Fix Cloud installation instructions #39508

Merged
merged 3 commits into from
Mar 28, 2024

Conversation

ptgott
Contributor

@ptgott ptgott commented Mar 18, 2024

The current instructions are missing a `"` character in the `curl` command and target the wrong channel for the current Teleport Cloud version: `default` instead of `stable/cloud`. This change corrects the instructions.

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@stevenGravy
Contributor

I believe there's still an issue that the apt and other instructions point to a version repo not cloud.

🤖 Vercel preview here: https://docs-8it20rjej-goteleport.vercel.app/docs/ver/preview

@stevenGravy stevenGravy added the no-changelog Indicates that a PR does not require a changelog entry label Mar 18, 2024
@ptgott
Contributor Author

ptgott commented Mar 18, 2024

@bernardjkim Would it make sense to change $TELEPORT_VERSION to cloud for Teleport Cloud users in the Package Repositories section? Currently, the instructions are to query the latest compatible automatic updater version to populate TELEPORT_VERSION. Is there ever a situation where the updater is a major version ahead of the Teleport Cloud version and we need to base the version on the updater, rather than use the stable/cloud channel?

I suppose we could add instructions to check whether the updater is on a different major version than Teleport Cloud first, then have the user assign TELEPORT_VERSION to the automatic updater version if that's the case.

@bernardjkim
Contributor

bernardjkim commented Mar 19, 2024

> Would it make sense to change $TELEPORT_VERSION to cloud for Teleport Cloud users

By cloud, does this mean the latest available version of Teleport Cloud? The problem is that Cloud needs to support tenants of multiple major versions of Teleport right now. There are tenants on Teleport 13, 14, and 15. So the installation needs to ensure that the agent that is being installed is the same major version as the user's Teleport control plane.

This is why we're currently instructing users to first query the latest compatible version from the proxy endpoint. It's not ideal, but it is a temporary workaround. However, we're planning to simplify this in the future. We're planning on having the Teleport updater manage the installation of Teleport. This would mean that all users can just install the latest version of the Teleport updater and the Teleport updater will install the latest compatible version of Teleport for the user.

@stevenGravy
Contributor

> Would it make sense to change $TELEPORT_VERSION to cloud for Teleport Cloud users
>
> By cloud, does this mean the latest available version of Teleport Cloud? The problem is that Cloud needs to support tenants of multiple major versions of Teleport right now. There are tenants on Teleport 13, 14, and 15. So the installation needs to ensure that the agent that is being installed is the same major version as the user's Teleport control plane.

I thought we had gone with the cloud repo so they don't have to go back in and change after the proxy/auth updates. That way they don't have to change their repo settings which could be a lot of work and isn't automatic now.

@stevenGravy
Contributor

> Would it make sense to change $TELEPORT_VERSION to cloud for Teleport Cloud users
>
> By cloud, does this mean the latest available version of Teleport Cloud? The problem is that Cloud needs to support tenants of multiple major versions of Teleport right now. There are tenants on Teleport 13, 14, and 15. So the installation needs to ensure that the agent that is being installed is the same major version as the user's Teleport control plane.
>
> This is why we're currently instructing users to first query the latest compatible version from the proxy endpoint. It's not ideal, but it is a temporary workaround. However, we're planning to simplify this in the future. We're planning on having the Teleport updater manage the installation of Teleport. This would mean that all users can just install the latest version of the Teleport updater and the Teleport updater will install the latest compatible version of Teleport for the user.

Per this it seems cloud repo still makes sense until this is applied.

@bernardjkim
Contributor

bernardjkim commented Mar 19, 2024

> I thought we had gone with the cloud repo so they don't have to go back in and change after the proxy/auth updates.

Yeah, that's correct. All cloud tenants should be using the stable/cloud package repository.

Sorry, I didn't realize TELEPORT_VERSION variable was being used in two different places here.

When using the installation script we want to specify the exact version of Teleport.

$ export TELEPORT_DOMAIN=example.teleport.sh
$ export TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/stable/cloud/version | sed 's/v//')"

$ curl https://goteleport.com/static/install.sh | bash -s ${TELEPORT_VERSION?} ${TELEPORT_EDITION?} 

When installing Teleport from the package repository, the stable/cloud channel should always be used for cloud users. However, the user needs to specify the version of the teleport-ent package to install.

$ export TELEPORT_DOMAIN=example.teleport.sh
$ export TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/stable/cloud/version | sed 's/v//')"

$ sudo yum install -y yum-utils
$ sudo yum-config-manager --add-repo "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/cloud/teleport.repo")"
$ sudo yum install "teleport-ent-$TELEPORT_VERSION" teleport-ent-updater

I updated the other page in #38401 with these changes, but I must have missed this one by mistake.

@hugoShaka
Contributor

hugoShaka commented Mar 20, 2024

Also: the zypper install instructions contain a yum command, and don't trust the teleport repo signing keys

@ptgott
Contributor Author

ptgott commented Mar 22, 2024

@stevenGravy @bernardjkim I've pushed some more fixes!

@hugoShaka I've fixed the yum command in the zypper instructions, but am not sure about the trust issue.

🤖 Vercel preview here: https://docs-er80l3wl3-goteleport.vercel.app/docs/ver/preview

@hugoShaka
Contributor

On the first teleport install, it complains about not trusting the repo keys and wants manual action. It would fail if the script were to be run in a non-interactive shell.

I could not trust the gpg keys in a single addrepo command (which is either a zypper bug or my inability to properly set a CLI flag 🙃 ). Running a separate refresh did the trick.

0a2854b95e16:/ # zypper  addrepo --repo $(rpm --eval "https://zypper.releases.teleport.dev/sles/15/Teleport/%{_arch}/stable/cloud/teleport-zypper.repo")
Adding repository 'Gravitational Teleport packages' .......................................................................[done]
Repository 'Gravitational Teleport packages' successfully added

URI         : https://zypper.releases.teleport.dev/sles/15/Teleport/aarch64/stable/cloud
Enabled     : Yes
GPG Check   : Yes
Autorefresh : No
Priority    : 99 (default priority)

Repository priorities are without effect. All enabled repositories share the same priority.

0a2854b95e16:/ # zypper --gpg-auto-import-keys refresh

Retrieving repository 'Update repository of openSUSE Backports' metadata ..................................................[done]
Building repository 'Update repository of openSUSE Backports' cache .......................................................[done]
Retrieving repository 'Non-OSS Repository' metadata .......................................................................[done]
Building repository 'Non-OSS Repository' cache ............................................................................[done]
Retrieving repository 'Open H.264 Codec (openSUSE Leap)' metadata .........................................................[done]
Building repository 'Open H.264 Codec (openSUSE Leap)' cache ..............................................................[done]
Retrieving repository 'Main Repository' metadata ..........................................................................[done]
Building repository 'Main Repository' cache ...............................................................................[done]
Retrieving repository 'Update repository with updates from SUSE Linux Enterprise 15' metadata .............................[done]
Building repository 'Update repository with updates from SUSE Linux Enterprise 15' cache ..................................[done]
Retrieving repository 'Main Update Repository' metadata ...................................................................[done]
Building repository 'Main Update Repository' cache ........................................................................[done]
Retrieving repository 'Update Repository (Non-Oss)' metadata ..............................................................[done]
Building repository 'Update Repository (Non-Oss)' cache ...................................................................[done]
Looking for gpg key ID 6282C411 in cache /var/cache/zypp/pubkeys.
Looking for gpg key ID 6282C411 in repository Gravitational Teleport packages.
  gpgkey=https://zypper.releases.teleport.dev/gpg

Automatically importing the following key:

  Repository:       Gravitational Teleport packages
  Key Fingerprint:  0C5E 8BA5 658E 320D 1B03 1179 C87E D53A 6282 C411
  Key Name:         Gravitational, Inc <[email protected]>
  Key Algorithm:    RSA 4096
  Key Created:      Thu Oct 22 19:25:42 2020
  Key Expires:      Sun Oct 20 19:25:42 2030
  Subkey:           47E91E2B7B09807F 2020-10-22 [expires: 2030-10-20]
  Rpm Name:         gpg-pubkey-6282c411-5f91dcb6



    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If
    you are not sure whether the presented key is authentic, ask the repository provider or check
    their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they
    are using.
Retrieving repository 'Gravitational Teleport packages' metadata ..........................................................[done]
Building repository 'Gravitational Teleport packages' cache ...............................................................[done]
All repositories have been refreshed.

0a2854b95e16:/ # zypper install -y teleport-ent

# no gpg warning nor interactive prompt, just install

@ptgott
Contributor Author

ptgott commented Mar 22, 2024

@hugoShaka Thanks! That was my experience too, and I'm not sure what we can change in the installation instructions to produce a better experience. I think @fheinecke is investigating.

@hugoShaka
Contributor

> I'm not sure what we can change in the installation instructions to produce a better experience.

If you make a separate refresh like in my previous example it works properly, it doesn't ask for manual action during the install command and works in non-interactive shells:

$ zypper  addrepo --repo $(rpm --eval "https://zypper.releases.teleport.dev/sles/15/Teleport/%{_arch}/stable/cloud/teleport-zypper.repo")

$ zypper --gpg-auto-import-keys refresh

$ zypper install -y teleport-ent
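
An alternative to `--gpg-auto-import-keys` for non-interactive installs, shown as an added example (not part of the comment above or of the Teleport docs): pin the fingerprint zypper printed earlier in this thread and import the key only if the downloaded file contains exactly that key. The function names are hypothetical, and `gpg --show-keys` assumes GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example. Fingerprint as printed by zypper in the session above.
EXPECTED_FPR="0C5E 8BA5 658E 320D 1B03 1179 C87E D53A 6282 C411"

# primary_fprs: read `gpg --with-colons` output on stdin and print the
# fingerprint of every primary key (the fpr record following each pub record).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# fpr_matches EXPECTED ACTUAL: succeed only if ACTUAL is a single 40-hex-digit
# fingerprint equal to EXPECTED, ignoring spaces and letter case.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# import_pinned_key URL: download the key, verify it, then add it to the RPM
# database. A file carrying a second key yields two lines and fails the match.
import_pinned_key() {
    tmp=$(mktemp) || return 1
    curl -fsSL "$1" -o "$tmp" || { rm -f "$tmp"; return 1; }
    actual=$(gpg --show-keys --with-colons "$tmp" | primary_fprs)
    if fpr_matches "$EXPECTED_FPR" "$actual"; then
        rpm --import "$tmp"; rc=$?
    else
        echo "repo key fingerprint mismatch: got '$actual'" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (not run here), with the gpgkey URL from the zypper output above:
#   import_pinned_key https://zypper.releases.teleport.dev/gpg || exit 1
```
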

@ptgott ptgott force-pushed the paul.gottschling/2024-03-18-installation branch from a2f5ba4 to b238c9e Compare March 25, 2024 22:07
@ptgott
Contributor Author

ptgott commented Mar 25, 2024

@hugoShaka Thanks! Made this change in b238c9e2082f659ab493779bf9afe8e0ca180ede.

@stevenGravy This is ready for another review, I think.

@ptgott ptgott requested a review from hugoShaka March 25, 2024 22:08
🤖 Vercel preview here: https://docs-7khfklh54-goteleport.vercel.app/docs/ver/preview

- For Cloud users, specify a `teleport-ent` version.
- Turn the release channel into an environment variable so Cloud users
  can use `stable/cloud`.
- Correct an errant `yum` command in the `zypper` instructions. Also
  trust the repo key.
@ptgott ptgott force-pushed the paul.gottschling/2024-03-18-installation branch from b238c9e to 03dd48a Compare March 26, 2024 21:32
🤖 Vercel preview here: https://docs-mn4gi18cf-goteleport.vercel.app/docs/ver/preview

@zmb3
Collaborator

zmb3 commented Mar 26, 2024

@bernardjkim can you review this one and make sure the recommended repos here are in line with our latest guidance for automatic upgrades?

$ export TELEPORT_DOMAIN=<Var name="example.teleport.com" />
$ export TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/default/version | sed 's/v//')
$ export TELEPORT_VERSION="$(curl https://$TELEPORT_DOMAIN/v1/webapi/automaticupgrades/channel/stable/cloud/version | sed 's/v//')"
$ export TELEPORT_PKG="teleport-ent-${TELEPORT_VERSION?} teleport-ent-updater"
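
Review bot: the added `TELEPORT_VERSION` line pipes the `curl` response straight into `sed 's/v//'` with no failure handling, so an HTTP error body or an empty response still ends up in `TELEPORT_VERSION`, and the `${TELEPORT_VERSION?}` guard on the `TELEPORT_PKG` line only catches an unset variable, not an empty or malformed one. Suggest `curl -fsS` so an HTTP error produces no output, `sed 's/^v//'` so only a leading `v` is stripped, and `${TELEPORT_VERSION:?}` so an empty value also aborts before it is interpolated into a package name.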
Contributor

@bernardjkim bernardjkim Mar 27, 2024


Ah, ran into an error here. When installing via apt, the command should be
apt-get install teleport-ent=X.Y.Z instead of apt-get install teleport-ent-X.Y.Z

Other than that. Looks good, thanks!
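
The version lookup and the per-package-manager version syntax discussed in this thread, combined as an added example (not code from the PR or the Teleport docs): the endpoint reply is validated before it is used, and the package argument is built with `=` for apt and `-` for yum. Function names are hypothetical, and the version in the usage comment is whatever the endpoint returns.

```shell
#!/bin/sh
# Added example: check the channel version before it reaches a package manager.
# The endpoint path is the one quoted in this thread; function names are hypothetical.

# normalize_version RAW: print X.Y.Z with a leading "v" stripped, or return 1
# if RAW is not a plain version (empty body, HTML error page, extra tokens).
normalize_version() {
    ver=$(printf '%s' "$1" | tr -d '\r\n' | sed 's/^v//')
    if printf '%s\n' "$ver" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
        printf '%s\n' "$ver"
    else
        return 1
    fi
}

# package_spec MANAGER VERSION: print the versioned teleport-ent argument.
# apt pins with "=", yum with "-", as noted in the review comment above.
package_spec() {
    case "$1" in
        apt) printf 'teleport-ent=%s\n' "$2" ;;
        yum) printf 'teleport-ent-%s\n' "$2" ;;
        *)   echo "unsupported package manager: $1" >&2; return 1 ;;
    esac
}

# resolve_version DOMAIN: query the stable/cloud channel and validate the reply.
# -f makes curl fail on HTTP errors instead of returning the error body.
resolve_version() {
    raw=$(curl -fsS "https://$1/v1/webapi/automaticupgrades/channel/stable/cloud/version") || return 1
    normalize_version "$raw"
}

# Usage (not run here):
#   TELEPORT_VERSION=$(resolve_version example.teleport.sh) || exit 1
#   sudo apt-get install "$(package_spec apt "$TELEPORT_VERSION")" teleport-ent-updater
```
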

Add a note re: specifying a `teleport-ent` version on Debian/Ubuntu.
🤖 Vercel preview here: https://docs-pgrxfw516-goteleport.vercel.app/docs/ver/preview

@fheinecke
Contributor

@ptgott is there any way to keep these in sync with our smoke tests? Can the contents of the code blocks maybe be loaded from another file, that I could also pull into a GHA workflow at release time? This could help prevent issues like we have with Zypper where the instructions don't actually work.

@ptgott
Contributor Author

ptgott commented Mar 28, 2024

@fheinecke This seems doable. I'll open an issue so we can work on this separately from this PR. It would also be nice to sync the package manager-specific installation logic in our one-line installation script with these instructions.

@ptgott
Contributor Author

ptgott commented Mar 28, 2024

@zmb3 It looks like this still needs one approval from a required reviewer. Would you have time to give this a look? Thanks!

@ptgott ptgott added this pull request to the merge queue Mar 28, 2024
Merged via the queue into master with commit 39700b4 Mar 28, 2024
35 checks passed
@ptgott ptgott deleted the paul.gottschling/2024-03-18-installation branch March 28, 2024 16:19
@public-teleport-github-review-bot

@ptgott See the table below for backport results.

Branch Result
branch/v15 Create PR
