From 2c32fff6d5f7fd44bb6ad1e5bb19fafd4a583037 Mon Sep 17 00:00:00 2001 
From: Paul Gottschling
Date: Mon, 22 Aug 2022 15:45:32 -0400
Subject: [PATCH] Organize docs guide sections chronologically

Backports #15357

* Organize docs guide sections chronologically

This change aims to make docs navigation easier by organizing some docs
sections according to the sequence of steps a user would take to set up
Teleport.

The current docs organization uses a variety of categories and schemes
to organize the docs. For example, there is a "Home" section that
includes the Changelog, Installation page, and Getting Started guides; a
"Setup" section that includes references and admin guides; and
edition-specific sections (Enterprise, Cloud).

For a user who is setting up Teleport--or who has already done some
setup work and wants more advanced instructions--it's difficult to know
where in the docs to find the right information.

This change organizes our how-to guides into the following categories
that describe the process of setting up Teleport:

- Try out Teleport
- Deploy a Cluster (including choosing an edition)
- Configure Access (including SSO, RBAC, and Access Requests)
- Manage your Cluster (admin guides, operations, etc.)
- Use Teleport (this section already exists)

I moved the Reference section after this chronology, since users can
access the reference guides anywhere in the setup process.

As part of the change, I have also moved the content from the
"Enterprise" and "Cloud" sections into "Deploy a Cluster", since this
content has to do with how to deploy a specific edition of Teleport.

Note that this change does _not_ attempt to reorganize our
protocol-specific sections. While adding resources is part of the
Teleport setup process, we have a lot of content in our
protocol-specific sections, and moving it all into a single section
related to adding resources to a cluster would (a) exceed the maximum
depth for subsections in the nav bar and (b) cause more confusion than
it alleviates.

* Respond to PR feedback

- Create a "Compliance Frameworks" section of "Configure Access" with
  the FedRAMP and SOC 2 guides
- Rename "Use Teleport" to "Connect your Client"
- Move the database GUI client guide into "Connect your Client"

* Add redirects

* Fix linter issues
---
 CHANGELOG.md | 10 +- docs/config.json | 1209 +++++++++++------ .../ssh-approval-jira-server.mdx | 2 +- .../access-requests/resource-requests.mdx | 2 +- .../access-controls/compliance-frameworks.mdx | 14 + .../compliance-frameworks}/fedramp.mdx | 10 +- .../compliance-frameworks}/soc2.mdx | 48 +- .../pages/access-controls/getting-started.mdx | 4 +- docs/pages/access-controls/guides.mdx | 2 +- .../access-controls/guides/dual-authz.mdx | 2 +- .../access-controls/guides/impersonation.mdx | 2 +- docs/pages/access-controls/guides/locking.mdx | 2 +- .../guides/per-session-mfa.mdx | 2 +- .../pages/access-controls/guides/webauthn.mdx | 2 +- docs/pages/access-controls/reference.mdx | 10 +- .../{enterprise => access-controls}/sso.mdx | 7 +- .../sso/adfs.mdx | 2 +- .../sso/azuread.mdx | 2 +- .../sso}/github-sso.mdx | 0 .../sso/gitlab.mdx | 2 +- .../sso/google-workspace.mdx | 2 +- .../sso/oidc.mdx | 4 +- .../sso/okta.mdx | 2 +- .../sso/one-login.mdx | 2 +- docs/pages/api/architecture.mdx | 2 +- docs/pages/api/getting-started.mdx | 2 +- docs/pages/api/introduction.mdx | 2 +- docs/pages/application-access/controls.mdx | 12 +- docs/pages/architecture/authentication.mdx | 4 +- docs/pages/architecture/authorization.mdx | 4 +- docs/pages/architecture/nodes.mdx | 4 +- docs/pages/architecture/overview.mdx | 4 +- docs/pages/architecture/tls-routing.mdx | 4 +- docs/pages/architecture/trustedclusters.mdx | 2 +- .../gui-clients.mdx | 66 +- .../teleport-connect.mdx | 0 .../tsh.mdx | 30 +- docs/pages/database-access/architecture.mdx | 2 +- docs/pages/database-access/faq.mdx | 2 +- .../pages/database-access/getting-started.mdx | 2 +- docs/pages/database-access/rbac.mdx | 2 +- .../deployments.mdx | 0 
.../deployments/aws-terraform.mdx | 16 +- .../deployments/digitalocean.mdx | 2 +- .../deployments/gcp.mdx | 4 +- .../deployments/ibm.mdx | 0 .../helm-deployments.mdx | 0 .../helm-deployments/aws.mdx | 6 +- .../helm-deployments/custom.mdx | 8 +- .../helm-deployments/digitalocean.mdx | 0 .../helm-deployments/gcp.mdx | 6 +- .../helm-deployments}/kubernetes-cluster.mdx | 19 +- .../helm-deployments/migration.mdx | 2 +- .../open-source.mdx} | 12 +- .../teleport-cloud}/architecture.mdx | 2 +- .../teleport-cloud}/downloads.mdx | 0 .../teleport-cloud}/faq.mdx | 8 +- .../teleport-cloud}/getting-started.mdx | 10 +- .../teleport-cloud}/introduction.mdx | 0 .../teleport-enterprise}/getting-started.mdx | 16 +- .../teleport-enterprise}/hsm.mdx | 2 +- .../teleport-enterprise}/introduction.mdx | 12 +- .../teleport-enterprise}/license.mdx | 0 docs/pages/desktop-access/getting-started.mdx | 2 +- docs/pages/faq.mdx | 18 +- docs/pages/getting-started.mdx | 14 +- .../pages/includes/database-access/guides.mdx | 1 - .../database-access/rotation-note.mdx | 2 +- docs/pages/index.mdx | 14 +- docs/pages/installation.mdx | 14 +- docs/pages/kubernetes-access/controls.mdx | 12 +- .../kubernetes-access/getting-started.mdx | 2 +- docs/pages/kubernetes-access/guides/cicd.mdx | 2 +- .../kubernetes-access/guides/federation.mdx | 10 +- .../teleport-cluster-cloud-warning.mdx | 2 +- docs/pages/machine-id/reference/cli.mdx | 2 +- docs/pages/{setup => management}/admin.mdx | 1 - .../admin/adding-nodes.mdx | 2 +- .../{setup => management}/admin/daemon.mdx | 8 +- .../{setup => management}/admin/labels.mdx | 4 +- .../admin/troubleshooting.mdx | 4 +- .../admin/trustedclusters.mdx | 0 .../admin/upgrading-the-teleport-binary.mdx | 2 +- .../{setup => management}/admin/users.mdx | 13 +- docs/pages/{setup => management}/guides.mdx | 0 .../{setup => management}/guides/docker.mdx | 2 +- .../{setup => management}/guides/ec2-tags.mdx | 0 .../{setup => management}/guides/fluentd.mdx | 0 
.../guides/joining-nodes-aws-ec2.mdx | 4 +- .../guides/joining-nodes-aws-iam.mdx | 0 .../guides/ssh-key-extensions.mdx | 2 +- .../guides/teleport-operator.mdx | 4 +- .../guides/terraform-provider.mdx | 2 +- .../{setup => management}/operations.mdx | 0 .../operations/backup-restore.mdx | 0 .../operations/ca-rotation.mdx | 0 .../operations/scaling.mdx | 2 +- .../operations/tls-routing.mdx | 0 .../operations/upgrading.mdx | 0 docs/pages/{setup => management}/security.mdx | 0 .../security/reduce-blast-radius.mdx | 2 +- docs/pages/preview/upcoming-releases.mdx | 10 +- docs/pages/{setup => }/reference/audit.mdx | 2 +- .../{setup => }/reference/authentication.mdx | 8 +- docs/pages/{setup => }/reference/backends.mdx | 10 +- docs/pages/{setup => }/reference/cli.mdx | 24 +- docs/pages/{setup => }/reference/config.mdx | 0 .../{setup => reference}/helm-reference.mdx | 0 .../helm-reference/teleport-cluster.mdx | 46 +- .../helm-reference/teleport-kube-agent.mdx | 8 +- docs/pages/{setup => }/reference/metrics.mdx | 0 .../{setup => }/reference/networking.mdx | 4 +- .../reference/predicate-language.mdx | 4 +- .../pages/{setup => }/reference/resources.mdx | 4 +- docs/pages/{setup => }/reference/signals.mdx | 0 .../reference/terraform-provider.mdx | 0 docs/pages/server-access/getting-started.mdx | 6 +- .../guides/bpf-session-recording.mdx | 2 +- .../guides/recording-proxy-mode.mdx | 4 +- .../guides/restricted-session.mdx | 4 +- docs/pages/server-access/guides/ssh-pam.mdx | 2 +- docs/pages/setup/reference.mdx | 43 - docs/pages/try-out-teleport/browser-labs.mdx | 36 + .../docker-compose.mdx | 8 +- .../local-kubernetes.mdx | 2 +- 125 files changed, 1178 insertions(+), 809 deletions(-) create mode 100644 docs/pages/access-controls/compliance-frameworks.mdx rename docs/pages/{enterprise => access-controls/compliance-frameworks}/fedramp.mdx (87%) rename docs/pages/{enterprise => access-controls/compliance-frameworks}/soc2.mdx (80%) rename docs/pages/{enterprise => access-controls}/sso.mdx 
(98%) rename docs/pages/{enterprise => access-controls}/sso/adfs.mdx (98%) rename docs/pages/{enterprise => access-controls}/sso/azuread.mdx (99%) rename docs/pages/{setup/admin => access-controls/sso}/github-sso.mdx (100%) rename docs/pages/{enterprise => access-controls}/sso/gitlab.mdx (98%) rename docs/pages/{enterprise => access-controls}/sso/google-workspace.mdx (98%) rename docs/pages/{enterprise => access-controls}/sso/oidc.mdx (97%) rename docs/pages/{enterprise => access-controls}/sso/okta.mdx (98%) rename docs/pages/{enterprise => access-controls}/sso/one-login.mdx (98%) rename docs/pages/{database-access/guides => connect-your-client}/gui-clients.mdx (81%) rename docs/pages/{use-teleport => connect-your-client}/teleport-connect.mdx (100%) rename docs/pages/{use-teleport => connect-your-client}/tsh.mdx (95%) rename docs/pages/{setup => deploy-a-cluster}/deployments.mdx (100%) rename docs/pages/{setup => deploy-a-cluster}/deployments/aws-terraform.mdx (98%) rename docs/pages/{setup => deploy-a-cluster}/deployments/digitalocean.mdx (98%) rename docs/pages/{setup => deploy-a-cluster}/deployments/gcp.mdx (96%) rename docs/pages/{setup => deploy-a-cluster}/deployments/ibm.mdx (100%) rename docs/pages/{setup => deploy-a-cluster}/helm-deployments.mdx (100%) rename docs/pages/{setup => deploy-a-cluster}/helm-deployments/aws.mdx (98%) rename docs/pages/{setup => deploy-a-cluster}/helm-deployments/custom.mdx (96%) rename docs/pages/{setup => deploy-a-cluster}/helm-deployments/digitalocean.mdx (100%) rename docs/pages/{setup => deploy-a-cluster}/helm-deployments/gcp.mdx (98%) rename docs/pages/{getting-started => deploy-a-cluster/helm-deployments}/kubernetes-cluster.mdx (94%) rename docs/pages/{setup => deploy-a-cluster}/helm-deployments/migration.mdx (98%) rename docs/pages/{getting-started/linux-server.mdx => deploy-a-cluster/open-source.mdx} (96%) rename docs/pages/{cloud => deploy-a-cluster/teleport-cloud}/architecture.mdx (97%) rename docs/pages/{cloud => 
deploy-a-cluster/teleport-cloud}/downloads.mdx (100%) rename docs/pages/{cloud => deploy-a-cluster/teleport-cloud}/faq.mdx (96%) rename docs/pages/{cloud => deploy-a-cluster/teleport-cloud}/getting-started.mdx (86%) rename docs/pages/{cloud => deploy-a-cluster/teleport-cloud}/introduction.mdx (100%) rename docs/pages/{enterprise => deploy-a-cluster/teleport-enterprise}/getting-started.mdx (96%) rename docs/pages/{enterprise => deploy-a-cluster/teleport-enterprise}/hsm.mdx (98%) rename docs/pages/{enterprise => deploy-a-cluster/teleport-enterprise}/introduction.mdx (88%) rename docs/pages/{enterprise => deploy-a-cluster/teleport-enterprise}/license.mdx (100%) rename docs/pages/{setup => management}/admin.mdx (94%) rename docs/pages/{setup => management}/admin/adding-nodes.mdx (99%) rename docs/pages/{setup => management}/admin/daemon.mdx (95%) rename docs/pages/{setup => management}/admin/labels.mdx (99%) rename docs/pages/{setup => management}/admin/troubleshooting.mdx (96%) rename docs/pages/{setup => management}/admin/trustedclusters.mdx (100%) rename docs/pages/{setup => management}/admin/upgrading-the-teleport-binary.mdx (98%) rename docs/pages/{setup => management}/admin/users.mdx (90%) rename docs/pages/{setup => management}/guides.mdx (100%) rename docs/pages/{setup => management}/guides/docker.mdx (98%) rename docs/pages/{setup => management}/guides/ec2-tags.mdx (100%) rename docs/pages/{setup => management}/guides/fluentd.mdx (100%) rename docs/pages/{setup => management}/guides/joining-nodes-aws-ec2.mdx (98%) rename docs/pages/{setup => management}/guides/joining-nodes-aws-iam.mdx (100%) rename docs/pages/{setup => management}/guides/ssh-key-extensions.mdx (98%) rename docs/pages/{setup => management}/guides/teleport-operator.mdx (97%) rename docs/pages/{setup => management}/guides/terraform-provider.mdx (99%) rename docs/pages/{setup => management}/operations.mdx (100%) rename docs/pages/{setup => management}/operations/backup-restore.mdx (100%) rename 
docs/pages/{setup => management}/operations/ca-rotation.mdx (100%) rename docs/pages/{setup => management}/operations/scaling.mdx (95%) rename docs/pages/{setup => management}/operations/tls-routing.mdx (100%) rename docs/pages/{setup => management}/operations/upgrading.mdx (100%) rename docs/pages/{setup => management}/security.mdx (100%) rename docs/pages/{setup => management}/security/reduce-blast-radius.mdx (99%) rename docs/pages/{setup => }/reference/audit.mdx (98%) rename docs/pages/{setup => }/reference/authentication.mdx (94%) rename docs/pages/{setup => }/reference/backends.mdx (98%) rename docs/pages/{setup => }/reference/cli.mdx (98%) rename docs/pages/{setup => }/reference/config.mdx (100%) rename docs/pages/{setup => reference}/helm-reference.mdx (100%) rename docs/pages/{setup => reference}/helm-reference/teleport-cluster.mdx (95%) rename docs/pages/{setup => reference}/helm-reference/teleport-kube-agent.mdx (99%) rename docs/pages/{setup => }/reference/metrics.mdx (100%) rename docs/pages/{setup => }/reference/networking.mdx (98%) rename docs/pages/{setup => }/reference/predicate-language.mdx (96%) rename docs/pages/{setup => }/reference/resources.mdx (96%) rename docs/pages/{setup => }/reference/signals.mdx (100%) rename docs/pages/{setup => }/reference/terraform-provider.mdx (100%) delete mode 100644 docs/pages/setup/reference.mdx create mode 100644 docs/pages/try-out-teleport/browser-labs.mdx rename docs/pages/{getting-started => try-out-teleport}/docker-compose.mdx (96%) rename docs/pages/{getting-started => try-out-teleport}/local-kubernetes.mdx (99%) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe6fd8e7a1d3b..98ffae72a47b4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1989,8 +1989,8 @@ This is a minor Teleport release with a focus on new features and bug fixes. * Alpha: Enhanced Session Recording lets you know what's really happening during a Teleport Session. [#2948](https://github.com/gravitational/teleport/issues/2948) * Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](./docs/pages/access-controls/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006) -* Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. [Read the docs](./docs/pages/setup/deployments/gcp.mdx). [#2821](https://github.com/gravitational/teleport/pull/2821) -* Remote tctl execution is now possible. [Read the docs](./docs/pages/setup/reference/cli.mdx#tctl). [#1525](https://github.com/gravitational/teleport/issues/1525) [#2991](https://github.com/gravitational/teleport/issues/2991) +* Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. [Read the docs](./docs/pages/deploy-a-cluster/deployments/gcp.mdx). [#2821](https://github.com/gravitational/teleport/pull/2821) +* Remote tctl execution is now possible. [Read the docs](./docs/pages/reference/cli.mdx#tctl). [#1525](https://github.com/gravitational/teleport/issues/1525) [#2991](https://github.com/gravitational/teleport/issues/2991) ### Fixes 
@@ -1998,8 +1998,8 @@ This is a minor Teleport release with a focus on new features and bug fixes. ### Documentation -* Adopting root/leaf terminology for trusted clusters. [Trusted cluster documentation](./docs/pages/setup/admin/trustedclusters.mdx). -* Documented Teleport FedRAMP & FIPS Support. [FedRAMP & FIPS documentation](./docs/pages/enterprise/fedramp.mdx). +* Adopting root/leaf terminology for trusted clusters. [Trusted cluster documentation](./docs/pages/management/admin/trustedclusters.mdx). +* Documented Teleport FedRAMP & FIPS Support. [FedRAMP & FIPS documentation](./docs/pages/access-controls/compliance-frameworks/fedramp.mdx). ## 4.1.11 @@ -2230,7 +2230,7 @@ With this release of Teleport, we have built out the foundation to help Teleport ### Improvements -* Teleport now support 10,000 remote connections to a single Teleport cluster. [Using our recommend hardware setup.](./docs/pages/setup/operations/scaling.mdx#hardware-recommendations) +* Teleport now support 10,000 remote connections to a single Teleport cluster. [Using our recommend hardware setup.](./docs/pages/management/operations/scaling.mdx#hardware-recommendations) * Added ability to delete node using `tctl rm`. [#2685](https://github.com/gravitational/teleport/pull/2685) * Output of `tsh ls` is now sorted by node name. [#2534](https://github.com/gravitational/teleport/pull/2534) diff --git a/docs/config.json b/docs/config.json index 58ab7a4388812..8489d6445f511 100644 --- a/docs/config.json +++ b/docs/config.json @@ -1,7 +1,7 @@ { "navigation": [ { - "icon": "stack", + "icon": "home", "title": "Home", "entries": [ { 
@@ -12,32 +12,6 @@ "title": "Adopters", "slug": "/adopters/" }, - { - "title": "Getting Started", - "slug": "/getting-started/", - "entries": [ - { - "title": "Linux Server", - "slug": "/getting-started/linux-server/", - "forScopes": ["oss"] - }, - { - "title": "Docker Compose", - "slug": "/getting-started/docker-compose/", - "forScopes": ["oss"] - }, - { - "title": "Local Kubernetes Lab", - "slug": "/getting-started/local-kubernetes/", - "forScopes": ["oss"] - }, - { - "title": "Kubernetes Cluster", - "slug": "/getting-started/kubernetes-cluster/", - "forScopes": ["oss", "enterprise"] - } - ] - }, { "title": "Installation", "slug": "/installation/" 
@@ -53,247 +27,441 @@ ] }, { - "icon": "wrench", - "title": "Setup", + "icon": "play", + "title": "Try out Teleport", "entries": [ { - "title": "Admin Guides", - "slug": "/setup/admin/", + "title": "Browser Labs", + "slug": "/try-out-teleport/browser-labs/" + }, + { + "title": "Docker Compose", + "slug": "/try-out-teleport/docker-compose/", + "forScopes": ["oss"] + }, + { + "title": "Local Kubernetes Lab", + "slug": "/try-out-teleport/local-kubernetes/", + "forScopes": ["oss"] + } + ] + }, + { + "icon": "quickstart", + "title": "Deploy a Cluster", + "entries": [ + { + "title": "Open Source Teleport", + "slug": "/deploy-a-cluster/open-source/", + "forScopes": ["oss"] + }, + { + "title": "Teleport Cloud", + "slug": "/deploy-a-cluster/teleport-cloud/introduction/", + "forScopes": ["cloud"], "entries": [ { - "title": "GitHub SSO", - "slug": "/setup/admin/github-sso/" + "title": "Getting Started", + "slug": "/deploy-a-cluster/teleport-cloud/getting-started/", + "forScopes": ["cloud"] }, { - "title": "Adding Nodes", - "slug": "/setup/admin/adding-nodes/" + "title": "Architecture", + "slug": "/deploy-a-cluster/teleport-cloud/architecture/", + "forScopes": ["cloud"] }, { - "title": "Trusted Clusters", - "slug": "/setup/admin/trustedclusters/" + "title": "Downloads", + "slug": "/deploy-a-cluster/teleport-cloud/downloads/", + "forScopes": ["cloud"] }, { - "title": "Labels", - "slug": "/setup/admin/labels/" + "title": "FAQ", + "slug": "/deploy-a-cluster/teleport-cloud/faq/", + "forScopes": ["cloud"] + } + ] + }, + { + "title": "Teleport Enterprise", + "slug": "/deploy-a-cluster/teleport-enterprise/introduction/", + "forScopes": ["enterprise"], + "entries": [ + { + "title": "Getting Started", + "slug": "/deploy-a-cluster/teleport-enterprise/getting-started/", + "forScopes": ["enterprise"] }, { - "title": "Local Users", - "slug": "/setup/admin/users/" + "title": "HSM", + "slug": "/deploy-a-cluster/teleport-enterprise/hsm/", + "forScopes": ["enterprise"] }, { - "title": 
"Troubleshooting", - "slug": "/setup/admin/troubleshooting/", + "title": "Enterprise License File", + "slug": "/deploy-a-cluster/teleport-enterprise/license/", + "forScopes": ["enterprise"] + } + ] + }, + { + "title": "Deploy with Helm", + "slug": "/deploy-a-cluster/helm-deployments/", + "forScopes": ["oss", "enterprise"], + "entries": [ + { + "title": "Deploy Teleport on Kubernetes", + "slug": "/deploy-a-cluster/helm-deployments/kubernetes-cluster/", "forScopes": ["oss", "enterprise"] }, { - "title": "Upgrading the Teleport Binary", - "slug": "/setup/admin/upgrading-the-teleport-binary/" + "title": "AWS EKS Cluster", + "slug": "/deploy-a-cluster/helm-deployments/aws/", + "forScopes": ["oss", "enterprise"] }, { - "title": "Run Teleport as a Daemon", - "slug": "/setup/admin/daemon/" + "title": "Google Cloud GKE Cluster", + "slug": "/deploy-a-cluster/helm-deployments/gcp/", + "forScopes": ["oss", "enterprise"] + }, + { + "title": "DigitalOcean Kubernetes Cluster", + "slug": "/deploy-a-cluster/helm-deployments/digitalocean/", + "forScopes": ["oss", "enterprise"] + }, + { + "title": "Customize Deployment Config", + "slug": "/deploy-a-cluster/helm-deployments/custom/", + "forScopes": ["oss", "enterprise"] + }, + { + "title": "Migrating From Older Charts", + "slug": "/deploy-a-cluster/helm-deployments/migration/", + "forScopes": ["oss", "enterprise"] } ] }, { - "title": "Deployments", - "slug": "/setup/deployments/", + "title": "Deploy to your Cloud", + "slug": "/deploy-a-cluster/deployments/", "forScopes": ["oss", "enterprise"], "entries": [ { "title": "AWS Terraform", - "slug": "/setup/deployments/aws-terraform/", + "slug": "/deploy-a-cluster/deployments/aws-terraform/", "forScopes": ["oss", "enterprise"] }, { "title": "GCP", - "slug": "/setup/deployments/gcp/", + "slug": "/deploy-a-cluster/deployments/gcp/", "forScopes": ["oss", "enterprise"] }, { "title": "IBM", - "slug": "/setup/deployments/ibm/", + "slug": "/deploy-a-cluster/deployments/ibm/", "forScopes": ["oss", 
"enterprise"] }, { "title": "Digital Ocean", - "slug": "/setup/deployments/digitalocean/", + "slug": "/deploy-a-cluster/deployments/digitalocean/", "forScopes": ["oss", "enterprise"] } ] + } + ] + }, + { + "icon": "lock", + "title": "Configure Access", + "entries": [ + { + "title": "Introduction", + "slug": "/access-controls/introduction/" }, { - "title": "Helm Deployments", - "slug": "/setup/helm-deployments/", - "forScopes": ["oss", "enterprise"], + "title": "Getting Started", + "slug": "/access-controls/getting-started/" + }, + { + "title": "Cluster Access and RBAC", + "slug": "/access-controls/guides/", "entries": [ { - "title": "AWS EKS Cluster", - "slug": "/setup/helm-deployments/aws/", - "forScopes": ["oss", "enterprise"] + "title": "Role Templates", + "slug": "/access-controls/guides/role-templates/" }, { - "title": "Google Cloud GKE Cluster", - "slug": "/setup/helm-deployments/gcp/", - "forScopes": ["oss", "enterprise"] + "title": "Session Locking", + "slug": "/access-controls/guides/locking/" }, { - "title": "DigitalOcean Kubernetes Cluster", - "slug": "/setup/helm-deployments/digitalocean/", - "forScopes": ["oss", "enterprise"] + "title": "Passwordless (Preview)", + "slug": "/access-controls/guides/passwordless/" }, { - "title": "Customize Deployment Config", - "slug": "/setup/helm-deployments/custom/", - "forScopes": ["oss", "enterprise"] + "title": "Second Factor - WebAuthn", + "slug": "/access-controls/guides/webauthn/" }, { - "title": "Migrating From Older Charts", - "slug": "/setup/helm-deployments/migration/", - "forScopes": ["oss", "enterprise"] + "title": "Per-session MFA", + "slug": "/access-controls/guides/per-session-mfa/" + }, + { + "title": "Dual Authorization", + "slug": "/access-controls/guides/dual-authz/", + "forScopes": ["enterprise", "cloud"] + }, + { + "title": "Impersonation", + "slug": "/access-controls/guides/impersonation/" + }, + { + "title": "Moderated Sessions", + "slug": "/access-controls/guides/moderated-sessions/", + 
"forScopes": ["enterprise", "cloud"] } ] }, { - "title": "Operations", - "slug": "/setup/operations/", + "title": "Single Sign-On (SSO)", + "slug": "/access-controls/sso/", "entries": [ { - "title": "Scaling", - "slug": "/setup/operations/scaling/", - "forScopes": ["oss", "enterprise"] + "title": "GitHub SSO", + "slug": "/access-controls/sso/github-sso/" }, { - "title": "Upgrading a Cluster", - "slug": "/setup/operations/upgrading/" + "title": "Azure Active Directory (AD)", + "slug": "/access-controls/sso/azuread/", + "forScopes": ["enterprise", "cloud"] }, { - "title": "Backup and Restore", - "slug": "/setup/operations/backup-restore/", - "forScopes": ["oss", "enterprise"] + "title": "Active Directory (ADFS)", + "slug": "/access-controls/sso/adfs/", + "forScopes": ["enterprise", "cloud"] }, { - "title": "Cert Authority Rotation", - "slug": "/setup/operations/ca-rotation/" + "title": "Google Workspace", + "slug": "/access-controls/sso/google-workspace/", + "forScopes": ["enterprise", "cloud"] }, { - "title": "TLS Routing Migration", - "slug": "/setup/operations/tls-routing/", - "forScopes": ["oss", "enterprise"] + "title": "GitLab", + "slug": "/access-controls/sso/gitlab/", + "forScopes": ["enterprise", "cloud"] + }, + { + "title": "OneLogin", + "slug": "/access-controls/sso/one-login/", + "forScopes": ["enterprise", "cloud"] + }, + { + "title": "OIDC", + "slug": "/access-controls/sso/oidc/", + "forScopes": ["enterprise", "cloud"] + }, + { + "title": "Okta", + "slug": "/access-controls/sso/okta/", + "forScopes": ["enterprise", "cloud"] } ] }, { - "title": "Security", - "slug": "/setup/security/", + "title": "Access Requests", + "slug": "/access-controls/access-requests/", "entries": [ { - "title": "Reducing the Blast Radius of Attacks", - "slug": "/setup/security/reduce-blast-radius/" + "title": "Role Requests", + "slug": "/access-controls/access-requests/role-requests/", + "forScopes": ["enterprise", "cloud"] + }, + { + "title": "Resource Requests", + "slug": 
"/access-controls/access-requests/resource-requests/", + "forScopes": ["enterprise", "cloud"] } ] }, { - "title": "Integrations", - "slug": "/setup/guides/", + "title": "Access Request Plugins", + "slug": "/access-controls/access-request-plugins/", + "forScopes": ["enterprise", "cloud"], "entries": [ { - "title": "Kubernetes Operator (Preview)", - "slug": "/setup/guides/teleport-operator/" + "title": "Mattermost", + "slug": "/access-controls/access-request-plugins/ssh-approval-mattermost/", + "forScopes": ["enterprise", "cloud"] }, { - "title": "Terraform Provider", - "slug": "/setup/guides/terraform-provider/" + "title": "PagerDuty", + "slug": "/access-controls/access-request-plugins/ssh-approval-pagerduty/", + "forScopes": ["enterprise", "cloud"] }, { - "title": "Docker", - "slug": "/setup/guides/docker/" + "title": "Jira Server", + "slug": "/access-controls/access-request-plugins/ssh-approval-jira-server/", + "forScopes": ["enterprise", "cloud"] }, { - "title": "Fluentd", - "slug": "/setup/guides/fluentd/" + "title": "Jira Cloud", + "slug": "/access-controls/access-request-plugins/ssh-approval-jira-cloud/", + "forScopes": ["enterprise", "cloud"] }, { - "title": "EC2 Tags", - "slug": "/setup/guides/ec2-tags/" + "title": "Slack", + "slug": "/access-controls/access-request-plugins/ssh-approval-slack/", + "forScopes": ["enterprise", "cloud"] }, { - "title": "Joining Nodes via AWS IAM", - "slug": "/setup/guides/joining-nodes-aws-iam/" - }, + "title": "Email", + "slug": "/access-controls/access-request-plugins/ssh-approval-email/", + "forScopes": ["enterprise", "cloud"] + } + ] + }, + { + "title": "Compliance Frameworks", + "slug": "/access-controls/compliance-frameworks/", + "forScopes": ["enterprise", "cloud"], + "entries": [ { - "title": "Joining Nodes via AWS EC2", - "slug": "/setup/guides/joining-nodes-aws-ec2/", - "forScopes": ["oss", "enterprise"] + "title": "FedRAMP", + "slug": "/access-controls/compliance-frameworks/fedramp/", + "forScopes": ["enterprise"] }, 
{ - "title": "Using Teleport's CA with GitHub", - "slug": "/setup/guides/ssh-key-extensions/" + "title": "SOC 2", + "slug": "/access-controls/compliance-frameworks/soc2/", + "forScopes": ["enterprise", "cloud"] } ] }, + { "title": "Reference", - "slug": "/setup/reference/", + "slug": "/access-controls/reference/" + }, + { + "title": "FAQ", + "slug": "/access-controls/faq/" + } + ] + }, + { + "icon": "wrench", + "title": "Manage your Cluster", + "entries": [ + { + "title": "Admin Guides", + "slug": "/management/admin/", "entries": [ { - "title": "Config File", - "slug": "/setup/reference/config/" + "title": "Adding Nodes", + "slug": "/management/admin/adding-nodes/" + }, + { + "title": "Trusted Clusters", + "slug": "/management/admin/trustedclusters/" }, { - "title": "Config Resources", - "slug": "/setup/reference/resources/" + "title": "Labels", + "slug": "/management/admin/labels/" }, { - "title": "Command Line", - "slug": "/setup/reference/cli/" + "title": "Local Users", + "slug": "/management/admin/users/" }, { - "title": "Metrics", - "slug": "/setup/reference/metrics/" + "title": "Troubleshooting", + "slug": "/management/admin/troubleshooting/", + "forScopes": ["oss", "enterprise"] }, { - "title": "Terraform Resources", - "slug": "/setup/reference/terraform-provider/" + "title": "Upgrading the Teleport Binary", + "slug": "/management/admin/upgrading-the-teleport-binary/" }, { - "title": "Audit Events and Records", - "slug": "/setup/reference/audit/" + "title": "Run Teleport as a Daemon", + "slug": "/management/admin/daemon/" + } + ] + }, + { + "title": "Operations", + "slug": "/management/operations/", + "entries": [ + { + "title": "Scaling", + "slug": "/management/operations/scaling/", + "forScopes": ["oss", "enterprise"] }, { - "title": "Authentication", - "slug": "/setup/reference/authentication/" + "title": "Upgrading a Cluster", + "slug": "/management/operations/upgrading/" }, { - "title": "Storage Backends", - "slug": "/setup/reference/backends/", + 
"title": "Backup and Restore", + "slug": "/management/operations/backup-restore/", "forScopes": ["oss", "enterprise"] }, { - "title": "Networking", - "slug": "/setup/reference/networking/" + "title": "Cert Authority Rotation", + "slug": "/management/operations/ca-rotation/" }, { - "title": "Predicate Language", - "slug": "/setup/reference/predicate-language/" - }, + "title": "TLS Routing Migration", + "slug": "/management/operations/tls-routing/", + "forScopes": ["oss", "enterprise"] + } + ] + }, + { + "title": "Security", + "slug": "/management/security/", + "entries": [ { - "title": "Signals", - "slug": "/setup/reference/signals/" + "title": "Reducing the Blast Radius of Attacks", + "slug": "/management/security/reduce-blast-radius/" } ] }, { - "title": "Helm Chart Reference", - "slug": "/setup/helm-reference/", + "title": "Integrations", + "slug": "/management/guides/", "entries": [ { - "title": "teleport-cluster", - "slug": "/setup/helm-reference/teleport-cluster/" + "title": "Kubernetes Operator (Preview)", + "slug": "/management/guides/teleport-operator/" }, { - "title": "teleport-kube-agent", - "slug": "/setup/helm-reference/teleport-kube-agent/" + "title": "Terraform Provider", + "slug": "/management/guides/terraform-provider/" + }, + { + "title": "Docker", + "slug": "/management/guides/docker/" + }, + { + "title": "Fluentd", + "slug": "/management/guides/fluentd/" + }, + { + "title": "EC2 Tags", + "slug": "/management/guides/ec2-tags/" + }, + { + "title": "Joining Nodes via AWS IAM", + "slug": "/management/guides/joining-nodes-aws-iam/" + }, + { + "title": "Joining Nodes via AWS EC2", + "slug": "/management/guides/joining-nodes-aws-ec2/", + "forScopes": ["oss", "enterprise"] + }, + { + "title": "Using Teleport's CA with GitHub", + "slug": "/management/guides/ssh-key-extensions/" } ] } 
@@ -301,15 +469,20 @@ }, { "icon": "connect", - "title": "Use Teleport", + "title": "Connect your Client", "entries": [ { "title": "Using tsh", - "slug": "/use-teleport/tsh/" + "slug": "/connect-your-client/tsh/" }, { "title": "Using Teleport Connect", - "slug": "/use-teleport/teleport-connect/" + "slug": "/connect-your-client/teleport-connect/" + }, + + { + "title": "Database GUI Clients", + "slug": "/connect-your-client/gui-clients/" } ] }, @@ -456,7 +629,6 @@ "title": "Standalone", "slug": "/kubernetes-access/guides/standalone-teleport/", "forScopes": ["enterprise", "oss"] - } ] }, @@ -546,10 +718,6 @@ "title": "Snowflake (Preview)", "slug": "/database-access/guides/snowflake/" }, - { - "title": "Database GUI Clients", - "slug": "/database-access/guides/gui-clients/" - }, { "title": "Dynamic Registration", "slug": "/database-access/guides/dynamic-registration/" 
@@ -707,118 +875,12 @@ ] }, { - "icon": "lock", - "title": "Access Controls", + "icon": "list", + "title": "API", "entries": [ { "title": "Introduction", - "slug": "/access-controls/introduction/" - }, - { - "title": "Getting Started", - "slug": "/access-controls/getting-started/" - }, - { - "title": "Cluster Access and RBAC", - "slug": "/access-controls/guides/", - "entries": [ - { - "title": "Role Templates", - "slug": "/access-controls/guides/role-templates/" - }, - { - "title": "Session Locking", - "slug": "/access-controls/guides/locking/" - }, - { - "title": "Passwordless (Preview)", - "slug": "/access-controls/guides/passwordless/" - }, - { - "title": "Second Factor - WebAuthn", - "slug": "/access-controls/guides/webauthn/" - }, - { - "title": "Per-session MFA", - "slug": "/access-controls/guides/per-session-mfa/" - }, - { - "title": "Dual Authorization", - "slug": "/access-controls/guides/dual-authz/", - "forScopes": ["enterprise", "cloud"] - }, - { - "title": "Impersonation", - "slug": "/access-controls/guides/impersonation/" - }, - { - "title": "Moderated Sessions", - "slug": "/access-controls/guides/moderated-sessions/", - "forScopes": ["enterprise", "cloud"] - } - ] - }, - { - "title": "Access Requests", - "slug": "/access-controls/access-requests/", - "entries": [ - { - "title": "Role Requests", - "slug":"/access-controls/access-requests/role-requests/" - }, - { - "title": "Resource Requests", - "slug":"/access-controls/access-requests/resource-requests/" - } - ] - }, - { - "title": "Access Request Plugins", - "slug": "/access-controls/access-request-plugins/", - "entries": [ - { - "title": "Mattermost", - "slug":"/access-controls/access-request-plugins/ssh-approval-mattermost/" - }, - { - "title": "PagerDuty", - "slug":"/access-controls/access-request-plugins/ssh-approval-pagerduty/" - }, - { - "title": "Jira Server", - "slug":"/access-controls/access-request-plugins/ssh-approval-jira-server/" - }, - { - "title": "Jira Cloud", - 
"slug":"/access-controls/access-request-plugins/ssh-approval-jira-cloud/" - }, - { - "title": "Slack", - "slug":"/access-controls/access-request-plugins/ssh-approval-slack/" - }, - { - "title": "Email", - "slug": "/access-controls/access-request-plugins/ssh-approval-email/" - } - ] - }, - { - "title": "Reference", - "slug": "/access-controls/reference/" - }, - { - "title": "FAQ", - "slug": "/access-controls/faq/" - } - ] - }, - { - "icon": "list", - "title": "API", - "entries": [ - { - "title": "Introduction", - "slug": "/api/introduction/" + "slug": "/api/introduction/" }, { "title": "Getting Started", 
@@ -841,110 +903,67 @@ ] }, { - "icon": "building", - "title": "Teleport Enterprise", + "icon": "book", + "title": "Reference", "entries": [ { - "title": "Introduction", - "slug": "/enterprise/introduction/", - "forScopes": ["enterprise"] + "title": "Config File", + "slug": "/reference/config/" }, { - "title": "Getting Started", - "slug": "/enterprise/getting-started/", - "forScopes": ["enterprise"] + "title": "Config Resources", + "slug": "/reference/resources/" }, { - "title": "Single Sign-On (SSO)", - "slug": "/enterprise/sso/", - "entries": [ - { - "title": "Azure Active Directory (AD)", - "slug": "/enterprise/sso/azuread/", - "forScopes": ["enterprise", "cloud"] - }, - { - "title": "Active Directory (ADFS)", - "slug": "/enterprise/sso/adfs/", - "forScopes": ["enterprise", "cloud"] - }, - { - "title": "Google Workspace", - "slug": "/enterprise/sso/google-workspace/", - "forScopes": ["enterprise", "cloud"] - }, - { - "title": "GitLab", - "slug": "/enterprise/sso/gitlab/", - "forScopes": ["enterprise", "cloud"] - }, - { - "title": "OneLogin", - "slug": "/enterprise/sso/one-login/", - "forScopes": ["enterprise", "cloud"] - }, - { - "title": "OIDC", - "slug": "/enterprise/sso/oidc/", - "forScopes": ["enterprise", "cloud"] - }, - { - "title": "Okta", - "slug": "/enterprise/sso/okta/", - "forScopes": ["enterprise", "cloud"] - } - ] + "title": "Command Line", + "slug": "/reference/cli/" }, { - "title": "FedRAMP", - "slug": "/enterprise/fedramp/", - "forScopes": ["enterprise"] + "title": "Metrics", + "slug": "/reference/metrics/" }, { - "title": "SOC 2", - "slug": "/enterprise/soc2/", - "forScopes": ["enterprise", "cloud"] + "title": "Terraform Resources", + "slug": "/reference/terraform-provider/" }, { - "title": "HSM", - "slug": "/enterprise/hsm/", - "forScopes": ["enterprise"] + "title": "Audit Events and Records", + "slug": "/reference/audit/" }, { - "title": "Enterprise License File", - "slug": "/enterprise/license/", - "forScopes": ["enterprise"] - } - ] - }, - { 
- "icon": "cloud", - "title": "Cloud", - "entries": [ + "title": "Authentication", + "slug": "/reference/authentication/" + }, { - "title": "Introduction", - "slug": "/cloud/introduction/", - "forScopes": ["cloud"] + "title": "Storage Backends", + "slug": "/reference/backends/", + "forScopes": ["oss", "enterprise"] }, { - "title": "Getting Started", - "slug": "/cloud/getting-started/", - "forScopes": ["cloud"] + "title": "Networking", + "slug": "/reference/networking/" }, { - "title": "Architecture", - "slug": "/cloud/architecture/", - "forScopes": ["cloud"] + "title": "Predicate Language", + "slug": "/reference/predicate-language/" }, { - "title": "Downloads", - "slug": "/cloud/downloads/", - "forScopes": ["cloud"] + "title": "Signals", + "slug": "/reference/signals/" }, { - "title": "FAQ", - "slug": "/cloud/faq/", - "forScopes": ["cloud"] + "title": "Helm Charts", + "slug": "/reference/helm-reference/", + "entries": [ + { + "title": "teleport-cluster", + "slug": "/reference/helm-reference/teleport-cluster/" + }, + { + "title": "teleport-kube-agent", + "slug": "/reference/helm-reference/teleport-kube-agent/" + } + ] } ] }, @@ -1080,17 +1099,17 @@ }, { "source": "/production/", - "destination": "/setup/deployments/", + "destination": "/deploy-a-cluster/deployments/", "permanent": true }, { "source": "/admin-guide/", - "destination": "/setup/admin/", + "destination": "/management/admin/", "permanent": true }, { "source": "/trustedclusters/", - "destination": "/setup/admin/trustedclusters/", + "destination": "/management/admin/trustedclusters/", "permanent": true }, { 
@@ -1110,87 +1129,87 @@ }, { "source": "/metrics-logs-reference/", - "destination": "/setup/reference/metrics/", + "destination": "/reference/metrics/", "permanent": true }, { "source": "/config-reference/", - "destination": "/setup/reference/config/", + "destination": "/reference/config/", "permanent": true }, { "source": "/cli-docs/", - "destination": "/setup/reference/cli/", + "destination": "/reference/cli/", "permanent": true }, { "source": "/enterprise/ssh-kubernetes-fedramp/", - "destination": "/enterprise/fedramp/", + "destination": "/access-controls/compliance-frameworks/fedramp/", "permanent": true }, { "source": "/enterprise/sso/ssh-one-login/", - "destination": "/enterprise/sso/one-login/", + "destination": "/access-controls/sso/one-login/", "permanent": true }, { "source": "/enterprise/sso/ssh-okta/", - "destination": "/enterprise/sso/okta/", + "destination": "/access-controls/sso/okta/", "permanent": true }, { "source": "/enterprise/sso/ssh-google-workspace/", - "destination": "/enterprise/sso/google-workspace/", + "destination": "/access-controls/sso/google-workspace/", "permanent": true }, { "source": "/enterprise/sso/ssh-azuread/", - "destination": "/enterprise/sso/azuread/", + "destination": "/access-controls/sso/azuread/", "permanent": true }, { "source": "/enterprise/sso/ssh-adfs/", - "destination": "/enterprise/sso/adfs/", + "destination": "/access-controls/sso/adfs/", "permanent": true }, { "source": "/enterprise/sso/ssh-sso/", - "destination": "/enterprise/sso/", + "destination": "/access-controls/sso/", "permanent": true }, { "source": "/enterprise/ssh_sso/", - "destination": "/enterprise/sso/", + "destination": "/access-controls/sso/", "permanent": true }, { "source": "/enterprise/quickstart-enterprise/", - "destination": "/enterprise/getting-started/", + "destination": "/deploy-a-cluster/teleport-enterprise/getting-started/", "permanent": true }, { "source": "/gcp-guide/", - "destination": "/setup/deployments/gcp/", + "destination": 
"/deploy-a-cluster/deployments/gcp/", "permanent": true }, { "source": "/ibm-cloud-guide/", - "destination": "/setup/deployments/ibm/", + "destination": "/deploy-a-cluster/deployments/ibm/", "permanent": true }, { "source": "/aws-terraform-guide/", - "destination": "/setup/deployments/aws-terraform/", + "destination": "/deploy-a-cluster/deployments/aws-terraform/", "permanent": true }, { "source": "/setup/guides/docker-compose/", - "destination": "/setup/guides/docker/", + "destination": "/management/guides/docker/", "permanent": true }, { "source": "/cloud/", - "destination": "/cloud/introduction/", + "destination": "/deploy-a-cluster/teleport-cloud/", "permanent": true }, { @@ -1225,7 +1244,7 @@ }, { "source": "/preview/cloud/", - "destination": "/cloud/", + "destination": "/deploy-a-cluster/teleport-cloud/", "permanent": true }, { @@ -1250,7 +1269,7 @@ }, { "source": "/quickstart-docker/", - "destination": "/setup/guides/docker/", + "destination": "/management/guides/docker/", "permanent": true }, { @@ -1280,12 +1299,12 @@ }, { "source": "/setup/guides/joining-nodes-aws/", - "destination": "/setup/guides/joining-nodes-aws-iam/", + "destination": "/management/guides/joining-nodes-aws-iam/", "permanent": true }, { "source": "/setup/reference/license/", - "destination": "/enterprise/license/", + "destination": "/deploy-a-cluster/teleport-enterprise/license/", "permanent": true }, { @@ -1310,7 +1329,7 @@ }, { "source": "/server-access/guides/tsh/", - "destination": "/use-teleport/tsh/", + "destination": "/connect-your-client/tsh/", "permanent": true }, { @@ -1325,7 +1344,7 @@ }, { "source": "/getting-started/digitalocean/", - "destination": "/setup/deployments/digitalocean/", + "destination": "/deploy-a-cluster/deployments/digitalocean/", "permanent": true }, { 
@@ -1335,12 +1354,12 @@ }, { "source": "/kubernetes-access/getting-started/cluster/", - "destination": "/getting-started/kubernetes-cluster/", + "destination": "/deploy-a-cluster/helm-deployments/kubernetes-cluster/", "permanent": true }, { "source": "/kubernetes-access/getting-started/local/", - "destination": "/getting-started/local-kubernetes/", + "destination": "/try-out-teleport/local-kubernetes/", "permanent": true }, { 
@@ -1350,138 +1369,488 @@ }, { "source": "/kubernetes-access/helm/guides/", - "destination": "/setup/helm-deployments/", + "destination": "/deploy-a-cluster/helm-deployments/", "permanent": true }, { "source": "/kubernetes-access/helm/guides/aws/", - "destination": "/setup/helm-deployments/aws/", + "destination": "/deploy-a-cluster/helm-deployments/aws/", "permanent": true }, { "source": "/kubernetes-access/helm/guides/custom/", - "destination": "/setup/helm-deployments/custom/", + "destination": "/deploy-a-cluster/helm-deployments/custom/", "permanent": true }, { "source": "/kubernetes-access/helm/guides/digitalocean/", - "destination": "/setup/helm-deployments/digitalocean/", + "destination": "/deploy-a-cluster/helm-deployments/digitalocean/", "permanent": true }, { "source": "/kubernetes-access/helm/guides/gcp/", - "destination": "/setup/helm-deployments/gcp/", + "destination": "/deploy-a-cluster/helm-deployments/gcp/", "permanent": true }, { "source": "/kubernetes-access/helm/guides/migration/", - "destination": "/setup/helm-deployments/migration/", + "destination": "/deploy-a-cluster/helm-deployments/migration/", "permanent": true }, { "source": "/kubernetes-access/helm/reference/", - "destination": "/setup/helm-reference/", + "destination": "/reference/helm-reference/", "permanent": true }, { "source": "/kubernetes-access/helm/reference/teleport-cluster/", - "destination": "/setup/helm-reference/teleport-cluster/", + "destination": "/reference/helm-reference/teleport-cluster/", "permanent": true }, { "source": "/kubernetes-access/helm/reference/teleport-kube-agent/", - "destination": "/setup/helm-reference/teleport-kube-agent/", + "destination": "/reference/helm-reference/teleport-kube-agent/", "permanent": true }, { - "source": "/getting-started/digitalocean/", - "destination": "/setup/deployments/digitalocean/", + "source": "/access-controls/guides/u2f/", + "destination": "/access-controls/guides/webauthn/", "permanent": true }, { - "source": 
"/kubernetes-access/helm/guides/", - "destination": "/setup/helm-deployments/", + "source": "/setup/admin/graceful-restarts/", + "destination": "/management/admin/upgrading-the-teleport-binary/", "permanent": true }, { - "source": "/kubernetes-access/helm/guides/aws/", - "destination": "/setup/helm-deployments/aws/", + "source": "/enterprise/workflow/", + "destination": "/access-controls/access-requests/", "permanent": true }, { - "source": "/kubernetes-access/helm/guides/custom/", - "destination": "/setup/helm-deployments/custom/", + "source": "/enterprise/workflow/ssh-approval-mattermost/", + "destination": "/access-controls/access-request-plugins/ssh-approval-mattermost/", "permanent": true }, { - "source": "/kubernetes-access/helm/guides/digitalocean/", - "destination": "/setup/helm-deployments/digitalocean/", + "source": "/enterprise/workflow/ssh-approval-mattermost/", + "destination": "/access-controls/access-request-plugins/ssh-approval-pagerduty/", "permanent": true }, { - "source": "/kubernetes-access/helm/guides/gcp/", - "destination": "/setup/helm-deployments/gcp/", + "source": "/enterprise/workflow/ssh-approval-jira-server/", + "destination": "/access-controls/access-request-plugins/ssh-approval-jira-server/", "permanent": true }, { - "source": "/kubernetes-access/helm/guides/migration/", - "destination": "/setup/helm-deployments/migration/", + "source": "/enterprise/workflow/ssh-approval-jira-cloud/", + "destination": "/access-controls/access-request-plugins/ssh-approval-jira-cloud/", "permanent": true }, { - "source": "/access-controls/guides/u2f/", - "destination": "/access-controls/guides/webauthn/", + "source": "/enterprise/workflow/ssh-approval-slack/", + "destination": "/access-controls/access-request-plugins/ssh-approval-slack/", "permanent": true }, { - "source": "/setup/admin/graceful-restarts/", - "destination": "/setup/admin/upgrading-the-teleport-binary/", + "source": "/enterprise/workflow/resource-requests/", + "destination": 
"/access-controls/access-requests/resource-requests/", "permanent": true }, { - "source": "/enterprise/workflow/", - "destination": "/access-controls/access-requests/", - "permanent": true + "source": "/enterprise/workflow/role-requests/", + "destination": "/access-controls/access-requests/role-requests/", + "permanent": true }, { - "source": "/enterprise/workflow/ssh-approval-mattermost/", - "destination": "/access-controls/access-request-plugins/ssh-approval-mattermost/", - "permanent": true + "source": "/user-manual/", + "destination": "/", + "permanent": true }, { - "source": "/enterprise/workflow/ssh-approval-mattermost/", - "destination": "/access-controls/access-request-plugins/ssh-approval-pagerduty/", - "permanent": true + "source": "/enterprise/fedramp/", + "destination": "/access-controls/compliance-frameworks/fedramp/", + "permanent": true }, { - "source": "/enterprise/workflow/ssh-approval-jira-server/", - "destination": "/access-controls/access-request-plugins/ssh-approval-jira-server/", - "permanent": true + "source": "/enterprise/soc2/", + "destination": "/access-controls/compliance-frameworks/soc2/", + "permanent": true + }, + { + "source": "/enterprise/sso/", + "destination": "/access-controls/sso/", + "permanent": true + }, + { + "source": "/enterprise/sso/adfs/", + "destination": "/access-controls/sso/adfs/", + "permanent": true + }, + { + "source": "/enterprise/sso/azuread/", + "destination": "/access-controls/sso/azuread/", + "permanent": true + }, + { + "source": "/setup/admin/github-sso/", + "destination": "/access-controls/sso/github-sso/", + "permanent": true }, { - "source": "/enterprise/workflow/ssh-approval-jira-cloud/", - "destination": "/access-controls/access-request-plugins/ssh-approval-jira-cloud/", - "permanent": true + "source": "/enterprise/sso/gitlab/", + "destination": "/access-controls/sso/gitlab/", + "permanent": true }, { - "source": "/enterprise/workflow/ssh-approval-slack/", - "destination": 
"/access-controls/access-request-plugins/ssh-approval-slack/", - "permanent": true + "source": "/enterprise/sso/google-workspace/", + "destination": "/access-controls/sso/google-workspace/", + "permanent": true }, { - "source": "/enterprise/workflow/resource-requests/", - "destination": "/access-controls/access-requests/resource-requests/", - "permanent": true + "source": "/enterprise/sso/oidc/", + "destination": "/access-controls/sso/oidc/", + "permanent": true }, { - "source": "/enterprise/workflow/role-requests/", - "destination": "/access-controls/access-requests/role-requests/", - "permanent": true + "source": "/enterprise/sso/okta/", + "destination": "/access-controls/sso/okta/", + "permanent": true }, { - "source": "/user-manual/", - "destination": "/", - "permanent": true + "source": "/enterprise/sso/one-login/", + "destination": "/access-controls/sso/one-login/", + "permanent": true + }, + { + "source": "/database-access/guides/gui-clients/", + "destination": "/connect-your-client/gui-clients/", + "permanent": true + }, + { + "source": "/use-teleport/teleport-connect/", + "destination": "/connect-your-client/teleport-connect/", + "permanent": true + }, + { + "source": "/use-teleport/tsh/", + "destination": "/connect-your-client/tsh/", + "permanent": true + }, + { + "source": "/setup/deployments/", + "destination": "/deploy-a-cluster/deployments/", + "permanent": true + }, + { + "source": "/setup/deployments/aws-terraform/", + "destination": "/deploy-a-cluster/deployments/aws-terraform/", + "permanent": true + }, + { + "source": "/setup/deployments/digitalocean/", + "destination": "/deploy-a-cluster/deployments/digitalocean/", + "permanent": true + }, + { + "source": "/setup/deployments/gcp/", + "destination": "/deploy-a-cluster/deployments/gcp/", + "permanent": true + }, + { + "source": "/setup/deployments/ibm/", + "destination": "/deploy-a-cluster/deployments/ibm/", + "permanent": true + }, + { + "source": "/setup/helm-deployments/", + "destination": 
"/deploy-a-cluster/helm-deployments/", + "permanent": true + }, + { + "source": "/setup/helm-deployments/aws/", + "destination": "/deploy-a-cluster/helm-deployments/aws/", + "permanent": true + }, + { + "source": "/setup/helm-deployments/custom/", + "destination": "/deploy-a-cluster/helm-deployments/custom/", + "permanent": true + }, + { + "source": "/setup/helm-deployments/digitalocean/", + "destination": "/deploy-a-cluster/helm-deployments/digitalocean/", + "permanent": true + }, + { + "source": "/setup/helm-deployments/gcp/", + "destination": "/deploy-a-cluster/helm-deployments/gcp/", + "permanent": true + }, + { + "source": "/getting-started/kubernetes-cluster/", + "destination": "/deploy-a-cluster/helm-deployments/kubernetes-cluster/", + "permanent": true + }, + { + "source": "/setup/helm-deployments/migration/", + "destination": "/deploy-a-cluster/helm-deployments/migration/", + "permanent": true + }, + { + "source": "/getting-started/linux-server/", + "destination": "/deploy-a-cluster/open-source/", + "permanent": true + }, + { + "source": "/cloud/architecture/", + "destination": "/deploy-a-cluster/teleport-cloud/architecture/", + "permanent": true + }, + { + "source": "/cloud/downloads/", + "destination": "/deploy-a-cluster/teleport-cloud/downloads/", + "permanent": true + }, + { + "source": "/cloud/faq/", + "destination": "/deploy-a-cluster/teleport-cloud/faq/", + "permanent": true + }, + { + "source": "/cloud/getting-started/", + "destination": "/deploy-a-cluster/teleport-cloud/getting-started/", + "permanent": true + }, + { + "source": "/cloud/introduction/", + "destination": "/deploy-a-cluster/teleport-cloud/introduction/", + "permanent": true + }, + { + "source": "/enterprise/getting-started/", + "destination": "/deploy-a-cluster/teleport-enterprise/getting-started/", + "permanent": true + }, + { + "source": "/enterprise/hsm/", + "destination": "/deploy-a-cluster/teleport-enterprise/hsm/", + "permanent": true + }, + { + "source": 
"/enterprise/introduction/", + "destination": "/deploy-a-cluster/teleport-enterprise/introduction/", + "permanent": true + }, + { + "source": "/enterprise/license/", + "destination": "/deploy-a-cluster/teleport-enterprise/license/", + "permanent": true + }, + { + "source": "/setup/admin/", + "destination": "/management/admin/", + "permanent": true + }, + { + "source": "/setup/admin/adding-nodes/", + "destination": "/management/admin/adding-nodes/", + "permanent": true + }, + { + "source": "/setup/admin/daemon/", + "destination": "/management/admin/daemon/", + "permanent": true + }, + { + "source": "/setup/admin/labels/", + "destination": "/management/admin/labels/", + "permanent": true + }, + { + "source": "/setup/admin/troubleshooting/", + "destination": "/management/admin/troubleshooting/", + "permanent": true + }, + { + "source": "/setup/admin/trustedclusters/", + "destination": "/management/admin/trustedclusters/", + "permanent": true + }, + { + "source": "/setup/admin/upgrading-the-teleport-binary/", + "destination": "/management/admin/upgrading-the-teleport-binary/", + "permanent": true + }, + { + "source": "/setup/admin/users/", + "destination": "/management/admin/users/", + "permanent": true + }, + { + "source": "/setup/guides/", + "destination": "/management/guides/", + "permanent": true + }, + { + "source": "/setup/guides/docker/", + "destination": "/management/guides/docker/", + "permanent": true + }, + { + "source": "/setup/guides/ec2-tags/", + "destination": "/management/guides/ec2-tags/", + "permanent": true + }, + { + "source": "/setup/guides/fluentd/", + "destination": "/management/guides/fluentd/", + "permanent": true + }, + { + "source": "/setup/guides/joining-nodes-aws-ec2/", + "destination": "/management/guides/joining-nodes-aws-ec2/", + "permanent": true + }, + { + "source": "/setup/guides/joining-nodes-aws-iam/", + "destination": "/management/guides/joining-nodes-aws-iam/", + "permanent": true + }, + { + "source": 
"/setup/guides/ssh-key-extensions/", + "destination": "/management/guides/ssh-key-extensions/", + "permanent": true + }, + { + "source": "/setup/guides/teleport-operator/", + "destination": "/management/guides/teleport-operator/", + "permanent": true + }, + { + "source": "/setup/guides/terraform-provider/", + "destination": "/management/guides/terraform-provider/", + "permanent": true + }, + { + "source": "/setup/operations/", + "destination": "/management/operations/", + "permanent": true + }, + { + "source": "/setup/operations/backup-restore/", + "destination": "/management/operations/backup-restore/", + "permanent": true + }, + { + "source": "/setup/operations/ca-rotation/", + "destination": "/management/operations/ca-rotation/", + "permanent": true + }, + { + "source": "/setup/operations/scaling/", + "destination": "/management/operations/scaling/", + "permanent": true + }, + { + "source": "/setup/operations/tls-routing/", + "destination": "/management/operations/tls-routing/", + "permanent": true + }, + { + "source": "/setup/operations/upgrading/", + "destination": "/management/operations/upgrading/", + "permanent": true + }, + { + "source": "/setup/security/", + "destination": "/management/security/", + "permanent": true + }, + { + "source": "/setup/security/reduce-blast-radius/", + "destination": "/management/security/reduce-blast-radius/", + "permanent": true + }, + { + "source": "/setup/reference/audit/", + "destination": "/reference/audit/", + "permanent": true + }, + { + "source": "/setup/reference/authentication/", + "destination": "/reference/authentication/", + "permanent": true + }, + { + "source": "/setup/reference/backends/", + "destination": "/reference/backends/", + "permanent": true + }, + { + "source": "/setup/reference/cli/", + "destination": "/reference/cli/", + "permanent": true + }, + { + "source": "/setup/reference/config/", + "destination": "/reference/config/", + "permanent": true + }, + { + "source": "/setup/helm-reference/", + 
"destination": "/reference/helm-reference/", + "permanent": true + }, + { + "source": "/setup/helm-reference/teleport-cluster/", + "destination": "/reference/helm-reference/teleport-cluster/", + "permanent": true + }, + { + "source": "/setup/helm-reference/teleport-kube-agent/", + "destination": "/reference/helm-reference/teleport-kube-agent/", + "permanent": true + }, + { + "source": "/setup/reference/metrics/", + "destination": "/reference/metrics/", + "permanent": true + }, + { + "source": "/setup/reference/networking/", + "destination": "/reference/networking/", + "permanent": true + }, + { + "source": "/setup/reference/predicate-language/", + "destination": "/reference/predicate-language/", + "permanent": true + }, + { + "source": "/setup/reference/resources/", + "destination": "/reference/resources/", + "permanent": true + }, + { + "source": "/setup/reference/signals/", + "destination": "/reference/signals/", + "permanent": true + }, + { + "source": "/setup/reference/terraform-provider/", + "destination": "/reference/terraform-provider/", + "permanent": true + }, + { + "source": "/getting-started/docker-compose/", + "destination": "/try-out-teleport/docker-compose/", + "permanent": true + }, + { + "source": "/getting-started/local-kubernetes/", + "destination": "/try-out-teleport/local-kubernetes/", + "permanent": true } ] } diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-jira-server.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-jira-server.mdx index 1d23ea59da46f..5dc396c394895 100644 --- a/docs/pages/access-controls/access-request-plugins/ssh-approval-jira-server.mdx +++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-jira-server.mdx 
@@ -29,7 +29,7 @@ This guide will talk through how to set up Teleport with Jira Server. Teleport's ### Prerequisites - A running Teleport Cluster -- Admin Privileges with access and control of [`tctl`](../../setup/reference/cli.mdx#tctl) +- Admin Privileges with access and control of [`tctl`](../../reference/cli.mdx#tctl) - A Jira Server installation with owner privileges, specifically to set up webhooks, issue types, and workflows. This plugin has been tested with Jira Software 8.8.0 Teleport Cloud requires that plugins connect through the Proxy Service (`mytenant.teleport.sh:443`). Open Source and Enterprise installations can connect to the Auth Service (`auth.example.com:3025`) directly. diff --git a/docs/pages/access-controls/access-requests/resource-requests.mdx b/docs/pages/access-controls/access-requests/resource-requests.mdx index bf1579ed37647..4895c3876c194 100644 --- a/docs/pages/access-controls/access-requests/resource-requests.mdx +++ b/docs/pages/access-controls/access-requests/resource-requests.mdx @@ -130,7 +130,7 @@ To request access to these resources, run You can search for resources of kind `node`, `kube_cluster`, `db`, `app`, and `windows_desktop`. Advanced filters and queries are supported, see our -[filtering reference](../../setup/reference/cli.mdx#resource-filtering). +[filtering reference](../../reference/cli.mdx#resource-filtering). Try narrowing your search to a specific resource you want to access. diff --git a/docs/pages/access-controls/compliance-frameworks.mdx b/docs/pages/access-controls/compliance-frameworks.mdx new file mode 100644 index 0000000000000..7bc35e8c84a49 --- /dev/null +++ b/docs/pages/access-controls/compliance-frameworks.mdx 
@@ -0,0 +1,14 @@ +--- +title: "Compliance Frameworks" +description: "How to use Teleport's access controls to streamline compliance without sacrificing productivity." +--- + +Teleport makes it easier for your organization to achieve compliance with +different frameworks, including SOC 2 and FedRAMP. You can fulfill the access +control requirements of your compliance framework by applying configuration +settings within Teleport. + +Follow our guides to see how to use Teleport to achieve compliance: + +- [FedRAMP](./compliance-frameworks/fedramp.mdx) +- [SOC 2](./compliance-frameworks/soc2.mdx) diff --git a/docs/pages/enterprise/fedramp.mdx b/docs/pages/access-controls/compliance-frameworks/fedramp.mdx similarity index 87% rename from docs/pages/enterprise/fedramp.mdx rename to docs/pages/access-controls/compliance-frameworks/fedramp.mdx index 3904c4f3548ca..6173d1ec3df19 100644 --- a/docs/pages/enterprise/fedramp.mdx +++ b/docs/pages/access-controls/compliance-frameworks/fedramp.mdx @@ -14,12 +14,12 @@ government agencies. | Control | Teleport Features | | - | - | | [AC-02 Account Management]((=fedramp.control_url=)AC-2) | Audit events are emitted in the Auth Service when a user is created, updated, deleted, locked, or unlocked. | -| [AC-03 Access Enforcement]((=fedramp.control_url=)AC-3) | Teleport Enterprise supports robust [Role-based Access Controls (RBAC)](../access-controls/introduction.mdx) to:
• Control which SSH nodes a user can or cannot access.
• Control cluster level configuration (session recording, configuration, etc.)
• Control which UNIX logins a user is allowed to use when logging into a server. | +| [AC-03 Access Enforcement]((=fedramp.control_url=)AC-3) | Teleport Enterprise supports robust [Role-based Access Controls (RBAC)](../../access-controls/introduction.mdx) to:
• Control which SSH nodes a user can or cannot access.
• Control cluster level configuration (session recording, configuration, etc.)
• Control which UNIX logins a user is allowed to use when logging into a server. | | [AC-10 Concurrent Session Control]((=fedramp.control_url=)AC-10) | Teleport administrators can define concurrent session limits using Teleport’s RBAC. | -| [AC-12 Session Termination]((=fedramp.control_url=)AC-12) | Admins can terminate active sessions with [session locking](../access-controls/guides/locking.mdx). Teleport terminates sessions on expiry or inactivity.| +| [AC-12 Session Termination]((=fedramp.control_url=)AC-12) | Admins can terminate active sessions with [session locking](../../access-controls/guides/locking.mdx). Teleport terminates sessions on expiry or inactivity.| | [AC-17 Remote Access]((=fedramp.control_url=)AC-17) | Teleport administrators create users with configurable roles that can be used to allow or deny access to system resources. | -| [AC-20 Use of External Information Systems]((=fedramp.control_url=)AC-20) | Teleport supports connecting multiple independent clusters using a feature called [Trusted Clusters](../setup/admin/trustedclusters.mdx). When allowing access from one cluster to another, roles are mapped according to a pre-defined relationship of the scope of access. | -| [AU-03 Audit and Accountability]((=fedramp.control_url=)AU-3) – Content of Audit Records and [AU-12 Audit Generation]((=fedramp.control_url=)AU-12) | Teleport contains an [Audit Log](../setup/reference/audit.mdx) that records cluster-wide events such as:
• Failed login attempts.
• Commands that were executed (SSH “exec” commands).
• Ports that were forwarded.
• File transfers that were initiated. | +| [AC-20 Use of External Information Systems]((=fedramp.control_url=)AC-20) | Teleport supports connecting multiple independent clusters using a feature called [Trusted Clusters](../../management/admin/trustedclusters.mdx). When allowing access from one cluster to another, roles are mapped according to a pre-defined relationship of the scope of access. | +| [AU-03 Audit and Accountability]((=fedramp.control_url=)AU-3) – Content of Audit Records and [AU-12 Audit Generation]((=fedramp.control_url=)AU-12) | Teleport contains an [Audit Log](../../reference/audit.mdx) that records cluster-wide events such as:
• Failed login attempts.
• Commands that were executed (SSH “exec” commands).
• Ports that were forwarded.
• File transfers that were initiated. | | [AU-10 Non-Repudiation]((=fedramp.control_url=)AU-10) | Teleport audit logging supports both events as well as audit of an entire SSH session. For non-repudiation purposes, a full session can be replayed back and viewed. | | [CM-08 Information System Component Inventory]((=fedramp.control_url=)CM-8) | Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. | | [IA-03 Device Identification and Authentication]((=fedramp.control_url=)IA-3) | Teleport requires valid x509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components. | @@ -29,7 +29,7 @@ Enterprise customers can download the custom FIPS package from the [Dashboard](h # Setup -Customers can follow our [Enterprise Getting Started Guide](./getting-started.mdx) for +Customers can follow our [Enterprise Getting Started Guide](../../deploy-a-cluster/teleport-enterprise/getting-started.mdx) for instructions on how to setup Teleport Enterprise. You'll need to start with the Teleport Enterprise FIPS binary. diff --git a/docs/pages/enterprise/soc2.mdx b/docs/pages/access-controls/compliance-frameworks/soc2.mdx similarity index 80% rename from docs/pages/enterprise/soc2.mdx rename to docs/pages/access-controls/compliance-frameworks/soc2.mdx index ee76531223c8d..e3ad0d1c86b78 100644 --- a/docs/pages/enterprise/soc2.mdx +++ b/docs/pages/access-controls/compliance-frameworks/soc2.mdx 
@@ -50,35 +50,35 @@ Each principle has many “Points of Focus” which will apply differently to di | Principle Criteria | Point of Focus | Teleport Features | | --- | --- | --- | -| CC6.1 - Restricts Logical Access | Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. | Teleport Enterprise supports robust [Role-based Access Controls (RBAC)](../access-controls/introduction.mdx) to: | +| CC6.1 - Restricts Logical Access | Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. | Teleport Enterprise supports robust [Role-based Access Controls (RBAC)](../introduction.mdx) to: | | CC6.1 - Identifies and Authenticates Users | Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. | Provide role-based access controls (RBAC) using short-lived certificates and your existing identity management service. Connecting locally or remotely is just as easy. | -| CC6.1 - Considers Network Segmentation | Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. | [Teleport enables beyond corp network segmentation](../setup/admin/trustedclusters.mdx)

[Connect to nodes behind Firewalls or create reverse tunnels to a proxy server](../faq.mdx#can-i-connect-to-nodes-behind-a-firewall) | -| CC6.1 - Manages Points of Access | Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. | [Label Nodes to inventory and create rules](../setup/admin/labels.mdx)

[Create Labels from AWS Tags](../setup/guides/ec2-tags.mdx)

Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. | -| CC6.1 - Restricts Access to Information Assets | Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. | [Teleport uses Certificates to grant access and create access control rules](../architecture/overview.mdx) | +| CC6.1 - Considers Network Segmentation | Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. | [Teleport enables beyond corp network segmentation](../../management/admin/trustedclusters.mdx)

[Connect to nodes behind Firewalls or create reverse tunnels to a proxy server](../../faq.mdx#can-i-connect-to-nodes-behind-a-firewall) | +| CC6.1 - Manages Points of Access | Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. | [Label Nodes to inventory and create rules](../../management/admin/labels.mdx)

[Create Labels from AWS Tags](../../management/guides/ec2-tags.mdx)

Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. | +| CC6.1 - Restricts Access to Information Assets | Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. | [Teleport uses Certificates to grant access and create access control rules](../../architecture/overview.mdx) | | CC6.1 - Manages Identification and Authentication | Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. | Teleport makes setting policies for SSH requirements easy since it works in the cloud and on premise with the same authentication security standards. | -| CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. | [Invite nodes to your cluster with short lived tokens](../setup/admin/adding-nodes.mdx) | +| CC6.1 - Manages Credentials for Infrastructure and Software | New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. 
| [Invite nodes to your cluster with short lived tokens](../../management/admin/adding-nodes.mdx) | | CC6.1 - Uses Encryption to Protect Data | The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. | Teleport Audit logs can use DynamoDB encryption at rest. | | CC6.1 - Protects Encryption Keys | Processes are in place to protect encryption keys during generation, storage, use, and destruction. | Teleport acts as a Certificate Authority to issue SSH and x509 user certificates that are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically | -| CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. | [Request Approval from the command line](../setup/reference/cli.mdx#tctl-request-approve)

[Build Approval Workflows with Access Requests](../access-controls/access-requests.mdx)

[Use Plugins to send approvals to tools like Slack or Jira](../access-controls/access-requests.mdx) | -| CC6.2 - Removes Access to Protected Assets When Appropriate | Processes are in place to remove credential access when an individual no longer requires such access. | [Teleport issues temporary credentials based on an employees role and are revoked upon job change, termination or end of a maintenance window](../access-controls/access-requests.mdx) | +| CC6.2 - Controls Access Credentials to Protected Assets | Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian. | [Request Approval from the command line](../../reference/cli.mdx#tctl-request-approve)

[Build Approval Workflows with Access Requests](../../access-controls/access-requests.mdx)

[Use Plugins to send approvals to tools like Slack or Jira](../../access-controls/access-requests.mdx) | +| CC6.2 - Removes Access to Protected Assets When Appropriate | Processes are in place to remove credential access when an individual no longer requires such access. | [Teleport issues temporary credentials based on an employees role and are revoked upon job change, termination or end of a maintenance window](../../access-controls/access-requests.mdx) | | CC6.2 - Reviews Appropriateness of Access Credentials | The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials. | Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. | -| CC6.3 - Creates or Modifies Access to Protected Information Assets | Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. | [Build Approval Workflows with Access Requests](../access-controls/access-requests.mdx) to get authorization from asset owners. | -| CC6.3 - Removes Access to Protected Information Assets | Processes are in place to remove access to protected information assets when an individual no longer requires access. | Teleport uses temporary credentials and can be integrated with your version control system or even your HR system to [revoke access with the Access requests API](../api/introduction.mdx) | -| CC6.3 - Uses Role-Based Access Controls | Role-based access control is utilized to support segregation of incompatible functions. 
| [Role based access control ("RBAC") allows Teleport administrators to grant granular access permissions to users.](../access-controls/introduction.mdx) | +| CC6.3 - Creates or Modifies Access to Protected Information Assets | Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner. | [Build Approval Workflows with Access Requests](../../access-controls/access-requests.mdx) to get authorization from asset owners. | +| CC6.3 - Removes Access to Protected Information Assets | Processes are in place to remove access to protected information assets when an individual no longer requires access. | Teleport uses temporary credentials and can be integrated with your version control system or even your HR system to [revoke access with the Access requests API](../../api/introduction.mdx) | +| CC6.3 - Uses Role-Based Access Controls | Role-based access control is utilized to support segregation of incompatible functions. | [Role based access control ("RBAC") allows Teleport administrators to grant granular access permissions to users.](../../access-controls/introduction.mdx) | | CC6.3 - Reviews Access Roles and Rules | The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals with access and access rules are modified as appropriate. | Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time. | -| CC6.6 - Restricts Access | The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. | Teleport makes it easy to restrict access to common ports like 21, 22 and instead have users [tunnel to the server](../faq.mdx#can-i-connect-to-nodes-behind-a-firewall) using Teleport. 
[Teleport uses the following default ports.](../setup/reference/networking.mdx#ports) | +| CC6.6 - Restricts Access | The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. | Teleport makes it easy to restrict access to common ports like 21, 22 and instead have users [tunnel to the server](../../faq.mdx#can-i-connect-to-nodes-behind-a-firewall) using Teleport. [Teleport uses the following default ports.](../../reference/networking.mdx#ports) | | CC6.6 - Protects Identification and Authentication Credentials | Identification and authentication credentials are protected during transmission outside system boundaries. | [Yes, Teleport protects credentials outside your network allowing for Zero Trust network architecture](https://goteleport.com/blog/applying-principles-of-zero-trust-to-ssh/) | -| CC6.6 - Requires Additional Authentication or Credentials | Additional authentication information or credentials are required when accessing the system from outside its boundaries. | [Yes, Teleport can manage MFA with TOTP, WebAuthn or U2F Standards or connect to your Identity Provider using SAML, OAUTH or OIDC](./sso.mdx) | -| CC6.6 - Implements Boundary Protection Systems | Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. | [Trusted clusters](../setup/admin/trustedclusters.mdx) | +| CC6.6 - Requires Additional Authentication or Credentials | Additional authentication information or credentials are required when accessing the system from outside its boundaries. 
| [Yes, Teleport can manage MFA with TOTP, WebAuthn or U2F Standards or connect to your Identity Provider using SAML, OAUTH or OIDC](../../access-controls/sso.mdx) | +| CC6.6 - Implements Boundary Protection Systems | Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. | [Trusted clusters](../../management/admin/trustedclusters.mdx) | | CC6.7 - Uses Encryption Technologies or Secure Communication Channels to Protect Data | Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. | [Teleport has strong encryption including a FedRAMP compliant FIPS mode](./fedramp.mdx#starting-teleport-in-fips-mode) | -| CC7.2 - Implements Detection Policies, Procedures, and Tools | Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. | [Teleport creates detailed SSH Audit Logs with Metadata](../setup/reference/audit.mdx)

[Use BPF Session Recording to catch malicious program execution](../server-access/guides/bpf-session-recording.mdx) | -| CC7.2 - Designs Detection Measures | Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. | [Use Enhanced Session Recording to catch malicious program execution, capture TCP connections and log programs accessing files on the system the should not be accessing.](../server-access/guides/bpf-session-recording.mdx) | -| CC7.3 - Communicates and Reviews Detected Security Events | Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. | [Use Session recording to replay and review suspicious sessions](../architecture/nodes.mdx#ssh-session-recording). | -| CC7.3 - Develops and Implements Procedures to Analyze Security Incidents | Procedures are in place to analyze security incidents and determine system impact. | [Analyze detailed logs and replay recorded sessions to determine impact. See exactly what files were accessed during an incident.](../server-access/guides/bpf-session-recording.mdx) | -| CC7.4 - Contains Security Incidents | Procedures are in place to contain security incidents that actively threaten entity objectives. | [Use Teleport to quickly revoke access and contain an active incident](../access-controls/guides/locking.mdx)

[Use Shared Sessions so Multiple On-Call Engineers can collaborate and fight fires together.](../use-teleport/tsh.mdx#sharing-sessions) | -| CC7.4 - Ends Threats Posed by Security Incidents | Procedures are in place to mitigate the effects of ongoing security incidents. | [Use Teleport to quickly revoke access and contain an active incident](../access-controls/guides/locking.mdx) | -| CC7.4 - Obtains Understanding of Nature of Incident and Determines Containment Strategy | An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. | [Use Teleport’s Session Recording and Replay along with logs to understand what actions led to an incident.](../setup/reference/audit.mdx#recorded-sessions) | -| CC7.4 - Evaluates the Effectiveness of Incident Response | The design of incident-response activities is evaluated for effectiveness on a periodic basis. | [Use audit logs and session recordings to find pain points in your incident response plan and improve effectiveness](../server-access/guides/bpf-session-recording.mdx). | -| CC7.4 - Periodically Evaluates Incidents | Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. | [Use Session recording and audit logs to find patterns that lead to incidents.](../server-access/guides/bpf-session-recording.mdx) | -| CC7.5 - Determines Root Cause of the Event | The root cause of the event is determined. 
| [Use Session recording and audit logs to find root cause.](../server-access/guides/bpf-session-recording.mdx) | -| CC7.5 - Improves Response and Recovery Procedures | Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. | [Replay Session recordings at your 'after action review' or postmortem meetings](../server-access/guides/bpf-session-recording.mdx) | +| CC7.2 - Implements Detection Policies, Procedures, and Tools | Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. | [Teleport creates detailed SSH Audit Logs with Metadata](../../reference/audit.mdx)

[Use BPF Session Recording to catch malicious program execution](../../server-access/guides/bpf-session-recording.mdx) | +| CC7.2 - Designs Detection Measures | Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. | [Use Enhanced Session Recording to catch malicious program execution, capture TCP connections and log programs accessing files on the system the should not be accessing.](../../server-access/guides/bpf-session-recording.mdx) | +| CC7.3 - Communicates and Reviews Detected Security Events | Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. | [Use Session recording to replay and review suspicious sessions](../../architecture/nodes.mdx#ssh-session-recording). | +| CC7.3 - Develops and Implements Procedures to Analyze Security Incidents | Procedures are in place to analyze security incidents and determine system impact. | [Analyze detailed logs and replay recorded sessions to determine impact. See exactly what files were accessed during an incident.](../../server-access/guides/bpf-session-recording.mdx) | +| CC7.4 - Contains Security Incidents | Procedures are in place to contain security incidents that actively threaten entity objectives. | [Use Teleport to quickly revoke access and contain an active incident](../../access-controls/guides/locking.mdx)

[Use Shared Sessions so Multiple On-Call Engineers can collaborate and fight fires together.](../../connect-your-client/tsh.mdx#sharing-sessions) | +| CC7.4 - Ends Threats Posed by Security Incidents | Procedures are in place to mitigate the effects of ongoing security incidents. | [Use Teleport to quickly revoke access and contain an active incident](../../access-controls/guides/locking.mdx) | +| CC7.4 - Obtains Understanding of Nature of Incident and Determines Containment Strategy | An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach. | [Use Teleport’s Session Recording and Replay along with logs to understand what actions led to an incident.](../../reference/audit.mdx#recorded-sessions) | +| CC7.4 - Evaluates the Effectiveness of Incident Response | The design of incident-response activities is evaluated for effectiveness on a periodic basis. | [Use audit logs and session recordings to find pain points in your incident response plan and improve effectiveness](../../server-access/guides/bpf-session-recording.mdx). | +| CC7.4 - Periodically Evaluates Incidents | Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. | [Use Session recording and audit logs to find patterns that lead to incidents.](../../server-access/guides/bpf-session-recording.mdx) | +| CC7.5 - Determines Root Cause of the Event | The root cause of the event is determined. 
| [Use Session recording and audit logs to find root cause.](../../server-access/guides/bpf-session-recording.mdx) | +| CC7.5 - Improves Response and Recovery Procedures | Lessons learned are analyzed and the incident-response plan and recovery procedures are improved. | [Replay Session recordings at your 'after action review' or postmortem meetings](../../server-access/guides/bpf-session-recording.mdx) | diff --git a/docs/pages/access-controls/getting-started.mdx b/docs/pages/access-controls/getting-started.mdx index fc9f952b055a6..3dfa9e5fd2602 100644 --- a/docs/pages/access-controls/getting-started.mdx +++ b/docs/pages/access-controls/getting-started.mdx @@ -104,7 +104,7 @@ users within your SSO solution to Teleport roles. - Follow our [SAML Okta Guide](../enterprise/sso/okta.mdx#configure-okta) to + Follow our [SAML Okta Guide](./sso/okta.mdx#configure-okta) to create a SAML application. Save the file below as `okta.yaml` and update the `acs` field. @@ -133,7 +133,7 @@ users within your SSO solution to Teleport roles. - Follow our [OIDC guides](../enterprise/sso/oidc.mdx#identity-providers) to + Follow our [OIDC guides](./sso/oidc.mdx#identity-providers) to create an OIDC application. Copy the YAML below to a file called `oidc.yaml` and edit the information to diff --git a/docs/pages/access-controls/guides.mdx b/docs/pages/access-controls/guides.mdx index 98485e9d5e500..2636eeaa05784 100644 --- a/docs/pages/access-controls/guides.mdx +++ b/docs/pages/access-controls/guides.mdx @@ -1,5 +1,5 @@ --- -title: Configure Access +title: Cluster Access and RBAC description: How to configure access to specific resources in your infrastructure or your Teleport cluster as a whole. layout: tocless-doc --- diff --git a/docs/pages/access-controls/guides/dual-authz.mdx b/docs/pages/access-controls/guides/dual-authz.mdx index cc00e3e2794c4..f730b0c7bfae6 100644 --- a/docs/pages/access-controls/guides/dual-authz.mdx +++ b/docs/pages/access-controls/guides/dual-authz.mdx 
@@ -16,7 +16,7 @@ of two team members for a privileged role `dbadmin`. This guide requires a commercial edition of Teleport. The open source - edition of Teleport only supports [GitHub](../../setup/admin/github-sso.mdx) as + edition of Teleport only supports [GitHub](../../access-controls/sso/github-sso.mdx) as an SSO provider. diff --git a/docs/pages/access-controls/guides/impersonation.mdx b/docs/pages/access-controls/guides/impersonation.mdx index 297156fce4f2e..2489761616817 100644 --- a/docs/pages/access-controls/guides/impersonation.mdx +++ b/docs/pages/access-controls/guides/impersonation.mdx @@ -341,5 +341,5 @@ Here is an explanation of the fields used in the `where` conditions within this | `impersonate_role.metadata.labels[" -If you're using Teleport in [TLS routing](../../setup/operations/tls-routing.mdx) +If you're using Teleport in [TLS routing](../management/operations/tls-routing.mdx) mode where each database protocol is multiplexed on the same web proxy port, use the following command to start a local TLS proxy your GUI database client will be connecting to: 
@@ -175,21 +175,21 @@ PostgreSQL servers. To configure a new connection, right-click on "Servers" in the main browser view and create a new server: -![pgAdmin Add Server](../../../img/database-access/pgadmin-add-server@2x.png) +![pgAdmin Add Server](../../img/database-access/pgadmin-add-server@2x.png) In the "General" tab of the new server dialog, enter the server connection name: -![pgAdmin General](../../../img/database-access/pgadmin-general@2x.png) +![pgAdmin General](../../img/database-access/pgadmin-general@2x.png) In the "Connection" tab, fill in the hostname, port, user and database name from the configuration above: -![pgAdmin Connection](../../../img/database-access/pgadmin-connection@2x.png) +![pgAdmin Connection](../../img/database-access/pgadmin-connection@2x.png) In the "SSL" tab, set "SSL Mode" to `Verify-Full` and fill in paths for client certificate, key and root certificate from the configuration above: -![pgAdmin SSL](../../../img/database-access/pgadmin-ssl@2x.png) +![pgAdmin SSL](../../img/database-access/pgadmin-ssl@2x.png) Click "Save", and pgAdmin should immediately connect. If pgAdmin prompts you for password, leave the password field empty and click OK. @@ -203,7 +203,7 @@ for more information). Use the "Database native" authentication with an empty password: ![DBeaver Postgres Configure -Server](../../../img/database-access/dbeaver-pg-configure-server.png) +Server](../../img/database-access/dbeaver-pg-configure-server.png) Clicking on "Test connection" should return a connection success message. Then, click on "Finish" to save the configuration. 
@@ -218,17 +218,17 @@ In the MySQL Workbench "Setup New Connection" dialog, fill out "Connection Name", "Hostname", "Port", and "Username": ![MySQL Workbench -Parameters](../../../img/database-access/workbench-parameters@2x.png) +Parameters](../../img/database-access/workbench-parameters@2x.png) In the "SSL" tab, set "Use SSL" to `Require and Verify Identity` and enter the paths to your CA, certificate, and private key files (see [Get connection information](./gui-clients.mdx#get-connection-information)): -![MySQL Workbench SSL](../../../img/database-access/workbench-ssl@2x.png) +![MySQL Workbench SSL](../../img/database-access/workbench-ssl@2x.png) Optionally, click "Test Connection" to verify connectivity: -![MySQL Workbench Test](../../../img/database-access/workbench-test@2x.png) +![MySQL Workbench Test](../../img/database-access/workbench-test@2x.png) Save the connection and connect to the database. 
@@ -236,26 +236,26 @@ Save the connection and connect to the database. Right-click in the "Database Navigator" menu in the main view and select Create > Connection: -![DBeaver Add Server](../../../img/database-access/dbeaver-add-server.png) +![DBeaver Add Server](../../img/database-access/dbeaver-add-server.png) In the search bar of the "Connect to a database" window that opens up, type "mysql", select the MySQL driver, and click "Next": -![DBeaver Select Driver](../../../img/database-access/dbeaver-select-driver.png) +![DBeaver Select Driver](../../img/database-access/dbeaver-select-driver.png) In the newly-opened "Connection Settings" tab, use the Host as `localhost` and Port as the one returned by the proxy command (`62652` in the example above): -![DBeaver Select Configure Server](../../../img/database-access/dbeaver-configure-server.png) +![DBeaver Select Configure Server](../../img/database-access/dbeaver-configure-server.png) In that same tab, set the username to match the one that you are connecting to using Teleport and uncheck the "Save password locally" box: -![DBeaver Select Configure User](../../../img/database-access/dbeaver-configure-user.png) +![DBeaver Select Configure User](../../img/database-access/dbeaver-configure-user.png) Click the "Edit Driver Settings" button on the "Main" tab, check the "No Authentication" box, and click "Ok" to save: -![DBeaver Driver Settings](../../../img/database-access/dbeaver-driver-settings.png) +![DBeaver Driver Settings](../../img/database-access/dbeaver-driver-settings.png) Once you are back in the "Connection Settings" window, click "Ok" to finish and DBeaver should connect to the remote MySQL server automatically. 
@@ -267,21 +267,21 @@ graphical client. On the "New Connection" panel, click on "Fill in connection fields individually". -![MongoDB Compass new connection](../../../img/database-access/compass-new-connection@2x.png) +![MongoDB Compass new connection](../../img/database-access/compass-new-connection@2x.png) On the "Hostname" tab, enter the hostname and port of the proxy you will use to access the database (see [Get connection information](./gui-clients.mdx#get-connection-information)). Leave "Authentication" as None. -![MongoDB Compass hostname](../../../img/database-access/compass-hostname@2x.png) +![MongoDB Compass hostname](../../img/database-access/compass-hostname@2x.png) On the "More Options" tab, set SSL to "Client and Server Validation" and set the CA as well as the client key and certificate. Note that a CA path must be provided and be able to validate the certificate presented by your Teleport Proxy Service's web endpoint. -![MongoDB Compass more options](../../../img/database-access/compass-more-options@2x.png) +![MongoDB Compass more options](../../img/database-access/compass-more-options@2x.png) Click on the "Connect" button. @@ -294,7 +294,7 @@ more information.) Use the SQL Server Authentication option and keep the Password field empty: -![DBeaver connection options](../../../img/database-access/guides/sqlserver/dbeaver-connection@2x.png) +![DBeaver connection options](../../img/database-access/guides/sqlserver/dbeaver-connection@2x.png) Click OK to connect. @@ -308,7 +308,7 @@ more information.) Select the "User & Password" authentication option and keep the "Password" field empty: -![DataGrip connection options](../../../img/database-access/guides/sqlserver/datagrip-connection@2x.png) +![DataGrip connection options](../../img/database-access/guides/sqlserver/datagrip-connection@2x.png) Click "OK" to connect. 
@@ -320,7 +320,7 @@ Click "OK" to connect. After opening Redis Insight click `ADD REDIS DATABASE`. -![Redis Insight Startup Screen](../../../img/database-access/guides/redis/redisinsight-startup.png) +![Redis Insight Startup Screen](../../img/database-access/guides/redis/redisinsight-startup.png) Now start a local proxy to your Redis instance: @@ -331,18 +331,18 @@ the `tsh` command you ran in [Get connection information](#get-connection-inform Provide your Redis username as `Username` and password as `Password`. -![Redis Insight Configuration](../../../img/database-access/guides/redis/redisinsight-add-config.png) +![Redis Insight Configuration](../../img/database-access/guides/redis/redisinsight-add-config.png) Next, check the `Use TLS` and `Verify TLS Certificates` boxes and copy the CA certificate returned by `tsh proxy db`. Copy the private key and certificate to corresponding fields. Click `Add Redis Database`. -![Redis Insight TLS Configuration](../../../img/database-access/guides/redis/redisinsight-tls-config.png) +![Redis Insight TLS Configuration](../../img/database-access/guides/redis/redisinsight-tls-config.png) Congratulations! You have just connected to your Redis instance. -![Redis Insight Connected](../../../img/database-access/guides/redis/redisinsight-connected.png) +![Redis Insight Connected](../../img/database-access/guides/redis/redisinsight-connected.png) ## Snowflake: JetBrains (IntelliJ, Goland, DataGrip, PyCharm, etc.) 
@@ -355,25 +355,25 @@ tsh proxy db --tunnel --port 2000 snowflake In "Database Explorer" click the "add" button, pick "Data Source", and then pick "Snowflake": -![JetBrains Add Database](../../../img/database-access/guides/snowflake/jetbrains-add-database.png) +![JetBrains Add Database](../../img/database-access/guides/snowflake/jetbrains-add-database.png) Next, set "Host" to `localhost` and "Port" to the port returned by the `tsh proxy db` command you ran earlier (`2000` in the example above). Set the "Username" to match the one that you are assuming when you connect to Snowflake via Teleport and enter any value (e.g., "teleport") in the "Password" field (the value of "Password" will be ignored but is required to create a data source in your IDE): -![JetBrains General](../../../img/database-access/guides/snowflake/jetbrains-general.png) +![JetBrains General](../../img/database-access/guides/snowflake/jetbrains-general.png) Switch to the "Advanced" tab, set any value (e.g., "teleport") for "account", and add a new record named `ssl` with value `off` (as with "Password", "account" is ignored while establishing the connection but required by your IDE): -![JetBrains Advanced](../../../img/database-access/guides/snowflake/jetbrains-advanced.png) +![JetBrains Advanced](../../img/database-access/guides/snowflake/jetbrains-advanced.png) Teleport ignores the provided password and the account name as internally it uses values from the Database Agent configuration. Setting "SSL" to `off` only disables encryption on your local machine. The connection to Snowflake is encrypted by Teleport. Now you can click "Test Connection" to check your configuration. -![JetBrains Success](../../../img/database-access/guides/snowflake/jetbrains-success.png) +![JetBrains Success](../../img/database-access/guides/snowflake/jetbrains-success.png) Congratulations! You have just connected to your Snowflake instance. 
@@ -386,29 +386,29 @@ tsh proxy db --tunnel --port 2000 snowflake Add a new database by clicking the "add" icon in the top-left corner: -![DBeaver Main Screen](../../../img/database-access/guides/snowflake/dbeaver-main-screen.png) +![DBeaver Main Screen](../../img/database-access/guides/snowflake/dbeaver-main-screen.png) In the search bar of the "Connect to a database" window that opens up, type "snowflake", select the Snowflake driver, and click "Next": -![DBeaver Select Database](../../../img/database-access/guides/snowflake/dbeaver-select-database.png) +![DBeaver Select Database](../../img/database-access/guides/snowflake/dbeaver-select-database.png) Set "Host" to `localhost` and "Port" to the port returned by the `tsh proxy db` command you ran earlier (`2000` in the example above). In the "Authentication" section set the "Username" to match the database username passed to Teleport with `--db-user` and enter any value (e.g., "teleport") in the "Password" field (the value of "Password" will be ignored when establishing a connection but is required by DBeaver to register your database): -![DBeaver Main](../../../img/database-access/guides/snowflake/dbeaver-main.png) +![DBeaver Main](../../img/database-access/guides/snowflake/dbeaver-main.png) Next, click the "Driver properties" tab and set "account" to any value (e.g., "teleport"; as with "Password", the value of "account" will be ignored when establishing a connection but is required by DBeaver to register your database). In "User properties", set "ssl" to `off`: -![DBeaver Driver](../../../img/database-access/guides/snowflake/dbeaver-driver.png) +![DBeaver Driver](../../img/database-access/guides/snowflake/dbeaver-driver.png) Teleport ignores the provided password and the account name as internally it uses values from the Database Agent configuration. SSL set to `off` disables only encryption on local machine. Connection to Snowflake is encrypted by Teleport. Now you can click on "Test Connection..." 
in the bottom-left corner: -![DBeaver Success](../../../img/database-access/guides/snowflake/dbeaver-success.png) +![DBeaver Success](../../img/database-access/guides/snowflake/dbeaver-success.png) Congratulations! You have just connected to your Snowflake instance. diff --git a/docs/pages/use-teleport/teleport-connect.mdx b/docs/pages/connect-your-client/teleport-connect.mdx similarity index 100% rename from docs/pages/use-teleport/teleport-connect.mdx rename to docs/pages/connect-your-client/teleport-connect.mdx diff --git a/docs/pages/use-teleport/tsh.mdx b/docs/pages/connect-your-client/tsh.mdx similarity index 95% rename from docs/pages/use-teleport/tsh.mdx rename to docs/pages/connect-your-client/tsh.mdx index 9655f97ddf59e..3a2afa9631e59 100644 --- a/docs/pages/use-teleport/tsh.mdx +++ b/docs/pages/connect-your-client/tsh.mdx @@ -21,7 +21,7 @@ terminal for the CLI reference. ## Introduction For the impatient, here's an example of how a user would typically use -[`tsh`](../setup/reference/cli.mdx#tsh): +[`tsh`](../reference/cli.mdx#tsh): @@ -76,7 +76,7 @@ $ tsh logout In other words, Teleport was designed to be fully compatible with existing SSH-based workflows and does not require users to learn anything new, other than -to call [`tsh login`](../setup/reference/cli.mdx#tsh-login) in the beginning. +to call [`tsh login`](../reference/cli.mdx#tsh-login) in the beginning. ## Installing tsh @@ -114,7 +114,7 @@ $ tsh ssh --proxy=mytenant.teleport.sh --user=joe root@node -[CLI Docs - tsh ssh](../setup/reference/cli.mdx#tsh-ssh) +[CLI Docs - tsh ssh](../reference/cli.mdx#tsh-ssh) ## Logging in @@ -148,7 +148,7 @@ $ tsh login --proxy=mytenant.teleport.sh -[CLI Docs - tsh login](../setup/reference/cli.mdx#tsh-login) +[CLI Docs - tsh login](../reference/cli.mdx#tsh-login) | Port | Description | | - | - | 
@@ -164,10 +164,10 @@ This allows you to authenticate just once, maybe at the beginning of the day. Su type="tip" title="Tip" > - It is recommended to always use [`tsh login`](../setup/reference/cli.mdx#tsh-login) before using any other `tsh` commands. This allows users to omit `--proxy` flag in subsequent tsh commands. For example `tsh ssh user@host` will work. + It is recommended to always use [`tsh login`](../reference/cli.mdx#tsh-login) before using any other `tsh` commands. This allows users to omit `--proxy` flag in subsequent tsh commands. For example `tsh ssh user@host` will work. -A Teleport cluster can be configured for multiple user identity sources. For example, a cluster may have a local user called `admin` while regular users should [authenticate via GitHub](../setup/admin/github-sso.mdx). In this case, you have to pass `--auth` flag to `tsh login` to specify which identity storage to use: +A Teleport cluster can be configured for multiple user identity sources. For example, a cluster may have a local user called `admin` while regular users should [authenticate via GitHub](../access-controls/sso/github-sso.mdx). In this case, you have to pass `--auth` flag to `tsh login` to specify which identity storage to use: @@ -217,7 +217,7 @@ $ tsh login --proxy=mytenant.teleport.sh --browser=none In this situation, a link will be printed on the screen. You can copy and paste this link into a browser of your choice to continue the login flow. -[CLI Docs - tsh login](../setup/reference/cli.mdx#tsh-login) +[CLI Docs - tsh login](../reference/cli.mdx#tsh-login) ### Inspecting an SSH certificate @@ -257,7 +257,7 @@ $ tsh status -[CLI Docs - tsh status](../setup/reference/cli.mdx#tsh-status) +[CLI Docs - tsh status](../reference/cli.mdx#tsh-status) ### SSH agent support 
@@ -278,7 +278,7 @@ variable to `false` in your shell profile to make this permanent. ### Identity files -[`tsh login`](../setup/reference/cli.mdx#tsh-login) can also save the user certificate into a +[`tsh login`](../reference/cli.mdx#tsh-login) can also save the user certificate into a file: @@ -370,7 +370,7 @@ $ tctl auth sign --ttl=1h --user=jenkins --out=jenkins.pem -[CLI Docs - tctl auth sign](../setup/reference/cli.mdx#tctl-auth-sign) +[CLI Docs - tctl auth sign](../reference/cli.mdx#tctl-auth-sign) Now `jenkins.pem` can be copied to the Jenkins server and passed to the `-i` (identity file) flag of `tsh`. @@ -399,7 +399,7 @@ $ tsh ls # graviton 10.1.0.7:3022 os:osx ``` -[CLI Docs - tsh ls](../setup/reference/cli.mdx#tsh-ls) +[CLI Docs - tsh ls](../reference/cli.mdx#tsh-ls) `tsh ls` can apply a filter based on the node labels. @@ -412,7 +412,7 @@ $ tsh ls os=osx # graviton 33333333-aaaa-1284 10.1.0.7:3022 os:osx ``` -[CLI Docs -tsh ls](../setup/reference/cli.mdx#tsh-ls) +[CLI Docs -tsh ls](../reference/cli.mdx#tsh-ls)
@@ -645,7 +645,7 @@ Teleport supports creating clusters of servers located behind firewalls **without any open listening TCP ports**. This works by creating reverse SSH tunnels from behind-firewall environments into a Teleport Proxy Service you have access to. -These features are called **Trusted Clusters**. Refer to [the Trusted Clusters guide](../setup/admin/trustedclusters.mdx) +These features are called **Trusted Clusters**. Refer to [the Trusted Clusters guide](../management/admin/trustedclusters.mdx) to learn how a Trusted Cluster can be configured. @@ -679,7 +679,7 @@ $ tsh --proxy=mytenant.teleport.sh clusters -[CLI Docs - tsh clusters](../setup/reference/cli.mdx#tsh-clusters) +[CLI Docs - tsh clusters](../reference/cli.mdx#tsh-clusters) Now you can use the `--cluster` flag with any `tsh` command. For example, to list SSH nodes that are members of the `production` cluster, simply run: @@ -839,4 +839,4 @@ DEBU [TSH] Self re-exec command: tsh [status --format=json]. tsh/aliases.g ``` ## Further reading -- [CLI Reference](../setup/reference/cli.mdx). +- [CLI Reference](../reference/cli.mdx). diff --git a/docs/pages/database-access/architecture.mdx b/docs/pages/database-access/architecture.mdx index 8f49077496bff..554f84e981307 100644 --- a/docs/pages/database-access/architecture.mdx +++ b/docs/pages/database-access/architecture.mdx @@ -100,7 +100,7 @@ the Proxy. For configuring graphical clients, use the `tsh proxy db` command, which prints detailed information about the connection such as the host, port, and location -of the secrets. See [GUI Clients](./guides/gui-clients.mdx) for details. +of the secrets. See [GUI Clients](../connect-your-client/gui-clients.mdx) for details. ### Proxy to Database service diff --git a/docs/pages/database-access/faq.mdx b/docs/pages/database-access/faq.mdx index feaba17969556..a5f959ca5a2e9 100644 --- a/docs/pages/database-access/faq.mdx +++ b/docs/pages/database-access/faq.mdx 
@@ -74,7 +74,7 @@ should work. Standard command-line clients such as `psql`, `mysql`, `mongo` or `mongosh` are supported. There are also instructions for configuring select -[graphical clients](./guides/gui-clients.mdx). +[graphical clients](../connect-your-client/gui-clients.mdx). ## When will you support X database? diff --git a/docs/pages/database-access/getting-started.mdx b/docs/pages/database-access/getting-started.mdx index 230cfaa368df0..fbebf0e2a2e22 100644 --- a/docs/pages/database-access/getting-started.mdx +++ b/docs/pages/database-access/getting-started.mdx @@ -227,6 +227,6 @@ For the next steps, dive deeper into the topics relevant to your Database Access use-case, for example: - Check out configuration [guides](./guides.mdx). -- Learn how to configure [GUI clients](./guides/gui-clients.mdx). +- Learn how to configure [GUI clients](../connect-your-client/gui-clients.mdx). - Learn about Database Access [role-based access control](./rbac.mdx). - See [frequently asked questions](./faq.mdx). diff --git a/docs/pages/database-access/rbac.mdx b/docs/pages/database-access/rbac.mdx index ab9f96be220bd..0af8c3457f67f 100644 --- a/docs/pages/database-access/rbac.mdx +++ b/docs/pages/database-access/rbac.mdx @@ -100,7 +100,7 @@ is not currently enforced on MySQL connection attempts. Similar to other role fields, `db_*` fields support templating variables. -The `{{external.xyz}}` variables are replaced with values from external [SSO](../enterprise/sso.mdx) +The `{{external.xyz}}` variables are replaced with values from external [SSO](../access-controls/sso.mdx) providers. For OIDC, they will be expanded with a value of an "xyz" claim; for SAML — with an "xyz" assertion value. diff --git a/docs/pages/setup/deployments.mdx b/docs/pages/deploy-a-cluster/deployments.mdx similarity index 100% rename from docs/pages/setup/deployments.mdx rename to docs/pages/deploy-a-cluster/deployments.mdx 
diff --git a/docs/pages/setup/deployments/aws-terraform.mdx b/docs/pages/deploy-a-cluster/deployments/aws-terraform.mdx similarity index 98% rename from docs/pages/setup/deployments/aws-terraform.mdx rename to docs/pages/deploy-a-cluster/deployments/aws-terraform.mdx index 03dfe0d8840b8..a338a65821da4 100644 --- a/docs/pages/setup/deployments/aws-terraform.mdx +++ b/docs/pages/deploy-a-cluster/deployments/aws-terraform.mdx @@ -297,7 +297,7 @@ table for cluster state will be the same as the cluster name configured in the [ In our example, the DynamoDB table would be called `example-cluster`. -More information about how Teleport works with DynamoDB can be found in our [Storage Backends guide](../reference/backends.mdx#dynamodb). +More information about how Teleport works with DynamoDB can be found in our [Storage Backends guide](../../reference/backends.mdx#dynamodb). ### Audit event storage @@ -307,7 +307,7 @@ with `-events` appended to the end. In our example, the DynamoDB table would be called `example-cluster-events`. -More information about how Teleport works with DynamoDB can be found in our [Storage Backends guide](../reference/backends.mdx#dynamodb). +More information about how Teleport works with DynamoDB can be found in our [Storage Backends guide](../../reference/backends.mdx#dynamodb). ### Recorded session storage 
@@ -707,9 +707,9 @@ ways to integrate Teleport onto your servers. We recommend looking at our [Insta To add new nodes/EC2 servers that you can "SSH into" you'll need to: - [Install the Teleport binary on the Server](../../installation.mdx) -- [Run Teleport - we recommend using systemd](../admin/daemon.mdx) -- [Set the correct settings in /etc/teleport.yaml](../reference/config.mdx) -- [Add Nodes to the Teleport cluster](../admin/adding-nodes.mdx) +- [Run Teleport - we recommend using systemd](../../management/admin/daemon.mdx) +- [Set the correct settings in /etc/teleport.yaml](../../reference/config.mdx) +- [Add Nodes to the Teleport cluster](../../management/admin/adding-nodes.mdx) ### Getting the CA pin hash @@ -731,7 +731,7 @@ $ aws ssm get-parameter --region ${TF_VAR_region} --name "/teleport/${TF_VAR_clu # 992a9725-0a64-428d-8e5e-308e6877743d ``` -You can also generate a Node join token using `tctl tokens add --type=node` [as detailed here in our admin guide](../admin/adding-nodes.mdx). +You can also generate a Node join token using `tctl tokens add --type=node` [as detailed here in our admin guide](../../management/admin/adding-nodes.mdx). ### Joining Nodes via the Teleport Auth Service @@ -753,7 +753,7 @@ auth_servers: ### Joining Nodes via Teleport IoT/Node tunneling To join Teleport Nodes from outside the same VPC, you will either need to investigate VPC peering/gateways (out of scope -for this document) or join your nodes using [Teleport's node tunneling](../admin/adding-nodes.mdx) functionality. +for this document) or join your nodes using [Teleport's node tunneling](../../management/admin/adding-nodes.mdx) functionality. With this method, you can join the nodes using the public facing proxy address - `teleport.example.com:443` for our example. 
@@ -781,7 +781,7 @@ spec: ``` You can generate a token for adding the trusted cluster using `tctl tokens add --type=trusted_cluster` after connecting -to an auth server. Follow the instructions in our [Trusted Clusters guide](../admin/trustedclusters.mdx). +to an auth server. Follow the instructions in our [Trusted Clusters guide](../../management/admin/trustedclusters.mdx). ## Script to quickly connect to instances diff --git a/docs/pages/setup/deployments/digitalocean.mdx b/docs/pages/deploy-a-cluster/deployments/digitalocean.mdx similarity index 98% rename from docs/pages/setup/deployments/digitalocean.mdx rename to docs/pages/deploy-a-cluster/deployments/digitalocean.mdx index e20ebd96e63cb..6dfbf5b438f56 100644 --- a/docs/pages/setup/deployments/digitalocean.mdx +++ b/docs/pages/deploy-a-cluster/deployments/digitalocean.mdx @@ -9,7 +9,7 @@ DigitalOcean with the Teleport 1-Click Droplet app. -If you are looking for a manual installation, refer to our [Linux installation guide](../../getting-started/linux-server.mdx). +If you are looking for a manual installation, refer to our [Linux installation guide](../../deploy-a-cluster/open-source.mdx). diff --git a/docs/pages/setup/deployments/gcp.mdx b/docs/pages/deploy-a-cluster/deployments/gcp.mdx similarity index 96% rename from docs/pages/setup/deployments/gcp.mdx rename to docs/pages/deploy-a-cluster/deployments/gcp.mdx index 2ac2e8784a817..89d248f0f8f4b 100644 --- a/docs/pages/setup/deployments/gcp.mdx +++ b/docs/pages/deploy-a-cluster/deployments/gcp.mdx 
@@ -78,7 +78,7 @@ GCP relies heavily on [Health Checks](https://cloud.google.com/load-balancing/do this is helpful when adding new instances to an instance group. To enable health checks in Teleport start with `teleport start --diag-addr=0.0.0.0:3000` -see [Admin Guide: Troubleshooting](../admin/troubleshooting.mdx) for more information. +see [Admin Guide: Troubleshooting](../../management/admin/troubleshooting.mdx) for more information. ### Storage: Cloud Firestore @@ -230,4 +230,4 @@ proxy_service: **4. Add Users** -Follow [adding users](../../enterprise/getting-started.mdx#adding-users) or integrate with [Google Workspace](../../enterprise/sso/google-workspace.mdx) to provide SSO access. +Follow [adding users](../../deploy-a-cluster/teleport-enterprise/getting-started.mdx#adding-users) or integrate with [Google Workspace](../../access-controls/sso/google-workspace.mdx) to provide SSO access. diff --git a/docs/pages/setup/deployments/ibm.mdx b/docs/pages/deploy-a-cluster/deployments/ibm.mdx similarity index 100% rename from docs/pages/setup/deployments/ibm.mdx rename to docs/pages/deploy-a-cluster/deployments/ibm.mdx diff --git a/docs/pages/setup/helm-deployments.mdx b/docs/pages/deploy-a-cluster/helm-deployments.mdx similarity index 100% rename from docs/pages/setup/helm-deployments.mdx rename to docs/pages/deploy-a-cluster/helm-deployments.mdx diff --git a/docs/pages/setup/helm-deployments/aws.mdx b/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx similarity index 98% rename from docs/pages/setup/helm-deployments/aws.mdx rename to docs/pages/deploy-a-cluster/helm-deployments/aws.mdx index f0d4ce6cbda9c..4858f82972735 100644 --- a/docs/pages/setup/helm-deployments/aws.mdx +++ b/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx 
@@ -545,7 +545,7 @@ You can delegate your autoscaling configuration to Teleport or manage it by crea The following steps will set up Teleport-configured DynamoDB autoscaling. You must grant autoscaling configuration rights to Teleport, as documented in -[the DynamoDB autoscaling section](../reference/backends.mdx#dynamodb-autoscaling). +[the DynamoDB autoscaling section](../../reference/backends.mdx#dynamodb-autoscaling). Set the following fields in your existing `aws-values.yaml` file and replace the numeric values with yours: @@ -587,10 +587,10 @@ $ helm --namespace cert-manager uninstall cert-manager ## Next steps -You can follow our [Getting Started with Teleport guide](../guides/docker.mdx#step-34-creating-a-teleport-user) to finish setting up your +You can follow our [Getting Started with Teleport guide](../../management/guides/docker.mdx#step-34-creating-a-teleport-user) to finish setting up your Teleport cluster. -See the [high availability section of our Helm chart reference](../helm-reference/teleport-cluster.mdx#highavailability) for more details on high availability. +See the [high availability section of our Helm chart reference](../../reference/helm-reference/teleport-cluster.mdx#highavailability) for more details on high availability. Read the [`cert-manager` documentation](https://cert-manager.io/docs/). diff --git a/docs/pages/setup/helm-deployments/custom.mdx b/docs/pages/deploy-a-cluster/helm-deployments/custom.mdx similarity index 96% rename from docs/pages/setup/helm-deployments/custom.mdx rename to docs/pages/deploy-a-cluster/helm-deployments/custom.mdx index c5d8bdf712f81..224d8465b9fe6 100644 --- a/docs/pages/setup/helm-deployments/custom.mdx +++ b/docs/pages/deploy-a-cluster/helm-deployments/custom.mdx 
@@ -3,7 +3,7 @@ title: Running Teleport with a Custom Configuration using Helm description: Install and configure a Teleport cluster with a custom configuration using Helm --- -In this guide, we'll explain how to set up a Teleport cluster in Kubernetes using a custom [`teleport.yaml`](../reference/config.mdx) +In this guide, we'll explain how to set up a Teleport cluster in Kubernetes using a custom [`teleport.yaml`](../../reference/config.mdx) config file using Teleport Helm charts. This setup can be useful when you already have an existing Teleport cluster and would like to start running it in Kubernetes, or when @@ -26,7 +26,7 @@ migrating your setup from a legacy version of the Helm charts. In `custom` mode, the `teleport-cluster` Helm chart does not create a `ConfigMap` containing a `teleport.yaml` file for you, but expects that you will provide this yourself. -For this example, we'll be using this `teleport.yaml` configuration file with a static join token (for more information on join tokens, see [Adding Nodes to the Cluster](../admin/adding-nodes.mdx)): +For this example, we'll be using this `teleport.yaml` configuration file with a static join token (for more information on join tokens, see [Adding Nodes to the Cluster](../../management/admin/adding-nodes.mdx)): ```code $ cat << EOF > teleport.yaml @@ -251,7 +251,7 @@ $ helm upgrade teleport teleport/teleport-cluster \ When using `custom` mode, you **must** use highly-available storage (e.g. etcd, DynamoDB, or Firestore) for multiple replicas to be supported. - [Information on supported Teleport storage backends](../reference/backends.mdx) + [Information on supported Teleport storage backends](../../reference/backends.mdx) Manually configuring NFS-based storage or `ReadWriteMany` volume claims is **NOT** supported for an HA deployment and will result in errors. 
@@ -270,5 +270,5 @@ $ helm --namespace teleport uninstall teleport ## Next steps -You can follow our [Getting Started with Teleport guide](../guides/docker.mdx#step-34-creating-a-teleport-user) to finish setting up your +You can follow our [Getting Started with Teleport guide](../../management/guides/docker.mdx#step-34-creating-a-teleport-user) to finish setting up your Teleport cluster. diff --git a/docs/pages/setup/helm-deployments/digitalocean.mdx b/docs/pages/deploy-a-cluster/helm-deployments/digitalocean.mdx similarity index 100% rename from docs/pages/setup/helm-deployments/digitalocean.mdx rename to docs/pages/deploy-a-cluster/helm-deployments/digitalocean.mdx diff --git a/docs/pages/setup/helm-deployments/gcp.mdx b/docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx similarity index 98% rename from docs/pages/setup/helm-deployments/gcp.mdx rename to docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx index 83ec605f1aeda..fd16eb2fc0817 100644 --- a/docs/pages/setup/helm-deployments/gcp.mdx +++ b/docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx @@ -429,7 +429,7 @@ To make changes to your Teleport cluster after deployment, you can use `helm upg Helm defaults to using the latest version of the chart available in the repo, which will also correspond to the latest version of Teleport. You can make sure that the repo is up to date by running `helm repo update`. -If you want to use a different version of Teleport, set the [`teleportVersionOverride`](../helm-reference/teleport-cluster.mdx#teleportversionoverride) value. +If you want to use a different version of Teleport, set the [`teleportVersionOverride`](../../reference/helm-reference/teleport-cluster.mdx#teleportversionoverride) value. Here's an example where we set the chart to use 3 replicas: 
@@ -480,8 +480,8 @@ $ helm --namespace cert-manager uninstall cert-manager ## Next steps -You can follow our [Getting Started with Teleport guide](../guides/docker.mdx#step-34-creating-a-teleport-user) to finish setting up your +You can follow our [Getting Started with Teleport guide](../../management/guides/docker.mdx#step-34-creating-a-teleport-user) to finish setting up your Teleport cluster. -See the [high availability section of our Helm chart reference](../helm-reference/teleport-cluster.mdx#highavailability) for more details on high availability. +See the [high availability section of our Helm chart reference](../../reference/helm-reference/teleport-cluster.mdx#highavailability) for more details on high availability. diff --git a/docs/pages/getting-started/kubernetes-cluster.mdx b/docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx similarity index 94% rename from docs/pages/getting-started/kubernetes-cluster.mdx rename to docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx index 3eaef020ff31f..1c2df642b950f 100644 --- a/docs/pages/getting-started/kubernetes-cluster.mdx +++ b/docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx 
@@ -18,7 +18,7 @@ Teleport can provide secure, unified access to your Kubernetes clusters. This gu While completing this guide, you will deploy a single Teleport pod running the Auth Service and Proxy Service in your Kubernetes cluster, and a load balancer that allows outside traffic to your Teleport cluster. Users can then access your Kubernetes cluster via the Teleport cluster running within it. -If you are already running Teleport on another platform, you can use your existing Teleport deployment to access your Kubernetes cluster. [Follow our guide](../kubernetes-access/getting-started.mdx) to connect your Kubernetes cluster to Teleport. +If you are already running Teleport on another platform, you can use your existing Teleport deployment to access your Kubernetes cluster. [Follow our guide](../../kubernetes-access/getting-started.mdx) to connect your Kubernetes cluster to Teleport. (!docs/pages/includes/cloud/call-to-action.mdx!) @@ -39,7 +39,7 @@ If you are already running Teleport on another platform, you can use your existi - A Kubernetes cluster hosted by a cloud provider, which is required for the load balancer we deploy in this guide. -Teleport also supports Kubernetes in on-premise and air-gapped environments. If you would like to try out Teleport on your local machine, we recommend following our [Docker Compose guide](./docker-compose.mdx). +Teleport also supports Kubernetes in on-premise and air-gapped environments. If you would like to try out Teleport on your local machine, we recommend following our [Docker Compose guide](../../try-out-teleport/docker-compose.mdx). (!docs/pages/includes/kubernetes-access/helm-k8s.mdx!) @@ -189,7 +189,7 @@ $ kubectl exec -ti ${POD?} -- tctl users add alice --roles=member ``` Let's install `tsh` and `tctl` on Linux. -For other install options, check out the [installation guide](../installation.mdx) +For other install options, check out the [installation guide](../../installation.mdx) 
@@ -271,8 +271,8 @@ In this step, we will set up the GitHub Single Sign-On connector for the OSS ver - Follow the [SAML Okta Guide](../enterprise/sso/okta.mdx#configure-okta) to create a SAML app. - Check out [OIDC guides](../enterprise/sso/oidc.mdx#identity-providers) for OpenID Connect apps. + Follow the [SAML Okta Guide](../../access-controls/sso/okta.mdx#configure-okta) to create a SAML app. + Check out [OIDC guides](../../access-controls/sso/oidc.mdx#identity-providers) for OpenID Connect apps. Save the file below as `okta.yaml` and update the `acs` field. Any member in Okta group `okta-admin` will assume a builtin role `access`. @@ -348,8 +348,7 @@ the default one in case there is a problem. ## Next steps -- [Connect Multiple Kubernetes Clusters](../kubernetes-access/guides/multiple-clusters.mdx) -- [Setup CI/CD Access with Teleport](../kubernetes-access/guides/cicd.mdx) -- [Federated Access using Trusted Clusters](../kubernetes-access/guides/federation.mdx) -- [Single-Sign On and Kubernetes Access Control](../kubernetes-access/controls.mdx) - +- [Connect Multiple Kubernetes Clusters](../../kubernetes-access/guides/multiple-clusters.mdx) +- [Setup CI/CD Access with Teleport](../../kubernetes-access/guides/cicd.mdx) +- [Federated Access using Trusted Clusters](../../kubernetes-access/guides/federation.mdx) +- [Single-Sign On and Kubernetes Access Control](../../kubernetes-access/controls.mdx) diff --git a/docs/pages/setup/helm-deployments/migration.mdx b/docs/pages/deploy-a-cluster/helm-deployments/migration.mdx similarity index 98% rename from docs/pages/setup/helm-deployments/migration.mdx rename to docs/pages/deploy-a-cluster/helm-deployments/migration.mdx index 790dbcaa7a52e..a235f52fe2356 100644 --- a/docs/pages/setup/helm-deployments/migration.mdx +++ b/docs/pages/deploy-a-cluster/helm-deployments/migration.mdx 
@@ -10,7 +10,7 @@ to use the newer `teleport-cluster` Helm chart instead. This guide details a very simple migration scenario for a smaller Teleport cluster which is not deployed for high availability. If your Teleport cluster is required to support many users and should be deployed in a highly available configuration, you should - consider [following a different guide](../guides.mdx) and storing your cluster's data in AWS DynamoDB or Google Cloud Firestore. + consider [following a different guide](../helm-deployments.mdx) and storing your cluster's data in AWS DynamoDB or Google Cloud Firestore. diff --git a/docs/pages/getting-started/linux-server.mdx b/docs/pages/deploy-a-cluster/open-source.mdx similarity index 96% rename from docs/pages/getting-started/linux-server.mdx rename to docs/pages/deploy-a-cluster/open-source.mdx index 2aaccb691681f..4338aba4ee7ef 100644 --- a/docs/pages/getting-started/linux-server.mdx +++ b/docs/pages/deploy-a-cluster/open-source.mdx @@ -1,5 +1,5 @@ --- -title: Getting started on a Linux Server +title: Deploy Open Source Teleport on a Linux Server description: This tutorial will guide you through the steps needed to install and run Teleport on a Linux server videoBanner: 6ynLlAUipNE --- @@ -52,7 +52,7 @@ You must also have one of the following: If you would like to try out Teleport on your local machine—e.g., you do not have access to DNS resources or internal public key infrastructure—we recommend -following our [Docker Compose guide](./docker-compose.mdx). +following our [Docker Compose guide](../try-out-teleport/docker-compose.mdx). 
@@ -251,7 +251,7 @@ Install `tsh` on your local machine: If you choose to use Homebrew, you must verify that the versions of `tsh` and `tctl` are compatible with the versions you run server-side. Homebrew usually ships the latest release of Teleport, which may be incompatible with older - versions. See our [compatibility policy](../setup/operations/upgrading.mdx#component-compatibility) for details. + versions. See our [compatibility policy](../management/operations/upgrading.mdx#component-compatibility) for details. @@ -359,10 +359,10 @@ resources in your infrastructure with Teleport: You can also check out our collection of step-by-step guides for common Teleport tasks, such as: -- [Managing users](../setup/admin/users.mdx) -- [Setting up single sign-on with GitHub](../setup/admin/github-sso.mdx) +- [Managing users](../management/admin/users.mdx) +- [Setting up single sign-on with GitHub](../access-controls/sso/github-sso.mdx) - [Recording SSH sessions](../server-access/guides/bpf-session-recording.mdx) -- [Labeling Teleport resources](../setup/admin/labels.mdx) +- [Labeling Teleport resources](../management/admin/labels.mdx) ## Further reading diff --git a/docs/pages/cloud/architecture.mdx b/docs/pages/deploy-a-cluster/teleport-cloud/architecture.mdx similarity index 97% rename from docs/pages/cloud/architecture.mdx rename to docs/pages/deploy-a-cluster/teleport-cloud/architecture.mdx index 64da446ad6fe9..2bd682e400868 100644 --- a/docs/pages/cloud/architecture.mdx +++ b/docs/pages/deploy-a-cluster/teleport-cloud/architecture.mdx @@ -16,7 +16,7 @@ compliance use-cases. ## Managed Teleport Settings -SSH sessions are recorded [on nodes](../architecture/nodes.mdx). +SSH sessions are recorded [on nodes](../../architecture/nodes.mdx). Teleport Cloud Proxy does not terminate SSH sessions when using OpenSSH and `tsh` sessions. The Cloud Proxy terminates TLS for Application, Database, and Kubernetes sessions. 
diff --git a/docs/pages/cloud/downloads.mdx b/docs/pages/deploy-a-cluster/teleport-cloud/downloads.mdx similarity index 100% rename from docs/pages/cloud/downloads.mdx rename to docs/pages/deploy-a-cluster/teleport-cloud/downloads.mdx diff --git a/docs/pages/cloud/faq.mdx b/docs/pages/deploy-a-cluster/teleport-cloud/faq.mdx similarity index 96% rename from docs/pages/cloud/faq.mdx rename to docs/pages/deploy-a-cluster/teleport-cloud/faq.mdx index 88a582cd70c39..de3e7a35d11c4 100644 --- a/docs/pages/cloud/faq.mdx +++ b/docs/pages/deploy-a-cluster/teleport-cloud/faq.mdx @@ -49,7 +49,7 @@ See our documentation on [data retention](./architecture.mdx#data-retention). ## How do I add Nodes to Teleport Cloud? You can connect servers, Kubernetes clusters, databases and applications -using [reverse tunnels](../setup/admin/adding-nodes.mdx). +using [reverse tunnels](../../management/admin/adding-nodes.mdx). There is no need to open any ports on your infrastructure for inbound traffic. @@ -97,7 +97,7 @@ than through a port allocated to that service. In this case, you can see that TLS routing is enabled, and that the Proxy Service's public web address (`ssh.public_addr`) is `mytenant.teleport.sh:443`. -Read more in our [TLS Routing](../architecture/tls-routing.mdx) guide. +Read more in our [TLS Routing](../../architecture/tls-routing.mdx) guide. ## How can I access the tctl admin tool? @@ -122,7 +122,7 @@ $ tctl tokens add --type=node ## Are dynamic node tokens available? After [connecting](#how-can-i-access-the-tctl-admin-tool) `tctl` to Teleport Cloud, users can generate -[dynamic tokens](../setup/admin/adding-nodes.mdx): +[dynamic tokens](../../management/admin/adding-nodes.mdx): ```code $ tctl nodes add --ttl=5m --roles=node,proxy --token=$(uuid) 
@@ -209,7 +209,7 @@ The ability to download recordings for offline viewing will be available in a fu ## Is there a way to forward Teleport Cloud audit events to my company's internal Security Information and Event Management (SIEM)? -Yes. We recommend Teleport's [event handler plugin](../setup/guides/fluentd.mdx) to export Teleport Cloud audit events. +Yes. We recommend Teleport's [event handler plugin](../../management/guides/fluentd.mdx) to export Teleport Cloud audit events. ## I'm noticing high latency / terminal sessions are slow ? diff --git a/docs/pages/cloud/getting-started.mdx b/docs/pages/deploy-a-cluster/teleport-cloud/getting-started.mdx similarity index 86% rename from docs/pages/cloud/getting-started.mdx rename to docs/pages/deploy-a-cluster/teleport-cloud/getting-started.mdx index 53662ef5f9d28..8af5239e81c4a 100644 --- a/docs/pages/cloud/getting-started.mdx +++ b/docs/pages/deploy-a-cluster/teleport-cloud/getting-started.mdx @@ -12,24 +12,24 @@ Sign up for a cloud account [here](https://goteleport.com/signup/). ## Step 2/5 Access Web Console Access Web Console -![Access Web Console](../../img/cloud/homepage-1.png) +![Access Web Console](../../../img/cloud/homepage-1.png) Select Add Server and press COPY to copy the script command -![Add Server Script](../../img/cloud/addserver-2.png) +![Add Server Script](../../../img/cloud/addserver-2.png) ## Step 3/5 Install Teleport Agent on Server Paste and run script -![Past Install Script](../../img/cloud/runscript-3.png) +![Past Install Script](../../../img/cloud/runscript-3.png) Teleport Agent Installed -![Completed Install](../../img/cloud/completed-script-4.png) +![Completed Install](../../../img/cloud/completed-script-4.png) ## Step 4/5 Access Server Select close and Server can be accessed -![Access Server](../../img/cloud/online-session-5.png) +![Access Server](../../../img/cloud/online-session-5.png) ## Step 5/5 Access from Command Line 
diff --git a/docs/pages/cloud/introduction.mdx b/docs/pages/deploy-a-cluster/teleport-cloud/introduction.mdx similarity index 100% rename from docs/pages/cloud/introduction.mdx rename to docs/pages/deploy-a-cluster/teleport-cloud/introduction.mdx diff --git a/docs/pages/enterprise/getting-started.mdx b/docs/pages/deploy-a-cluster/teleport-enterprise/getting-started.mdx similarity index 96% rename from docs/pages/enterprise/getting-started.mdx rename to docs/pages/deploy-a-cluster/teleport-enterprise/getting-started.mdx index c422481001cc6..6bc9e2fb4a8cf 100644 --- a/docs/pages/enterprise/getting-started.mdx +++ b/docs/pages/deploy-a-cluster/teleport-enterprise/getting-started.mdx @@ -173,7 +173,7 @@ You can review the logs of the Teleport service with `journalctl -fu teleport` a with `sudo systemctl status teleport`. You can use `netstat -lptne` to review the port that Teleport is -listening on on [TCP/IP ports](../setup/reference/networking.mdx#ports). On *auth.example.com*, it should +listening on on [TCP/IP ports](../../reference/networking.mdx#ports). On *auth.example.com*, it should look something like this: ```code @@ -205,7 +205,7 @@ on *auth.example.com* Every user in a Teleport cluster must be assigned at least one role. By default, Teleport comes with several pre-configured roles known as -["presets"](../access-controls/reference.mdx#preset-roles). You can see +["presets"](../../access-controls/reference.mdx#preset-roles). You can see these roles by executing `sudo tctl get roles`. Pay attention to the *allow/logins* field in the role definition: by default, this 
@@ -236,7 +236,7 @@ allow: type="note" title="Note" > - See the [Kubernetes Guide](../kubernetes-access/introduction.mdx) and [Application Guide](../application-access/introduction.mdx) for enabling access to additional resources. + See the [Kubernetes Guide](../../kubernetes-access/introduction.mdx) and [Application Guide](../../application-access/introduction.mdx) for enabling access to additional resources. Then send it back into Teleport: @@ -332,14 +332,14 @@ $ tsh logout The local account is good for administrative purposes but regular users of Teleport Enterprise should be using a Single Sign-On (SSO) mechanism that use SAML or OIDC protocols. -Take a look at the [Single Sign-on](sso.mdx) chapter to learn the basics of +Take a look at the [Single Sign-on](../../access-controls/sso.mdx) chapter to learn the basics of integrating Teleport with SSO providers. We have the following detailed guides for configuring SSO providers: -- [Okta](sso/okta.mdx) -- [Active Directory](sso/adfs.mdx) -- [One Login](sso/one-login.mdx) -- [GitHub](../setup/admin/github-sso.mdx) +- [Okta](../../access-controls/sso/okta.mdx) +- [Active Directory](../../access-controls/sso/adfs.mdx) +- [One Login](../../access-controls/sso/one-login.mdx) +- [GitHub](../../access-controls/sso/github-sso.mdx) Any SAML-compliant provider can be configured with Teleport by following the same steps. There are Teleport Enterprise customers who are using Oracle IDM, diff --git a/docs/pages/enterprise/hsm.mdx b/docs/pages/deploy-a-cluster/teleport-enterprise/hsm.mdx similarity index 98% rename from docs/pages/enterprise/hsm.mdx rename to docs/pages/deploy-a-cluster/teleport-enterprise/hsm.mdx index b43b4e70781cc..f485e59e32b34 100644 --- a/docs/pages/enterprise/hsm.mdx +++ b/docs/pages/deploy-a-cluster/teleport-enterprise/hsm.mdx 
@@ -189,7 +189,7 @@ be signed by a temporary HSM key). A warning will also be printed in `tctl status` if this is required for any Auth server in the cluster. CA rotation can be performed manually or semi-automatically, see our admin guide -on [Certificate rotation](../setup/operations/ca-rotation.mdx). To rotate the +on [Certificate rotation](../../management/operations/ca-rotation.mdx). To rotate the CAs manually you can run: ```code diff --git a/docs/pages/enterprise/introduction.mdx b/docs/pages/deploy-a-cluster/teleport-enterprise/introduction.mdx similarity index 88% rename from docs/pages/enterprise/introduction.mdx rename to docs/pages/deploy-a-cluster/teleport-enterprise/introduction.mdx index 389459cbcd129..e7b5cdc71ec1b 100644 --- a/docs/pages/enterprise/introduction.mdx +++ b/docs/pages/deploy-a-cluster/teleport-enterprise/introduction.mdx 
@@ -15,10 +15,10 @@ The table below gives a quick overview of the benefits of Teleport Enterprise. | Teleport Enterprise Feature | Description | | - | - | | [Single Sign-On (SSO)](#sso) | Allows Teleport to integrate with existing enterprise identity systems. Examples include Active Directory, GitHub, Google Apps and numerous identity middleware solutions like Auth0, Okta, and so on. Teleport supports SAML and OAuth/OpenID Connect protocols to interact with them. | -| [Access Requests](../access-controls/access-requests.mdx) | User interface for teams to create and review requests to access infrastructure with escalated privileges. | +| [Access Requests](../../access-controls/access-requests.mdx) | User interface for teams to create and review requests to access infrastructure with escalated privileges. | | [FedRAMP/FIPS](#fedrampfips) | Access controls to meet the requirements in a FedRAMP System Security Plan (SSP). This includes a FIPS 140-2 friendly build of Teleport Enterprise as well as a variety of improvements to aid in complying with security controls even in FedRAMP High environments. | | [Hardware Security Module support](./hsm.mdx)|The Teleport Auth Service can use your organization's HSM to generate TLS credentials, ensuring a highly reliable and secure public key infrastructure.| -| [Moderated Sessions](../access-controls/guides/moderated-sessions.mdx)|Allow or require moderators to be present in SSH or Kubernetes sessions.| +| [Moderated Sessions](../../access-controls/guides/moderated-sessions.mdx)|Allow or require moderators to be present in SSH or Kubernetes sessions.| | Commercial Support | Support SLA with guaranteed response times. | Prior to v8.0, the Teleport CA was not compatible with Windows logins. 
If you're setting up Desktop Access in an existing cluster created before v8.0, - you must first perform a [CA rotation](../setup/operations/ca-rotation.mdx) in + you must first perform a [CA rotation](../management/operations/ca-rotation.mdx) in order to resolve this. diff --git a/docs/pages/faq.mdx b/docs/pages/faq.mdx index d3e12a5aee19f..854f0b7d8c084 100644 --- a/docs/pages/faq.mdx +++ b/docs/pages/faq.mdx @@ -46,14 +46,14 @@ look at [Using OpenSSH Guide](./server-access/guides/openssh.mdx). Yes, Teleport supports reverse SSH tunnels out of the box. To configure behind-firewall clusters refer to our -[Trusted Clusters](./setup/admin/trustedclusters.mdx) guide. +[Trusted Clusters](./management/admin/trustedclusters.mdx) guide. ## Can individual agents create reverse tunnels to the Proxy Service without creating a new cluster? Yes. When running a Teleport agent, use the `--auth-server` flag to point to the Proxy Service address (this would be `public_addr` and `web_listen_addr` in your file configuration). For more information, see -[Adding Nodes to the Cluster](./setup/admin/adding-nodes.mdx). +[Adding Nodes to the Cluster](./management/admin/adding-nodes.mdx). ## Can Nodes use a single port for reverse tunnels? @@ -77,7 +77,7 @@ Here is a detailed breakdown of the differences between Teleport's editions. ||Open Source|Enterprise|Cloud| |---|---|---|---| |[Access Requests](./access-controls/guides/dual-authz.mdx)|Limited|✔|✔| -|[Single Sign-On](./enterprise/sso.mdx)|GitHub|GitHub, Google Workspace, OIDC, SAML|GitHub, Google Workspace, OIDC, SAML| +|[Single Sign-On](./access-controls/sso.mdx)|GitHub|GitHub, Google Workspace, OIDC, SAML|GitHub, Google Workspace, OIDC, SAML| |[Role-Based Access Control](./access-controls/guides/role-templates.mdx)|✔|✔|✔| |[Moderated Sessions](./access-controls/guides/moderated-sessions.mdx)|✖|✔|✔| 
@@ -104,7 +104,7 @@ Here is a detailed breakdown of the differences between Teleport's editions. ||Open Source|Enterprise|Cloud| |---|---|---|---| -|[FedRAMP Control](./enterprise/fedramp.mdx)|✖|✔|✖| +|[FedRAMP Control](./access-controls/compliance-frameworks/fedramp.mdx)|✖|✔|✖| |PCI DSS Features|Limited|✔|✔| |SOC 2 Features|Limited|✔|✔| |FIPS-compliant binaries available for FedRAMP High|✖|✔|✖| @@ -116,9 +116,9 @@ Here is a detailed breakdown of the differences between Teleport's editions. |Auth and Proxy Service management|Self-hosted|Self-hosted|Fully managed| |Proxy Service domain name|Custom|Custom|A subdomain of `teleport.sh`| |Version support|All supported releases available to install and download.|All supported releases available to install and download.|Deploys last stable release with 2-3 week lag for stability.| -|[Backend support](setup/reference/backends.mdx)|Any S3-compatible storage for session records, many managed backends for custom audit log storage.|Any S3-compatible storage for session records, many managed backends for custom audit log storage|All data is stored in DynamoDB and S3 with server-side encryption| +|[Backend support](set../../reference/backends.mdx)|Any S3-compatible storage for session records, many managed backends for custom audit log storage.|Any S3-compatible storage for session records, many managed backends for custom audit log storage|All data is stored in DynamoDB and S3 with server-side encryption| |Data storage location|Can store data anywhere in the world, on most managed cloud backends|Can store data anywhere in the world, on most managed cloud backends| Data is stored in `us-west-2`, with Proxy Service instances deployed across the world for low-latency access| -|[Hardware Security Module support](./enterprise/hsm.mdx) for encryption at rest|✖|✔|✖| +|[Hardware Security Module support](./deploy-a-cluster/teleport-enterprise/hsm.mdx) for encryption at rest|✖|✔|✖| ### Support 
@@ -139,7 +139,7 @@ Here is a detailed breakdown of the differences between Teleport's editions. Teleport provides security-critical support for the current and two previous releases. With our typical release cadence, this means a release is usually supported for 9 months. -See our [Upgrading](./setup/operations/upgrading.mdx) guide for more +See our [Upgrading](./management/operations/upgrading.mdx) guide for more information. ## Does the Web UI support copy and paste? @@ -156,11 +156,11 @@ mode by pressing `[`. When in text selection mode: ## What TCP ports does Teleport use? -Please refer to our [Networking](./setup/reference/networking.mdx) guide. +Please refer to our [Networking](./reference/networking.mdx) guide. ## Does Teleport support authentication via OAuth, SAML, or Active Directory? -Teleport offers this feature for the [Enterprise versions of Teleport](enterprise/introduction.mdx). +Teleport offers this feature for the [Enterprise versions of Teleport](deploy-a-cluster/teleport-enterprise/introduction.mdx). ## Does Teleport send any data back to the cloud? diff --git a/docs/pages/getting-started.mdx b/docs/pages/getting-started.mdx index fbad6066c17e9..5e19009928417 100644 --- a/docs/pages/getting-started.mdx +++ b/docs/pages/getting-started.mdx @@ -9,8 +9,8 @@ Follow these guides to get started using Teleport. ## Try a lab on your local machine - [Browser Lab](https://goteleport.com/labs): Try Teleport using our guided interactive labs. -- [Docker Compose Lab](./getting-started/docker-compose.mdx): Try Teleport locally using Docker Compose. -- [Kubernetes Lab](./getting-started/local-kubernetes.mdx): See how Teleport runs on Kubernetes with this local lab. +- [Docker Compose Lab](./try-out-teleport/docker-compose.mdx): Try Teleport locally using Docker Compose. +- [Kubernetes Lab](./try-out-teleport/local-kubernetes.mdx): See how Teleport runs on Kubernetes with this local lab. ## Try Teleport in your infrastructure 
@@ -21,8 +21,8 @@ Not sure which edition of Teleport is right for you? View our [comparison chart] Host your own Teleport deployment. -- [Linux Server](./getting-started/linux-server.mdx): Learn how to host your own open source Teleport deployment on a standalone Linux server. -- [Kubernetes](./getting-started/kubernetes-cluster.mdx): Learn how to host your own open source Teleport deployment on Kubernetes. +- [Linux Server](./deploy-a-cluster/open-source.mdx): Learn how to host your own open source Teleport deployment on a standalone Linux server. +- [Kubernetes](./deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx): Learn how to host your own open source Teleport deployment on Kubernetes. @@ -30,7 +30,7 @@ Host your own Teleport deployment. Teleport Cloud is a deployment of the Auth Service and Proxy Service, managed by a dedicated team at Teleport. -- [Learn More](./cloud/getting-started.mdx): Learn how to start using Teleport Cloud. +- [Learn More](./deploy-a-cluster/teleport-cloud/getting-started.mdx): Learn how to start using Teleport Cloud. - [Start your Free Trial](https://goteleport.com/signup): Try Teleport hosted by us in the cloud for free. @@ -39,8 +39,8 @@ managed by a dedicated team at Teleport. Get started with a self-hosted Teleport Enterprise deployment, which gives you more advanced features and full customization. -- [Getting Started](./enterprise/getting-started.mdx): Learn how to deploy Teleport Enterprise. -- [Kubernetes](./getting-started/kubernetes-cluster.mdx): Learn how to host your Teleport Enterprise deployment on Kubernetes. +- [Getting Started](./deploy-a-cluster/teleport-enterprise/getting-started.mdx): Learn how to deploy Teleport Enterprise. +- [Kubernetes](./deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx): Learn how to host your Teleport Enterprise deployment on Kubernetes. 
diff --git a/docs/pages/includes/database-access/guides.mdx b/docs/pages/includes/database-access/guides.mdx index 6e769320e89a6..222b909e9b9ab 100644 --- a/docs/pages/includes/database-access/guides.mdx +++ b/docs/pages/includes/database-access/guides.mdx @@ -19,6 +19,5 @@ ## Other guides -- [GUI clients](../../database-access/guides/gui-clients.mdx): Configure database graphical clients. - [Dynamic Registration](../../database-access/guides/dynamic-registration.mdx): Register/unregister databases without restarting Teleport. - [High Availability](../../database-access/guides/ha.mdx): Deploy database access in HA configuration. diff --git a/docs/pages/includes/database-access/rotation-note.mdx b/docs/pages/includes/database-access/rotation-note.mdx index 7b57d167f0808..76d7184499821 100644 --- a/docs/pages/includes/database-access/rotation-note.mdx +++ b/docs/pages/includes/database-access/rotation-note.mdx @@ -3,7 +3,7 @@ Older Teleport versions use a host certificate to sign Database Access certificates. After upgrading to Teleport 10.0, the host certificate authority will still be used by Database Access to maintain compatibility. - The first [certificate rotation](../../setup/operations/ca-rotation.mdx) will rotate host and database certificates. + The first [certificate rotation](../../management/operations/ca-rotation.mdx) will rotate host and database certificates. New Teleport 10.0+ installations generate the database certificate authority when they first start, and are not affected by the rotation procedure described above. diff --git a/docs/pages/index.mdx b/docs/pages/index.mdx index 807c3036295f2..35908abf68179 100644 --- a/docs/pages/index.mdx +++ b/docs/pages/index.mdx 
@@ -20,8 +20,8 @@ With Teleport you can: Quickly see how Teleport works in one of our demo environments. - [Browser Lab](https://goteleport.com/labs/): Try Teleport using our guided interactive labs. -- [Docker Compose Lab](./getting-started/docker-compose.mdx): Try Teleport locally using Docker Compose. -- [Kubernetes Lab](./getting-started/local-kubernetes.mdx): See how Teleport runs on Kubernetes with this local lab. +- [Docker Compose Lab](./try-out-teleport/docker-compose.mdx): Try Teleport locally using Docker Compose. +- [Kubernetes Lab](./try-out-teleport/local-kubernetes.mdx): See how Teleport runs on Kubernetes with this local lab. ## Choose an edition 
@@ -30,19 +30,19 @@ Teleport, Teleport Enterprise, or Teleport Cloud. You can also [compare Teleport editions](faq.mdx#how-is-open-source-different-from-enterprise). -- [Open Source Teleport](./getting-started/linux-server.mdx): Learn how to host your own open source Teleport deployment on a standalone Linux server. -- [Teleport Enterprise](./enterprise/introduction.mdx): Get started with a self-hosted Teleport Enterprise deployment, which gives you more advanced features and full customization. -- [Teleport Cloud](./cloud/getting-started.mdx): Try Teleport hosted by us in the cloud for free. +- [Open Source Teleport](./deploy-a-cluster/open-source.mdx): Learn how to host your own open source Teleport deployment on a standalone Linux server. +- [Teleport Enterprise](./deploy-a-cluster/teleport-enterprise/introduction.mdx): Get started with a self-hosted Teleport Enterprise deployment, which gives you more advanced features and full customization. +- [Teleport Cloud](./deploy-a-cluster/teleport-cloud/getting-started.mdx): Try Teleport hosted by us in the cloud for free. ## Configure access Secure your infrastructure while keeping your engineers productive. -- [Set up SSO](./enterprise/sso.mdx):Configure Teleport's integration with your SSO provider so you can automaticallyon– and off-board users. +- [Set up SSO](./access-controls/sso.mdx):Configure Teleport's integration with your SSO provider so you can automaticallyon– and off-board users. -- [Set up SSO](./setup/admin/github-sso.mdx):Configure Teleport's integration with GitHub so you can automatically on– andoff-board users. +- [Set up SSO](./access-controls/sso/github-sso.mdx):Configure Teleport's integration with GitHub so you can automatically on– andoff-board users. - [Define roles](./access-controls/guides/role-templates.mdx):Manage who can access which parts of your infrastructure. diff --git a/docs/pages/installation.mdx b/docs/pages/installation.mdx index 3fb68caeba675..775a8025a8f3a 100644 
--- a/docs/pages/installation.mdx +++ b/docs/pages/installation.mdx @@ -59,7 +59,7 @@ up-to-date information. -Check the [Cloud Downloads](./cloud/downloads.mdx) page for the most up-to-date +Check the [Cloud Downloads](./deploy-a-cluster/teleport-cloud/downloads.mdx) page for the most up-to-date information on obtaining Teleport binaries compatible with Teleport Cloud. @@ -89,7 +89,7 @@ date. For testing, we always recommend that you use the latest released version of Teleport, which is currently `(=teleport.latest_oss_docker_image=)`. For instructions on running containers with these images, see -[Getting started with Teleport using Docker](./setup/guides/docker.mdx). +[Getting started with Teleport using Docker](./management/guides/docker.mdx). @@ -98,7 +98,7 @@ We provide pre-built Docker images for every version of Teleport. (!docs/pages/includes/enterprise/docker-images.mdx!) For instructions on running containers with these images, see -[Teleport Enterprise using Docker](enterprise/getting-started.mdx#run-teleport-enterprise-using-docker). +[Teleport Enterprise using Docker](deploy-a-cluster/teleport-enterprise/getting-started.mdx#run-teleport-enterprise-using-docker). @@ -117,8 +117,8 @@ chart. |Chart|Included Services|Values Reference| |-|-|-| -|`teleport-cluster`|Auth Service
Proxy Service
Other Teleport services if using a custom configuration|[Reference](setup/helm-reference/teleport-cluster.mdx) -|`teleport-kube-agent`|Kubernetes Service
Application Service
Database Service|[Reference](setup/helm-reference/teleport-kube-agent.mdx)| +|`teleport-cluster`|Auth Service
Proxy Service
Other Teleport services if using a custom configuration|[Reference](reference/helm-reference/teleport-cluster.mdx) +|`teleport-kube-agent`|Kubernetes Service
Application Service
Database Service|[Reference](reference/helm-reference/teleport-kube-agent.mdx)| ## macOS @@ -170,7 +170,7 @@ chart. and `tctl` you run on your local machine are compatible with the versions you run on your infrastructure. Homebrew usually ships the latest release of Teleport, which may be incompatible with older versions. See our - [compatibility policy](./setup/operations/upgrading.mdx) for details. + [compatibility policy](./management/operations/upgrading.mdx) for details. Log in to your cluster: @@ -336,4 +336,4 @@ infrastructure. Get started with: - [Database Access](database-access/introduction.mdx) - [Application Access](application-access/introduction.mdx) - [Desktop Access](desktop-access/introduction.mdx) -- [Machine ID](machine-id/introduction.mdx) \ No newline at end of file +- [Machine ID](machine-id/introduction.mdx) diff --git a/docs/pages/kubernetes-access/controls.mdx b/docs/pages/kubernetes-access/controls.mdx index 0abae7b253673..d83842b3083da 100644 --- a/docs/pages/kubernetes-access/controls.mdx +++ b/docs/pages/kubernetes-access/controls.mdx @@ -314,9 +314,9 @@ Take a look at the example usage in a [Teleport Helm chart](https://github.com/g Integrate with your identity provider: -- [OIDC guide](../enterprise/sso/oidc.mdx) -- [ADFS guide](../enterprise/sso/adfs.mdx) -- [Azure AD guide](../enterprise/sso/azuread.mdx) -- [Google Workspace guide](../enterprise/sso/google-workspace.mdx) -- [Onelogin guide](../enterprise/sso/one-login.mdx) -- [Okta guide](../enterprise/sso/okta.mdx) +- [OIDC guide](../access-controls/sso/oidc.mdx) +- [ADFS guide](../access-controls/sso/adfs.mdx) +- [Azure AD guide](../access-controls/sso/azuread.mdx) +- [Google Workspace guide](../access-controls/sso/google-workspace.mdx) +- [Onelogin guide](../access-controls/sso/one-login.mdx) +- [Okta guide](../access-controls/sso/okta.mdx) 
diff --git a/docs/pages/kubernetes-access/getting-started.mdx b/docs/pages/kubernetes-access/getting-started.mdx index 317305b13842a..502ab5c60b56f 100644 --- a/docs/pages/kubernetes-access/getting-started.mdx +++ b/docs/pages/kubernetes-access/getting-started.mdx @@ -119,4 +119,4 @@ $ kubectl get pods ## Next Steps -- Take a look at a [kube-agent helm chart reference](../setup/helm-reference/teleport-kube-agent.mdx) for a full list of parameters. +- Take a look at a [kube-agent helm chart reference](../reference/helm-reference/teleport-kube-agent.mdx) for a full list of parameters. diff --git a/docs/pages/kubernetes-access/guides/cicd.mdx b/docs/pages/kubernetes-access/guides/cicd.mdx index 657ece4aa943b..ea6596b2b1cdf 100644 --- a/docs/pages/kubernetes-access/guides/cicd.mdx +++ b/docs/pages/kubernetes-access/guides/cicd.mdx @@ -38,7 +38,7 @@ spec: (!docs/pages/includes/permission-warning.mdx!) -Generate a `kubeconfig` using the `jenkins` user and its roles using [`tctl auth sign`](../../setup/reference/cli.mdx#tctl-auth-sign): +Generate a `kubeconfig` using the `jenkins` user and its roles using [`tctl auth sign`](../../reference/cli.mdx#tctl-auth-sign): diff --git a/docs/pages/kubernetes-access/guides/federation.mdx b/docs/pages/kubernetes-access/guides/federation.mdx index 48b7bd010723d..128b41b755610 100644 --- a/docs/pages/kubernetes-access/guides/federation.mdx +++ b/docs/pages/kubernetes-access/guides/federation.mdx 
@@ -6,16 +6,16 @@ description: Federated Access using Teleport Trusted Clusters. There are cases when you have Kubernetes clusters that have to operate independently, for example, they are part of a different organization or have intermittent connectivity. -You can take advantage of [Trusted Clusters](../../setup/admin/trustedclusters.mdx) +You can take advantage of [Trusted Clusters](../../management/admin/trustedclusters.mdx) to federate trust across Kubernetes clusters. When multiple Trusted Clusters are present behind the Teleport Proxy Service, the -`kubeconfig` generated by [tsh login](../../setup/reference/cli.mdx#tsh-login) will contain the +`kubeconfig` generated by [tsh login](../../reference/cli.mdx#tsh-login) will contain the Kubernetes API endpoint determined by the `` argument to [tsh -login](../../setup/reference/cli.mdx#tsh-login). +login](../../reference/cli.mdx#tsh-login). For example, consider the following setup: @@ -45,9 +45,9 @@ $ tsh --proxy=main.example.com login east When multiple Trusted Clusters are present behind the Teleport Proxy Service, the -`kubeconfig` generated by [tsh login](../../setup/reference/cli.mdx#tsh-login) will contain the +`kubeconfig` generated by [tsh login](../../reference/cli.mdx#tsh-login) will contain the Kubernetes API endpoint determined by the `` argument to [tsh -login](../../setup/reference/cli.mdx#tsh-login). +login](../../reference/cli.mdx#tsh-login). For example, consider the following setup: diff --git a/docs/pages/kubernetes-access/helm/includes/teleport-cluster-cloud-warning.mdx b/docs/pages/kubernetes-access/helm/includes/teleport-cluster-cloud-warning.mdx index 33ebf17c50d03..ee408efc6f88a 100644 --- a/docs/pages/kubernetes-access/helm/includes/teleport-cluster-cloud-warning.mdx +++ b/docs/pages/kubernetes-access/helm/includes/teleport-cluster-cloud-warning.mdx 
@@ -5,4 +5,4 @@ Since the Auth and Proxy Services are fully managed in Teleport Cloud, you shoul You can use the `teleport-kube-agent` chart to enable the Application Service and Database Service in addition to the Kubernetes Service. -For more information, see our [Helm chart reference](../../../setup/helm-reference/teleport-kube-agent.mdx). \ No newline at end of file +For more information, see our [Helm chart reference](../../../reference/helm-reference/teleport-kube-agent.mdx). diff --git a/docs/pages/machine-id/reference/cli.mdx b/docs/pages/machine-id/reference/cli.mdx index ae343bd14b188..b367eea8de254 100644 --- a/docs/pages/machine-id/reference/cli.mdx +++ b/docs/pages/machine-id/reference/cli.mdx @@ -139,7 +139,7 @@ Additionally, be aware of the following limitations of `tbot db`: ## `tbot proxy` If you want to access Teleport resources on a cluster using -[TLS Routing](../../setup/operations/tls-routing.mdx), you'll need to +[TLS Routing](../../management/operations/tls-routing.mdx), you'll need to run a local ALPN/SNI proxy to access the resources. The `tbot proxy` command wraps `tsh proxy` to provide local proxy functionality for various protocols, including SSH and database access. diff --git a/docs/pages/setup/admin.mdx b/docs/pages/management/admin.mdx similarity index 94% rename from docs/pages/setup/admin.mdx rename to docs/pages/management/admin.mdx index ef934861853d4..45c1967c42bde 100644 --- a/docs/pages/setup/admin.mdx +++ b/docs/pages/management/admin.mdx @@ -19,7 +19,6 @@ cluster maintenance tasks. ## Manage users and resources -- [GitHub SSO](./admin/github-sso.mdx): Set up single sign-on with GitHub. - [Adding Nodes](./admin/adding-nodes.mdx): Add Nodes to your Teleport cluster. - [Trusted Clusters](./admin/trustedclusters.mdx): Connect multiple Teleport clusters using Trusted Clusters. - [Labels](./admin/labels.mdx): Manage resource metadata with labels. 
diff --git a/docs/pages/setup/admin/adding-nodes.mdx b/docs/pages/management/admin/adding-nodes.mdx similarity index 99% rename from docs/pages/setup/admin/adding-nodes.mdx rename to docs/pages/management/admin/adding-nodes.mdx index 74428405b366e..9329d3ceaf97b 100644 --- a/docs/pages/setup/admin/adding-nodes.mdx +++ b/docs/pages/management/admin/adding-nodes.mdx @@ -53,7 +53,7 @@ print a warning message. The CA pin becomes invalid if a Teleport administrator performs the CA rotation -by executing [`tctl auth rotate`](../reference/cli.mdx#tctl-auth-rotate). +by executing [`tctl auth rotate`](../../reference/cli.mdx#tctl-auth-rotate). diff --git a/docs/pages/setup/admin/daemon.mdx b/docs/pages/management/admin/daemon.mdx similarity index 95% rename from docs/pages/setup/admin/daemon.mdx rename to docs/pages/management/admin/daemon.mdx index 8c8f2781907c7..754f3726a2b11 100644 --- a/docs/pages/setup/admin/daemon.mdx +++ b/docs/pages/management/admin/daemon.mdx @@ -137,8 +137,8 @@ until existing clients disconnect. To upgrade a host to a newer version of Teleport, you must: -- Replace the Teleport binaries, usually [`teleport`](../reference/cli.mdx#teleport) - and [`tctl`](../reference/cli.mdx#tctl). +- Replace the Teleport binaries, usually [`teleport`](../../reference/cli.mdx#teleport) + and [`tctl`](../../reference/cli.mdx#tctl). - Execute `systemctl reload teleport`. 
@@ -147,11 +147,11 @@ To upgrade a host to a newer version of Teleport, you must: In this guide, we showed you how to run `teleport start` as a systemd service. To see all commands that you can run via the `teleport` binary, see the -[Teleport CLI Reference](../reference/cli.mdx#teleport). +[Teleport CLI Reference](../../reference/cli.mdx#teleport). While we used a minimal configuration in this guide, for a production Teleport cluster, you should consult our -[Configuration Reference](../reference/config.mdx). +[Configuration Reference](../../reference/config.mdx). For more information on how `systemctl reload teleport` works, see our guide to [upgrading a `teleport` binary](./upgrading-the-teleport-binary.mdx). diff --git a/docs/pages/setup/admin/labels.mdx b/docs/pages/management/admin/labels.mdx similarity index 99% rename from docs/pages/setup/admin/labels.mdx rename to docs/pages/management/admin/labels.mdx index 881e78eacb59c..3ceed7217f90a 100644 --- a/docs/pages/setup/admin/labels.mdx +++ b/docs/pages/management/admin/labels.mdx @@ -381,8 +381,8 @@ If this doesn't work, delete the directory your Node uses to maintain its state, Once you have labeled your resources, you can refer to your labels when running `tsh` and `tctl` commands to filter the resources that the commands will query. For more information, see -[Resource filtering](../reference/predicate-language.mdx). +[Resource filtering](../../reference/predicate-language.mdx). You can also use labels to limit the access that different roles have to specific classes of resources. For more information, see -[Teleport Role Templates](../../access-controls/guides/role-templates.mdx). \ No newline at end of file +[Teleport Role Templates](../../access-controls/guides/role-templates.mdx). 
diff --git a/docs/pages/setup/admin/troubleshooting.mdx b/docs/pages/management/admin/troubleshooting.mdx similarity index 96% rename from docs/pages/setup/admin/troubleshooting.mdx rename to docs/pages/management/admin/troubleshooting.mdx index bd2127bcde10f..da6e7d49b9c9d 100644 --- a/docs/pages/setup/admin/troubleshooting.mdx +++ b/docs/pages/management/admin/troubleshooting.mdx @@ -148,7 +148,7 @@ If you need help, please ask on our [community forum](https://github.com/gravita If you need help, please ask on our [community forum](https://github.com/gravitational/teleport/discussions). You can also open an [issue on GitHub](https://github.com/gravitational/teleport/issues). -For more information about custom features, or to try our [Enterprise edition](../../enterprise/introduction.mdx) of Teleport, please reach out to us at [sales](https://goteleport.com/signup/enterprise/). +For more information about custom features, or to try our [Enterprise edition](../../deploy-a-cluster/teleport-enterprise/introduction.mdx) of Teleport, please reach out to us at [sales](https://goteleport.com/signup/enterprise/). @@ -156,7 +156,7 @@ For more information about custom features, or to try our [Enterprise edition](. This guide showed how to investigate issues with the `teleport` process. To see how you can monitor more general health and performance data from your Teleport -cluster, read our [Teleport Diagnostics](../reference/metrics.mdx) guide. +cluster, read our [Teleport Diagnostics](../../reference/metrics.mdx) guide. For additional sources of Teleport support, please see the [Teleport Support and Education Center](https://goteleport.com/support/). diff --git a/docs/pages/setup/admin/trustedclusters.mdx b/docs/pages/management/admin/trustedclusters.mdx similarity index 100% rename from docs/pages/setup/admin/trustedclusters.mdx rename to docs/pages/management/admin/trustedclusters.mdx 
diff --git a/docs/pages/setup/admin/upgrading-the-teleport-binary.mdx b/docs/pages/management/admin/upgrading-the-teleport-binary.mdx similarity index 98% rename from docs/pages/setup/admin/upgrading-the-teleport-binary.mdx rename to docs/pages/management/admin/upgrading-the-teleport-binary.mdx index 74e75d6d2031a..c969401286dd4 100644 --- a/docs/pages/setup/admin/upgrading-the-teleport-binary.mdx +++ b/docs/pages/management/admin/upgrading-the-teleport-binary.mdx @@ -170,5 +170,5 @@ Teleport cluster while preserving compatibility, read [Upgrading a Teleport Cluster](../operations/upgrading.mdx). See the full list of supported signals in the -[Teleport Signals Reference](../reference/signals.mdx). +[Teleport Signals Reference](../../reference/signals.mdx). diff --git a/docs/pages/setup/admin/users.mdx b/docs/pages/management/admin/users.mdx similarity index 90% rename from docs/pages/setup/admin/users.mdx rename to docs/pages/management/admin/users.mdx index 29fb57d944337..97008bc2c0614 100644 --- a/docs/pages/setup/admin/users.mdx +++ b/docs/pages/management/admin/users.mdx 
@@ -108,27 +108,26 @@ $ tctl users rm joe In addition to users, you can use `tctl` to manage roles and other dynamic -resources. See our [Teleport Resources Reference](../reference/resources.mdx). +resources. See our [Teleport Resources Reference](../../reference/resources.mdx). -For all available `tctl` commands and flags, see our [CLI Reference](../reference/cli.mdx#tctl). +For all available `tctl` commands and flags, see our [CLI Reference](../../reference/cli.mdx#tctl). You can also configure Teleport so that users can log in using an SSO provider. For more information, see: -- [Single Sign-On](../../enterprise/sso.mdx) -- [GitHub SSO](./github-sso.mdx) +- [Single Sign-On](../../access-controls/sso.mdx) In addition to users, you can use `tctl` to manage roles and other dynamic -resources. See our [Teleport Resources Reference](../reference/resources.mdx). +resources. See our [Teleport Resources Reference](../../reference/resources.mdx). For all available `tctl` commands and flags, see our -[CLI Reference](../reference/cli.mdx#tctl). +[CLI Reference](../../reference/cli.mdx#tctl). You can also configure Teleport so that users can log in using GitHub. For more -information, see [GitHub SSO](./github-sso.mdx). +information, see [GitHub SSO](../../access-controls/sso/github-sso.mdx). diff --git a/docs/pages/setup/guides.mdx b/docs/pages/management/guides.mdx similarity index 100% rename from docs/pages/setup/guides.mdx rename to docs/pages/management/guides.mdx diff --git a/docs/pages/setup/guides/docker.mdx b/docs/pages/management/guides/docker.mdx similarity index 98% rename from docs/pages/setup/guides/docker.mdx rename to docs/pages/management/guides/docker.mdx index 53c16bfd61313..a43a9a5582e40 100644 --- a/docs/pages/setup/guides/docker.mdx +++ b/docs/pages/management/guides/docker.mdx 
@@ -215,6 +215,6 @@ root@localhost:~# ## Next steps -- Try out one of our [Helm Guides](../../setup/helm-deployments.mdx). +- Try out one of our [Helm Guides](../../deploy-a-cluster/helm-deployments.mdx). - Try out one of our [Database Access Guides](../../database-access/guides.mdx). - Learn about [Teleport Server Access](../../server-access/introduction.mdx). diff --git a/docs/pages/setup/guides/ec2-tags.mdx b/docs/pages/management/guides/ec2-tags.mdx similarity index 100% rename from docs/pages/setup/guides/ec2-tags.mdx rename to docs/pages/management/guides/ec2-tags.mdx diff --git a/docs/pages/setup/guides/fluentd.mdx b/docs/pages/management/guides/fluentd.mdx similarity index 100% rename from docs/pages/setup/guides/fluentd.mdx rename to docs/pages/management/guides/fluentd.mdx diff --git a/docs/pages/setup/guides/joining-nodes-aws-ec2.mdx b/docs/pages/management/guides/joining-nodes-aws-ec2.mdx similarity index 98% rename from docs/pages/setup/guides/joining-nodes-aws-ec2.mdx rename to docs/pages/management/guides/joining-nodes-aws-ec2.mdx index 854ac7d556fa5..1fba1e281de8c 100644 --- a/docs/pages/setup/guides/joining-nodes-aws-ec2.mdx +++ b/docs/pages/management/guides/joining-nodes-aws-ec2.mdx @@ -51,7 +51,7 @@ more in the following guide: - A running Teleport cluster. For details on how to set this up, see [Getting - Started on a Linux Server](../../getting-started/linux-server.mdx). + Started on a Linux Server](../../deploy-a-cluster/open-source.mdx). - The `tctl` admin tool version >= (=teleport.version=). @@ -70,7 +70,7 @@ more in the following guide: scope={["enterprise"]} label="Enterprise"> - A running Teleport cluster. For details on setting this up, see our - [Enterprise getting started guide](../../enterprise/getting-started.mdx). + [Enterprise getting started guide](../../deploy-a-cluster/teleport-enterprise/getting-started.mdx). - The `tctl` admin tool version >= (=teleport.version=), which you can download by visiting the 
diff --git a/docs/pages/setup/guides/joining-nodes-aws-iam.mdx b/docs/pages/management/guides/joining-nodes-aws-iam.mdx similarity index 100% rename from docs/pages/setup/guides/joining-nodes-aws-iam.mdx rename to docs/pages/management/guides/joining-nodes-aws-iam.mdx diff --git a/docs/pages/setup/guides/ssh-key-extensions.mdx b/docs/pages/management/guides/ssh-key-extensions.mdx similarity index 98% rename from docs/pages/setup/guides/ssh-key-extensions.mdx rename to docs/pages/management/guides/ssh-key-extensions.mdx index 5b3016f1a1d6d..3898a668d428e 100644 --- a/docs/pages/setup/guides/ssh-key-extensions.mdx +++ b/docs/pages/management/guides/ssh-key-extensions.mdx @@ -8,7 +8,7 @@ Teleport supports exporting user SSH certificates with configurable key extensio ## Prerequisites - The Teleport Auth Service and Proxy Service v(=teleport.version=), either self hosted or deployed on Teleport Cloud. -- The GitHub SSO authentication connector. For more information, see [GitHub SSO](../admin/github-sso.mdx). +- The GitHub SSO authentication connector. For more information, see [GitHub SSO](../../access-controls/sso/github-sso.mdx). - Access to GitHub Enterprise and permissions to modify GitHub's SSH Certificate Authorities. ## Step 1/3. Import the Teleport CA into GitHub diff --git a/docs/pages/setup/guides/teleport-operator.mdx b/docs/pages/management/guides/teleport-operator.mdx similarity index 97% rename from docs/pages/setup/guides/teleport-operator.mdx rename to docs/pages/management/guides/teleport-operator.mdx index 7cb42bbfce0f7..9050e24265775 100644 --- a/docs/pages/setup/guides/teleport-operator.mdx +++ b/docs/pages/management/guides/teleport-operator.mdx 
@@ -215,8 +215,8 @@ $ kubectl logs "$PROXY_POD" -c operator ## Next Steps -Helm Chart parameters are documented in the [`teleport-cluster `Helm chart reference](../helm-reference/teleport-cluster.mdx). +Helm Chart parameters are documented in the [`teleport-cluster `Helm chart reference](../../reference/helm-reference/teleport-cluster.mdx). -See the [Helm Deployment guides](../helm-deployments.mdx) detailing specific setups like running teleport on AWS or GCP. +See the [Helm Deployment guides](../../deploy-a-cluster/helm-deployments.mdx) detailing specific setups like running teleport on AWS or GCP. Check out [access controls documentation](../../access-controls/introduction.mdx) diff --git a/docs/pages/setup/guides/terraform-provider.mdx b/docs/pages/management/guides/terraform-provider.mdx similarity index 99% rename from docs/pages/setup/guides/terraform-provider.mdx rename to docs/pages/management/guides/terraform-provider.mdx index a7eb8d23f5f89..acff0639561c0 100644 --- a/docs/pages/setup/guides/terraform-provider.mdx +++ b/docs/pages/management/guides/terraform-provider.mdx @@ -177,5 +177,5 @@ $ terraform apply ## Next Steps -- Find the full list of [supported Terraform provider resources](../reference/terraform-provider.mdx). +- Find the full list of [supported Terraform provider resources](../../reference/terraform-provider.mdx). - Read more about [impersonation](../../access-controls/guides/impersonation.mdx). diff --git a/docs/pages/setup/operations.mdx b/docs/pages/management/operations.mdx similarity index 100% rename from docs/pages/setup/operations.mdx rename to docs/pages/management/operations.mdx diff --git a/docs/pages/setup/operations/backup-restore.mdx b/docs/pages/management/operations/backup-restore.mdx similarity index 100% rename from docs/pages/setup/operations/backup-restore.mdx rename to docs/pages/management/operations/backup-restore.mdx 
diff --git a/docs/pages/setup/operations/ca-rotation.mdx b/docs/pages/management/operations/ca-rotation.mdx similarity index 100% rename from docs/pages/setup/operations/ca-rotation.mdx rename to docs/pages/management/operations/ca-rotation.mdx diff --git a/docs/pages/setup/operations/scaling.mdx b/docs/pages/management/operations/scaling.mdx similarity index 95% rename from docs/pages/setup/operations/scaling.mdx rename to docs/pages/management/operations/scaling.mdx index ba4f7b093c8aa..0e730b394c96b 100644 --- a/docs/pages/setup/operations/scaling.mdx +++ b/docs/pages/management/operations/scaling.mdx @@ -21,7 +21,7 @@ automatically. ## Hardware recommendations -Set up Teleport with a [High Availability configuration](../reference/backends.mdx). +Set up Teleport with a [High Availability configuration](../../reference/backends.mdx). | Scenario | Max Recommended Count | Proxy | Auth Server | AWS Instance Types | | - | - | - | - | - | diff --git a/docs/pages/setup/operations/tls-routing.mdx b/docs/pages/management/operations/tls-routing.mdx similarity index 100% rename from docs/pages/setup/operations/tls-routing.mdx rename to docs/pages/management/operations/tls-routing.mdx diff --git a/docs/pages/setup/operations/upgrading.mdx b/docs/pages/management/operations/upgrading.mdx similarity index 100% rename from docs/pages/setup/operations/upgrading.mdx rename to docs/pages/management/operations/upgrading.mdx diff --git a/docs/pages/setup/security.mdx b/docs/pages/management/security.mdx similarity index 100% rename from docs/pages/setup/security.mdx rename to docs/pages/management/security.mdx diff --git a/docs/pages/setup/security/reduce-blast-radius.mdx b/docs/pages/management/security/reduce-blast-radius.mdx similarity index 99% rename from docs/pages/setup/security/reduce-blast-radius.mdx rename to docs/pages/management/security/reduce-blast-radius.mdx index fc398fdac8a4e..9ef1b896b3b83 100644 --- a/docs/pages/setup/security/reduce-blast-radius.mdx 
+++ b/docs/pages/management/security/reduce-blast-radius.mdx @@ -291,6 +291,6 @@ Two `user`s can grant elevated privileges to another `user` temporarily without - [Access Requests](../../access-controls/access-requests.mdx) ### Background reading -- [Authentication connectors](../reference/authentication.mdx) +- [Authentication connectors](../../reference/authentication.mdx) - [Proxy Service](../../architecture/proxy.mdx) - [Auth Service](../../architecture/authentication.mdx) diff --git a/docs/pages/preview/upcoming-releases.mdx b/docs/pages/preview/upcoming-releases.mdx index cfaede212db37..f4ffa90b84e1c 100644 --- a/docs/pages/preview/upcoming-releases.mdx +++ b/docs/pages/preview/upcoming-releases.mdx @@ -92,9 +92,7 @@ production: Releases are ready for production use. -- Releases `5.0.0` and `6.0.0` are major releases. We publish 4 major releases - each year. Read more about upgrades and compatibility in [Upgrading a Teleport Cluster](../setup/operations/upgrading.mdx). -- Releases `5.1.0` are minor releases. They contain minor backwards-compatible - improvements and backports. -- Versions like `5.0.1` are quick patches. They contain backwards-compatible - fixes. +- Releases `5.0.0` and `6.0.0` are major releases. We publish 4 major releases each year. + Read more about upgrades and compatibility [here](../management/operations/upgrading.mdx). +- Releases `5.1.0` are minor releases. They contain minor backwards-compatible improvements and backports. +- Versions like `5.0.1` are quick patches. They contain backwards-compatible fixes. diff --git a/docs/pages/setup/reference/audit.mdx b/docs/pages/reference/audit.mdx similarity index 98% rename from docs/pages/setup/reference/audit.mdx rename to docs/pages/reference/audit.mdx index 4a92019baa247..7473066658f4a 100644 --- a/docs/pages/setup/reference/audit.mdx +++ b/docs/pages/reference/audit.mdx 
@@ -32,7 +32,7 @@ two components of the audit log: You can use -[Enhanced Session Recording with BPF](../../server-access/guides/bpf-session-recording.mdx) +[Enhanced Session Recording with BPF](../server-access/guides/bpf-session-recording.mdx) to get even more comprehensive audit logs with advanced security. diff --git a/docs/pages/setup/reference/authentication.mdx b/docs/pages/reference/authentication.mdx similarity index 94% rename from docs/pages/setup/reference/authentication.mdx rename to docs/pages/reference/authentication.mdx index 7eb680a66039a..f9509a92430a1 100644 --- a/docs/pages/setup/reference/authentication.mdx +++ b/docs/pages/reference/authentication.mdx @@ -19,7 +19,7 @@ connector. There are several possible values (types) of MFA: second factor authenticators and hardware devices. You can use [YubiKeys](https://www.yubico.com/), [SoloKeys](https://solokeys.com/) or any other authenticator that implements FIDO2 or FIDO U2F standards. - See our [Second Factor - WebAuthn](../../access-controls/guides/webauthn.mdx) guide for detailed + See our [Second Factor - WebAuthn](../access-controls/guides/webauthn.mdx) guide for detailed instructions on setting up WebAuthn for Teleport. - `on` enables both TOTP and WebAuthn, and all local users are required to have at least one MFA device registered. - `optional` enables both TOTP and WebAuthn but makes it optional for users. Local users that register a MFA device will @@ -144,7 +144,7 @@ spec: version: v2 ``` -See [GitHub OAuth 2.0](../admin/github-sso.mdx) for details on how to configure it. +See [GitHub OAuth 2.0](../access-controls/sso/github-sso.mdx) for details on how to configure it. ### SAML @@ -192,7 +192,7 @@ auth_service: type: github ``` -See [GitHub OAuth 2.0](../admin/github-sso.mdx) for details on how to configure it. +See [GitHub OAuth 2.0](../access-controls/sso/github-sso.mdx) for details on how to configure it. ### SAML 
@@ -234,7 +234,7 @@ auth_service: type: github ``` -See [GitHub OAuth 2.0](../admin/github-sso.mdx) for details on how to configure it. +See [GitHub OAuth 2.0](../access-controls/sso/github-sso.mdx) for details on how to configure it. diff --git a/docs/pages/setup/reference/backends.mdx b/docs/pages/reference/backends.mdx similarity index 98% rename from docs/pages/setup/reference/backends.mdx rename to docs/pages/reference/backends.mdx index b8665f591c748..f56823d13ee8e 100644 --- a/docs/pages/setup/reference/backends.mdx +++ b/docs/pages/reference/backends.mdx @@ -25,7 +25,7 @@ no need to configure a backend. type="tip" title="Tip" > - Before continuing, please make sure to take a look at the [Cluster State section](../../architecture/nodes.mdx#cluster-state) + Before continuing, please make sure to take a look at the [Cluster State section](../architecture/nodes.mdx#cluster-state) in the Teleport Architecture documentation. @@ -181,7 +181,7 @@ teleport: type="tip" title="Tip" > - Before continuing, please make sure to take a look at the [Cluster State section](../../architecture/nodes.mdx#cluster-state) + Before continuing, please make sure to take a look at the [Cluster State section](../architecture/nodes.mdx#cluster-state) in Teleport Architecture documentation. @@ -386,7 +386,7 @@ For more information, see the [AWS Documentation](https://docs.aws.amazon.com/Am type="tip" title="Tip" > - Before continuing, please make sure to take a look at the [Cluster State section](../../architecture/nodes.mdx#cluster-state) + Before continuing, please make sure to take a look at the [Cluster State section](../architecture/nodes.mdx#cluster-state) in Teleport Architecture documentation. 
@@ -547,7 +547,7 @@ To enable these options you will need to update the IAM Policy for Teleport. type="tip" title="Tip" > - Before continuing, please make sure to take a look at the [Cluster State section](../../architecture/nodes.mdx#cluster-state) + Before continuing, please make sure to take a look at the [Cluster State section](../architecture/nodes.mdx#cluster-state) in Teleport Architecture documentation. @@ -585,7 +585,7 @@ Replace the following variables in the above example with your own values: type="tip" title="Tip" > - Before continuing, please make sure to take a look at the [Cluster State section](../../architecture/nodes.mdx#cluster-state) + Before continuing, please make sure to take a look at the [Cluster State section](../architecture/nodes.mdx#cluster-state) in Teleport Architecture documentation. diff --git a/docs/pages/setup/reference/cli.mdx b/docs/pages/reference/cli.mdx similarity index 98% rename from docs/pages/setup/reference/cli.mdx rename to docs/pages/reference/cli.mdx index 27aff81ef7f26..4338914a3219e 100644 --- a/docs/pages/setup/reference/cli.mdx +++ b/docs/pages/reference/cli.mdx 
@@ -30,14 +30,14 @@ clusters. | Service | Role Name | Description | | - | - | - | -| [Node](../../architecture/nodes.mdx) | `node` | Runs a daemon on a host that allows SSH connections from authenticated clients. | -| [Auth](../../architecture/authentication.mdx) | `auth` | Authenticates hosts and users who want access to Teleport-managed resources or information about a cluster. | -| [Proxy](../../architecture/proxy.mdx) | `proxy` | The gateway that clients use to connect to the Auth Service or resources managed by Teleport. | -| [App](../../application-access/introduction.mdx) | `app` | Runs a daemon on a host that provides access to applications using an SSH reverse tunnel. | -| [Kube](../../kubernetes-access/introduction.mdx) | `kube` | The Teleport daemon will run the Kubernetes Service. | -| [DB](../../database-access/reference.mdx) | `db` | The Teleport daemon will run the Database Service. | -| [Trusted Cluster](../../setup/admin/trustedclusters.mdx) | `trusted_cluster` | The Teleport daemon will support a leaf cluster used to connect to another Teleport cluster. | -| [Windows Desktop](../../desktop-access/getting-started.mdx) | `windowsdesktop` | The Teleport daemon will run the Windows Desktop Service. | +| [Node](../architecture/nodes.mdx) | `node` | Runs a daemon on a host that allows SSH connections from authenticated clients. | +| [Auth](../architecture/authentication.mdx) | `auth` | Authenticates hosts and users who want access to Teleport-managed resources or information about a cluster. | +| [Proxy](../architecture/proxy.mdx) | `proxy` | The gateway that clients use to connect to the Auth Service or resources managed by Teleport. | +| [App](../application-access/introduction.mdx) | `app` | Runs a daemon on a host that provides access to applications using an SSH reverse tunnel. | +| [Kube](../kubernetes-access/introduction.mdx) | `kube` | The Teleport daemon will run the Kubernetes Service. 
| +| [DB](../database-access/reference.mdx) | `db` | The Teleport daemon will run the Database Service. | +| [Trusted Cluster](../management/admin/trustedclusters.mdx) | `trusted_cluster` | The Teleport daemon will support a leaf cluster used to connect to another Teleport cluster. | +| [Windows Desktop](../desktop-access/getting-started.mdx) | `windowsdesktop` | The Teleport daemon will run the Windows Desktop Service. | ### teleport start @@ -47,7 +47,7 @@ clusters. | - | - | - | - | | `-d, --debug` | none | none | enable verbose logging to stderr | | `--insecure-no-tls` | `false` | `true` or `false` | Tells proxy to not generate default self-signed TLS certificates. This is useful when running Teleport on kubernetes (behind reverse proxy) or behind things like AWS ELBs, GCP LBs or Azure Load Balancers where SSL termination is provided externally. | -| `-r, --roles` | `proxy,node,auth` | **string** comma-separated list of `proxy, auth, node, db, app` or `windowsdesktop` | start listed services/roles. These roles are explained in the [Teleport Architecture](../../architecture/overview.mdx) document. | +| `-r, --roles` | `proxy,node,auth` | **string** comma-separated list of `proxy, auth, node, db, app` or `windowsdesktop` | start listed services/roles. These roles are explained in the [Teleport Architecture](../architecture/overview.mdx) document. | | `--pid-file` | none | **string** filepath | create a PID file at the path | | `--advertise-ip` | none | **string** IP | advertise IP to clients, often used behind NAT | | `-l, --listen-ip` | `0.0.0.0` | [**net. IP**](https://golang.org/pkg/net/#IP) | binds services to IP | 
@@ -57,7 +57,7 @@ clusters. | `--nodename` | value returned by the `hostname` command on the machine | **string** | assigns an alternative name for the node which can be used by clients to log in. | | `-c, --config` | `/etc/teleport.yaml` | **string** `.yaml` filepath | starts services with config specified in the YAML file, overrides CLI flags if set | | `--bootstrap` | none | **string** `.yaml` filepath | bootstrap configured YAML resources {/* TODO link how to configure this file */} | -| `--labels` | none | **string** comma-separated list | assigns a set of labels to a node, for example env=dev,app=web. See the explanation of labeling mechanism in the [Labeling Nodes](../admin/labels.mdx) section. | +| `--labels` | none | **string** comma-separated list | assigns a set of labels to a node, for example env=dev,app=web. See the explanation of labeling mechanism in the [Labeling Nodes](../management/admin/labels.mdx) section. | | `--insecure` | none | none | disable certificate validation on Proxy Service, validation still occurs on Auth Service. | | `--fips` | none | none | start Teleport in FedRAMP/FIPS 140-2 mode. | | `--skip-version-check` | `false` | `true` or `false` | Skips version checks between the Auth Server this Teleport instance | @@ -517,7 +517,7 @@ $ tsh login [] [] #### Arguments -- `` - the name of the cluster, see [Trusted Cluster](../../setup/admin/trustedclusters.mdx) for more information. +- `` - the name of the cluster, see [Trusted Cluster](../management/admin/trustedclusters.mdx) for more information. #### Flags @@ -952,7 +952,7 @@ file using an identity stored in its local backend. To provide an accurate audit trail, it is important to limit direct SSH access to the Auth Service with - [Access Controls](../../access-controls/introduction.mdx) and ensure that + [Access Controls](../access-controls/introduction.mdx) and ensure that admins use `tctl` remotely instead. 
diff --git a/docs/pages/setup/reference/config.mdx b/docs/pages/reference/config.mdx similarity index 100% rename from docs/pages/setup/reference/config.mdx rename to docs/pages/reference/config.mdx diff --git a/docs/pages/setup/helm-reference.mdx b/docs/pages/reference/helm-reference.mdx similarity index 100% rename from docs/pages/setup/helm-reference.mdx rename to docs/pages/reference/helm-reference.mdx diff --git a/docs/pages/setup/helm-reference/teleport-cluster.mdx b/docs/pages/reference/helm-reference/teleport-cluster.mdx similarity index 95% rename from docs/pages/setup/helm-reference/teleport-cluster.mdx rename to docs/pages/reference/helm-reference/teleport-cluster.mdx index 68957cbef4ee8..1c52d30f87b09 100644 --- a/docs/pages/setup/helm-reference/teleport-cluster.mdx +++ b/docs/pages/reference/helm-reference/teleport-cluster.mdx @@ -22,10 +22,10 @@ The `teleport-cluster` chart can be deployed in four different modes. Get starte | `chartMode` | Guide | | - | - | -| `standalone` | [Getting Started - Kubernetes with SSO](../helm-deployments/aws.mdx) | -| `aws` | [Running an HA Teleport cluster using an AWS EKS Cluster](../helm-deployments/aws.mdx) | -| `gcp` | [Running an HA Teleport cluster using a Google Cloud GKE cluster](../helm-deployments/gcp.mdx) | -| `custom` | [Running a Teleport cluster with a custom config](../helm-deployments/custom.mdx) | +| `standalone` | [Getting Started - Kubernetes with SSO](../../deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx) | +| `aws` | [Running an HA Teleport cluster using an AWS EKS Cluster](../../deploy-a-cluster/helm-deployments/aws.mdx) | +| `gcp` | [Running an HA Teleport cluster using a Google Cloud GKE cluster](../../deploy-a-cluster/helm-deployments/gcp.mdx) | +| `custom` | [Running a Teleport cluster with a custom config](../../deploy-a-cluster/helm-deployments/custom.mdx) | This reference details available values for the `teleport-cluster` chart. 
@@ -80,10 +80,10 @@ This reference details available values for the `teleport-cluster` chart. | `string` | `""` | No | `auth_service.authentication.connector_name` | ❌ | `authentication.connectorName` sets the default authentication connector. -[The SSO documentation](../../enterprise/sso.mdx) explains how to create authentication connectors for common identity +[The SSO documentation](../../access-controls/sso.mdx) explains how to create authentication connectors for common identity providers. In addition to SSO connector names, the following built-in connectors are supported: -- [`local`](../admin/users.mdx) for local users +- [`local`](../../management/admin/users.mdx) for local users - [`passwordless`](../../access-controls/guides/passwordless.mdx#optional-enable-passwordless-by-default) to enable by default passwordless authentication. @@ -98,7 +98,7 @@ Defaults to `local`. `authentication.localAuth` controls whether local authentication is enabled. When disabled, users can only log in through authentication connectors like `saml`, `oidc` or `github`. -[Disabling local auth is required for FedRAMP / FIPS](../../enterprise/fedramp.mdx#teleport-auth-server). +[Disabling local auth is required for FedRAMP / FIPS](../../access-controls/compliance-frameworks/fedramp.mdx#teleport-auth-server). ### `authentication.lockingMode` @@ -181,7 +181,7 @@ By default no devices are forbidden. `sessionRecording` controls the `session_recording` field in the `teleport.yaml` configuration. It is passed as-is in the configuration. -For possible values, [see the Teleport Configuration Reference](../reference/config.mdx#teleportyaml). +For possible values, [see the Teleport Configuration Reference](../../reference/config.mdx#teleportyaml). 
@@ -601,8 +601,8 @@ You can optionally override this to use a different published Teleport Docker im See these links for information on Docker image versions: -- [Community Docker image information](../guides/docker.mdx#step-14-pick-your-image) -- [Enterprise Docker image information](../../enterprise/getting-started.mdx#run-teleport-enterprise-using-docker) +- [Community Docker image information](../../management/guides/docker.mdx#step-14-pick-your-image) +- [Enterprise Docker image information](../../deploy-a-cluster/teleport-enterprise/getting-started.mdx#run-teleport-enterprise-using-docker) @@ -743,10 +743,10 @@ Teleport's RBAC policies to define access rules for the cluster. | `chartMode` | Guide | | - | - | -| `standalone` | [Getting Started - Kubernetes with SSO](../../getting-started/kubernetes-cluster.mdx) | -| `aws` | [Running an HA Teleport cluster using an AWS EKS Cluster](../helm-deployments/aws.mdx) | -| `gcp` | [Running an HA Teleport cluster using a Google Cloud GKE cluster](../helm-deployments/gcp.mdx) | -| `custom` | [Running a Teleport cluster with a custom config](../helm-deployments/custom.mdx) | +| `standalone` | [Getting Started - Kubernetes with SSO](../../deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx) | +| `aws` | [Running an HA Teleport cluster using an AWS EKS Cluster](../../deploy-a-cluster/helm-deployments/aws.mdx) | +| `gcp` | [Running an HA Teleport cluster using a Google Cloud GKE cluster](../../deploy-a-cluster/helm-deployments/gcp.mdx) | +| `custom` | [Running a Teleport cluster with a custom config](../../deploy-a-cluster/helm-deployments/custom.mdx) | ## `persistence` 
@@ -826,17 +826,17 @@ You can set `volumeSize` to request a different size of persistent volume when i | Can be used in `custom` mode? | `teleport.yaml` equivalent | | - | - | -| ❌ | See [Using DynamoDB](../reference/backends.mdx#dynamodb) and [Using Amazon S3](../reference/backends.mdx#s3) for details | +| ❌ | See [Using DynamoDB](../../reference/backends.mdx#dynamodb) and [Using Amazon S3](../../reference/backends.mdx#s3) for details | -`aws` settings are described in the AWS guide: [Running an HA Teleport cluster using an AWS EKS Cluster](../helm-deployments/aws.mdx) +`aws` settings are described in the AWS guide: [Running an HA Teleport cluster using an AWS EKS Cluster](../../deploy-a-cluster/helm-deployments/aws.mdx) ## `gcp` | Can be used in `custom` mode? | `teleport.yaml` equivalent | | - | - | -| ❌ | See [Using Firestore](../reference/backends.mdx#dynamodb) and [Using GCS](../reference/backends.mdx#gcs) for details | +| ❌ | See [Using Firestore](../../reference/backends.mdx#dynamodb) and [Using GCS](../../reference/backends.mdx#gcs) for details | -`gcp` settings are described in the GCP guide: [Running an HA Teleport cluster using a Google Cloud GKE cluster](../helm-deployments/gcp.mdx) +`gcp` settings are described in the GCP guide: [Running an HA Teleport cluster using a Google Cloud GKE cluster](../../deploy-a-cluster/helm-deployments/gcp.mdx) ### `highAvailability` @@ -864,7 +864,7 @@ Set to a number higher than `1` for a high availability mode where multiple Tele When using `custom` mode, you **must** use highly-available storage (e.g. etcd, DynamoDB or Firestore) for multiple replicas to be supported. - [Information on supported Teleport storage backends](../reference/backends.mdx) + [Information on supported Teleport storage backends](../../reference/backends.mdx) Manually configuring NFS-based storage or `ReadWriteMany` volume claims is **NOT** supported for an HA deployment and will result in errors. 
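Review bot: In the `gcp` table of the `@@ -826,17 +826,17 @@` hunk, the "Using Firestore" link still targets `backends.mdx#dynamodb`; only the path prefix was updated, so the link lands on the DynamoDB section. While this line is being touched, point it at the Firestore section anchor of `../../reference/backends.mdx` (check the heading slug in that file), the same way the adjacent "Using GCS" link targets `#gcs`.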
@@ -988,7 +988,7 @@ cluster deployed in HA mode. You must install and configure `cert-manager` in your Kubernetes cluster yourself. See the [cert-manager Helm install instructions](https://cert-manager.io/docs/installation/kubernetes/#option-2-install-crds-as-part-of-the-helm-release) - and the relevant sections of the [AWS](../helm-deployments/aws.mdx#step-47-configure-tls-certificates-for-teleport) and [GCP](../helm-deployments/gcp.mdx#step-47-install-and-configure-cert-manager) guides for more information. + and the relevant sections of the [AWS](../../deploy-a-cluster/helm-deployments/aws.mdx#step-47-configure-tls-certificates-for-teleport) and [GCP](../../deploy-a-cluster/helm-deployments/gcp.mdx#step-47-install-and-configure-cert-manager) guides for more information. ### `highAvailability.certManager.addCommonName` @@ -1003,7 +1003,7 @@ Setting `highAvailability.certManager.addCommonName` to `true` will instruct `ce You must install and configure `cert-manager` in your Kubernetes cluster yourself. See the [cert-manager Helm install instructions](https://cert-manager.io/docs/installation/kubernetes/#option-2-install-crds-as-part-of-the-helm-release) - and the relevant sections of the [AWS](../helm-deployments/aws.mdx#step-47-configure-tls-certificates-for-teleport) and [GCP](../helm-deployments/gcp.mdx#step-47-install-and-configure-cert-manager) guides for more information. + and the relevant sections of the [AWS](../../deploy-a-cluster/helm-deployments/aws.mdx#step-47-configure-tls-certificates-for-teleport) and [GCP](../../deploy-a-cluster/helm-deployments/gcp.mdx#step-47-install-and-configure-cert-manager) guides for more information. 
@@ -1037,7 +1037,7 @@ Sets the name of the `cert-manager` `Issuer` or `ClusterIssuer` to use for issui You must install configure an appropriate `Issuer` supporting a DNS01 challenge yourself. Please see the [cert-manager DNS01 docs](https://cert-manager.io/docs/configuration/acme/dns01/#supported-dns01-providers) and the relevant sections - of the [AWS](../helm-deployments/aws.mdx#step-47-configure-tls-certificates-for-teleport) and [GCP](../helm-deployments/gcp.mdx#step-47-install-and-configure-cert-manager) guides for more information. + of the [AWS](../../deploy-a-cluster/helm-deployments/aws.mdx#step-47-configure-tls-certificates-for-teleport) and [GCP](../../deploy-a-cluster/helm-deployments/gcp.mdx#step-47-install-and-configure-cert-manager) guides for more information. @@ -1310,7 +1310,7 @@ Possible values are `text` (default) or `json`. `log.extraFields` sets the fields used in logging for the Teleport process. -See the [Teleport config file reference](../reference/config.mdx) for more details on possible values for `extra_fields`. +See the [Teleport config file reference](../../reference/config.mdx) for more details on possible values for `extra_fields`. diff --git a/docs/pages/setup/helm-reference/teleport-kube-agent.mdx b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx similarity index 99% rename from docs/pages/setup/helm-reference/teleport-kube-agent.mdx rename to docs/pages/reference/helm-reference/teleport-kube-agent.mdx index 8bbdf581debf9..c4c601ea900d6 100644 --- a/docs/pages/setup/helm-reference/teleport-kube-agent.mdx +++ b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx 
@@ -446,7 +446,7 @@ Normally the version of Teleport being used will match the version of the chart You can optionally override this to use a different published Teleport Docker image tag like `6.0.2` or `7`. -See [this link for information on Community Docker image versions](../../setup/guides/docker.mdx#step-14-pick-your-image). +See [this link for information on Community Docker image versions](../../management/guides/docker.mdx#step-14-pick-your-image). The `teleport-kube-agent` chart always runs using Teleport Community edition as it does not require any Enterprise features, so it does @@ -475,7 +475,7 @@ See [this link for information on Community Docker image versions](../../setup/g When `caPin` is set, the Teleport pod will use its values to check the Auth Service's identity when first joining a cluster. This enables a more secure way of adding new Teleport instances to a cluster. See -["Adding Nodes to the Cluster"](../../setup/admin/adding-nodes.mdx). +["Adding Nodes to the Cluster"](../../management/admin/adding-nodes.mdx). Each list element can be the pin itself (recommended, works out of the box), or a path to a file containing the pin. For the latter it is your @@ -635,7 +635,7 @@ These labels can then be used with Teleport's RBAC policies to define access rul To set labels for applications, add a `labels` element to the [`apps`](#apps) section. To set labels for databases, add a `static_labels` element to the [`databases`](#databases) section. - For more information on how to set static/dynamic labels for Teleport services, see [labelling nodes and applications](../../setup/admin/labels.mdx). + For more information on how to set static/dynamic labels for Teleport services, see [labelling nodes and applications](../../management/admin/labels.mdx). 
@@ -1119,7 +1119,7 @@ Possible values are `text` (default) or `json`. `log.extraFields` sets the fields used in logging for the Teleport process. -See the [Teleport config file reference](../../setup/reference/config.mdx) for more details on possible values for `extra_fields`. +See the [Teleport config file reference](../../reference/config.mdx) for more details on possible values for `extra_fields`. diff --git a/docs/pages/setup/reference/metrics.mdx b/docs/pages/reference/metrics.mdx similarity index 100% rename from docs/pages/setup/reference/metrics.mdx rename to docs/pages/reference/metrics.mdx diff --git a/docs/pages/setup/reference/networking.mdx b/docs/pages/reference/networking.mdx similarity index 98% rename from docs/pages/setup/reference/networking.mdx rename to docs/pages/reference/networking.mdx index eec64161bba19..214e2884c874b 100644 --- a/docs/pages/setup/reference/networking.mdx +++ b/docs/pages/reference/networking.mdx @@ -130,7 +130,7 @@ numbers for each service. TLS routing is enabled by default. In this mode, all connections to a Teleport service (e.g., the Teleport SSH Service or Kubernetes) are routed through the Proxy Service's public web address. -Read more in our [TLS Routing](../../architecture/tls-routing.mdx) guide. +Read more in our [TLS Routing](../architecture/tls-routing.mdx) guide. | Port | Service | Description | | - | - | - | @@ -201,7 +201,7 @@ than through a port allocated to that service. In this case, you can see that TLS routing is enabled, and that the Proxy Service's public web address (`ssh.public_addr`) is `mytenant.teleport.sh:443`. -Read more in our [TLS Routing](../../architecture/tls-routing.mdx) guide. +Read more in our [TLS Routing](../architecture/tls-routing.mdx) guide. 
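Review bot: In `teleport-kube-agent.mdx`, hunk `@@ -1119,7 +1119,7 @@`, the new link `../../reference/config.mdx` climbs out of `reference/` and straight back into it now that the file lives in `docs/pages/reference/helm-reference/`. It resolves, but `../config.mdx` is the direct form and matches how the `networking.mdx` hunks shortened `../../architecture/tls-routing.mdx` to `../architecture/tls-routing.mdx` after the same move.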
diff --git a/docs/pages/setup/reference/predicate-language.mdx b/docs/pages/reference/predicate-language.mdx similarity index 96% rename from docs/pages/setup/reference/predicate-language.mdx rename to docs/pages/reference/predicate-language.mdx index d287a12d1fa95..25eecc6c38d2e 100644 --- a/docs/pages/setup/reference/predicate-language.mdx +++ b/docs/pages/reference/predicate-language.mdx @@ -15,8 +15,8 @@ The predicate language uses a slightly different syntax depending on whether it Some fields in Teleport's role resources use the predicate language to define the scope of a role's permissions: -- [Dynamic Impersonation](../../access-controls/guides/impersonation.mdx#filter-fields) -- [RBAC for sessions](../../access-controls/reference.mdx#filter-fields) +- [Dynamic Impersonation](../access-controls/guides/impersonation.mdx#filter-fields) +- [RBAC for sessions](../access-controls/reference.mdx#filter-fields) When used in role resources, the predicate language supports the following operators: diff --git a/docs/pages/setup/reference/resources.mdx b/docs/pages/reference/resources.mdx similarity index 96% rename from docs/pages/setup/reference/resources.mdx rename to docs/pages/reference/resources.mdx index fa97c0d8a002e..fc63d35eb9ba3 100644 --- a/docs/pages/setup/reference/resources.mdx +++ b/docs/pages/reference/resources.mdx 
@@ -116,9 +116,9 @@ Here's the list of resources currently exposed via [`tctl`](./cli.mdx#tctl): | - | - | | [user](#user) | A user record in the internal Teleport user DB. | | [role](#role) | A role assumed by interactive and non-interactive users. | -| connector | Authentication connectors for [Single Sign-On](../../enterprise/sso.mdx) (SSO) for SAML, OIDC and GitHub. | +| connector | Authentication connectors for [Single Sign-On](../access-controls/sso.mdx) (SSO) for SAML, OIDC and GitHub. | | node | A registered SSH node. The same record is displayed via `tctl nodes ls` | -| cluster | A trusted cluster. See [here](../../setup/admin/trustedclusters.mdx) for more details on connecting clusters together. | +| cluster | A trusted cluster. See [here](../management/admin/trustedclusters.mdx) for more details on connecting clusters together. | **Examples:** diff --git a/docs/pages/setup/reference/signals.mdx b/docs/pages/reference/signals.mdx similarity index 100% rename from docs/pages/setup/reference/signals.mdx rename to docs/pages/reference/signals.mdx diff --git a/docs/pages/setup/reference/terraform-provider.mdx b/docs/pages/reference/terraform-provider.mdx similarity index 100% rename from docs/pages/setup/reference/terraform-provider.mdx rename to docs/pages/reference/terraform-provider.mdx diff --git a/docs/pages/server-access/getting-started.mdx b/docs/pages/server-access/getting-started.mdx index 2181dfae1e2c2..46d16f577bdce 100644 --- a/docs/pages/server-access/getting-started.mdx +++ b/docs/pages/server-access/getting-started.mdx 
@@ -346,13 +346,13 @@ Feel free to shut down, clean up, and delete your resources, or use them in furt ## Next steps -- Learn more about Teleport `tsh` through the [reference documentation](../setup/reference/cli.mdx#tsh-ssh). +- Learn more about Teleport `tsh` through the [reference documentation](../set../../reference/cli.mdx#tsh-ssh). - Learn more about [Teleport Nodes](../architecture/nodes.mdx#connecting-to-nodes) -- For a complete list of ports used by Teleport, read [The Admin Guide](../setup/reference/networking.mdx). +- For a complete list of ports used by Teleport, read the [Networking Guide](../reference/networking.mdx). ## Resources - [Setting Up an SSH Bastion Host](https://goteleport.com/blog/ssh-bastion-host/) - [Announcing Teleport SSH Server](https://goteleport.com/blog/announcing-teleport-ssh-server/) - [How to SSH properly](https://goteleport.com/blog/how-to-ssh-properly/) - Consider whether [OpenSSH or Teleport SSH](https://goteleport.com/blog/openssh-vs-teleport/) is right for you. -- [Labels](../setup/admin/labels.mdx) +- [Labels](../management/admin/labels.mdx) diff --git a/docs/pages/server-access/guides/bpf-session-recording.mdx b/docs/pages/server-access/guides/bpf-session-recording.mdx index 02f211ed2804d..c13abdbe95654 100644 --- a/docs/pages/server-access/guides/bpf-session-recording.mdx +++ b/docs/pages/server-access/guides/bpf-session-recording.mdx @@ -282,4 +282,4 @@ Sessions with Enhanced Session Recording will include the - Read more about [session recording](../../architecture/nodes.mdx#ssh-session-recording). - See all configuration options for Enhanced Session Recording in our - [Configuration Reference](../../setup/reference/config.mdx). + [Configuration Reference](../../reference/config.mdx). diff --git a/docs/pages/server-access/guides/recording-proxy-mode.mdx b/docs/pages/server-access/guides/recording-proxy-mode.mdx index 99c6812d23fad..b1d633978a3d5 100644 --- a/docs/pages/server-access/guides/recording-proxy-mode.mdx 
+++ b/docs/pages/server-access/guides/recording-proxy-mode.mdx @@ -39,7 +39,7 @@ The Teleport Proxy Service should be available to clients and set up with TLS. - A running Teleport cluster. For details on how to set this up, see [Getting - Started on a Linux Server](../../getting-started/linux-server.mdx). + Started on a Linux Server](../../deploy-a-cluster/open-source.mdx). - The `tctl` admin tool version >= (=teleport.version=). @@ -57,7 +57,7 @@ The Teleport Proxy Service should be available to clients and set up with TLS. scope={["enterprise"]} label="Enterprise"> - A running Teleport cluster. For details on setting this up, see our - [Enterprise getting started guide](../../enterprise/getting-started.mdx). + [Enterprise getting started guide](../../deploy-a-cluster/teleport-enterprise/getting-started.mdx). - The `tctl` admin tool version >= (=teleport.version=), which you can download by visiting the diff --git a/docs/pages/server-access/guides/restricted-session.mdx b/docs/pages/server-access/guides/restricted-session.mdx index f1ca2319cc1ca..b0bb5eb8b6667 100644 --- a/docs/pages/server-access/guides/restricted-session.mdx +++ b/docs/pages/server-access/guides/restricted-session.mdx @@ -190,5 +190,5 @@ Enhanced Recording sets the `action` to `0` (`OBSERVED`) while a Restricted Sess ## Next steps -- See the [Teleport Configuration Reference](../../setup/reference/config.mdx) for more -information on configuring Restricted Sessions. \ No newline at end of file +- See the [Teleport Configuration Reference](../../reference/config.mdx) for more +information on configuring Restricted Sessions. diff --git a/docs/pages/server-access/guides/ssh-pam.mdx b/docs/pages/server-access/guides/ssh-pam.mdx index b91d55b7df7c5..3ec760007f6e1 100644 --- a/docs/pages/server-access/guides/ssh-pam.mdx +++ b/docs/pages/server-access/guides/ssh-pam.mdx 
@@ -267,7 +267,7 @@ even biometrics. Note that Teleport enables strong SSH authentication out of the box using certificates. For most users, hardening [the initial Teleport -authentication](../../setup/reference/authentication.mdx) (e.g. `tsh login`) is preferred. +authentication](../../reference/authentication.mdx) (e.g. `tsh login`) is preferred. By default, `auth` modules are not used to avoid the default system behavior (usually using local Unix passwords). You can enable them by setting diff --git a/docs/pages/setup/reference.mdx b/docs/pages/setup/reference.mdx deleted file mode 100644 index cfc5cd96bd8a5..0000000000000 --- a/docs/pages/setup/reference.mdx +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: Setup Reference -description: Teleport Installation and Configuration Reference. -layout: tocless-doc ---- - -
    -
  • - [Config Resources](./reference/resources.mdx). Dynamic cluster configuration resources. -
  • -
  • - [Config File](./reference/config.mdx). Teleport daemon static configuration file. -
  • -
  • - [Terraform Provider](./reference/terraform-provider.mdx). Configuration resources and parameters supported by terraform provider. -
  • -
  • - [CLI](./reference/cli.mdx). Command line flags and parameters. -
  • -
  • - [Metrics](./reference/metrics.mdx). Prometheus metrics. -
  • -
  • - [Audit Records](./reference/audit.mdx). Audit events and records. -
  • -
  • - [Authentication](./reference/authentication.mdx). Cluster authentication options. -
  • - -
  • - [Backends](./reference/backends.mdx). Supported storage backends. -
  • -
    -
  • - [Networking](./reference/networking.mdx). Ports, protocols and networking requirements. -
  • -
  • - [Signals](./reference/signals.mdx). Signals you can send to the `teleport` daemon. -
  • -
  • - [Predicate Language](./reference/predicate-language.mdx). The language used to define filter conditions. -
  • -
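Review bot: In `docs/pages/server-access/getting-started.mdx`, hunk `@@ -346,13 +346,13 @@`, the first "Next steps" bullet now links to `../set../../reference/cli.mdx#tsh-ssh`, which looks like a botched replacement of `../setup/reference/` and does not point at `docs/pages/reference/cli.mdx`. The other links added in the same hunk use `../reference/networking.mdx` and `../management/admin/labels.mdx`, so this one should be `../reference/cli.mdx#tsh-ssh`.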
diff --git a/docs/pages/try-out-teleport/browser-labs.mdx b/docs/pages/try-out-teleport/browser-labs.mdx new file mode 100644 index 0000000000000..8c8ac1388ebf6 --- /dev/null +++ b/docs/pages/try-out-teleport/browser-labs.mdx @@ -0,0 +1,36 @@ +--- +title: Teleport Labs +description: Try out Teleport with these hands-on, browser-based labs. +layout: tocless-doc +--- + +You can quickly try out some of Teleport's key features from your browser. + +Choose one of our interactive learning tracks, which are hosted by Instruqt: + + + + + Explore the basics of interacting with a Teleport cluster, including `tctl`, + the Web UI, `tsh`, and session auditing. + + + + + Try Teleport Application Access, which gives you secure access to your + internal web applications. + + + + + Try Teleport Server Access, which makes it easier to configure onboarding, + RBAC, and auditing for SSH connections to remote hosts. + + + + + Try Teleport Kubernetes Access, which provides advanced RBAC controls and + auditing for `kubectl` commands. + + + diff --git a/docs/pages/getting-started/docker-compose.mdx b/docs/pages/try-out-teleport/docker-compose.mdx similarity index 96% rename from docs/pages/getting-started/docker-compose.mdx rename to docs/pages/try-out-teleport/docker-compose.mdx index 164bfb98a8c8c..792875cb20da1 100644 --- a/docs/pages/getting-started/docker-compose.mdx +++ b/docs/pages/try-out-teleport/docker-compose.mdx @@ -15,17 +15,17 @@ like to set up Teleport for production usage, please see: -[Getting Started on a Linux Server](./linux-server.mdx) +[Getting Started on a Linux Server](../deploy-a-cluster/open-source.mdx) -[Getting Started](../cloud/getting-started.mdx) +[Getting Started](../deploy-a-cluster/teleport-cloud/getting-started.mdx) -[Getting Started](../enterprise/getting-started.mdx) +[Getting Started](../deploy-a-cluster/teleport-enterprise/getting-started.mdx) 
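Review bot: In `docker-compose.mdx`, hunk `@@ -15,17 +15,17 @@`, the link label "Getting Started on a Linux Server" is kept while its target changes from `./linux-server.mdx` to `../deploy-a-cluster/open-source.mdx`. Check that the label still matches the title of the page at the new path and update it if the guide was retitled as part of the move; the `recording-proxy-mode.mdx` hunk carries the same label and target pair.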
@@ -146,7 +146,7 @@ Port `443` on the Teleport container is published to the local host, so you can - Learn about [Teleport Access Controls](../access-controls/getting-started.mdx). - Get started with [Teleport Session Recording](../server-access/guides/bpf-session-recording.mdx). - Try out one of our [Database Access Guides](../database-access/guides.mdx). -- For Kubernetes environments, try out one of our [Helm Guides](../setup/helm-deployments.mdx). +- For Kubernetes environments, try out one of our [Helm Guides](../deploy-a-cluster/helm-deployments.mdx). ## Under the hood diff --git a/docs/pages/getting-started/local-kubernetes.mdx b/docs/pages/try-out-teleport/local-kubernetes.mdx similarity index 99% rename from docs/pages/getting-started/local-kubernetes.mdx rename to docs/pages/try-out-teleport/local-kubernetes.mdx index 3bcfc9a17ea26..f4f6580d11411 100644 --- a/docs/pages/getting-started/local-kubernetes.mdx +++ b/docs/pages/try-out-teleport/local-kubernetes.mdx @@ -380,7 +380,7 @@ Kubernetes cluster, read our guides to setting up Teleport for Kubernetes in production. - Get started with Teleport on AWS EKS: [Running an HA Teleport cluster using - AWS, EKS, and Helm](../setup/helm-deployments/aws.mdx) + AWS, EKS, and Helm](../deploy-a-cluster/helm-deployments/aws.mdx) - Manage access to your Kubernetes cluster with the Teleport Kubernetes Service: [Connect Kubernetes Cluster to Teleport](../kubernetes-access/getting-started.mdx) - Integrate Teleport with your SSO provider: