh/openssh.mdx). Clients verify these certificates when connecting to Teleport-protected OpenSSH servers. If you used the [manual diff --git a/docs/pages/admin-guides/management/operations/operations.mdx b/docs/pages/admin-guides/management/operations/operations.mdx new file mode 100644 index 0000000000000..63e025209bcba --- /dev/null +++ b/docs/pages/admin-guides/management/operations/operations.mdx @@ -0,0 +1,18 @@ +--- +title: Operations +description: Teleport Operations - Scaling and High-Availability. +layout: tocless-doc +--- + +The guides in this section show you how to carry out common administration tasks +on an already running Teleport cluster. + +For guides on the fundamentals of setting up your cluster, you should consult +the [Cluster Administration Guides](../admin/admin.mdx) section. + +- [Scaling](scaling.mdx): How to configure Teleport for large-scale deployments. +- [Backup and Restore](backup-restore.mdx): Backing up and restoring the cluster. +- [CA Rotation](ca-rotation.mdx): Rotating Teleport certificate authorities. +- [TLS Routing Migration](tls-routing.mdx): Migrating your Teleport cluster to single-port TLS routing mode. +- [Proxy Peering Migration](proxy-peering.mdx): Migrating your Teleport cluster to Proxy Peering mode. +- [Database CA Migrations](db-ca-migrations.mdx): Completing Teleport's Database CA migrations. diff --git a/docs/pages/admin-guides/management/operations/tls-routing.mdx b/docs/pages/admin-guides/management/operations/tls-routing.mdx index 63ae3fd4b0eae..718b20f282a8b 100644 --- a/docs/pages/admin-guides/management/operations/tls-routing.mdx 
+++ b/docs/pages/admin-guides/management/operations/tls-routing.mdx @@ -42,7 +42,7 @@ $ curl https://mytenant.teleport.sh/webapi/ping | jq '.proxy' Download Teleport from the [downloads page](https://goteleport.com/download) or your enterprise portal and follow the standard [upgrade -procedure](../../../upgrading.mdx). Make sure to upgrade both root and leaf clusters +procedure](../../../upgrading/upgrading.mdx). Make sure to upgrade both root and leaf clusters as well as `tsh` client. ## Step 2/7. Enable proxy multiplexing diff --git a/docs/pages/admin-guides/management/security/reduce-blast-radius.mdx b/docs/pages/admin-guides/management/security/reduce-blast-radius.mdx index 951dc49c91c5e..5b7d7c5d8bda2 100644 --- a/docs/pages/admin-guides/management/security/reduce-blast-radius.mdx +++ b/docs/pages/admin-guides/management/security/reduce-blast-radius.mdx @@ -280,7 +280,7 @@ Two `user`s can grant elevated privileges to another `user` temporarily without - [Per-session MFA](../../access-controls/guides/per-session-mfa.mdx) - [Dual authorization](../../access-controls/guides/dual-authz.mdx) - [Role templates, allow/deny rules, and traits](../../access-controls/guides/role-templates.mdx) -- [Access Requests](../../access-controls/access-requests.mdx) +- [Access Requests](../../access-controls/access-requests/access-requests.mdx) ### Background reading - [Authentication connectors](../../../reference/access-controls/authentication.mdx) diff --git a/docs/pages/admin-guides/management/security.mdx b/docs/pages/admin-guides/management/security/security.mdx similarity index 81% rename from docs/pages/admin-guides/management/security.mdx rename to docs/pages/admin-guides/management/security/security.mdx index d7d1d02d1084d..ab9c62e9cc316 100644 --- a/docs/pages/admin-guides/management/security.mdx +++ b/docs/pages/admin-guides/management/security/security.mdx 
@@ -15,10 +15,10 @@ You should note that the security practices covered in this section aren't neces examples used in the documentation. Examples in the documentation are primarily intended for demonstration purposes and for development environments. -- [Restrict Access for Privileged Accounts](./security/restrict-privileges.mdx). Learn about potential +- [Restrict Access for Privileged Accounts](restrict-privileges.mdx). Learn about potential risks of allowing privileged access and how to mitigate them. -- [Reducing the Blast Radius of Attacks](./security/reduce-blast-radius.mdx). +- [Reducing the Blast Radius of Attacks](reduce-blast-radius.mdx). Prevent attackers from accessing your infrastructure even if they manage to obtain passwords or certificates. -- [Revoking Access](./security/revoking-access.mdx). Revoke access in the event +- [Revoking Access](revoking-access.mdx). Revoke access in the event of a compromise. diff --git a/docs/pages/admin-guides/migrate-plans.mdx b/docs/pages/admin-guides/migrate-plans.mdx index 893b7ca4fe807..bcbb489e5be09 100644 --- a/docs/pages/admin-guides/migrate-plans.mdx +++ b/docs/pages/admin-guides/migrate-plans.mdx @@ -43,7 +43,7 @@ migrating from Teleport Enterprise to Teleport Community Edition. - An existing Teleport cluster. - The `tsh` and `tctl` client tools. This guide assumes that you are using `tctl` to manage dynamic resources, but it is also possible to use [Teleport - Terraform provider](infrastructure-as-code/terraform-provider.mdx) and + Terraform provider](infrastructure-as-code/terraform-provider/terraform-provider.mdx) and [Kubernetes operator](infrastructure-as-code/teleport-operator/teleport-operator-standalone.mdx), in addition to custom scripts that use the [Teleport API](api/api.mdx) 
@@ -307,7 +307,7 @@ In general, you can migrate a Machine ID Bot using the following steps: 1. Restart `tbot`. To learn how to restart and configure a Machine ID Bot in your infrastructure, -read the [full documentation](../enroll-resources/machine-id/deployment.mdx) on deploying a +read the [full documentation](../enroll-resources/machine-id/deployment/deployment.mdx) on deploying a Machine ID Bot. ### Access Request plugins and the Event Handler @@ -329,8 +329,8 @@ In general, you can migrate Teleport plugins using the following steps: For specific plugins running in your infrastructure, read the full documentation on: -- [Access Request plugins](access-controls/access-request-plugins.mdx) -- The [Teleport Event Handler](management/export-audit-events.mdx) +- [Access Request plugins](access-controls/access-request-plugins/access-request-plugins.mdx) +- The [Teleport Event Handler](management/export-audit-events/export-audit-events.mdx) ## Step 4/4. Verify end user access and performance diff --git a/docs/pages/admin-guides/teleport-policy/crown-jewels.mdx b/docs/pages/admin-guides/teleport-policy/crown-jewels.mdx index fc498fd47142c..dced6eaa98040 100644 --- a/docs/pages/admin-guides/teleport-policy/crown-jewels.mdx +++ b/docs/pages/admin-guides/teleport-policy/crown-jewels.mdx @@ -94,4 +94,4 @@ Here is what an example audit event looks like: ``` You can export the audit event using the event handler. -The setup is described [here](../management/export-audit-events.mdx). +The setup is described [here](../management/export-audit-events/export-audit-events.mdx). diff --git a/docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx b/docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx index 8c50d3ad2da9d..4609e07be3c6d 100644 --- a/docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx +++ b/docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx 
@@ -46,7 +46,7 @@ Teleport's `tsh` CLI tool can scan users' laptops for SSH private keys. It goes through the specified directories, defaulting to `/Users` on macOS, `/home` on Linux, and `C:\Users` on Windows, by peeking into files to identify SSH private keys. -The `tsh` tool authenticates with the Teleport cluster through the [Device Trust](../../access-controls/device-trust.mdx) feature, +The `tsh` tool authenticates with the Teleport cluster through the [Device Trust](../../access-controls/device-trust/device-trust.mdx) feature, which guarantees that only enrolled devices can submit private keys to the cluster. By utilizing the device's Secure Enclave or TPM private key, it confirms that the device is the same one that was enrolled, enabling Teleport to trust and accept the private key reports without requiring further authentication or credentials thus allowing scanning operations @@ -72,7 +72,7 @@ It also never sends the private key path or any other sensitive information. - A running Teleport Enterprise cluster v15.4.16/v16.2.0 or later. - Teleport Policy enabled for your account. - A Linux/macOS server running the Teleport SSH Service. -- Devices enrolled in the [Teleport Device Trust feature](../../access-controls/device-trust.mdx). +- Devices enrolled in the [Teleport Device Trust feature](../../access-controls/device-trust/device-trust.mdx). - For Jamf Pro integration, devices must be enrolled in Jamf Pro and have the signed `tsh` binary installed. - For self-hosted clusters: - Ensure that an up-to-date `license.pem` is used in the Auth Service configuration. 
@@ -110,7 +110,7 @@ and local users. ## Step 2/3. Scan for SSH Private Keys -On devices enrolled in the Teleport, you can use the `tsh` CLI tool to scan for SSH Private Keys. Check [Device Trust](../../access-controls/device-trust.mdx) +On devices enrolled in the Teleport, you can use the `tsh` CLI tool to scan for SSH Private Keys. Check [Device Trust](../../access-controls/device-trust/device-trust.mdx) for details on how to enroll devices in Teleport, specially if you are using Jamf Pro. To scan for SSH Private Keys, run the following command from any enrolled device: @@ -186,7 +186,7 @@ Cluster. The keys will be imported and displayed in the Access Graph. ### `"device not enrolled"` error If you see the `device not enrolled` error when running the `tsh scan keys` command, it means that the device is not enrolled -in the Teleport Device Trust feature. Check the [Device Trust](../../access-controls/device-trust.mdx) page for details on how to enroll devices +in the Teleport Device Trust feature. Check the [Device Trust](../../access-controls/device-trust/device-trust.mdx) page for details on how to enroll devices in Teleport. ### `"binary missing signature or entitlements"` error diff --git a/docs/pages/connect-your-client/gui-clients.mdx b/docs/pages/connect-your-client/gui-clients.mdx index 5c2bd78bcdace..50917aafcf0a6 100644 --- a/docs/pages/connect-your-client/gui-clients.mdx +++ b/docs/pages/connect-your-client/gui-clients.mdx @@ -14,7 +14,7 @@ work with Teleport. - (!docs/pages/includes/tctl.mdx!) - The Teleport Database Service configured to access a database. See one of our - [guides](../enroll-resources/database-access/guides.mdx) for how to set up the Teleport + [guides](../enroll-resources/database-access/guides/guides.mdx) for how to set up the Teleport Database Service for your database. ### Get connection information 
diff --git a/docs/pages/connect-your-client/teleport-connect.mdx b/docs/pages/connect-your-client/teleport-connect.mdx index 26bfafd411416..949034009f609 100644 --- a/docs/pages/connect-your-client/teleport-connect.mdx +++ b/docs/pages/connect-your-client/teleport-connect.mdx @@ -153,7 +153,7 @@ with that command executed. Teleport Connect supports launching applications in the browser, as well as creating authenticated tunnels for web and TCP applications. -When it comes to [cloud APIs secured with Application Access](../enroll-resources/application-access/cloud-apis.mdx), +When it comes to [cloud APIs secured with Application Access](../enroll-resources/application-access/cloud-apis/cloud-apis.mdx), Teleport Connect supports launching the AWS console in the browser, but other CLI applications can be used only through tsh in [a local terminal tab](#opening-a-local-terminal). diff --git a/docs/pages/core-concepts.mdx b/docs/pages/core-concepts.mdx index 3211a1fcb954e..c7afd7338db53 100644 --- a/docs/pages/core-concepts.mdx +++ b/docs/pages/core-concepts.mdx @@ -196,7 +196,7 @@ subject of the certificate—including its username and Teleport roles—to authorize the user. Read more about [local users](reference/access-controls/authentication.mdx) and how [SSO -authentication works in Teleport](admin-guides/access-controls/sso.mdx). +authentication works in Teleport](admin-guides/access-controls/sso/sso.mdx). ### Authentication connector diff --git a/docs/pages/enroll-resources/agents/introduction.mdx b/docs/pages/enroll-resources/agents/introduction.mdx index 31984736685fb..8ad139a652f64 100644 --- a/docs/pages/enroll-resources/agents/introduction.mdx +++ b/docs/pages/enroll-resources/agents/introduction.mdx 
@@ -78,7 +78,7 @@ Teleport Agents need to establish trust with the Teleport Auth Service in order to join a cluster. There are several ways to join an Agent to your Teleport cluster, making it possible to automate the join process for your environment. Read about the available join methods in our [Join Services to your -Cluster](./join-services-to-your-cluster.mdx) guides. +Cluster](join-services-to-your-cluster/join-services-to-your-cluster.mdx) guides. When a Teleport process first runs, it checks its configuration file to determine which services are enabled. Each service then connects separately to diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster.mdx deleted file mode 100644 index caa23b19d00d1..0000000000000 --- a/docs/pages/enroll-resources/agents/join-services-to-your-cluster.mdx +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -title: Join Services to your Teleport Cluster -description: How to register the Proxy Service, Database Service, and other Teleport services with your cluster. ---- - -A **Teleport service** manages access to resources in your infrastructure, such -as Kubernetes clusters, Windows desktops, internal web applications, and -databases. A single **Teleport process** can run multiple Teleport services. - -There are multiple methods you can use to join a Teleport process to your -cluster in order to run Teleport services, including an instance of the Proxy -Service. Choose the method that best suits your infrastructure: - -|Method|Description|When to use| -|------|-----------|-----------| -|[EC2 Identity Document](./join-services-to-your-cluster/aws-ec2.mdx)|A Teleport process running on an EC2 instance authenticates to your cluster via a signed EC2 instance identity document.|Your Teleport process will run on EC2 and your Teleport cluster is self hosted.| -|[AWS IAM](./join-services-to-your-cluster/aws-iam.mdx)|A Teleport process uses AWS credentials to join the cluster, whether running on EC2 or not.|At least some of your infrastructure runs on AWS.| -|[Azure Managed Identity](./join-services-to-your-cluster/azure.mdx)|A Teleport process demonstrates that it runs in your Azure subscription by sending a signed attested data document and access token to the Teleport Auth Service.|Your Teleport process will run on Azure.| -|[Kubernetes ServiceAccount](./join-services-to-your-cluster/kubernetes.mdx)|A Teleport process uses a Kubernetes-signed proof to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on Kubernetes.| -|[GCP IAM](./join-services-to-your-cluster/gcp.mdx)|A Teleport process uses a GCP-signed token to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on a GCP VM.| -|[Join Token](./join-services-to-your-cluster/join-token.mdx)|A Teleport process presents a join 
token provided when starting the service.|There is no other supported method for your cloud provider.| - diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/azure.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/azure.mdx index 499c9d0938535..551395ee186bb 100644 --- a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/azure.mdx +++ b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/azure.mdx @@ -12,7 +12,7 @@ Azure Virtual Machine. Support for joining a cluster with the Proxy Service behind a layer 7 load balancer or reverse proxy is available in Teleport 13.0+. For other methods of joining a Teleport process to a cluster, see [Joining -Teleport Services to a Cluster](../join-services-to-your-cluster.mdx). +Teleport Services to a Cluster](join-services-to-your-cluster.mdx). ## Prerequisites diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx new file mode 100644 index 0000000000000..c2443619e1517 --- /dev/null +++ b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx 
@@ -0,0 +1,22 @@ +--- +title: Join Services to your Teleport Cluster +description: How to register the Proxy Service, Database Service, and other Teleport services with your cluster. +--- + +A **Teleport service** manages access to resources in your infrastructure, such +as Kubernetes clusters, Windows desktops, internal web applications, and +databases. A single **Teleport process** can run multiple Teleport services. + +There are multiple methods you can use to join a Teleport process to your +cluster in order to run Teleport services, including an instance of the Proxy +Service. Choose the method that best suits your infrastructure: + +|Method|Description|When to use| +|------|-----------|-----------| +|[EC2 Identity Document](aws-ec2.mdx)|A Teleport process running on an EC2 instance authenticates to your cluster via a signed EC2 instance identity document.|Your Teleport process will run on EC2 and your Teleport cluster is self hosted.| +|[AWS IAM](aws-iam.mdx)|A Teleport process uses AWS credentials to join the cluster, whether running on EC2 or not.|At least some of your infrastructure runs on AWS.| +|[Azure Managed Identity](azure.mdx)|A Teleport process demonstrates that it runs in your Azure subscription by sending a signed attested data document and access token to the Teleport Auth Service.|Your Teleport process will run on Azure.| +|[Kubernetes ServiceAccount](kubernetes.mdx)|A Teleport process uses a Kubernetes-signed proof to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on Kubernetes.| +|[GCP IAM](gcp.mdx)|A Teleport process uses a GCP-signed token to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on a GCP VM.| +|[Join Token](join-token.mdx)|A Teleport process presents a join token provided when starting the service.|There is no other supported method for your cloud provider.| + 
diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/kubernetes.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/kubernetes.mdx index 4372887169ab6..38d70223dbd13 100644 --- a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/kubernetes.mdx +++ b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/kubernetes.mdx @@ -27,7 +27,7 @@ as the Auth Service. ## Prerequisites - A running Teleport cluster in Kubernetes. For details on how to set this up, - see [Guides for running Teleport using Helm](../../../admin-guides/deploy-a-cluster/helm-deployments.mdx). + see [Guides for running Teleport using Helm](../../../admin-guides/deploy-a-cluster/helm-deployments/helm-deployments.mdx). - Editor access to the Kubernetes cluster running the Teleport cluster. You must be able to create Namespaces and Deployments. - A Teleport user with `access` role, or any other role that allows access to @@ -240,5 +240,5 @@ namespace "teleport-agent" deleted - The possible values for `teleport-kube-agent` chart are documented [in its reference](../../../reference/helm-reference/teleport-kube-agent.mdx). -- See [Application Access Guides](../../application-access/guides.mdx) -- See [Database Access Guides](../../database-access/guides.mdx) +- See [Application Access Guides](../../application-access/guides/guides.mdx) +- See [Database Access Guides](../../database-access/guides/guides.mdx) diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx index 6f4922c96041c..33403e6980227 100644 --- a/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx +++ b/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx 
@@ -811,7 +811,7 @@ applications](../guides/dynamic-registration.mdx). This guide shows you how to use the **join token method** to enroll the Teleport Application Service in your cluster. This is one of several available methods, and we recommend reading the [Join Services to your Teleport -Cluster](../../agents/join-services-to-your-cluster.mdx) guide to configure the +Cluster](../../agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) guide to configure the most appropriate method for your environment. ## Further reading diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/azure-aks-workload-id.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/azure-aks-workload-id.mdx index 853ab099d6d1f..555e12bacab62 100644 --- a/docs/pages/enroll-resources/application-access/cloud-apis/azure-aks-workload-id.mdx +++ b/docs/pages/enroll-resources/application-access/cloud-apis/azure-aks-workload-id.mdx @@ -222,7 +222,7 @@ teleport-azure-access-agent-0 1/1 Running 0 99s longstanding admin roles for attackers to hijack. View our documentation on [Role Access Requests](../../../admin-guides/access-controls/access-requests/role-requests.mdx) and - [Access Request plugins](../../../admin-guides/access-controls/access-request-plugins.mdx). + [Access Request plugins](../../../admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx). - Consult the Azure documentation for information about [Azure managed identities](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) and how to [manage user-assigned managed diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/azure.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/azure.mdx index 206445f0adc97..5a691a0d96bc9 100644 --- a/docs/pages/enroll-resources/application-access/cloud-apis/azure.mdx +++ b/docs/pages/enroll-resources/application-access/cloud-apis/azure.mdx 
@@ -224,7 +224,7 @@ Application Service host. longstanding admin roles for attackers to hijack. View our documentation on [Role Access Requests](../../../admin-guides/access-controls/access-requests/role-requests.mdx) and - [Access Request plugins](../../../admin-guides/access-controls/access-request-plugins.mdx). + [Access Request plugins](../../../admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx). - Consult the Azure documentation for information about [Azure managed identities](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) and how to [manage user-assigned managed diff --git a/docs/pages/enroll-resources/application-access/cloud-apis.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/cloud-apis.mdx similarity index 68% rename from docs/pages/enroll-resources/application-access/cloud-apis.mdx rename to docs/pages/enroll-resources/application-access/cloud-apis/cloud-apis.mdx index 6f2146fc8c63c..fac714a736b3d 100644 --- a/docs/pages/enroll-resources/application-access/cloud-apis.mdx +++ b/docs/pages/enroll-resources/application-access/cloud-apis/cloud-apis.mdx 
@@ -15,8 +15,8 @@ longstanding admin accounts to target. Learn how to protect your cloud provider APIs with Teleport: -- [AWS (console and CLI applications)](./cloud-apis/aws-console.mdx) -- [Azure CLI applications](./cloud-apis/azure.mdx) -- [Azure CLI applications (AKS with Workload ID deployment)](./cloud-apis/azure-aks-workload-id.mdx) -- [Google Cloud CLI applications](./cloud-apis/google-cloud.mdx) -- [GCP Web Console Access with Workforce Identity Federation and Teleport SAML IdP](../../admin-guides/access-controls/idps/saml-gcp-workforce-identity-federation.mdx) +- [AWS (console and CLI applications)](aws-console.mdx) +- [Azure CLI applications](azure.mdx) +- [Azure CLI applications (AKS with Workload ID deployment)](azure-aks-workload-id.mdx) +- [Google Cloud CLI applications](google-cloud.mdx) +- [GCP Web Console Access with Workforce Identity Federation and Teleport SAML IdP](../../../admin-guides/access-controls/idps/saml-gcp-workforce-identity-federation.mdx) diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx index 4cb993b5c7e29..a48c6d1a8ac04 100644 --- a/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx +++ b/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx @@ -631,7 +631,7 @@ command. temporarily, with no longstanding admin roles for attackers to hijack. View our documentation on [Role Access Requests](../../../admin-guides/access-controls/access-requests/role-requests.mdx) and [Access - Request plugins](../../../admin-guides/access-controls/access-request-plugins.mdx). + Request plugins](../../../admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx). - You can proxy any `gcloud` or `gsutil` command via Teleport. For a full reference of commands, view the Google Cloud documentation for [`gcloud`](https://cloud.google.com/sdk/gcloud/reference) and 
diff --git a/docs/pages/enroll-resources/application-access/controls.mdx b/docs/pages/enroll-resources/application-access/controls.mdx index ee3fa03b7f0f6..8ed46d000aa2b 100644 --- a/docs/pages/enroll-resources/application-access/controls.mdx +++ b/docs/pages/enroll-resources/application-access/controls.mdx @@ -133,12 +133,12 @@ for more information on enabling access to Azure managed identities. ## Next steps - View access controls [Getting Started](../../admin-guides/access-controls/getting-started.mdx) - and other available [guides](../../admin-guides/access-controls/guides.mdx). + and other available [guides](../../admin-guides/access-controls/guides/guides.mdx). - For full details on how Teleport populates the `internal` and `external` traits we illustrated in this guide, see the [Teleport Access Controls Reference](../../reference/access-controls/roles.mdx). - View access controls [Getting Started](../../admin-guides/access-controls/getting-started.mdx) - and other available [guides](../../admin-guides/access-controls/guides.mdx). + and other available [guides](../../admin-guides/access-controls/guides/guides.mdx). - Learn about using [JWT tokens](./jwt/introduction.mdx) to implement access controls in your application. - Integrate with your identity provider: diff --git a/docs/pages/enroll-resources/application-access/guides.mdx b/docs/pages/enroll-resources/application-access/guides.mdx deleted file mode 100644 index 9404f9bc12ef7..0000000000000 --- a/docs/pages/enroll-resources/application-access/guides.mdx +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -title: Application Access Guides -description: Guides for configuring Teleport application access. -layout: tocless-doc ---- - -These guides explain how to use the Teleport Application Service, which allows -your teams to connect to applications within private networks with fine-grained -RBAC and audit logging. - -Manage access to internal applications: - -- [Web App Access](./guides/connecting-apps.mdx): How to access web apps with Teleport. -- [TCP App Access](./guides/tcp.mdx): How to access plain TCP apps with Teleport. -- [VNet](./guides/vnet.mdx): How to configure VNet to support applications with custom public addresses. -- [API Access](./guides/api-access.mdx): How to access REST APIs with Teleport. -- [Dynamic Registration](./guides/dynamic-registration.mdx): Register/unregister apps without restarting Teleport. -- [Amazon Athena Access](./guides/amazon-athena.mdx): How to access Amazon Athena with Teleport. -- [Amazon DynamoDB Access](./guides/dynamodb.mdx): How to access Amazon DynamoDB as an application. -- [Application Access HA](./guides/ha.mdx): How to configure the Teleport Application Service for high availability. diff --git a/docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx b/docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx index 0fa80a9c52801..39bc44e29fe16 100644 --- a/docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx +++ b/docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx 
@@ -14,7 +14,7 @@ Service needs to proxy an application. Dynamic registration is useful for [managing pools of Application Service instances](../../../admin-guides/infrastructure-as-code/terraform-starter/enroll-resources.mdx). And behind the scenes, the Teleport Discovery Service uses dynamic registration to [register Kubernetes -applications](../../auto-discovery/kubernetes-applications.mdx). +applications](../../auto-discovery/kubernetes-applications/kubernetes-applications.mdx). ## Required permissions diff --git a/docs/pages/enroll-resources/application-access/guides/guides.mdx b/docs/pages/enroll-resources/application-access/guides/guides.mdx new file mode 100644 index 0000000000000..19e76e0caa0b9 --- /dev/null +++ b/docs/pages/enroll-resources/application-access/guides/guides.mdx @@ -0,0 +1,20 @@ +--- +title: Application Access Guides +description: Guides for configuring Teleport application access. +layout: tocless-doc +--- + +These guides explain how to use the Teleport Application Service, which allows +your teams to connect to applications within private networks with fine-grained +RBAC and audit logging. + +Manage access to internal applications: + +- [Web App Access](connecting-apps.mdx): How to access web apps with Teleport. +- [TCP App Access](tcp.mdx): How to access plain TCP apps with Teleport. +- [VNet](vnet.mdx): How to configure VNet to support applications with custom public addresses. +- [API Access](api-access.mdx): How to access REST APIs with Teleport. +- [Dynamic Registration](dynamic-registration.mdx): Register/unregister apps without restarting Teleport. +- [Amazon Athena Access](amazon-athena.mdx): How to access Amazon Athena with Teleport. +- [Amazon DynamoDB Access](dynamodb.mdx): How to access Amazon DynamoDB as an application. +- [Application Access HA](ha.mdx): How to configure the Teleport Application Service for high availability. 
diff --git a/docs/pages/enroll-resources/application-access/introduction.mdx b/docs/pages/enroll-resources/application-access/introduction.mdx index c6f64d066e046..51a684122b7a1 100644 --- a/docs/pages/enroll-resources/application-access/introduction.mdx +++ b/docs/pages/enroll-resources/application-access/introduction.mdx @@ -18,7 +18,7 @@ Examples include: ![Application access architecture](../../../img/application-access/architecture.png) If you are running applications on Kubernetes, you can [enroll them in your -Teleport cluster automatically](../auto-discovery/kubernetes-applications.mdx). +Teleport cluster automatically](../auto-discovery/kubernetes-applications/kubernetes-applications.mdx). Teleport protects applications through the Teleport Application Service, which is a Teleport agent service. For more information on agent services, read @@ -78,4 +78,4 @@ can access Okta applications through the Teleport Web UI and `tsh`, and administrators can manage access to these applications by defining RBAC policies in Teleport roles. -Learn more about the [Teleport Okta integration](./okta.mdx). +Learn more about the [Teleport Okta integration](okta/okta.mdx). diff --git a/docs/pages/enroll-resources/application-access/jwt.mdx b/docs/pages/enroll-resources/application-access/jwt/jwt.mdx similarity index 62% rename from docs/pages/enroll-resources/application-access/jwt.mdx rename to docs/pages/enroll-resources/application-access/jwt/jwt.mdx index b1574b11aa7a6..aab990bf03f89 100644 --- a/docs/pages/enroll-resources/application-access/jwt.mdx +++ b/docs/pages/enroll-resources/application-access/jwt/jwt.mdx 
@@ -8,5 +8,5 @@ These guides explain how web apps behind the Teleport Application Service can leverage Teleport-signed JWT tokens to implement authentication and authorization. -- [Introduction](./jwt/introduction.mdx): Introduction to JWT tokens with application access. -- [Elasticsearch](./jwt/elasticsearch.mdx): How to use JWT authentication with Elasticsearch. +- [Introduction](introduction.mdx): Introduction to JWT tokens with application access. +- [Elasticsearch](elasticsearch.mdx): How to use JWT authentication with Elasticsearch. diff --git a/docs/pages/enroll-resources/application-access/okta.mdx b/docs/pages/enroll-resources/application-access/okta.mdx deleted file mode 100644 index 5f5432476a5a9..0000000000000 --- a/docs/pages/enroll-resources/application-access/okta.mdx +++ /dev/null @@ -1,12 +0,0 @@ ---- -title: Okta Integration with Application Access -description: Guides for using Teleport Okta integration. -layout: tocless-doc ---- - -Configure Teleport to import and grant access to Okta applications and user groups. - -- [Configuring Okta integration](./okta/hosted-guide.mdx): A guide for connecting Okta organization to Teleport. -- [Setting up a SCIM-only integration](./okta/scim-only.mdx): A guide for setting up a SCIM-only Okta integration in Teleport. -- [Resource Synchronization](./okta/sync-scim.mdx): How synchronized resources are represented in Teleport. -- [Reference](../../reference/agent-services/okta.mdx): A reference for the Okta integration resources. diff --git a/docs/pages/enroll-resources/application-access/okta/okta.mdx b/docs/pages/enroll-resources/application-access/okta/okta.mdx new file mode 100644 index 0000000000000..499f7a82e4c86 --- /dev/null +++ b/docs/pages/enroll-resources/application-access/okta/okta.mdx 
@@ -0,0 +1,12 @@ +--- +title: Okta Integration with Application Access +description: Guides for using Teleport Okta integration. +layout: tocless-doc +--- + +Configure Teleport to import and grant access to Okta applications and user groups. + +- [Configuring Okta integration](hosted-guide.mdx): A guide for connecting Okta organization to Teleport. +- [Setting up a SCIM-only integration](scim-only.mdx): A guide for setting up a SCIM-only Okta integration in Teleport. +- [Resource Synchronization](sync-scim.mdx): How synchronized resources are represented in Teleport. +- [Reference](../../../reference/agent-services/okta.mdx): A reference for the Okta integration resources. diff --git a/docs/pages/enroll-resources/auto-discovery/databases/aws.mdx b/docs/pages/enroll-resources/auto-discovery/databases/aws.mdx index 8c7e7000d6eaa..0d1c98a6973c6 100644 --- a/docs/pages/enroll-resources/auto-discovery/databases/aws.mdx +++ b/docs/pages/enroll-resources/auto-discovery/databases/aws.mdx 
@@ -291,17 +291,17 @@ Additional Teleport RBAC configuration and possibly IAM configuration may also be required to connect to the discovered databases via Teleport. Refer to the appropriate guide in -[Enroll AWS Databases](../../database-access/enroll-aws-databases.mdx) +[Enroll AWS Databases](../../database-access/enroll-aws-databases/enroll-aws-databases.mdx) for information about database user provisioning and configuration. ## Next - Learn about [Dynamic Registration](../../database-access/guides/dynamic-registration.mdx) by the Teleport Database Service. -- Get started by [connecting](../../database-access/guides.mdx) your database. +- Get started by [connecting](../../database-access/guides/guides.mdx) your database. - Connect AWS databases in [external AWS accounts](../../database-access/enroll-aws-databases/aws-cross-account.mdx). - Refer to the appropriate guide in -[Enroll AWS Databases](../../database-access/enroll-aws-databases.mdx) +[Enroll AWS Databases](../../database-access/enroll-aws-databases/enroll-aws-databases.mdx) for information about database user provisioning and configuration. ## Troubleshooting diff --git a/docs/pages/enroll-resources/auto-discovery/databases.mdx b/docs/pages/enroll-resources/auto-discovery/databases/databases.mdx similarity index 95% rename from docs/pages/enroll-resources/auto-discovery/databases.mdx rename to docs/pages/enroll-resources/auto-discovery/databases/databases.mdx index ef664f4e51f64..fe893fa1a9787 100644 --- a/docs/pages/enroll-resources/auto-discovery/databases.mdx +++ b/docs/pages/enroll-resources/auto-discovery/databases/databases.mdx 
@@ -8,8 +8,8 @@ them with your Teleport cluster. ## Supported clouds -- [AWS](./databases/aws.mdx): Discovery for AWS databases. -- [Azure](../database-access/enroll-azure-databases.mdx): Discovery for Azure databases. +- [AWS](aws.mdx): Discovery for AWS databases. +- [Azure](../../database-access/enroll-azure-databases/enroll-azure-databases.mdx): Discovery for Azure databases. {/* TODO(gavin): Add an Azure discovery guide and permission reference */} ## Architecture overview @@ -31,7 +31,7 @@ from database access. The Teleport Discovery Service is responsible for polling APIs for databases that match its configured selectors. When the Discovery Service matches a database, it will -[dynamically register the database](../database-access/guides/dynamic-registration.mdx) +[dynamically register the database](../../database-access/guides/dynamic-registration.mdx) with your Teleport cluster. The dynamic `db` resources it creates in your Teleport cluster will include information such as: @@ -154,12 +154,12 @@ Here's how it works in detail: For more information about Discovery Service configuration, refer to [one of the guides above](#supported-clouds) or the -[Discovery Service Config File Reference](../../reference/config.mdx#discovery-service). +[Discovery Service Config File Reference](../../../reference/config.mdx). ## How the Database Service works The Teleport Database Service is responsible for monitoring -[dynamically registered](../database-access/guides/dynamic-registration.mdx) +[dynamically registered](../../database-access/guides/dynamic-registration.mdx) `db` resources in your Teleport cluster and acting as a connection proxy for the databases they represent. 
@@ -171,7 +171,7 @@ database that the `db` resource represents. The Database Service must have network connectivity to the database endpoint and permissions to authenticate to the database. The permissions it needs vary by database type, so refer to Teleport's -[database access guides](../database-access/database-access.mdx) +[database access guides](../../database-access/database-access.mdx) for detailed permissions information. ## Database Service configuration diff --git a/docs/pages/enroll-resources/auto-discovery/kubernetes-applications.mdx b/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications.mdx similarity index 80% rename from docs/pages/enroll-resources/auto-discovery/kubernetes-applications.mdx rename to docs/pages/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications.mdx index f2ece91746776..af1b3b47fd674 100644 --- a/docs/pages/enroll-resources/auto-discovery/kubernetes-applications.mdx +++ b/docs/pages/enroll-resources/auto-discovery/kubernetes-applications/kubernetes-applications.mdx 
@@ -16,10 +16,10 @@ applications, and registers these applications with your cluster. The Teleport Application Service then detects the new application resources and proxies user traffic to them. -- [Get started](./kubernetes-applications/get-started.mdx): Set up automatic +- [Get started](get-started.mdx): Set up automatic application discovery with the `teleport-kube-agent` Helm chart. -- [Architecture](../../reference/architecture/kubernetes-applications-architecture.mdx): Learn how +- [Architecture](../../../reference/architecture/kubernetes-applications-architecture.mdx): Learn how automatic application discovery works. -- [Reference](../../reference/agent-services/kubernetes-application-discovery.mdx): Consult this guide +- [Reference](../../../reference/agent-services/kubernetes-application-discovery.mdx): Consult this guide for options and Kubernetes annotations you can use to configure automatic Kubernetes application discovery. diff --git a/docs/pages/enroll-resources/auto-discovery/kubernetes.mdx b/docs/pages/enroll-resources/auto-discovery/kubernetes/kubernetes.mdx similarity index 97% rename from docs/pages/enroll-resources/auto-discovery/kubernetes.mdx rename to docs/pages/enroll-resources/auto-discovery/kubernetes/kubernetes.mdx index e6a7d845b26b7..2f24fa39bd08b 100644 --- a/docs/pages/enroll-resources/auto-discovery/kubernetes.mdx +++ b/docs/pages/enroll-resources/auto-discovery/kubernetes/kubernetes.mdx @@ -12,9 +12,9 @@ minimal access permissions. ## Supported clouds -- [AWS](./kubernetes/aws.mdx): Discovery for AWS EKS clusters. -- [Azure](./kubernetes/azure.mdx): Discovery for Azure AKS clusters. -- [Google Cloud](./kubernetes/google-cloud.mdx): Discovery for +- [AWS](aws.mdx): Discovery for AWS EKS clusters. +- [Azure](azure.mdx): Discovery for Azure AKS clusters. +- [Google Cloud](google-cloud.mdx): Discovery for Google Kubernetes Engine clusters. ## How Kubernetes Clusters Discovery works 
diff --git a/docs/pages/enroll-resources/auto-discovery/reference.mdx b/docs/pages/enroll-resources/auto-discovery/reference.mdx deleted file mode 100644 index 57156db2dd385..0000000000000 --- a/docs/pages/enroll-resources/auto-discovery/reference.mdx +++ /dev/null @@ -1,7 +0,0 @@ ---- -title: Discovery Service Reference -description: Configuration reference for the Teleport Discovery Service. ---- - -- [AWS IAM](./reference/aws-iam.mdx) -- [Kubernetes Applications](../../reference/agent-services/kubernetes-application-discovery.mdx) diff --git a/docs/pages/enroll-resources/auto-discovery/reference/reference.mdx b/docs/pages/enroll-resources/auto-discovery/reference/reference.mdx new file mode 100644 index 0000000000000..377a821871425 --- /dev/null +++ b/docs/pages/enroll-resources/auto-discovery/reference/reference.mdx @@ -0,0 +1,7 @@ +--- +title: Discovery Service Reference +description: Configuration reference for the Teleport Discovery Service. +--- + +- [AWS IAM](aws-iam.mdx) +- [Kubernetes Applications](../../../reference/agent-services/kubernetes-application-discovery.mdx) diff --git a/docs/pages/enroll-resources/auto-discovery/servers.mdx b/docs/pages/enroll-resources/auto-discovery/servers/servers.mdx similarity index 75% rename from docs/pages/enroll-resources/auto-discovery/servers.mdx rename to docs/pages/enroll-resources/auto-discovery/servers/servers.mdx index 1ad2228ae76bb..331471111a59f 100644 --- a/docs/pages/enroll-resources/auto-discovery/servers.mdx +++ b/docs/pages/enroll-resources/auto-discovery/servers/servers.mdx @@ -10,6 +10,6 @@ Teleport, start it and join the cluster. Learn how to set up auto-discovery for servers in your cloud: -- [Amazon EC2](./servers/ec2-discovery.mdx) -- [Google Compute Engine](./servers/gcp-discovery.mdx) -- [Azure Virtual Machines](./servers/azure-discovery.mdx) +- [Amazon EC2](ec2-discovery.mdx) +- [Google Compute Engine](gcp-discovery.mdx) +- [Azure Virtual Machines](azure-discovery.mdx) 
diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning.mdx deleted file mode 100644 index e2bfbec09b3f2..0000000000000 --- a/docs/pages/enroll-resources/database-access/auto-user-provisioning.mdx +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Database Automatic User Provisioning -description: Configure automatic user provisioning for databases. ---- - -(!docs/pages/includes/database-access/auto-user-provisioning/intro.mdx!) - -Currently, automatic user provisioning is supported for the following databases: -- [PostgreSQL databases (self-hosted and Amazon RDS)](./auto-user-provisioning/postgres.mdx) -- [MySQL databases (self-hosted and Amazon RDS)](./auto-user-provisioning/mysql.mdx) -- [MariaDB databases (self-hosted and Amazon RDS)](./auto-user-provisioning/mariadb.mdx) -- [Amazon Redshift databases](./auto-user-provisioning/aws-redshift.mdx) -- [MongoDB databases (self-hosted)](./auto-user-provisioning/mongodb.mdx) - - - diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx new file mode 100644 index 0000000000000..cfe99bfb4c339 --- /dev/null +++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx 
@@ -0,0 +1,16 @@ +--- +title: Database Automatic User Provisioning +description: Configure automatic user provisioning for databases. +--- + +(!docs/pages/includes/database-access/auto-user-provisioning/intro.mdx!) + +Currently, automatic user provisioning is supported for the following databases: +- [PostgreSQL databases (self-hosted and Amazon RDS)](postgres.mdx) +- [MySQL databases (self-hosted and Amazon RDS)](mysql.mdx) +- [MariaDB databases (self-hosted and Amazon RDS)](mariadb.mdx) +- [Amazon Redshift databases](aws-redshift.mdx) +- [MongoDB databases (self-hosted)](mongodb.mdx) + + + diff --git a/docs/pages/enroll-resources/database-access/database-access.mdx b/docs/pages/enroll-resources/database-access/database-access.mdx index 3bc061f106071..cf22e931918e6 100644 --- a/docs/pages/enroll-resources/database-access/database-access.mdx +++ b/docs/pages/enroll-resources/database-access/database-access.mdx @@ -11,7 +11,7 @@ Some of the things you can do with database access: - Enable users to retrieve short-lived database certificates using a Single Sign-On flow, thus maintaining their organization-wide identity. - Configure role-based access controls for databases and implement custom - [Access Request](../../admin-guides/access-controls/access-requests.mdx) workflows. + [Access Request](../../admin-guides/access-controls/access-requests/access-requests.mdx) workflows. - Capture database activity in the Teleport audit log. Teleport protects databases through the Teleport Database Service, which is a diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases.mdx b/docs/pages/enroll-resources/database-access/enroll-aws-databases.mdx deleted file mode 100644 index 2489ce0c05322..0000000000000 --- a/docs/pages/enroll-resources/database-access/enroll-aws-databases.mdx +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -title: Enroll AWS Databases -description: "Provides instructions on protecting databases in your AWS-managed infrastructure with Teleport." ---- - -The guides in this section show you how to protect AWS-managed databases with -Teleport. - -You can configure Teleport to discover databases in your AWS account and enroll -them with your cluster automatically. Read more about setting up -[Database Auto-Discovery](../auto-discovery/databases.mdx). - -It is also possible to protect databases across your AWS accounts. Read the -instructions in [AWS Cross-Account Database -Access](./enroll-aws-databases/aws-cross-account.mdx). - -Read the following guides for how to protect a specific AWS-managed database -with Teleport: - -- [Amazon DocumentDB](./enroll-aws-databases/aws-docdb.mdx) -- [Amazon DynamoDB](./enroll-aws-databases/aws-dynamodb.mdx) -- [Amazon ElastiCache and MemoryDB for Redis](./enroll-aws-databases/redis-aws.mdx) -- [Amazon Keyspaces (Apache Cassandra)](./enroll-aws-databases/aws-cassandra-keyspaces.mdx) -- [Amazon OpenSearch](./enroll-aws-databases/aws-opensearch.mdx) -- [Amazon RDS Proxy MySQL](./enroll-aws-databases/rds-proxy-mysql.mdx) -- [Amazon RDS Proxy for Microsoft SQL Server](./enroll-aws-databases/rds-proxy-sqlserver.mdx) -- [Amazon RDS Proxy for PostgreSQL](./enroll-aws-databases/rds-proxy-postgres.mdx) -- [Amazon RDS and Aurora](./enroll-aws-databases/rds.mdx) -- [Amazon RDS for SQL Server](./enroll-aws-databases/sql-server-ad.mdx) -- [Amazon Redshift Serverless](./enroll-aws-databases/redshift-serverless.mdx) -- [Amazon Redshift](./enroll-aws-databases/postgres-redshift.mdx) diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-cross-account.mdx b/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-cross-account.mdx index fe898747a3910..51b4c1a676ae5 100644 --- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-cross-account.mdx 
+++ b/docs/pages/enroll-resources/database-access/enroll-aws-databases/aws-cross-account.mdx @@ -31,7 +31,7 @@ Teleport Database Service to connect to the databases. This guide does not cover AWS network configuration, because it depends on your specific AWS network setup and the kind(s) of AWS databases you wish to connect to Teleport. For more information, see [how to connect your -database](../enroll-aws-databases.mdx). +database](enroll-aws-databases.mdx). ## Teleport configuration @@ -226,4 +226,4 @@ role, then the trust policy might look like: ## Next steps -- Get started by [connecting](../guides.mdx) your database. +- Get started by [connecting](../guides/guides.mdx) your database. diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx b/docs/pages/enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx new file mode 100644 index 0000000000000..d3cd9e3cd4505 --- /dev/null +++ b/docs/pages/enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx 
@@ -0,0 +1,31 @@ +--- +title: Enroll AWS Databases +description: "Provides instructions on protecting databases in your AWS-managed infrastructure with Teleport." +--- + +The guides in this section show you how to protect AWS-managed databases with +Teleport. + +You can configure Teleport to discover databases in your AWS account and enroll +them with your cluster automatically. Read more about setting up +[Database Auto-Discovery](../../auto-discovery/databases/databases.mdx). + +It is also possible to protect databases across your AWS accounts. Read the +instructions in [AWS Cross-Account Database +Access](aws-cross-account.mdx). + +Read the following guides for how to protect a specific AWS-managed database +with Teleport: + +- [Amazon DocumentDB](aws-docdb.mdx) +- [Amazon DynamoDB](aws-dynamodb.mdx) +- [Amazon ElastiCache and MemoryDB for Redis](redis-aws.mdx) +- [Amazon Keyspaces (Apache Cassandra)](aws-cassandra-keyspaces.mdx) +- [Amazon OpenSearch](aws-opensearch.mdx) +- [Amazon RDS Proxy MySQL](rds-proxy-mysql.mdx) +- [Amazon RDS Proxy for Microsoft SQL Server](rds-proxy-sqlserver.mdx) +- [Amazon RDS Proxy for PostgreSQL](rds-proxy-postgres.mdx) +- [Amazon RDS and Aurora](rds.mdx) +- [Amazon RDS for SQL Server](sql-server-ad.mdx) +- [Amazon Redshift Serverless](redshift-serverless.mdx) +- [Amazon Redshift](postgres-redshift.mdx) diff --git a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds.mdx b/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds.mdx index eda15ea5f3cca..ece63c6ee21ad 100644 --- a/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-aws-databases/rds.mdx 
@@ -319,5 +319,5 @@ $ tsh db logout rds-example ## Next steps (!docs/pages/includes/database-access/guides-next-steps.mdx!) -- Set up [automatic database user provisioning](../auto-user-provisioning.mdx). +- Set up [automatic database user provisioning](../auto-user-provisioning/auto-user-provisioning.mdx). diff --git a/docs/pages/enroll-resources/database-access/enroll-azure-databases.mdx b/docs/pages/enroll-resources/database-access/enroll-azure-databases/enroll-azure-databases.mdx similarity index 52% rename from docs/pages/enroll-resources/database-access/enroll-azure-databases.mdx rename to docs/pages/enroll-resources/database-access/enroll-azure-databases/enroll-azure-databases.mdx index e09f2c074e16a..13afa45e52f94 100644 --- a/docs/pages/enroll-resources/database-access/enroll-azure-databases.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-azure-databases/enroll-azure-databases.mdx @@ -6,6 +6,6 @@ description: "Provides instructions on protecting databases in your Azure-manage You can protect Azure-managed databases with Teleport. Learn how to enroll the following databases: -- [Azure SQL Server](./enroll-azure-databases/azure-sql-server-ad.mdx) -- [Azure Database for PostgreSQL or MySQL Server](./enroll-azure-databases/azure-postgres-mysql.mdx) -- [Azure Redis](./enroll-azure-databases/azure-redis.mdx) +- [Azure SQL Server](azure-sql-server-ad.mdx) +- [Azure Database for PostgreSQL or MySQL Server](azure-postgres-mysql.mdx) +- [Azure Redis](azure-redis.mdx) diff --git a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases.mdx b/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/enroll-google-cloud-databases.mdx similarity index 56% rename from docs/pages/enroll-resources/database-access/enroll-google-cloud-databases.mdx rename to docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/enroll-google-cloud-databases.mdx index 93cc6632bf5b4..f46814237b8dc 100644 
--- a/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-google-cloud-databases/enroll-google-cloud-databases.mdx @@ -6,6 +6,6 @@ description: "Provides instructions on protecting databases in your Google Cloud You can protect databases hosted on Google Cloud with Teleport. Read the following guides for instructions on enrolling a specific database: -- [PostgreSQL on Google Cloud SQL](./enroll-google-cloud-databases/postgres-cloudsql.mdx) -- [MySQL on Google Cloud SQL](./enroll-google-cloud-databases/mysql-cloudsql.mdx) -- [Cloud Spanner](./enroll-google-cloud-databases/spanner.mdx) +- [PostgreSQL on Google Cloud SQL](postgres-cloudsql.mdx) +- [MySQL on Google Cloud SQL](mysql-cloudsql.mdx) +- [Cloud Spanner](spanner.mdx) diff --git a/docs/pages/enroll-resources/database-access/enroll-managed-databases.mdx b/docs/pages/enroll-resources/database-access/enroll-managed-databases/enroll-managed-databases.mdx similarity index 62% rename from docs/pages/enroll-resources/database-access/enroll-managed-databases.mdx rename to docs/pages/enroll-resources/database-access/enroll-managed-databases/enroll-managed-databases.mdx index d8aef6a4e5911..0987c878f5504 100644 --- a/docs/pages/enroll-resources/database-access/enroll-managed-databases.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-managed-databases/enroll-managed-databases.mdx @@ -6,6 +6,6 @@ description: "Provides instructions on protecting managed databases in your infr Teleport can protect databases that are managed as a dedicated cloud platform. Learn how to enroll the following databases in your Teleport cluster: -- [MongoDB Atlas](./enroll-managed-databases/mongodb-atlas.mdx) -- [Oracle Exadata](./enroll-managed-databases/oracle-exadata.mdx) -- [Snowflake](./enroll-managed-databases/snowflake.mdx) +- [MongoDB Atlas](mongodb-atlas.mdx) +- [Oracle Exadata](oracle-exadata.mdx) +- [Snowflake](snowflake.mdx) 
diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases.mdx b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases.mdx deleted file mode 100644 index 81eb3527bac83..0000000000000 --- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases.mdx +++ /dev/null @@ -1,22 +0,0 @@ ---- -title: Enroll Self-Hosted Databases -description: "Provides instructions on protecting self-hosted databases in your infrastructure with Teleport." ---- - -You can protect self-hosted databases with Teleport. Learn how to enroll your -database in your Teleport cluster with the following guides: - -- [Cassandra and - ScyllaDB](./enroll-self-hosted-databases/cassandra-self-hosted.mdx) -- [ClickHouse](./enroll-self-hosted-databases/clickhouse-self-hosted.mdx) -- [CockroachDB](./enroll-self-hosted-databases/cockroachdb-self-hosted.mdx) -- [Elastic](./enroll-self-hosted-databases/elastic.mdx) -- [MongoDB](./enroll-self-hosted-databases/mongodb-self-hosted.mdx) -- [MySQL](./enroll-self-hosted-databases/mysql-self-hosted.mdx) -- [Oracle](./enroll-self-hosted-databases/oracle-self-hosted.mdx) -- [PostgreSQL](./enroll-self-hosted-databases/postgres-self-hosted.mdx) -- [Redis Cluster](./enroll-self-hosted-databases/redis-cluster.mdx) -- [Redis](./enroll-self-hosted-databases/redis.mdx) -- [SQL Server with PKINIT - authentication](./enroll-self-hosted-databases/sql-server-ad-pkinit.mdx) -- [Vitess](./enroll-self-hosted-databases/vitess.mdx) diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/elastic.mdx b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/elastic.mdx index 1b342d1db660e..3ef4b64831bc6 100644 --- a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/elastic.mdx +++ b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/elastic.mdx 
@@ -75,7 +75,7 @@ $ curl -u elastic:your_elasticsearch_password -X POST "https://elasticsearch.exa
-In a scenario where Teleport is using [single sign-on](../../../admin-guides/access-controls/sso.mdx) you may want to define a mapping for all users to a role: +In a scenario where Teleport is using [single sign-on](../../../admin-guides/access-controls/sso/sso.mdx) you may want to define a mapping for all users to a role: ```code $ curl -u elastic:your_elasticsearch_password -X POST "https://elasticsearch.example.com:9200/_security/role_mapping/mapping1?pretty" -H 'Content-Type: application/json' -d' diff --git a/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/enroll-self-hosted-databases.mdx b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/enroll-self-hosted-databases.mdx new file mode 100644 index 0000000000000..bdbecd8478fc4 --- /dev/null +++ b/docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/enroll-self-hosted-databases.mdx @@ -0,0 +1,22 @@ +--- +title: Enroll Self-Hosted Databases +description: "Provides instructions on protecting self-hosted databases in your infrastructure with Teleport." +--- + +You can protect self-hosted databases with Teleport. Learn how to enroll your +database in your Teleport cluster with the following guides: + +- [Cassandra and + ScyllaDB](cassandra-self-hosted.mdx) +- [ClickHouse](clickhouse-self-hosted.mdx) +- [CockroachDB](cockroachdb-self-hosted.mdx) +- [Elastic](elastic.mdx) +- [MongoDB](mongodb-self-hosted.mdx) +- [MySQL](mysql-self-hosted.mdx) +- [Oracle](oracle-self-hosted.mdx) +- [PostgreSQL](postgres-self-hosted.mdx) +- [Redis Cluster](redis-cluster.mdx) +- [Redis](redis.mdx) +- [SQL Server with PKINIT + authentication](sql-server-ad-pkinit.mdx) +- [Vitess](vitess.mdx) diff --git a/docs/pages/enroll-resources/database-access/faq.mdx b/docs/pages/enroll-resources/database-access/faq.mdx index 59ab92704e03f..eaf628f7fbf4e 100644 --- a/docs/pages/enroll-resources/database-access/faq.mdx +++ b/docs/pages/enroll-resources/database-access/faq.mdx 
@@ -29,7 +29,7 @@ For PostgreSQL and MySQL, the following Cloud-hosted versions are supported in a - Google Cloud SQL - Azure Database -See the available [guides](./guides.mdx) for all supported configurations. +See the available [guides](guides/guides.mdx) for all supported configurations. ## Which PostgreSQL protocol features are not supported? diff --git a/docs/pages/enroll-resources/database-access/getting-started.mdx b/docs/pages/enroll-resources/database-access/getting-started.mdx index eb02dbf567b42..29f96ad18ab2f 100644 --- a/docs/pages/enroll-resources/database-access/getting-started.mdx +++ b/docs/pages/enroll-resources/database-access/getting-started.mdx @@ -239,7 +239,7 @@ $ tsh db connect --db-user=alice --db-name postgres aurora For the next steps, dive deeper into the topics relevant to your Database Access use-case, for example: -- Check out configuration [guides](./guides.mdx). +- Check out configuration [guides](guides/guides.mdx). - Learn how to configure [GUI clients](../../connect-your-client/gui-clients.mdx). - Learn about database access [role-based access control](./rbac.mdx). - See [frequently asked questions](./faq.mdx). diff --git a/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx b/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx index 5e34ecedb4aaf..7eb815e072b5c 100644 --- a/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx +++ b/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx 
@@ -127,11 +127,11 @@ $ tctl rm db/example ``` Aside from `tctl`, dynamic resources can also be added by: -- [Auto-Discovery](../../auto-discovery/databases.mdx) -- [Terraform Provider](../../../admin-guides/infrastructure-as-code/terraform-provider.mdx) -- [Kubernetes Operator](../../../admin-guides/infrastructure-as-code/teleport-operator.mdx) +- [Auto-Discovery](../../auto-discovery/databases/databases.mdx) +- [Terraform Provider](../../../admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx) +- [Kubernetes Operator](../../../admin-guides/infrastructure-as-code/teleport-operator/teleport-operator.mdx) - [Teleport API](../../../admin-guides/api/api.mdx) -See [Using Dynamic Resources](../../../admin-guides/infrastructure-as-code.mdx) to learn +See [Using Dynamic Resources](../../../admin-guides/infrastructure-as-code/infrastructure-as-code.mdx) to learn more about managing Teleport's dynamic resources in general. diff --git a/docs/pages/enroll-resources/database-access/guides.mdx b/docs/pages/enroll-resources/database-access/guides/guides.mdx similarity index 77% rename from docs/pages/enroll-resources/database-access/guides.mdx rename to docs/pages/enroll-resources/database-access/guides/guides.mdx index 44b5b0f656182..f59ad3cc398a3 100644 --- a/docs/pages/enroll-resources/database-access/guides.mdx +++ b/docs/pages/enroll-resources/database-access/guides/guides.mdx 
@@ -8,13 +8,13 @@ The Teleport Database Service proxies connections to databases protected by Teleport. Read more about deploying the Teleport Database Service and enrolling databases: -- [High Availability](./guides/ha.mdx): Learn how to deploy +- [High Availability](ha.mdx): Learn how to deploy multiple instances of the Teleport Database Service to proxy the same set of databases. -- [Dynamic Registration](./guides/dynamic-registration.mdx): Learn how to enroll +- [Dynamic Registration](dynamic-registration.mdx): Learn how to enroll databases without re-deploying the Teleport Database Service. The Teleport Database Service is one service that you can run on an a Teleport -**agent.** Read the [Teleport Agents](../agents/introduction.mdx) +**agent.** Read the [Teleport Agents](../../agents/introduction.mdx) documentation for all of the methods you can use to join agents to your cluster in order to proxy various kinds of infrastructure resources. diff --git a/docs/pages/enroll-resources/database-access/guides/ha.mdx b/docs/pages/enroll-resources/database-access/guides/ha.mdx index 89258e40bbd4b..f3892f8aa8171 100644 --- a/docs/pages/enroll-resources/database-access/guides/ha.mdx +++ b/docs/pages/enroll-resources/database-access/guides/ha.mdx @@ -133,6 +133,6 @@ you're using to connect. ## Next steps -- Get started by [connecting](../guides.mdx) your database. +- Get started by [connecting](guides.mdx) your database. - Review the [architecture](../../../reference/architecture/agents.mdx) of the Teleport Database Service and other services that run on Teleport agents. diff --git a/docs/pages/enroll-resources/database-access/rbac.mdx b/docs/pages/enroll-resources/database-access/rbac.mdx index c70f76ca467a8..38a63801be474 100644 --- a/docs/pages/enroll-resources/database-access/rbac.mdx +++ b/docs/pages/enroll-resources/database-access/rbac.mdx 
@@ -122,7 +122,7 @@ is not currently enforced on MySQL connection attempts. Similar to other role fields, `db_*` fields support templating variables. The `external.xyz` traits are replaced with values from external [single -sign-on](../../admin-guides/access-controls/sso.mdx) providers. For OIDC, they will be +sign-on](../../admin-guides/access-controls/sso/sso.mdx) providers. For OIDC, they will be replaced with the value of an "xyz" claim. For SAML, they are replaced with an "xyz" assertion value. diff --git a/docs/pages/enroll-resources/kubernetes-access/controls.mdx b/docs/pages/enroll-resources/kubernetes-access/controls.mdx index 25041c4d5d6f7..5332e036201e2 100644 --- a/docs/pages/enroll-resources/kubernetes-access/controls.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/controls.mdx @@ -338,7 +338,7 @@ permissions to a service account. There is usually no need to define these resources manually. The [manual -methods](./register-clusters.mdx) and [automatic methods](../auto-discovery/kubernetes.mdx) for +methods](register-clusters/register-clusters.mdx) and [automatic methods](../auto-discovery/kubernetes/kubernetes.mdx) for registering Kubernetes clusters with Teleport include steps for setting up the Kubernetes RBAC resources that Teleport needs to allow access to clusters. diff --git a/docs/pages/enroll-resources/kubernetes-access/faq.mdx b/docs/pages/enroll-resources/kubernetes-access/faq.mdx index fbeb1dd348799..de245c4d35dfd 100644 --- a/docs/pages/enroll-resources/kubernetes-access/faq.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/faq.mdx @@ -30,6 +30,6 @@ Since version 11, Teleport can discover your Kubernetes clusters on AWS, GCP, and Azure. Check out the [Kubernetes Service Discovery -Guide](../auto-discovery/kubernetes.mdx) for more +Guide](../auto-discovery/kubernetes/kubernetes.mdx) for more documentation and examples. 
diff --git a/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx b/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx index d87a9bf1e3657..552bed0c763f4 100644 --- a/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx @@ -16,7 +16,7 @@ Teleport Kubernetes Service running on the Kubernetes cluster: ![Enroll a Kubernetes cluster](../../../img/k8s/enroll-kubernetes.png) For information about other ways to enroll and discover Kubernetes clusters, see -[Registering Kubernetes Clusters with Teleport](./register-clusters.mdx). +[Registering Kubernetes Clusters with Teleport](register-clusters/register-clusters.mdx). ## Prerequisites @@ -207,8 +207,8 @@ This guide demonstrated how to enroll a Kubernetes cluster by running the Teleport Kubernetes Service within the Kubernetes cluster. - For information about discovering Kubernetes clusters hosted on cloud providers, see -[Kubernetes Cluster Discovery](../auto-discovery/kubernetes.mdx). +[Kubernetes Cluster Discovery](../auto-discovery/kubernetes/kubernetes.mdx). - To learn about other ways you can register a Kubernetes cluster with Teleport, see -[Registering Kubernetes Clusters with Teleport](./register-clusters.mdx). +[Registering Kubernetes Clusters with Teleport](register-clusters/register-clusters.mdx). - For a complete list of the parameters you can configure in the `teleport-kube-agent` helm chart, see the [Chart Reference](../../reference/helm-reference/teleport-kube-agent.mdx). diff --git a/docs/pages/enroll-resources/kubernetes-access/introduction.mdx b/docs/pages/enroll-resources/kubernetes-access/introduction.mdx index e6302b8c4fbc6..687b0d9907479 100644 --- a/docs/pages/enroll-resources/kubernetes-access/introduction.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/introduction.mdx 
@@ -15,7 +15,7 @@ Teleport provides secure access to Kubernetes clusters: The guides in this section show you how to protect Kubernetes clusters with Teleport. For instructions on self-hosting Teleport Community Edition or Teleport Enterprise on Kubernetes, see the [Kubernetes Deployment -Guides](../../admin-guides/deploy-a-cluster/helm-deployments.mdx). +Guides](../../admin-guides/deploy-a-cluster/helm-deployments/helm-deployments.mdx). Here is an example of using Teleport to access a Kubernetes cluster, execute commands, and view your `kubectl` activity in Teleport's audit log: @@ -24,7 +24,7 @@ commands, and view your `kubectl` activity in Teleport's audit log: You can set up the Teleport Discovery Service to protect Kubernetes clusters with your Teleport automatically. Read more about [Teleport -auto-discovery](../auto-discovery/kubernetes.mdx). +auto-discovery](../auto-discovery/kubernetes/kubernetes.mdx). Teleport protects Kubernetes clusters through the Teleport Kubernetes Service, which is a Teleport agent service. For more information on agent services, read diff --git a/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx b/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx index 19703902b87e9..b2a6dd54ff496 100644 --- a/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx @@ -450,6 +450,6 @@ Now that you know how to configure Teleport's RBAC system to control access to Kubernetes clusters, learn how to set up [Resource Access Requests](../../admin-guides/access-controls/access-requests/resource-requests.mdx) for just-in-time access and [Access Request -plugins](../../admin-guides/access-controls/access-request-plugins.mdx) so you can manage +plugins](../../admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx) so you can manage access with your communication workflow of choice. 
diff --git a/docs/pages/enroll-resources/kubernetes-access/register-clusters.mdx b/docs/pages/enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx similarity index 67% rename from docs/pages/enroll-resources/kubernetes-access/register-clusters.mdx rename to docs/pages/enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx index 6096f2b1d8609..00ce72a418f68 100644 --- a/docs/pages/enroll-resources/kubernetes-access/register-clusters.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx @@ -6,16 +6,16 @@ layout: tocless-doc In some cases, you will want to register a Kubernetes cluster with Teleport manually, rather than letting Teleport [discover the cluster -automatically](../auto-discovery/kubernetes.mdx). There are a few ways to do +automatically](../../auto-discovery/kubernetes/kubernetes.mdx). There are a few ways to do this: - [Deploy the Teleport Kubernetes - Service with IAM Joining](./register-clusters/iam-joining.mdx) on your cluster of + Service with IAM Joining](iam-joining.mdx) on your cluster of choice. - Deploy the Teleport Kubernetes Service outside your Kubernetes cluster (e.g., directly on a virtual machine) and [give it access to a - kubeconfig](./register-clusters/static-kubeconfig.mdx). + kubeconfig](static-kubeconfig.mdx). - Deploy the Teleport Kubernetes Service outside of Kubernetes and [use dynamic - configuration resources](./register-clusters/dynamic-registration.mdx) to + configuration resources](dynamic-registration.mdx) to register your clusters. diff --git a/docs/pages/enroll-resources/machine-id/access-guides.mdx b/docs/pages/enroll-resources/machine-id/access-guides.mdx deleted file mode 100644 index 27493f6dc6aa3..0000000000000 --- a/docs/pages/enroll-resources/machine-id/access-guides.mdx +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -title: Access your Infrastructure with Machine ID -description: How to use Machine ID to enable secure access to Teleport resources. -layout: tocless-doc ---- - -These guides cover how to configure a deployed Machine ID to produce credentials -that can be used for machine to machine access to different Teleport resources. - -It is a pre-requisite of these guides that Machine ID has been configured for -your platform, see the [Deploy Machine ID](./deployment.mdx) guides for information -on how to do so. - -## Resource Access - -- [Server Access](./access-guides/ssh.mdx): How to use Machine ID to access servers via SSH. -- [Kubernetes Access](./access-guides/kubernetes.mdx): How to use Machine ID to access Kubernetes clusters. -- [Database Access](./access-guides/databases.mdx): How to use Machine ID to access Database servers. -- [Application Access](./access-guides/applications.mdx): How to use Machine ID to access Applications. - -## Specific Tools - -- [tctl](./access-guides/tctl.mdx): How to use Machine ID with `tctl` to manage your Teleport configuration. -- [Teleport Terraform provider](../../admin-guides/infrastructure-as-code/terraform-provider/dedicated-server.mdx): How to use Machine ID with the Teleport Terraform provider to manage your Teleport configuration as IaC. -- [Ansible](./access-guides/ansible.mdx): How to use Machine ID with Ansible. -- [SPIFFE](../workload-identity/getting-started.mdx): How to use Machine ID to issue SPIFFE certificates. diff --git a/docs/pages/enroll-resources/machine-id/access-guides/access-guides.mdx b/docs/pages/enroll-resources/machine-id/access-guides/access-guides.mdx new file mode 100644 index 0000000000000..6d829d01b9685 --- /dev/null +++ b/docs/pages/enroll-resources/machine-id/access-guides/access-guides.mdx 
@@ -0,0 +1,26 @@ +--- +title: Access your Infrastructure with Machine ID +description: How to use Machine ID to enable secure access to Teleport resources. +layout: tocless-doc +--- + +These guides cover how to configure a deployed Machine ID to produce credentials +that can be used for machine to machine access to different Teleport resources. + +It is a pre-requisite of these guides that Machine ID has been configured for +your platform, see the [Deploy Machine ID](../deployment/deployment.mdx) guides for information +on how to do so. + +## Resource Access + +- [Server Access](ssh.mdx): How to use Machine ID to access servers via SSH. +- [Kubernetes Access](kubernetes.mdx): How to use Machine ID to access Kubernetes clusters. +- [Database Access](databases.mdx): How to use Machine ID to access Database servers. +- [Application Access](applications.mdx): How to use Machine ID to access Applications. + +## Specific Tools + +- [tctl](tctl.mdx): How to use Machine ID with `tctl` to manage your Teleport configuration. +- [Teleport Terraform provider](../../../admin-guides/infrastructure-as-code/terraform-provider/dedicated-server.mdx): How to use Machine ID with the Teleport Terraform provider to manage your Teleport configuration as IaC. +- [Ansible](ansible.mdx): How to use Machine ID with Ansible. +- [SPIFFE](../../workload-identity/getting-started.mdx): How to use Machine ID to issue SPIFFE certificates. diff --git a/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx b/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx index dd5bc03811f86..ef4010154def9 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx 
@@ -26,7 +26,7 @@ You will need the following tools to use Teleport with Ansible. - `tbot` must already be installed and configured on the machine that will run Ansible. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). - If you followed the above guide, note the `--destination-dir=/opt/machine-id` flag, which defines the directory where SSH certificates and OpenSSH configuration diff --git a/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx b/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx index 82cd7c50d5e65..736038a990814 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx @@ -18,7 +18,7 @@ used to access an application enrolled in your Teleport cluster. - (!docs/pages/includes/tctl.mdx!) - `tbot` must already be installed and configured on the machine that will access applications. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). ## Step 1/3. Configure RBAC diff --git a/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx b/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx index 9e7ebad0f969f..60f8d463c1ee5 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx 
@@ -21,7 +21,7 @@ used to access a database configured in Teleport. follow the [database access getting started guide](../../database-access/getting-started.mdx). The Teleport Database Service supports databases like PostgreSQL, MongoDB, Redis, and much more. See our [database access - guides](../../database-access/guides.mdx) for a complete list. + guides](../../database-access/guides/guides.mdx) for a complete list. - (!docs/pages/includes/tctl.mdx!) - The `tsh` binary must be installed on the machine that will access the database. Depending on how `tbot` was installed, this may already be @@ -29,7 +29,7 @@ used to access a database configured in Teleport. details. - `tbot` must already be installed and configured on the machine that will access the database. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). ## Step 1/4. Configure RBAC diff --git a/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx b/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx index 73879388eb92f..72ab9ad3fb13b 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx @@ -23,7 +23,7 @@ used to access a Kubernetes cluster enrolled with your Teleport cluster. installation instructions. - `tbot` must already be installed and configured on the machine that will access Kubernetes clusters. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). - To demonstrate connecting to the Kubernetes cluster, the machine that will access Kubernetes clusters will need to have `kubectl` installed. See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/) for 
diff --git a/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx b/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx index ca4bf290c9cdc..39a0aaaa043c0 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx @@ -19,7 +19,7 @@ will cover access using the Teleport CLI `tsh` as well as the OpenSSH client. - (!docs/pages/includes/tctl.mdx!) - `tbot` must already be installed and configured on the machine that will connect to Linux hosts with SSH. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). ## Step 1/3. Configure RBAC diff --git a/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx b/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx index b6e8b33f99d72..8e7dcde67668b 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx @@ -18,7 +18,7 @@ then use `tctl` to deploy Teleport roles defined in files. - (!docs/pages/includes/tctl.mdx!) - `tbot` must already be installed and configured on the machine that will use `tctl`. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). ## Step 1/3. Configure RBAC diff --git a/docs/pages/enroll-resources/machine-id/deployment/aws.mdx b/docs/pages/enroll-resources/machine-id/deployment/aws.mdx index 6ef41748bef8c..8ef8d6d37c814 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/aws.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/aws.mdx 
@@ -122,7 +122,7 @@ Replace: ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/deployment/azure.mdx b/docs/pages/enroll-resources/machine-id/deployment/azure.mdx index 8308bde95dc87..c78005fbb7598 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/azure.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/azure.mdx @@ -123,7 +123,7 @@ Replace: ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/deployment/circleci.mdx b/docs/pages/enroll-resources/machine-id/deployment/circleci.mdx index 50fd3ccc351c7..9116f2db0db6a 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/circleci.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/circleci.mdx @@ -163,7 +163,7 @@ resources in your Teleport cluster that your CI/CD needs to interact with. ## Further steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. 
diff --git a/docs/pages/enroll-resources/machine-id/deployment.mdx b/docs/pages/enroll-resources/machine-id/deployment/deployment.mdx similarity index 55% rename from docs/pages/enroll-resources/machine-id/deployment.mdx rename to docs/pages/enroll-resources/machine-id/deployment/deployment.mdx index adf801987cf0a..808fdf221f274 100644 --- a/docs/pages/enroll-resources/machine-id/deployment.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/deployment.mdx @@ -43,9 +43,9 @@ to your cluster. Choose a guide based on the platform where you intend to run Machine ID. If a specific guide does not exist for your platform, the [Linux -guide](./deployment/linux.mdx) is compatible with most platforms. For -custom approaches, you can also read the [Machine ID Reference](../../reference/machine-id/machine-id.mdx) -and [Architecture](../../reference/architecture/machine-id-architecture.mdx) to plan your deployment. +guide](linux.mdx) is compatible with most platforms. For +custom approaches, you can also read the [Machine ID Reference](../../../reference/machine-id/machine-id.mdx) +and [Architecture](../../../reference/architecture/machine-id-architecture.mdx) to plan your deployment. ### Self-hosted infrastructure 
@@ -54,12 +54,12 @@ on-prem infrastructure. | Platform | Installation method | Join method | |-------------------------------------------|-------------------------------------------------|-----------------------------------------------------| -| [Linux](./deployment/linux.mdx) | Package manager or TAR archive | Static join token | -| [Linux (TPM)](./deployment/linux-tpm.mdx) | Package manager or TAR archive | Attestation from TPM 2.0 | -| [GCP](./deployment/gcp.mdx) | Package manager, TAR archive, or Kubernetes pod | Identity document signed by GCP | -| [AWS](./deployment/aws.mdx) | Package manager, TAR archive, or Kubernetes pod | Identity document signed by AWS | -| [Azure](./deployment/azure.mdx) | Package manager or TAR archive | Identity document signed by Azure | -| [Kubernetes](./deployment/kubernetes.mdx) | Kubernetes pod | Identity document signed by your Kubernetes cluster | +| [Linux](linux.mdx) | Package manager or TAR archive | Static join token | +| [Linux (TPM)](linux-tpm.mdx) | Package manager or TAR archive | Attestation from TPM 2.0 | +| [GCP](gcp.mdx) | Package manager, TAR archive, or Kubernetes pod | Identity document signed by GCP | +| [AWS](aws.mdx) | Package manager, TAR archive, or Kubernetes pod | Identity document signed by AWS | +| [Azure](azure.mdx) | Package manager or TAR archive | Identity document signed by Azure | +| [Kubernetes](kubernetes.mdx) | Kubernetes pod | Identity document signed by your Kubernetes cluster | ### CI/CD 
@@ -68,9 +68,9 @@ integration and continuous deployment platform | Platform | Installation method | Join method | |-----------------------------------------------------------------------------------------------------|---------------------------------------------------------------|------------------------------------| -| [CircleCI](./deployment/circleci.mdx) | TAR archive | CircleCI-signed identity document | -| [GitLab](./deployment/gitlab.mdx) | TAR archive | GitLab-signed identity document | -| [GitHub Actions](./deployment/github-actions.mdx) | Teleport job available through the GitHub Actions marketplace | GitHub-signed identity document. | -| [Jenkins](./deployment/jenkins.mdx) | Package manager or TAR archive | Static join token | -| [Spacelift](../../admin-guides/infrastructure-as-code/terraform-provider/spacelift.mdx) | Docker Image | Spacelift-signed identity document | -| [Terraform Cloud](../../admin-guides/infrastructure-as-code/terraform-provider/terraform-cloud.mdx) | Teleport Terraform Provider via Teleport's Terraform Registry | Terraform Cloud-signed identity document | \ No newline at end of file +| [CircleCI](circleci.mdx) | TAR archive | CircleCI-signed identity document | +| [GitLab](gitlab.mdx) | TAR archive | GitLab-signed identity document | +| [GitHub Actions](github-actions.mdx) | Teleport job available through the GitHub Actions marketplace | GitHub-signed identity document. | +| [Jenkins](jenkins.mdx) | Package manager or TAR archive | Static join token | +| [Spacelift](../../../admin-guides/infrastructure-as-code/terraform-provider/spacelift.mdx) | Docker Image | Spacelift-signed identity document | +| [Terraform Cloud](../../../admin-guides/infrastructure-as-code/terraform-provider/terraform-cloud.mdx) | Teleport Terraform Provider via Teleport's Terraform Registry | Terraform Cloud-signed identity document | \ No newline at end of file 
diff --git a/docs/pages/enroll-resources/machine-id/deployment/gcp.mdx b/docs/pages/enroll-resources/machine-id/deployment/gcp.mdx index 89ec5b80e0ea6..695aa2042c3e1 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/gcp.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/gcp.mdx @@ -124,7 +124,7 @@ Replace: ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/deployment/gitlab.mdx b/docs/pages/enroll-resources/machine-id/deployment/gitlab.mdx index 0bdf40d1d4279..5c04b7d800600 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/gitlab.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/gitlab.mdx @@ -171,7 +171,7 @@ failure. [GitLab CI reference page.](../../../reference/machine-id/gitlab.mdx) - For more information about GitLab itself, read [their documentation](https://docs.gitlab.com/ee/ci/). -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/deployment/kubernetes.mdx b/docs/pages/enroll-resources/machine-id/deployment/kubernetes.mdx index 35f165541876e..88708342b21d3 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/kubernetes.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/kubernetes.mdx 
@@ -311,7 +311,7 @@ However, it is not yet producing any useful output. ## Step 5/5. Configure outputs -Follow one of the [access guides](../access-guides.mdx) to configure an output +Follow one of the [access guides](../access-guides/access-guides.mdx) to configure an output that meets your access needs. In order to adjust the access guides to work well with Kubernetes, use the @@ -357,7 +357,7 @@ spec: ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/deployment/linux-tpm.mdx b/docs/pages/enroll-resources/machine-id/deployment/linux-tpm.mdx index 4a3160a96cdaa..01ebe86c4537f 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/linux-tpm.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/linux-tpm.mdx @@ -199,7 +199,7 @@ $ sudo chown teleport:teleport /var/lib/teleport/bot ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [TPM joining reference](../../../reference/join-methods.mdx#trusted-platform-module-tpm) to learn more about `tpm`joining. diff --git a/docs/pages/enroll-resources/machine-id/deployment/linux.mdx b/docs/pages/enroll-resources/machine-id/deployment/linux.mdx index 9c345eebe6217..8df4622ed3c67 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/linux.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/linux.mdx 
@@ -110,7 +110,7 @@ $ sudo chown teleport:teleport /var/lib/teleport/bot ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/getting-started.mdx b/docs/pages/enroll-resources/machine-id/getting-started.mdx index e168f2e2144ba..b69b8f2226fde 100644 --- a/docs/pages/enroll-resources/machine-id/getting-started.mdx +++ b/docs/pages/enroll-resources/machine-id/getting-started.mdx @@ -15,7 +15,7 @@ Here's an overview of what you will do: This guide covers configuring Machine ID for development and learning purposes. For a production-ready configuration of Machine ID, visit the [Deploying Machine -ID](./deployment.mdx) guides. +ID](deployment/deployment.mdx) guides. ## Prerequisites @@ -215,9 +215,9 @@ and controlled with all the familiar Teleport access controls. - Read the [architecture overview](../../reference/architecture/machine-id-architecture.mdx) to learn about how Machine ID works in more detail. -- Check out the [deployment guides](./deployment.mdx) to learn about +- Check out the [deployment guides](deployment/deployment.mdx) to learn about configuring `tbot` in a production-ready way for your platform. -- Check out the [access guides](./access-guides.mdx) to learn about configuring +- Check out the [access guides](access-guides/access-guides.mdx) to learn about configuring `tbot` for different use cases than SSH. - Read the [configuration reference](../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/introduction.mdx b/docs/pages/enroll-resources/machine-id/introduction.mdx index 18caf011b3350..e5e39aff21dfe 100644 
--- a/docs/pages/enroll-resources/machine-id/introduction.mdx +++ b/docs/pages/enroll-resources/machine-id/introduction.mdx @@ -94,9 +94,9 @@ For a quickstart non-production introduction to Machine ID, read the Production-ready guidance on deploying Machine ID is broken out into two parts: -- [Deploying Machine ID](./deployment.mdx): How to install and configure +- [Deploying Machine ID](deployment/deployment.mdx): How to install and configure Machine ID for a specific platform. -- [Access your Infrastructure with Machine ID](./access-guides.mdx): How to use Machine ID to access +- [Access your Infrastructure with Machine ID](access-guides/access-guides.mdx): How to use Machine ID to access Teleport and Teleport resources. ## Further reading diff --git a/docs/pages/enroll-resources/server-access/getting-started.mdx b/docs/pages/enroll-resources/server-access/getting-started.mdx index 6d577a5e0ea00..540348fc92bf8 100644 --- a/docs/pages/enroll-resources/server-access/getting-started.mdx +++ b/docs/pages/enroll-resources/server-access/getting-started.mdx @@ -378,7 +378,7 @@ further Getting Started exercises. - While this guide shows you how to create a local user in order to access a server, you can also enable Teleport users to authenticate through a single sign-on provider. Read the - [documentation](../../admin-guides/access-controls/sso.mdx) to learn more. + [documentation](../../admin-guides/access-controls/sso/sso.mdx) to learn more. - Learn more about Teleport `tsh` through the [reference documentation](../../reference/cli/tsh.mdx#tsh-ssh). - For a complete list of ports used by Teleport, read the [Networking Guide](../../reference/networking.mdx). diff --git a/docs/pages/enroll-resources/server-access/guides.mdx b/docs/pages/enroll-resources/server-access/guides.mdx deleted file mode 100644 index 794e1de4d5990..0000000000000 --- a/docs/pages/enroll-resources/server-access/guides.mdx +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -title: Server Access Guides -description: Teleport server access guides. -layout: tocless-doc ---- - -- [Using Teleport with PAM](./guides/ssh-pam.mdx): How to configure Teleport SSH with PAM (Pluggable Authentication Modules). -- [Agentless OpenSSH Integration](openssh/openssh-agentless.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`. -- [Agentless OpenSSH Integration (Manual Installation)](./openssh/openssh-manual-install.mdx): How to use Teleport in agentless mode - on systems with OpenSSH and `sshd` that can't run `teleport`. -- [Recording Proxy Mode](./guides/recording-proxy-mode.mdx): How to use Teleport Recording Proxy Mode to capture activity on OpenSSH servers. -- [BPF Session Recording](./guides/bpf-session-recording.mdx): How to use BPF to record SSH session commands, modified files and network connections. -- [Visual Studio Code](./guides/vscode.mdx): How to remotely develop with Visual Studio Code and Teleport. -- [JetBrains SFTP](./guides/jetbrains-sftp.mdx): How to use a JetBrains IDE to access SFTP with Teleport. -- [Host User Creation](./guides/host-user-creation.mdx): How to configure Teleport to automatically create transient host users. -- [Linux Auditing System](./guides/auditd.mdx): How to integrate Teleport with the Linux Auditing System (auditd). -- [Using Teleport with Ansible](./guides/ansible.mdx): How to use Ansible with - Teleport-issued SSH credentials. diff --git a/docs/pages/enroll-resources/server-access/guides/guides.mdx b/docs/pages/enroll-resources/server-access/guides/guides.mdx new file mode 100644 index 0000000000000..c7ba23b463bf7 --- /dev/null +++ b/docs/pages/enroll-resources/server-access/guides/guides.mdx 
@@ -0,0 +1,18 @@ +--- +title: Server Access Guides +description: Teleport server access guides. +layout: tocless-doc +--- + +- [Using Teleport with PAM](ssh-pam.mdx): How to configure Teleport SSH with PAM (Pluggable Authentication Modules). +- [Agentless OpenSSH Integration](../openssh/openssh-agentless.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`. +- [Agentless OpenSSH Integration (Manual Installation)](../openssh/openssh-manual-install.mdx): How to use Teleport in agentless mode + on systems with OpenSSH and `sshd` that can't run `teleport`. +- [Recording Proxy Mode](recording-proxy-mode.mdx): How to use Teleport Recording Proxy Mode to capture activity on OpenSSH servers. +- [BPF Session Recording](bpf-session-recording.mdx): How to use BPF to record SSH session commands, modified files and network connections. +- [Visual Studio Code](vscode.mdx): How to remotely develop with Visual Studio Code and Teleport. +- [JetBrains SFTP](jetbrains-sftp.mdx): How to use a JetBrains IDE to access SFTP with Teleport. +- [Host User Creation](host-user-creation.mdx): How to configure Teleport to automatically create transient host users. +- [Linux Auditing System](auditd.mdx): How to integrate Teleport with the Linux Auditing System (auditd). +- [Using Teleport with Ansible](ansible.mdx): How to use Ansible with + Teleport-issued SSH credentials. diff --git a/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx b/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx index 538c6c8c9032e..a5016534d6937 100644 --- a/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx +++ b/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx 
@@ -436,7 +436,7 @@ on the hosts. ## Next steps -- Configure automatic user provisioning for [Database Access](../../database-access/auto-user-provisioning.mdx). +- Configure automatic user provisioning for [Database Access](../../database-access/auto-user-provisioning/auto-user-provisioning.mdx). - Configure automatic user provisioning for [desktop access](../../../reference/agent-services/desktop-access-reference/user-creation.mdx). - Configure automatic user provisioning with [Terraform](../../../reference/terraform-provider/resources/role.mdx). Note when using the terraform provider that some values may be different than described in this guide. diff --git a/docs/pages/enroll-resources/server-access/guides/jetbrains-sftp.mdx b/docs/pages/enroll-resources/server-access/guides/jetbrains-sftp.mdx index 790fa1a0d674a..36f485690d3c9 100644 --- a/docs/pages/enroll-resources/server-access/guides/jetbrains-sftp.mdx +++ b/docs/pages/enroll-resources/server-access/guides/jetbrains-sftp.mdx @@ -66,7 +66,7 @@ $ ssh user@[server name].[cluster name] Include the port number for OpenSSH servers, by default `22`, or you can experience an error. - See the [OpenSSH guide](../openssh.mdx) for more information. + See the [OpenSSH guide](../openssh/openssh.mdx) for more information. Example connecting to a OpenSSH server: ```code @@ -128,7 +128,7 @@ After closing the SSH configuration window, you should see `Remote Host` menu in ### Using OpenSSH clients This guide makes use of `tsh config`; refer to the -[dedicated guide](../openssh.mdx) for additional information. +[dedicated guide](../openssh/openssh.mdx) for additional information. ## Further reading - [JetBrains - Create a remote server configuration](https://www.jetbrains.com/help/idea/creating-a-remote-server-configuration.html#overload) diff --git a/docs/pages/enroll-resources/server-access/guides/vscode.mdx b/docs/pages/enroll-resources/server-access/guides/vscode.mdx index 31a85e598616e..b933363e012cf 100644 
--- a/docs/pages/enroll-resources/server-access/guides/vscode.mdx +++ b/docs/pages/enroll-resources/server-access/guides/vscode.mdx @@ -151,14 +151,14 @@ The Window Indicator in the bottom left highlights the currently connected remot It's possible to remotely develop on any OpenSSH host joined to a Teleport cluster so long as its host OS is supported by VS Code. Refer to the -[OpenSSH guide](../openssh.mdx) to configure the remote host to authenticate via +[OpenSSH guide](../openssh/openssh.mdx) to configure the remote host to authenticate via Teleport certificates, after which the procedure outlined above can be used to connect to the host in VS Code. ### Using OpenSSH clients This guide makes use of `tsh config`; refer to the -[dedicated guide](../openssh.mdx) for additional information. +[dedicated guide](../openssh/openssh.mdx) for additional information. ## Further reading - [VS Code Remote Development](https://code.visualstudio.com/docs/remote/remote-overview) diff --git a/docs/pages/enroll-resources/server-access/introduction.mdx b/docs/pages/enroll-resources/server-access/introduction.mdx index 65e37b0b981ae..8241a1df4c826 100644 --- a/docs/pages/enroll-resources/server-access/introduction.mdx +++ b/docs/pages/enroll-resources/server-access/introduction.mdx @@ -32,7 +32,7 @@ services. You can protect OpenSSH servers with Teleport, which makes it easier to protect legacy infrastructure, using an [agentless architecture](openssh/openssh-agentless.mdx). -Read the [Teleport OpenSSH guides](./openssh.mdx) to learn more. +Read the [Teleport OpenSSH guides](openssh/openssh.mdx) to learn more. ## Guides diff --git a/docs/pages/enroll-resources/server-access/openssh.mdx b/docs/pages/enroll-resources/server-access/openssh.mdx deleted file mode 100644 index e7632cfd9b097..0000000000000 --- a/docs/pages/enroll-resources/server-access/openssh.mdx +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -title: OpenSSH Guides -description: Teleport Agentless OpenSSH integration guides. -layout: tocless-doc ---- - -- [Agentless OpenSSH Integration](openssh/openssh-agentless.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`. -- [Agentless OpenSSH Integration (Manual Installation)](./openssh/openssh-manual-install.mdx): How to use Teleport in agentless mode - on systems with OpenSSH and `sshd` that can't run `teleport`. diff --git a/docs/pages/enroll-resources/server-access/openssh/openssh.mdx b/docs/pages/enroll-resources/server-access/openssh/openssh.mdx new file mode 100644 index 0000000000000..2af40693b1fc5 --- /dev/null +++ b/docs/pages/enroll-resources/server-access/openssh/openssh.mdx @@ -0,0 +1,9 @@ +--- +title: OpenSSH Guides +description: Teleport Agentless OpenSSH integration guides. +layout: tocless-doc +--- + +- [Agentless OpenSSH Integration](openssh-agentless.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`. +- [Agentless OpenSSH Integration (Manual Installation)](openssh-manual-install.mdx): How to use Teleport in agentless mode + on systems with OpenSSH and `sshd` that can't run `teleport`. diff --git a/docs/pages/enroll-resources/server-access/rbac.mdx b/docs/pages/enroll-resources/server-access/rbac.mdx index 5cc65f99020cc..6cc43636c5d27 100644 --- a/docs/pages/enroll-resources/server-access/rbac.mdx +++ b/docs/pages/enroll-resources/server-access/rbac.mdx 
@@ -71,7 +71,7 @@ spec: Similar to role fields for accessing other resources in Teleport, server-related fields support template variables. -Variables with the format `{{external.xyz}}` are replaced with values from external [SSO](../../admin-guides/access-controls/sso.mdx) +Variables with the format `{{external.xyz}}` are replaced with values from external [SSO](../../admin-guides/access-controls/sso/sso.mdx) providers. For OIDC logins, `{{external.xyz}}` refers to the "xyz" claim; for SAML logins, `{{external.xyz}}` refers to the "xyz" assertion. diff --git a/docs/pages/enroll-resources/workload-identity/aws-oidc-federation.mdx b/docs/pages/enroll-resources/workload-identity/aws-oidc-federation.mdx index 6febebfaf106b..4ff32ceefad1f 100644 --- a/docs/pages/enroll-resources/workload-identity/aws-oidc-federation.mdx +++ b/docs/pages/enroll-resources/workload-identity/aws-oidc-federation.mdx @@ -60,8 +60,9 @@ This guide covers configuring OIDC federation. For Roles Anywhere, see - (!docs/pages/includes/tctl.mdx!) - `tbot` must already be installed and configured on the host where the -workloads which need to access Teleport Workload Identity will run. For more -information, see the [deployment guides](../machine-id/deployment.mdx). + workloads which need to access Teleport Workload Identity will run. For more + information, see the [deployment + guides](../machine-id/deployment/deployment.mdx). Issuing JWT SVIDs with Teleport Workload Identity requires at least Teleport diff --git a/docs/pages/enroll-resources/workload-identity/aws-roles-anywhere.mdx b/docs/pages/enroll-resources/workload-identity/aws-roles-anywhere.mdx index 56c7b7d23e97e..c2d21eff2db1a 100644 --- a/docs/pages/enroll-resources/workload-identity/aws-roles-anywhere.mdx +++ b/docs/pages/enroll-resources/workload-identity/aws-roles-anywhere.mdx 
@@ -58,7 +58,7 @@ This guide covers configuring Roles Anywhere, for OIDC federation, see - (!docs/pages/includes/tctl.mdx!) - `tbot` must already be installed and configured on the host where the workloads which need to access Teleport Workload Identity will run. For more -information, see the [deployment guides](../machine-id/deployment.mdx). +information, see the [deployment guides](../machine-id/deployment/deployment.mdx). ### Deciding on a SPIFFE ID structure diff --git a/docs/pages/enroll-resources/workload-identity/gcp-workload-identity-federation-jwt.mdx b/docs/pages/enroll-resources/workload-identity/gcp-workload-identity-federation-jwt.mdx index 95be984161a08..60531fffdcd15 100644 --- a/docs/pages/enroll-resources/workload-identity/gcp-workload-identity-federation-jwt.mdx +++ b/docs/pages/enroll-resources/workload-identity/gcp-workload-identity-federation-jwt.mdx @@ -38,7 +38,7 @@ GCP APIs in a few ways: - (!docs/pages/includes/tctl.mdx!) - `tbot` must already be installed and configured on the host where the workloads which need to access Teleport Workload Identity will run. For more -information, see the [deployment guides](../machine-id/deployment.mdx). +information, see the [deployment guides](../machine-id/deployment/deployment.mdx). Issuing JWT SVIDs with Teleport Workload Identity requires at minimum version diff --git a/docs/pages/enroll-resources/workload-identity/getting-started.mdx b/docs/pages/enroll-resources/workload-identity/getting-started.mdx index 9fd17e23f2b40..0879468fd1bf2 100644 --- a/docs/pages/enroll-resources/workload-identity/getting-started.mdx +++ b/docs/pages/enroll-resources/workload-identity/getting-started.mdx 
@@ -21,7 +21,7 @@ You can then connect your workloads to this endpoint to receive SPIFFE SVIDs. - (!docs/pages/includes/tctl.mdx!) - `tbot` must already be installed and configured on the host where the workloads which need to access Teleport Workload Identity will run. For more - information, see the [deployment guides](../machine-id/deployment.mdx). + information, see the [deployment guides](../machine-id/deployment/deployment.mdx). ## Step 1/4. Configure RBAC diff --git a/docs/pages/includes/database-access/auto-discovery-tip.mdx b/docs/pages/includes/database-access/auto-discovery-tip.mdx index 024302e261ede..e3f827f38d443 100644 --- a/docs/pages/includes/database-access/auto-discovery-tip.mdx +++ b/docs/pages/includes/database-access/auto-discovery-tip.mdx @@ -1,4 +1,4 @@ This guide shows how to register a single {{ dbType }} with your Teleport cluster. For a more scalable approach, learn how to set up [Database -Auto-Discovery](../../enroll-resources/auto-discovery/databases.mdx) to +Auto-Discovery](../../enroll-resources/auto-discovery/databases/databases.mdx) to automatically enroll all {{ providerType }} databases in your infrastructure. diff --git a/docs/pages/includes/database-access/aws-auto-discovery-prerequisite.mdx b/docs/pages/includes/database-access/aws-auto-discovery-prerequisite.mdx index 3ecd379f438fe..c0736749fea92 100644 --- a/docs/pages/includes/database-access/aws-auto-discovery-prerequisite.mdx +++ b/docs/pages/includes/database-access/aws-auto-discovery-prerequisite.mdx @@ -1,2 +1,2 @@ A running Teleport Discovery Service if you plan to use [Database -Auto-Discovery](./../../enroll-resources/auto-discovery/databases.mdx). +Auto-Discovery](../../enroll-resources/auto-discovery/databases/databases.mdx). diff --git a/docs/pages/includes/discovery/database-service-troubleshooting.mdx b/docs/pages/includes/discovery/database-service-troubleshooting.mdx index 102612396e064..96f07241b8663 100644 
--- a/docs/pages/includes/discovery/database-service-troubleshooting.mdx +++ b/docs/pages/includes/discovery/database-service-troubleshooting.mdx @@ -40,7 +40,7 @@ spec: This section assumes you have already provisioned a database user and configured Teleport RBAC for that database user by following a specific guide in -[Enroll AWS Databases](../../enroll-resources/database-access/enroll-aws-databases.mdx). +[Enroll AWS Databases](../../enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx). If there are connection errors when you try to connect to a database, then @@ -68,5 +68,5 @@ Refer to for more general troubleshooting steps. Additionally, a guide specific to the type of database in -[Enroll AWS Databases](../../enroll-resources/database-access/enroll-aws-databases.mdx). +[Enroll AWS Databases](../../enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx). may have more specific troubleshooting information. diff --git a/docs/pages/includes/edition-comparison.mdx b/docs/pages/includes/edition-comparison.mdx index d7e5834ab8e9c..f9d91d92eaf65 100644 --- a/docs/pages/includes/edition-comparison.mdx +++ b/docs/pages/includes/edition-comparison.mdx @@ -6,7 +6,7 @@ |[Hardware Key Support](../admin-guides/access-controls/guides/hardware-key-support.mdx)|✖|✔|✔| |[Moderated Sessions](../admin-guides/access-controls/guides/moderated-sessions.mdx)|✖|✔|✔| |[Role-Based Access Control](../admin-guides/access-controls/guides/role-templates.mdx)|✔|✔|✔| -|[Single Sign-On](../admin-guides/access-controls/sso.mdx)|GitHub|GitHub, Google Workspace, OIDC, SAML, Teleport|GitHub, Google Workspace, OIDC, SAML, Teleport| +|[Single Sign-On](../admin-guides/access-controls/sso/sso.mdx)|GitHub|GitHub, Google Workspace, OIDC, SAML, Teleport|GitHub, Google Workspace, OIDC, SAML, Teleport| ### Audit logging and session recording 
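Review bot: the stray period after the link survives in the second hunk of docs/pages/includes/discovery/database-service-troubleshooting.mdx (`@@ -68,5 +68,5 @@`), so the sentence still renders as `...enroll-aws-databases.mdx). may have more specific troubleshooting information.` Since the `+` line rewrites that link anyway, drop the trailing period: `[Enroll AWS Databases](../../enroll-resources/database-access/enroll-aws-databases/enroll-aws-databases.mdx)`.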
@@ -34,7 +34,7 @@ _Available as an add-on to Teleport Enterprise_ ||Community Edition|Enterprise|Cloud| |---|---|---|---| |[Access Monitoring & Response](../admin-guides/access-controls/access-monitoring.mdx)|✖|✔|✔| -|[Access Lists & Access Reviews](../admin-guides/access-controls/access-lists.mdx)|✖|✔|✔| +|[Access Lists & Access Reviews](../admin-guides/access-controls/access-lists/access-lists.mdx)|✖|✔|✔| |[Device Trust](../admin-guides/access-controls/device-trust/guide.mdx)|✖|✔|✔| |[Endpoint Management: Jamf](../admin-guides/access-controls/device-trust/jamf-integration.mdx)|✖|✔|✔| |[JIT Access Requests](../admin-guides/access-controls/guides/dual-authz.mdx)|Limited|✔|✔| diff --git a/docs/pages/includes/machine-id/configure-outputs.mdx b/docs/pages/includes/machine-id/configure-outputs.mdx index 9020f2b367b25..b002290094ddc 100644 --- a/docs/pages/includes/machine-id/configure-outputs.mdx +++ b/docs/pages/includes/machine-id/configure-outputs.mdx @@ -2,5 +2,6 @@ You have now prepared the base configuration for `tbot`. At this point, it identifies itself to the Teleport cluster and renews its own credentials but does not output any credentials for other applications to use. -Follow one of the [access guides](../../enroll-resources/machine-id/access-guides.mdx) to configure an output -that meets your access needs. \ No newline at end of file +Follow one of the [access +guides](../../enroll-resources/machine-id/access-guides/access-guides.mdx) to +configure an output that meets your access needs. diff --git a/docs/pages/includes/machine-id/plugin-prerequisites.mdx b/docs/pages/includes/machine-id/plugin-prerequisites.mdx index 88b6390ae2b68..22d43626da035 100644 --- a/docs/pages/includes/machine-id/plugin-prerequisites.mdx +++ b/docs/pages/includes/machine-id/plugin-prerequisites.mdx 
@@ -1,6 +1,5 @@ **Recommended:** Configure Machine ID to provide short-lived Teleport credentials to the plugin. Before following this guide, follow a Machine ID -[deployment guide](../../enroll-resources/machine-id/deployment.mdx) to run the `tbot` binary on -your infrastructure. - +[deployment guide](../../enroll-resources/machine-id/deployment/deployment.mdx) +to run the `tbot` binary on your infrastructure. diff --git a/docs/pages/index.mdx b/docs/pages/index.mdx index 86a2191823837..7e630c2f970a1 100644 --- a/docs/pages/index.mdx +++ b/docs/pages/index.mdx @@ -60,7 +60,7 @@ Get started with Teleport Access: - [Set up passwordless authentication](admin-guides/access-controls/guides/passwordless.mdx) to enable users to access resources with hardware keys, including biometric credentials like Touch ID and YubiKey Bio. -- [Integrate your Single Sign-On provider](admin-guides/access-controls/sso.mdx): Allow users +- [Integrate your Single Sign-On provider](admin-guides/access-controls/sso/sso.mdx): Allow users to access infrastructure resources with IdPs like Okta. - [Use Teleport as an identity provider](admin-guides/access-controls/idps/saml-guide.mdx) to authenticate to external services. 
@@ -84,12 +84,12 @@ restrictions and potential security breaches. Get started with Teleport Identity: -- [Access Requests](admin-guides/access-controls/access-requests.mdx): Temporarily +- [Access Requests](admin-guides/access-controls/access-requests/access-requests.mdx): Temporarily provision minimal privileges to complete a task. -- [Access Lists](admin-guides/access-controls/access-lists.mdx): Regularly audit and +- [Access Lists](admin-guides/access-controls/access-lists/access-lists.mdx): Regularly audit and control membership to specific roles and traits, which then tie easily back into Teleport's existing RBAC system. -- [Device Trust](admin-guides/access-controls/device-trust.mdx): Require an up-to-date, +- [Device Trust](admin-guides/access-controls/device-trust/device-trust.mdx): Require an up-to-date, registered device for each authentication by giving every device a cryptographic identity. - [Session & Identity Locks](admin-guides/access-controls/guides/locking.mdx): Lock diff --git a/docs/pages/installation.mdx b/docs/pages/installation.mdx index 04bf752645955..1fb269e1a46c4 100644 --- a/docs/pages/installation.mdx +++ b/docs/pages/installation.mdx @@ -22,7 +22,7 @@ version as the cluster they are connecting to. Teleport servers are compatible with clients that are on the same major version or one major version older. Teleport servers do not support clients that are on a newer major version. -See our [Upgrading](./upgrading.mdx) guide for more information. +See our [Upgrading](upgrading/upgrading.mdx) guide for more information. ## Operating system support diff --git a/docs/pages/reference/access-controls/access-lists.mdx b/docs/pages/reference/access-controls/access-lists.mdx index 560505b10501e..e36b2c143bf3e 100644 --- a/docs/pages/reference/access-controls/access-lists.mdx +++ b/docs/pages/reference/access-controls/access-lists.mdx 
@@ -139,4 +139,4 @@ above) and run `tctl create `. Access Lists can be updated by using `t `tctl` also supports a subset of Access List focused commands under the `tctl acl` subcommand. Through these you can list Access Lists, get information about a particular Access Lists, and manage Access List users. To see more details, run `tctl acl --help`. More detail can be seen in the -[CLI Reference](../../reference/cli.mdx). +[CLI Reference](../cli/cli.mdx). diff --git a/docs/pages/reference/access-controls/roles.mdx b/docs/pages/reference/access-controls/roles.mdx index 10989cd5b2484..8975dc1896abd 100644 --- a/docs/pages/reference/access-controls/roles.mdx +++ b/docs/pages/reference/access-controls/roles.mdx @@ -22,7 +22,7 @@ resources: - [Custom API clients](../../admin-guides/api/rbac.mdx) To read more about managing dynamic resources, see the [Dynamic -Resources](../../admin-guides/infrastructure-as-code.mdx) guide. +Resources](../../admin-guides/infrastructure-as-code/infrastructure-as-code.mdx) guide. You can view all roles in your cluster on your local workstation by running the following commands: 
@@ -71,7 +71,7 @@ user: | `pin_source_ip` | Enable source IP pinning for SSH certificates. | Logical "OR" i.e. evaluates to "yes" if at least one role requires session termination | | `cert_extensions` | Specifies extensions to be included in SSH certificates | | | `create_host_user_mode` | Allow users to be automatically created on a host | Logical "AND" i.e. if all roles matching a server specify host user creation (`off`, `keep`, `insecure-drop`), it will evaluate to the option specified by all of the roles. If some roles specify both `insecure-drop` or `keep` it will evaluate to `keep`| -| `create_db_user_mode` | Allow [database user auto provisioning](../../enroll-resources/database-access/auto-user-provisioning.mdx). Options: `off` (disable database user auto-provisioning), `keep` (disables the user at session end, removing the roles and locking it), and `best_effort_drop` (try to drop the user at session end, if it doesn't succeed, fallback to disabling it). | Logical "OR" i.e. if any role allows database user auto-provisioning, it's allowed | +| `create_db_user_mode` | Allow [database user auto provisioning](../../enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx). Options: `off` (disable database user auto-provisioning), `keep` (disables the user at session end, removing the roles and locking it), and `best_effort_drop` (try to drop the user at session end, if it doesn't succeed, fallback to disabling it). | Logical "OR" i.e. if any role allows database user auto-provisioning, it's allowed | ## Preset roles diff --git a/docs/pages/reference/architecture/agent-update-management.mdx b/docs/pages/reference/architecture/agent-update-management.mdx index 31f3daabc1c17..1c8da5a0017ae 100644 --- a/docs/pages/reference/architecture/agent-update-management.mdx +++ b/docs/pages/reference/architecture/agent-update-management.mdx 
@@ -56,7 +56,7 @@ The agent version is subject to the following constraints: The best practice is to always align the agent version with the Proxy and Auth ones. To upgrade Auth and Proxy, follow [the Teleport Cluster upgrade guide -](../../upgrading.mdx). +](../../upgrading/upgrading.mdx). For this reason, all updaters must subscribe to a release channel targeting versions that are compatible with their Teleport cluster. Teleport Cloud users @@ -95,4 +95,4 @@ Self-hosted users must first [set up self-hosted automatic agent upgrades ](../../upgrading/automatic-agent-updates.mdx). After that, you can set enroll agents in automatic updates as part of the -[upgrading procedure](../../upgrading.mdx). +[upgrading procedure](../../upgrading/upgrading.mdx). diff --git a/docs/pages/reference/architecture/agents.mdx b/docs/pages/reference/architecture/agents.mdx index 0cd4dff2f063e..51682ab357b6b 100644 --- a/docs/pages/reference/architecture/agents.mdx +++ b/docs/pages/reference/architecture/agents.mdx @@ -69,7 +69,7 @@ following components: The Teleport Auth Service runs a certificate authority that issues a host certificate to an agent when it joins the cluster for the first time. Read [Join -Services to your Teleport Cluster](../../enroll-resources/agents/join-services-to-your-cluster.mdx) +Services to your Teleport Cluster](../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) for the available methods you can use to join an agent to your Teleport cluster. All agents in a Teleport cluster keep the Auth Service updated on their status 
@@ -172,12 +172,12 @@ To learn more about the mechanism an agent uses to authenticate to an infrastructure resource, read the guide to enrolling that resource in your Teleport cluster: -- [Applications](../../enroll-resources/application-access/guides.mdx) -- [Cloud provider APIs](../../enroll-resources/application-access/cloud-apis.mdx) -- [Databases](../../enroll-resources/database-access/guides.mdx) -- [Kubernetes clusters](../../enroll-resources/kubernetes-access/register-clusters.mdx) +- [Applications](../../enroll-resources/application-access/guides/guides.mdx) +- [Cloud provider APIs](../../enroll-resources/application-access/cloud-apis/cloud-apis.mdx) +- [Databases](../../enroll-resources/database-access/guides/guides.mdx) +- [Kubernetes clusters](../../enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx) - [Linux hosts with Teleport](../../enroll-resources/server-access/getting-started.mdx) -- [OpenSSH servers](../../enroll-resources/server-access/openssh.mdx) +- [OpenSSH servers](../../enroll-resources/server-access/openssh/openssh.mdx) - [Windows desktops](../../enroll-resources/desktop-access/getting-started.mdx) ## Clients to agents diff --git a/docs/pages/reference/architecture/api-architecture.mdx b/docs/pages/reference/architecture/api-architecture.mdx index 7ebb9bba6541c..c02c311a7d51e 100644 --- a/docs/pages/reference/architecture/api-architecture.mdx +++ b/docs/pages/reference/architecture/api-architecture.mdx @@ -53,7 +53,7 @@ The Teleport Go client requires credentials in order to authenticate with a Teleport cluster. Credentials are created by using Credential loaders, which gather certificates -and data generated by [Teleport CLIs](../cli.mdx). +and data generated by [Teleport CLIs](../cli/cli.mdx). Since there are several Credential loaders to choose from with distinct benefits, here's a quick breakdown: 
diff --git a/docs/pages/reference/architecture/architecture.mdx b/docs/pages/reference/architecture/architecture.mdx index c93c95eb70686..bab8bbee62285 100644 --- a/docs/pages/reference/architecture/architecture.mdx +++ b/docs/pages/reference/architecture/architecture.mdx @@ -83,7 +83,7 @@ deny access to a resource. Agents must establish trust with the Teleport Auth Service when first joining a cluster, and there is are [variety of -methods](../../enroll-resources/agents/join-services-to-your-cluster.mdx) that +methods](../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) that Agents use for this. Read more about [Teleport Agent Architecture](agents.mdx). You can also read @@ -110,7 +110,7 @@ Instances of the `tbot` binary communicate with the Teleport Auth Service to continuously refresh credentials. As with Agents, administrators must deploy `tbot` instances on their own infrastructure, including on CI/CD platforms such as GitHub Actions, and [join -them](../../enroll-resources/machine-id/deployment.mdx) to a cluster. +them](../../enroll-resources/machine-id/deployment/deployment.mdx) to a cluster. Read more about [Machine ID Architecture](machine-id-architecture.mdx). diff --git a/docs/pages/reference/architecture/authorization.mdx b/docs/pages/reference/architecture/authorization.mdx index 6f615c4613347..a432b7c8d108b 100644 --- a/docs/pages/reference/architecture/authorization.mdx +++ b/docs/pages/reference/architecture/authorization.mdx @@ -52,7 +52,7 @@ that this cluster trusts. In this case, Teleport activates [trusted cluster mapp Local interactive users have a record in Teleport's backend with credentials. A cluster administrator have to create account entries for every Teleport user with -[`tctl users add`](../cli.mdx) or API call. +[`tctl users add`](../cli/cli.mdx) or API call. Every local Teleport User must be associated with a list of one or more roles. This list is called "role mappings". 
@@ -394,7 +394,7 @@ spec: - [Access Control Reference](../access-controls/roles.mdx). - [Teleport Predicate Language](../predicate-language.mdx). -- [Access Requests Guides](../../admin-guides/access-controls/access-requests.mdx) +- [Access Requests Guides](../../admin-guides/access-controls/access-requests/access-requests.mdx) - [Architecture Overview](../../core-concepts.mdx) - [Teleport Auth](authentication.mdx) - [Teleport Agents](agents.mdx) diff --git a/docs/pages/reference/cli.mdx b/docs/pages/reference/cli/cli.mdx similarity index 75% rename from docs/pages/reference/cli.mdx rename to docs/pages/reference/cli/cli.mdx index 47bb23603f943..3edb955f5332d 100644 --- a/docs/pages/reference/cli.mdx +++ b/docs/pages/reference/cli/cli.mdx 
@@ -6,11 +6,11 @@ description: Detailed guide and reference documentation for Teleport's command l Teleport is made up of five CLI tools. -- [teleport](./cli/teleport.mdx): Supports the Teleport Access Platform by starting and configuring various Teleport services. -- [tsh](./cli/tsh.mdx): Allows end users to authenticate to Teleport and access resources in a cluster. -- [tctl](./cli/tctl.mdx): Used to configure the Teleport Auth Service. -- [tbot](./cli/tbot.mdx): Supports Machine ID, which provides short lived credentials to service accounts (e.g, a CI/CD server). -- [fdpass-teleport](./cli/fdpass-teleport.mdx): Supports integrating Machine ID with OpenSSH for higher performance SSH connections. +- [teleport](teleport.mdx): Supports the Teleport Access Platform by starting and configuring various Teleport services. +- [tsh](tsh.mdx): Allows end users to authenticate to Teleport and access resources in a cluster. +- [tctl](tctl.mdx): Used to configure the Teleport Auth Service. +- [tbot](tbot.mdx): Supports Machine ID, which provides short lived credentials to service accounts (e.g, a CI/CD server). +- [fdpass-teleport](fdpass-teleport.mdx): Supports integrating Machine ID with OpenSSH for higher performance SSH connections. (!docs/pages/includes/permission-warning.mdx!) @@ -53,7 +53,7 @@ desktops, and Kubernetes clusters using the `--search` and `--query` flags. The `--search` flag performs a simple fuzzy search on resource fields. For example, `--search=mac` searches for resources containing `mac`. -The `--query` flag allows you to perform more sophisticated searches using a [predicate language](predicate-language.mdx#resource-filtering). +The `--query` flag allows you to perform more sophisticated searches using a [predicate language](../predicate-language.mdx). In both cases, you can further refine the results by appending a list of comma-separated labels to the command. For example: 
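Review bot: the `--query` link in docs/pages/reference/cli/cli.mdx (`@@ -53,7 +53,7 @@`) loses its `#resource-filtering` fragment along with the path fix, so readers now land at the top of the predicate-language page instead of on the resource-filtering section. Keep the anchor, `[predicate language](../predicate-language.mdx#resource-filtering)`, unless that heading no longer exists, in which case say so in the PR description.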
diff --git a/docs/pages/reference/cloud-faq.mdx b/docs/pages/reference/cloud-faq.mdx index 7974c5cf79292..1a1d5e3ede050 100644 --- a/docs/pages/reference/cloud-faq.mdx +++ b/docs/pages/reference/cloud-faq.mdx @@ -67,7 +67,7 @@ S3, are established using encryption provided by AWS, both at rest and in transi You can connect servers, Kubernetes clusters, databases, desktops, and applications using [reverse -tunnels](../enroll-resources/agents/join-services-to-your-cluster.mdx). +tunnels](../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx). There is no need to open any ports on your infrastructure for inbound traffic. diff --git a/docs/pages/reference/config.mdx b/docs/pages/reference/config.mdx index 288d64327c69d..7d00215cd30df 100644 --- a/docs/pages/reference/config.mdx +++ b/docs/pages/reference/config.mdx @@ -99,7 +99,7 @@ These settings apply to any `teleport` instance: Further reading: - [Joining Services to a - Cluster](../enroll-resources/agents/join-services-to-your-cluster.mdx): + Cluster](../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx): Available join methods to help you configure `join_params`. - [Using a CA Pin](../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx): 
@@ -141,11 +141,11 @@ Further reading: - [Headless WebAuthn](../admin-guides/access-controls/guides/headless.mdx): The `headless` authentication option. -- [Single Sign-On](../admin-guides/access-controls/sso.mdx): Configuring SSO +- [Single Sign-On](../admin-guides/access-controls/sso/sso.mdx): Configuring SSO so you can configure Teleport to use a specific SSO authentication connector. - [Locking](../admin-guides/access-controls/guides/locking.mdx): Configuring the `locking_mode` option. -- [Device Trust](../admin-guides/access-controls/device-trust.mdx): Configuring +- [Device Trust](../admin-guides/access-controls/device-trust/device-trust.mdx): Configuring the `device_trust` section. - [Recording Proxy Mode](architecture/session-recording.mdx): If you configure Recording Proxy Mode, consider enabling `proxy_checks_host_keys`. diff --git a/docs/pages/reference/helm-reference.mdx b/docs/pages/reference/helm-reference/helm-reference.mdx similarity index 58% rename from docs/pages/reference/helm-reference.mdx rename to docs/pages/reference/helm-reference/helm-reference.mdx index daac382c8ba6d..61f9efaaf7d02 100644 --- a/docs/pages/reference/helm-reference.mdx +++ b/docs/pages/reference/helm-reference/helm-reference.mdx 
@@ -5,40 +5,40 @@ description: Comprehensive lists of configuration values in Teleport's Helm char layout: tocless-doc --- -- [teleport-cluster](./helm-reference/teleport-cluster.mdx): Deploy the +- [teleport-cluster](teleport-cluster.mdx): Deploy the `teleport` daemon on Kubernetes with preset configurations for the Auth and Proxy Services and support for any Teleport service configuration. -- [teleport-kube-agent](./helm-reference/teleport-kube-agent.mdx): Deploy the +- [teleport-kube-agent](teleport-kube-agent.mdx): Deploy the Teleport Kubernetes Service, Application Service, or Database Service on Kubernetes. -- [teleport-operator](./helm-reference/teleport-operator.mdx): Deploy the +- [teleport-operator](teleport-operator.mdx): Deploy the Teleport Kubernetes Operator. -- [teleport-access-graph](./helm-reference/teleport-access-graph.mdx): Deploy the +- [teleport-access-graph](teleport-access-graph.mdx): Deploy the Teleport Policy Access Graph service. -- [teleport-plugin-event-handler](./helm-reference/teleport-plugin-event-handler.mdx): +- [teleport-plugin-event-handler](teleport-plugin-event-handler.mdx): Deploy the Teleport Event Handler plugin which sends events and session logs to Fluentd. -- [teleport-plugin-discord](./helm-reference/teleport-plugin-discord.mdx): Deploy +- [teleport-plugin-discord](teleport-plugin-discord.mdx): Deploy the Teleport Discord Plugin, which allows notifying Discord users and channels when Access Requests are made. -- [teleport-plugin-email](./helm-reference/teleport-plugin-email.mdx): Deploy +- [teleport-plugin-email](teleport-plugin-email.mdx): Deploy the Teleport email Plugin, which allows notifying via email when Access Requests are made. -- [teleport-plugin-jira](./helm-reference/teleport-plugin-jira.mdx): Deploy +- [teleport-plugin-jira](teleport-plugin-jira.mdx): Deploy the Teleport Jira Access Request Plugin, which allows approving of denying Access Requests via a Jira Project. 
-- [teleport-plugin-mattermost](./helm-reference/teleport-plugin-mattermost.mdx): +- [teleport-plugin-mattermost](teleport-plugin-mattermost.mdx): Deploy the Teleport Mattermost Access Request Plugin, which allows approving or denying Access Requests via Mattermost. -- [teleport-plugin-msteams](./helm-reference/teleport-plugin-msteams.mdx): +- [teleport-plugin-msteams](teleport-plugin-msteams.mdx): Deploy the Teleport MsTeams Access Request Plugin, which allows approving or denying Access Requests via MsTeams. -- [teleport-plugin-pagerduty](./helm-reference/teleport-plugin-pagerduty.mdx): +- [teleport-plugin-pagerduty](teleport-plugin-pagerduty.mdx): Deploy the Teleport PagerDuty Plugin, which allows sending PagerDuty alerts when Access Requests are made. -- [teleport-plugin-slack](./helm-reference/teleport-plugin-slack.mdx): Deploy +- [teleport-plugin-slack](teleport-plugin-slack.mdx): Deploy the Teleport Slack Plugin, which allows notifying Slack users and channels when Access Requests are made. -- [teleport-plugin-datadog](./helm-reference/teleport-plugin-datadog.mdx): Deploy +- [teleport-plugin-datadog](teleport-plugin-datadog.mdx): Deploy the Teleport Datadog Incident Management Plugin, which allows Access Requests to be managed as Datadog incidents. \ No newline at end of file diff --git a/docs/pages/reference/helm-reference/teleport-cluster.mdx b/docs/pages/reference/helm-reference/teleport-cluster.mdx index 32fb686f0fe2e..22c96c6302280 100644 --- a/docs/pages/reference/helm-reference/teleport-cluster.mdx +++ b/docs/pages/reference/helm-reference/teleport-cluster.mdx 
@@ -256,7 +256,7 @@ Possible values are `local` and `github` for Teleport Community Edition, plus `o | `string` | `""` | No | `auth_service.authentication.connector_name` | `authentication.connectorName` sets the default authentication connector. -[The SSO documentation](../../admin-guides/access-controls/sso.mdx) explains how to create +[The SSO documentation](../../admin-guides/access-controls/sso/sso.mdx) explains how to create authentication connectors for common identity providers. In addition to SSO connector names, the following built-in connectors are supported: diff --git a/docs/pages/reference/helm-reference/teleport-kube-agent.mdx b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx index a46593e43457f..90c2f2f053ca8 100644 --- a/docs/pages/reference/helm-reference/teleport-kube-agent.mdx +++ b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx @@ -23,8 +23,8 @@ The `teleport-kube-agent` chart can run any or all of three Teleport services: | Teleport service | Name for `roles` and `tctl tokens add` | Purpose | |---------------------------------------------------------------------------|----------------------------------------|----------------------------------------------------------------------------------------------| | [`kubernetes_service`](../../enroll-resources/kubernetes-access/introduction.mdx) | `kube` | Uses Teleport to handle authentication
with and proxy access to a Kubernetes cluster | -| [`application_service`](../../enroll-resources/application-access/guides.mdx) | `app` | Uses Teleport to handle authentication
with and proxy access to web-based applications | -| [`database_service`](../../enroll-resources/database-access/guides.mdx) | `db` | Uses Teleport to handle authentication
with and proxy access to databases | +| [`application_service`](../../enroll-resources/application-access/guides/guides.mdx) | `app` | Uses Teleport to handle authentication
with and proxy access to web-based applications | +| [`database_service`](../../enroll-resources/database-access/guides/guides.mdx) | `db` | Uses Teleport to handle authentication
with and proxy access to databases | | [`discovery_service`](../../enroll-resources/auto-discovery/auto-discovery.mdx) | `discovery` | Uses Teleport to discover new resources
and dynamically add them to the cluster | | [`jamf_service`](../../admin-guides/access-controls/device-trust/jamf-integration.mdx) | `jamf` | Uses Teleport to integrate with Jamf Pro
and sync devices with Device Trust inventory | diff --git a/docs/pages/reference/monitoring/audit.mdx b/docs/pages/reference/monitoring/audit.mdx index d772f076a33ba..c547c3c91e717 100644 --- a/docs/pages/reference/monitoring/audit.mdx +++ b/docs/pages/reference/monitoring/audit.mdx @@ -127,7 +127,7 @@ Below are some possible types of audit events. This list is not comprehensive. We recommend exporting audit events to a platform that automatically parses event payloads so you can group and filter them by their `event` key and discover trends. To set up audit event exporting, -read [Exporting Teleport Audit Events](../../admin-guides/management/export-audit-events.mdx). +read [Exporting Teleport Audit Events](../../admin-guides/management/export-audit-events/export-audit-events.mdx).
diff --git a/docs/pages/reference/predicate-language.mdx b/docs/pages/reference/predicate-language.mdx index 2da0ce3c7e110..921436f125519 100644 --- a/docs/pages/reference/predicate-language.mdx +++ b/docs/pages/reference/predicate-language.mdx @@ -72,7 +72,7 @@ The language also supports the following functions: | `split(labels["foo"], ",")` | converts a delimited string into a list | | `contains(split(labels["foo"], ","), "bar")` | determines if a value exists in a list | -See some [examples](cli.mdx#filter-examples) of the different ways you can filter resources. +See some [examples](cli/cli.mdx) of the different ways you can filter resources. ## Label expressions diff --git a/docs/pages/reference/resources.mdx b/docs/pages/reference/resources.mdx index 309e36be5d129..90df80f6feefa 100644 --- a/docs/pages/reference/resources.mdx +++ b/docs/pages/reference/resources.mdx @@ -6,7 +6,7 @@ description: Reference documentation for Teleport resources This reference guide lists dynamic resources you can manage with Teleport. For more information on dynamic resources, see our guide to [Using Dynamic -Resources](../admin-guides/infrastructure-as-code.mdx). +Resources](../admin-guides/infrastructure-as-code/infrastructure-as-code.mdx). Examples of applying dynamic resources with `tctl`: 
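Review bot: the `[examples]` link in docs/pages/reference/predicate-language.mdx (`@@ -72,7 +72,7 @@`) changes `cli.mdx#filter-examples` to `cli/cli.mdx`, dropping the `#filter-examples` fragment that pointed at the filter examples on the CLI page. Suggest `[examples](cli/cli.mdx#filter-examples)` so the deep link is preserved; if the fragment was dropped on purpose because the heading moved, the replacement should point at the new heading.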
@@ -51,11 +51,11 @@ Here's the list of resources currently exposed via [`tctl`](./cli/tctl.mdx): | - | - | | [user](#user) | A user record in the internal Teleport user DB. | | [role](#role) | A role assumed by interactive and non-interactive users. | -| connector | Authentication connectors for [Single Sign-On](../admin-guides/access-controls/sso.mdx) (SSO) for SAML, OIDC and GitHub. | +| connector | Authentication connectors for [Single Sign-On](../admin-guides/access-controls/sso/sso.mdx) (SSO) for SAML, OIDC and GitHub. | | node | A registered SSH node. The same record is displayed via `tctl nodes ls`. | | windows_desktop | A registered Windows desktop. | | cluster | A trusted cluster. See [here](../admin-guides/management/admin/trustedclusters.mdx) for more details on connecting clusters together. | -| [login_rule](#login-rules) | A Login Rule, see the [Login Rules guide](../admin-guides/access-controls/login-rules.mdx) for more info. | +| [login_rule](#login-rules) | A Login Rule, see the [Login Rules guide](../admin-guides/access-controls/login-rules/login-rules.mdx) for more info. | | [device](#device) | A Teleport Trusted Device, see the [Device Trust guide](../admin-guides/access-controls/device-trust/guide.mdx) for more info. | | [ui_config](#ui-config) | Configuration for the Web UI served by the Proxy Service. | | [vnet_config](#vnet-config) | Configuration for the cluster's VNet options. | diff --git a/docs/pages/reference/terraform-provider.mdx b/docs/pages/reference/terraform-provider.mdx index b04413e9454b4..0c959e49ff397 100644 --- a/docs/pages/reference/terraform-provider.mdx +++ b/docs/pages/reference/terraform-provider.mdx 
@@ -14,7 +14,7 @@ It lists all the supported resources and their fields. To get started with the Terraform provider, you must start with [the installation -guide](../admin-guides/infrastructure-as-code/terraform-provider.mdx). +guide](../admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx). Once you got a working provider, we recommend you to follow the ["Managing users and roles with IaC"]( ../admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx) guide. @@ -80,7 +80,8 @@ provider "teleport" { This section lists the different ways of passing credentials to the Terraform provider. You can find which method fits your use case in -the [Teleport Terraform provider setup page](../admin-guides/infrastructure-as-code/terraform-provider.mdx) +the [Teleport Terraform provider setup +page](../admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx) ### With an identity file @@ -115,7 +116,8 @@ the ["Run the Terraform provider locally" guide](../admin-guides/infrastructure- short-lived credentials. Such credentials are harder to exfiltrate, and you can control more precisely who has access to which roles (e.g. you can allow only GitHub Actions pipelines targeting the `prod` environment to get certificates). -You can follow [the Terraform Provider guide](../admin-guides/infrastructure-as-code/terraform-provider.mdx) to setup `tbot` +You can follow [the Terraform Provider +guide](../admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx) to setup `tbot` and have Terraform use its identity. #### Obtaining an identity file via `tctl auth sign` diff --git a/docs/pages/reference/user-types.mdx b/docs/pages/reference/user-types.mdx index f779d5098d1c3..07ef90fcff601 100644 --- a/docs/pages/reference/user-types.mdx +++ b/docs/pages/reference/user-types.mdx 
@@ -68,7 +68,7 @@ and automatically expire. The expiry is dynamically computed based on the IdP answer validity, the max session duration allowed by the user roles, and cannot exceed 30 hours. Those users cannot be edited via `tctl`, only deleted. -See the [SSO setup guides](../admin-guides/access-controls/sso.mdx) to learn how to setup an +See the [SSO setup guides](../admin-guides/access-controls/sso/sso.mdx) to learn how to setup an authentication connector and allow user to log in via an IdP. ### Synced users diff --git a/docs/pages/upgrading/overview.mdx b/docs/pages/upgrading/overview.mdx index f6fd3c03e0740..0f229ba86f285 100644 --- a/docs/pages/upgrading/overview.mdx +++ b/docs/pages/upgrading/overview.mdx @@ -69,5 +69,5 @@ upgrade from v10 to v11. ## Next steps -Return to the [Upgrading Introduction](../upgrading.mdx) for how to upgrade +Return to the [Upgrading Introduction](upgrading.mdx) for how to upgrade individual components within your Teleport cluster. diff --git a/docs/pages/upgrading.mdx b/docs/pages/upgrading/upgrading.mdx similarity index 71% rename from docs/pages/upgrading.mdx rename to docs/pages/upgrading/upgrading.mdx index c66546df6e21f..9657cdfc3e1da 100644 --- a/docs/pages/upgrading.mdx +++ b/docs/pages/upgrading/upgrading.mdx 
@@ -6,18 +6,18 @@ description: Explains how to upgrade Teleport depending on your environment and The guides in this section show you how to upgrade Teleport to a more recent version. -Read the [Upgrading Compatibility Overview](./upgrading/overview.mdx) to +Read the [Upgrading Compatibility Overview](overview.mdx) to understand how to upgrade components in your Teleport cluster while ensuring compatibility between all components. If you have a Teleport Enterprise (Cloud) account, you **must** [set up automatic -Teleport agent updates](./upgrading/automatic-agent-updates.mdx) to ensure that +Teleport agent updates](automatic-agent-updates.mdx) to ensure that the version of Teleport running on agents is always compatible with that of the Teleport cluster. You can also set up automatic agent upgrades in a self-hosted Enterprise cluster. For more information about upgrading, for example, to upgrade manually, read the -[Upgrading Reference](upgrading/upgrading-reference.mdx). +[Upgrading Reference](upgrading-reference.mdx). You can find more information regarding the automatic updates architecture in the -[Agent Update Management](reference/architecture/agent-update-management.mdx) page. +[Agent Update Management](../reference/architecture/agent-update-management.mdx) page. diff --git a/integrations/terraform/templates/index.md.tmpl b/integrations/terraform/templates/index.md.tmpl index cbf2c36eb98a8..15bc1c7c81fa5 100644 --- a/integrations/terraform/templates/index.md.tmpl +++ b/integrations/terraform/templates/index.md.tmpl 
@@ -14,7 +14,7 @@ It lists all the supported resources and their fields. To get started with the Terraform provider, you must start with [the installation -guide](../admin-guides/infrastructure-as-code/terraform-provider.mdx). +guide](../admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx). Once you got a working provider, we recommend you to follow the ["Managing users and roles with IaC"]( ../admin-guides/infrastructure-as-code/managing-resources/user-and-role.mdx) guide. @@ -80,7 +80,8 @@ provider "teleport" { This section lists the different ways of passing credentials to the Terraform provider. You can find which method fits your use case in -the [Teleport Terraform provider setup page](../admin-guides/infrastructure-as-code/terraform-provider.mdx) +the [Teleport Terraform provider setup +page](../admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx) ### With an identity file @@ -115,7 +116,8 @@ the ["Run the Terraform provider locally" guide](../admin-guides/infrastructure- short-lived credentials. Such credentials are harder to exfiltrate, and you can control more precisely who has access to which roles (e.g. you can allow only GitHub Actions pipelines targeting the `prod` environment to get certificates). -You can follow [the Terraform Provider guide](../admin-guides/infrastructure-as-code/terraform-provider.mdx) to setup `tbot` +You can follow [the Terraform Provider +guide](../admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx) to setup `tbot` and have Terraform use its identity. #### Obtaining an identity file via `tctl auth sign`
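Review bot: the `docs/pages/reference/predicate-language.mdx` hunk drops the fragment from the link target: `-See some [examples](cli.mdx#filter-examples)` becomes `+See some [examples](cli/cli.mdx)`, so readers now land at the top of the CLI index page instead of on the filter examples the sentence promises. If the "Filter examples" section still exists on the moved page, keep the anchor as `cli/cli.mdx#filter-examples`; if it now lives on a per-command page such as `cli/tctl.mdx` (which `resources.mdx` already links to elsewhere in this patch), point there, with the anchor, instead.

Review bot: in the third hunk of both `docs/pages/reference/terraform-provider.mdx` and `integrations/terraform/templates/index.md.tmpl`, the `@@ -115,7 +116,8 @@` header shows an untouched link to the "Run the Terraform provider locally" guide under `../admin-guides/infrastructure-as-code/...`, the same section whose index this patch moves to `infrastructure-as-code/infrastructure-as-code.mdx`; confirm that target was not also relocated rather than leaving it to the link checker. The two files carry byte-identical hunks, which is what you want if the reference page is rendered from the template; keep them in lockstep so a regeneration does not silently revert the `.mdx`.

Review bot: the rename `docs/pages/upgrading.mdx` -> `docs/pages/upgrading/upgrading.mdx` rewrites its own relative links correctly (`./upgrading/overview.mdx` -> `overview.mdx`, `reference/architecture/agent-update-management.mdx` -> `../reference/architecture/agent-update-management.mdx`) and `upgrading/overview.mdx` is updated from `../upgrading.mdx` to `upgrading.mdx`, but only `overview.mdx` is adjusted here. Check the other pages already in `upgrading/` (`automatic-agent-updates.mdx` and `upgrading-reference.mdx` are both referenced from the moved page) for any `../upgrading.mdx` links that now need the same fix, and make sure the old `/upgrading` path is covered by the redirects this change adds for the other moved index pages.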