Merge branch 'master' into tener/disable-default-import-rule

Author: Tener

.github/workflows/docs-amplify.yaml

@@ -0,0 +1,42 @@
+name: Docs Preview
+on:
+  pull_request:
+    paths:
+      - 'docs/**'
+      - .github/workflows/docs-amplify.yaml
+  workflow_dispatch:
+  
+permissions:
+  pull-requests: write
+  id-token: write
+  
+jobs:
+  amplify-preview:
+    name: Prepare Amplify preview URL
+    runs-on: ubuntu-22.04-2core-arm64
+    environment: docs-amplify
+    steps:    
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
+      with:
+        aws-region: us-west-2
+        role-to-assume: ${{ vars.IAM_ROLE }}
+
+    - name: Create Amplify preview environment
+      uses: gravitational/shared-workflows/tools/amplify-preview@tools/amplify-preview/v0.0.1
+      continue-on-error: true
+      with:
+        app_ids: ${{ vars.AMPLIFY_APP_IDS }}
+        create_branches: "true"
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        wait: "true"
+
+    - name: Print failure message
+      if: failure()
+      env:
+        ERR_TITLE: Teleport Docs preview build failed
+        ERR_MESSAGE: >-
+          Please refer to the following documentation for help: https://www.notion.so/goteleport/How-to-Amplify-deployments-162fdd3830be8096ba72efa1a49ee7bc?pvs=4
+      run: |
+        echo ::error title=$ERR_TITLE::$ERR_MESSAGE
+        exit 1

.golangci.yml

@@ -9,54 +9,55 @@ issues:
   exclude-dirs-use-default: false
   exclude-rules:
     - linters:
-      - gosimple
-      text: "S1002: should omit comparison to bool constant"
+        - gosimple
+      text: 'S1002: should omit comparison to bool constant'
     - linters:
-      - revive
-      text: "exported: exported const"
+        - revive
+      text: 'exported: exported const'
     # TODO(hugoShaka): Remove once https://github.com/dominikh/go-tools/issues/1294 is fixed
     - linters:
-      - unused
+        - unused
       path: 'integrations/operator/controllers/resources/(.+)_controller_test\.go'
     # TODO(codingllama): Remove once we move to grpc.NewClient.
     - linters: [staticcheck]
-      text: "grpc.Dial is deprecated"
+      text: 'grpc.Dial is deprecated'
     - linters: [staticcheck]
-      text: "grpc.DialContext is deprecated"
+      text: 'grpc.DialContext is deprecated'
     # Deprecated gRPC dial options. Related to grpc.NewClient.
     - path: (client/client.go|client/proxy/client_test.go) # api/
       linters: [staticcheck]
       # grpc.FailOnNonTempDialError
       # grpc.WithReturnConnectionError
-      text: "this DialOption is not supported by NewClient"
+      text: 'this DialOption is not supported by NewClient'
     - path: lib/kube/grpc/grpc_test.go
       linters: [staticcheck]
-      text: "grpc.WithBlock is deprecated"
+      text: 'grpc.WithBlock is deprecated'
     - path: lib/observability/tracing/client.go
       linters: [staticcheck]
-      text: "grpc.WithBlock is deprecated"
+      text: 'grpc.WithBlock is deprecated'
     - path: integrations/lib/config.go
       linters: [staticcheck]
-      text: "grpc.WithReturnConnectionError is deprecated"
+      text: 'grpc.WithReturnConnectionError is deprecated'
     - path: lib/service/service_test.go
       linters: [staticcheck]
       # grpc.WithReturnConnectionError
       # grpc.FailOnNonTempDialError
-      text: "this DialOption is not supported by NewClient"
+      text: 'this DialOption is not supported by NewClient'
     - path: integration/client_test.go
       linters: [staticcheck]
-      text: "grpc.WithReturnConnectionError is deprecated"
+      text: 'grpc.WithReturnConnectionError is deprecated'
     - path: integration/integration_test.go
       linters: [staticcheck]
-      text: "grpc.WithBlock is deprecated"
+      text: 'grpc.WithBlock is deprecated'
     - path: lib/multiplexer/multiplexer_test.go
       linters: [staticcheck]
-      text: "grpc.WithBlock is deprecated"
+      text: 'grpc.WithBlock is deprecated'
     - path: provider/provider.go # integrations/terraform
       linters: [staticcheck]
-      text: "grpc.WithReturnConnectionError is deprecated"
+      text: 'grpc.WithReturnConnectionError is deprecated'
     - linters: [govet]
-      text: "non-constant format string in call to github.com/gravitational/trace."
+      path-except: ^e/
+      text: 'non-constant format string in call to github.com/gravitational/trace.'
   exclude-use-default: true
   max-same-issues: 0
   max-issues-per-linter: 0
@@ -121,6 +122,7 @@ linters-settings:
         files:
           - '**/api/**'
           - '**/e/**'
+          - '**/lib/srv/**'
         deny:
           - pkg: github.com/sirupsen/logrus
             desc: 'use "log/slog" instead'
@@ -130,7 +132,7 @@ linters-settings:
       client-tools:
         files:
           # Tests can do anything
-          - "!$test"
+          - '!$test'
           - '**/tool/tbot/**'
           - '**/lib/tbot/**'
           - '**/tool/tctl/**'
@@ -158,7 +160,7 @@ linters-settings:
       cgo:
         files:
           # Tests can do anything
-          - "!$test"
+          - '!$test'
           - '**/tool/tbot/**'
           - '**/lib/client/**'
           - '!**/lib/integrations/**'
@@ -240,8 +242,8 @@ linters-settings:
     require-specific: true
   revive:
     rules:
-    - name: unused-parameter
-      disabled: true
+      - name: unused-parameter
+        disabled: true
   sloglint:
     context: all
     key-naming-case: snake

api/client/client.go

@@ -2286,12 +2286,56 @@ func (c *Client) GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster
 }
 
 // UpsertTrustedCluster creates or updates a Trusted Cluster.
-func (c *Client) UpsertTrustedCluster(ctx context.Context, trusedCluster types.TrustedCluster) (types.TrustedCluster, error) {
-	trustedCluster, ok := trusedCluster.(*types.TrustedClusterV2)
+//
+// Deprecated: Use [Client.UpsertTrustedClusterV2] instead.
+func (c *Client) UpsertTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error) {
+	trustedClusterV2, ok := trustedCluster.(*types.TrustedClusterV2)
 	if !ok {
-		return nil, trace.BadParameter("invalid type %T", trusedCluster)
+		return nil, trace.BadParameter("invalid type %T", trustedCluster)
 	}
-	resp, err := c.grpc.UpsertTrustedCluster(ctx, trustedCluster)
+	resp, err := c.grpc.UpsertTrustedCluster(ctx, trustedClusterV2)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// UpsertTrustedClusterV2 creates or updates a Trusted Cluster.
+func (c *Client) UpsertTrustedClusterV2(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error) {
+	trustedClusterV2, ok := trustedCluster.(*types.TrustedClusterV2)
+	if !ok {
+		return nil, trace.BadParameter("invalid type %T", trustedCluster)
+	}
+	req := &trustpb.UpsertTrustedClusterRequest{TrustedCluster: trustedClusterV2}
+	resp, err := c.TrustClient().UpsertTrustedCluster(ctx, req)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// CreateTrustedCluster creates a Trusted Cluster.
+func (c *Client) CreateTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error) {
+	trustedClusterV2, ok := trustedCluster.(*types.TrustedClusterV2)
+	if !ok {
+		return nil, trace.BadParameter("invalid type %T", trustedCluster)
+	}
+	req := &trustpb.CreateTrustedClusterRequest{TrustedCluster: trustedClusterV2}
+	resp, err := c.TrustClient().CreateTrustedCluster(ctx, req)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// UpdateTrustedCluster updates a Trusted Cluster.
+func (c *Client) UpdateTrustedCluster(ctx context.Context, trustedCluster types.TrustedCluster) (types.TrustedCluster, error) {
+	trustedClusterV2, ok := trustedCluster.(*types.TrustedClusterV2)
+	if !ok {
+		return nil, trace.BadParameter("invalid type %T", trustedCluster)
+	}
+	req := &trustpb.UpdateTrustedClusterRequest{TrustedCluster: trustedClusterV2}
+	resp, err := c.TrustClient().UpdateTrustedCluster(ctx, req)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -4262,6 +4306,12 @@ func (c *Client) GetSSHTargets(ctx context.Context, req *proto.GetSSHTargetsRequ
 	return rsp, trace.Wrap(err)
 }
 
+// ResolveSSHTarget gets a server that would match an equivalent ssh dial request.
+func (c *Client) ResolveSSHTarget(ctx context.Context, req *proto.ResolveSSHTargetRequest) (*proto.ResolveSSHTargetResponse, error) {
+	rsp, err := c.grpc.ResolveSSHTarget(ctx, req)
+	return rsp, trace.Wrap(err)
+}
+
 // CreateSessionTracker creates a tracker resource for an active session.
 func (c *Client) CreateSessionTracker(ctx context.Context, st types.SessionTracker) (types.SessionTracker, error) {
 	v1, ok := st.(*types.SessionTrackerV1)
@@ -5091,6 +5141,52 @@ func (c *Client) UpsertUserLastSeenNotification(ctx context.Context, req *notifi
 	return rsp, trace.Wrap(err)
 }
 
+// GetWorkloadIdentity returns a workload identity by name.
+func (c *Client) GetWorkloadIdentity(ctx context.Context, name string) (*workloadidentityv1pb.WorkloadIdentity, error) {
+	resp, err := c.WorkloadIdentityResourceServiceClient().GetWorkloadIdentity(ctx, &workloadidentityv1pb.GetWorkloadIdentityRequest{
+		Name: name,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// DeleteWorkloadIdentity deletes a workload identity by name. It will throw an
+// error if the workload identity does not exist.
+func (c *Client) DeleteWorkloadIdentity(ctx context.Context, name string) error {
+	_, err := c.WorkloadIdentityResourceServiceClient().DeleteWorkloadIdentity(ctx, &workloadidentityv1pb.DeleteWorkloadIdentityRequest{
+		Name: name,
+	})
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	return nil
+}
+
+// CreateWorkloadIdentity creates a new workload identity, it will not overwrite
+// an existing workload identity with the same name.
+func (c *Client) CreateWorkloadIdentity(ctx context.Context, r *workloadidentityv1pb.WorkloadIdentity) (*workloadidentityv1pb.WorkloadIdentity, error) {
+	resp, err := c.WorkloadIdentityResourceServiceClient().CreateWorkloadIdentity(ctx, &workloadidentityv1pb.CreateWorkloadIdentityRequest{
+		WorkloadIdentity: r,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// UpsertWorkloadIdentity creates or updates a workload identity.
+func (c *Client) UpsertWorkloadIdentity(ctx context.Context, r *workloadidentityv1pb.WorkloadIdentity) (*workloadidentityv1pb.WorkloadIdentity, error) {
+	resp, err := c.WorkloadIdentityResourceServiceClient().UpsertWorkloadIdentity(ctx, &workloadidentityv1pb.UpsertWorkloadIdentityRequest{
+		WorkloadIdentity: r,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
 // ResourceUsageClient returns an unadorned Resource Usage service client,
 // using the underlying Auth gRPC connection.
 // Clients connecting to non-Enterprise clusters, or older Teleport versions,