[v15] Update access graph version and add Docker deployment warning (#42195)

* Update access graph version and add Docker deployment warning

The access graph version in the config.json file has been updated from 1.20.1 to 1.20.4. Also, a warning notice about Docker deployment suitability for testing and development purposes only has been added in the Docker deployment page.

* Update access control documentation for non-root containers

The Access Graph service documentation has been updated to reflect that containers now run as non-root users by default starting from version 1.20.4. Instructions have been amended to guide users on the necessary steps to ensure certificate files are readable by the new non-root user. Obsolete file permission tweaks were also removed.

* Update Access Graph documentation

The documentation for the Access-Graph service has been updated to clarify the information about the non-root user and adjust the command-line path. It also includes corrections to some formatting issues for better readability.

* Apply suggestions from code review

Co-authored-by: Paul Gottschling <[email protected]>

---------

Co-authored-by: Paul Gottschling <[email protected]>
jakule and ptgott authored May 30, 2024
1 parent a5c1d04 commit e2aca8d
Showing 2 changed files with 12 additions and 1 deletion.
2 changes: 1 addition & 1 deletion docs/config.json
Expand Up @@ -2201,7 +2201,7 @@
"nodeIP": "ip-172-31-35-170"
},
"access_graph": {
"version": "1.20.1"
"version": "1.20.4"
},
"ansible": {
"min_version": "2.9.6"
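Review bot: The new value on the `"version": "1.20.4"` line is the same release that self-hosted.mdx in this commit names as the first to run the container as a non-root user, so the bump and the permissions guidance have to ship together. If this value is consumed by other pages (for example the Helm guide that the new warning links to), check that they do not also need a note about certificate file ownership.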
11 changes: 11 additions & 0 deletions docs/pages/access-controls/access-graph/self-hosted.mdx
Expand Up @@ -29,8 +29,19 @@ to Teleport Enterprise customers.
- A TLS certificate for the Access Graph service
- The TLS certificate must be issued for "server authentication" key usage,
and must list the IP or DNS name of the TAG service in an X.509 v3 `subjectAltName` extension.
- Starting from version 1.20.4 of the Access Graph service, the container runs as a non-root user by default.
Make sure the certificate files are readable by the user running the container. You can set correct permissions with the following command:
```code
$ sudo chown 65532 /etc/access_graph/tls.key
```
- The node running the Access Graph service must be reachable from Teleport Auth Service and Proxy Service.

<Notice type="warning">
The deployment with Docker is suitable for testing and development purposes. For production deployments,
consider using the Teleport Access Graph Helm chart to deploy this service on Kubernetes.
Refer to [Helm chart for Access Graph](self-hosted-helm.mdx) for instructions.
</Notice>

## Step 1/3. Set up the Teleport Access Graph service

You will need a copy of your Teleport cluster's host certificate authority (CA) on the machine that hosts the Access Graph service.
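Review bot: The added prerequisite says the "certificate files" (plural) must be readable by the container user, but the command under it only changes ownership of `/etc/access_graph/tls.key`, and nothing in the text states that 65532 is the UID the container runs as. Suggest naming that UID in the sentence, either covering the certificate file too or saying why only the key needs the change, and recommending an owner-only mode on the key, since `chown` alone leaves whatever read bits the file already had for other local users.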