gravitational · jakule · Apr 10, 2023 · Mar 31, 2023 · Mar 31, 2023 · Mar 31, 2023
diff --git a/.drone.yml b/.drone.yml
diff --git a/.github/ISSUE_TEMPLATE/testplan.md b/.github/ISSUE_TEMPLATE/testplan.md
@@ -30,7 +30,7 @@ as well as an upgrade of the previous version of Teleport.
 
 - [ ] RBAC
 
-  Make sure that invalid and valid attempts are reflected in audit log.
+  Make sure that invalid and valid attempts are reflected in audit log. Do this with both Teleport and [Agentless nodes](https://goteleport.com/docs/server-access/guides/openssh/).
 
   - [ ] Successfully connect to node with correct role
   - [ ] Unsuccessfully connect to a node in a role restricting access by label
@@ -166,33 +166,57 @@ as well as an upgrade of the previous version of Teleport.
 
   - [ ] tsh ssh \<regular-node\>
   - [ ] tsh ssh \<node-remote-cluster\>
+  - [ ] tsh ssh \<agentless-node\>
+  - [ ] tsh ssh \<agentless-node-remote-cluster\>
   - [ ] tsh ssh -A \<regular-node\>
   - [ ] tsh ssh -A \<node-remote-cluster\>
+  - [ ] tsh ssh -A \<agentless-node\>
+  - [ ] tsh ssh -A \<agentless-node-remote-cluster\>
   - [ ] tsh ssh \<regular-node\> ls
   - [ ] tsh ssh \<node-remote-cluster\> ls
+  - [ ] tsh ssh \<agentless-node\> ls
+  - [ ] tsh ssh \<agentless-node-remote-cluster\> ls
   - [ ] tsh join \<regular-node\>
   - [ ] tsh join \<node-remote-cluster\>
+  - [ ] tsh join \<agentless-node\>
+  - [ ] tsh join \<agentless-node-remote-cluster\>
   - [ ] tsh play \<regular-node\>
   - [ ] tsh play \<node-remote-cluster\>
+  - [ ] tsh play \<agentless-node\>
+  - [ ] tsh play \<agentless-node-remote-cluster\>
   - [ ] tsh scp \<regular-node\>
   - [ ] tsh scp \<node-remote-cluster\>
+  - [ ] tsh scp \<agentless-node\>
+  - [ ] tsh scp \<agentless-node-remote-cluster\>
   - [ ] tsh ssh -L \<regular-node\>
   - [ ] tsh ssh -L \<node-remote-cluster\>
+  - [ ] tsh ssh -L \<agentless-node\>
+  - [ ] tsh ssh -L \<agentless-node-remote-cluster\>
   - [ ] tsh ls
   - [ ] tsh clusters
 
 - [ ] Interact with a cluster using `ssh`
    Make sure to test both recording and regular proxy modes.
   - [ ] ssh \<regular-node\>
   - [ ] ssh \<node-remote-cluster\>
+  - [ ] ssh \<agentless-node\>
+  - [ ] ssh \<agentless-node-remote-cluster\>
   - [ ] ssh -A \<regular-node\>
   - [ ] ssh -A \<node-remote-cluster\>
+  - [ ] ssh -A \<agentless-node\>
+  - [ ] ssh -A \<agentless-node-remote-cluster\>
   - [ ] ssh \<regular-node\> ls
   - [ ] ssh \<node-remote-cluster\> ls
+  - [ ] ssh \<agentless-node\> ls
+  - [ ] ssh \<agentless-node-remote-cluster\> ls
   - [ ] scp \<regular-node\>
   - [ ] scp \<node-remote-cluster\>
+  - [ ] scp \<agentless-node\>
+  - [ ] scp \<agentless-node-remote-cluster\>
   - [ ] ssh -L \<regular-node\>
   - [ ] ssh -L \<node-remote-cluster\>
+  - [ ] ssh -L \<agentless-node\>
+  - [ ] ssh -L \<agentless-node-remote-cluster\>
 
 - [ ] Verify proxy jump functionality
   Log into leaf cluster via root, shut down the root proxy and verify proxy jump works.
@@ -206,6 +230,7 @@ as well as an upgrade of the previous version of Teleport.
 - [ ] Interact with a cluster using the Web UI
   - [ ] Connect to a Teleport node
   - [ ] Connect to a OpenSSH node
+  - [ ] Connect to a Agentless node
   - [ ] Check agent forwarding is correct based on role and proxy mode.
 
 - [ ] `tsh` CA loading
@@ -241,12 +266,18 @@ interactive sessions the 12 combinations are below.
 - [ ] Connect to a OpenSSH node in a local cluster using OpenSSH.
 - [ ] Connect to a OpenSSH node in a local cluster using Teleport.
 - [ ] Connect to a OpenSSH node in a local cluster using the Web UI.
+- [ ] Connect to an Agentless node in a local cluster using OpenSSH.
+- [ ] Connect to an Agentless node in a local cluster using Teleport.
+- [ ] Connect to an Agentless node in a local cluster using the Web UI.
 - [ ] Connect to a Teleport node in a local cluster using OpenSSH.
 - [ ] Connect to a Teleport node in a local cluster using Teleport.
 - [ ] Connect to a Teleport node in a local cluster using the Web UI.
 - [ ] Connect to a OpenSSH node in a remote cluster using OpenSSH.
 - [ ] Connect to a OpenSSH node in a remote cluster using Teleport.
 - [ ] Connect to a OpenSSH node in a remote cluster using the Web UI.
+- [ ] Connect to an Agentless node in a remote cluster using OpenSSH.
+- [ ] Connect to an Agentless node in a remote cluster using Teleport.
+- [ ] Connect to an Agentless node in a remote cluster using the Web UI.
 - [ ] Connect to a Teleport node in a remote cluster using OpenSSH.
 - [ ] Connect to a Teleport node in a remote cluster using Teleport.
 - [ ] Connect to a Teleport node in a remote cluster using the Web UI.

@@ -14,6 +14,7 @@ run-name: Skip Build on Mac OS
 on:
   pull_request:
     paths-ignore:
+      - '.github/workflows/build-macos.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
@@ -22,8 +23,10 @@ on:
       - 'Cargo.lock'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
   merge_group:
     paths-ignore:
+      - '.github/workflows/build-macos.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
@@ -32,6 +35,7 @@ on:
       - 'Cargo.lock'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
 
 jobs:
   build:

@@ -4,6 +4,7 @@ run-name: Build on Mac OS
 on:
   pull_request:
     paths:
+      - '.github/workflows/build-macos.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
@@ -12,8 +13,10 @@ on:
       - 'Cargo.lock'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
   merge_group:
     paths:
+      - '.github/workflows/build-macos.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
@@ -22,6 +25,7 @@ on:
       - 'Cargo.lock'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
 
 jobs:
   build:
@@ -36,15 +40,37 @@ jobs:
       - name: Checkout Teleport
         uses: actions/checkout@v3
 
-      - name: Get Go version
-        id: go-version
-        shell: bash
-        run: echo "go-version=$(make --no-print-directory print-go-version | tr -d '\n')" >> $GITHUB_OUTPUT
+      - name: Determine Toolchain Versions and cache paths
+        run: |
+          echo NODE_VERSION=$(make -C build.assets print-node-version) >> $GITHUB_ENV
+          echo GOLANG_VERSION=$(make -C build.assets print-go-version | sed 's/^go//') >> $GITHUB_ENV
+          echo RUST_VERSION=$(make -C build.assets print-rust-version) >> $GITHUB_ENV
+          echo PKG_CONFIG_PATH="$(build.assets/build-fido2-macos.sh pkg_config_path)" >> $GITHUB_ENV
 
-      - name: Setup Go
+      - name: Print versions
+        run: |
+          echo "make: $(make --version)"
+          echo "node: ${NODE_VERSION}"
+          echo "go: ${GOLANG_VERSION}"
+          echo "rust: ${RUST_VERSION}"
+
+      - name: Install Node Toolchain
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: Setup yarn
+        run: |
+          corepack enable yarn
+
+      - name: Install Go Toolchain
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ steps.go-version.outputs.go-version }}
+          go-version: ${{ env.GOLANG_VERSION }}
+
+      - name: Configure Rust Toolchain
+        run: |
+          rustup override set ${{ env.RUST_VERSION }}
 
       - name: Build
         run: make binaries
@@ -16,20 +16,24 @@ on:
     # We only build tsh on Windows so only consider Go code as tsh doesn't
     # run any Rust.
     paths-ignore:
+      - '.github/workflows/build-windows.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
   merge_group:
     # We only build tsh on Windows so only consider Go code as tsh doesn't
     # run any Rust.
     paths-ignore:
+      - '.github/workflows/build-windows.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
 
 jobs:
   build:

@@ -6,20 +6,24 @@ on:
     # We only build tsh on Windows so only consider Go code as tsh doesn't
     # run any Rust.
     paths:
+      - '.github/workflows/build-windows.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
   merge_group:
     # We only build tsh on Windows so only consider Go code as tsh doesn't
     # run any Rust.
     paths:
+      - '.github/workflows/build-windows.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
 
 jobs:
   build:

@@ -1,21 +1,20 @@
 # This workflow is required to ensure that required Github check passes even if
-# the actual "Flaky Tests Detector" workflow is skipped due to path filtering.
-# Otherwise it will stay forever pending.
+# the actual "Flaky Tests Detector" workflow is skipped due to path filtering. Otherwise
+# it will stay forever pending.  Another bypass is used for the merge queue.
 #
 # See "Handling skipped but required checks" for more info:
 #
 # https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
 #
 # Note both workflows must have the same name.
-
 name: Flaky Tests Detector
-run-name: Skip Flaky Tests Detector - ${{ github.run_id }} - @${{ github.actor }}
+run-name: Flaky Tests Detector
 
 on:
   pull_request:
     paths-ignore:
       - '**.go'
-
+      - '.github/workflows/flaky-tests.yaml'
 jobs:
   test:
     name: Flaky Tests Detector

@@ -0,0 +1,25 @@
+# This check runs only on PRs that are in the merge queue.
+#
+# PRs in the merge queue have already been approved but the reviewers check
+# is still required so this workflow allows the required check to succeed,
+# otherwise PRs in the merge queue would be blocked indefinitely.
+#
+# See "Handling skipped but required checks" for more info:
+#
+# https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
+#
+# Note both workflows must have the same name.
+name: Flaky Tests Detector
+on:
+  merge_group:
+
+jobs:
+  test:
+    name: Flaky Tests Detector
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+
+    steps:
+      - run: 'echo "Skipping reviewers check in merge queue"'
@@ -5,6 +5,7 @@ on:
   pull_request:
     paths:
       - '**.go'
+      - '.github/workflows/flaky-tests.yaml'
 
 jobs:
   test:

@@ -14,18 +14,22 @@ run-name: Skip Integration Tests (Non-root) - ${{ github.run_id }} - @${{ github
 on:
   pull_request:
     paths-ignore:
+      - '.github/workflows/integration-tests-non-root.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
   merge_group:
     paths-ignore:
+      - '.github/workflows/integration-tests-non-root.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
 
 jobs:
   test:

@@ -8,18 +8,22 @@ on:
       - branch/*
   pull_request:
     paths:
+      - '.github/workflows/integration-tests-non-root.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
   merge_group:
     paths:
+      - '.github/workflows/integration-tests-non-root.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
 
 jobs:
   test:

@@ -14,18 +14,22 @@ run-name: Skip Integration Tests (Root) - ${{ github.run_id }} - @${{ github.act
 on:
   pull_request:
     paths-ignore:
+      - '.github/workflows/integration-tests-root.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
   merge_group:
     paths-ignore:
+      - '.github/workflows/integration-tests-root.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
 
 jobs:
   test:

@@ -8,18 +8,22 @@ on:
       - branch/*
   pull_request:
     paths:
+      - '.github/workflows/integration-tests-root.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
   merge_group:
     paths:
+      - '.github/workflows/integration-tests-root.yaml'
       - '**.go'
       - 'go.mod'
       - 'go.sum'
       - 'build.assets/Makefile'
       - 'build.assets/Dockerfile*'
+      - 'Makefile'
 
 jobs:
   test:
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,7 @@ on: @@
       pull_request:
         paths:
           - '**.go'
+          - '.github/workflows/flaky-tests.yaml'
     jobs:
       test:
@@ Expand Down @@