Update access graph version and add Docker deployment warning #42002
Conversation
|
🤖 Vercel preview here: https://docs-a7shqqo20-goteleport.vercel.app/docs/ver/preview |
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
|
🤖 Vercel preview here: https://docs-mp4eloc8y-goteleport.vercel.app/docs/ver/preview |
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
stevenGravy
added
the
no-changelog
| - Starting from version 1.20.4 of the Access Graph service, the container by default runs as a non-root user. | ||
| Make sure the certificate files are readable by the user running the container. You can set correct permissions with the following command: | ||
| ```console | ||
| $ sudo chown 65532 /path/to/tls.key |
There was a problem hiding this comment.
Nit: we use /etc/access_graph/tls.key as the path in the example config further below, so maybe use that here as well.
| @@ -43,7 +54,7 @@ The host CA can be retrieved and saved into a file in one of the following ways: | |||
| ```code | |||
| $ sudo mkdir /etc/access_graph | |||
| $ curl -s 'https://<Var name="teleport.example.com" />/webapi/auth/export?type=tls-host' | sudo tee /etc/access_graph/teleport_host_ca.pem | |||
| ``` | |||
| ``` | |||
| @@ -29,8 +29,19 @@ to Teleport Enterprise customers. | |||
| - A TLS certificate for the Access Graph service | |||
| - The TLS certificate must be issued for "server authentication" key usage, | |||
| and must list the IP or DNS name of the TAG service in an X.509 v3 `subjectAltName` extension. | |||
| - Starting from version 1.20.4 of the Access Graph service, the container by default runs as a non-root user. | |||
There was a problem hiding this comment.
nit: "the container runs as a non-root user by default." might be a nicer phrasing?
The access graph version in the config.json file has been updated from 1.20.1 to 1.20.4. Also, a warning notice about Docker deployment suitability for testing and development purposes only has been added in the Docker deployment page.
The Access Graph service documentation has been updated to reflect that containers now run as non-root users by default starting from version 1.20.4. Instructions have been amended to guide users on the necessary steps to ensure certificate files are readable by the new non-root user. Obsolete file permission tweaks were also removed.
The documentation for the Access-Graph service has been updated to clarify the information about non-root user and adjust the command-line path. It also includes corrections to some formatting issues for a better readability.
jakule
force-pushed
the
jakule/tag-docker-warning
branch
from
850d8b0 to
776da77
Compare
|
🤖 Vercel preview here: https://docs-edguudqnc-goteleport.vercel.app/docs/ver/preview |
public-teleport-github-review-bot
bot
removed request for
r0mant,
zmb3,
nklaassen and
xinding33
Co-authored-by: Paul Gottschling <[email protected]>
|
🤖 Vercel preview here: https://docs-a0x3akul0-goteleport.vercel.app/docs/ver/preview |
The access graph version in the config.json file has been updated from 1.20.1 to 1.20.4. Also, a warning notice about Docker deployment suitability for testing and development purposes only has been added in the Docker deployment page.
Included instruction to make the tls keys readable after the default docker user has been changed.