
Update dev-ai with the latest master#24239

Merged
jakule merged 80 commits into dev-ai from jakule/dev-ai-master-0406
Apr 10, 2023

Conversation

@jakule
Contributor

@jakule jakule commented Apr 6, 2023

Merge instead of rebase to not alter dev-ai history. I couldn't fast forward because of merge conflicts.

marcoandredinis and others added 30 commits March 31, 2023 15:17
* Metrics: add IsSSO to Discover Events

* review pt1

* use services.UserGetter interface

* godocs, renamings

* add isSSO to user identity

* remove ctx from convert

* add godocs to usermetadata fields

* add UserType enum
* Integration resource: add types and grpc methods

This commit adds the new types for Integration resource.
It also adds the gRPC methods that will be used later on for:
- Integrations CRUD management
- Integrations resource caching

* decouple integration service from auth

* return resource on CRU operations

* Add OneOf prop to distinguish Integrations subkind

* Version subkind spec

* godocs
* refactor(windows): use CA type to define CRL path

* chore(windows): update updateCRL comment

* chore(windows): fix imports
* Fix Flaky Tests Detector bypass on merge queue

* Do not run fld in the mq

---------

Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* Implement `tctl create -f` for devices

* Update e/ reference
Instead of returning and aborting a session if an unknown request
is received servers now log the warning and continue on.
* Use OpenSSL 3.0.x (buildbox)

* Use OpenSSL 3.0.x (buildbox-centos7)

* Use OpenSSL 3.0.x (macOS)
* Respect route exactness in TopNav

* Allow submitting CSRF token via form

* Skip "safe" methods in CSRF checks

* Export getXCSRFToken

* Add WithAuth2

* Passthrough "name" of FieldInput

Allows it to be used in an actual form

* icomoon: add hashtag icon

* Add GetAvailablePluginTypes to PluginService proto

* Expose ProxyPublicAddr

For use in Enterprise web Plugin

* Run prettier

* Factor out app.MetaRedirect

* Rename: WithAuth2 -> WithAuthCookieAndCSRF

* Run GCI

* Renegerate protos
When gravitational/teleport-plugins imports this test suite
in CI, the repo root gravitational/teleport/... is not writable.

This uses GitHub's `RUNNER_TEMP` instead, if it is set.
* kube-updater: write main function, fix scheme, reduce grace period

* fixup! kube-updater: write main function, fix scheme, reduce grace period

* Address feedback

* Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

---------

Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* Add Flaky Bypass before merging

* edit to descriptions
…23575)

* Add advisory and troubleshooting on non-tls mode for machineid kube

* Apply suggestions from code review

Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>

---------

Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
When the web UI was updated to dial by UUID instead of hostname,
access denied errors started to surface a UUID that is not visible
in the UI. Where possible, pass through the node name so that we
can raise a better error.
* chore: Bump libfido2 from 1.12.0 to 1.13.0

* Bump OpenSSL on Dockerfile-multiarch
This was originally added as part of #15761, but removed during
the review cycle.

Closes #20016
See #21305

In order to standardize the docs around connecting Teleport services to
the Proxy Service, rather than the Auth Service, change Event Handler
guides to remove instructions for connecting to the Auth Service.

This includes modifying partials used by the Access Request plugin
guides so they work for the Event Handler guides as well.
* Prevent tunneling if the os login doesn't exist

A user.Lookup was added to srv.RunForward to prevent dialing
and forwarding any data if the os login is not found. The check
alone only terminates the direct-tcpip ssh channel and not the
underlying ssh connection.

In order for the parent process to determine if the ssh connection
should be terminated it needs to know why the child exited. That was
not possible by looking at the exit code and any data written to
standard error of the child process was forwarded to standard error
on the parent; which was used to simply log the error and move on.
To pass more detailed errors to the parent, the child process spawned
by srv.RunForward now json marshals the trace.Error to standard
error which is then decoded by the parent process. If the parent
detects the error was due to a missing user it terminates the ssh
connection.

tsh ssh -N was also modified to terminate if the command context
of tsh OR the ssh connection to the node is closed. Prior, it
only terminated if the user cancelled the process by blocking on
ctx.Done(). While this was necessary to end the session if the os
login does not exist, it also forces tsh to exit if the node
goes offline.

Note: This does not include any propagation of error messages to the user,
so there won't be any indication from tsh about why the connection was closed.
The session also will not be terminated until the first attempt to forward data and
NOT when the session is created due to the way -N is implemented.

Fixes #217

* Prevent unauthorized access to kube clusters by upserting kube_servers

This PR changes the behavior of the kubernetes_service when validating access
to kubernetes clusters. Previously, the kubernetes_service would use the first
kubernetes cluster it found in the Auth server backend to validate access. This was
problematic because if the first kubernetes cluster was upserted with
the same name as a kubernetes cluster the user was trying to access but
with different labels, the user would be able to access the cluster even
though they shouldn't be able to.

This PR changes the behavior of the kubernetes_service to use the
in memory kubernetes cluster representation used for heartbeats
instead of relying on the information received from the auth server. This would
block the user from accessing the cluster if the cluster was upserted
with a different set of labels since the kubernetes_service would not
have the updated labels in memory and would deny access.

Fixes #469

---------

Co-authored-by: Tim Ross <tim.ross@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Update the e ref to make sure that e CI will run properly with the recent
OSS Okta changes.
* Add a guide to creating Teleport roles via the API

See #19716

This guide uses a small demo application to show how to create Teleport
roles based on an external RBAC system. The demo revolves around a local
`minikube` cluster. I chose this approach because Teleport works well
with Kubernetes RBAC, and Kubernetes RBAC resources are pretty
straightforward to set up locally.

* Based the guide on a program in the examples dir

* Respond to zmb3 PR feedback

* Run make fix-license

* Respond to PR feedback

* Respond to alexfornuto feedback
This change adds documentation for Azure VM auto-joining.
An idle timeout of 6m keeps web api connections open too long on
Proxies that have any agents which do not have the changes from
#22832. Because the http.Server.IdleTimeout is set on all release
versions now, even when built with go1.19, we experience this issue
because we no longer exercise the bug that was fixed in go1.20.
This is useful for making private test builds.
* Add Docker Hub login to kubernetes pipelines

After moving Drone to AWS, we're seeing image pulls get rate limited
because they're all coming from the same IP (an AWS NAT gateway).

To avoid this, we refactor pipelines to cache/reuse images where
possible, as well as add authentication to dockerhub pulls.

* Drop dockerVolumes and dockerVolumeRefs

We don't actually consistently want these in all places. E.g. parallel
pipelines cannot share a volumeRefDockerConfig, as they'll stomp on each
other's login information.

* Remove shared docker config from parallel pipelines

A shared volume results in the different steps racing against each
other.

* Remove docker config from relcli steps

We don't actually pull from dockerhub in these steps.

* Fix typos

Co-authored-by: Reed Loden <reed@goteleport.com>
Co-authored-by: Walt <walt@goteleport.com>

---------

Co-authored-by: Trent Clarke <trent@goteleport.com>
Co-authored-by: Reed Loden <reed@goteleport.com>
Update the build scripts to properly set up the key for signing packages
using `productsign`, and parameterise the bundle ID for packages in the
packaging scripts.
RFD for the new credentials forwarding mechanism for Kubernetes access.
This RFD pretends to drop the requirement of keeping the cert-key pair
in cache for each user that accesses the cluster.

Part of #21609
* athena audit logs - config

* use sqs timeout as duration

* compile regexp once

* Rename to QueueURL

* add aws docs and comments

* update log description

* add license

* rename getQueryResultsInterval

* use aws sdk v2
@github-actions github-actions Bot added helm kubernetes-access rfd Request for Discussion size/xl tctl tctl - Teleport admin tool tsh tsh - Teleport's command line tool for logging into nodes running Teleport. ui labels Apr 6, 2023
@russjones russjones removed the rfd Request for Discussion label Apr 7, 2023
@jakule jakule merged commit 52c92fa into dev-ai Apr 10, 2023
@jakule jakule deleted the jakule/dev-ai-master-0406 branch April 10, 2023 14:23