Merge branch 'master' into joerger/sso-mfa-ceremony

.github/workflows/lint.yaml

@@ -63,7 +63,6 @@ jobs:
               - 'docs/pages/admin-guides/**'
               - 'docs/pages/enroll-resources/**'
               - 'docs/pages/reference/operator-resources/**'
-              - 'docs/pages/reference/terraform-provider.mdx'
               - 'docs/pages/reference/terraform-provider/**'
               - 'examples/chart/teleport-cluster/charts/teleport-operator/operator-crds'
 

Makefile

@@ -820,10 +820,6 @@ RERUN := $(TOOLINGDIR)/bin/rerun
 $(RERUN): $(wildcard $(TOOLINGDIR)/cmd/rerun/*.go)
 	cd $(TOOLINGDIR) && go build -o "$@" ./cmd/rerun
 
-RELEASE_NOTES_GEN := $(TOOLINGDIR)/bin/release-notes
-$(RELEASE_NOTES_GEN): $(wildcard $(TOOLINGDIR)/cmd/release-notes/*.go)
-	cd $(TOOLINGDIR) && go build -o "$@" ./cmd/release-notes
-
 .PHONY: tooling
 tooling: ensure-gotestsum $(DIFF_TEST)
 
@@ -1822,11 +1818,13 @@ changelog:
 # does not match version set it will fail to create a release. If tag doesn't exist it
 # will also fail to create a release.
 #
-# For more information on release notes generation see ./build.assets/tooling/cmd/release-notes
+# For more information on release notes generation see: 
+#   https://github.com/gravitational/shared-workflows/tree/gus/release-notes/tools/release-notes#readme
+RELEASE_NOTES_GEN = github.com/gravitational/shared-workflows/tools/release-notes@latest
 .PHONY: create-github-release
 create-github-release: LATEST = false
 create-github-release: GITHUB_RELEASE_LABELS = ""
-create-github-release: $(RELEASE_NOTES_GEN)
+create-github-release:
 	@NOTES=$$($(RELEASE_NOTES_GEN) --labels=$(GITHUB_RELEASE_LABELS) $(VERSION) CHANGELOG.md) && gh release create v$(VERSION) \
 	-t "Teleport $(VERSION)" \
 	--latest=$(LATEST) \

api/client/webclient/webclient.go

@@ -305,6 +305,10 @@ type PingResponse struct {
 	// reserved: license_warnings ([]string)
 	// AutomaticUpgrades describes whether agents should automatically upgrade.
 	AutomaticUpgrades bool `json:"automatic_upgrades"`
+	// Edition represents the Teleport edition. Possible values are "oss", "ent", and "community".
+	Edition string `json:"edition"`
+	// FIPS represents if Teleport is using FIPS-compliant cryptography.
+	FIPS bool `json:"fips"`
 }
 
 // PingErrorResponse contains the error from /webapi/ping.
@@ -336,6 +340,12 @@ type AutoUpdateSettings struct {
 	ToolsVersion string `json:"tools_version"`
 	// ToolsMode defines mode client auto update feature `enabled|disabled`.
 	ToolsMode string `json:"tools_mode"`
+	// AgentVersion defines the version of teleport that agents enrolled into autoupdates should run.
+	AgentVersion string `json:"agent_version"`
+	// AgentAutoUpdate indicates if the requesting agent should attempt to update now.
+	AgentAutoUpdate bool `json:"agent_auto_update"`
+	// AgentUpdateJitterSeconds defines the jitter time an agent should wait before updating.
+	AgentUpdateJitterSeconds int `json:"agent_update_jitter_seconds"`
 }
 
 // KubeProxySettings is kubernetes proxy settings

api/types/autoupdate/rollout_test.go

@@ -41,7 +41,7 @@ func TestNewAutoUpdateAgentRollout(t *testing.T) {
 			spec: &autoupdate.AutoUpdateAgentRolloutSpec{
 				StartVersion:   "1.2.3",
 				TargetVersion:  "2.3.4-dev",
-				Schedule:       AgentsScheduleRegular,
+				Schedule:       AgentsScheduleImmediate,
 				AutoupdateMode: AgentsUpdateModeEnabled,
 				Strategy:       AgentsStrategyHaltOnError,
 			},
@@ -57,7 +57,7 @@ func TestNewAutoUpdateAgentRollout(t *testing.T) {
 				Spec: &autoupdate.AutoUpdateAgentRolloutSpec{
 					StartVersion:   "1.2.3",
 					TargetVersion:  "2.3.4-dev",
-					Schedule:       AgentsScheduleRegular,
+					Schedule:       AgentsScheduleImmediate,
 					AutoupdateMode: AgentsUpdateModeEnabled,
 					Strategy:       AgentsStrategyHaltOnError,
 				},
@@ -74,7 +74,7 @@ func TestNewAutoUpdateAgentRollout(t *testing.T) {
 			name: "missing start version",
 			spec: &autoupdate.AutoUpdateAgentRolloutSpec{
 				TargetVersion:  "2.3.4-dev",
-				Schedule:       AgentsScheduleRegular,
+				Schedule:       AgentsScheduleImmediate,
 				AutoupdateMode: AgentsUpdateModeEnabled,
 				Strategy:       AgentsStrategyHaltOnError,
 			},
@@ -87,7 +87,7 @@ func TestNewAutoUpdateAgentRollout(t *testing.T) {
 			spec: &autoupdate.AutoUpdateAgentRolloutSpec{
 				StartVersion:   "1.2.3",
 				TargetVersion:  "2-3-4",
-				Schedule:       AgentsScheduleRegular,
+				Schedule:       AgentsScheduleImmediate,
 				AutoupdateMode: AgentsUpdateModeEnabled,
 				Strategy:       AgentsStrategyHaltOnError,
 			},
@@ -100,7 +100,7 @@ func TestNewAutoUpdateAgentRollout(t *testing.T) {
 			spec: &autoupdate.AutoUpdateAgentRolloutSpec{
 				StartVersion:   "1.2.3",
 				TargetVersion:  "2.3.4-dev",
-				Schedule:       AgentsScheduleRegular,
+				Schedule:       AgentsScheduleImmediate,
 				AutoupdateMode: "invalid-mode",
 				Strategy:       AgentsStrategyHaltOnError,
 			},
@@ -126,7 +126,7 @@ func TestNewAutoUpdateAgentRollout(t *testing.T) {
 			spec: &autoupdate.AutoUpdateAgentRolloutSpec{
 				StartVersion:   "1.2.3",
 				TargetVersion:  "2.3.4-dev",
-				Schedule:       AgentsScheduleRegular,
+				Schedule:       AgentsScheduleImmediate,
 				AutoupdateMode: AgentsUpdateModeEnabled,
 				Strategy:       "invalid-strategy",
 			},

api/types/autoupdate/utils.go

@@ -51,8 +51,10 @@ func checkToolsMode(mode string) error {
 
 func checkScheduleName(schedule string) error {
 	switch schedule {
-	case AgentsScheduleRegular, AgentsScheduleImmediate:
+	case AgentsScheduleImmediate:
 		return nil
+	case AgentsScheduleRegular:
+		return trace.BadParameter("regular schedule is not implemented yet")
 	default:
 		return trace.BadParameter("unsupported schedule type: %q", schedule)
 	}

api/types/autoupdate/version_test.go

@@ -94,7 +94,7 @@ func TestNewAutoUpdateVersion(t *testing.T) {
 				Agents: &autoupdate.AutoUpdateVersionSpecAgents{
 					StartVersion:  "1.2.3-dev.1",
 					TargetVersion: "1.2.3-dev.2",
-					Schedule:      AgentsScheduleRegular,
+					Schedule:      AgentsScheduleImmediate,
 					Mode:          AgentsUpdateModeEnabled,
 				},
 			},
@@ -111,7 +111,7 @@ func TestNewAutoUpdateVersion(t *testing.T) {
 					Agents: &autoupdate.AutoUpdateVersionSpecAgents{
 						StartVersion:  "1.2.3-dev.1",
 						TargetVersion: "1.2.3-dev.2",
-						Schedule:      AgentsScheduleRegular,
+						Schedule:      AgentsScheduleImmediate,
 						Mode:          AgentsUpdateModeEnabled,
 					},
 				},
@@ -124,7 +124,7 @@ func TestNewAutoUpdateVersion(t *testing.T) {
 					StartVersion:  "",
 					TargetVersion: "1.2.3",
 					Mode:          AgentsUpdateModeEnabled,
-					Schedule:      AgentsScheduleRegular,
+					Schedule:      AgentsScheduleImmediate,
 				},
 			},
 			assertErr: func(t *testing.T, err error, a ...any) {
@@ -138,7 +138,7 @@ func TestNewAutoUpdateVersion(t *testing.T) {
 					StartVersion:  "1.2.3-dev",
 					TargetVersion: "",
 					Mode:          AgentsUpdateModeEnabled,
-					Schedule:      AgentsScheduleRegular,
+					Schedule:      AgentsScheduleImmediate,
 				},
 			},
 			assertErr: func(t *testing.T, err error, a ...any) {
@@ -152,7 +152,7 @@ func TestNewAutoUpdateVersion(t *testing.T) {
 					StartVersion:  "17-0-0",
 					TargetVersion: "1.2.3",
 					Mode:          AgentsUpdateModeEnabled,
-					Schedule:      AgentsScheduleRegular,
+					Schedule:      AgentsScheduleImmediate,
 				},
 			},
 			assertErr: func(t *testing.T, err error, a ...any) {
@@ -166,7 +166,7 @@ func TestNewAutoUpdateVersion(t *testing.T) {
 					StartVersion:  "1.2.3",
 					TargetVersion: "17-0-0",
 					Mode:          AgentsUpdateModeEnabled,
-					Schedule:      AgentsScheduleRegular,
+					Schedule:      AgentsScheduleImmediate,
 				},
 			},
 			assertErr: func(t *testing.T, err error, a ...any) {

api/types/trustedcluster.go

@@ -22,6 +22,8 @@ import (
 	"time"
 
 	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/api/utils"
 )
 
 // TrustedCluster holds information needed for a cluster that can not be directly
@@ -60,6 +62,8 @@ type TrustedCluster interface {
 	SetReverseTunnelAddress(string)
 	// CanChangeStateTo checks the TrustedCluster can transform into another.
 	CanChangeStateTo(TrustedCluster) error
+	// Clone returns a deep copy of the TrustedCluster.
+	Clone() TrustedCluster
 }
 
 // NewTrustedCluster is a convenience way to create a TrustedCluster resource.
@@ -259,6 +263,10 @@ func (c *TrustedClusterV2) CanChangeStateTo(t TrustedCluster) error {
 	return nil
 }
 
+func (c *TrustedClusterV2) Clone() TrustedCluster {
+	return utils.CloneProtoMsg(c)
+}
+
 // String represents a human readable version of trusted cluster settings.
 func (c *TrustedClusterV2) String() string {
 	return fmt.Sprintf("TrustedCluster(Enabled=%v,Roles=%v,Token=%v,ProxyAddress=%v,ReverseTunnelAddress=%v)",

api/utils/entraid/federation_metadata.go

@@ -0,0 +1,33 @@
+/*
+Copyright 2024 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package entraid
+
+import (
+	"net/url"
+	"path"
+)
+
+// FederationMetadataURL returns the URL for the federation metadata endpoint
+func FederationMetadataURL(tenantID, appID string) string {
+	return (&url.URL{
+		Scheme: "https",
+		Host:   "login.microsoftonline.com",
+		Path:   path.Join(tenantID, "federationmetadata", "2007-06", "federationmetadata.xml"),
+		RawQuery: url.Values{
+			"appid": {appID},
+		}.Encode(),
+	}).String()
+}

assets/aws/files/system/teleport-proxy-acm.service

@@ -11,8 +11,6 @@ Restart=always
 RestartSec=5
 RuntimeDirectory=teleport
 EnvironmentFile=-/etc/default/teleport
-# TODO(gus): REMOVE IN 17.0.0 - /etc/default/teleport should be used instead
-EnvironmentFile=/etc/teleport.d/conf
 ExecStartPre=/usr/local/bin/teleport-ssm-get-token
 ExecStart=/usr/local/bin/teleport start --config=/etc/teleport.yaml --diag-addr=127.0.0.1:3000 --pid-file=/run/teleport/teleport.pid
 # systemd before 239 needs an absolute path

assets/aws/files/system/teleport-proxy.service

@@ -11,8 +11,6 @@ Restart=always
 RestartSec=5
 RuntimeDirectory=teleport
 EnvironmentFile=-/etc/default/teleport
-# TODO(gus): REMOVE IN 17.0.0 - /etc/default/teleport should be used instead
-EnvironmentFile=/etc/teleport.d/conf
 ExecStartPre=/usr/local/bin/teleport-ssm-get-token
 ExecStartPre=/bin/aws s3 sync s3://${TELEPORT_S3_BUCKET}/live/${TELEPORT_DOMAIN_NAME} /var/lib/teleport
 ExecStart=/usr/local/bin/teleport start --config=/etc/teleport.yaml --diag-addr=127.0.0.1:3000 --pid-file=/run/teleport/teleport.pid