Merge branch 'branch/v15' into gavinfrazar/v15-add-version-to-error-r…

…eporting
gravitational · Dec 3, 2024 · cf0b4ac · cf0b4ac
2 parents 396de17 + 7438468
commit cf0b4ac
Show file tree

Hide file tree

Showing 54 changed files with 599 additions and 113 deletions.
diff --git a/api/client/credentials_test.go b/api/client/credentials_test.go
@@ -464,6 +464,7 @@ func TestDynamicIdentityFileCreds(t *testing.T) {
 	require.NoError(t, err)
 	wantTLSCert, err := tls.X509KeyPair(tlsCert, keyPEM)
 	require.NoError(t, err)
+	wantTLSCert.Leaf = nil
 	require.Equal(t, wantTLSCert, *gotTLSCert)
 
 	expiry, ok := cred.Expiry()
@@ -522,6 +523,7 @@ func TestDynamicIdentityFileCreds(t *testing.T) {
 	require.NoError(t, err)
 	wantTLSCert, err = tls.X509KeyPair(secondTLSCertPem, keyPEM)
 	require.NoError(t, err)
+	wantTLSCert.Leaf = nil
 	require.Equal(t, wantTLSCert, *gotTLSCert)
 
 	expiry, ok = cred.Expiry()

diff --git a/docs/pages/admin-guides/access-controls/sso/github-sso.mdx b/docs/pages/admin-guides/access-controls/sso/github-sso.mdx
@@ -8,6 +8,34 @@ This guide explains how to set up GitHub Single Sign On (SSO) so you can
 automatically map teams in your GitHub organization to users and roles in
 Teleport.
 
+## How it works
+
+A Teleport administrator creates a GitHub authentication connector on the
+Teleport Auth Service backend and requires Teleport users to authenticate
+through GitHub by creating a cluster authentication preference.
+
+When a user authenticates to Teleport, they receive instructions to finish
+authenticating using GitHub. The Teleport Auth Service receives an OAuth 2.0
+access token from GitHub and authenticates the token. (The GitHub authentication
+connector acts as an OAuth 2.0
+[client](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1).)
+
+The Auth Service then issues short-lived TLS and SSH certificates to the user by
+reading data from the OAuth 2.0 access token. In particular, the Auth Service:
+- Maps the user's GitHub teams to Teleport roles in order to assign the user
+  permissions. 
+- Assigns the user's Teleport username to their GitHub username.
+
+<Notice type="warning">
+
+GitHub usernames are not formatted as email addresses. As a result, any Teleport
+plugin that expects to send email to a user based on their Teleport username
+will not work as expected. For example, the [PagerDuty Access Request
+plugin](../access-request-plugins/ssh-approval-pagerduty.mdx) has this
+limitation.
+
+</Notice>
+
 ## Prerequisites
 
 - A GitHub organization with at least one team. 

diff --git a/docs/pages/changelog.mdx b/docs/pages/changelog.mdx
@@ -2,5 +2,6 @@
 title: Teleport Changelog
 description: The Changelog provides a comprehensive description of the changes introduced by each Teleport release.
 ---
-{/*lint disable messaging*/}
+{/*lint disable absolute-docs-links*/}
+
 (!CHANGELOG.md!)
diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/aws-ec2.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/aws-ec2.mdx
@@ -45,7 +45,7 @@ Teleport processes joining the cluster.
   by default). Remove the data directory if this instance has previously joined
   a Teleport cluster.
 
-## Step 1/4. Set up AWS IAM credentials
+## Step 1/5. Set up AWS IAM credentials
 
 The Teleport Auth Service needs permission to call `ec2:DescribeInstances` in order to check
 that the EC2 instances attempting to join your cluster are legitimate and
@@ -86,7 +86,7 @@ file or environment variables. See
 [Specifying Credentials](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials)
 for details.
 
-## Step 2/4. Create the AWS joining token
+## Step 2/5. Create the AWS joining token
 
 Configure your Teleport Auth Service with a special dynamic token which will
 allow services from your AWS account to join your Teleport cluster.
@@ -102,7 +102,13 @@ account and the AWS regions in which your EC2 instances will run.
 
 Run `tctl create token.yaml` to create the token.
 
-## Step 3/4. Configure your services
+## Step 3/5 Install Teleport
+
+Install Teleport on your AWS EC2 Instance.
+
+(!docs/pages/includes/install-linux.mdx!)
+
+## Step 4/5. Configure your services
 
 The EC2 join method can be used for Teleport processes running the SSH, Proxy,
 Kubernetes, Application, Database, or Windows Desktop Services. The Teleport
@@ -129,7 +135,7 @@ proxy_service:
   enabled: no
 ```
 
-## Step 4/4. Launch your Teleport process
+## Step 5/5. Launch your Teleport process
 
 <Admonition
   type="note"
@@ -144,6 +150,8 @@ proxy_service:
 
 </Admonition>
 
+(!docs/pages/includes/start-teleport.mdx!)
+
 Start Teleport on the host and confirm that it is able to connect to and join
 your cluster. You're all set!
 

diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/aws-iam.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/aws-iam.mdx
@@ -48,7 +48,7 @@ balancer or reverse proxy is available in Teleport 13.0+.
 
 (!docs/pages/includes/tctl.mdx!)
 
-## Step 1/4. Set up AWS IAM credentials
+## Step 1/5. Set up AWS IAM credentials
 
 Every Teleport process using the IAM method to join your Teleport cluster needs
 AWS IAM credentials in order to call the `sts:GetCallerIdentity` API. No
@@ -62,7 +62,7 @@ attached IAM policies at all. If your instance does not otherwise need AWS
 credentials, it is preferred to create and attach an empty role with no attached
 policies.
 
-## Step 2/4. Create the AWS joining token
+## Step 2/5. Create the AWS joining token
 
 Create the following `token.yaml` with an `allow` rule specifying your AWS
 account and the ARN that the Teleport process's identity must match.
@@ -82,7 +82,13 @@ Run the following command to create the token:
 $ tctl create -f token.yaml
 ```
 
-## Step 3/4. Configure your services
+## Step 3/5 Install Teleport
+
+Install Teleport on your AWS EC2 instance.
+
+(!docs/pages/includes/install-linux.mdx!)
+
+## Step 4/5. Configure your services
 
 The IAM join method can be used for Teleport processes running the SSH, Proxy,
 Kubernetes, Application, or Database Service.
@@ -111,7 +117,7 @@ In the `teleport.proxy_server` field, replace the value with the host and web
 port of your Teleport Proxy Service or Teleport Enterprise Cloud tenant, e.g.,
 `mytenant.teleport.sh:443`.
 
-## Step 4/4. Launch your Teleport process
+## Step 5/5. Launch your Teleport process
 
 (!docs/pages/includes/aws-credentials.mdx!)
 

diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/azure.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/azure.mdx
@@ -24,7 +24,7 @@ Teleport Services to a Cluster](join-services-to-your-cluster.mdx).
   assigned to it with permission to read virtual machine info.
 - (!docs/pages/includes/tctl.mdx!)
 
-## Step 1/4. Set up a Managed Identity
+## Step 1/5. Set up a Managed Identity
 
 Every virtual machine hosting a Teleport process using the Azure method to join
 your Teleport cluster needs a Managed Identity assigned to it. The identity
@@ -33,7 +33,7 @@ look up the virtual machine. No other permissions are required.
 
 (!docs/pages/includes/server-access/azure-join-managed-identity.mdx!)
 
-## Step 2/4. Create the Azure joining token
+## Step 2/5. Create the Azure joining token
 
 Under the hood, Teleport processes will prove that they are running in your
 Azure subscription by sending a signed attested data document and access token
@@ -54,7 +54,13 @@ Run the following command to create the token:
 $ tctl create -f token.yaml
 ```
 
-## Step 3/4. Configure your Teleport process
+## Step 3/5 Install Teleport
+
+Install Teleport on your Azure Linux VM.
+
+(!docs/pages/includes/install-linux.mdx!)
+
+## Step 4/5. Configure your Teleport process
 
 The Azure join method can be used for Teleport processes running the SSH, Proxy,
 Kubernetes, Application, Database, or Desktop Service.
@@ -82,7 +88,7 @@ proxy_service:
   enabled: no
 ```
 
-## Step 4/4. Launch your Teleport process
+## Step 5/5. Launch your Teleport process
 
 Start Teleport on the Azure VM.
 

diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/gcp.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/gcp.mdx
@@ -21,7 +21,7 @@ on the Teleport process joining the cluster.
   and with the Teleport binary installed.
 - (!docs/pages/includes/tctl.mdx!)
 
-## Step 1/3. Create the GCP joining token
+## Step 1/4. Create the GCP joining token
 
 Configure your Teleport Auth Service with a special dynamic token which will
 allow services from your GCP projects to join your Teleport cluster.
@@ -42,7 +42,13 @@ Run the following command to create the token:
 $ tctl create token.yaml
 ```
 
-## Step 2/3. Configure your services
+## Step 2/4 Install Teleport
+
+Install Teleport on your GCP Linux VM.
+
+(!docs/pages/includes/install-linux.mdx!)
+
+## Step 3/4. Configure your services
 
 The GCP join method can be used for Teleport processes running the SSH (`Node`), Proxy,
 Kubernetes, Application, Database, or Windows Desktop Services. The Teleport
@@ -68,7 +74,7 @@ proxy_service:
   enabled: no
 ```
 
-## Step 3/3. Launch your Teleport process
+## Step 4/4. Launch your Teleport process
 
 (!docs/pages/includes/start-teleport.mdx!)
 

diff --git a/docs/pages/enroll-resources/enroll-resources.mdx b/docs/pages/enroll-resources/enroll-resources.mdx
@@ -3,4 +3,27 @@ title: Enrolling Teleport Resources
 description: Provides step-by-step instructions for enrolling servers, databases, and other infrastructure resources with your Teleport cluster.
 ---
 
+You can use Teleport to protect infrastructure resources like servers,
+databases, and Kubernetes clusters. Once an infrastructure resource is protected
+by Teleport, you can restrict access to the resource using the Teleport
+[role-based access controls
+system](../admin-guides/access-controls/access-controls.mdx) and use Teleport
+features like session recordings and audit events to understand how your users
+interact with the resource.
+
+To enroll a resource with Teleport, you deploy a Teleport Agent, an instance of
+the `teleport` binary configured to run certain services, such as the Teleport
+SSH Service and Teleport Database Service. You then configure the Agent to proxy
+a resource by querying a service discovery API (Auto Discovery), using a
+[dynamic Teleport
+resource](../admin-guides/infrastructure-as-code/infrastructure-as-code.mdx), or
+naming the resource in the Agent's configuration file. Read more about [Teleport
+Agent architecture](../reference/architecture/agents.mdx).
+
+You can also create a Teleport bot user and set up Machine ID to enable service
+accounts to access Teleport-protected resources.
+
+Read the following documentation for more information on enrolling
+infrastructure resources with Teleport:
+
 (!toc!)
diff --git a/docs/pages/includes/helm-reference/zz_generated.teleport-operator.mdx b/docs/pages/includes/helm-reference/zz_generated.teleport-operator.mdx
@@ -149,6 +149,26 @@ put on the `Pod` resources created by the chart.
 `annotations.serviceAccount` contains the Kubernetes annotations
 put on the `Deployment` resource created by the chart.
 
+## `annotations`
+
+### `labels.deployment`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`labels.deployment` contains the Kubernetes labels
+put on the `Deployment` resource created by the chart.
+
+### `labels.pod`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`labels.pod` contains the Kubernetes labels
+put on the `Pod` resources created by the chart.
+
 ## `serviceAccount`
 
 ### `serviceAccount.create`

diff --git a/docs/pages/includes/plugins/identity-export.mdx b/docs/pages/includes/plugins/identity-export.mdx
@@ -46,7 +46,7 @@ If you are running the {{ client }} on a Linux server, create a data directory
 to hold certificate files for the {{ client }}:
 
 ```code
-$ sudo mkdir -p /var/lib/teleport/api-credentials
+$ sudo mkdir -p /var/lib/teleport/plugins/api-credentials
 $ sudo mv identity /var/lib/teleport/plugins/api-credentials
 ```