gravitational · ptgott · Jun 14, 2023 · Jun 14, 2023 · Jun 14, 2023 · Jun 14, 2023
diff --git a/.drone.yml b/.drone.yml
@@ -39,7 +39,7 @@ name: push-build-linux-amd64
 environment:
   BUILDBOX_VERSION: teleport14
   GID: "1000"
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
   UID: "1000"
 trigger:
   event:
@@ -155,7 +155,7 @@ name: push-build-linux-386
 environment:
   BUILDBOX_VERSION: teleport14
   GID: "1000"
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
   UID: "1000"
 trigger:
   event:
@@ -269,7 +269,7 @@ name: push-build-linux-amd64-fips
 environment:
   BUILDBOX_VERSION: teleport14
   GID: "1000"
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
   UID: "1000"
 trigger:
   event:
@@ -387,7 +387,7 @@ name: push-build-windows-amd64
 environment:
   BUILDBOX_VERSION: teleport14
   GID: "1000"
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
   UID: "1000"
 trigger:
   event:
@@ -1042,7 +1042,7 @@ name: push-build-linux-arm
 environment:
   BUILDBOX_VERSION: teleport14
   GID: "1000"
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
   UID: "1000"
 trigger:
   event:
@@ -1479,7 +1479,7 @@ type: kubernetes
 name: build-linux-amd64-centos7
 environment:
   BUILDBOX_VERSION: teleport14
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
 trigger:
   event:
     include:
@@ -1688,7 +1688,7 @@ type: kubernetes
 name: build-linux-amd64-centos7-fips
 environment:
   BUILDBOX_VERSION: teleport14
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
 trigger:
   event:
     include:
@@ -1896,7 +1896,7 @@ type: kubernetes
 name: build-linux-amd64
 environment:
   BUILDBOX_VERSION: teleport14
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
 trigger:
   event:
     include:
@@ -2111,7 +2111,7 @@ type: kubernetes
 name: build-linux-amd64-fips
 environment:
   BUILDBOX_VERSION: teleport14
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
 trigger:
   event:
     include:
@@ -3411,7 +3411,7 @@ type: kubernetes
 name: build-linux-386
 environment:
   BUILDBOX_VERSION: teleport14
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
 trigger:
   event:
     include:
@@ -4237,7 +4237,7 @@ type: kubernetes
 name: build-linux-arm
 environment:
   BUILDBOX_VERSION: teleport14
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
 trigger:
   event:
     include:
@@ -5566,7 +5566,7 @@ type: kubernetes
 name: build-windows-amd64
 environment:
   BUILDBOX_VERSION: teleport14
-  RUNTIME: go1.20.4
+  RUNTIME: go1.20.5
 trigger:
   event:
     include:
@@ -6236,29 +6236,6 @@ steps:
     path: /var/run
   - name: dockerconfig
     path: /root/.docker
-- name: Build and push buildbox-fips
-  image: docker
-  pull: if-not-exists
-  commands:
-  - apk add --no-cache make aws-cli
-  - chown -R $UID:$GID /go
-  - aws ecr get-login-password --profile staging --region=us-west-2 | docker login
-    -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com
-  - make -C build.assets buildbox-fips
-  - docker tag public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION
-    146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
-  - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
-  - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com
-  - aws ecr-public get-login-password --profile production --region=us-east-1 | docker
-    login -u="AWS" --password-stdin public.ecr.aws
-  - docker push public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION
-  volumes:
-  - name: awsconfig
-    path: /root/.aws
-  - name: dockersock
-    path: /var/run
-  - name: dockerconfig
-    path: /root/.docker
 - name: Build and push buildbox-arm
   image: docker
   pull: if-not-exists
@@ -7051,6 +7028,66 @@ image_pull_secrets:
 # Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
 ################################################
 
+kind: pipeline
+type: kubernetes
+name: promote-teleport-hardened-amis
+trigger:
+  event:
+    include:
+    - promote
+  target:
+    include:
+    - production
+    - promote-hardened-amis
+  repo:
+    include:
+    - gravitational/*
+workspace:
+  path: /go
+clone:
+  disable: true
+steps:
+- name: Check out code
+  image: docker:git
+  pull: if-not-exists
+  commands:
+  - mkdir -pv "/go/src/github.com/gravitational/teleport"
+  - cd "/go/src/github.com/gravitational/teleport"
+  - git init
+  - git remote add origin ${DRONE_REMOTE_URL}
+  - git fetch origin --tags
+  - git checkout -qf "${DRONE_COMMIT_SHA}"
+  - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa &&
+    chmod 600 /root/.ssh/id_rsa
+  - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
+  - git submodule update --init e
+  - mkdir -pv /go/cache
+  - rm -f /root/.ssh/id_rsa
+  environment:
+    GITHUB_PRIVATE_KEY:
+      from_secret: GITHUB_PRIVATE_KEY
+- name: Delegate build to GitHub
+  image: golang:1.18-alpine
+  pull: if-not-exists
+  commands:
+  - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
+  - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+    -tag-workflow -timeout 2h30m0s -workflow promote-teleport-hardened-amis.yaml -workflow-ref=${DRONE_TAG}
+    -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input
+    "release-source-tag=${DRONE_TAG}" '
+  environment:
+    GHA_APP_KEY:
+      from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
+image_pull_secrets:
+- DOCKERHUB_CREDENTIALS
+
+---
+################################################
+# Generated using dronegen, do not edit by hand!
+# Use 'make dronegen' to update.
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
+################################################
+
 kind: pipeline
 type: kubernetes
 name: promote-teleport-kube-agent-updater-oci-images
@@ -8420,7 +8457,9 @@ clone:
 depends_on:
 - clean-up-previous-build
 - build-linux-amd64-deb
+- build-linux-amd64-fips-deb
 - build-linux-arm64-deb
+- build-linux-arm-deb
 steps:
 - name: Check out code
   image: docker:git
@@ -8462,6 +8501,68 @@ image_pull_secrets:
 # Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
 ################################################
 
+kind: pipeline
+type: kubernetes
+name: build-teleport-hardened-amis
+trigger:
+  event:
+    include:
+    - tag
+  ref:
+    include:
+    - refs/tags/v*
+  repo:
+    include:
+    - gravitational/*
+workspace:
+  path: /go
+clone:
+  disable: true
+depends_on:
+- clean-up-previous-build
+- build-linux-amd64-deb
+- build-linux-amd64-fips-deb
+steps:
+- name: Check out code
+  image: docker:git
+  pull: if-not-exists
+  commands:
+  - mkdir -pv "/go/src/github.com/gravitational/teleport"
+  - cd "/go/src/github.com/gravitational/teleport"
+  - git init
+  - git remote add origin ${DRONE_REMOTE_URL}
+  - git fetch origin --tags
+  - git checkout -qf "${DRONE_COMMIT_SHA}"
+  - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa &&
+    chmod 600 /root/.ssh/id_rsa
+  - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts
+  - git submodule update --init e
+  - mkdir -pv /go/cache
+  - rm -f /root/.ssh/id_rsa
+  environment:
+    GITHUB_PRIVATE_KEY:
+      from_secret: GITHUB_PRIVATE_KEY
+- name: Delegate build to GitHub
+  image: golang:1.18-alpine
+  pull: if-not-exists
+  commands:
+  - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling"
+  - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e
+    -tag-workflow -timeout 2h30m0s -workflow release-teleport-hardened-amis.yaml -workflow-ref=${DRONE_TAG}
+    -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} '
+  environment:
+    GHA_APP_KEY:
+      from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
+image_pull_secrets:
+- DOCKERHUB_CREDENTIALS
+
+---
+################################################
+# Generated using dronegen, do not edit by hand!
+# Use 'make dronegen' to update.
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline)
+################################################
+
 kind: pipeline
 type: kubernetes
 name: build-teleport-kube-agent-updater-oci-images
@@ -16996,6 +17097,7 @@ depends_on:
 - teleport-container-images-branch-promote
 - publish-os-package-repos
 - promote-teleport-oci-distroless-images
+- promote-teleport-hardened-amis
 - promote-teleport-kube-agent-updater-oci-images
 steps:
 - name: Check if commit is tagged
@@ -17106,6 +17208,6 @@ image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
 ---
 kind: signature
-hmac: c12537f0b20719e1d7b3247410ec676e00d60db9c892bdaf02b08f13b0c224d0
+hmac: d3185434ba38b96a9cbf435a59a3ab0d7e4d3ef6ef39a198164e0e2198f1286d
 
 ...
diff --git a/.github/ISSUE_TEMPLATE/webtestplan.md b/.github/ISSUE_TEMPLATE/webtestplan.md
@@ -572,8 +572,6 @@ Use Discover Wizard to enroll new resources and access them:
       - Run the program: `$ mc`
       - Resize Teleport Connect to see if the panels resize with it
    - [ ] Verify that the tab automatically closes on `$ exit` command.
-   - [ ] Execute `tsh ssh nonexistent-node` in the command bar. Verify that you see a new tab with an
-     error from tsh ssh.
 - Kubernetes access
    - [ ] Open a new kubernetes tab, run `echo $KUBECONFIG` and check if it points to the file within Connect's app data directory.
    - [ ] Close the tab and open it again (to the same resource). Verify if the kubeconfig path didn't change.
@@ -634,23 +632,24 @@ Use Discover Wizard to enroll new resources and access them:
    - [ ] Click "Add another cluster", provide an address to a new cluster and submit the form. Close
      the modal when asked for credentials. Verify that the cluster was still added and is visible in
      the profile selector.
-- Command bar & autocomplete
-   - Do the steps for the root cluster, then switch to a leaf cluster and repeat them.
-   - [ ] Verify that the autocomplete for tsh ssh filters SSH logins and autocompletes them.
-   - [ ] Verify that the autocomplete for tsh ssh filters SSH hosts by name and label and
-     autocompletes them.
-   - [ ] Verify that launching an invalid tsh ssh command shows the error in a new tab.
-   - [ ] Verify that launching a valid tsh ssh command opens a new tab with the session opened.
-   - [ ] Verify that the autocomplete for tsh proxy db filters databases by name and label and
-     autocompletes them.
-   - [ ] Verify that launching a tsh proxy db command opens a new local shell with the command
-     running.
-   - [ ] Verify that the autocomplete for tsh ssh doesn't break when you cut/paste commands in
-     various points.
-   - [ ] Verify that manually typing out what the autocomplete would suggest doesn't break the
-     command bar.
-   - [ ] Verify that launching any other command that's not supported by the autocomplete opens a
-     new local shell with that command running.
+- Search bar
+   - [ ] Verify that you can connect to all three resources types on root clusters and leaf
+     clusters.
+   - [ ] Verify that picking a resource filter and a cluster filter at the same time works as
+     expected.
+   - [ ] Verify that connecting to a resource from a different root cluster switches to the
+     workspace of that root cluster.
+   - Shut down a root cluster.
+      - [ ] Verify that attempting to search returns "Some of the search results are incomplete" in
+        the search bar.
+      - [ ] Verify that clicking "Show details" next to the error message and then closing the modal
+        by clicking one of the buttons or by pressing Escape does not close the search bar.
+   - Log in as a user with a short TTL. Make sure you're not logged in to any other cluster. Wait for
+     the cert to expire. Enter a search term that usually returns some results.
+      - [ ] Relogin when asked. Verify that the search bar is not collapsed and shows search
+        results.
+      - [ ] Close the login modal instead of logging in. Verify that the search bar is not collapsed
+        and shows "No matching results found".
 - Resilience when resources become unavailable
    - DocumentCluster
       - For each scenario, create at least one DocumentCluster tab for each available resource kind.
@@ -701,7 +700,8 @@ Use Discover Wizard to enroll new resources and access them:
       - [ ] Verify that closing the login modal without logging in shows an appropriate error.
    - Log in, create a db connection, then remove access to that db server for that user; wait for
      the cert to expire, then attempt to make a connection through the proxy; log in.
-      - [ ] Verify that the db tab shows an appropriate error.
+      - [ ] Verify that psql shows an appropriate access denied error ("access to db denied. User
+        does not have permissions. Confirm database user and name").
    - Log in, open a cluster tab, wait for the cert to expire. Switch from a servers view to
      databases view.
       - [ ] Verify that a login modal was shown.

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -11,8 +11,6 @@ updates:
       - dependency-name: github.com/gravitational/ttlmap
       # Breaks backwards compatibility
       - dependency-name: github.com/go-webauthn/webauthn
-      # TODO(greedy52): Update mongo-driver and fix API changes.
-      - dependency-name: go.mongodb.org/mongo-driver
       # Must be kept in-sync with libbpf
       - dependency-name: github.com/aquasecurity/libbpfgo
       # Forked/replaced dependencies