Merge branch 'branch/v17' into mcbattirola/v17/contacts-audit-events

gravitational · Dec 23, 2024 · dfd0928 · dfd0928
2 parents 1706285 + 53a46ba
commit dfd0928
Show file tree

Hide file tree

Showing 45 changed files with 3,079 additions and 1,686 deletions.
diff --git a/docs/config.json b/docs/config.json
@@ -185,18 +185,18 @@
     "teleport": {
       "git": "api/14.0.0-gd1e081e",
       "major_version": "17",
-      "version": "17.1.0",
+      "version": "17.1.1",
       "url": "teleport.example.com",
       "golang": "1.23.4",
       "plugin": {
-        "version": "17.1.0"
+        "version": "17.1.1"
       },
       "helm_repo_url": "https://charts.releases.teleport.dev",
-      "latest_oss_docker_image": "public.ecr.aws/gravitational/teleport-distroless:17.1.0",
-      "latest_oss_debug_docker_image": "public.ecr.aws/gravitational/teleport-distroless-debug:17.1.0",
-      "latest_ent_docker_image": "public.ecr.aws/gravitational/teleport-ent-distroless:17.1.0",
-      "latest_ent_debug_docker_image": "public.ecr.aws/gravitational/teleport-ent-distroless-debug:17.1.0",
-      "teleport_install_script_url": "https://cdn.teleport.dev/install-v17.1.0.sh"
+      "latest_oss_docker_image": "public.ecr.aws/gravitational/teleport-distroless:17.1.1",
+      "latest_oss_debug_docker_image": "public.ecr.aws/gravitational/teleport-distroless-debug:17.1.1",
+      "latest_ent_docker_image": "public.ecr.aws/gravitational/teleport-ent-distroless:17.1.1",
+      "latest_ent_debug_docker_image": "public.ecr.aws/gravitational/teleport-ent-distroless-debug:17.1.1",
+      "teleport_install_script_url": "https://cdn.teleport.dev/install-v17.1.1.sh"
     },
     "terraform": {
       "version": "1.0.0"

diff --git a/docs/pages/includes/database-access/tctl-auth-sign-3-files.mdx b/docs/pages/includes/database-access/tctl-auth-sign-3-files.mdx
@@ -30,12 +30,12 @@ the database, follow these instructions on your workstation:
    ```
 
 1. Export Teleport's certificate authority and a generate certificate/key pair.
-   This example generates a certificate with a 1-year validity period.
+   This example generates a certificate with a 90-day validity period.
    `db.example.com` is the hostname where the Teleport Database Service can
    reach the {{ dbname }} server.
 
    ```code
-   $ tctl auth sign --format={{ format }} --host=db.example.com --out=server --ttl=2190h
+   $ tctl auth sign --format={{ format }} --host=db.example.com --out=server --ttl=2160h
    ```
 
    (!docs/pages/includes/database-access/ttl-note.mdx!)

diff --git a/examples/chart/tbot/.lint/full.yaml b/examples/chart/tbot/.lint/full.yaml
@@ -1,7 +1,7 @@
 clusterName: "test.teleport.sh"
 teleportAuthAddress: "my-auth:3024"
 defaultOutput:
-  enabled: false
+  enabled: true
 token: "my-token"
 joinMethod: "modified-join-method"
 

diff --git a/examples/chart/tbot/templates/_config.tpl b/examples/chart/tbot/templates/_config.tpl
@@ -40,10 +40,10 @@ outputs:
       name: {{ include "tbot.defaultOutputName" . }}
 {{- end }}
 {{- if .Values.outputs }}
-{{- toYaml .Values.outputs | nindent 6}}
+{{- toYaml .Values.outputs | nindent 2}}
 {{- end }}
 {{- end }}
 {{- if .Values.services }}
-services: {{- toYaml .Values.services | nindent 6}}
+services: {{- toYaml .Values.services | nindent 2}}
 {{- end }}
 {{- end -}}
diff --git a/examples/chart/tbot/tests/__snapshot__/config_test.yaml.snap b/examples/chart/tbot/tests/__snapshot__/config_test.yaml.snap
@@ -35,6 +35,10 @@ should match the snapshot (full):
           join_method: modified-join-method
           token: my-token
         outputs:
+        - destination:
+            name: RELEASE-NAME-tbot-out
+            type: kubernetes_secret
+          type: identity
         - app_name: foo
           destination:
             path: /bar

diff --git a/examples/chart/tbot/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/tbot/tests/__snapshot__/deployment_test.yaml.snap
@@ -22,7 +22,7 @@ should match the snapshot (full):
       template:
         metadata:
           annotations:
-            checksum/config: 094cdbfc4e4fe3824a33426d8eea4e9e8a4b2711823d4fbb4102e11caa7f62c0
+            checksum/config: 010d3421120a26bed12d1b9df8443e0eeafa362e88bd830e4a81688d13689483
             test-key: test-annotation-pod
           labels:
             app.kubernetes.io/component: tbot

diff --git a/lib/integrations/awsoidc/deployserviceconfig/deployservice_config.go b/lib/integrations/awsoidc/deployserviceconfig/deployservice_config.go
@@ -89,3 +89,26 @@ func GenerateTeleportConfigString(proxyHostPort, iamTokenName string, resourceMa
 
 	return teleportConfigString, nil
 }
+
+// ParseResourceLabelMatchers receives a teleport config string and returns the Resource Matcher Label.
+// The expected input is a base64 encoded yaml string containing a teleport configuration,
+// the same format that GenerateTeleportConfigString returns.
+func ParseResourceLabelMatchers(teleportConfigStringBase64 string) (types.Labels, error) {
+	teleportConfigString, err := base64.StdEncoding.DecodeString(teleportConfigStringBase64)
+	if err != nil {
+		return nil, trace.BadParameter("invalid base64 value, error=%v", err)
+	}
+
+	var teleportConfig config.FileConfig
+	if err := yaml.Unmarshal(teleportConfigString, &teleportConfig); err != nil {
+		return nil, trace.BadParameter("invalid teleport config, error=%v", err)
+	}
+
+	if len(teleportConfig.Databases.ResourceMatchers) == 0 {
+		return nil, trace.BadParameter("valid yaml configuration but db_service.resources has 0 items")
+	}
+
+	resourceMatchers := teleportConfig.Databases.ResourceMatchers[0]
+
+	return resourceMatchers.Labels, nil
+}
diff --git a/lib/integrations/awsoidc/deployserviceconfig/deployservice_config_test.go b/lib/integrations/awsoidc/deployserviceconfig/deployservice_config_test.go
@@ -23,8 +23,10 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v2"
 
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils"
 )
 
 func TestDeployServiceConfig(t *testing.T) {
@@ -39,3 +41,45 @@ func TestDeployServiceConfig(t *testing.T) {
 		require.Contains(t, base64Config, base64SeverityDebug)
 	})
 }
+
+func TestParseResourceLabelMatchers(t *testing.T) {
+	labels := types.Labels{
+		"vpc":    utils.Strings{"vpc-1", "vpc-2"},
+		"region": utils.Strings{"us-west-2"},
+		"xyz":    utils.Strings{},
+	}
+	base64Config, err := GenerateTeleportConfigString("host:port", "iam-token", labels)
+	require.NoError(t, err)
+
+	t.Run("recover matching labels", func(t *testing.T) {
+		gotLabels, err := ParseResourceLabelMatchers(base64Config)
+		require.NoError(t, err)
+
+		require.Equal(t, labels, gotLabels)
+	})
+
+	t.Run("fails if invalid base64 string", func(t *testing.T) {
+		_, err := ParseResourceLabelMatchers("invalid base 64")
+		require.ErrorContains(t, err, "base64")
+	})
+
+	t.Run("invalid yaml", func(t *testing.T) {
+		input := base64.StdEncoding.EncodeToString([]byte("invalid yaml"))
+		_, err := ParseResourceLabelMatchers(input)
+		require.ErrorContains(t, err, "yaml")
+	})
+
+	t.Run("valid yaml but not a teleport config", func(t *testing.T) {
+		yamlInput := struct {
+			DBService string `yaml:"db_service"`
+		}{
+			DBService: "not a valid teleport config",
+		}
+		yamlBS, err := yaml.Marshal(yamlInput)
+		require.NoError(t, err)
+		input := base64.StdEncoding.EncodeToString(yamlBS)
+
+		_, err = ParseResourceLabelMatchers(input)
+		require.ErrorContains(t, err, "invalid teleport config")
+	})
+}
diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
@@ -815,6 +815,9 @@ func (h *Handler) bindDefaultEndpoints() {
 
 	// Site specific API
 
+	// get site info
+	h.GET("/webapi/sites/:site/info", h.WithClusterAuth(h.getClusterInfo))
+
 	// get namespaces
 	h.GET("/webapi/sites/:site/namespaces", h.WithClusterAuth(h.getSiteNamespaces))
 
@@ -996,6 +999,7 @@ func (h *Handler) bindDefaultEndpoints() {
 	h.GET("/webapi/scripts/integrations/configure/listdatabases-iam.sh", h.WithLimiter(h.awsOIDCConfigureListDatabasesIAM))
 	h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deployservice", h.WithClusterAuth(h.awsOIDCDeployService))
 	h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deploydatabaseservices", h.WithClusterAuth(h.awsOIDCDeployDatabaseServices))
+	h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/listdeployeddatabaseservices", h.WithClusterAuth(h.awsOIDCListDeployedDatabaseService))
 	h.GET("/webapi/scripts/integrations/configure/deployservice-iam.sh", h.WithLimiter(h.awsOIDCConfigureDeployServiceIAM))
 	h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/ec2", h.WithClusterAuth(h.awsOIDCListEC2))
 	h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/eksclusters", h.WithClusterAuth(h.awsOIDCListEKSClusters))
@@ -2890,6 +2894,35 @@ func (h *Handler) getClusters(w http.ResponseWriter, r *http.Request, p httprout
 	return out, nil
 }
 
+type getClusterInfoResponse struct {
+	ui.Cluster
+	IsCloud bool `json:"isCloud"`
+}
+
+// getClusterInfo returns the information about the cluster in the :site param
+func (h *Handler) getClusterInfo(w http.ResponseWriter, r *http.Request, p httprouter.Params, sctx *SessionContext, site reversetunnelclient.RemoteSite) (interface{}, error) {
+	ctx := r.Context()
+	clusterDetails, err := ui.GetClusterDetails(ctx, site)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	clt, err := sctx.GetUserClient(ctx, site)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	pingResp, err := clt.Ping(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return getClusterInfoResponse{
+		Cluster: *clusterDetails,
+		IsCloud: pingResp.GetServerFeatures().Cloud,
+	}, nil
+}
+
 type getSiteNamespacesResponse struct {
 	Namespaces []types.Namespace `json:"namespaces"`
 }