[docs] - V16 config correction #43501
Closed
This PR completes the work introduced by #42157 to all usages of `ServerMetadata`. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Show real proxy hosts in VNet UI * Remove fake VNet connections from UI
* Remove unnecessary type casts in tshd events
  They are not needed after we switched to protobuf-ts.
* Add exhaustive checks for relogin reason and notification subject
* Make VNet service request a relogin from Electron app
* Handle relogin request in UI
* Handle notification about failure to proxy connection in UI
…cOS (#42310) * Change new terminal tab keyboard shortcut for macOS * Fix incorrect shortcuts for macOS
Co-authored-by: Gus Luxton <gus@goteleport.com>
* Add docs for web_idle_timeout * Remove leftovers from copying tabs from another page * Rephrase docs to target end users
Co-authored-by: Merbin Russel <merbin8300@gmail.com>
Co-authored-by: Gus Luxton <gus@goteleport.com>
* add Google Cloud Spanner integration docs
* spanner database-access guide
* update database config reference
* update GUI client docs with DBeaver and DataGrip instructions for Cloud Spanner
* use code to avoid hyperlinking example email
* Document Jamf API credentials support * Add "urlencode" to dictionary * Add `$` to code block commands
These recordings only contain session.start, session.end and session.leave events, all of which are already included in the audit log. Removing these recordings should produce no data loss but will greatly reduce the amount of work performed by the agents, the auth service, and storage costs. The only case where non-interactive sessions are still recording is when BPF is enabled. This is required, for now, because enhanced session recording can generate more events than the audit log has traditionally been able to ingest.
…rerequisites (#42172) (#42294)
* Remove integration name validation from web script
  Not used by the script. It is validated by the "plugins/validate" endpoint.
* Add required frontend constants for Entra ID
* Support Azure/Entra integrations in the list
* Add IsPolicyEnabled to web config
* Allow custom URL for ButtonLockedFeature
* Add CTA_ENTRA_ID event type
* Expose TAGInfoCache for use in e
* Add LackingIgs option
* Add Entra ID icon
* Add Entra ID plugin to storybook
* Bump e for dev build
* Return underlying error in getPrivateAPIToken
* Find default Azure subscription instead of the first one
* Require user to re-login when provisioning Azure OIDC
* Update prehog protos with Entra ID values
  From https://github.com/gravitational/cloud/pull/9111
* Suppress verbose warnings / information from az
* Add an additional message after successful auth
  Lets user know that `az login` has completed and `teleport` is continuing its work.
* Move EntraId constant to the bottom
* Revert unintended changes to usageevents
  CTA is 1-to-1 with prehog, but IntegrationEnrollKind is not.
* Remove integrationName validation asserts from test
  This parameter is no longer accepted by the endpoint
* Revert "Bump e for dev build"
  This reverts commit fc747a0.
* Refactor the Database Object Permissions guide
  Closes #41917
  Merge the Database Object Permissions guide into the Database Access RBAC guide for greater discoverability and a clearer division of labor between the two guides. This change also includes the following edits to make the refactor cleaner, since we can include each troubleshooting step as a separate H3 in the database object permissions H2:
  - Remove an unnecessary troubleshooting step: One step indicates that import rules are validated, which is unnecessary to document, since validation errors are self explanatory.
  - Instead of mentioning the admin user as a troubleshooting step, add a separate H3 for the admin user and describe the `admin_user` field, which was not mentioned in the original database object permissions guide.
* Respond to Tener feedback
  - Clarify the placing of the `admin_user` field
* Restore intro section
  Per Tener and r0mant feedback, integrate the introduction from the Database Access Controls page into the newly merged RBAC guide. Frame Database Access Controls as encompassing both databases and database objects.
* Respond to r0mant feedback
* Fix spelling
* Fix linter issues
This commit will "invalidate" #42200 as it now defaults to NONE instead of ALL. This will allow us to change the visual of the included resource filter. NONE and ALL still function the same from a backend perspective, and will return the same resources. But now, if NONE is selected, the filter shows nothing checked and if ALL is selected, all the options are checked and the filter indicator is present
…llment. (#42387) * Fix getting chart url for non standard releases during EKS enrollment. * Return url with JoinPath
These flags are part of the moderated sessions feature and are used to update the session tracker resource. As mentioned in the RFD, they were supposed to be added to `tsh kube exec` and `tsh ssh`. While `tsh kube exec` works as intended, for SSH we mistakenly added these flags to `tsh join`. As a result, these flags were effectively no-ops for SSH sessions. Additionally, the environment variable used to propagate session invite information was incorrectly named "JOIN_MODE", presumably due to a copy-paste error. This has been fixed, but we will continue to check the old env var for 1 major release to maintain backwards compatibility. Closes #42255
* instrument pgevents * fixup! instrument pgevents * namespace metrics + fix missing error handling * fixup! namespace metrics + fix missing error handling * cleanup -> batchDelete + reference * fix misspel
Session trackers were originally added to facilitate joining sessions and enforcing moderation policies. When a session is created, a new tracker is written to the backend and a background routine is spawned to periodically update the status of the tracker until the session is terminated. This can cause a massive amount of backend activity for a cluster that is spawning large quantities of sessions per second. While in most cases where humans are starting the sessions this isn't a problem, any machine id heavy use cases could trigger backend throttling. Since non-interactive sessions and sessions started by tbot are not meant to be joined or moderated, the existence of a session tracker for them doesn't provide much benefit, especially now that session recordings are disabled for non-interactive sessions. To prevent excess backend writes session trackers are no longer created for non-interactive and tbot sessions.
… location (#42390) * "Bot guided flow back button for first step correctly routes to previous loc" * Remove pointer events for existing or disabled integration tiles
* Document require-trusted-device limitations * Mention DEB or RPM Connect for Linux * Address review comments for require-trusted-device * Explain why the Connect tarball doesn't work
Backport #41545 to branch/v16
* Include BuildCommunity in built type checks
  This commit will add two new methods to the modules interface, IsEnterprise and IsOSS. This is to help alleviate any pain around the code base that used to look specifically for BuildOSS. Now that we have two "oss types" (oss and community), we can use these methods to do enterprise/oss checks, rather than specifically looking at the build type. This also will allow any future build types to not affect these checks again in the future.
* Update e
* use --format=text for discovery guide join token * generalize the tctl join token include * remove default tokenFile from partial * fix redshift serverless include
The `source` key in slog.Logger is a reserved key and should not be used because it causes a panic. This commit removes the `source` key from the logger. Note: We already enforce the forbidden keys as per #42049. However, our lint jobs currently only run on Ubuntu runners, while the code in question compiles for Darwin targets only. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
* Add custom DNS zone docs for VNet
* Link to VNet guide from web and TCP guides
* Add info about IPv4 CIDR range
* Add VNet config to resource reference
* Reword the first part of "How it works", use concrete example
* Move first uses of Var to Prerequisites
* Add dscacheutil instructions to end user docs
* Auth Server → Auth Service
* Mention HTTP APIs, clarify HSTS issue
* Correct info about IPv4 ranges
* Mention multiple TXT records on single domain
* Mention vnet.mdx in guides.mdx
* Add dscacheutil and osconfig to cspell
* Fix link to headers passthrough
* Fix yet another link
* allow setting TLS material in event-handler * fix image for test for event-handler helm --------- Co-authored-by: Steven Martin <stevenmartin@stevens-mbp.lan> Co-authored-by: Steven Martin <stevenmartin@Stevens-MBP.fios-router.home>
The auth state package contained both process state information and the backing storage used to persist the state. This turns out to be an expensive package for consumers that only care about state and not storage since it brings sqlite into the dependency tree. Splitting storage out to a separate package makes it possible to build client tools that don't require knowing about process storage to be built without cgo enabled.
* Prevent panic in mis-using the SourceKey in slog * check other fields * remove extra empty comment line * remove lint in tests
…#43408)
* Add debug logging configuration and env option for eventhandler
* moved debug logger setting to highest level
* fix helm test
* remove unused variable setting
* lint fix for eventhandler
* drop EnableDebugLogging and use Debug only
* line changes
  Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
---------
Co-authored-by: Steven Martin <stevenmartin@stevens-mbp.lan>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
U2F support was deprecated in favor of WebAuthn many releases ago, however, not all references were removed when working on #10375. This eliminates the last remaining inclusions of github.com/flynn/u2f and github.com/flynn/hid from lib/client and drops all support of falling back to U2F if client tools are not built with FIDO2 enabled. In practice, this should only cause problems for people building tsh/tctl locally without setting the correct build flags. All release artifacts published should already be built with the appropriate flags and not cause any issues as a result. Updates #43112.
…ps (#43407) * docs: Add disable_exec_plugin to Machine ID troubleshooting steps * Update troubleshooting.mdx Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> * Update troubleshooting.mdx --------- Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
…isite and new input label copy (#43326) * mention gcp workforce admin role prerequisites * update gcp input screenshot * reflect input label changes * update image link * Update docs/pages/access-controls/idps/saml-gcp-workforce-identity-federation.mdx Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> --------- Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* * Allow headless auth when local auth is disabled. * Restore headless auth for sso user. * Remove user locking from headless auth, just like SSO login. * Fix lint.
`tsh app login` will print an example curl command for webapps, but it doesn't quote the --cert and --key flags. As a result, you can't copy-paste the command if $TELEPORT_HOME contains spaces.
…#43419)
* backend: add migration tool to migrate between any two backends
* cleanup bad rebase
* missing return value
  Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
* close backends
* Use workers and fixed size channel to limit in memory items
* Update tool/teleport/common/migrate.go
  Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
* use a single errgroup for both get and put operations
* refactor migration to clone
* Add destination check and force config option
* Update lib/backend/clone/clone.go
  Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Update lib/backend/clone/clone.go
  Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Update lib/backend/clone/clone.go
  Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* move clone to lib/backend and remove struct
* Update tool/teleport/common/backend.go
  Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Update lib/backend/clone.go
  Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Update lib/backend/clone.go
  Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Update lib/backend/clone_test.go
  Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Update lib/backend/clone.go
  Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* Update lib/backend/clone_test.go
  Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* fix lint
* fix license
* add example config in alias
---------
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
* policy updates - v16 docs backport * policy updates - v16 docs backport * policy backport - images
* Script oneoff: add optional command prefix (sudo)
  We are converting the installer script used for Server Auto Discover to use go instead of shell script. As an example, in EC2 Auto Discover, the script runs as `ssm-user` which has access to using `sudo`. This script is currently using `sudo` to change system wide configurations (adding repos, installing packages, create file locks, ....). In order to convert this script into go code, we must also run with elevated privileges. This PR changes the `oneoff` script to optionally run with a prefix. Only `sudo` can be used as a command prefix.
* use t.cleanup and fix sudo usage when testing
mmcallister added the documentation and no-changelog (Indicates that a PR does not require a changelog entry) labels on Jun 25, 2024
Due to the backport #43396, the version number displayed is incorrect