gravitational
diff --git a/‎api/client/proto/authservice.pb.go
Lines changed: 999 additions & 941 deletions b/‎api/client/proto/authservice.pb.go
Lines changed: 999 additions & 941 deletions
diff --git a/‎api/proto/teleport/legacy/client/proto/authservice.proto
Lines changed: 2 additions & 0 deletions b/‎api/proto/teleport/legacy/client/proto/authservice.proto
Lines changed: 2 additions & 0 deletions
diff --git a/‎build.assets/versions.mk
Lines changed: 1 addition & 1 deletion b/‎build.assets/versions.mk
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/pages/admin-guides/access-controls/guides/locking.mdx
Lines changed: 36 additions & 43 deletions b/‎docs/pages/admin-guides/access-controls/guides/locking.mdx
Lines changed: 36 additions & 43 deletions
diff --git a/‎docs/pages/admin-guides/deploy-a-cluster/helm-deployments/aws.mdx
Lines changed: 9 additions & 107 deletions b/‎docs/pages/admin-guides/deploy-a-cluster/helm-deployments/aws.mdx
Lines changed: 9 additions & 107 deletions
diff --git a/‎docs/pages/admin-guides/management/admin/self-signed-certs.mdx
Lines changed: 27 additions & 27 deletions b/‎docs/pages/admin-guides/management/admin/self-signed-certs.mdx
Lines changed: 27 additions & 27 deletions
@@ -581,6 +581,8 @@ message Features {
   // NOTE: this flag is used to signal that Access Monitoring is *enabled* on a cluster.
   // *Access* to the feature is gated on the `AccessMonitoring` entitlement.
   bool AccessMonitoringConfigured = 36;
+  // CloudAnonymizationKey is a hash of the Salesforce ID used to anonymize usage events
+  bytes CloudAnonymizationKey = 37 [(gogoproto.jsontag) = "cloud_anonymization_key,omitempty"];
 }
 
 // EntitlementInfo is the state and limits of a particular entitlement
 
@@ -10,7 +10,7 @@ NODE_VERSION ?= 20.18.0
 
 # Run lint-rust check locally before merging code after you bump this.
 RUST_VERSION ?= 1.81.0
-WASM_PACK_VERSION ?= 0.12.1
+WASM_PACK_VERSION ?= 0.13.1
 LIBBPF_VERSION ?= 1.2.2
 LIBPCSCLITE_VERSION ?= 1.9.9-teleport
 
 
@@ -194,51 +194,27 @@ the last known locks. This decision strategy is encoded as one of the two modes:
 
 The cluster-wide mode defaults to `best_effort`. You can set up the default
 locking mode via API or CLI using a `cluster_auth_preference` resource or static
-configuration file:
+configuration file.
 
-<Tabs>
-  <TabItem label="API or CLI">
-
-    Create a YAML file called `cap.yaml` or get the existing file using
-    `tctl get cap`.
-
-    ```yaml
-    kind: cluster_auth_preference
-    metadata:
-      name: cluster-auth-preference
-    spec:
-      locking_mode: best_effort
-    version: v2
-    ```
-
-    Create a resource:
-
-    ```code
-    $ tctl create -f cap.yaml
-    # cluster auth preference has been updated
-    ```
-  </TabItem>
-  <TabItem label="Static Config">
-    Edit `/etc/teleport.yaml` on the Auth Server:
+If your Auth Service configuration (`/etc/teleport.yaml` by default) contains
+an `auth_service.authentication` section, edit the Teleport configuration
+file to contain the following:
 
-    ```yaml
-    auth_service:
-        authentication:
-            locking_mode: best_effort
-    ```
+```yaml
+auth_service:
+    authentication:
+        locking_mode: best_effort
+```
 
-    Restart the Auth Server for the change to take effect.
-  </TabItem>
-</Tabs>
+Restart or redeploy the Auth Service for the change to take effect.
 
-</TabItem>
-<TabItem scope={["Enterprise"]} label="Teleport Enterprise">
+If not, edit your cluster authentication preference resource: 
 
-The cluster-wide mode defaults to `best_effort`. You can set up the default
-locking mode via API or CLI using a `cluster_auth_preference` resource:
+```code
+$ tctl edit cap
+```
 
-Create a YAML file called `cap.yaml` or get the existing file using
-`tctl get cap`.
+Adjust the file in your editor to include the following:
 
 ```yaml
 kind: cluster_auth_preference
@@ -249,15 +225,32 @@ spec:
 version: v2
 ```
 
-Create a resource:
+Save and close your editor to apply your changes.
+
+</TabItem>
+<TabItem scope={["Enterprise"]} label="Teleport Enterprise (Cloud)">
+
+The cluster-wide mode defaults to `best_effort`. You can set up the default
+locking mode via API or CLI using a `cluster_auth_preference` resource:
 
 ```code
-$ tctl create -f cap.yaml
-# cluster auth preference has been updated
+$ tctl edit cap
 ```
 
-</TabItem>
+Adjust the file in your editor to include the following:
+
+```yaml
+kind: cluster_auth_preference
+metadata:
+  name: cluster-auth-preference
+spec:
+  locking_mode: best_effort
+version: v2
+```
+
+Save and close your editor to apply your changes.
 
+</TabItem>
 </Tabs>
 
 It is also possible to configure the locking mode for a particular role:
 
@@ -290,11 +290,9 @@ Edit your `aws-values.yaml` file (created below) to refer to the name of your se
 
 ## Step 5/7. Set values to configure the cluster
 
-<Tabs>
-<TabItem scope="enterprise" label="Teleport Enterprise">
-
-Before you can install Teleport in your Kubernetes cluster, you will need to
-create a secret that contains your Teleport license information.
+If you run Teleport Enterprise, you will need to create a secret that contains
+your Teleport license information before you can install Teleport in your
+Kubernetes cluster. 
 
 (!docs/pages/includes//enterprise/obtainlicense.mdx!)
 
@@ -305,105 +303,9 @@ this secret as long as your file is named `license.pem`.
 $ kubectl -n <Var name="namespace" /> create secret generic license --from-file=license.pem
 ```
 
-</TabItem>
-
-</Tabs>
-
 Next, configure the `teleport-cluster` Helm chart to use the `aws` mode. Create
 a file called `aws-values.yaml` and write the values you've chosen above to it:
 
-<Tabs>
-<TabItem scope={["oss"]} label="Teleport Community Edition">
-
-<Tabs>
-<TabItem label="cert-manager">
-```yaml
-chartMode: aws
-clusterName: <Var name="teleport.example.com" />                 # Name of your cluster. Use the FQDN you intend to configure in DNS below.
-proxyListenerMode: multiplex
-aws:
-  region: <Var name="us-west-2" />                # AWS region
-  backendTable: <Var name="teleport-helm-backend" /> # DynamoDB table to use for the Teleport backend
-  auditLogTable: <Var name="teleport-helm-events" />             # DynamoDB table to use for the Teleport audit log (must be different to the backend table)
-  auditLogMirrorOnStdout: false                   # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
-  sessionRecordingBucket: <Var name="your-sessions-bucket" />  # S3 bucket to use for Teleport session recordings
-  backups: true                                   # Whether or not to turn on DynamoDB backups
-  dynamoAutoScaling: false                        # Whether Teleport should configure DynamoDB's autoscaling.
-highAvailability:
-  replicaCount: 2                                 # Number of replicas to configure
-  certManager:
-    enabled: true                                 # Enable cert-manager support to get TLS certificates
-    issuerName: letsencrypt-production            # Name of the cert-manager Issuer to use (as configured above)
-# If you are running Kubernetes 1.23 or above, disable PodSecurityPolicies
-podSecurityPolicy:
-  enabled: false
-```
-<Admonition type="note">
-If using an AWS PCA with cert-manager, you will need to
-[ensure you set](../../../reference/helm-reference/teleport-cluster.mdx)
-`highAvailability.certManager.addCommonName: true` in your values file.  You will also need to get the certificate authority
-certificate for the CA (`aws acm-pca get-certificate-authority-certificate --certificate-authority-arn <arn>`),
-upload the full certificate chain to a secret, and
-[reference the secret](../../../reference/helm-reference/teleport-cluster.mdx)
-with `tls.existingCASecretName` in the values file.
-</Admonition>
-</TabItem>
-<TabItem label="AWS Certificate Manager">
-```yaml
-chartMode: aws
-clusterName: <Var name="teleport.example.com" />                 # Name of your cluster. Use the FQDN you intend to configure in DNS below.
-proxyListenerMode: multiplex
-service:
-  type: ClusterIP
-aws:
-  region: <Var name="us-west-2" />                # AWS region
-  backendTable: <Var name="teleport-helm-backend" /> # DynamoDB table to use for the Teleport backend
-  auditLogTable: <Var name="teleport-helm-events" />             # DynamoDB table to use for the Teleport audit log (must be different to the backend table)
-  auditLogMirrorOnStdout: false                   # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
-  sessionRecordingBucket: <Var name="your-sessions-bucket" />  # S3 bucket to use for Teleport session recordings
-  backups: true                                   # Whether or not to turn on DynamoDB backups
-  dynamoAutoScaling: false                        # Whether Teleport should configure DynamoDB's autoscaling.
-highAvailability:
-  replicaCount: 2                                 # Number of replicas to configure
-ingress:
-  enabled: true
-  spec:
-    ingressClassName: alb
-annotations:
-  ingress:
-    alb.ingress.kubernetes.io/target-type: ip
-    alb.ingress.kubernetes.io/backend-protocol: HTTPS
-    alb.ingress.kubernetes.io/scheme: internet-facing
-    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=350
-    alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
-    alb.ingress.kubernetes.io/success-codes: 200,301,302
-    # Replace with your AWS certificate ARN
-    alb.ingress.kubernetes.io/certificate-arn: "<Var name="arn:aws:acm:us-west-2:1234567890:certificate/12345678-43c7-4dd1-a2f6-c495b91ebece"/>"
-# If you are running Kubernetes 1.23 or above, disable PodSecurityPolicies
-podSecurityPolicy:
-  enabled: false
-```
-
-To use an internal AWS application load balancer (as opposed to an internet-facing ALB), you should
-edit the `alb.ingress.kubernetes.io/scheme` annotation:
-
-  ```yaml
-    alb.ingress.kubernetes.io/scheme: internal
-  ```
-
-To automatically redirect HTTP requests on port 80 to HTTPS requests on port 443, you
-can also optionally provide these two values under `annotations.ingress`:
-
-  ```yaml
-    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
-    alb.ingress.kubernetes.io/ssl-redirect: '443'
-  ```
-</TabItem>
-</Tabs>
-
-</TabItem>
-<TabItem scope={["enterprise"]} label="Teleport Enterprise">
-
 <Tabs>
 <TabItem label="cert-manager">
 ```yaml
@@ -423,7 +325,9 @@ highAvailability:
   certManager:
     enabled: true                                 # Enable cert-manager support to get TLS certificates
     issuerName: letsencrypt-production            # Name of the cert-manager Issuer to use (as configured above)
-enterprise: true                                  # Indicate that this is a Teleport Enterprise deployment
+# Indicate that this is a Teleport Enterprise deployment. Set to false for
+# Teleport Community Edition.
+enterprise: true                                  
 # If you are running Kubernetes 1.23 or above, disable PodSecurityPolicies
 podSecurityPolicy:
   enabled: false
@@ -455,7 +359,9 @@ aws:
   dynamoAutoScaling: false                        # Whether Teleport should configure DynamoDB's autoscaling.
 highAvailability:
   replicaCount: 2                                 # Number of replicas to configure
-enterprise: true                                  # Indicate that this is a Teleport Enterprise deployment
+# Indicate that this is a Teleport Enterprise deployment. Set to false for
+# Teleport Community Edition.
+enterprise: true                                  
 ingress:
   enabled: true
   spec:
@@ -493,10 +399,6 @@ can also optionally provide these two values under `annotations.ingress`:
 </TabItem>
 </Tabs>
 
-</TabItem>
-
-</Tabs>
-
 Install the chart with the values from your `aws-values.yaml` file using this command:
 
 ```code
 
@@ -110,37 +110,37 @@ running Teleport: via the `teleport` CLI, using a Helm chart, or via systemd:
     <TabItem label="Helm chart">
     If you are using the `teleport-cluster` Helm chart, set
     [extraArgs](../../../reference/helm-reference/teleport-cluster.mdx)
-    to include the extra argument: `--insecure`:
-    <Tabs>
-      <TabItem label="values.yaml">
-      ```yaml
-      extraArgs:
-      - "--insecure"
-      ```
-      </TabItem>
-      <TabItem label="--set">
-      ```code
-      $ --set "extraArgs={--insecure}"
+    to include the extra argument: `--insecure`.
+
+    Here is an example of the field within a values file:
+
+    ```yaml
+    extraArgs:
+    - "--insecure"
+    ```
+
+    When using the `--set` flag, use the following syntax:
+
+
+      ```text
+      --set "extraArgs={--insecure}"
       ```
-      </TabItem>
-    </Tabs>
-    
 
     If you are using the `teleport-kube-agent` chart, set the 
     [insecureSkipProxyTLSVerify](../../../reference/helm-reference/teleport-kube-agent.mdx)
-    flag to `true`:
-    <Tabs>
-      <TabItem label="values.yaml">
-      ```yaml
-      insecureSkipProxyTLSVerify: true
-      ```
-      </TabItem>
-      <TabItem label="--set">
-      ```code
-      $ --set insecureSkipProxyTLSVerify=true
-      ```
-      </TabItem>
-    </Tabs>
+    flag to `true`.
+
+    In a values file, this would appear as follows:
+
+    ```yaml
+    insecureSkipProxyTLSVerify: true
+    ```
+
+    When using the `--set` flag, use the following syntax:
+
+    ```text
+    --set insecureSkipProxyTLSVerify=true
+    ```
     </TabItem>
 
     <TabItem label="systemd">
Original file line number	Diff line number	Diff line change
`@@ -581,6 +581,8 @@ message Features {`
`581`	`581`	`// NOTE: this flag is used to signal that Access Monitoring is enabled on a cluster.`
`582`	`582`	// Access to the feature is gated on the `AccessMonitoring` entitlement.
`583`	`583`	`bool AccessMonitoringConfigured = 36;`
	`584`	`+ // CloudAnonymizationKey is a hash of the Salesforce ID used to anonymize usage events`
	`585`	`+ bytes CloudAnonymizationKey = 37 [(gogoproto.jsontag) = "cloud_anonymization_key,omitempty"];`
`584`	`586`	`}`
`585`	`587`
`586`	`588`	`// EntitlementInfo is the state and limits of a particular entitlement`