From e9209770051ae86b45f5e830d399cb99233756a9 Mon Sep 17 00:00:00 2001
From: Paul Gottschling
Date: Wed, 30 Oct 2024 14:22:12 -0400
Subject: [PATCH] Restructure docs menu pages (#48151)

Backports #47797

Docusaurus [sidebar generation](https://docusaurus.io/docs/next/sidebar/autogenerated) expects category index pages to have one of three file path conventions:

- `section/index.mdx`
- `section/README.mdx`
- `section/section.mdx`

This change standardizes category index paths on the third convention so Docusaurus sidebar generation succeeds. We can then add checks to the current docs site to prevent additional menu pages from violating this convention.

This change also adds redirects to the new category index pages, and updates internal links to pages that were moved.

Note that this change does not move all relevant menu pages. We still need to reorganize the `reference/terraform-provider` section. Since this section is automatically generated, we need another approach to restructuring it.
---
 CHANGELOG.md | 35 ++++----- docs/config.json | 2 +- .../access-controls/access-controls.mdx | 8 +- .../{ => access-lists}/access-lists.mdx | 4 +- .../access-request-plugins.mdx | 2 +- .../{ => access-requests}/access-requests.mdx | 10 +-- .../access-requests/oss-role-requests.mdx | 2 +- .../access-requests/resource-requests.mdx | 4 +- .../access-requests/role-requests.mdx | 2 +- .../compliance-frameworks.mdx | 4 +- .../compliance-frameworks/soc2.mdx | 8 +- .../{ => device-trust}/device-trust.mdx | 8 +- .../device-trust/jamf-integration.mdx | 2 +- .../access-controls/guides/dual-authz.mdx | 2 +- .../access-controls/{ => guides}/guides.mdx | 0 .../access-controls/guides/locking.mdx | 2 +- .../admin-guides/access-controls/idps.mdx | 13 ---- .../access-controls/idps/idps.mdx | 13 ++++ .../access-controls/login-rules/guide.mdx | 2 +- .../{ => login-rules}/login-rules.mdx | 8 +- .../access-controls/{ => sso}/sso.mdx | 44 +++++------ docs/pages/admin-guides/api/access-plugin.mdx | 4 +- docs/pages/admin-guides/api/api.mdx | 4 +- 
.../api/automatically-register-agents.mdx | 6 -- .../admin-guides/api/getting-started.mdx | 2 +- docs/pages/admin-guides/api/rbac.mdx | 2 +- .../access-graph/self-hosted-helm.mdx | 2 +- .../deploy-a-cluster/deployments.mdx | 19 ----- .../aws-ha-autoscale-cluster-terraform.mdx | 2 +- .../aws-starter-cluster-terraform.mdx | 2 +- .../deployments/deployments.mdx | 19 +++++ .../helm-deployments.mdx | 18 ++--- .../helm-deployments/kubernetes-cluster.mdx | 2 +- .../deploy-a-cluster/high-availability.mdx | 12 +-- .../infrastructure-as-code.mdx | 20 ++--- .../infrastructure-as-code/kubernetes.mdx | 4 +- .../teleport-operator.mdx | 5 +- .../terraform-provider.mdx | 10 +-- .../infrastructure-as-code/terraform.mdx | 4 +- docs/pages/admin-guides/management/admin.mdx | 30 -------- .../admin-guides/management/admin/admin.mdx | 30 ++++++++ .../management/admin/trustedclusters.mdx | 4 +- .../admin-guides/management/admin/users.mdx | 2 +- .../admin-guides/management/diagnostics.mdx | 11 --- .../management/diagnostics/diagnostics.mdx | 11 +++ .../management/diagnostics/metrics.mdx | 2 +- .../export-audit-events.mdx | 7 +- .../management/external-audit-storage.mdx | 2 +- .../management/guides/ec2-tags.mdx | 2 +- .../management/{ => guides}/guides.mdx | 7 +- .../admin-guides/management/operations.mdx | 19 ----- .../management/operations/db-ca-rotation.mdx | 4 +- .../management/operations/operations.mdx | 16 ++++ .../management/operations/tls-routing.mdx | 2 +- .../security/reduce-blast-radius.mdx | 2 +- .../management/{ => security}/security.mdx | 8 +- docs/pages/ai-assist.mdx | 2 +- .../pages/connect-your-client/gui-clients.mdx | 2 +- docs/pages/connect-your-client/tsh.mdx | 2 +- .../{ => documentation}/documentation.mdx | 10 +-- docs/pages/core-concepts.mdx | 2 +- .../agents/deploy-agents-terraform.mdx | 9 ++- .../enroll-resources/agents/introduction.mdx | 4 +- .../agents/join-services-to-your-cluster.mdx | 22 ------ .../join-services-to-your-cluster/azure.mdx | 2 +- 
.../join-services-to-your-cluster.mdx | 22 ++++++ .../kubernetes.mdx | 6 +- .../cloud-apis/aws-console.mdx | 2 +- .../application-access/cloud-apis/azure.mdx | 2 +- .../{ => cloud-apis}/cloud-apis.mdx | 8 +- .../cloud-apis/google-cloud.mdx | 2 +- .../application-access/controls.mdx | 4 +- .../enroll-kubernetes-applications.mdx | 6 +- .../kubernetes-applications.mdx | 26 +++++++ .../application-access/guides.mdx | 19 ----- .../guides/dynamic-registration.mdx | 5 -- .../application-access/guides/guides.mdx | 19 +++++ .../application-access/introduction.mdx | 4 +- .../application-access/{ => jwt}/jwt.mdx | 4 +- .../application-access/okta.mdx | 12 --- .../application-access/okta/okta.mdx | 12 +++ .../database-access/architecture.mdx | 4 +- .../auto-user-provisioning.mdx | 13 ---- .../auto-user-provisioning.mdx | 16 ++++ .../database-access/database-access.mdx | 2 +- .../enroll-resources/database-access/faq.mdx | 2 +- .../database-access/getting-started.mdx | 4 +- .../guides/aws-cross-account.mdx | 5 +- .../database-access/guides/aws-discovery.mdx | 4 +- .../guides/dynamic-registration.mdx | 7 +- .../database-access/guides/elastic.mdx | 2 +- .../database-access/{ => guides}/guides.mdx | 1 + .../database-access/guides/ha.mdx | 5 +- .../database-access/guides/mysql-cloudsql.mdx | 2 +- .../guides/mysql-self-hosted.mdx | 2 +- .../guides/oracle-self-hosted.mdx | 4 +- .../guides/postgres-cloudsql.mdx | 2 +- .../guides/postgres-self-hosted.mdx | 2 +- .../database-access/guides/rds.mdx | 4 +- .../database-access/guides/vitess.mdx | 2 +- .../enroll-resources/database-access/rbac.mdx | 15 ---- .../rbac/configuring-access.mdx | 2 +- .../database-access/rbac/rbac.mdx | 8 ++ .../database-access/troubleshooting.mdx | 2 +- .../kubernetes-access/controls.mdx | 8 -- .../{ => discovery}/discovery.mdx | 6 +- .../kubernetes-access/faq.mdx | 3 - .../kubernetes-access/getting-started.mdx | 6 +- .../kubernetes-access/introduction.mdx | 4 +- .../{ => manage-access}/manage-access.mdx | 6 +- 
.../kubernetes-access/manage-access/rbac.mdx | 2 +- .../register-clusters.mdx | 10 +-- .../machine-id/access-guides.mdx | 25 ------- .../access-guides/access-guides.mdx | 25 +++++++ .../machine-id/access-guides/ansible.mdx | 2 +- .../machine-id/access-guides/applications.mdx | 2 +- .../machine-id/access-guides/databases.mdx | 4 +- .../machine-id/access-guides/kubernetes.mdx | 2 +- .../machine-id/access-guides/ssh.mdx | 2 +- .../machine-id/access-guides/tctl.mdx | 2 +- .../machine-id/access-guides/terraform.mdx | 2 +- .../machine-id/deployment.mdx | 74 ------------------- .../machine-id/deployment/aws.mdx | 2 +- .../machine-id/deployment/azure.mdx | 2 +- .../machine-id/deployment/circleci.mdx | 2 +- .../machine-id/deployment/deployment.mdx | 73 ++++++++++++++++++ .../machine-id/deployment/gcp.mdx | 2 +- .../machine-id/deployment/gitlab.mdx | 2 +- .../machine-id/deployment/kubernetes.mdx | 4 +- .../machine-id/deployment/linux.mdx | 2 +- .../machine-id/getting-started.mdx | 6 +- .../machine-id/introduction.mdx | 4 +- .../server-access/getting-started.mdx | 2 +- .../enroll-resources/server-access/guides.mdx | 22 ------ .../server-access/guides/guides.mdx | 22 ++++++ .../guides/host-user-creation.mdx | 2 +- .../server-access/guides/jetbrains-sftp.mdx | 4 +- .../server-access/guides/openssh.mdx | 9 --- .../server-access/guides/openssh/openssh.mdx | 9 +++ .../server-access/guides/vscode.mdx | 4 +- .../server-access/introduction.mdx | 2 +- .../enroll-resources/server-access/rbac.mdx | 2 +- docs/pages/faq.mdx | 2 +- .../aws-auto-discovery-prerequisite.mdx | 3 +- .../includes/database-access/create-user.mdx | 4 +- .../database-access/db-introduction.mdx | 2 +- .../database-access/guides-next-steps.mdx | 2 +- docs/pages/includes/edition-comparison.mdx | 5 +- .../includes/machine-id/configure-outputs.mdx | 5 +- .../machine-id/plugin-prerequisites.mdx | 5 +- docs/pages/index.mdx | 8 +- docs/pages/installation.mdx | 4 +- .../access-controls/access-lists.mdx | 2 +- 
.../pages/reference/access-controls/roles.mdx | 6 +- .../database-access-reference/cli.mdx | 2 +- .../architecture/agent-update-management.mdx | 7 +- .../architecture/api-architecture.mdx | 2 +- .../reference/architecture/architecture.mdx | 4 +- .../reference/architecture/authorization.mdx | 4 +- docs/pages/reference/architecture/nodes.mdx | 2 +- .../reference/architecture/tls-routing.mdx | 2 +- docs/pages/reference/{ => cli}/cli.mdx | 10 +-- docs/pages/reference/cloud-faq.mdx | 2 +- .../{ => helm-reference}/helm-reference.mdx | 16 ++-- .../helm-reference/teleport-cluster.mdx | 2 +- .../helm-reference/teleport-kube-agent.mdx | 10 +-- docs/pages/reference/monitoring/audit.mdx | 2 +- docs/pages/reference/predicate-language.mdx | 2 +- docs/pages/reference/resources.mdx | 8 +- docs/pages/upgrading/overview.mdx | 2 +- .../self-hosted-automatic-agent-updates.mdx | 2 +- docs/pages/{ => upgrading}/upgrading.mdx | 12 +-- 172 files changed, 638 insertions(+), 652 deletions(-) rename docs/pages/admin-guides/access-controls/{ => access-lists}/access-lists.mdx (74%) rename docs/pages/admin-guides/access-controls/{ => access-request-plugins}/access-request-plugins.mdx (98%) rename docs/pages/admin-guides/access-controls/{ => access-requests}/access-requests.mdx (85%) rename docs/pages/admin-guides/access-controls/{ => compliance-frameworks}/compliance-frameworks.mdx (83%) rename docs/pages/admin-guides/access-controls/{ => device-trust}/device-trust.mdx (94%) rename docs/pages/admin-guides/access-controls/{ => guides}/guides.mdx (100%) delete mode 100644 docs/pages/admin-guides/access-controls/idps.mdx create mode 100644 docs/pages/admin-guides/access-controls/idps/idps.mdx rename docs/pages/admin-guides/access-controls/{ => login-rules}/login-rules.mdx (90%) rename docs/pages/admin-guides/access-controls/{ => sso}/sso.mdx (89%) delete mode 100644 docs/pages/admin-guides/deploy-a-cluster/deployments.mdx create mode 100644 
docs/pages/admin-guides/deploy-a-cluster/deployments/deployments.mdx rename docs/pages/admin-guides/deploy-a-cluster/{ => helm-deployments}/helm-deployments.mdx (55%) rename docs/pages/admin-guides/{ => infrastructure-as-code}/infrastructure-as-code.mdx (93%) rename docs/pages/admin-guides/infrastructure-as-code/{ => teleport-operator}/teleport-operator.mdx (97%) rename docs/pages/admin-guides/infrastructure-as-code/{ => terraform-provider}/terraform-provider.mdx (93%) delete mode 100644 docs/pages/admin-guides/management/admin.mdx create mode 100644 docs/pages/admin-guides/management/admin/admin.mdx delete mode 100644 docs/pages/admin-guides/management/diagnostics.mdx create mode 100644 docs/pages/admin-guides/management/diagnostics/diagnostics.mdx rename docs/pages/admin-guides/management/{ => export-audit-events}/export-audit-events.mdx (81%) rename docs/pages/admin-guides/management/{ => guides}/guides.mdx (68%) delete mode 100644 docs/pages/admin-guides/management/operations.mdx create mode 100644 docs/pages/admin-guides/management/operations/operations.mdx rename docs/pages/admin-guides/management/{ => security}/security.mdx (76%) rename docs/pages/contributing/{ => documentation}/documentation.mdx (76%) delete mode 100644 docs/pages/enroll-resources/agents/join-services-to-your-cluster.mdx create mode 100644 docs/pages/enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx rename docs/pages/enroll-resources/application-access/{ => cloud-apis}/cloud-apis.mdx (80%) rename docs/pages/enroll-resources/application-access/{ => enroll-kubernetes-applications}/enroll-kubernetes-applications.mdx (80%) create mode 100644 docs/pages/enroll-resources/application-access/enroll-kubernetes-applications/kubernetes-applications.mdx delete mode 100644 docs/pages/enroll-resources/application-access/guides.mdx create mode 100644 docs/pages/enroll-resources/application-access/guides/guides.mdx rename 
docs/pages/enroll-resources/application-access/{ => jwt}/jwt.mdx (62%) delete mode 100644 docs/pages/enroll-resources/application-access/okta.mdx create mode 100644 docs/pages/enroll-resources/application-access/okta/okta.mdx delete mode 100644 docs/pages/enroll-resources/database-access/auto-user-provisioning.mdx create mode 100644 docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx rename docs/pages/enroll-resources/database-access/{ => guides}/guides.mdx (99%) delete mode 100644 docs/pages/enroll-resources/database-access/rbac.mdx create mode 100644 docs/pages/enroll-resources/database-access/rbac/rbac.mdx rename docs/pages/enroll-resources/kubernetes-access/{ => discovery}/discovery.mdx (96%) rename docs/pages/enroll-resources/kubernetes-access/{ => manage-access}/manage-access.mdx (81%) rename docs/pages/enroll-resources/kubernetes-access/{ => register-clusters}/register-clusters.mdx (60%) delete mode 100644 docs/pages/enroll-resources/machine-id/access-guides.mdx create mode 100644 docs/pages/enroll-resources/machine-id/access-guides/access-guides.mdx delete mode 100644 docs/pages/enroll-resources/machine-id/deployment.mdx create mode 100644 docs/pages/enroll-resources/machine-id/deployment/deployment.mdx delete mode 100644 docs/pages/enroll-resources/server-access/guides.mdx create mode 100644 docs/pages/enroll-resources/server-access/guides/guides.mdx delete mode 100644 docs/pages/enroll-resources/server-access/guides/openssh.mdx create mode 100644 docs/pages/enroll-resources/server-access/guides/openssh/openssh.mdx rename docs/pages/reference/{ => cli}/cli.mdx (79%) rename docs/pages/reference/{ => helm-reference}/helm-reference.mdx (60%) rename docs/pages/{ => upgrading}/upgrading.mdx (77%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b789e53cf89b..49acd47ed4f65 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -859,7 +859,8 @@ applications in Kubernetes clusters. When connected to a Kubernetes cluster (or deployed as a Helm chart), the Teleport Discovery Service will automatically find and enroll web applications with your Teleport cluster. -See documentation [here](docs/pages/enroll-resources/application-access/enroll-kubernetes-applications.mdx). +See documentation +[here](docs/pages/enroll-resources/application-access/enroll-kubernetes-applications/kubernetes-applications.mdx). #### Extended Kubernetes per-resource RBAC @@ -1761,7 +1762,7 @@ This will allow users to view the OpenSSH nodes in Web UI and using `tsh ls` and use RBAC to control access to them. See the updated [OpenSSH integration -guide](docs/pages/enroll-resources/server-access/guides/openssh.mdx). +guide](docs/pages/enroll-resources/server-access/guides/openssh/openssh.mdx). ### Cross-cluster search for Teleport Connect @@ -2962,7 +2963,7 @@ is more than one major version behind them. You can use the `--skip-version-chec bypass the version check. Take a look at component compatibility guarantees in the -[documentation](docs/pages/upgrading.mdx). +[documentation](docs/pages/upgrading/upgrading.mdx). #### HTTP_PROXY for reverse tunnels @@ -3951,7 +3952,7 @@ if err = clt.CreateAccessRequest(ctx, accessRequest); err != nil { ### Upgrade Notes -Please follow our [standard upgrade procedure](docs/pages/admin-guides/management/admin.mdx) to upgrade your cluster. +Please follow our [standard upgrade procedure](docs/pages/admin-guides/management/admin/admin.mdx) to upgrade your cluster. Note, for clusters using GitHub SSO and Trusted Clusters, when upgrading SSO users will lose connectivity to leaf clusters. Local users will not be affected. 
@@ -4201,8 +4202,8 @@ Teleport 5.0 also iterates on the UI Refresh from 4.3. We've moved the cluster l Other updates: * We now provide local user management via `https://[cluster-url]/web/users`, providing the ability to edit, reset and delete local users. -* Teleport Node & App Install scripts. This is currently an Enterprise-only feature that provides customers with an installer script. Enterprise customers can enable this feature by modifying the 'token' resource. See note above. -* We've added a Waiting Room for customers using Access Workflows. [Docs](docs/pages/admin-guides/access-controls/access-request-plugins.mdx) +* Teleport Node & App Install scripts. This is currently an Enterprise-only feature that provides customers with an 'auto-magic' installer script. Enterprise customers can enable this feature by modifying the 'token' resource. See note above. +* We've added a Waiting Room for customers using Access Workflows. [Docs](docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx) ##### Signed RPM and Releases @@ -4236,7 +4237,7 @@ We've added an [API Guide](docs/pages/admin-guides/api/api.mdx) to simply develo #### Upgrade Notes -Please follow our [standard upgrade procedure](./docs/pages/upgrading.mdx). +Please follow our [standard upgrade procedure](docs/pages/upgrading/upgrading.mdx). * Optional: Consider updating `https_key_file` & `https_cert_file` to our new `https_keypairs:` format. * Optional: Consider migrating Kubernetes access from `proxy_service` to `kubernetes_service` after the upgrade. @@ -4380,7 +4381,7 @@ auth_service: #### Upgrade Notes Please follow our [standard upgrade -procedure](docs/pages/upgrading.mdx). +procedure](docs/pages/upgrading/upgrading.mdx). ## 4.3.9 
@@ -4465,7 +4466,7 @@ Teleport's Web UI now exposes Teleport’s Audit log, letting auditors and admin ##### Teleport Plugins -Teleport 4.3 introduces four new plugins that work out of the box with [Approval Workflow](docs/pages/admin-guides/access-controls/access-request-plugins.mdx). These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below. +Teleport 4.3 introduces four new plugins that work out of the box with [Approval Workflow](docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx). These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below. * [PagerDuty](docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx) * [Jira](docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-jira.mdx) @@ -4501,7 +4502,7 @@ Teleport 4.3 introduces four new plugins that work out of the box with [Approval #### Upgrade Notes Always follow the [recommended upgrade -procedure](./docs/pages/upgrading.mdx) to upgrade to this version. +procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version. ##### New Signing Algorithm @@ -4542,7 +4543,7 @@ permissions](./docs/pages/enroll-resources/kubernetes-access/controls.mdx). The [etcd backend](docs/pages/reference/backends.mdx#etcd) now correctly uses the “prefix” config value when storing data. Upgrading from 4.2 to 4.3 will migrate the data as needed at startup. Make sure you follow our Teleport -[upgrade guidance](docs/pages/upgrading.mdx). +[upgrade guidance](docs/pages/upgrading/upgrading.mdx). **Note: If you use an etcd backend with a non-default prefix and need to downgrade from 4.3 to 4.2, you should [backup Teleport data and restore it](docs/pages/admin-guides/management/operations/backup-restore.mdx) into the downgraded cluster.** 
@@ -4665,7 +4666,7 @@ This is a minor Teleport release with a focus on new features and bug fixes. ### Improvements * Alpha: Enhanced Session Recording lets you know what's really happening during a Teleport Session. [#2948](https://github.com/gravitational/teleport/issues/2948) -* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](docs/pages/admin-guides/access-controls/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006) +* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006) * Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. [Read the docs](docs/pages/admin-guides/deploy-a-cluster/deployments/gcp.mdx). [#2821](https://github.com/gravitational/teleport/pull/2821) * Remote tctl execution is now possible. [Read the docs](./docs/pages/reference/cli/tctl.mdx). [#1525](https://github.com/gravitational/teleport/issues/1525) [#2991](https://github.com/gravitational/teleport/issues/2991) @@ -4921,7 +4922,7 @@ The lists of improvements and bug fixes above mention only the significant chang ### Upgrading -Teleport 4.0 is backwards compatible with Teleport 3.2 and later. [Follow the recommended upgrade procedure to upgrade to this version.](docs/pages/upgrading.mdx) +Teleport 4.0 is backwards compatible with Teleport 3.2 and later. [Follow the recommended upgrade procedure to upgrade to this version.](docs/pages/upgrading/upgrading.mdx) Note that due to substantial changes between Teleport 3.2 and 4.0, we recommend creating a backup of the backend datastore (DynamoDB, etcd, or dir) before upgrading a cluster to Teleport 4.0 to allow downgrades. 
@@ -5189,7 +5190,7 @@ on Github for more. #### Upgrading to 3.0 Follow the [recommended upgrade -procedure](docs/pages/upgrading.mdx) to upgrade to this +procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version. **WARNING:** if you are using Teleport with the etcd back-end, make sure your @@ -5295,7 +5296,7 @@ As always, this release contains several bug fixes. The full list can be seen [h #### Upgrading Follow the [recommended upgrade -procedure](docs/pages/upgrading.mdx) to upgrade to this +procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version. ## 2.6.9 @@ -5425,7 +5426,7 @@ You can see the full list of 2.6.0 changes [here](https://github.com/gravitation #### Upgrading Follow the [recommended upgrade -procedure](docs/pages/upgrading.mdx) to upgrade to this +procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version. ## 2.5.7 @@ -5512,7 +5513,7 @@ release, which includes: * The Teleport daemon now implements built-in connection draining which allows zero-downtime upgrades. [See - documentation](docs/pages/upgrading.mdx). + documentation](docs/pages/upgrading/upgrading.mdx). * Dynamic join tokens for new nodes can now be explicitly set via `tctl node add --token`. This allows Teleport admins to use an external mechanism for generating diff --git a/docs/config.json b/docs/config.json index fd37c89f43fdd..2a59b881febb5 100644 --- a/docs/config.json +++ b/docs/config.json @@ -22,7 +22,7 @@ }, { "title": "Upgrading", - "slug": "/upgrading/", + "slug": "/upgrading/upgrading/", "entries": [ { "title": "Compatibility Overview", diff --git a/docs/pages/admin-guides/access-controls/access-controls.mdx b/docs/pages/admin-guides/access-controls/access-controls.mdx index fbdb8af924a03..bf510140e1614 100644 --- a/docs/pages/admin-guides/access-controls/access-controls.mdx +++ b/docs/pages/admin-guides/access-controls/access-controls.mdx 
@@ -32,7 +32,7 @@ that specifies access policies for resources in your Teleport cluster. Assigning a role to a Teleport user applies the policies listed in the role to the user. -See the [Cluster Access and RBAC](./guides.mdx) section for instructions on +See the [Cluster Access and RBAC](guides/guides.mdx) section for instructions on setting up Teleport roles. ## Integrate with your Single Sign-On provider @@ -46,7 +46,7 @@ automatically assigns roles to the user based on data provided by the IdP. This means that you can implement a fully fledged infrastructure RBAC system based on your existing Single Sign-On solution. -Read our [Single Sign-On guide](./sso.mdx) to get started. +Read our [Single Sign-On guide](sso/sso.mdx) to get started. ## Enable Access Requests @@ -55,13 +55,13 @@ resources in your infrastructure based on the approval of other users. You can set up your RBAC so all privileged access is short lived, and there are no longstanding admin roles for attackers to hijack. -[Get started with Access Requests](./access-requests.mdx). +[Get started with Access Requests](access-requests/access-requests.mdx). You can integrate Teleport with your existing communication tool, e.g., Slack, PagerDuty, or Microsoft Teams, so Teleport users can easily create and approve Access Requests. -[Get started with Access Request plugins](access-request-plugins.mdx). +[Get started with Access Request plugins](access-request-plugins/access-request-plugins.mdx). ## Achieve compliance diff --git a/docs/pages/admin-guides/access-controls/access-lists.mdx b/docs/pages/admin-guides/access-controls/access-lists/access-lists.mdx similarity index 74% rename from docs/pages/admin-guides/access-controls/access-lists.mdx rename to docs/pages/admin-guides/access-controls/access-lists/access-lists.mdx index f2b504c966559..c7501f5f6e368 100644 --- a/docs/pages/admin-guides/access-controls/access-lists.mdx +++ b/docs/pages/admin-guides/access-controls/access-lists/access-lists.mdx 
@@ -9,6 +9,6 @@ managed within Teleport. With Access Lists, administrators and access list owners can regularly audit and control membership to specific roles and traits, which then tie easily back into Teleport's existing RBAC system. -[Getting Started with Access Lists](./access-lists/guide.mdx) +[Getting Started with Access Lists](guide.mdx) -[Access List Reference](../../reference/access-controls/access-lists.mdx) +[Access List Reference](../../../reference/access-controls/access-lists.mdx) diff --git a/docs/pages/admin-guides/access-controls/access-request-plugins.mdx b/docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx similarity index 98% rename from docs/pages/admin-guides/access-controls/access-request-plugins.mdx rename to docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx index e98548fd80f70..3d9dbd61c1c0c 100644 --- a/docs/pages/admin-guides/access-controls/access-request-plugins.mdx +++ b/docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx @@ -55,4 +55,4 @@ workflows by reading our setup guides: To read more about the architecture of an Access Request plugin, and start writing your own, read our [Access Request plugin development -guide](../api/access-plugin.mdx). +guide](../../api/access-plugin.mdx). diff --git a/docs/pages/admin-guides/access-controls/access-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx similarity index 85% rename from docs/pages/admin-guides/access-controls/access-requests.mdx rename to docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx index 9e820ac3a8a7c..6ca980f2db8c2 100644 --- a/docs/pages/admin-guides/access-controls/access-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx 
@@ -16,7 +16,7 @@ be configured with limited cluster access so they are not high value targets. Access Requests are designed to provide temporary permissions to users. If you want to grant longstanding permissions to a group of users, with the option to renew these permissions after a recurring interval (such as three months), -consider [Access Lists](access-lists.mdx). +consider [Access Lists](../access-lists/access-lists.mdx). ## See how Access Requests work @@ -26,12 +26,12 @@ and **Resource Access Requests**. With Role Access Requests, engineers can request temporary credentials with elevated roles in order to perform critical system-wide tasks. -[Get started with Role Access Requests](./access-requests/role-requests.mdx). +[Get started with Role Access Requests](role-requests.mdx). With Resource Access Requests, engineers can easily get access to only the individual resources they need, when they need it. -[Get started with Resource Access Requests](./access-requests/resource-requests.mdx). +[Get started with Resource Access Requests](resource-requests.mdx). ## Configure Access Requests @@ -44,7 +44,7 @@ including: - How many users can approve or deny different kinds of requests. Read the [Access Request -Configuration](access-requests/access-request-configuration.mdx) guide for an +Configuration](access-request-configuration.mdx) guide for an overview of the configuration options available for Access Requests. ## Teleport Community Edition users @@ -56,6 +56,6 @@ including Resource Access Requests managing Access Requests via the Web UI are available in Teleport Enterprise. For information on how to use Just-in-time Access Requests with Teleport Community -Edition, see [Teleport Community Access Requests](./access-requests/oss-role-requests.mdx). +Edition, see [Teleport Community Access Requests](oss-role-requests.mdx). 
diff --git a/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx index 7e08b72e09aad..cd364ddc76544 100644 --- a/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/oss-role-requests.mdx @@ -153,7 +153,7 @@ $ tctl request approve \ ## Next Steps -- Learn more about [Access Requests](../access-requests.mdx) +- Learn more about [Access Requests](access-requests.mdx) - See what additional features are available for [role requests](./role-requests.mdx) in Teleport Enterprise - Request access to [specific resources](./resource-requests.mdx) with Teleport Enterprise \ No newline at end of file diff --git a/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx index d377f2d5aac66..a25c57eb0295a 100644 --- a/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx @@ -165,7 +165,7 @@ However, it prevents you from access any resources belonging to another namespac Advanced filters and queries are supported. See our -[filtering reference](../../../reference/cli.mdx) for more information. +[filtering reference](../../../reference/cli/cli.mdx) for more information. Try narrowing your search to a specific resource you want to access. @@ -636,4 +636,4 @@ within your organization's existing messaging and project management solutions. ## Next Steps -- Learn more about [Access Lists](../access-lists.mdx) +- Learn more about [Access Lists](../access-lists/access-lists.mdx) diff --git a/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx index e6d9d16a7b043..cf225d2e7c6b8 100644 
--- a/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/role-requests.mdx @@ -170,5 +170,5 @@ just-in-time Access Request workflow for your organization. Access Lists enable you to assign privileges to groups of users for a fixed period of time. Learn more about Access Lists in the -[documentation](../access-lists.mdx). +[documentation](../access-lists/access-lists.mdx). diff --git a/docs/pages/admin-guides/access-controls/compliance-frameworks.mdx b/docs/pages/admin-guides/access-controls/compliance-frameworks/compliance-frameworks.mdx similarity index 83% rename from docs/pages/admin-guides/access-controls/compliance-frameworks.mdx rename to docs/pages/admin-guides/access-controls/compliance-frameworks/compliance-frameworks.mdx index 7bc35e8c84a49..6ee2dcd7f4484 100644 --- a/docs/pages/admin-guides/access-controls/compliance-frameworks.mdx +++ b/docs/pages/admin-guides/access-controls/compliance-frameworks/compliance-frameworks.mdx @@ -10,5 +10,5 @@ settings within Teleport. Follow our guides to see how to use Teleport to achieve compliance: -- [FedRAMP](./compliance-frameworks/fedramp.mdx) -- [SOC 2](./compliance-frameworks/soc2.mdx) +- [FedRAMP](fedramp.mdx) +- [SOC 2](soc2.mdx) diff --git a/docs/pages/admin-guides/access-controls/compliance-frameworks/soc2.mdx b/docs/pages/admin-guides/access-controls/compliance-frameworks/soc2.mdx index 784bb3c83edf0..2b2f04847c331 100644 --- a/docs/pages/admin-guides/access-controls/compliance-frameworks/soc2.mdx +++ b/docs/pages/admin-guides/access-controls/compliance-frameworks/soc2.mdx 
@@ -58,16 +58,16 @@ Each principle has many "Points of Focus" which will apply differently to differ | CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. | [Invite nodes to your cluster with short lived tokens](../../../enroll-resources/agents/join-services-to-your-cluster/join-token.mdx) | | CC6.1 - Uses Encryption to Protect Data | The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. | Teleport Audit logs can use DynamoDB encryption at rest. | | CC6.1 - Protects Encryption Keys | Processes are in place to protect encryption keys during generation, storage, use, and destruction. | Teleport acts as a Certificate Authority to issue SSH and x509 user certificates that are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically | -| CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. | [Request Approval from the command line](../../../reference/cli/tctl.mdx)

[Build Approval Workflows with Access Requests](../../access-controls/access-requests.mdx)

[Use Plugins to send approvals to tools like Slack or Jira](../../access-controls/access-requests.mdx) | -| CC6.2 - Removes Access to Protected Assets When Appropriate | Processes are in place to remove credential access when an individual no longer requires such access. | [Teleport issues temporary credentials based on an employees role and are revoked upon job change, termination or end of a maintenance window](../../access-controls/access-requests.mdx) | +| CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. | [Request Approval from the command line](../../../reference/cli/tctl.mdx)

[Build Approval Workflows with Access Requests](../access-requests/access-requests.mdx)

[Use Plugins to send approvals to tools like Slack or Jira](../access-requests/access-requests.mdx) | +| CC6.2 - Removes Access to Protected Assets When Appropriate | Processes are in place to remove credential access when an individual no longer requires such access. | [Teleport issues temporary credentials based on an employees role and are revoked upon job change, termination or end of a maintenance window](../access-requests/access-requests.mdx) | | CC6.2 - Reviews Appropriateness of Access Credentials | The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials. | Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. | -| CC6.3 - Creates or Modifies Access to Protected Information Assets | Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. | [Build Approval Workflows with Access Requests](../../access-controls/access-requests.mdx) to get authorization from asset owners. | +| CC6.3 - Creates or Modifies Access to Protected Information Assets | Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. | [Build Approval Workflows with Access Requests](../access-requests/access-requests.mdx) to get authorization from asset owners. | | CC6.3 - Removes Access to Protected Information Assets | Processes are in place to remove access to protected information assets when an individual no longer requires access. | Teleport uses temporary credentials and can be integrated with your version control system or even your HR system to [revoke access with the Access requests API](../../api/api.mdx) | | CC6.3 - Uses Role-Based Access Controls | Role-based access control is utilized to support segregation of incompatible functions. 
| [Role based access control ("RBAC") allows Teleport administrators to grant granular access permissions to users.](../access-controls.mdx) | | CC6.3 - Reviews Access Roles and Rules | The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals with access and access rules are modified as appropriate. | Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. | | CC6.6 - Restricts Access | The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. | Teleport makes it easy to restrict access to common ports like 21, 22 and instead have users [tunnel to the server](../../../faq.mdx) using Teleport. [Teleport uses the following default ports.](../../../reference/networking.mdx) | | CC6.6 - Protects Identification and Authentication Credentials | Identification and authentication credentials are protected during transmission outside system boundaries. | [Yes, Teleport protects credentials outside your network allowing for Zero Trust network architecture](https://goteleport.com/blog/applying-principles-of-zero-trust-to-ssh/) | -| CC6.6 - Requires Additional Authentication or Credentials | Additional authentication information or credentials are required when accessing the system from outside its boundaries. | [Yes, Teleport can manage MFA with TOTP, WebAuthn or U2F Standards or connect to your Identity Provider using SAML, OAUTH or OIDC](../../access-controls/sso.mdx) | +| CC6.6 - Requires Additional Authentication or Credentials | Additional authentication information or credentials are required when accessing the system from outside its boundaries. 
| [Yes, Teleport can manage MFA with TOTP, WebAuthn or U2F Standards or connect to your Identity Provider using SAML, OAUTH or OIDC](../sso/sso.mdx) | | CC6.6 - Implements Boundary Protection Systems | Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. | [Trusted clusters](../../management/admin/trustedclusters.mdx) | | CC6.7 - Uses Encryption Technologies or Secure Communication Channels to Protect Data | Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. | [Teleport has strong encryption including a FedRAMP compliant FIPS mode](./fedramp.mdx#start-teleport-in-fips-mode) | | CC7.2 - Implements Detection Policies, Procedures, and Tools | Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. | [Teleport creates detailed SSH Audit Logs with Metadata](../../../reference/monitoring/audit.mdx)

[Use BPF Session Recording to catch malicious program execution](../../../enroll-resources/server-access/guides/bpf-session-recording.mdx) | diff --git a/docs/pages/admin-guides/access-controls/device-trust.mdx b/docs/pages/admin-guides/access-controls/device-trust/device-trust.mdx similarity index 94% rename from docs/pages/admin-guides/access-controls/device-trust.mdx rename to docs/pages/admin-guides/access-controls/device-trust/device-trust.mdx index c918933bf3e85..acb1da81d4520 100644 --- a/docs/pages/admin-guides/access-controls/device-trust.mdx +++ b/docs/pages/admin-guides/access-controls/device-trust/device-trust.mdx @@ -91,7 +91,7 @@ enforcement and Cluster-wide enforcement. ## Guides -- [Getting Started with Device Trust](./device-trust/guide.mdx) -- [Device Management](./device-trust/device-management.mdx) -- [Enforcing Device Trust](./device-trust/enforcing-device-trust.mdx) -- [Jamf Pro Integration](./device-trust/jamf-integration.mdx) +- [Getting Started with Device Trust](guide.mdx) +- [Device Management](device-management.mdx) +- [Enforcing Device Trust](enforcing-device-trust.mdx) +- [Jamf Pro Integration](jamf-integration.mdx) diff --git a/docs/pages/admin-guides/access-controls/device-trust/jamf-integration.mdx b/docs/pages/admin-guides/access-controls/device-trust/jamf-integration.mdx index 38a4c553582a4..6bd2d53cbe122 100644 --- a/docs/pages/admin-guides/access-controls/device-trust/jamf-integration.mdx +++ b/docs/pages/admin-guides/access-controls/device-trust/jamf-integration.mdx @@ -14,7 +14,7 @@ Teleport if a computer is removed from Jamf Pro. Syncing devices from Jamf Pro is an **inventory management** step, equivalent to automatically running the corresponding `tctl devices add` commands. -See the [Device Trust guide](../device-trust.mdx) for fundamental Device Trust concepts +See the [Device Trust guide](device-trust.mdx) for fundamental Device Trust concepts and behavior.
diff --git a/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx b/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx index a2911d4988df2..74819d3612c15 100644 --- a/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx +++ b/docs/pages/admin-guides/access-controls/guides/dual-authz.mdx @@ -14,7 +14,7 @@ In this guide, we will set up Teleport's Just-in-Time Access Requests to require the approval of two team members for a privileged role `dbadmin`. The steps below describe how to use Teleport with Mattermost. You can also -[integrate with many other providers](../access-requests.mdx). +[integrate with many other providers](../access-requests/access-requests.mdx). diff --git a/docs/pages/admin-guides/access-controls/guides.mdx b/docs/pages/admin-guides/access-controls/guides/guides.mdx similarity index 100% rename from docs/pages/admin-guides/access-controls/guides.mdx rename to docs/pages/admin-guides/access-controls/guides/guides.mdx diff --git a/docs/pages/admin-guides/access-controls/guides/locking.mdx b/docs/pages/admin-guides/access-controls/guides/locking.mdx index 1141a216a01d6..bb8cef918c4b2 100644 --- a/docs/pages/admin-guides/access-controls/guides/locking.mdx +++ b/docs/pages/admin-guides/access-controls/guides/locking.mdx @@ -22,7 +22,7 @@ A lock can target the following objects or attributes: - a Teleport agent by the agent's server UUID (effectively unregistering it from the cluster) - a Windows desktop by the desktop's name -- an [Access Request](../access-requests.mdx) by UUID +- an [Access Request](../access-requests/access-requests.mdx) by UUID ## Prerequisites diff --git a/docs/pages/admin-guides/access-controls/idps.mdx b/docs/pages/admin-guides/access-controls/idps.mdx deleted file mode 100644 index 347b7840b9391..0000000000000 --- a/docs/pages/admin-guides/access-controls/idps.mdx +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -title: Configure Teleport as an identity provider -description: How to set up Teleport's identity provider functionality ---- - -Users can authenticate to both internal and external applications -through the use of a built in identity provider in Teleport. - -- [SAML Guide](./idps/saml-guide.mdx): A guide for setting up an example application to integration with the SAML identity provider. -- [SAML Attribute Mapping](./idps/saml-attribute-mapping.mdx): A reference on how attribute mapping works in Teleport and how to -use it to assert custom user attribute name and values in a SAML response. -- [Use Teleport's SAML Provider to authenticate with Grafana](./idps/saml-grafana.mdx): Configure Grafana to authenticate using Teleport identities. -- [SAML Reference](../../reference/access-controls/saml-idp.mdx): A reference for Teleport's SAML identity provider. diff --git a/docs/pages/admin-guides/access-controls/idps/idps.mdx b/docs/pages/admin-guides/access-controls/idps/idps.mdx new file mode 100644 index 0000000000000..2c4daa37a4ae8 --- /dev/null +++ b/docs/pages/admin-guides/access-controls/idps/idps.mdx 
@@ -0,0 +1,13 @@ +--- +title: Configure Teleport as an identity provider +description: How to set up Teleport's identity provider functionality +--- + +Users can authenticate to both internal and external applications +through the use of a built in identity provider in Teleport. + +- [SAML Guide](saml-guide.mdx): A guide for setting up an example application to integration with the SAML identity provider. +- [SAML Attribute Mapping](saml-attribute-mapping.mdx): A reference on how attribute mapping works in Teleport and how to +use it to assert custom user attribute name and values in a SAML response. +- [Use Teleport's SAML Provider to authenticate with Grafana](saml-grafana.mdx): Configure Grafana to authenticate using Teleport identities. +- [SAML Reference](../../../reference/access-controls/saml-idp.mdx): A reference for Teleport's SAML identity provider. diff --git a/docs/pages/admin-guides/access-controls/login-rules/guide.mdx b/docs/pages/admin-guides/access-controls/login-rules/guide.mdx index c42a66e4548c3..9ddcc3203a72e 100644 --- a/docs/pages/admin-guides/access-controls/login-rules/guide.mdx +++ b/docs/pages/admin-guides/access-controls/login-rules/guide.mdx @@ -17,7 +17,7 @@ cluster on version `11.3.1` or greater. Login Rules only operate on SSO logins, so make sure you have configured an OIDC, SAML, or GitHub connector before you begin. -Check the [Single Sign-On](../sso.mdx) docs to learn how to set this up. +Check the [Single Sign-On](../sso/sso.mdx) docs to learn how to set this up. ## Step 1/5. Configure RBAC diff --git a/docs/pages/admin-guides/access-controls/login-rules.mdx b/docs/pages/admin-guides/access-controls/login-rules/login-rules.mdx similarity index 90% rename from docs/pages/admin-guides/access-controls/login-rules.mdx rename to docs/pages/admin-guides/access-controls/login-rules/login-rules.mdx index 3b4ca696ae8d6..f1aa1fdb8cb57 100644 --- a/docs/pages/admin-guides/access-controls/login-rules.mdx 
+++ b/docs/pages/admin-guides/access-controls/login-rules/login-rules.mdx @@ -20,7 +20,7 @@ Some use cases for Login Rules are: traits will be included in your user's SSH certificates and JWTs, which can become too large for some third-party applications to handle. Login Rules can filter out unnecessary traits and keep just the ones you need. -- When you have multiple [Role Templates](./guides/role-templates.mdx) repeating +- When you have multiple [Role Templates](../guides/role-templates.mdx) repeating the same logic to combine and transform external traits, consider using Login Rules to consolidate the logic to one place and simplify your Roles. @@ -43,13 +43,13 @@ traits_map: - 'ifelse(external.groups.contains("db-admins"), external.groups.add("db-users"), external.groups)' ``` -Check out the [Login Rules guide](./login-rules/guide.mdx) for a quick walkthrough +Check out the [Login Rules guide](guide.mdx) for a quick walkthrough that will show you how to write, test, and add the first Login Rule to your -cluster. See [example Login Rules](./login-rules/guide.mdx#example-login-rules) to +cluster. See [example Login Rules](guide.mdx) to learn how to address common use cases. When you're ready to take full advantage of Login Rules in your cluster, see the -[Login Rules Reference](../../reference/access-controls/login-rules.mdx) for details on the expression +[Login Rules Reference](../../../reference/access-controls/login-rules.mdx) for details on the expression language that powers them. ## FAQ diff --git a/docs/pages/admin-guides/access-controls/sso.mdx b/docs/pages/admin-guides/access-controls/sso/sso.mdx similarity index 89% rename from docs/pages/admin-guides/access-controls/sso.mdx rename to docs/pages/admin-guides/access-controls/sso/sso.mdx index 68944e85814a1..f0c336b62e517 100644 --- a/docs/pages/admin-guides/access-controls/sso.mdx +++ b/docs/pages/admin-guides/access-controls/sso/sso.mdx 
@@ -7,15 +7,15 @@ Teleport users can log in to servers, Kubernetes clusters, databases, web applications, and Windows desktops through their organization's Single Sign-On (SSO) provider. -- [Azure Active Directory (AD)](./sso/azuread.mdx): Configure Azure Active Directory SSO for SSH, Kubernetes, databases, desktops and web apps. -- [Active Directory (ADFS)](./sso/adfs.mdx): Configure Windows Active Directory SSO for SSH, Kubernetes, databases, desktops and web apps. -- [Google Workspace](./sso/google-workspace.mdx): Configure Google Workspace SSO for SSH, Kubernetes, databases, desktops and web apps. -- [GitHub](./sso/github-sso.mdx): Configure GitHub SSO for SSH, +- [Azure Active Directory (AD)](azuread.mdx): Configure Azure Active Directory SSO for SSH, Kubernetes, databases, desktops and web apps. +- [Active Directory (ADFS)](adfs.mdx): Configure Windows Active Directory SSO for SSH, Kubernetes, databases, desktops and web apps. +- [Google Workspace](google-workspace.mdx): Configure Google Workspace SSO for SSH, Kubernetes, databases, desktops and web apps. +- [GitHub](github-sso.mdx): Configure GitHub SSO for SSH, Kubernetes, databases, desktops, and web apps. -- [GitLab](./sso/gitlab.mdx): Configure GitLab SSO for SSH, Kubernetes, databases, desktops and web apps. -- [OneLogin](./sso/one-login.mdx): Configure OneLogin SSO for SSH, Kubernetes, databases, desktops and web apps. -- [OIDC](./sso/oidc.mdx): Configure OIDC SSO for SSH, Kubernetes, databases, desktops and web apps. -- [Okta](./sso/okta.mdx): Configure Okta SSO for SSH, Kubernetes, databases, desktops and web apps. +- [GitLab](gitlab.mdx): Configure GitLab SSO for SSH, Kubernetes, databases, desktops and web apps. +- [OneLogin](one-login.mdx): Configure OneLogin SSO for SSH, Kubernetes, databases, desktops and web apps. +- [OIDC](oidc.mdx): Configure OIDC SSO for SSH, Kubernetes, databases, desktops and web apps. 
+- [Okta](okta.mdx): Configure Okta SSO for SSH, Kubernetes, databases, desktops and web apps. ## How Teleport uses SSO @@ -392,9 +392,9 @@ flow. These provider-specific changes can be enabled by setting the values to match your identity provider: - `adfs` (SAML): Required for compatibility with Active Directory (ADFS); refer - to the full [ADFS guide](./sso/adfs.mdx#step-23-create-teleport-roles) for details. + to the full [ADFS guide](adfs.mdx) for details. - `netiq` (OIDC): Used to enable NetIQ-specific ACR value processing; refer to - the [OIDC guide](./sso/oidc.mdx#optional-acr-values) for details. + the [OIDC guide](oidc.mdx) for details. - `ping` (SAML and OIDC): Required for compatibility with Ping Identity (including PingOne and PingFederate). - `okta` (OIDC): Required when using Okta as an OIDC provider. @@ -446,7 +446,7 @@ $ tctl get connectors ``` To delete/update connectors, use the usual `tctl rm` and `tctl create` commands -as described in the [Resources Reference](../../reference/resources.mdx). +as described in the [Resources Reference](../../../reference/resources.mdx). If multiple authentication connectors exist, the clients must supply a connector name to `tsh login` via `--auth` argument: @@ -462,10 +462,10 @@ $ tsh --proxy=proxy.example.com login --auth=local --user=admin Refer to the following guides to configure authentication connectors of both SAML and OIDC types: -- [SSH Authentication with Okta](./sso/okta.mdx) -- [SSH Authentication with OneLogin](./sso/one-login.mdx) -- [SSH Authentication with ADFS](./sso/adfs.mdx) -- [SSH Authentication with OAuth2 / OpenID Connect](./sso/oidc.mdx) +- [SSH Authentication with Okta](okta.mdx) +- [SSH Authentication with OneLogin](one-login.mdx) +- [SSH Authentication with ADFS](adfs.mdx) +- [SSH Authentication with OAuth2 / OpenID Connect](oidc.mdx) ## SSO customization 
@@ -474,11 +474,11 @@ of SSO buttons in the Teleport Web UI. | Provider | YAML | Example | | - | - | - | -| GitHub | `display: GitHub` | ![github](../../../img/teleport-sso/github@2x.png) | -| Microsoft | `display: Microsoft` | ![microsoft](../../../img/teleport-sso/microsoft@2x.png) | -| Google | `display: Google` | ![google](../../../img/teleport-sso/google@2x.png) | -| BitBucket | `display: Bitbucket` | ![bitbucket](../../../img/teleport-sso/bitbucket@2x.png) | -| OpenID | `display: Okta` | ![Okta](../../../img/teleport-sso/openId@2x.png) | +| GitHub | `display: GitHub` | ![github](../../../../img/teleport-sso/github@2x.png) | +| Microsoft | `display: Microsoft` | ![microsoft](../../../../img/teleport-sso/microsoft@2x.png) | +| Google | `display: Google` | ![google](../../../../img/teleport-sso/google@2x.png) | +| BitBucket | `display: Bitbucket` | ![bitbucket](../../../../img/teleport-sso/bitbucket@2x.png) | +| OpenID | `display: Okta` | ![Okta](../../../../img/teleport-sso/openId@2x.png) | ## Troubleshooting @@ -506,7 +506,7 @@ If something is not working, we recommend to: If you get "access denied" or other login errors, the number one place to check is the Audit Log. You can access it in the **Activity** tab of the Teleport Web UI. -![Audit Log Entry for SSO Login error](../../../img/sso/teleportauditlogssofailed.png) +![Audit Log Entry for SSO Login error](../../../../img/sso/teleportauditlogssofailed.png) Example of a user being denied because the role `clusteradmin` wasn't set up: @@ -551,5 +551,5 @@ The roles we illustrated in this guide use `external` traits, which Teleport replaces with values from the single sign-on provider that the user used to authenticate with Teleport. For full details on how variable expansion works in Teleport roles, see the [Teleport Access Controls -Reference](../../reference/access-controls/roles.mdx). +Reference](../../../reference/access-controls/roles.mdx). 
diff --git a/docs/pages/admin-guides/api/access-plugin.mdx b/docs/pages/admin-guides/api/access-plugin.mdx index c15e7a9c95c11..329885add716d 100644 --- a/docs/pages/admin-guides/api/access-plugin.mdx +++ b/docs/pages/admin-guides/api/access-plugin.mdx @@ -3,12 +3,12 @@ title: How to Build an Access Request Plugin description: Manage Access Requests using custom workflows with the Teleport API --- -With Teleport [Access Requests](../access-controls/access-requests.mdx), you can +With Teleport [Access Requests](../access-controls/access-requests/access-requests.mdx), you can assign Teleport users to less privileged roles by default and allow them to temporarily escalate their privileges. Reviewers can grant or deny Access Requests within your organization's existing communication workflows (e.g., Slack, email, and PagerDuty) using [Access Request -plugins](../access-controls/access-request-plugins.mdx). +plugins](../access-controls/access-request-plugins/access-request-plugins.mdx). You can use Teleport's API client library to build an Access Request plugin that integrates with your organization's unique workflows. diff --git a/docs/pages/admin-guides/api/api.mdx b/docs/pages/admin-guides/api/api.mdx index 7a4233680e87e..c376b1271bfb0 100644 --- a/docs/pages/admin-guides/api/api.mdx +++ b/docs/pages/admin-guides/api/api.mdx 
@@ -11,13 +11,13 @@ cluster. In this section, we will show you how to use Teleport's API. Teleport has a public [Go client](https://pkg.go.dev/github.com/gravitational/teleport/api/client) to -programatically interact with the API. [tsh and tctl](../../reference/cli.mdx) use +programatically interact with the API. [tsh and tctl](../../reference/cli/cli.mdx) use the same API. Here is what you can do with the Go Client: - Integrate with external tools, e.g., to write an [Access Request - plugin](../access-controls/access-request-plugins.mdx). Teleport + plugin](../access-controls/access-request-plugins/access-request-plugins.mdx). Teleport maintains Access Request plugins for tools like Slack, Jira, and Mattermost. - Perform CRUD actions on resources, such as roles, authentication connectors, and provisioning tokens. diff --git a/docs/pages/admin-guides/api/automatically-register-agents.mdx b/docs/pages/admin-guides/api/automatically-register-agents.mdx index 173b93a8f9e03..edbbbd006d5ec 100644 --- a/docs/pages/admin-guides/api/automatically-register-agents.mdx +++ b/docs/pages/admin-guides/api/automatically-register-agents.mdx @@ -6,12 +6,6 @@ description: Learn how to use the Teleport API to start agents automatically whe You can use Teleport's API to automatically register resources in your infrastructure with your Teleport cluster. -Teleport already supports the automatic discovery of [Kubernetes -clusters](../../enroll-resources/kubernetes-access/discovery.mdx) in AWS, Azure, and Google Cloud, -as well as [servers](../../enroll-resources/server-access/guides/ec2-discovery.mdx) on Amazon EC2. -To support other resources and cloud providers, you can use the API to write -your own workflow. - In this guide, we will demonstrate some libraries you can use to automatically register resources with Teleport. We will use an example you can run locally on your workstation. 
diff --git a/docs/pages/admin-guides/api/getting-started.mdx b/docs/pages/admin-guides/api/getting-started.mdx index 4f9287fc5e14e..cfdbe207dedc5 100644 --- a/docs/pages/admin-guides/api/getting-started.mdx +++ b/docs/pages/admin-guides/api/getting-started.mdx @@ -127,4 +127,4 @@ $ go run main.go - Read about Teleport [API architecture](../../reference/architecture/api-architecture.mdx) for an in-depth overview of the API and API clients. - Read [API authorization](../../reference/architecture/api-architecture.mdx) to learn more about defining custom roles for your API client. - Review the `client` [pkg.go reference documentation](https://pkg.go.dev/github.com/gravitational/teleport/api/client) for more information about working with the Teleport API programmatically. -- Familiarize yourself with the [admin manual](../management/admin.mdx) to make the best use of the API. +- Familiarize yourself with the [admin manual](../management/admin/admin.mdx) to make the best use of the API. diff --git a/docs/pages/admin-guides/api/rbac.mdx b/docs/pages/admin-guides/api/rbac.mdx index 83e1fe363e3c6..c15efe0a06138 100644 --- a/docs/pages/admin-guides/api/rbac.mdx +++ b/docs/pages/admin-guides/api/rbac.mdx @@ -938,7 +938,7 @@ See the links below for guides to fields related to different infrastructure resources: - [Servers](../../enroll-resources/server-access/rbac.mdx) -- [Databases](../../enroll-resources/database-access/rbac.mdx) +- [Databases](../../enroll-resources/database-access/rbac/rbac.mdx) - [Kubernetes clusters](../../enroll-resources/kubernetes-access/manage-access/rbac.mdx) - [Windows Desktops](../../enroll-resources/desktop-access/rbac.mdx) - [Applications](../../enroll-resources/application-access/controls.mdx) diff --git a/docs/pages/admin-guides/deploy-a-cluster/access-graph/self-hosted-helm.mdx b/docs/pages/admin-guides/deploy-a-cluster/access-graph/self-hosted-helm.mdx index cf346f50edfe0..9451bb2489b92 100644 
--- a/docs/pages/admin-guides/deploy-a-cluster/access-graph/self-hosted-helm.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/access-graph/self-hosted-helm.mdx @@ -24,7 +24,7 @@ to Teleport Enterprise customers. - Helm >= (=helm.version=) - A running Teleport Enterprise cluster v14.3.6 or later. - For the purposes of this guide, we assume that the Teleport cluster is set up - [using the `teleport-cluster` Helm chart](../../deploy-a-cluster/helm-deployments.mdx) + [using the `teleport-cluster` Helm chart](../helm-deployments/helm-deployments.mdx) in the same Kubernetes cluster that will be used to deploy Teleport Access Graph. - An updated `license.pem` with Teleport Policy enabled. - A PostgreSQL database server v14 or later. diff --git a/docs/pages/admin-guides/deploy-a-cluster/deployments.mdx b/docs/pages/admin-guides/deploy-a-cluster/deployments.mdx deleted file mode 100644 index 706eb1c405ea9..0000000000000 --- a/docs/pages/admin-guides/deploy-a-cluster/deployments.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Reference Deployment Guides -description: Teleport Installation and Configuration Reference Deployment Guides. -layout: tocless-doc ---- - -These guides show you how to set up a full self-hosted Teleport deployment on -the platform of your choice. - -- [AWS High Availability Deployment with Terraform](./deployments/aws-ha-autoscale-cluster-terraform.mdx): Deploy HA Teleport with - Terraform on AWS. -- [AWS Single-Instance Deployment with Terraform](./deployments/aws-starter-cluster-terraform.mdx): Deploy Teleport on a single instance with - Terraform on AWS. -- [AWS Multi-Region Proxy - Deployment](./deployments/aws-gslb-proxy-peering-ha-deployment.mdx): Deploy HA - Teleport with Proxy Service instances in multiple regions for low-latency - access. -- [GCP](./deployments/gcp.mdx): Deploy HA Teleport on GCP. -- [IBM Cloud](./deployments/ibm.mdx): Deploy HA Teleport on IBM cloud. 
diff --git a/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx b/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx index b74e7e8b3c141..cad211bff1af8 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx @@ -811,7 +811,7 @@ To add new nodes/EC2 servers that you can "SSH into" you'll need to: - [Run Teleport - we recommend using systemd](../../management/admin/daemon.mdx) - [Set the correct settings in /etc/teleport.yaml](../../../reference/config.mdx) - [Add Nodes to the Teleport - cluster](../../../enroll-resources/agents/join-services-to-your-cluster.mdx) + cluster](../../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) ### Getting the SSH Service join token diff --git a/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-starter-cluster-terraform.mdx b/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-starter-cluster-terraform.mdx index 1d23659ac8845..2c2d66d69b2e3 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-starter-cluster-terraform.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-starter-cluster-terraform.mdx @@ -726,7 +726,7 @@ To add new nodes/EC2 servers that you can "SSH into" you'll need to: - [Run Teleport - we recommend using systemd](../../management/admin/daemon.mdx) - [Set the correct settings in /etc/teleport.yaml](../../../reference/config.mdx) - [Add Nodes to the Teleport - cluster](../../../enroll-resources/agents/join-services-to-your-cluster.mdx) + cluster](../../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) ## Troubleshooting 
diff --git a/docs/pages/admin-guides/deploy-a-cluster/deployments/deployments.mdx b/docs/pages/admin-guides/deploy-a-cluster/deployments/deployments.mdx new file mode 100644 index 0000000000000..a30782f9ca3c4 --- /dev/null +++ b/docs/pages/admin-guides/deploy-a-cluster/deployments/deployments.mdx @@ -0,0 +1,19 @@ +--- +title: Reference Deployment Guides +description: Teleport Installation and Configuration Reference Deployment Guides. +layout: tocless-doc +--- + +These guides show you how to set up a full self-hosted Teleport deployment on +the platform of your choice. + +- [AWS High Availability Deployment with Terraform](aws-ha-autoscale-cluster-terraform.mdx): Deploy HA Teleport with + Terraform on AWS. +- [AWS Single-Instance Deployment with Terraform](aws-starter-cluster-terraform.mdx): Deploy Teleport on a single instance with + Terraform on AWS. +- [AWS Multi-Region Proxy + Deployment](aws-gslb-proxy-peering-ha-deployment.mdx): Deploy HA + Teleport with Proxy Service instances in multiple regions for low-latency + access. +- [GCP](gcp.mdx): Deploy HA Teleport on GCP. +- [IBM Cloud](ibm.mdx): Deploy HA Teleport on IBM cloud. diff --git a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments.mdx b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/helm-deployments.mdx similarity index 55% rename from docs/pages/admin-guides/deploy-a-cluster/helm-deployments.mdx rename to docs/pages/admin-guides/deploy-a-cluster/helm-deployments/helm-deployments.mdx index fb62933678eea..e35528834cf72 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/helm-deployments.mdx 
@@ -15,24 +15,24 @@ order to protect a Kubernetes cluster with Teleport, and it is possible to enroll a Kubernetes cluster on Teleport Cloud or by running the Teleport Kubernetes Service on a Linux server. For instructions on enrolling a Kubernetes cluster with Teleport, read the [Kubernetes -Access](../../enroll-resources/kubernetes-access/introduction.mdx) documentation. +Access](../../../enroll-resources/kubernetes-access/introduction.mdx) documentation. ## Helm deployment guides These guides show you how to set up a full self-hosted Teleport deployment using our `teleport-cluster` Helm chart. -- [Deploy Teleport on Kubernetes](./helm-deployments/kubernetes-cluster.mdx): Run a Teleport cluster in a Kubernetes cluster using +- [Deploy Teleport on Kubernetes](kubernetes-cluster.mdx): Run a Teleport cluster in a Kubernetes cluster using the default configuration. This deployment is a great starting point to try a self-hosted Teleport with minimal resources. -- [HA AWS Teleport Cluster](./helm-deployments/aws.mdx): Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster -- [HA Azure Teleport Cluster](./helm-deployments/azure.mdx): Running an HA Teleport cluster in Kubernetes using an Azure AKS Cluster -- [HA GCP Teleport Cluster](./helm-deployments/gcp.mdx): Running an HA Teleport cluster in Kubernetes using a Google Cloud GKE Cluster -- [DigitalOcean Kubernetes Cluster](./helm-deployments/digitalocean.mdx): +- [HA AWS Teleport Cluster](aws.mdx): Running an HA Teleport cluster in Kubernetes using an AWS EKS Cluster +- [HA Azure Teleport Cluster](azure.mdx): Running an HA Teleport cluster in Kubernetes using an Azure AKS Cluster +- [HA GCP Teleport Cluster](gcp.mdx): Running an HA Teleport cluster in Kubernetes using a Google Cloud GKE Cluster +- [DigitalOcean Kubernetes Cluster](digitalocean.mdx): Running Teleport on DigitalOcean Kubernetes. 
-- [Custom Teleport config](./helm-deployments/custom.mdx): Running a Teleport cluster in Kubernetes with a custom Teleport config +- [Custom Teleport config](custom.mdx): Running a Teleport cluster in Kubernetes with a custom Teleport config ## Migration Guides -- [Migrating from v11 to v12](./helm-deployments/migration-v12.mdx) -- [Kubernetes 1.25 and PSP removal](./helm-deployments/migration-kubernetes-1-25-psp.mdx) +- [Migrating from v11 to v12](migration-v12.mdx) +- [Kubernetes 1.25 and PSP removal](migration-kubernetes-1-25-psp.mdx) diff --git a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx index e7af64df52e3b..0152ee196ba3e 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx @@ -369,7 +369,7 @@ cluster. - **Set up Single Sign-On:** In this guide, we showed you how to create a local user, which is appropriate for demo environments. For a production deployment, you should set up Single Sign-On with your provider of choice. See our [Single - Sign-On guides](../../access-controls/sso.mdx) for how to do this. + Sign-On guides](../../access-controls/sso/sso.mdx) for how to do this. - **Configure your Teleport deployment:** To see all of the options you can set in the values file for the `teleport-cluster` Helm chart, consult our [reference guide](../../../reference/helm-reference/teleport-cluster.mdx). diff --git a/docs/pages/admin-guides/deploy-a-cluster/high-availability.mdx b/docs/pages/admin-guides/deploy-a-cluster/high-availability.mdx index 8cb1ef96326d3..88896d5e47d6b 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/high-availability.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/high-availability.mdx 
@@ -296,7 +296,7 @@ pod or virtual machine in your group. If you plan to run Teleport on Kubernetes, the `teleport-cluster` Helm chart deploys the Auth Service and Proxy Service pools for you. To see how to use this -Helm chart, read our [Helm Deployments](helm-deployments.mdx) documentation. +Helm chart, read our [Helm Deployments](helm-deployments/helm-deployments.mdx) documentation. @@ -353,7 +353,7 @@ Create a configuration file and provide it to each of your Proxy Service instances at `/etc/teleport.yaml`. We will explain the required configuration fields for a high-availability Teleport deployment below. These are the minimum requirements, and when planning your high-availability deployment, you will want -to follow a more specific [deployment guide](../../index.mdx) for your +to follow a more specific [deployment guide](deployments/deployments.mdx) for your environment. #### `proxy_service` and `auth_service` @@ -467,7 +467,7 @@ Create a configuration file and provide it to each of your Auth Service instances at `/etc/teleport.yaml`. We will explain the required configuration fields for a high-availability Teleport deployment below. These are the minimum requirements, and when planning your high-availability deployment, you will want -to follow a more specific [deployment guide](../../index.mdx) for your +to follow a more specific [deployment guide](deployments/deployments.mdx) for your environment. #### `storage` @@ -540,8 +540,8 @@ deployment, read about how to design your own deployment on Kubernetes or a cluster of virtual machines in your cloud of choice: - [High-availability Teleport Deployments on Kubernetes with - Helm](helm-deployments.mdx) -- [Reference Deployments](deployments.mdx) for running Teleport on a cluster of + Helm](helm-deployments/helm-deployments.mdx) +- [Reference Deployments](deployments/deployments.mdx) for running Teleport on a cluster of virtual machines ### Ensure high performance 
@@ -550,7 +550,7 @@ You should also get familiar with how to ensure that your Teleport deployment is performing as expected: - [Scaling a Teleport cluster](../management/operations/scaling.mdx) -- [Monitoring a Teleport cluster](../management/diagnostics.mdx) +- [Monitoring a Teleport cluster](../management/diagnostics/diagnostics.mdx) ### Deploy Teleport services diff --git a/docs/pages/admin-guides/infrastructure-as-code.mdx b/docs/pages/admin-guides/infrastructure-as-code/infrastructure-as-code.mdx similarity index 93% rename from docs/pages/admin-guides/infrastructure-as-code.mdx rename to docs/pages/admin-guides/infrastructure-as-code/infrastructure-as-code.mdx index 0bb2e06bda487..4097d107b6ba8 100644 --- a/docs/pages/admin-guides/infrastructure-as-code.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/infrastructure-as-code.mdx @@ -27,7 +27,7 @@ There are two ways to configure a Teleport cluster: This approach makes it possible to incrementally adjust your Teleport configuration without restarting Teleport instances. -![Architecture of dynamic resources](../../img/dynamic-resources.png) +![Architecture of dynamic resources](../../../img/dynamic-resources.png) A cluster is composed of different objects (i.e., resources) and there are three common operations that can be performed on them: `get` , `create` , and `remove` @@ -64,7 +64,7 @@ infrastructure-as-code and GitOps approaches. For more information on Teleport roles, including the `internal.logins` trait we use in these example roles, see the [Teleport Access -Controls Reference](../reference/access-controls/roles.mdx). +Controls Reference](../../reference/access-controls/roles.mdx). ### YAML documents with `tctl` 
@@ -86,7 +86,7 @@ spec: Since `tctl` works from the local filesystem, you can write commands that apply all configuration documents in a directory tree. See the [CLI -reference](../reference/cli/tctl.mdx) for more information on `tctl`. +reference](../../reference/cli/tctl.mdx) for more information on `tctl`. ### Teleport Terraform provider @@ -114,7 +114,7 @@ resource "teleport_role" "developer" { ``` [Get started with the Terraform -provider](infrastructure-as-code/terraform-provider.mdx). +provider](terraform-provider/terraform-provider.mdx). ### Teleport Kubernetes Operator @@ -135,7 +135,7 @@ spec: 'env': 'test' ``` -[Get started with the Kubernetes Operator](infrastructure-as-code/teleport-operator.mdx). +[Get started with the Kubernetes Operator](teleport-operator/teleport-operator.mdx). ## Reconciling the configuration file with dynamic resources 
@@ -245,16 +245,16 @@ configuration resources with the `teleport.dev/origin=config-file` label. ### Configuration references - For a comprehensive reference of Teleport's static configuration options, read - the [Configuration Reference](../reference/config.mdx). + the [Configuration Reference](../../reference/config.mdx). - To see the dynamic configuration resources available to apply, read the - [Configuration Resource Reference](../reference/resources.mdx). There are also + [Configuration Resource Reference](../../reference/resources.mdx). There are also dedicated configuration resource references for - [applications](../reference/agent-services/application-access.mdx) and - [databases](../reference/agent-services/database-access-reference/configuration.mdx). + [applications](../../reference/agent-services/application-access.mdx) and + [databases](../../reference/agent-services/database-access-reference/configuration.mdx). ### Other ways to use the Teleport API The Teleport Kubernetes Operator, Terraform provider, and `tctl` are all clients of the Teleport Auth Service's gRPC API. To build your own API client to extend Teleport for your organization's needs, read our [API -guides](api/api.mdx). +guides](../api/api.mdx). diff --git a/docs/pages/admin-guides/infrastructure-as-code/kubernetes.mdx b/docs/pages/admin-guides/infrastructure-as-code/kubernetes.mdx index 7f743695be3d4..6186730f756d8 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/kubernetes.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/kubernetes.mdx @@ -39,7 +39,7 @@ This guide is applicable if you self-host Teleport in Kubernetes using the -- Follow the [Teleport operator guides](teleport-operator.mdx) +- Follow the [Teleport operator guides](teleport-operator/teleport-operator.mdx) to install the Teleport Operator in your Kubernetes cluster. Make sure to follow the Enterprise instructions. 
@@ -245,7 +245,7 @@ logins: ## Next Steps -- Read the [Teleport Operator Guide](teleport-operator.mdx) to +- Read the [Teleport Operator Guide](teleport-operator/teleport-operator.mdx) to learn more about the Teleport Operator. - Read the [Login Rules reference](../../reference/access-controls/login-rules.mdx) to learn mode about the Login Rule expression syntax. diff --git a/docs/pages/admin-guides/infrastructure-as-code/teleport-operator.mdx b/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator.mdx similarity index 97% rename from docs/pages/admin-guides/infrastructure-as-code/teleport-operator.mdx rename to docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator.mdx index cf4579641f646..aa240845072a0 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/teleport-operator.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/teleport-operator/teleport-operator.mdx @@ -271,9 +271,8 @@ Kubernetes cluster or namespace. Then redeploy the Auth Server pods. When the ## Next steps -Helm Chart parameters are documented in the [`teleport-cluster` Helm chart reference](../../reference/helm-reference/teleport-cluster.mdx). +Helm Chart parameters are documented in the [`teleport-cluster` Helm chart reference](../../../reference/helm-reference/teleport-cluster.mdx). -See the [Helm Deployment guides](../deploy-a-cluster/helm-deployments.mdx) detailing specific setups like running Teleport on AWS or GCP. +Check out [access controls documentation](../../access-controls/access-controls.mdx) -Check out [access controls documentation](../access-controls/access-controls.mdx) 
diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx similarity index 93% rename from docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx rename to docs/pages/admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx index bb9b73d5578f2..da662137e2a98 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx @@ -11,7 +11,7 @@ This guide demonstrates how to: For instructions on managing the Teleport dynamic resources as code using GitOps, read the guide to using the Teleport Terraform provider with [Spacelift -and Machine ID](../../enroll-resources/machine-id/deployment/spacelift.mdx). +and Machine ID](../../../enroll-resources/machine-id/deployment/spacelift.mdx). ## Prerequisites 
@@ -31,13 +31,13 @@ and Machine ID](../../enroll-resources/machine-id/deployment/spacelift.mdx). Terraform needs a signed identity file from the Teleport cluster certificate authority to manage resources in the cluster. You can create a local Teleport user for this purpose or you can use the machine identity agent -[(Machine ID)](../../enroll-resources/machine-id/introduction.mdx) to generate credentials. +[(Machine ID)](../../../enroll-resources/machine-id/introduction.mdx) to generate credentials. If you intend to run Terraform from a CI/CD platform, Machine ID is often a better option for generating credentials. Machine ID can provision ephemeral short-lived certificates that are appropriate for CI/CD workflows instead of using manually-generated credentials that have a longer time-to-live (TTL) period. For more information about -using Machine ID, see the [Machine ID Getting Started Guide](../../enroll-resources/machine-id/getting-started.mdx). +using Machine ID, see the [Machine ID Getting Started Guide](../../../enroll-resources/machine-id/getting-started.mdx). To prepare credentials for a local Teleport user: @@ -186,6 +186,6 @@ following command: ## Next steps -- Explore the full list of supported [Terraform provider resources](../../reference/terraform-provider.mdx). -- Read more about [impersonation](../access-controls/guides/impersonation.mdx). +- Explore the full list of supported [Terraform provider resources](../../../reference/terraform-provider.mdx). +- Read more about [impersonation](../../access-controls/guides/impersonation.mdx). diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform.mdx index ebf167a520c84..aec689bee696f 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/terraform.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/terraform.mdx 
@@ -27,7 +27,7 @@ For simplicity, this guide will configure the Terraform provider to use your current logged-in user's Teleport credentials obtained from `tsh login`. -The [Terraform provider guide](terraform-provider.mdx) +The [Terraform provider guide](terraform-provider/terraform-provider.mdx) includes instructions for configuring a dedicated `terraform` user and role, which is a better option when running Terraform in a non-interactive environment. @@ -152,7 +152,7 @@ logins: ## Next Steps -- Read the [Terraform Guide](terraform-provider.mdx) to +- Read the [Terraform Guide](terraform-provider/terraform-provider.mdx) to learn more about configuring the Terraform provider. - Read the [Login Rules reference](../../reference/access-controls/login-rules.mdx) to learn mode about the Login Rule expression syntax. diff --git a/docs/pages/admin-guides/management/admin.mdx b/docs/pages/admin-guides/management/admin.mdx deleted file mode 100644 index 817618350db8d..0000000000000 --- a/docs/pages/admin-guides/management/admin.mdx +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -title: Cluster Administration Guides -description: Teleport Cluster Administration Guides. -layout: tocless-doc ---- - -The guides in this section show you the fundamentals of setting up and running a -Teleport cluster. You will learn how to run the `teleport` daemon, manage users -and resources, and troubleshoot any issues that arise. - -If you already understand how to set up a Teleport cluster, consult the -[Operations](./operations.mdx) section so you can start conducting periodic -cluster maintenance tasks. - -## Run Teleport - -- [Teleport Daemon](./admin/daemon.mdx): Set up Teleport as a daemon on Linux with systemd. -- [Run Teleport with Self-Signed Certificates](./admin/self-signed-certs.mdx): Set up Teleport in a local -environment without configuring TLS certificates. - -## Manage users and resources - -- [Trusted Clusters](./admin/trustedclusters.mdx): Connect multiple Teleport clusters using trusted clusters. -- [Labels](./admin/labels.mdx): Manage resource metadata with labels. -- [Local Users](./admin/users.mdx): Manage local user accounts. - -## Troubleshoot issues - -- [Troubleshooting](./admin/troubleshooting.mdx): Collect metrics and diagnostic information from Teleport. -- [Uninstall Teleport](./admin/uninstall-teleport.mdx): Uninstall Teleport from your system. diff --git a/docs/pages/admin-guides/management/admin/admin.mdx b/docs/pages/admin-guides/management/admin/admin.mdx new file mode 100644 index 0000000000000..4e11195231369 --- /dev/null +++ b/docs/pages/admin-guides/management/admin/admin.mdx 
@@ -0,0 +1,30 @@ +--- +title: Cluster Administration Guides +description: Teleport Cluster Administration Guides. +layout: tocless-doc +--- + +The guides in this section show you the fundamentals of setting up and running a +Teleport cluster. You will learn how to run the `teleport` daemon, manage users +and resources, and troubleshoot any issues that arise. + +If you already understand how to set up a Teleport cluster, consult the +[Operations](../operations/operations.mdx) section so you can start conducting periodic +cluster maintenance tasks. + +## Run Teleport + +- [Teleport Daemon](daemon.mdx): Set up Teleport as a daemon on Linux with systemd. +- [Run Teleport with Self-Signed Certificates](self-signed-certs.mdx): Set up Teleport in a local +environment without configuring TLS certificates. + +## Manage users and resources + +- [Trusted Clusters](trustedclusters.mdx): Connect multiple Teleport clusters using trusted clusters. +- [Labels](labels.mdx): Manage resource metadata with labels. +- [Local Users](users.mdx): Manage local user accounts. + +## Troubleshoot issues + +- [Troubleshooting](troubleshooting.mdx): Collect metrics and diagnostic information from Teleport. +- [Uninstall Teleport](uninstall-teleport.mdx): Uninstall Teleport from your system. diff --git a/docs/pages/admin-guides/management/admin/trustedclusters.mdx b/docs/pages/admin-guides/management/admin/trustedclusters.mdx index b992196341440..50dde7b22b1a1 100644 --- a/docs/pages/admin-guides/management/admin/trustedclusters.mdx +++ b/docs/pages/admin-guides/management/admin/trustedclusters.mdx 
@@ -110,7 +110,7 @@ configured with a single sign-on identity provider that authenticates her identi Based on the information from the identity provider, the root cluster assigns Alice the `full-access` role and issues her a certificate. The mapping of single sign-on properties to Teleport roles is configured when you add an authentication connector to the Teleport cluster. To learn more about configuring single sign-on -through an external identity provider, see [Configure Single Sign-on](../../access-controls/sso.mdx). +through an external identity provider, see [Configure Single Sign-on](../../access-controls/sso/sso.mdx). Alice receives the certificate that specifies the roles assigned to her in the root cluster. This metadata about her roles is contained in the certificate extensions and is protected by the signature of the root @@ -167,7 +167,7 @@ To complete the steps in this guide, verify your environment meets the following - A Teleport SSH server that is joined to the cluster you plan to use as the **leaf cluster**. For information about how to enroll a resource in your cluster, see - [Join Services to your Cluster](../../../enroll-resources/agents/join-services-to-your-cluster.mdx). + [Join Services to your Cluster](../../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx). (!docs/pages/includes/permission-warning.mdx!) diff --git a/docs/pages/admin-guides/management/admin/users.mdx b/docs/pages/admin-guides/management/admin/users.mdx index 9182c65719387..d6c3b06f1ff7e 100644 --- a/docs/pages/admin-guides/management/admin/users.mdx +++ b/docs/pages/admin-guides/management/admin/users.mdx @@ -123,7 +123,7 @@ For all available `tctl` commands and flags, see our [CLI Reference](../../../re You can also configure Teleport so that users can log in using an SSO provider. For more information, see: -- [Single Sign-On](../../access-controls/sso.mdx) +- [Single Sign-On](../../access-controls/sso/sso.mdx) 
diff --git a/docs/pages/admin-guides/management/diagnostics.mdx b/docs/pages/admin-guides/management/diagnostics.mdx deleted file mode 100644 index dbfe87be11f73..0000000000000 --- a/docs/pages/admin-guides/management/diagnostics.mdx +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: Monitoring your Cluster -description: Monitoring your Teleport deployment -layout: tocless-doc ---- - -- [Health Monitoring](./diagnostics/monitoring.mdx): How to monitor the health of a Teleport instance. -- [Metrics](./diagnostics/metrics.mdx): How to enable exporting Prometheus metrics. -- [Collecting Profiles](./diagnostics/profiles.mdx): How to collect runtime profiling data from a Teleport instance. -- [Distributed Tracing](./diagnostics/tracing.mdx): How to enable distributed tracing for a Teleport instance. - diff --git a/docs/pages/admin-guides/management/diagnostics/diagnostics.mdx b/docs/pages/admin-guides/management/diagnostics/diagnostics.mdx new file mode 100644 index 0000000000000..8513e6f0b1357 --- /dev/null +++ b/docs/pages/admin-guides/management/diagnostics/diagnostics.mdx @@ -0,0 +1,11 @@ +--- +title: Monitoring your Cluster +description: Monitoring your Teleport deployment +layout: tocless-doc +--- + +- [Health Monitoring](monitoring.mdx): How to monitor the health of a Teleport instance. +- [Metrics](metrics.mdx): How to enable exporting Prometheus metrics. +- [Collecting Profiles](profiles.mdx): How to collect runtime profiling data from a Teleport instance. +- [Distributed Tracing](tracing.mdx): How to enable distributed tracing for a Teleport instance. + diff --git a/docs/pages/admin-guides/management/diagnostics/metrics.mdx b/docs/pages/admin-guides/management/diagnostics/metrics.mdx index 3888390bcd795..f150e4d1fc3f7 100644 --- a/docs/pages/admin-guides/management/diagnostics/metrics.mdx +++ b/docs/pages/admin-guides/management/diagnostics/metrics.mdx 
@@ -199,6 +199,6 @@ guarantees](../../../upgrading/overview.mdx). We strongly encourage self-hosted Teleport users to enroll their Agents in automatic updates. You can track the count of Teleport Agents that are not enrolled in automatic updates using the metric, `teleport_enrolled_in_upgrades`. -[Read the documentation](../../../upgrading.mdx) for how to enroll Agents in +[Read the documentation](../../../upgrading/upgrading.mdx) for how to enroll Agents in automatic updates. diff --git a/docs/pages/admin-guides/management/export-audit-events.mdx b/docs/pages/admin-guides/management/export-audit-events/export-audit-events.mdx similarity index 81% rename from docs/pages/admin-guides/management/export-audit-events.mdx rename to docs/pages/admin-guides/management/export-audit-events/export-audit-events.mdx index c287f63bb8c91..8a48fa02922bf 100644 --- a/docs/pages/admin-guides/management/export-audit-events.mdx +++ b/docs/pages/admin-guides/management/export-audit-events/export-audit-events.mdx @@ -10,7 +10,7 @@ You can use Teleport's Event Handler plugin to export audit events from Teleport so you can store them in a log management platform or custom backend. If you are new to exporting audit events with Teleport, read [Forwarding Events -with Fluentd](./export-audit-events/fluentd.mdx) to learn the basics of how our +with Fluentd](fluentd.mdx) to learn the basics of how our Event Handler plugin works. While this guide focuses on Fluentd, the Event Handler plugin can export audit events to any endpoint that ingests JSON messages via HTTP. 
@@ -19,9 +19,10 @@ Next, read our guides to setting up the Event Handler plugin to export audit events to your solution of choice: - [Monitor Teleport Audit Events with the Elastic - Stack](./export-audit-events/elastic-stack.mdx): How to configure the Event + Stack](elastic-stack.mdx): How to configure the Event Handler plugin to forward Teleport audit logs to Logstash for ingestion in Elasticsearch so you can explore them in Kibana. -- [Monitor Teleport Audit Events with Splunk](./export-audit-events/splunk.mdx): +- [Monitor Teleport Audit Events with Splunk](splunk.mdx): How to configure the Event Handler plugin to send logs to Splunk's Universal Forwarder so you can explore your audit events in Splunk. + diff --git a/docs/pages/admin-guides/management/external-audit-storage.mdx b/docs/pages/admin-guides/management/external-audit-storage.mdx index 9fc3d4f3f16a0..6f5d9c97d583e 100644 --- a/docs/pages/admin-guides/management/external-audit-storage.mdx +++ b/docs/pages/admin-guides/management/external-audit-storage.mdx @@ -154,7 +154,7 @@ recordings will be stored in your S3 bucket, and they will *not* be stored in the Teleport Cloud infrastructure. If you currently use the -[Event Handler](export-audit-events.mdx) plugin to export +[Event Handler](export-audit-events/export-audit-events.mdx) plugin to export events, it will follow the switch from the old to new backends and new events will continue to be exported. Only events emitted after the transition to External Audit Storage will be visible in the Teleport UI or accessible to diff --git a/docs/pages/admin-guides/management/guides/ec2-tags.mdx b/docs/pages/admin-guides/management/guides/ec2-tags.mdx index e89eddfdcb0e2..6c4c64cb381df 100644 --- a/docs/pages/admin-guides/management/guides/ec2-tags.mdx +++ b/docs/pages/admin-guides/management/guides/ec2-tags.mdx 
@@ -28,7 +28,7 @@ fakehost.example.com 127.0.0.1:3022 env=example,hostname=ip-172-31-53-70,aws/Nam (!docs/pages/includes/edition-prereqs-tabs.mdx!) - One Teleport agent running on an Amazon EC2 instance. See - [our guides](../../../enroll-resources/agents/join-services-to-your-cluster.mdx) for how to set up Teleport agents. + [our guides](../../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) for how to set up Teleport agents. ## Enable tags in instance metadata diff --git a/docs/pages/admin-guides/management/guides.mdx b/docs/pages/admin-guides/management/guides/guides.mdx similarity index 68% rename from docs/pages/admin-guides/management/guides.mdx rename to docs/pages/admin-guides/management/guides/guides.mdx index 66dc8665edf60..5724a24fd2930 100644 --- a/docs/pages/admin-guides/management/guides.mdx +++ b/docs/pages/admin-guides/management/guides/guides.mdx @@ -8,8 +8,9 @@ You can integrate Teleport with third-party tools in order to complete various tasks in your cluster. These guides describe Teleport integrations that are not documented elsewhere: - - [EC2 tags as Teleport Node labels](./guides/ec2-tags.mdx). How to set up - Teleport Node labels based on EC2 tags. + - [EC2 tags as Teleport agent labels](ec2-tags.mdx). How to set up + Teleport agent labels based on EC2 tags. - [Using Teleport's Certificate Authority with - GitHub](./guides/ssh-key-extensions.mdx). Use Teleport's short-lived + GitHub](ssh-key-extensions.mdx). Use Teleport's short-lived certificates with GitHub's Certificate Authority. + diff --git a/docs/pages/admin-guides/management/operations.mdx b/docs/pages/admin-guides/management/operations.mdx deleted file mode 100644 index 602159573383b..0000000000000 --- a/docs/pages/admin-guides/management/operations.mdx +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Operations -description: Teleport Operations - Scaling and High-Availability. -layout: tocless-doc ---- - -The guides in this section show you how to carry out common administration tasks -on an already running Teleport cluster. - -For guides on the fundamentals of setting up your cluster, you should consult -the [Cluster Administration Guides](./admin.mdx) section. - -- [Scaling](./operations/scaling.mdx): How to configure Teleport for large-scale deployments. -- [Backup and Restore](./operations/backup-restore.mdx): Backing up and restoring the cluster. -- [CA Rotation](./operations/ca-rotation.mdx): Rotating Teleport certificate authorities. -- [Database CA Rotation](./operations/db-ca-rotation.mdx): Rotating Teleport's `db` or `db_client` certificate authorities. -- [TLS Routing Migration](./operations/tls-routing.mdx): Migrating your Teleport cluster to single-port TLS routing mode. -- [Proxy Peering Migration](./operations/proxy-peering.mdx): Migrating your Teleport cluster to Proxy Peering mode. -- [Database CA Migrations](./operations/db-ca-migrations.mdx): Completing Teleport's Database CA migrations. diff --git a/docs/pages/admin-guides/management/operations/db-ca-rotation.mdx b/docs/pages/admin-guides/management/operations/db-ca-rotation.mdx index 630167aff1697..2a2a24e5260ed 100644 --- a/docs/pages/admin-guides/management/operations/db-ca-rotation.mdx +++ b/docs/pages/admin-guides/management/operations/db-ca-rotation.mdx @@ -128,7 +128,7 @@ You do not need to reconfigure databases at this point if you are rotating only the `db` CA, although there is no harm in doing so. Consult the appropriate -[Teleport Database Access Guide](../../../enroll-resources/database-access/guides.mdx) for your +[Teleport Database Access Guide](../../../enroll-resources/database-access/guides/guides.mdx) for your databases before proceeding to the `update_clients` rotation phase. 
@@ -172,7 +172,7 @@ lose access** to those databases after transitioning to the `standby` phase in this final step. To avoid down time, consult the appropriate -[Teleport Database Access Guide](../../../enroll-resources/database-access/guides.mdx) and reconfigure +[Teleport Database Access Guide](../../../enroll-resources/database-access/guides/guides.mdx) and reconfigure your databases before proceeding. Otherwise, access may still be restored by reconfiguring your self-hosted databases after this step. diff --git a/docs/pages/admin-guides/management/operations/operations.mdx b/docs/pages/admin-guides/management/operations/operations.mdx new file mode 100644 index 0000000000000..6225dcaa3bbac --- /dev/null +++ b/docs/pages/admin-guides/management/operations/operations.mdx @@ -0,0 +1,16 @@ +--- +title: Operations +description: Teleport Operations - Scaling and High-Availability. +layout: tocless-doc +--- + +The guides in this section show you how to carry out common administration tasks +on an already running Teleport cluster. + +- [Scaling](scaling.mdx): How to configure Teleport for large-scale deployments. +- [Backup and Restore](backup-restore.mdx): Backing up and restoring the cluster. +- [CA Rotation](ca-rotation.mdx): Rotating Teleport certificate authorities. +- [Database CA Rotation](db-ca-rotation.mdx): Rotating Teleport's `db` or `db_client` certificate authorities. +- [TLS Routing Migration](tls-routing.mdx): Migrating your Teleport cluster to single-port TLS routing mode. +- [Proxy Peering Migration](proxy-peering.mdx): Migrating your Teleport cluster to Proxy Peering mode. +- [Database CA Migrations](db-ca-migrations.mdx): Completing Teleport's Database CA migrations. diff --git a/docs/pages/admin-guides/management/operations/tls-routing.mdx b/docs/pages/admin-guides/management/operations/tls-routing.mdx index 657848187d9e0..d53f75ee4f97c 100644 --- a/docs/pages/admin-guides/management/operations/tls-routing.mdx 
+++ b/docs/pages/admin-guides/management/operations/tls-routing.mdx @@ -42,7 +42,7 @@ $ curl https://mytenant.teleport.sh/webapi/ping | jq '.proxy' Download Teleport from the [downloads page](https://goteleport.com/download) or your enterprise portal and follow the standard [upgrade -procedure](../../../upgrading.mdx). Make sure to upgrade both root and leaf clusters +procedure](../../../upgrading/upgrading.mdx). Make sure to upgrade both root and leaf clusters as well as `tsh` client. ## Step 2/7. Enable proxy multiplexing diff --git a/docs/pages/admin-guides/management/security/reduce-blast-radius.mdx b/docs/pages/admin-guides/management/security/reduce-blast-radius.mdx index 7397a25ec2bc9..dc20d1bf7643e 100644 --- a/docs/pages/admin-guides/management/security/reduce-blast-radius.mdx +++ b/docs/pages/admin-guides/management/security/reduce-blast-radius.mdx @@ -284,7 +284,7 @@ Two `user`s can grant elevated privileges to another `user` temporarily without - [Per-session MFA](../../access-controls/guides/per-session-mfa.mdx) - [Dual authorization](../../access-controls/guides/dual-authz.mdx) - [Role templates, allow/deny rules, and traits](../../access-controls/guides/role-templates.mdx) -- [Access Requests](../../access-controls/access-requests.mdx) +- [Access Requests](../../access-controls/access-requests/access-requests.mdx) ### Background reading - [Authentication connectors](../../../reference/access-controls/authentication.mdx) diff --git a/docs/pages/admin-guides/management/security.mdx b/docs/pages/admin-guides/management/security/security.mdx similarity index 76% rename from docs/pages/admin-guides/management/security.mdx rename to docs/pages/admin-guides/management/security/security.mdx index 02f0cbf168111..ab9c62e9cc316 100644 --- a/docs/pages/admin-guides/management/security.mdx +++ b/docs/pages/admin-guides/management/security/security.mdx 
@@ -15,10 +15,10 @@ You should note that the security practices covered in this section aren't neces examples used in the documentation. Examples in the documentation are primarily intended for demonstration purposes and for development environments. -- [Restrict Access for Privileged Accounts](./security/restrict-privileges.mdx). Learn about potential - risks of allowing privileged access and how to mitigate them. -- [Reducing the Blast Radius of Attacks](./security/reduce-blast-radius.mdx). +- [Restrict Access for Privileged Accounts](restrict-privileges.mdx). Learn about potential + risks of allowing privileged access and how to mitigate them. +- [Reducing the Blast Radius of Attacks](reduce-blast-radius.mdx). Prevent attackers from accessing your infrastructure even if they manage to obtain passwords or certificates. -- [Revoking Access](./security/revoking-access.mdx). Revoke access in the event +- [Revoking Access](revoking-access.mdx). Revoke access in the event of a compromise. diff --git a/docs/pages/ai-assist.mdx b/docs/pages/ai-assist.mdx index 94bf345c043a1..b7eb60bc754ed 100644 --- a/docs/pages/ai-assist.mdx +++ b/docs/pages/ai-assist.mdx @@ -139,4 +139,4 @@ our documentation. - [Server Access](enroll-resources/server-access/introduction.mdx) - [Access controls](admin-guides/access-controls/getting-started.mdx) - [Resource filtering](reference/predicate-language.mdx) -- [Access Request plugins](admin-guides/access-controls/access-request-plugins.mdx) +- [Access Request plugins](admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx) diff --git a/docs/pages/connect-your-client/gui-clients.mdx b/docs/pages/connect-your-client/gui-clients.mdx index f82a2cd7bc38e..519f9b7acb346 100644 --- a/docs/pages/connect-your-client/gui-clients.mdx +++ b/docs/pages/connect-your-client/gui-clients.mdx 
@@ -14,7 +14,7 @@ work with Teleport. - (!docs/pages/includes/tctl.mdx!) - The Teleport Database Service configured to access a database. See one of our - [guides](../enroll-resources/database-access/guides.mdx) for how to set up the Teleport + [guides](../enroll-resources/database-access/guides/guides.mdx) for how to set up the Teleport Database Service for your database. ### Get connection information diff --git a/docs/pages/connect-your-client/tsh.mdx b/docs/pages/connect-your-client/tsh.mdx index 751985a9025d7..5fbb5c1432eab 100644 --- a/docs/pages/connect-your-client/tsh.mdx +++ b/docs/pages/connect-your-client/tsh.mdx @@ -1136,4 +1136,4 @@ To remove `tsh` and associated user data see [Uninstalling Teleport](../admin-guides/management/admin/uninstall-teleport.mdx). ## Further reading -- [CLI Reference](../reference/cli.mdx). +- [CLI Reference](../reference/cli/cli.mdx). diff --git a/docs/pages/contributing/documentation.mdx b/docs/pages/contributing/documentation/documentation.mdx similarity index 76% rename from docs/pages/contributing/documentation.mdx rename to docs/pages/contributing/documentation/documentation.mdx index e0e994f402dea..5b9ef11a3e155 100644 --- a/docs/pages/contributing/documentation.mdx +++ b/docs/pages/contributing/documentation/documentation.mdx 
@@ -24,14 +24,14 @@ the kind of documentation we want to transform our current documentation into. -- [How to Contribute to the Teleport Documentation](./documentation/how-to-contribute.mdx) describes +- [How to Contribute to the Teleport Documentation](how-to-contribute.mdx) describes how to set up a local environment and contribute changes to the Teleport documentation. -- [How to Review Documentation Changes](./documentation/reviewing-docs.mdx) explains how to +- [How to Review Documentation Changes](reviewing-docs.mdx) explains how to set up a development server to preview documentation changes so you can review pull requests. -- [Documentation UI Components](./documentation/reference.mdx) provides reference +- [Documentation UI Components](reference.mdx) provides reference information for how to include user interface components in Teleport documentation. -- [Style Guide](./documentation/style-guide.mdx) describes the documentation principles and +- [Style Guide](style-guide.mdx) describes the documentation principles and conventions to follow to ensure contributions are consistent and effective. -- [Creating Documentation Issues](./documentation/issues.mdx) offers guidelines for +- [Creating Documentation Issues](issues.mdx) offers guidelines for creating issues on GitHub to request changes to Teleport documentation. diff --git a/docs/pages/core-concepts.mdx b/docs/pages/core-concepts.mdx index 1661824926cfb..1803c40dcdcae 100644 --- a/docs/pages/core-concepts.mdx +++ b/docs/pages/core-concepts.mdx @@ -195,7 +195,7 @@ subject of the certificate—including its username and Teleport roles—to authorize the user. Read more about [local users](reference/access-controls/authentication.mdx) and how [SSO -authentication works in Teleport](admin-guides/access-controls/sso.mdx). +authentication works in Teleport](admin-guides/access-controls/sso/sso.mdx). ### Authentication connector 
diff --git a/docs/pages/enroll-resources/agents/deploy-agents-terraform.mdx b/docs/pages/enroll-resources/agents/deploy-agents-terraform.mdx index f696eb9aee750..25c723b9776d2 100644 --- a/docs/pages/enroll-resources/agents/deploy-agents-terraform.mdx +++ b/docs/pages/enroll-resources/agents/deploy-agents-terraform.mdx @@ -13,9 +13,10 @@ machines by declaring it as code using Terraform. There are several methods you can use to join a Teleport agent to your cluster, which we discuss in the [Joining Services to your -Cluster](join-services-to-your-cluster.mdx) guide. In this guide, we will use -the **join token** method, where the operator stores a secure token on the Auth -Service, and an agent presents the token in order to join a cluster. +Cluster](join-services-to-your-cluster/join-services-to-your-cluster.mdx) guide. +In this guide, we will use the **join token** method, where the operator stores +a secure token on the Auth Service, and an agent presents the token in order to +join a cluster. No matter which join method you use, it will involve the following Terraform resources: @@ -56,7 +57,7 @@ a demo cluster using: - An identity file for the Teleport Terraform provider. Make sure you are familiar with [how to set up the Teleport Terraform - provider](../../admin-guides/infrastructure-as-code/terraform-provider.mdx) before + provider](../../admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx) before following this guide. - (!docs/pages/includes/tctl.mdx!) diff --git a/docs/pages/enroll-resources/agents/introduction.mdx b/docs/pages/enroll-resources/agents/introduction.mdx index 344dc8b656cbc..3d8f8bfb42769 100644 --- a/docs/pages/enroll-resources/agents/introduction.mdx +++ b/docs/pages/enroll-resources/agents/introduction.mdx 
@@ -46,7 +46,7 @@ Teleport agents need to establish trust with the Teleport Auth Service in order to join a cluster. There are several ways to join an agent to your Teleport cluster, making it possible to automate the join process for your environment. Read about the available join methods in our [Join Services to your -Cluster](./join-services-to-your-cluster.mdx) guides. +Cluster](join-services-to-your-cluster/join-services-to-your-cluster.mdx) guides. When a Teleport process first runs, it checks its configuration file to determine which services are enabled. Each service then connects separately to @@ -88,7 +88,7 @@ There are two ways to enroll infrastructure resources with Teleport agents: - **Static**: Edit an agent's configuration file to configure a specific infrastructure resource to proxy. - **Dynamic**: Apply a [configuration - resource](../../admin-guides/infrastructure-as-code.mdx) that configures a resource to + resource](../../admin-guides/infrastructure-as-code/infrastructure-as-code.mdx) that configures a resource to proxy. The dynamic method allows Teleport to discover resources automatically. The diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster.mdx deleted file mode 100644 index caa23b19d00d1..0000000000000 --- a/docs/pages/enroll-resources/agents/join-services-to-your-cluster.mdx +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -title: Join Services to your Teleport Cluster -description: How to register the Proxy Service, Database Service, and other Teleport services with your cluster. ---- - -A **Teleport service** manages access to resources in your infrastructure, such -as Kubernetes clusters, Windows desktops, internal web applications, and -databases. A single **Teleport process** can run multiple Teleport services. - -There are multiple methods you can use to join a Teleport process to your -cluster in order to run Teleport services, including an instance of the Proxy -Service. Choose the method that best suits your infrastructure: - -|Method|Description|When to use| -|------|-----------|-----------| -|[EC2 Identity Document](./join-services-to-your-cluster/aws-ec2.mdx)|A Teleport process running on an EC2 instance authenticates to your cluster via a signed EC2 instance identity document.|Your Teleport process will run on EC2 and your Teleport cluster is self hosted.| -|[AWS IAM](./join-services-to-your-cluster/aws-iam.mdx)|A Teleport process uses AWS credentials to join the cluster, whether running on EC2 or not.|At least some of your infrastructure runs on AWS.| -|[Azure Managed Identity](./join-services-to-your-cluster/azure.mdx)|A Teleport process demonstrates that it runs in your Azure subscription by sending a signed attested data document and access token to the Teleport Auth Service.|Your Teleport process will run on Azure.| -|[Kubernetes ServiceAccount](./join-services-to-your-cluster/kubernetes.mdx)|A Teleport process uses a Kubernetes-signed proof to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on Kubernetes.| -|[GCP IAM](./join-services-to-your-cluster/gcp.mdx)|A Teleport process uses a GCP-signed token to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on a GCP VM.| -|[Join Token](./join-services-to-your-cluster/join-token.mdx)|A Teleport process presents a join 
token provided when starting the service.|There is no other supported method for your cloud provider.| - diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/azure.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/azure.mdx index 499c9d0938535..551395ee186bb 100644 --- a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/azure.mdx +++ b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/azure.mdx @@ -12,7 +12,7 @@ Azure Virtual Machine. Support for joining a cluster with the Proxy Service behind a layer 7 load balancer or reverse proxy is available in Teleport 13.0+. For other methods of joining a Teleport process to a cluster, see [Joining -Teleport Services to a Cluster](../join-services-to-your-cluster.mdx). +Teleport Services to a Cluster](join-services-to-your-cluster.mdx). ## Prerequisites diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx new file mode 100644 index 0000000000000..c2443619e1517 --- /dev/null +++ b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx 
@@ -0,0 +1,22 @@ +--- +title: Join Services to your Teleport Cluster +description: How to register the Proxy Service, Database Service, and other Teleport services with your cluster. +--- + +A **Teleport service** manages access to resources in your infrastructure, such +as Kubernetes clusters, Windows desktops, internal web applications, and +databases. A single **Teleport process** can run multiple Teleport services. + +There are multiple methods you can use to join a Teleport process to your +cluster in order to run Teleport services, including an instance of the Proxy +Service. Choose the method that best suits your infrastructure: + +|Method|Description|When to use| +|------|-----------|-----------| +|[EC2 Identity Document](aws-ec2.mdx)|A Teleport process running on an EC2 instance authenticates to your cluster via a signed EC2 instance identity document.|Your Teleport process will run on EC2 and your Teleport cluster is self hosted.| +|[AWS IAM](aws-iam.mdx)|A Teleport process uses AWS credentials to join the cluster, whether running on EC2 or not.|At least some of your infrastructure runs on AWS.| +|[Azure Managed Identity](azure.mdx)|A Teleport process demonstrates that it runs in your Azure subscription by sending a signed attested data document and access token to the Teleport Auth Service.|Your Teleport process will run on Azure.| +|[Kubernetes ServiceAccount](kubernetes.mdx)|A Teleport process uses a Kubernetes-signed proof to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on Kubernetes.| +|[GCP IAM](gcp.mdx)|A Teleport process uses a GCP-signed token to establish a trust relationship with your Teleport cluster.|Your Teleport process will run on a GCP VM.| +|[Join Token](join-token.mdx)|A Teleport process presents a join token provided when starting the service.|There is no other supported method for your cloud provider.| + 
diff --git a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/kubernetes.mdx b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/kubernetes.mdx index 4372887169ab6..38d70223dbd13 100644 --- a/docs/pages/enroll-resources/agents/join-services-to-your-cluster/kubernetes.mdx +++ b/docs/pages/enroll-resources/agents/join-services-to-your-cluster/kubernetes.mdx @@ -27,7 +27,7 @@ as the Auth Service. ## Prerequisites - A running Teleport cluster in Kubernetes. For details on how to set this up, - see [Guides for running Teleport using Helm](../../../admin-guides/deploy-a-cluster/helm-deployments.mdx). + see [Guides for running Teleport using Helm](../../../admin-guides/deploy-a-cluster/helm-deployments/helm-deployments.mdx). - Editor access to the Kubernetes cluster running the Teleport cluster. You must be able to create Namespaces and Deployments. - A Teleport user with `access` role, or any other role that allows access to @@ -240,5 +240,5 @@ namespace "teleport-agent" deleted - The possible values for `teleport-kube-agent` chart are documented [in its reference](../../../reference/helm-reference/teleport-kube-agent.mdx). -- See [Application Access Guides](../../application-access/guides.mdx) -- See [Database Access Guides](../../database-access/guides.mdx) +- See [Application Access Guides](../../application-access/guides/guides.mdx) +- See [Database Access Guides](../../database-access/guides/guides.mdx) diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx index b6b3fd16627a3..71ad6cccb8a4c 100644 --- a/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx +++ b/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx 
@@ -809,7 +809,7 @@ applications](../guides/dynamic-registration.mdx). This guide shows you how to use the **join token method** to enroll the Teleport Application Service in your cluster. This is one of several available methods, and we recommend reading the [Join Services to your Teleport -Cluster](../../agents/join-services-to-your-cluster.mdx) guide to configure the +Cluster](../../agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) guide to configure the most appropriate method for your environment. ## Further reading diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/azure.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/azure.mdx index e91ad6c96405e..bb4facb76aef8 100644 --- a/docs/pages/enroll-resources/application-access/cloud-apis/azure.mdx +++ b/docs/pages/enroll-resources/application-access/cloud-apis/azure.mdx @@ -538,7 +538,7 @@ background and uses it to execute the command. longstanding admin roles for attackers to hijack. View our documentation on [Role Access Requests](../../../admin-guides/access-controls/access-requests/role-requests.mdx) and - [Access Request plugins](../../../admin-guides/access-controls/access-request-plugins.mdx). + [Access Request plugins](../../../admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx). - Consult the Azure documentation for information about [Azure managed identities](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) and how to [manage user-assigned managed diff --git a/docs/pages/enroll-resources/application-access/cloud-apis.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/cloud-apis.mdx similarity index 80% rename from docs/pages/enroll-resources/application-access/cloud-apis.mdx rename to docs/pages/enroll-resources/application-access/cloud-apis/cloud-apis.mdx index 4a5505b5ef6bc..0a9cc948028cb 100644 
--- a/docs/pages/enroll-resources/application-access/cloud-apis.mdx +++ b/docs/pages/enroll-resources/application-access/cloud-apis/cloud-apis.mdx @@ -15,8 +15,6 @@ longstanding admin accounts to target. Learn how to protect your cloud provider APIs with Teleport: -- [AWS (console and CLI applications)](./cloud-apis/aws-console.mdx) -- [Azure CLI applications](./cloud-apis/azure.mdx) -- [Google Cloud CLI applications](./cloud-apis/google-cloud.mdx) - - +- [AWS (console and CLI applications)](aws-console.mdx) +- [Azure CLI applications](azure.mdx) +- [Google Cloud CLI applications](google-cloud.mdx) diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx index 4cb993b5c7e29..a48c6d1a8ac04 100644 --- a/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx +++ b/docs/pages/enroll-resources/application-access/cloud-apis/google-cloud.mdx @@ -631,7 +631,7 @@ command. temporarily, with no longstanding admin roles for attackers to hijack. View our documentation on [Role Access Requests](../../../admin-guides/access-controls/access-requests/role-requests.mdx) and [Access - Request plugins](../../../admin-guides/access-controls/access-request-plugins.mdx). + Request plugins](../../../admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx). - You can proxy any `gcloud` or `gsutil` command via Teleport. For a full reference of commands, view the Google Cloud documentation for [`gcloud`](https://cloud.google.com/sdk/gcloud/reference) and diff --git a/docs/pages/enroll-resources/application-access/controls.mdx b/docs/pages/enroll-resources/application-access/controls.mdx index ee3fa03b7f0f6..8ed46d000aa2b 100644 --- a/docs/pages/enroll-resources/application-access/controls.mdx +++ b/docs/pages/enroll-resources/application-access/controls.mdx 
@@ -133,12 +133,12 @@ for more information on enabling access to Azure managed identities. ## Next steps - View access controls [Getting Started](../../admin-guides/access-controls/getting-started.mdx) - and other available [guides](../../admin-guides/access-controls/guides.mdx). + and other available [guides](../../admin-guides/access-controls/guides/guides.mdx). - For full details on how Teleport populates the `internal` and `external` traits we illustrated in this guide, see the [Teleport Access Controls Reference](../../reference/access-controls/roles.mdx). - View access controls [Getting Started](../../admin-guides/access-controls/getting-started.mdx) - and other available [guides](../../admin-guides/access-controls/guides.mdx). + and other available [guides](../../admin-guides/access-controls/guides/guides.mdx). - Learn about using [JWT tokens](./jwt/introduction.mdx) to implement access controls in your application. - Integrate with your identity provider: diff --git a/docs/pages/enroll-resources/application-access/enroll-kubernetes-applications.mdx b/docs/pages/enroll-resources/application-access/enroll-kubernetes-applications/enroll-kubernetes-applications.mdx similarity index 80% rename from docs/pages/enroll-resources/application-access/enroll-kubernetes-applications.mdx rename to docs/pages/enroll-resources/application-access/enroll-kubernetes-applications/enroll-kubernetes-applications.mdx index 38f96ec67e768..097a4106c7652 100644 --- a/docs/pages/enroll-resources/application-access/enroll-kubernetes-applications.mdx +++ b/docs/pages/enroll-resources/application-access/enroll-kubernetes-applications/enroll-kubernetes-applications.mdx 
@@ -16,11 +16,11 @@ applications, and registers these applications with your cluster. The Teleport Application Service then detects the new application resources and proxies user traffic to them. -- [Get started](./enroll-kubernetes-applications/get-started.mdx): Set up automatic +- [Get started](get-started.mdx): Set up automatic application discovery with the `teleport-kube-agent` Helm chart. -- [Architecture](../../reference/architecture/kubernetes-applications-architecture.mdx): Learn how +- [Architecture](../../../reference/architecture/kubernetes-applications-architecture.mdx): Learn how automatic application discovery works. -- [Reference](../../reference/agent-services/kubernetes-application-discovery.mdx): Consult this guide +- [Reference](../../../reference/agent-services/kubernetes-application-discovery.mdx): Consult this guide for options and Kubernetes annotations you can use to configure automatic Kubernetes application discovery. diff --git a/docs/pages/enroll-resources/application-access/enroll-kubernetes-applications/kubernetes-applications.mdx b/docs/pages/enroll-resources/application-access/enroll-kubernetes-applications/kubernetes-applications.mdx new file mode 100644 index 0000000000000..097a4106c7652 --- /dev/null +++ b/docs/pages/enroll-resources/application-access/enroll-kubernetes-applications/kubernetes-applications.mdx 
@@ -0,0 +1,26 @@ +--- +title: "Enroll Kubernetes Services as Teleport Applications" +description: "Teleport can automatically detect applications running in your Kubernetes clusters and register them with Teleport for secure access." +--- + +Teleport can automatically detect applications running in your Kubernetes +clusters and register them with your Teleport cluster. In this setup, users with +Kubernetes-hosted infrastructure can configure secure access to any new +applications they deploy with no need for manual intervention beyond the initial +setup step. + +To enroll Kubernetes applications automatically, your Teleport cluster requires +the Teleport Discovery Service and Teleport Application Service. The Teleport +Discovery Service queries your Kubernetes clusters to detect running +applications, and registers these applications with your cluster. The Teleport +Application Service then detects the new application resources and proxies user +traffic to them. + +- [Get started](get-started.mdx): Set up automatic + application discovery with the `teleport-kube-agent` Helm chart. +- [Architecture](../../../reference/architecture/kubernetes-applications-architecture.mdx): Learn how + automatic application discovery works. +- [Reference](../../../reference/agent-services/kubernetes-application-discovery.mdx): Consult this guide + for options and Kubernetes annotations you can use to configure automatic + Kubernetes application discovery. + diff --git a/docs/pages/enroll-resources/application-access/guides.mdx b/docs/pages/enroll-resources/application-access/guides.mdx deleted file mode 100644 index 96f2ec2807276..0000000000000 --- a/docs/pages/enroll-resources/application-access/guides.mdx +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -title: Application Access Guides -description: Guides for configuring Teleport application access. -layout: tocless-doc ---- - -These guides explain how to use the Teleport Application Service, which allows -your teams to connect to applications within private networks with fine-grained -RBAC and audit logging. - -Manage access to internal applications: - -- [Web App Access](./guides/connecting-apps.mdx): How to access web apps with Teleport. -- [TCP App Access](./guides/tcp.mdx): How to access plain TCP apps with Teleport. -- [API Access](./guides/api-access.mdx): How to access REST APIs with Teleport. -- [Dynamic Registration](./guides/dynamic-registration.mdx): Register/unregister apps without restarting Teleport. -- [Amazon Athena Access](./guides/amazon-athena.mdx): How to access Amazon Athena with Teleport. -- [Amazon DynamoDB Access](./guides/dynamodb.mdx): How to access Amazon DynamoDB as an application. -- [Application Access HA](./guides/ha.mdx): How to configure the Teleport Application Service for high availability. diff --git a/docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx b/docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx index 3f5b195b5049e..8b1ae98838a9e 100644 --- a/docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx +++ b/docs/pages/enroll-resources/application-access/guides/dynamic-registration.mdx 
@@ -11,11 +11,6 @@ Application Service instances periodically query the Teleport Auth Service for `app` resources, each of which includes the information that the Application Service needs to proxy an application. -Dynamic registration is useful for [managing pools of Application Service -instances](../../agents/deploy-agents-terraform.mdx). And behind the scenes, the -Teleport Discovery Service uses dynamic registration to [register Kubernetes -applications](../enroll-kubernetes-applications.mdx). - ## Required permissions In order to interact with dynamically registered applications, a user must have diff --git a/docs/pages/enroll-resources/application-access/guides/guides.mdx b/docs/pages/enroll-resources/application-access/guides/guides.mdx new file mode 100644 index 0000000000000..3c33e215cd6ff --- /dev/null +++ b/docs/pages/enroll-resources/application-access/guides/guides.mdx @@ -0,0 +1,19 @@ +--- +title: Application Access Guides +description: Guides for configuring Teleport application access. +layout: tocless-doc +--- + +These guides explain how to use the Teleport Application Service, which allows +your teams to connect to applications within private networks with fine-grained +RBAC and audit logging. + +Manage access to internal applications: + +- [Web App Access](connecting-apps.mdx): How to access web apps with Teleport. +- [TCP App Access](tcp.mdx): How to access plain TCP apps with Teleport. +- [API Access](api-access.mdx): How to access REST APIs with Teleport. +- [Dynamic Registration](dynamic-registration.mdx): Register/unregister apps without restarting Teleport. +- [Amazon Athena Access](amazon-athena.mdx): How to access Amazon Athena with Teleport. +- [Amazon DynamoDB Access](dynamodb.mdx): How to access Amazon DynamoDB as an application. +- [Application Access HA](ha.mdx): How to configure the Teleport Application Service for high availability. 
diff --git a/docs/pages/enroll-resources/application-access/introduction.mdx b/docs/pages/enroll-resources/application-access/introduction.mdx index d42a4d6e47f92..92636bc8e8fce 100644 --- a/docs/pages/enroll-resources/application-access/introduction.mdx +++ b/docs/pages/enroll-resources/application-access/introduction.mdx @@ -56,7 +56,7 @@ These guides explain how to protect internal applications with Teleport: ## Automatically enroll Kubernetes applications If you are running applications on Kubernetes, you can [enroll them in your -Teleport cluster automatically](./enroll-kubernetes-applications.mdx). +Teleport cluster automatically](enroll-kubernetes-applications/enroll-kubernetes-applications.mdx). ## Teleport-signed JSON Web Tokens @@ -73,4 +73,4 @@ can access Okta applications through the Teleport Web UI and `tsh`, and administrators can manage access to these applications by defining RBAC policies in Teleport roles. -Learn more about the [Teleport Okta integration](./okta.mdx). +Learn more about the [Teleport Okta integration](okta/okta.mdx). diff --git a/docs/pages/enroll-resources/application-access/jwt.mdx b/docs/pages/enroll-resources/application-access/jwt/jwt.mdx similarity index 62% rename from docs/pages/enroll-resources/application-access/jwt.mdx rename to docs/pages/enroll-resources/application-access/jwt/jwt.mdx index b1574b11aa7a6..aab990bf03f89 100644 --- a/docs/pages/enroll-resources/application-access/jwt.mdx +++ b/docs/pages/enroll-resources/application-access/jwt/jwt.mdx 
@@ -8,5 +8,5 @@ These guides explain how web apps behind the Teleport Application Service can leverage Teleport-signed JWT tokens to implement authentication and authorization. -- [Introduction](./jwt/introduction.mdx): Introduction to JWT tokens with application access. -- [Elasticsearch](./jwt/elasticsearch.mdx): How to use JWT authentication with Elasticsearch. +- [Introduction](introduction.mdx): Introduction to JWT tokens with application access. +- [Elasticsearch](elasticsearch.mdx): How to use JWT authentication with Elasticsearch. diff --git a/docs/pages/enroll-resources/application-access/okta.mdx b/docs/pages/enroll-resources/application-access/okta.mdx deleted file mode 100644 index 11bf968f47bef..0000000000000 --- a/docs/pages/enroll-resources/application-access/okta.mdx +++ /dev/null @@ -1,12 +0,0 @@ ---- -title: Okta Integration with Application Access -description: Guides for using Teleport Okta integration. -layout: tocless-doc ---- - -Configure Teleport to import and grant access to Okta applications and user groups. - -- [Setting up the Okta Service](./okta/guide.mdx): A guide for setting up a simple Okta service in Teleport. -- [Architecture](./okta/architecture.mdx): The architecture of the Okta service. -- [Reference](../../reference/agent-services/okta.mdx): A reference for the Okta service. - diff --git a/docs/pages/enroll-resources/application-access/okta/okta.mdx b/docs/pages/enroll-resources/application-access/okta/okta.mdx new file mode 100644 index 0000000000000..00912982f79f1 --- /dev/null +++ b/docs/pages/enroll-resources/application-access/okta/okta.mdx 
@@ -0,0 +1,12 @@ +--- +title: Okta Integration with Application Access +description: Guides for using Teleport Okta integration. +layout: tocless-doc +--- + +Configure Teleport to import and grant access to Okta applications and user groups. + +- [Setting up the Okta Service](guide.mdx): A guide for setting up a simple Okta service in Teleport. +- [Architecture](architecture.mdx): The architecture of the Okta service. +- [Reference](../../../reference/agent-services/okta.mdx): A reference for the Okta service. + diff --git a/docs/pages/enroll-resources/database-access/architecture.mdx b/docs/pages/enroll-resources/database-access/architecture.mdx index beeb268bf05cd..53a9f0a42e4fe 100644 --- a/docs/pages/enroll-resources/database-access/architecture.mdx +++ b/docs/pages/enroll-resources/database-access/architecture.mdx @@ -128,7 +128,7 @@ databases hosted by AWS. Teleport Database Service uses client certificate authentication with self-hosted database servers. -See respective [guides](./guides.mdx) for details on configuring client +See respective [guides](guides/guides.mdx) for details on configuring client certificate authentication. #### Cloud-hosted @@ -137,7 +137,7 @@ Teleport Database Service uses IAM authentication for Amazon-hosted and Google-Cloud-hosted database servers, and uses Active Directory authentication for Azure-hosted database servers. -See respective [guides](./guides.mdx) for details on configuring IAM/AD +See respective [guides](guides/guides.mdx) for details on configuring IAM/AD authentication. ## Discovery diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning.mdx deleted file mode 100644 index f04d14b1278d1..0000000000000 --- a/docs/pages/enroll-resources/database-access/auto-user-provisioning.mdx +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -title: Database Automatic User Provisioning -description: Configure automatic user provisioning for databases. ---- - -(!docs/pages/includes/database-access/auto-user-provisioning/intro.mdx!) - -Currently, automatic user provisioning is supported for the following databases: -- [Self-hosted and AWS RDS PostgreSQL databases](./auto-user-provisioning/postgres.mdx) -- [Self-hosted and AWS RDS MySQL databases](./auto-user-provisioning/mysql.mdx) -- [Self-hosted and AWS RDS MariaDB databases](./auto-user-provisioning/mariadb.mdx) -- [AWS Redshift databases](./auto-user-provisioning/aws-redshift.mdx) -- [Self-hosted MongoDB](./auto-user-provisioning/mongodb.mdx) diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx new file mode 100644 index 0000000000000..cfe99bfb4c339 --- /dev/null +++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/auto-user-provisioning.mdx @@ -0,0 +1,16 @@ +--- +title: Database Automatic User Provisioning +description: Configure automatic user provisioning for databases. +--- + +(!docs/pages/includes/database-access/auto-user-provisioning/intro.mdx!) + +Currently, automatic user provisioning is supported for the following databases: +- [PostgreSQL databases (self-hosted and Amazon RDS)](postgres.mdx) +- [MySQL databases (self-hosted and Amazon RDS)](mysql.mdx) +- [MariaDB databases (self-hosted and Amazon RDS)](mariadb.mdx) +- [Amazon Redshift databases](aws-redshift.mdx) +- [MongoDB databases (self-hosted)](mongodb.mdx) + + + diff --git a/docs/pages/enroll-resources/database-access/database-access.mdx b/docs/pages/enroll-resources/database-access/database-access.mdx index 850266b192d6a..f4dab9b131b02 100644 --- a/docs/pages/enroll-resources/database-access/database-access.mdx +++ b/docs/pages/enroll-resources/database-access/database-access.mdx 
@@ -11,7 +11,7 @@ Some of the things you can do with database access: - Enable users to retrieve short-lived database certificates using a Single Sign-On flow, thus maintaining their organization-wide identity. - Configure role-based access controls for databases and implement custom - [Access Request](../../admin-guides/access-controls/access-requests.mdx) workflows. + [Access Request](../../admin-guides/access-controls/access-requests/access-requests.mdx) workflows. - Capture database activity in the Teleport audit log. Teleport protects databases through the Teleport Database Service, which is a diff --git a/docs/pages/enroll-resources/database-access/faq.mdx b/docs/pages/enroll-resources/database-access/faq.mdx index 59ab92704e03f..eaf628f7fbf4e 100644 --- a/docs/pages/enroll-resources/database-access/faq.mdx +++ b/docs/pages/enroll-resources/database-access/faq.mdx @@ -29,7 +29,7 @@ For PostgreSQL and MySQL, the following Cloud-hosted versions are supported in a - Google Cloud SQL - Azure Database -See the available [guides](./guides.mdx) for all supported configurations. +See the available [guides](guides/guides.mdx) for all supported configurations. ## Which PostgreSQL protocol features are not supported? diff --git a/docs/pages/enroll-resources/database-access/getting-started.mdx b/docs/pages/enroll-resources/database-access/getting-started.mdx index 3249d7ada471e..2ea177df6b973 100644 --- a/docs/pages/enroll-resources/database-access/getting-started.mdx +++ b/docs/pages/enroll-resources/database-access/getting-started.mdx 
@@ -239,8 +239,8 @@ $ tsh db connect --db-user=alice --db-name postgres aurora For the next steps, dive deeper into the topics relevant to your Database Access use-case, for example: -- Check out configuration [guides](./guides.mdx). +- Check out configuration [guides](guides/guides.mdx). - Learn how to configure [GUI clients](../../connect-your-client/gui-clients.mdx). -- Learn about database access [role-based access control](./rbac.mdx). +- Learn about database access [role-based access control](rbac/rbac.mdx). - See [frequently asked questions](./faq.mdx). diff --git a/docs/pages/enroll-resources/database-access/guides/aws-cross-account.mdx b/docs/pages/enroll-resources/database-access/guides/aws-cross-account.mdx index fd8d766c9fc0e..d91eac7e6435d 100644 --- a/docs/pages/enroll-resources/database-access/guides/aws-cross-account.mdx +++ b/docs/pages/enroll-resources/database-access/guides/aws-cross-account.mdx @@ -30,8 +30,7 @@ Teleport Database Service to connect to the databases. This guide does not cover AWS network configuration, because it depends on your specific AWS network setup and the kind(s) of AWS databases you wish to connect -to Teleport. For more information, see: -[how to connect your database](../guides.mdx#how-to-connect-your-database-to-teleport). +to Teleport. ## Teleport configuration @@ -232,4 +231,4 @@ role, then the trust policy might look like: ## Next steps -- Get started by [connecting](../guides.mdx) your database. +- Get started by [connecting](../guides/guides.mdx) your database. diff --git a/docs/pages/enroll-resources/database-access/guides/aws-discovery.mdx b/docs/pages/enroll-resources/database-access/guides/aws-discovery.mdx index 61cbbe46a30a4..2e72f7c0854e2 100644 --- a/docs/pages/enroll-resources/database-access/guides/aws-discovery.mdx +++ b/docs/pages/enroll-resources/database-access/guides/aws-discovery.mdx 
@@ -168,5 +168,5 @@ tag to the AWS database resource. ## Next - Learn about [Dynamic Registration](./dynamic-registration.mdx) by the Teleport Database Service. -- Get started by [connecting](../guides.mdx) your database. -- Connect AWS databases in [external AWS accounts](./aws-cross-account.mdx). +- Get started by [connecting](../../database-access/guides/guides.mdx) your database. + diff --git a/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx b/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx index 92e6204aafc3f..4f94ebf80c400 100644 --- a/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx +++ b/docs/pages/enroll-resources/database-access/guides/dynamic-registration.mdx @@ -121,10 +121,9 @@ $ tctl rm db/example ``` Aside from `tctl`, dynamic resources can also be added by: -- [AWS Discovery](./aws-discovery.mdx) -- [Terraform Provider](../../../admin-guides/infrastructure-as-code/terraform-provider.mdx) -- [Kubernetes Operator](../../../admin-guides/infrastructure-as-code/teleport-operator.mdx) +- [Terraform Provider](../../../admin-guides/infrastructure-as-code/terraform-provider/terraform-provider.mdx) +- [Kubernetes Operator](../../../admin-guides/infrastructure-as-code/teleport-operator/teleport-operator.mdx) - [Teleport API](../../../admin-guides/api/api.mdx) -See [Using Dynamic Resources](../../../admin-guides/infrastructure-as-code.mdx) to learn +See [Using Dynamic Resources](../../../admin-guides/infrastructure-as-code/infrastructure-as-code.mdx) to learn more about managing Teleport's dynamic resources in general. diff --git a/docs/pages/enroll-resources/database-access/guides/elastic.mdx b/docs/pages/enroll-resources/database-access/guides/elastic.mdx index e3d95ead8c121..68902e0de0c1c 100644 --- a/docs/pages/enroll-resources/database-access/guides/elastic.mdx +++ b/docs/pages/enroll-resources/database-access/guides/elastic.mdx 
@@ -68,7 +68,7 @@ $ curl -u elastic:your_elasticsearch_password -X POST "https://elasticsearch.exa
-In a scenario where Teleport is using [single sign-on](../../../admin-guides/access-controls/sso.mdx) you may want to define a mapping for all users to a role: +In a scenario where Teleport is using [single sign-on](../../../admin-guides/access-controls/sso/sso.mdx) you may want to define a mapping for all users to a role: ```code $ curl -u elastic:your_elasticsearch_password -X POST "https://elasticsearch.example.com:9200/_security/role_mapping/mapping1?pretty" -H 'Content-Type: application/json' -d' diff --git a/docs/pages/enroll-resources/database-access/guides.mdx b/docs/pages/enroll-resources/database-access/guides/guides.mdx similarity index 99% rename from docs/pages/enroll-resources/database-access/guides.mdx rename to docs/pages/enroll-resources/database-access/guides/guides.mdx index 2d552d12d88cc..0368c3001b4e7 100644 --- a/docs/pages/enroll-resources/database-access/guides.mdx +++ b/docs/pages/enroll-resources/database-access/guides/guides.mdx @@ -5,3 +5,4 @@ layout: tocless-doc --- (!docs/pages/includes/database-access/guides.mdx!) + diff --git a/docs/pages/enroll-resources/database-access/guides/ha.mdx b/docs/pages/enroll-resources/database-access/guides/ha.mdx index 1445e5ef466f6..54d8aa901f7fa 100644 --- a/docs/pages/enroll-resources/database-access/guides/ha.mdx +++ b/docs/pages/enroll-resources/database-access/guides/ha.mdx @@ -133,8 +133,5 @@ you're using to connect. ## Next steps -- Get started by [connecting](../guides.mdx) your database. -- Review the [architecture](../architecture.mdx) of the Teleport Database - Service. - +- Get started by [connecting](guides.mdx) your database. diff --git a/docs/pages/enroll-resources/database-access/guides/mysql-cloudsql.mdx b/docs/pages/enroll-resources/database-access/guides/mysql-cloudsql.mdx index 2992f6c9bf4af..2eeabe5f1af0d 100644 --- a/docs/pages/enroll-resources/database-access/guides/mysql-cloudsql.mdx +++ b/docs/pages/enroll-resources/database-access/guides/mysql-cloudsql.mdx 
@@ -175,7 +175,7 @@ $ tsh db ls type="note" > You will only be able to see databases that your Teleport role has -access to. See our [RBAC](../rbac.mdx) guide for more details. +access to. See our [RBAC](../rbac/rbac.mdx) guide for more details. When connecting to the database, use either the database user name or the diff --git a/docs/pages/enroll-resources/database-access/guides/mysql-self-hosted.mdx b/docs/pages/enroll-resources/database-access/guides/mysql-self-hosted.mdx index e416a396db94b..543d905a4b87e 100644 --- a/docs/pages/enroll-resources/database-access/guides/mysql-self-hosted.mdx +++ b/docs/pages/enroll-resources/database-access/guides/mysql-self-hosted.mdx @@ -190,7 +190,7 @@ $ tsh db ls Note that you will only be able to see databases your role has access to. See -the [RBAC](../rbac.mdx) guide for more details. +the [RBAC](../rbac/rbac.mdx) guide for more details. To retrieve credentials for a database and connect to it: diff --git a/docs/pages/enroll-resources/database-access/guides/oracle-self-hosted.mdx b/docs/pages/enroll-resources/database-access/guides/oracle-self-hosted.mdx index 20620e7d699f1..48074e7afa2f1 100644 --- a/docs/pages/enroll-resources/database-access/guides/oracle-self-hosted.mdx +++ b/docs/pages/enroll-resources/database-access/guides/oracle-self-hosted.mdx @@ -28,7 +28,7 @@ description: How to configure Teleport database access with Oracle. -To modify an existing user to provide access to the Database Service, see [Database Access Access Controls](../../database-access/rbac.mdx) +To modify an existing user to provide access to the Database Service, see [Database Access Access Controls](../rbac/rbac.mdx) @@ -53,7 +53,7 @@ $ tctl users add \ For more detailed information about database access controls and how to restrict -access see [RBAC](../../database-access/rbac.mdx) documentation. +access see [RBAC](../rbac/rbac.mdx) documentation. ## Step 2/6. Create a certificate/key pair and Teleport Oracle Wallet 
diff --git a/docs/pages/enroll-resources/database-access/guides/postgres-cloudsql.mdx b/docs/pages/enroll-resources/database-access/guides/postgres-cloudsql.mdx index deeca985bb731..6a12b656eef62 100644 --- a/docs/pages/enroll-resources/database-access/guides/postgres-cloudsql.mdx +++ b/docs/pages/enroll-resources/database-access/guides/postgres-cloudsql.mdx @@ -131,7 +131,7 @@ $ tsh db ls type="note" > You will only be able to see databases that your Teleport role has -access to. See our [RBAC](../rbac.mdx) guide for more details. +access to. See our [RBAC](../rbac/rbac.mdx) guide for more details. When connecting to the database, use the name of the database's service account diff --git a/docs/pages/enroll-resources/database-access/guides/postgres-self-hosted.mdx b/docs/pages/enroll-resources/database-access/guides/postgres-self-hosted.mdx index 97a78a71bd8e7..f08b08131c417 100644 --- a/docs/pages/enroll-resources/database-access/guides/postgres-self-hosted.mdx +++ b/docs/pages/enroll-resources/database-access/guides/postgres-self-hosted.mdx @@ -139,7 +139,7 @@ $ tsh db ls Note that you will only be able to see databases your role has access to. See -[RBAC](../rbac.mdx) section for more details. +[RBAC](../rbac/rbac.mdx) section for more details. To retrieve credentials for a database and connect to it: diff --git a/docs/pages/enroll-resources/database-access/guides/rds.mdx b/docs/pages/enroll-resources/database-access/guides/rds.mdx index b3edd742202e8..0a3639a866411 100644 --- a/docs/pages/enroll-resources/database-access/guides/rds.mdx +++ b/docs/pages/enroll-resources/database-access/guides/rds.mdx 
@@ -6,7 +6,7 @@ description: How to configure Teleport database access with AWS RDS and Aurora f Access to AWS or RDS Aurora databases can be provided by [Teleport Database Access](../../../index.mdx). This allows for -fine-grain access control through [Teleport's RBAC](../rbac.mdx). +fine-grain access control through [Teleport's RBAC](../rbac/rbac.mdx). This guide demonstrates how to use Teleport to connect to AWS or RDS Aurora databases. @@ -440,5 +440,5 @@ $ tsh db logout ## Next steps (!docs/pages/includes/database-access/guides-next-steps.mdx!) -- Set up [automatic database user provisioning](../auto-user-provisioning.mdx). +- Set up [automatic database user provisioning](../auto-user-provisioning/auto-user-provisioning.mdx). diff --git a/docs/pages/enroll-resources/database-access/guides/vitess.mdx b/docs/pages/enroll-resources/database-access/guides/vitess.mdx index daf1b6bc65728..ab4671b754f0b 100644 --- a/docs/pages/enroll-resources/database-access/guides/vitess.mdx +++ b/docs/pages/enroll-resources/database-access/guides/vitess.mdx @@ -197,7 +197,7 @@ $ tsh db ls Note that you will only be able to see databases your role has access to. See -the [RBAC](../rbac.mdx) guide for more details. +the [RBAC](../rbac/rbac.mdx) guide for more details. To retrieve credentials for a database and connect to it: diff --git a/docs/pages/enroll-resources/database-access/rbac.mdx b/docs/pages/enroll-resources/database-access/rbac.mdx deleted file mode 100644 index 3593139bec23c..0000000000000 --- a/docs/pages/enroll-resources/database-access/rbac.mdx +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -title: Database Access Control Guides -description: Role-based access control guides for Teleport database access. ---- - -These guides cover configuring access control policies for database users. - -Read the [RBAC](./rbac/configuring-access.mdx) guide to get a general understanding -of how to configure Teleport roles to grant or deny access to your database users. - -The [Automatic User Provisioning](./auto-user-provisioning.mdx) guides explain -how to get Teleport to create database user accounts on demand for MySQL, -PostgreSQL, and more. - - diff --git a/docs/pages/enroll-resources/database-access/rbac/configuring-access.mdx b/docs/pages/enroll-resources/database-access/rbac/configuring-access.mdx index 9f663b0f8eaea..ad927998c8466 100644 --- a/docs/pages/enroll-resources/database-access/rbac/configuring-access.mdx +++ b/docs/pages/enroll-resources/database-access/rbac/configuring-access.mdx @@ -99,7 +99,7 @@ is not currently enforced on MySQL connection attempts. Similar to other role fields, `db_*` fields support templating variables. The `external.xyz` traits are replaced with values from external [single -sign-on](../../../admin-guides/access-controls/sso.mdx) providers. For OIDC, they will be +sign-on](../../../admin-guides/access-controls/sso/sso.mdx) providers. For OIDC, they will be replaced with the value of an "xyz" claim. For SAML, they are replaced with an "xyz" assertion value. diff --git a/docs/pages/enroll-resources/database-access/rbac/rbac.mdx b/docs/pages/enroll-resources/database-access/rbac/rbac.mdx new file mode 100644 index 0000000000000..5071c9b2cd2d4 --- /dev/null +++ b/docs/pages/enroll-resources/database-access/rbac/rbac.mdx @@ -0,0 +1,8 @@ +--- +title: Database Access Control Guides +description: Role-based access control guides for Teleport database access. +--- + +These guides cover configuring access control policies for database users. + +(!toc!) 
diff --git a/docs/pages/enroll-resources/database-access/troubleshooting.mdx b/docs/pages/enroll-resources/database-access/troubleshooting.mdx index 0e32547e81662..fd24ec33816e0 100644 --- a/docs/pages/enroll-resources/database-access/troubleshooting.mdx +++ b/docs/pages/enroll-resources/database-access/troubleshooting.mdx @@ -145,7 +145,7 @@ Now Alice can connect to any database in the Teleport cluster using any database This example is intentionally simple; we could have configured Alice's permissions using more fine-grained control. For more detailed information about database access controls and how to restrict -access see the [RBAC](../database-access/rbac.mdx) documentation. +access see the [RBAC](rbac/rbac.mdx) documentation. ## Connection to MySQL database results in "Unknown system variable 'query_cache_size'" error diff --git a/docs/pages/enroll-resources/kubernetes-access/controls.mdx b/docs/pages/enroll-resources/kubernetes-access/controls.mdx index 235da2e0f7e65..4887bc00bda89 100644 --- a/docs/pages/enroll-resources/kubernetes-access/controls.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/controls.mdx @@ -336,14 +336,6 @@ Below is a Kubernetes `ClusterRole` that grants the minimum set of permissions to enable impersonation, and a `ClusterRoleBinding` that grants these permissions to a service account. - - -There is usually no need to define these resources manually. The [manual -methods](./register-clusters.mdx) and [automatic methods](./discovery.mdx) for -registering Kubernetes clusters with Teleport include steps for setting up the -Kubernetes RBAC resources that Teleport needs to allow access to clusters. - - ```yaml apiVersion: rbac.authorization.k8s.io/v1 
diff --git a/docs/pages/enroll-resources/kubernetes-access/discovery.mdx b/docs/pages/enroll-resources/kubernetes-access/discovery/discovery.mdx similarity index 96% rename from docs/pages/enroll-resources/kubernetes-access/discovery.mdx rename to docs/pages/enroll-resources/kubernetes-access/discovery/discovery.mdx index 6d5fb3b2f7a0b..944a4a28a363f 100644 --- a/docs/pages/enroll-resources/kubernetes-access/discovery.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/discovery/discovery.mdx @@ -13,9 +13,9 @@ minimal access permissions. ## Supported clouds -- [AWS](./discovery/aws.mdx): Discovery for AWS EKS clusters. -- [Azure](./discovery/azure.mdx): Discovery for Azure AKS clusters. -- [Google Cloud](./discovery/google-cloud.mdx): Discovery for +- [AWS](aws.mdx): Discovery for AWS EKS clusters. +- [Azure](azure.mdx): Discovery for Azure AKS clusters. +- [Google Cloud](google-cloud.mdx): Discovery for Google Kubernetes Engine clusters. ## How Kubernetes Clusters Discovery works diff --git a/docs/pages/enroll-resources/kubernetes-access/faq.mdx b/docs/pages/enroll-resources/kubernetes-access/faq.mdx index 83d6bca552a19..f258b50794633 100644 --- a/docs/pages/enroll-resources/kubernetes-access/faq.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/faq.mdx @@ -29,6 +29,3 @@ more information and examples. Since version 11, Teleport can discover your Kubernetes clusters on AWS, GCP, and Azure. -Check out the [Kubernetes Service Discovery Guide](./discovery.mdx) for more -documentation and examples. - diff --git a/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx b/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx index 6d9a31e9fe1bd..ba466c242dd63 100644 --- a/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/getting-started.mdx 
@@ -16,7 +16,7 @@ Teleport Kubernetes Service running on the Kubernetes cluster: ![Enroll a Kubernetes cluster](../../../img/k8s/enroll-kubernetes.png) For information about other ways to enroll and discover Kubernetes clusters, see -[Registering Kubernetes Clusters with Teleport](./register-clusters.mdx). +[Registering Kubernetes Clusters with Teleport](register-clusters/register-clusters.mdx). ## Prerequisites @@ -205,9 +205,7 @@ To set up and test access: This guide demonstrated how to enroll a Kubernetes cluster by running the Teleport Kubernetes Service within the Kubernetes cluster. -- For information about discovering Kubernetes clusters hosted on cloud providers, see -[Kubernetes Cluster Discovery](./discovery.mdx). - To learn about other ways you can register a Kubernetes cluster with Teleport, see -[Registering Kubernetes Clusters with Teleport](./register-clusters.mdx). +[Registering Kubernetes Clusters with Teleport](register-clusters/register-clusters.mdx). - For a complete list of the parameters you can configure in the `teleport-kube-agent` helm chart, see the [Chart Reference](../../reference/helm-reference/teleport-kube-agent.mdx). diff --git a/docs/pages/enroll-resources/kubernetes-access/introduction.mdx b/docs/pages/enroll-resources/kubernetes-access/introduction.mdx index d936f2213941c..d81444985ac82 100644 --- a/docs/pages/enroll-resources/kubernetes-access/introduction.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/introduction.mdx 
@@ -15,7 +15,7 @@ Teleport provides secure access to Kubernetes clusters: The guides in this section show you how to protect Kubernetes clusters with Teleport. For instructions on self-hosting Teleport Community Edition or Teleport Enterprise on Kubernetes, see the [Kubernetes Deployment -Guides](../../admin-guides/deploy-a-cluster/helm-deployments.mdx). +Guides](../../admin-guides/deploy-a-cluster/helm-deployments/helm-deployments.mdx). Here is an example of using Teleport to access a Kubernetes cluster, execute commands, and view your `kubectl` activity in Teleport's audit log: @@ -36,7 +36,7 @@ your cloud provider. When you create or destroy a Kubernetes cluster, Teleport registers or deregisters the cluster so your access controls stay up to date with your infrastructure. -[Read our overview](discovery.mdx) of how Teleport automatically discovers +[Read our overview](discovery/discovery.mdx) of how Teleport automatically discovers Kubernetes clusters. Read our guides to automatically registering Kubernetes clusters with Teleport diff --git a/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx b/docs/pages/enroll-resources/kubernetes-access/manage-access/manage-access.mdx similarity index 81% rename from docs/pages/enroll-resources/kubernetes-access/manage-access.mdx rename to docs/pages/enroll-resources/kubernetes-access/manage-access/manage-access.mdx index e44be1e143dd2..219c95250592f 100644 --- a/docs/pages/enroll-resources/kubernetes-access/manage-access.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/manage-access/manage-access.mdx 
@@ -6,13 +6,13 @@ description: Use Teleport's sophisticated RBAC and trusted clusters to ensure th Once you register a Kubernetes cluster with Teleport, you can apply sophisticated policies to manage the way users access your cluster. -Read our [Kubernetes RBAC guide](./manage-access/rbac.mdx) for step-by-step +Read our [Kubernetes RBAC guide](rbac.mdx) for step-by-step instructions on giving your users the correct access to Kubernetes clusters, groups, users, and resources. See how to federate your Kubernetes access controls using [Teleport Trusted -Clusters](./manage-access/federation.mdx). +Clusters](federation.mdx). For a comprehensive reference to configuring access controls in your Teleport-registered Kubernetes clusters, see our [Access Controls -Reference](./controls.mdx). +Reference](../controls.mdx). diff --git a/docs/pages/enroll-resources/kubernetes-access/manage-access/rbac.mdx b/docs/pages/enroll-resources/kubernetes-access/manage-access/rbac.mdx index b97a3379a6319..135079951bcfc 100644 --- a/docs/pages/enroll-resources/kubernetes-access/manage-access/rbac.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/manage-access/rbac.mdx @@ -450,6 +450,6 @@ Now that you know how to configure Teleport's RBAC system to control access to Kubernetes clusters, learn how to set up [Resource Access Requests](../../../admin-guides/access-controls/access-requests/resource-requests.mdx) for just-in-time access and [Access Request -plugins](../../../admin-guides/access-controls/access-request-plugins.mdx) so you can manage +plugins](../../../admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx) so you can manage access with your communication workflow of choice. 
diff --git a/docs/pages/enroll-resources/kubernetes-access/register-clusters.mdx b/docs/pages/enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx similarity index 60% rename from docs/pages/enroll-resources/kubernetes-access/register-clusters.mdx rename to docs/pages/enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx index 5d84fbc36a5c1..288c18813ffa8 100644 --- a/docs/pages/enroll-resources/kubernetes-access/register-clusters.mdx +++ b/docs/pages/enroll-resources/kubernetes-access/register-clusters/register-clusters.mdx @@ -5,16 +5,16 @@ layout: tocless-doc --- In some cases, you will want to register a Kubernetes cluster with Teleport -manually, rather than letting Teleport [discover the cluster -automatically](./discovery.mdx). There are a few ways to do this: +manually, rather than letting Teleport discover the cluster automatically. There +are a few ways to do this: - [Deploy the Teleport Kubernetes - Service with IAM Joining](./register-clusters/iam-joining.mdx) on your cluster of + Service with IAM Joining](iam-joining.mdx) on your cluster of choice. - Deploy the Teleport Kubernetes Service outside your Kubernetes cluster (e.g., directly on a virtual machine) and [give it access to a - kubeconfig](./register-clusters/static-kubeconfig.mdx). + kubeconfig](static-kubeconfig.mdx). - Deploy the Teleport Kubernetes Service outside of Kubernetes and [use dynamic - configuration resources](./register-clusters/dynamic-registration.mdx) to + configuration resources](dynamic-registration.mdx) to register your clusters. diff --git a/docs/pages/enroll-resources/machine-id/access-guides.mdx b/docs/pages/enroll-resources/machine-id/access-guides.mdx deleted file mode 100644 index 5b38f57dc64c6..0000000000000 --- a/docs/pages/enroll-resources/machine-id/access-guides.mdx +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -title: Access your Infrastructure with Machine ID -description: How to use Machine ID to enable secure access to Teleport resources. -layout: tocless-doc ---- - -These guides cover how to configure a deployed Machine ID to produce credentials -that can be used for machine to machine access to different Teleport resources. - -It is a pre-requisite of these guides that Machine ID has been configured for -your platform, see the [Deploy Machine ID](./deployment.mdx) guides for information -on how to do so. - -## Resource Access - -- [Server Access](./access-guides/ssh.mdx): How to use Machine ID to access servers via SSH. -- [Kubernetes Access](./access-guides/kubernetes.mdx): How to use Machine ID to access Kubernetes clusters. -- [Database Access](./access-guides/databases.mdx): How to use Machine ID to access Database servers. -- [Application Access](./access-guides/applications.mdx): How to use Machine ID to access Applications. - -## Specific Tools - -- [tctl](./access-guides/tctl.mdx): How to use Machine ID with `tctl` to manage your Teleport configuration. -- [Teleport Terraform](./access-guides/terraform.mdx): How to use Machine ID with the Teleport Terraform provider to manage your Teleport configuration as IaC. -- [Ansible](./access-guides/ansible.mdx): How to use Machine ID with Ansible. diff --git a/docs/pages/enroll-resources/machine-id/access-guides/access-guides.mdx b/docs/pages/enroll-resources/machine-id/access-guides/access-guides.mdx new file mode 100644 index 0000000000000..a61e9b4b03124 --- /dev/null +++ b/docs/pages/enroll-resources/machine-id/access-guides/access-guides.mdx 
@@ -0,0 +1,25 @@ +--- +title: Access your Infrastructure with Machine ID +description: How to use Machine ID to enable secure access to Teleport resources. +layout: tocless-doc +--- + +These guides cover how to configure a deployed Machine ID to produce credentials +that can be used for machine to machine access to different Teleport resources. + +It is a pre-requisite of these guides that Machine ID has been configured for +your platform, see the [Deploy Machine ID](../deployment/deployment.mdx) guides for information +on how to do so. + +## Resource Access + +- [Server Access](ssh.mdx): How to use Machine ID to access servers via SSH. +- [Kubernetes Access](kubernetes.mdx): How to use Machine ID to access Kubernetes clusters. +- [Database Access](databases.mdx): How to use Machine ID to access Database servers. +- [Application Access](applications.mdx): How to use Machine ID to access Applications. + +## Specific Tools + +- [tctl](tctl.mdx): How to use Machine ID with `tctl` to manage your Teleport configuration. +- [Teleport Terraform](terraform.mdx): How to use Machine ID with the Teleport Terraform provider to manage your Teleport configuration as IaC. +- [Ansible](ansible.mdx): How to use Machine ID with Ansible. diff --git a/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx b/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx index 92518e21d4e75..5894a1bd41b41 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/ansible.mdx 
@@ -26,7 +26,7 @@ You will need the following tools to use Teleport with Ansible. - `tbot` must already be installed and configured on the machine that will run Ansible. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). - If you followed the above guide, note the `--destination-dir=/opt/machine-id` flag, which defines the directory where SSH certificates and OpenSSH configuration diff --git a/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx b/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx index ea42911de9062..7b0f80449fca7 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/applications.mdx @@ -20,7 +20,7 @@ used to access an application enrolled in your Teleport cluster. - (!docs/pages/includes/tctl.mdx!) - `tbot` must already be installed and configured on the machine that will access applications. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). ## Step 1/3. Configure RBAC diff --git a/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx b/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx index cffe895247bd6..2ad694b40d283 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/databases.mdx 
@@ -23,7 +23,7 @@ used to access a database configured in Teleport. follow the [database access getting started guide](../../database-access/getting-started.mdx). The Teleport Database Service supports databases like PostgreSQL, MongoDB, Redis, and much more. See our [database access - guides](../../database-access/guides.mdx) for a complete list. + guides](../../database-access/guides/guides.mdx) for a complete list. - (!docs/pages/includes/tctl.mdx!) - The `tsh` binary must be installed on the machine that will access the database. Depending on how `tbot` was installed, this may already be @@ -31,7 +31,7 @@ used to access a database configured in Teleport. details. - `tbot` must already be installed and configured on the machine that will access the database. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). ## Step 1/4. Configure RBAC diff --git a/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx b/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx index bb76d56c33cbb..9bc2adba2fe58 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/kubernetes.mdx @@ -28,7 +28,7 @@ used to access a Kubernetes cluster enrolled with your Teleport cluster. installation instructions. - `tbot` must already be installed and configured on the machine that will access Kubernetes clusters. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). - To demonstrate connecting to the Kubernetes cluster, the machine that will access Kubernetes clusters will need to have `kubectl` installed. See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/) for 
diff --git a/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx b/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx index 3a5582b2cbb55..9fcc0cc6b116c 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/ssh.mdx @@ -21,7 +21,7 @@ will cover access using the Teleport CLI `tsh` as well as the OpenSSH client. - (!docs/pages/includes/tctl.mdx!) - `tbot` must already be installed and configured on the machine that will connect to Linux hosts with SSH. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). ## Step 1/3. Configure RBAC diff --git a/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx b/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx index 43999f3bd1356..be80f28a70bed 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/tctl.mdx @@ -18,7 +18,7 @@ then use `tctl` to deploy Teleport roles defined in files. - (!docs/pages/includes/tctl.mdx!) - `tbot` must already be installed and configured on the machine that will use `tctl`. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). ## Step 1/3. Configure RBAC diff --git a/docs/pages/enroll-resources/machine-id/access-guides/terraform.mdx b/docs/pages/enroll-resources/machine-id/access-guides/terraform.mdx index 1e554afea6158..a697f4cdbc0f1 100644 --- a/docs/pages/enroll-resources/machine-id/access-guides/terraform.mdx +++ b/docs/pages/enroll-resources/machine-id/access-guides/terraform.mdx 
@@ -25,7 +25,7 @@ Terraform Provider and use Terraform to configure a Teleport role. - `tbot` must already be installed and configured on the machine that will run Terraform. For more information, see the - [deployment guides](../deployment.mdx). + [deployment guides](../deployment/deployment.mdx). ## Step 1/3. Configure RBAC diff --git a/docs/pages/enroll-resources/machine-id/deployment.mdx b/docs/pages/enroll-resources/machine-id/deployment.mdx deleted file mode 100644 index b65083201f155..0000000000000 --- a/docs/pages/enroll-resources/machine-id/deployment.mdx +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -title: Deploy Machine ID -description: Explains how to deploy Machine ID on your platform and join it to your Teleport cluster. -tocDepth: 3 ---- - -The first step to set up Machine ID is to deploy the `tbot` binary and join a -Machine ID bot to your Teleport cluster. You can run the `tbot` binary on a -number of platforms, from AWS and GitHub Actions to a generic Linux server or -Kubernetes cluster. This guide shows you how to deploy Machine ID on your -infrastructure. - -## Choosing a deployment method - -There are two considerations to make when determining how to deploy Machine ID on -your infrastructure. - -### Your infrastructure - -The `tbot` binary runs as a container or on a Linux virtual machine. If you run -`tbot` on GitHub Actions, you can use one of the ready-made [Teleport GitHub -Actions workflows](https://github.com/teleport-actions). - -### Join method - -Machine ID joins your Teleport cluster by using one of the following -authentication methods: - -- **Platform-signed document:** The platform that hosts `tbot`, such as a - Kubernetes cluster or Amazon EC2 instance, provides a signed identity document - that Teleport can verify using the platform's certificate authority. This is - the recommended approach because it avoids the use of shared secrets. -- **Static join token:** Your Teleport client tool generates a string and stores - it on the Teleport Auth Service. Machine ID provides this string when it first - connects to your Teleport cluster, demonstrating to the Auth Service that it - belongs in the cluster. From then on, Machine ID authenticates to your - Teleport cluster with a renewable certificate. - -## Deployment guides - -The guides in this section show you how to deploy Machine ID and join it -to your cluster. Choose a guide based on the platform where you intend to run -Machine ID. 
- -If a specific guide does not exist for your platform, the [Linux -guide](./deployment/linux.mdx) is compatible with most platforms. For -custom approaches, you can also read the [Machine ID Reference](../../reference/machine-id/machine-id.mdx) -and [Architecture](../../reference/architecture/machine-id-architecture.mdx) to plan your deployment. - -### Self-hosted infrastructure - -Read the following guides for how to deploy Machine ID on your cloud platform or -on-prem infrastructure. - -|Platform|Installation method|Join method| -|---|---|---| -|[Linux](./deployment/linux.mdx)|Package manager or TAR archive|Static join token| -|[GCP](./deployment/gcp.mdx)|Package manager, TAR archive, or Kubernetes pod|Identity document signed by GCP| -|[AWS](./deployment/aws.mdx)|Package manager, TAR archive, or Kubernetes pod|Identity document signed by AWS| -|[Azure](./deployment/azure.mdx)|Package manager or TAR archive|Identity document signed by Azure| -|[Kubernetes](./deployment/kubernetes.mdx)|Kubernetes pod|Identity document signed by your Kubernetes cluster| - -### CI/CD - -Read the following guides for how to deploy Machine ID on a continuous -integration and continuous deployment platform - -|Platform|Installation method|Join method| -|---|---|---| -|[CircleCI](./deployment/circleci.mdx)|TAR archive|CircleCI-signed identity document| -|[GitLab](./deployment/gitlab.mdx)|TAR archive|GitLab-signed identity document| -|[GitHub Actions](./deployment/github-actions.mdx)|Teleport job available through the GitHub Actions marketplace|GitHub-signed identity document.| -|[Jenkins](./deployment/jenkins.mdx)|Package manager or TAR archive|Static join token| -|[Spacelift](./deployment/spacelift.mdx)|Docker Image|Spacelift-signed identity document| diff --git a/docs/pages/enroll-resources/machine-id/deployment/aws.mdx b/docs/pages/enroll-resources/machine-id/deployment/aws.mdx index 2b3693897425d..45b7a3bb61d2b 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/aws.mdx 
+++ b/docs/pages/enroll-resources/machine-id/deployment/aws.mdx @@ -123,7 +123,7 @@ Replace: ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/deployment/azure.mdx b/docs/pages/enroll-resources/machine-id/deployment/azure.mdx index 0567904dadc1e..11178e840732d 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/azure.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/azure.mdx @@ -124,7 +124,7 @@ Replace: ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/deployment/circleci.mdx b/docs/pages/enroll-resources/machine-id/deployment/circleci.mdx index 8a759109c66a2..bb255e4a60606 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/circleci.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/circleci.mdx @@ -213,7 +213,7 @@ resources in your Teleport cluster that your CI/CD needs to interact with. ## Further steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. 
diff --git a/docs/pages/enroll-resources/machine-id/deployment/deployment.mdx b/docs/pages/enroll-resources/machine-id/deployment/deployment.mdx new file mode 100644 index 0000000000000..da8051effae55 --- /dev/null +++ b/docs/pages/enroll-resources/machine-id/deployment/deployment.mdx 
@@ -0,0 +1,73 @@ +--- +title: Deploy Machine ID +description: Explains how to deploy Machine ID on your platform and join it to your Teleport cluster. +tocDepth: 3 +--- + +The first step to set up Machine ID is to deploy the `tbot` binary and join a +Machine ID bot to your Teleport cluster. You can run the `tbot` binary on a +number of platforms, from AWS and GitHub Actions to a generic Linux server or +Kubernetes cluster. This guide shows you how to deploy Machine ID on your +infrastructure. + +## Choosing a deployment method + +There are two considerations to make when determining how to deploy Machine ID on +your infrastructure. + +### Your infrastructure + +The `tbot` binary runs as a container or on a Linux virtual machine. If you run +`tbot` on GitHub Actions, you can use one of the ready-made [Teleport GitHub +Actions workflows](https://github.com/teleport-actions). + +### Join method + +Machine ID joins your Teleport cluster by using one of the following +authentication methods: + +- **Platform-signed document:** The platform that hosts `tbot`, such as a + Kubernetes cluster or Amazon EC2 instance, provides a signed identity document + that Teleport can verify using the platform's certificate authority. This is + the recommended approach because it avoids the use of shared secrets. +- **Static join token:** Your Teleport client tool generates a string and stores + it on the Teleport Auth Service. Machine ID provides this string when it first + connects to your Teleport cluster, demonstrating to the Auth Service that it + belongs in the cluster. From then on, Machine ID authenticates to your + Teleport cluster with a renewable certificate. + +## Deployment guides + +The guides in this section show you how to deploy Machine ID and join it +to your cluster. Choose a guide based on the platform where you intend to run +Machine ID. + +If a specific guide does not exist for your platform, the [Linux +guide](linux.mdx) is compatible with most platforms. 
For +custom approaches, you can also read the [Machine ID Reference](../../../reference/machine-id/machine-id.mdx) +and [Architecture](../../../reference/architecture/machine-id-architecture.mdx) to plan your deployment. + +### Self-hosted infrastructure + +Read the following guides for how to deploy Machine ID on your cloud platform or +on-prem infrastructure. + +| Platform | Installation method | Join method | +|-------------------------------------------|-------------------------------------------------|-----------------------------------------------------| +| [Linux](linux.mdx) | Package manager or TAR archive | Static join token | +| [GCP](gcp.mdx) | Package manager, TAR archive, or Kubernetes pod | Identity document signed by GCP | +| [AWS](aws.mdx) | Package manager, TAR archive, or Kubernetes pod | Identity document signed by AWS | +| [Azure](azure.mdx) | Package manager or TAR archive | Identity document signed by Azure | +| [Kubernetes](kubernetes.mdx) | Kubernetes pod | Identity document signed by your Kubernetes cluster | + +### CI/CD + +Read the following guides for how to deploy Machine ID on a continuous +integration and continuous deployment platform + +| Platform | Installation method | Join method | +|-----------------------------------------------------------------------------------------------------|---------------------------------------------------------------|------------------------------------| +| [CircleCI](circleci.mdx) | TAR archive | CircleCI-signed identity document | +| [GitLab](gitlab.mdx) | TAR archive | GitLab-signed identity document | +| [GitHub Actions](github-actions.mdx) | Teleport job available through the GitHub Actions marketplace | GitHub-signed identity document. | +| [Jenkins](jenkins.mdx) | Package manager or TAR archive | Static join token | diff --git a/docs/pages/enroll-resources/machine-id/deployment/gcp.mdx b/docs/pages/enroll-resources/machine-id/deployment/gcp.mdx index d0c4da83941c8..e5cf2a5e0f50d 100644 
--- a/docs/pages/enroll-resources/machine-id/deployment/gcp.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/gcp.mdx @@ -125,7 +125,7 @@ Replace: ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/deployment/gitlab.mdx b/docs/pages/enroll-resources/machine-id/deployment/gitlab.mdx index 24d2b73e4958c..43b08f6d399b1 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/gitlab.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/gitlab.mdx @@ -179,7 +179,7 @@ failure. [GitLab CI reference page.](../../../reference/machine-id/gitlab.mdx) - For more information about GitLab itself, read [their documentation](https://docs.gitlab.com/ee/ci/). -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/deployment/kubernetes.mdx b/docs/pages/enroll-resources/machine-id/deployment/kubernetes.mdx index 17c8fc18e6c4c..5c65640d26819 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/kubernetes.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/kubernetes.mdx 
@@ -311,7 +311,7 @@ However, it is not yet producing any useful output. ## Step 4/4. Configure outputs -Follow one of the [access guides](../access-guides.mdx) to configure an output +Follow one of the [access guides](../access-guides/access-guides.mdx) to configure an output that meets your access needs. In order to adjust the access guides to work well with Kubernetes, use the @@ -357,7 +357,7 @@ spec: ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/deployment/linux.mdx b/docs/pages/enroll-resources/machine-id/deployment/linux.mdx index 86f97ac6a04de..8f75891322ff3 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/linux.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/linux.mdx @@ -112,7 +112,7 @@ $ sudo chown teleport:teleport /var/lib/teleport/bot ## Next steps -- Follow the [access guides](../access-guides.mdx) to finish configuring `tbot` for +- Follow the [access guides](../access-guides/access-guides.mdx) to finish configuring `tbot` for your environment. - Read the [configuration reference](../../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/getting-started.mdx b/docs/pages/enroll-resources/machine-id/getting-started.mdx index 6ae666a074f2b..131c97edbbceb 100644 --- a/docs/pages/enroll-resources/machine-id/getting-started.mdx +++ b/docs/pages/enroll-resources/machine-id/getting-started.mdx 
@@ -15,7 +15,7 @@ Here's an overview of what you will do: This guide covers configuring Machine ID for development and learning purposes. For a production-ready configuration of Machine ID, visit the [Deploying Machine -ID](./deployment.mdx) guides. +ID](deployment/deployment.mdx) guides. ## Prerequisites @@ -300,9 +300,9 @@ and controlled with all the familiar Teleport access controls. - Read the [architecture overview](../../reference/architecture/machine-id-architecture.mdx) to learn about how Machine ID works in more detail. -- Check out the [deployment guides](./deployment.mdx) to learn about +- Check out the [deployment guides](deployment/deployment.mdx) to learn about configuring `tbot` in a production-ready way for your platform. -- Check out the [access guides](./access-guides.mdx) to learn about configuring +- Check out the [access guides](access-guides/access-guides.mdx) to learn about configuring `tbot` for different use cases than SSH. - Read the [configuration reference](../../reference/machine-id/configuration.mdx) to explore all the available configuration options. diff --git a/docs/pages/enroll-resources/machine-id/introduction.mdx b/docs/pages/enroll-resources/machine-id/introduction.mdx index 010f60bae65aa..734159446437c 100644 --- a/docs/pages/enroll-resources/machine-id/introduction.mdx +++ b/docs/pages/enroll-resources/machine-id/introduction.mdx 
@@ -73,9 +73,9 @@ For a quickstart non-production introduction to Machine ID, read the Production-ready guidance on deploying Machine ID is broken out into two parts: -- [Deploying Machine ID](./deployment.mdx): How to install and configure +- [Deploying Machine ID](deployment/deployment.mdx): How to install and configure Machine ID for a specific platform. -- [Access your Infrastructure with Machine ID](./access-guides.mdx): How to use Machine ID to access +- [Access your Infrastructure with Machine ID](access-guides/access-guides.mdx): How to use Machine ID to access Teleport and Teleport resources. ## Further reading diff --git a/docs/pages/enroll-resources/server-access/getting-started.mdx b/docs/pages/enroll-resources/server-access/getting-started.mdx index 139813b29b00f..669be0463eb53 100644 --- a/docs/pages/enroll-resources/server-access/getting-started.mdx +++ b/docs/pages/enroll-resources/server-access/getting-started.mdx @@ -392,7 +392,7 @@ further Getting Started exercises. - While this guide shows you how to create a local user in order to access a server, you can also enable Teleport users to authenticate through a single sign-on provider. Read the - [documentation](../../admin-guides/access-controls/sso.mdx) to learn more. + [documentation](../../admin-guides/access-controls/sso/sso.mdx) to learn more. - Learn more about Teleport `tsh` through the [reference documentation](../../reference/cli/tsh.mdx#tsh-ssh). - Learn more about [Teleport servers](../../reference/architecture/nodes.mdx) - For a complete list of ports used by Teleport, read the [Networking Guide](../../reference/networking.mdx). diff --git a/docs/pages/enroll-resources/server-access/guides.mdx b/docs/pages/enroll-resources/server-access/guides.mdx deleted file mode 100644 index 18a3fbf80ffae..0000000000000 --- a/docs/pages/enroll-resources/server-access/guides.mdx +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -title: Server Access Guides -description: Teleport server access guides. -layout: tocless-doc ---- - -- [Using Teleport with PAM](./guides/ssh-pam.mdx): How to configure Teleport SSH with PAM (Pluggable Authentication Modules). -- [Agentless OpenSSH Integration](guides/openssh/openssh-agentless.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`. -- [Agentless OpenSSH Integration (Manual Installation)](./guides/openssh/openssh-manual-install.mdx): How to use Teleport in agentless mode - on systems with OpenSSH and `sshd` that can't run `teleport`. -- [Recording Proxy Mode](./guides/recording-proxy-mode.mdx): How to use Teleport Recording Proxy Mode to capture activity on OpenSSH servers. -- [BPF Session Recording](./guides/bpf-session-recording.mdx): How to use BPF to record SSH session commands, modified files and network connections. -- [Restricted Session](./guides/restricted-session.mdx): How to configure and use Restricted Session to apply security policies to SSH sessions. -- [Visual Studio Code](./guides/vscode.mdx): How to remotely develop with Visual Studio Code and Teleport. -- [JetBrains SFTP](./guides/jetbrains-sftp.mdx): How to use a JetBrains IDE to access SFTP with Teleport. -- [Host User Creation](./guides/host-user-creation.mdx): How to configure Teleport to automatically create transient host users. -- [Linux Auditing System](./guides/auditd.mdx): How to integrate Teleport with the Linux Auditing System (auditd). -- [EC2 Instance Discovery](./guides/ec2-discovery.mdx): How to configure Teleport to automatically enroll EC2 instances. -- [Azure Instance Discovery](./guides/azure-discovery.mdx): How to configure Teleport to automatically enroll Azure virtual machines. -- [GCP Instance Discovery](./guides/gcp-discovery.mdx): How to configure Teleport to automatically enroll GCP instances. -- [Using Teleport with Ansible](./guides/ansible.mdx): How to use Ansible with - Teleport-issued SSH credentials. 
diff --git a/docs/pages/enroll-resources/server-access/guides/guides.mdx b/docs/pages/enroll-resources/server-access/guides/guides.mdx new file mode 100644 index 0000000000000..53e2cb4c8ed33 --- /dev/null +++ b/docs/pages/enroll-resources/server-access/guides/guides.mdx 
@@ -0,0 +1,22 @@ +--- +title: Server Access Guides +description: Teleport server access guides. +layout: tocless-doc +--- + +- [Using Teleport with PAM](ssh-pam.mdx): How to configure Teleport SSH with PAM (Pluggable Authentication Modules). +- [Agentless OpenSSH Integration](openssh/openssh-agentless.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`. +- [Agentless OpenSSH Integration (Manual Installation)](openssh/openssh-manual-install.mdx): How to use Teleport in agentless mode + on systems with OpenSSH and `sshd` that can't run `teleport`. +- [Recording Proxy Mode](recording-proxy-mode.mdx): How to use Teleport Recording Proxy Mode to capture activity on OpenSSH servers. +- [BPF Session Recording](bpf-session-recording.mdx): How to use BPF to record SSH session commands, modified files and network connections. +- [Restricted Session](restricted-session.mdx): How to configure and use Restricted Session to apply security policies to SSH sessions. +- [Visual Studio Code](vscode.mdx): How to remotely develop with Visual Studio Code and Teleport. +- [JetBrains SFTP](jetbrains-sftp.mdx): How to use a JetBrains IDE to access SFTP with Teleport. +- [Host User Creation](host-user-creation.mdx): How to configure Teleport to automatically create transient host users. +- [Linux Auditing System](auditd.mdx): How to integrate Teleport with the Linux Auditing System (auditd). +- [EC2 Instance Discovery](ec2-discovery.mdx): How to configure Teleport to automatically enroll EC2 instances. +- [Azure Instance Discovery](azure-discovery.mdx): How to configure Teleport to automatically enroll Azure virtual machines. +- [GCP Instance Discovery](gcp-discovery.mdx): How to configure Teleport to automatically enroll GCP instances. +- [Using Teleport with Ansible](ansible.mdx): How to use Ansible with + Teleport-issued SSH credentials. 
diff --git a/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx b/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx index 73778804ca847..8ecb5c2cad0cf 100644 --- a/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx +++ b/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx @@ -237,4 +237,4 @@ them to the `teleport-keep` group directly on the hosts you wish to migrate. ## Next steps -- Configure automatic user provisioning for [database access](../../database-access/auto-user-provisioning.mdx). +- Configure automatic user provisioning for [database access](../../../index.mdx). diff --git a/docs/pages/enroll-resources/server-access/guides/jetbrains-sftp.mdx b/docs/pages/enroll-resources/server-access/guides/jetbrains-sftp.mdx index a29b79c275ad8..604bb625cd406 100644 --- a/docs/pages/enroll-resources/server-access/guides/jetbrains-sftp.mdx +++ b/docs/pages/enroll-resources/server-access/guides/jetbrains-sftp.mdx @@ -66,8 +66,6 @@ $ ssh user@[server name].[cluster name] Include the port number for OpenSSH servers, by default `22`, or you can experience an error. - See the [OpenSSH guide](./openssh.mdx) for more information. - Example connecting to a OpenSSH server: ```code $ ssh -p 22 user@[server name].[cluster name] @@ -128,7 +126,7 @@ After closing the SSH configuration window, you should see `Remote Host` menu in ### Using OpenSSH clients This guide makes use of `tsh config`; refer to the -[dedicated guide](./openssh.mdx) for additional information. +[dedicated guide](openssh/openssh.mdx) for additional information. ## Further reading - [JetBrains - Create a remote server configuration](https://www.jetbrains.com/help/idea/creating-a-remote-server-configuration.html#overload) diff --git a/docs/pages/enroll-resources/server-access/guides/openssh.mdx b/docs/pages/enroll-resources/server-access/guides/openssh.mdx deleted file mode 100644 index e7632cfd9b097..0000000000000 
--- a/docs/pages/enroll-resources/server-access/guides/openssh.mdx +++ /dev/null @@ -1,9 +0,0 @@ ---- -title: OpenSSH Guides -description: Teleport Agentless OpenSSH integration guides. -layout: tocless-doc ---- - -- [Agentless OpenSSH Integration](openssh/openssh-agentless.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`. -- [Agentless OpenSSH Integration (Manual Installation)](./openssh/openssh-manual-install.mdx): How to use Teleport in agentless mode - on systems with OpenSSH and `sshd` that can't run `teleport`. diff --git a/docs/pages/enroll-resources/server-access/guides/openssh/openssh.mdx b/docs/pages/enroll-resources/server-access/guides/openssh/openssh.mdx new file mode 100644 index 0000000000000..2af40693b1fc5 --- /dev/null +++ b/docs/pages/enroll-resources/server-access/guides/openssh/openssh.mdx @@ -0,0 +1,9 @@ +--- +title: OpenSSH Guides +description: Teleport Agentless OpenSSH integration guides. +layout: tocless-doc +--- + +- [Agentless OpenSSH Integration](openssh-agentless.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`. +- [Agentless OpenSSH Integration (Manual Installation)](openssh-manual-install.mdx): How to use Teleport in agentless mode + on systems with OpenSSH and `sshd` that can't run `teleport`. diff --git a/docs/pages/enroll-resources/server-access/guides/vscode.mdx b/docs/pages/enroll-resources/server-access/guides/vscode.mdx index ae8d33e1d975f..78d13787d754a 100644 --- a/docs/pages/enroll-resources/server-access/guides/vscode.mdx +++ b/docs/pages/enroll-resources/server-access/guides/vscode.mdx 
@@ -151,14 +151,14 @@ The Window Indicator in the bottom left highlights the currently connected remot It's possible to remotely develop on any OpenSSH host joined to a Teleport cluster so long as its host OS is supported by VS Code. Refer to the -[OpenSSH guide](./openssh.mdx) to configure the remote host to authenticate via +[OpenSSH guide](openssh/openssh.mdx) to configure the remote host to authenticate via Teleport certificates, after which the procedure outlined above can be used to connect to the host in VS Code. ### Using OpenSSH clients This guide makes use of `tsh config`; refer to the -[dedicated guide](./openssh.mdx) for additional information. +[dedicated guide](openssh/openssh.mdx) for additional information. ## Further reading - [VS Code Remote Development](https://code.visualstudio.com/docs/remote/remote-overview) diff --git a/docs/pages/enroll-resources/server-access/introduction.mdx b/docs/pages/enroll-resources/server-access/introduction.mdx index a0cef2b718d9b..d40557c143100 100644 --- a/docs/pages/enroll-resources/server-access/introduction.mdx +++ b/docs/pages/enroll-resources/server-access/introduction.mdx 
@@ -25,7 +25,7 @@ Teleport server access is designed for the following kinds of scenarios: ## Guides - [Using Teleport with PAM](./guides/ssh-pam.mdx): How to configure Teleport SSH with PAM (Pluggable Authentication Modules). -- [Agentless OpenSSH Integration](./guides/openssh.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`. +- [Agentless OpenSSH Integration](./guides/openssh/openssh.mdx): How to use Teleport in agentless mode on systems with OpenSSH and `sshd`. - [Recording Proxy Mode](./guides/recording-proxy-mode.mdx): How to use Teleport Recording Proxy Mode to capture activity on OpenSSH servers. - [BPF Session Recording](./guides/bpf-session-recording.mdx): How to use BPF to record SSH session commands, modified files and network connections. - [Restricted Session](./guides/restricted-session.mdx): How to configure and use Restricted Session to apply security policies to SSH sessions. diff --git a/docs/pages/enroll-resources/server-access/rbac.mdx b/docs/pages/enroll-resources/server-access/rbac.mdx index 34e21fbfd4daa..31f07b562ae36 100644 --- a/docs/pages/enroll-resources/server-access/rbac.mdx +++ b/docs/pages/enroll-resources/server-access/rbac.mdx @@ -71,7 +71,7 @@ spec: Similar to role fields for accessing other resources in Teleport, server-related fields support template variables. -Variables with the format `{{external.xyz}}` are replaced with values from external [SSO](../../admin-guides/access-controls/sso.mdx) +Variables with the format `{{external.xyz}}` are replaced with values from external [SSO](../../admin-guides/access-controls/sso/sso.mdx) providers. For OIDC logins, `{{external.xyz}}` refers to the "xyz" claim; for SAML logins, `{{external.xyz}}` refers to the "xyz" assertion. diff --git a/docs/pages/faq.mdx b/docs/pages/faq.mdx index 85f422346e383..a99f40ced1c87 100644 --- a/docs/pages/faq.mdx +++ b/docs/pages/faq.mdx 
@@ -29,7 +29,7 @@ functionality without a net addition of an agent on your system. ## Can I use OpenSSH with a Teleport cluster? Yes, this question comes up often and is related to the previous one. Take a -look at [Using OpenSSH Guide](./enroll-resources/server-access/guides/openssh.mdx). +look at [Using OpenSSH Guide](index.mdx). ## Can I connect to nodes behind a firewall? diff --git a/docs/pages/includes/database-access/aws-auto-discovery-prerequisite.mdx b/docs/pages/includes/database-access/aws-auto-discovery-prerequisite.mdx index f964e69e993d8..d0b7e86b8d9f5 100644 --- a/docs/pages/includes/database-access/aws-auto-discovery-prerequisite.mdx +++ b/docs/pages/includes/database-access/aws-auto-discovery-prerequisite.mdx @@ -1,3 +1,2 @@ A running Teleport Discovery Service if you plan to use [Database -Auto-Discovery](./../../enroll-resources/database-access/guides/aws-discovery.mdx). - +Auto-Discovery](../../enroll-resources/database-access/guides/aws-discovery.mdx). diff --git a/docs/pages/includes/database-access/create-user.mdx b/docs/pages/includes/database-access/create-user.mdx index 3f2cf60989bcb..9ea550c3cff8a 100644 --- a/docs/pages/includes/database-access/create-user.mdx +++ b/docs/pages/includes/database-access/create-user.mdx @@ -1,6 +1,6 @@ -To modify an existing user to provide access to the Database Service, see [Database Access Access Controls](../../enroll-resources/database-access/rbac.mdx) +To modify an existing user to provide access to the Database Service, see [Database Access Access Controls](../../enroll-resources/database-access/rbac/rbac.mdx) @@ -40,4 +40,4 @@ $ tctl users add \ For more detailed information about database access controls and how to restrict -access see [RBAC](../../enroll-resources/database-access/rbac.mdx) documentation. +access see [RBAC](../../enroll-resources/database-access/rbac/rbac.mdx) documentation. 
diff --git a/docs/pages/includes/database-access/db-introduction.mdx b/docs/pages/includes/database-access/db-introduction.mdx index a85170658cdda..b7c55d905a1ee 100644 --- a/docs/pages/includes/database-access/db-introduction.mdx +++ b/docs/pages/includes/database-access/db-introduction.mdx @@ -1,6 +1,6 @@ Teleport can provide secure access to {{ dbName }} via the [Teleport Database Service](../../enroll-resources/database-access/database-access.mdx). This allows for -fine-grained access control through [Teleport's RBAC](../../enroll-resources/database-access/rbac.mdx). +fine-grained access control through [Teleport's RBAC](../../enroll-resources/database-access/rbac/rbac.mdx). In this guide, you will: diff --git a/docs/pages/includes/database-access/guides-next-steps.mdx b/docs/pages/includes/database-access/guides-next-steps.mdx index cf274a8296cd6..4a14a11079497 100644 --- a/docs/pages/includes/database-access/guides-next-steps.mdx +++ b/docs/pages/includes/database-access/guides-next-steps.mdx @@ -1,5 +1,5 @@ {/* lint ignore list-item-spacing remark-lint */} -- Learn how to [restrict access](../../enroll-resources/database-access/rbac.mdx) to certain users and databases. +- Learn how to [restrict access](../../enroll-resources/database-access/rbac/rbac.mdx) to certain users and databases. {/* lint ignore list-item-spacing remark-lint */} - Learn more about [dynamic database registration](../../enroll-resources/database-access/guides/dynamic-registration.mdx). diff --git a/docs/pages/includes/edition-comparison.mdx b/docs/pages/includes/edition-comparison.mdx index 9ad0f72662085..4e2c57600b491 100644 --- a/docs/pages/includes/edition-comparison.mdx +++ b/docs/pages/includes/edition-comparison.mdx 
@@ -6,7 +6,7 @@ |[Hardware Key Support](../admin-guides/access-controls/guides/hardware-key-support.mdx)|✖|✔|✔| |[Moderated Sessions](../admin-guides/access-controls/guides/moderated-sessions.mdx)|✖|✔|✔| |[Role-Based Access Control](../admin-guides/access-controls/guides/role-templates.mdx)|✔|✔|✔| -|[Single Sign-On](../admin-guides/access-controls/sso.mdx)|GitHub|GitHub, Google Workspace, OIDC, SAML, Teleport|GitHub, Google Workspace, OIDC, SAML, Teleport| +|[Single Sign-On](../admin-guides/access-controls/sso/sso.mdx)|GitHub|GitHub, Google Workspace, OIDC, SAML, Teleport|GitHub, Google Workspace, OIDC, SAML, Teleport| ### Audit logging and session recording @@ -33,8 +33,7 @@ _Available as an add-on to Teleport Enterprise_ ||Community Edition|Enterprise|Cloud| |---|---|---|---| -|Access Monitoring & Response|✖|✔|✔| -|[Access Lists & Access Reviews](../admin-guides/access-controls/access-lists.mdx)|✖|✔|✔| +|[Access Lists & Access Reviews](../admin-guides/access-controls/access-lists/access-lists.mdx)|✖|✔|✔| |[Device Trust](../admin-guides/access-controls/device-trust/guide.mdx)|✖|✔|✔| |[Endpoint Management: Jamf](../admin-guides/access-controls/device-trust/jamf-integration.mdx)|✖|✔|✔| |[JIT Access Requests](../admin-guides/access-controls/guides/dual-authz.mdx)|Limited|✔|✔| diff --git a/docs/pages/includes/machine-id/configure-outputs.mdx b/docs/pages/includes/machine-id/configure-outputs.mdx index 9020f2b367b25..b002290094ddc 100644 --- a/docs/pages/includes/machine-id/configure-outputs.mdx +++ b/docs/pages/includes/machine-id/configure-outputs.mdx 
@@ -2,5 +2,6 @@ You have now prepared the base configuration for `tbot`. At this point, it identifies itself to the Teleport cluster and renews its own credentials but does not output any credentials for other applications to use. -Follow one of the [access guides](../../enroll-resources/machine-id/access-guides.mdx) to configure an output -that meets your access needs. \ No newline at end of file +Follow one of the [access +guides](../../enroll-resources/machine-id/access-guides/access-guides.mdx) to +configure an output that meets your access needs. diff --git a/docs/pages/includes/machine-id/plugin-prerequisites.mdx b/docs/pages/includes/machine-id/plugin-prerequisites.mdx index 88b6390ae2b68..22d43626da035 100644 --- a/docs/pages/includes/machine-id/plugin-prerequisites.mdx +++ b/docs/pages/includes/machine-id/plugin-prerequisites.mdx @@ -1,6 +1,5 @@ **Recommended:** Configure Machine ID to provide short-lived Teleport credentials to the plugin. Before following this guide, follow a Machine ID -[deployment guide](../../enroll-resources/machine-id/deployment.mdx) to run the `tbot` binary on -your infrastructure. - +[deployment guide](../../enroll-resources/machine-id/deployment/deployment.mdx) +to run the `tbot` binary on your infrastructure. diff --git a/docs/pages/index.mdx b/docs/pages/index.mdx index bdd32740d8d36..a3d9cbe09af35 100644 --- a/docs/pages/index.mdx +++ b/docs/pages/index.mdx 
@@ -60,7 +60,7 @@ Get started with Teleport Access: - [Set up passwordless authentication](admin-guides/access-controls/guides/passwordless.mdx) to enable users to access resources with hardware keys, including biometric credentials like Touch ID and YubiKey Bio. -- [Integrate your Single Sign-On provider](admin-guides/access-controls/sso.mdx): Allow users +- [Integrate your Single Sign-On provider](admin-guides/access-controls/sso/sso.mdx): Allow users to access infrastructure resources with IdPs like Okta. - [Use Teleport as an identity provider](admin-guides/access-controls/idps/saml-guide.mdx) to authenticate to external services. @@ -84,12 +84,12 @@ restrictions and potential security breaches. Get started with Teleport Identity: -- [Access Requests](admin-guides/access-controls/access-requests.mdx): Temporarily +- [Access Requests](admin-guides/access-controls/access-requests/access-requests.mdx): Temporarily provision minimal privileges to complete a task. -- [Access Lists](admin-guides/access-controls/access-lists.mdx): Regularly audit and +- [Access Lists](admin-guides/access-controls/access-lists/access-lists.mdx): Regularly audit and control membership to specific roles and traits, which then tie easily back into Teleport's existing RBAC system. -- [Device Trust](admin-guides/access-controls/device-trust.mdx): Require an up-to-date, +- [Device Trust](admin-guides/access-controls/device-trust/device-trust.mdx): Require an up-to-date, registered device for each authentication by giving every device a cryptographic identity. - [Session & Identity Locks](admin-guides/access-controls/guides/locking.mdx): Lock diff --git a/docs/pages/installation.mdx b/docs/pages/installation.mdx index daec8197f9595..bcc9ce212b229 100644 --- a/docs/pages/installation.mdx +++ b/docs/pages/installation.mdx 
@@ -20,7 +20,7 @@ version as the cluster they are connecting to. Teleport servers are compatible with clients that are on the same major version or one major version older. Teleport servers do not support clients that are on a newer major version. -See our [Upgrading](./upgrading.mdx) guide for more information. +See our [Upgrading](upgrading/upgrading.mdx) guide for more information. ## Operating system support @@ -467,7 +467,7 @@ chart. and `tctl` you run on your local machine are compatible with the versions you run on your infrastructure. Homebrew usually ships the latest release of Teleport, which may be incompatible with older versions. See our - [compatibility policy](upgrading.mdx) for details. + [compatibility policy](upgrading/upgrading.mdx) for details. To verify versions, log in to your cluster and compare the output of `tctl status` against `tsh version` and `tctl version`. diff --git a/docs/pages/reference/access-controls/access-lists.mdx b/docs/pages/reference/access-controls/access-lists.mdx index 560505b10501e..e36b2c143bf3e 100644 --- a/docs/pages/reference/access-controls/access-lists.mdx +++ b/docs/pages/reference/access-controls/access-lists.mdx @@ -139,4 +139,4 @@ above) and run `tctl create `. Access Lists can be updated by using `t `tctl` also supports a subset of Access List focused commands under the `tctl acl` subcommand. Through these you can list Access Lists, get information about a particular Access Lists, and manage Access List users. To see more details, run `tctl acl --help`. More detail can be seen in the -[CLI Reference](../../reference/cli.mdx). +[CLI Reference](../cli/cli.mdx). diff --git a/docs/pages/reference/access-controls/roles.mdx b/docs/pages/reference/access-controls/roles.mdx index 48737637e5552..c0b2b6ee11f51 100644 --- a/docs/pages/reference/access-controls/roles.mdx +++ b/docs/pages/reference/access-controls/roles.mdx 
@@ -22,7 +22,7 @@ resources: - [Custom API clients](../../admin-guides/api/rbac.mdx) To read more about managing dynamic resources, see the [Dynamic -Resources](../../admin-guides/infrastructure-as-code.mdx) guide. +Resources](../../admin-guides/infrastructure-as-code/infrastructure-as-code.mdx) guide. You can view all roles in your cluster on your local workstation by running the following commands: @@ -70,7 +70,7 @@ user: | `pin_source_ip` | Enable source IP pinning for SSH certificates. | Logical "OR" i.e. evaluates to "yes" if at least one role requires session termination | | `cert_extensions` | Specifies extensions to be included in SSH certificates | | | `create_host_user_mode` | Allow users to be automatically created on a host | Logical "AND" i.e. if all roles matching a server specify host user creation (`off`, `drop`, `keep`), it will evaluate to the option specified by all of the roles. If some roles specify both `drop` or `keep` it will evaluate to `keep`| -| `create_db_user_mode` | Allow [database user auto provisioning](../../enroll-resources/database-access/auto-user-provisioning.mdx). Options: `off` (disable database user auto-provisioning), `keep` (disables the user at session end, removing the roles and locking it), and `best_effort_drop` (try to drop the user at session end, if it doesn't succeed, fallback to disabling it). | Logical "OR" i.e. if any role allows database user auto-provisioning, it's allowed | +| `create_db_user_mode` | Allow database user auto provisioning. Options: `off` (disable database user auto-provisioning), `keep` (disables the user at session end, removing the roles and locking it), and `best_effort_drop` (try to drop the user at session end, if it doesn't succeed, fallback to disabling it). | Logical "OR" i.e. if any role allows database user auto-provisioning, it's allowed | ## Preset roles 
@@ -438,7 +438,7 @@ Labels for resources enrolled with Teleport: |---|---| |`app_labels`|[Applications](../../enroll-resources/application-access/controls.mdx)| |`cluster_labels`|[Trusted Clusters](../../admin-guides/management/admin/trustedclusters.mdx)| -|`db_labels`|[Databases](../../enroll-resources/database-access/rbac.mdx)| +|`db_labels`|[Databases](../../enroll-resources/database-access/rbac/rbac.mdx)| |`db_service_labels`|[Database Service](../../enroll-resources/database-access/database-access.mdx) instances| |`kubernetes_labels`|[Kubernetes clusters](../../enroll-resources/kubernetes-access/controls.mdx)| |`node_labels`|[SSH Servers](../../enroll-resources/server-access/server-access.mdx)| diff --git a/docs/pages/reference/agent-services/database-access-reference/cli.mdx b/docs/pages/reference/agent-services/database-access-reference/cli.mdx index 94c68b36c6246..0f8781b0b1cc3 100644 --- a/docs/pages/reference/agent-services/database-access-reference/cli.mdx +++ b/docs/pages/reference/agent-services/database-access-reference/cli.mdx @@ -282,7 +282,7 @@ Lists available databases and their connection information. $ tsh db ls ``` -Displays only the databases a user has access to (see [RBAC](../../../enroll-resources/database-access/rbac.mdx)). +Displays only the databases a user has access to (see [RBAC](../../../enroll-resources/database-access/rbac/rbac.mdx)). ## tsh db login diff --git a/docs/pages/reference/architecture/agent-update-management.mdx b/docs/pages/reference/architecture/agent-update-management.mdx index 8c8c3ee1c7508..5234b43235811 100644 --- a/docs/pages/reference/architecture/agent-update-management.mdx +++ b/docs/pages/reference/architecture/agent-update-management.mdx 
@@ -56,7 +56,7 @@ The agent version is subject to the following constraints: The best practice is to always align the agent version with the Proxy and Auth ones. To upgrade Auth and Proxy, follow [the Teleport Cluster upgrade guide -](../../upgrading.mdx). +](../../upgrading/upgrading.mdx). For this reason, all updaters must subscribe to a release channel targeting versions that are compatible with their Teleport cluster. Teleport Cloud users @@ -90,6 +90,5 @@ ensure every agent is healthy and running the correct version. Self-hosted users must first [set up self-hosted automatic agent upgrades ](../../upgrading/self-hosted-automatic-agent-updates.mdx). -After that, you can set enroll agents in automatic upgrades as part of the -[upgrading procedure](../../upgrading.mdx). - +After that, you can set enroll agents in automatic updates as part of the +[upgrading procedure](../../upgrading/upgrading.mdx). diff --git a/docs/pages/reference/architecture/api-architecture.mdx b/docs/pages/reference/architecture/api-architecture.mdx index 7ebb9bba6541c..c02c311a7d51e 100644 --- a/docs/pages/reference/architecture/api-architecture.mdx +++ b/docs/pages/reference/architecture/api-architecture.mdx @@ -53,7 +53,7 @@ The Teleport Go client requires credentials in order to authenticate with a Teleport cluster. Credentials are created by using Credential loaders, which gather certificates -and data generated by [Teleport CLIs](../cli.mdx). +and data generated by [Teleport CLIs](../cli/cli.mdx). Since there are several Credential loaders to choose from with distinct benefits, here's a quick breakdown: diff --git a/docs/pages/reference/architecture/architecture.mdx b/docs/pages/reference/architecture/architecture.mdx index 965b65ac25524..ebbae3df3961e 100644 --- a/docs/pages/reference/architecture/architecture.mdx +++ b/docs/pages/reference/architecture/architecture.mdx 
@@ -83,7 +83,7 @@ deny access to a resource. Agents must establish trust with the Teleport Auth Service when first joining a cluster, and there is are [variety of -methods](../../enroll-resources/agents/join-services-to-your-cluster.mdx) that +methods](../../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx) that Agents use for this. Read about the architecture of Teleport Agent features: @@ -109,7 +109,7 @@ Instances of the `tbot` binary communicate with the Teleport Auth Service to continuously refresh credentials. As with Agents, administrators must deploy `tbot` instances on their own infrastructure, including on CI/CD platforms such as GitHub Actions, and [join -them](../../enroll-resources/machine-id/deployment.mdx) to a cluster. +them](../../enroll-resources/machine-id/deployment/deployment.mdx) to a cluster. Read more about [Machine ID Architecture](machine-id-architecture.mdx). diff --git a/docs/pages/reference/architecture/authorization.mdx b/docs/pages/reference/architecture/authorization.mdx index 9f11b2dcf969a..cf2a96a1f359e 100644 --- a/docs/pages/reference/architecture/authorization.mdx +++ b/docs/pages/reference/architecture/authorization.mdx @@ -52,7 +52,7 @@ that this cluster trusts. In this case, Teleport activates [trusted cluster mapp Local interactive users have a record in Teleport's backend with credentials. A cluster administrator have to create account entries for every Teleport user with -[`tctl users add`](../cli.mdx) or API call. +[`tctl users add`](../cli/cli.mdx) or API call. Every local Teleport User must be associated with a list of one or more roles. This list is called "role mappings". 
@@ -394,7 +394,7 @@ spec: - [Access Control Reference](../access-controls/roles.mdx). - [Teleport Predicate Language](../predicate-language.mdx). -- [Access Requests Guides](../../admin-guides/access-controls/access-requests.mdx) +- [Access Requests Guides](../../admin-guides/access-controls/access-requests/access-requests.mdx) - [Architecture Overview](../../core-concepts.mdx) - [Teleport Auth](authentication.mdx) - [Teleport Nodes](nodes.mdx) diff --git a/docs/pages/reference/architecture/nodes.mdx b/docs/pages/reference/architecture/nodes.mdx index 1ba38ef624de6..3da39b4d11028 100644 --- a/docs/pages/reference/architecture/nodes.mdx +++ b/docs/pages/reference/architecture/nodes.mdx @@ -17,7 +17,7 @@ Here is why we recommend Teleport Node service instead of OpenSSH: Just like with OpenSSH, the `node` service provides SSH access to every node with any clients supporting client SSH certificates: -- [OpenSSH: `ssh`](../../enroll-resources/server-access/guides/openssh.mdx) +- [OpenSSH: `ssh`](../../enroll-resources/server-access/guides/openssh/openssh.mdx) - [Teleport CLI client: `tsh ssh`](../cli/tsh.mdx) - [Teleport Proxy UI](./proxy.mdx) accessed via a web browser. - Ansible and other SSH compatible clients. diff --git a/docs/pages/reference/architecture/tls-routing.mdx b/docs/pages/reference/architecture/tls-routing.mdx index 70d6cb24783ec..cb2410ece8e13 100644 --- a/docs/pages/reference/architecture/tls-routing.mdx +++ b/docs/pages/reference/architecture/tls-routing.mdx @@ -77,7 +77,7 @@ which can be used as a `ProxyCommand`. Similarly to `tsh ssh`, `tsh proxy ssh` establishes a TLS tunnel to Teleport proxy with `teleport-proxy-ssh` ALPN protocol, which `ssh` then connects over. -See the [OpenSSH client](../../enroll-resources/server-access/guides/openssh.mdx) guide for details on +See the [OpenSSH client](../../index.mdx) guide for details on how it's configured. ## Reverse tunnels 
diff --git a/docs/pages/reference/cli.mdx b/docs/pages/reference/cli/cli.mdx similarity index 79% rename from docs/pages/reference/cli.mdx rename to docs/pages/reference/cli/cli.mdx index 4a6960a7bdfef..68093e7bc6b9b 100644 --- a/docs/pages/reference/cli.mdx +++ b/docs/pages/reference/cli/cli.mdx @@ -6,10 +6,10 @@ description: Detailed guide and reference documentation for Teleport's command l Teleport is made up of four CLI tools. -- [teleport](./cli/teleport.mdx): Supports the Teleport Access Platform by starting and configuring various Teleport services. -- [tsh](./cli/tsh.mdx): Allows end users to authenticate to Teleport and access resources in a cluster. -- [tctl](./cli/tctl.mdx): Used to configure the Teleport Auth Service. -- [tbot](./cli/tbot.mdx): Supports Machine ID, which provides short lived credentials to service accounts (e.g, a CI/CD server). +- [teleport](teleport.mdx): Supports the Teleport Access Platform by starting and configuring various Teleport services. +- [tsh](tsh.mdx): Allows end users to authenticate to Teleport and access resources in a cluster. +- [tctl](tctl.mdx): Used to configure the Teleport Auth Service. +- [tbot](tbot.mdx): Supports Machine ID, which provides short lived credentials to service accounts (e.g, a CI/CD server). (!docs/pages/includes/permission-warning.mdx!) @@ -52,7 +52,7 @@ desktops, and Kubernetes clusters using the `--search` and `--query` flags. The `--search` flag performs a simple fuzzy search on resource fields. For example, `--search=mac` searches for resources containing `mac`. -The `--query` flag allows you to perform more sophisticated searches using a [predicate language](predicate-language.mdx#resource-filtering). +The `--query` flag allows you to perform more sophisticated searches using a [predicate language](../predicate-language.mdx). In both cases, you can further refine the results by appending a list of comma-separated labels to the command. For example: 
diff --git a/docs/pages/reference/cloud-faq.mdx b/docs/pages/reference/cloud-faq.mdx index 0eb5fa16c5c0d..8922728f96403 100644 --- a/docs/pages/reference/cloud-faq.mdx +++ b/docs/pages/reference/cloud-faq.mdx @@ -77,7 +77,7 @@ S3, are established using encryption provided by AWS, both at rest and in transi You can connect servers, Kubernetes clusters, databases, desktops, and applications using [reverse -tunnels](../enroll-resources/agents/join-services-to-your-cluster.mdx). +tunnels](../enroll-resources/agents/join-services-to-your-cluster/join-services-to-your-cluster.mdx). There is no need to open any ports on your infrastructure for inbound traffic. diff --git a/docs/pages/reference/helm-reference.mdx b/docs/pages/reference/helm-reference/helm-reference.mdx similarity index 60% rename from docs/pages/reference/helm-reference.mdx rename to docs/pages/reference/helm-reference/helm-reference.mdx index 1aece251ec4e6..9f4821b8c6b41 100644 --- a/docs/pages/reference/helm-reference.mdx +++ b/docs/pages/reference/helm-reference/helm-reference.mdx 
@@ -5,26 +5,26 @@ description: Comprehensive lists of configuration values in Teleport's Helm char layout: tocless-doc --- -- [teleport-cluster](./helm-reference/teleport-cluster.mdx): Deploy the +- [teleport-cluster](teleport-cluster.mdx): Deploy the `teleport` daemon on Kubernetes with preset configurations for the Auth and Proxy Services and support for any Teleport service configuration. -- [teleport-kube-agent](./helm-reference/teleport-kube-agent.mdx): Deploy the +- [teleport-kube-agent](teleport-kube-agent.mdx): Deploy the Teleport Kubernetes Service, Application Service, or Database Service on Kubernetes. -- [teleport-access-graph](./helm-reference/teleport-access-graph.mdx): Deploy the +- [teleport-access-graph](teleport-access-graph.mdx): Deploy the Teleport Access Graph service. -- [teleport-plugin-event-handler](./helm-reference/teleport-plugin-event-handler.mdx): +- [teleport-plugin-event-handler](teleport-plugin-event-handler.mdx): Deploy the Teleport Event Handler plugin which sends events and session logs to Fluentd. -- [teleport-plugin-jira](./helm-reference/teleport-plugin-jira.mdx): Deploy +- [teleport-plugin-jira](teleport-plugin-jira.mdx): Deploy the Teleport Jira Access Request Plugin, which allows approving of denying Access Requests via a Jira Project. -- [teleport-plugin-pagerduty](./helm-reference/teleport-plugin-pagerduty.mdx): +- [teleport-plugin-pagerduty](teleport-plugin-pagerduty.mdx): Deploy the Teleport PagerDuty Plugin, which allows sending PagerDuty alerts when Access Requests are made. -- [teleport-plugin-mattermost](./helm-reference/teleport-plugin-mattermost.mdx): +- [teleport-plugin-mattermost](teleport-plugin-mattermost.mdx): Deploy the Teleport Mattermost Access Request Plugin, which allows approving or denying Access Requests via Mattermost. 
-- [teleport-plugin-slack](./helm-reference/teleport-plugin-slack.mdx): Deploy +- [teleport-plugin-slack](teleport-plugin-slack.mdx): Deploy the Teleport Slack Plugin, which allows notifying Slack users and channels when Access Requests are made. diff --git a/docs/pages/reference/helm-reference/teleport-cluster.mdx b/docs/pages/reference/helm-reference/teleport-cluster.mdx index 56a3b5d6081ab..962e64582c9b1 100644 --- a/docs/pages/reference/helm-reference/teleport-cluster.mdx +++ b/docs/pages/reference/helm-reference/teleport-cluster.mdx @@ -256,7 +256,7 @@ Possible values are `local` and `github` for Teleport Community Edition, plus `o | `string` | `""` | No | `auth_service.authentication.connector_name` | `authentication.connectorName` sets the default authentication connector. -[The SSO documentation](../../admin-guides/access-controls/sso.mdx) explains how to create +[The SSO documentation](../../admin-guides/access-controls/sso/sso.mdx) explains how to create authentication connectors for common identity providers. In addition to SSO connector names, the following built-in connectors are supported: diff --git a/docs/pages/reference/helm-reference/teleport-kube-agent.mdx b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx index 9475c6f76c4da..b78c8124c14f1 100644 --- a/docs/pages/reference/helm-reference/teleport-kube-agent.mdx +++ b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx 
@@ -20,11 +20,11 @@ This reference details available values for the `teleport-kube-agent` chart. The `teleport-kube-agent` chart can run any or all of three Teleport services: -| Teleport service | Name for `roles` and `tctl tokens add` | Purpose | -|--------------------------------------------------------------|----------------------------------------|----------------------------------------------------------------------------------------| -| [`kubernetes_service`](../../enroll-resources/kubernetes-access/introduction.mdx) | `kube` | Uses Teleport to handle authentication
with and proxy access to a Kubernetes cluster | -| [`application_service`](../../enroll-resources/application-access/guides.mdx) | `app` | Uses Teleport to handle authentication
with and proxy access to web-based applications | -| [`database_service`](../../enroll-resources/database-access/guides.mdx) | `db` | Uses Teleport to handle authentication
with and proxy access to databases | +| Teleport service | Name for `roles` and `tctl tokens add` | Purpose | +|---------------------------------------------------------------------------|----------------------------------------|----------------------------------------------------------------------------------------------| +| [`kubernetes_service`](../../enroll-resources/kubernetes-access/introduction.mdx) | `kube` | Uses Teleport to handle authentication
with and proxy access to a Kubernetes cluster | +| [`application_service`](../../enroll-resources/application-access/guides/guides.mdx) | `app` | Uses Teleport to handle authentication
with and proxy access to web-based applications | +| [`database_service`](../../enroll-resources/database-access/guides/guides.mdx) | `db` | Uses Teleport to handle authentication
with and proxy access to databases | ### Legacy releases diff --git a/docs/pages/reference/monitoring/audit.mdx b/docs/pages/reference/monitoring/audit.mdx index d772f076a33ba..c547c3c91e717 100644 --- a/docs/pages/reference/monitoring/audit.mdx +++ b/docs/pages/reference/monitoring/audit.mdx @@ -127,7 +127,7 @@ Below are some possible types of audit events. This list is not comprehensive. We recommend exporting audit events to a platform that automatically parses event payloads so you can group and filter them by their `event` key and discover trends. To set up audit event exporting, -read [Exporting Teleport Audit Events](../../admin-guides/management/export-audit-events.mdx). +read [Exporting Teleport Audit Events](../../admin-guides/management/export-audit-events/export-audit-events.mdx). diff --git a/docs/pages/reference/predicate-language.mdx b/docs/pages/reference/predicate-language.mdx index 2da0ce3c7e110..921436f125519 100644 --- a/docs/pages/reference/predicate-language.mdx +++ b/docs/pages/reference/predicate-language.mdx @@ -72,7 +72,7 @@ The language also supports the following functions: | `split(labels["foo"], ",")` | converts a delimited string into a list | | `contains(split(labels["foo"], ","), "bar")` | determines if a value exists in a list | -See some [examples](cli.mdx#filter-examples) of the different ways you can filter resources. +See some [examples](cli/cli.mdx) of the different ways you can filter resources. ## Label expressions diff --git a/docs/pages/reference/resources.mdx b/docs/pages/reference/resources.mdx index 8c9b8a47b7e99..74c8c8830dc6e 100644 --- a/docs/pages/reference/resources.mdx +++ b/docs/pages/reference/resources.mdx 
@@ -6,7 +6,7 @@ description: Reference documentation for Teleport resources This reference guide lists dynamic resources you can manage with Teleport. For more information on dynamic resources, see our guide to [Using Dynamic -Resources](../admin-guides/infrastructure-as-code.mdx). +Resources](../admin-guides/infrastructure-as-code/infrastructure-as-code.mdx). Examples of applying dynamic resources with `tctl`: @@ -51,11 +51,11 @@ Here's the list of resources currently exposed via [`tctl`](./cli/tctl.mdx): | - | - | | [user](#user) | A user record in the internal Teleport user DB. | | [role](#role) | A role assumed by interactive and non-interactive users. | -| connector | Authentication connectors for [Single Sign-On](../admin-guides/access-controls/sso.mdx) (SSO) for SAML, OIDC and GitHub. | -| node | A registered SSH node. The same record is displayed via `tctl nodes ls` | +| connector | Authentication connectors for [Single Sign-On](../admin-guides/access-controls/sso/sso.mdx) (SSO) for SAML, OIDC and GitHub. | +| node | A registered SSH node. The same record is displayed via `tctl nodes ls`. | | windows_desktop | A registered Windows desktop. | | cluster | A trusted cluster. See [here](../admin-guides/management/admin/trustedclusters.mdx) for more details on connecting clusters together. | -| [login_rule](#login-rules) | A Login Rule, see the [Login Rules guide](../admin-guides/access-controls/login-rules.mdx) for more info. | +| [login_rule](#login-rules) | A Login Rule, see the [Login Rules guide](../admin-guides/access-controls/login-rules/login-rules.mdx) for more info. | | [device](#device) | A Teleport Trusted Device, see the [Device Trust guide](../admin-guides/access-controls/device-trust/guide.mdx) for more info. | | [ui_config](#ui-config) | Configuration for the Web UI served by the Proxy Service | | [cluster_auth_preference](#cluster-auth-preferences) | Configuration for the cluster's auth preferences. | 
diff --git a/docs/pages/upgrading/overview.mdx b/docs/pages/upgrading/overview.mdx index f6fd3c03e0740..0f229ba86f285 100644 --- a/docs/pages/upgrading/overview.mdx +++ b/docs/pages/upgrading/overview.mdx @@ -69,5 +69,5 @@ upgrade from v10 to v11. ## Next steps -Return to the [Upgrading Introduction](../upgrading.mdx) for how to upgrade +Return to the [Upgrading Introduction](upgrading.mdx) for how to upgrade individual components within your Teleport cluster. diff --git a/docs/pages/upgrading/self-hosted-automatic-agent-updates.mdx b/docs/pages/upgrading/self-hosted-automatic-agent-updates.mdx index 6bf84210e0900..14746f2b98554 100644 --- a/docs/pages/upgrading/self-hosted-automatic-agent-updates.mdx +++ b/docs/pages/upgrading/self-hosted-automatic-agent-updates.mdx @@ -10,7 +10,7 @@ clusters. Teleport agents run an **upgrader** that queries a **version server** to determine whether they are out of date. This guide describes how to set up your infrastructure to support automatic upgrades. If you are a Teleport Cloud user -or run a version server already, return to the [Upgrading](../upgrading.mdx) +or run a version server already, return to the [Upgrading](upgrading.mdx) menu for the appropriate next steps to upgrade Teleport. The [Automatic Update Architecture](../reference/architecture/agent-update-management.mdx) diff --git a/docs/pages/upgrading.mdx b/docs/pages/upgrading/upgrading.mdx similarity index 77% rename from docs/pages/upgrading.mdx rename to docs/pages/upgrading/upgrading.mdx index 45f8cdc811d23..aba4f806e069f 100644 --- a/docs/pages/upgrading.mdx +++ b/docs/pages/upgrading/upgrading.mdx 
@@ -13,7 +13,7 @@ Since Teleport is a distributed system with a number of services that run on potentially many hosts, you should take care when upgrading the cluster to ensure that all components remain compatible. -The [Upgrading Compatibility Overview](./upgrading/overview.mdx) explains how to +The [Upgrading Compatibility Overview](overview.mdx) explains how to upgrade components in your Teleport cluster to ensure that they communicate as expected. @@ -26,13 +26,13 @@ services: Teleport Cloud: -- [Linux Servers](./upgrading/cloud-linux.mdx) -- [Kubernetes](./upgrading/cloud-kubernetes.mdx) +- [Linux Servers](cloud-linux.mdx) +- [Kubernetes](cloud-kubernetes.mdx) Self-hosted deployments: -- [Linux Servers](./upgrading/self-hosted-linux.mdx) -- [Kubernetes](./upgrading/self-hosted-kubernetes.mdx) +- [Linux Servers](self-hosted-linux.mdx) +- [Kubernetes](self-hosted-kubernetes.mdx) ## Automatic agent upgrades @@ -43,6 +43,6 @@ and need to install a new version of Teleport. On Teleport Cloud, the version server is managed for you. If you are running Teleport Enterprise, read the [Self-Hosted Automatic Agent -Updates](./upgrading/self-hosted-automatic-agent-updates.mdx) guide to set up +Updates](self-hosted-automatic-agent-updates.mdx) guide to set up the version server yourself.
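Review bot: In `docs/pages/faq.mdx` (hunk `@@ -29,7 +29,7 @@`), the rewritten link `[Using OpenSSH Guide](index.mdx)` points the OpenSSH FAQ answer at the docs home page rather than at the moved guide. Elsewhere in this patch (`reference/architecture/nodes.mdx`) the same guide is linked as `enroll-resources/server-access/guides/openssh/openssh.mdx`, so this line should use `enroll-resources/server-access/guides/openssh/openssh.mdx` instead of `index.mdx`.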
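Review bot: In `docs/pages/reference/architecture/tls-routing.mdx` (hunk `@@ -77,7 +77,7 @@`), `[OpenSSH client](../../index.mdx)` has the same problem as the FAQ change: it now links to the site index instead of the OpenSSH guide. Use `../../enroll-resources/server-access/guides/openssh/openssh.mdx`, matching the path used in the `nodes.mdx` hunk of this patch.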
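Review bot: In `docs/pages/reference/cli/cli.mdx` (hunk `@@ -52,7 +52,7 @@`), the rewrite from `predicate-language.mdx#resource-filtering` to `../predicate-language.mdx` silently drops the `#resource-filtering` fragment, so readers land at the top of the page instead of the relevant section. Keep the anchor (`../predicate-language.mdx#resource-filtering`) unless that heading no longer exists, in which case the description should say so.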
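Review bot: In `docs/pages/reference/predicate-language.mdx` (hunk `@@ -72,7 +72,7 @@`), `cli.mdx#filter-examples` becomes `cli/cli.mdx`, losing the `#filter-examples` anchor; the sentence specifically promises "examples", so the link should be `cli/cli.mdx#filter-examples` if that section still exists on the moved page.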
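Review bot: In `docs/pages/reference/access-controls/roles.mdx` (hunk `@@ -70,7 +70,7 @@`), the `create_db_user_mode` row drops the link to `../../enroll-resources/database-access/auto-user-provisioning.mdx` entirely rather than pointing it at the page's new location. The commit message says internal links to moved pages were updated, not removed; if the page still exists, restore the link with its new path, otherwise note the removal in the description.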
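Review bot: In `docs/pages/includes/edition-comparison.mdx` (hunk `@@ -33,8 +33,7 @@`), deleting the `|Access Monitoring & Response|✖|✔|✔|` row is a content change, not a path fix, and the commit message does not mention it. Either split it into its own change or state in the description why the row is being removed from the edition comparison.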
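Review bot: In `docs/pages/reference/architecture/agent-update-management.mdx` (hunk `@@ -90,6 +90,5 @@`), the rewritten line still reads "you can set enroll agents in automatic updates"; since the line is being touched anyway, change it to "you can enroll agents in automatic updates".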
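Review bot: In `docs/pages/reference/architecture/architecture.mdx` (hunk `@@ -83,7 +83,7 @@`), the context line directly above the edited link reads "there is are [variety of methods]"; worth fixing to "there are a [variety of methods]" while this paragraph is being edited.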