Merge branch 'branch/v16' into bot/backport-42727-branch/v16

gravitational · Jun 11, 2024 · e00ed56 · e00ed56
2 parents f74d604 + fdcd808
commit e00ed56
Show file tree

Hide file tree

Showing 75 changed files with 1,656 additions and 1,108 deletions.
diff --git a/Makefile b/Makefile
@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=16.0.0-alpha.3
+VERSION=16.0.0-rc.1
 
 DOCKER_IMAGE ?= teleport
 

diff --git a/api/client/client.go b/api/client/client.go
@@ -879,6 +879,11 @@ func (c *Client) VnetConfigServiceClient() vnet.VnetConfigServiceClient {
 	return vnet.NewVnetConfigServiceClient(c.conn)
 }
 
+// GetVnetConfig returns the singleton VnetConfig resource.
+func (c *Client) GetVnetConfig(ctx context.Context) (*vnet.VnetConfig, error) {
+	return c.VnetConfigServiceClient().GetVnetConfig(ctx, &vnet.GetVnetConfigRequest{})
+}
+
 // Ping gets basic info about the auth server.
 func (c *Client) Ping(ctx context.Context) (proto.PingResponse, error) {
 	rsp, err := c.grpc.Ping(ctx, &proto.PingRequest{})

diff --git a/api/proto/teleport/legacy/types/events/events.proto b/api/proto/teleport/legacy/types/events/events.proto
@@ -3906,6 +3906,9 @@ message DeviceMetadata {
   // Web Session ID associated with the device.
   // Present in events related to device web authentication.
   string web_session_id = 7 [(gogoproto.jsontag) = "web_session_id,omitempty"];
+  // Device web authentication attempt ID.
+  // Present in events related to device web authentication.
+  string web_authentication_id = 8 [(gogoproto.jsontag) = "web_authentication_id,omitempty"];
 }
 
 // DeviceEvent is a device-related event.

diff --git a/api/types/events/events.pb.go b/api/types/events/events.pb.go
diff --git a/api/version.go b/api/version.go
diff --git a/docs/config.json b/docs/config.json
@@ -1275,52 +1275,52 @@
           "slug": "/database-access/enroll-aws-databases/",
           "entries": [
             {
-              "title": "AWS Cross-Account Database Access",
-              "slug": "/database-access/enroll-aws-databases/aws-cross-account/"
-            },
-            {
-              "title": "AWS DynamoDB",
+              "title": "Amazon DynamoDB",
               "slug": "/database-access/enroll-aws-databases/aws-dynamodb/"
             },
             {
-              "title": "AWS OpenSearch",
-              "slug": "/database-access/enroll-aws-databases/aws-opensearch/"
+              "title": "Amazon ElastiCache and MemoryDB for Redis",
+              "slug": "/database-access/enroll-aws-databases/redis-aws/"
             },
             {
-              "title": "AWS RDS Proxy for MariaDB/MySQL",
-              "slug": "/database-access/enroll-aws-databases/rds-proxy-mysql/"
+              "title": "Amazon Keyspaces (Apache Cassandra)",
+              "slug": "/database-access/enroll-aws-databases/aws-cassandra-keyspaces/"
             },
             {
-              "title": "Microsoft SQL Server with Active Directory authentication",
-              "slug": "/database-access/enroll-aws-databases/sql-server-ad/"
+              "title": "Amazon OpenSearch",
+              "slug": "/database-access/enroll-aws-databases/aws-opensearch/"
             },
             {
-              "title": "AWS ElastiCache and AWS MemoryDB for Redis",
-              "slug": "/database-access/enroll-aws-databases/redis-aws/"
+              "title": "Amazon RDS Proxy for MariaDB/MySQL",
+              "slug": "/database-access/enroll-aws-databases/rds-proxy-mysql/"
             },
             {
-              "title": "AWS Keyspaces (Apache Cassandra)",
-              "slug": "/database-access/enroll-aws-databases/aws-cassandra-keyspaces/"
+              "title": "Amazon RDS Proxy for Microsoft SQL Server",
+              "slug": "/database-access/enroll-aws-databases/rds-proxy-sqlserver/"
             },
             {
-              "title": "AWS RDS Proxy for PostgreSQL",
+              "title": "Amazon RDS Proxy for PostgreSQL",
               "slug": "/database-access/enroll-aws-databases/rds-proxy-postgres/"
             },
             {
-              "title": "Redshift Serverless on AWS",
-              "slug": "/database-access/enroll-aws-databases/redshift-serverless/"
+              "title": "Amazon RDS and Aurora",
+              "slug": "/database-access/enroll-aws-databases/rds/"
             },
             {
-              "title": "AWS RDS Proxy for Microsoft SQL Server",
-              "slug": "/database-access/enroll-aws-databases/rds-proxy-sqlserver/"
+              "title": "Amazon RDS for Microsoft SQL Server",
+              "slug": "/database-access/enroll-aws-databases/sql-server-ad/"
             },
             {
-              "title": "Redshift on AWS",
+              "title": "Amazon Redshift",
               "slug": "/database-access/enroll-aws-databases/postgres-redshift/"
             },
             {
-              "title": "AWS RDS and Aurora",
-              "slug": "/database-access/enroll-aws-databases/rds/"
+              "title": "Amazon Redshift Serverless",
+              "slug": "/database-access/enroll-aws-databases/redshift-serverless/"
+            },
+            {
+              "title": "Cross-Account Access",
+              "slug": "/database-access/enroll-aws-databases/aws-cross-account/"
             }
           ]
         },

diff --git a/docs/pages/application-access/cloud-apis/google-cloud.mdx b/docs/pages/application-access/cloud-apis/google-cloud.mdx
@@ -94,15 +94,6 @@ $ gcloud iam service-accounts create teleport-google-cloud-cli \
   --display-name="teleport-google-cloud-cli"
 ```
 
-Enable your service account to act as other service accounts by assigning it the
-predefined "Service Account User" role:
-
-```code
-$ gcloud projects add-iam-policy-binding <Var name="google-cloud-project" /> \
-   --member="serviceAccount:teleport-google-cloud-cli@<Var name="google-cloud-project" />.iam.gserviceaccount.com" \
-   --role="roles/iam.serviceAccountUser"
-```
-
 ### Set up a service account that Teleport users can access
 
 When a Teleport user executes a Google Cloud CLI command against the Teleport

diff --git a/docs/pages/database-access/enroll-aws-databases.mdx b/docs/pages/database-access/enroll-aws-databases.mdx
@@ -17,14 +17,14 @@ Access](./enroll-aws-databases/aws-cross-account.mdx).
 Read the following guides for how to protect a specific AWS-managed database
 with Teleport:
 
-- [Amazon Redshift](./enroll-aws-databases/postgres-redshift.mdx)
-- [Amazon Redshift Serverless](./enroll-aws-databases/redshift-serverless.mdx)
-- [Amazon RDS](./enroll-aws-databases/rds.mdx)
-- [Amazon RDS for SQL Server](./enroll-aws-databases/sql-server-ad.mdx)
-- [Amazon RDS Proxy for PostgreSQL](./enroll-aws-databases/rds-proxy-postgres.mdx)
-- [Amazon RDS Proxy for Microsoft SQL Server](./enroll-aws-databases/rds-proxy-sqlserver.mdx)
-- [Amazon RDS Proxy MySQL](./enroll-aws-databases/rds-proxy-mysql.mdx)
-- [Amazon OpenSearch](./enroll-aws-databases/aws-opensearch.mdx)
 - [Amazon DynamoDB](./enroll-aws-databases/aws-dynamodb.mdx)
-- [Amazon Keyspaces (Apache Cassandra)](./enroll-aws-databases/aws-cassandra-keyspaces.mdx)
 - [Amazon ElastiCache and MemoryDB for Redis](./enroll-aws-databases/redis-aws.mdx)
+- [Amazon Keyspaces (Apache Cassandra)](./enroll-aws-databases/aws-cassandra-keyspaces.mdx)
+- [Amazon OpenSearch](./enroll-aws-databases/aws-opensearch.mdx)
+- [Amazon RDS Proxy MySQL](./enroll-aws-databases/rds-proxy-mysql.mdx)
+- [Amazon RDS Proxy for Microsoft SQL Server](./enroll-aws-databases/rds-proxy-sqlserver.mdx)
+- [Amazon RDS Proxy for PostgreSQL](./enroll-aws-databases/rds-proxy-postgres.mdx)
+- [Amazon RDS and Aurora](./enroll-aws-databases/rds.mdx)
+- [Amazon RDS for SQL Server](./enroll-aws-databases/sql-server-ad.mdx)
+- [Amazon Redshift Serverless](./enroll-aws-databases/redshift-serverless.mdx)
+- [Amazon Redshift](./enroll-aws-databases/postgres-redshift.mdx)
diff --git a/docs/pages/database-access/enroll-aws-databases/rds.mdx b/docs/pages/database-access/enroll-aws-databases/rds.mdx
@@ -11,11 +11,11 @@ description: How to configure Teleport database access with AWS RDS and Aurora f
 (!docs/pages/includes/database-access/how-it-works/iam.mdx db="RDS" cloud="AWS"!)
 
 <Tabs>
-<TabItem scope={["oss", "enterprise"]} label="Self-Hosted">
-![Teleport Database Access RDS Self-Hosted](../../../img/database-access/guides/rds_selfhosted.png)
+<TabItem label="Self-Hosted">
+![Teleport Architecture RDS Self-Hosted](../../../img/database-access/guides/rds_selfhosted.png)
 </TabItem>
-<TabItem scope={["cloud"]} label="Teleport Enterprise Cloud">
-![Teleport Database Access RDS Cloud](../../../img/database-access/guides/rds_cloud.png)
+<TabItem label="Cloud-Hosted">
+![Teleport Architecture RDS Cloud-Hosted](../../../img/database-access/guides/rds_cloud.png)
 </TabItem>
 
 </Tabs>
@@ -136,43 +136,24 @@ Next, get your environment ready to run the Teleport Database Service:
 
 (!docs/pages/includes/install-linux.mdx!)
 
-Generate a configuration for the Teleport Database Service:
-
-Generate a configuration file for the Teleport Database Service. Run one of the
-following commands, depending on whether you want to proxy an AWS Aurora or
-Amazon RDS instance. 
-
-Assign <Var name="example.teleport.sh:443" /> to the host **and port** of your
-Teleport Proxy Service or Enterprise Cloud site. Assign <Var name="us-west-1" />
-to the region associated with the RDS database.
-
-Run the following command to proxy an AWS Aurora cluster, assigning <Var
-name="RDS_URI" /> to your cluster's domain name and port and <Var
-name="protocol" /> to either `postgres` or `mysql`, depending on the database
-you want to proxy:
-
-```code
-$ sudo teleport db configure create \
-   -o file \
-   --name="postgres-rds" \
-   --proxy=<Var name="example.teleport.sh:443" />  \
-   --protocol=<Var name="protocol" /> \
-   --uri=<Var name="RDS_URI" /> \
-   --token=/tmp/token
-```
-
-Run the following command to proxy an AWS RDS instance, assigning <Var
-name="RDS_URI" /> to your instance's domain name and port and <Var
-name="protocol" /> to either `postgres` or `mysql`, depending on the database
-you want to proxy:
+Provide the following information and then generate a configuration file for the
+Teleport Database Service:
+- <Var name="example.teleport.sh:443" /> The host **and port** of your Teleport
+Proxy Service or cloud-hosted Teleport Enterprise site
+- <Var name="protocol" /> The protocol of the database you want to proxy, either
+`mysql` or `postgres`
+- <Var name="endpoint:port" /> The endpoint **and port** of the database - the
+cluster endpoint for Aurora or the instance endpoint for an RDS instance, e.g.
+`myrds.us-east-1.rds.amazonaws.com:5432`
 
 ```code
 $ sudo teleport db configure create \
    -o file \
-   --name="postgres-rds" \
+   --name=rds-example \
    --proxy=<Var name="example.teleport.sh:443" />  \
    --protocol=<Var name="protocol" /> \
-   --uri=<Var name="RDS_URI" /> \
+   --uri=<Var name="endpoint:port" /> \
+   --labels=env=dev \
    --token=/tmp/token
 ```
 
@@ -339,7 +320,7 @@ Token                            Type Labels Expiry Time (UTC)
 Create a Helm values file called `values.yaml`, assigning <Var name="token" />
 to the value of the join token you retrieved above, <Var
 name="example.teleport.sh:443" /> to the host **and port** of your Teleport
-Proxy Service, and <Var name="rds-uri" /> to the host **and port** of your RDS
+Proxy Service, and <Var name="endpoint:port" /> to the host **and port** of your RDS
 database (e.g., `myrds.us-east-1.rds.amazonaws.com:5432`):
 
 ```var
@@ -348,12 +329,10 @@ proxyAddr: <Var name="example.teleport.sh:443" />
 roles: db
 databases:
 - name: example
-  uri: "<Var name="rds-uri" />"
+  uri: "<Var name="endpoint:port" />"
   protocol: <Var name="protocol" />
   static_labels:
     env: dev
-  aws:
-    region: "<Var name="rds-region" />"
 annotations:
   serviceAccount:
     eks.amazonaws.com/role-arn: arn:aws:iam::<Var name="aws-account" />:role/teleport-rds-role
@@ -421,24 +400,15 @@ Once the Database Service has started and joined the cluster, log in as the
 ```code
 $ tsh login --proxy=<Var name="example.teleport.sh:443" /> --user=alice
 $ tsh db ls
-# Name         Description Labels
-# ------------ ----------- --------
-# postgres-rds 
-```
-
-Retrieve credentials for a database and connect to it as the `alice` user,
-assigning <Var name="postgres-rds" /> to the name of a database resource listed
-by `tsh db ls`:
-
-```code
-$ tsh db connect <Var name="postgres-rds" /> --db-user=alice
+# Name        Description Labels
+# ----------- ----------- --------
+# rds-example             env=dev
 ```
 
-You can optionally specify the database name to use by default when connecting
-to the database instance:
+Retrieve credentials for the database and connect to it as the `alice` user:
 
 ```code
-$ tsh db connect --db-user=postgres --db-name=postgres <Var name="postgres-rds" />
+$ tsh db connect --db-user=postgres --db-name=postgres rds-example
 ```
 
 <Admonition type="note" title="Note">
@@ -449,7 +419,7 @@ $ tsh db connect --db-user=postgres --db-name=postgres <Var name="postgres-rds"
 Log out of the database and remove credentials:
 
 ```code
-$ tsh db logout <Var name="postgres-rds" /> 
+$ tsh db logout rds-example
 ```
 
 ## Troubleshooting