diff --git a/docs/config.json b/docs/config.json
index a1dcd9d6d2e63..28e1039b0a2b8 100644
--- a/docs/config.json
+++ b/docs/config.json
@@ -98,8 +98,7 @@
"entries": [
{
"title": "Getting Started",
- "slug": "/choose-an-edition/teleport-enterprise/getting-started/",
- "forScopes": ["enterprise"]
+ "slug": "/choose-an-edition/teleport-enterprise/getting-started/"
},
{
"title": "HSM",
@@ -126,7 +125,8 @@
"entries": [
{
"title": "Introduction",
- "slug": "/deploy-a-cluster/introduction/"
+ "slug": "/deploy-a-cluster/introduction/",
+ "forScopes": ["oss", "enterprise"]
},
{
"title": "High Availability Deployments",
@@ -259,12 +259,11 @@
{
"title": "Single Sign-On (SSO)",
"slug": "/access-controls/sso/",
- "forScopes": ["enterprise", "oss", "cloud"],
+ "forScopes": ["oss", "team", "enterprise", "cloud"],
"entries": [
{
"title": "GitHub SSO",
- "slug": "/access-controls/sso/github-sso/",
- "forScopes": ["enterprise", "cloud", "oss"]
+ "slug": "/access-controls/sso/github-sso/"
},
{
"title": "Azure Active Directory (AD)",
@@ -327,7 +326,8 @@
"entries": [
{
"title": "Role Requests",
- "slug": "/access-controls/access-requests/role-requests/"
+ "slug": "/access-controls/access-requests/role-requests/",
+ "forScopes": ["enterprise", "cloud"]
},
{
"title": "Resource Requests",
@@ -337,7 +337,7 @@
{
"title": "Role Requests in OSS Teleport",
"slug": "/access-controls/access-requests/oss-role-requests/",
- "forScopes": ["oss", "enterprise", "cloud"]
+ "forScopes": ["oss"]
}
]
},
@@ -441,8 +441,7 @@
},
{
"title": "Troubleshooting",
- "slug": "/management/admin/troubleshooting/",
- "forScopes": ["oss", "enterprise", "cloud"]
+ "slug": "/management/admin/troubleshooting/"
},
{
"title": "Upgrading the Teleport Binary",
@@ -454,7 +453,8 @@
},
{
"title": "Run Teleport with Self-Signed Certificates",
- "slug": "/management/admin/self-signed-certs/"
+ "slug": "/management/admin/self-signed-certs/",
+ "forScopes": ["oss", "enterprise"]
},
{
"title": "Uninstall Teleport",
@@ -477,8 +477,7 @@
},
{
"title": "Backup and Restore",
- "slug": "/management/operations/backup-restore/",
- "forScopes": ["oss", "enterprise"]
+ "slug": "/management/operations/backup-restore/"
},
{
"title": "Cert Authority Rotation",
@@ -509,10 +508,12 @@
{
"title": "Integrations",
"slug": "/management/guides/",
+ "forScopes":["oss","enterprise","cloud","team"],
"entries": [
{
"title": "Kubernetes Operator (Preview)",
- "slug": "/management/guides/teleport-operator/"
+ "slug": "/management/guides/teleport-operator/",
+ "forScopes": ["enterprise","oss"]
},
{
"title": "Terraform Provider",
@@ -573,18 +574,15 @@
"entries": [
{
"title": "Exporting Audit Events to Fluentd",
- "slug": "/management/export-audit-events/fluentd/",
- "forScopes": ["enterprise", "cloud"]
+ "slug": "/management/export-audit-events/fluentd/"
},
{
"title": "Monitoring Audit Events with the Elastic Stack",
- "slug": "/management/export-audit-events/elastic-stack/",
- "forScopes": ["enterprise", "cloud"]
+ "slug": "/management/export-audit-events/elastic-stack/"
},
{
"title": "Monitoring Audit Events with Splunk",
- "slug": "/management/export-audit-events/splunk/",
- "forScopes": ["enterprise", "cloud"]
+ "slug": "/management/export-audit-events/splunk/"
}
]
}
@@ -1112,7 +1110,8 @@
},
{
"title": "How to Build an Access Request Plugin",
- "slug": "/api/access-plugin/"
+ "slug": "/api/access-plugin/",
+ "forScopes": ["enterprise", "cloud"]
},
{
"title": "Automatically Register Teleport Agents",
@@ -1189,7 +1188,11 @@
"entries": [
{
"title": "teleport-cluster",
- "slug": "/reference/helm-reference/teleport-cluster/"
+ "slug": "/reference/helm-reference/teleport-cluster/",
+ "forScopes": [
+ "oss",
+ "enterprise"
+ ]
},
{
"title": "teleport-kube-agent",
diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-discord.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-discord.mdx
index 3ac2f995f84eb..8a890396ae522 100644
--- a/docs/pages/access-controls/access-request-plugins/ssh-approval-discord.mdx
+++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-discord.mdx
@@ -287,7 +287,7 @@ Once Teleport is running, you've created the Discord app, and the plugin is
configured, you can now run the plugin and test the workflow.
-
+
Start the plugin:
```code
@@ -302,7 +302,7 @@ INFO Starting Teleport Access Discord Plugin 7.2.1: discord/app.go:80
INFO Plugin is ready discord/app.go:101
```
-
+
Install the plugin:
```code
diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-email.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-email.mdx
index 7433df840a71d..c84bf2776a7d7 100644
--- a/docs/pages/access-controls/access-request-plugins/ssh-approval-email.mdx
+++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-email.mdx
@@ -38,20 +38,23 @@ in your Teleport cluster.
## Step 2/7. Install the Teleport email plugin
-
+In this step, you will install the Teleport email plugin.
+
+
+
We recommend installing Teleport plugins on the same host as the Teleport Proxy
Service. This is an ideal location as plugins have a low memory footprint, and
will require both public internet access and Teleport Auth Service access.
-
-
-
+
+
Install the Teleport email plugin on a host that can access both your
Teleport Cloud tenant and your SMTP service.
-
+
+
diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx
index 3fb5052cdde05..06af1308c9ae9 100644
--- a/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx
+++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-mattermost.mdx
@@ -153,7 +153,7 @@ Edit the configuration as explained below:
### `[mattermost]`
-
+
**`url`**: Include the scheme (`https://`) and fully qualified domain name of
your Mattermost deployment.
@@ -184,7 +184,7 @@ recipients = [
```
-
+
**`url`**: Include the scheme (`https://`) and fully qualified domain name of
your Mattermost deployment.
@@ -277,7 +277,7 @@ severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN"
-
+
After modifying your configuration, run the bot with the following command:
```code
@@ -296,7 +296,7 @@ DEBU Watcher connected mattermost/main.go:260
DEBU Mattermost API health check finished ok mattermost/main.go:19
```
-
+
After modifying your configuration, run the bot with the following command:
```code
diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx
index 2aa9d8bd6d87b..120c28ba88f7c 100644
--- a/docs/pages/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx
+++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx
@@ -32,20 +32,21 @@ PagerDuty.
- Either a Linux host or Kubernetes cluster where you will run the PagerDuty plugin.
-
+
+
We recommend installing Teleport plugins on the same host as the Teleport Proxy
Service. This is an ideal location as plugins have a low memory footprint, and
will require both public internet access and Teleport Auth Service access.
-
-
-
+
+
Install the Teleport PagerDuty plugin on a host that can access both your
Teleport Cloud tenant and PagerDuty.
-
+
+
(!docs/pages/includes/tctl.mdx!)
@@ -522,7 +523,7 @@ The final configuration should resemble the following:
## Step 7/8. Test the PagerDuty plugin
-
+
After you configure the PagerDuty plugin, run the following command to start it.
The `-d` flag will provide debug information to ensure that the plugin can
connect to PagerDuty and your Teleport cluster:
@@ -540,7 +541,7 @@ $ teleport-pagerduty start -d
# DEBU Setting up the webhook extensions pagerduty/main.go:178
```
-
+
After modifying your configuration, run the bot with the following command:
```code
@@ -599,7 +600,7 @@ should still check the Teleport audit log to ensure that the right users are
reviewing the right requests.
When auditing Access Request reviews, check for events with the type `Access
-Request Reviewed` in the Teleport Web UI and `access_request.review` if reviewing the audit log on the
Auth Service host.
diff --git a/docs/pages/access-controls/access-request-plugins/ssh-approval-slack.mdx b/docs/pages/access-controls/access-request-plugins/ssh-approval-slack.mdx
index f3552feb21feb..412f79a6f7726 100644
--- a/docs/pages/access-controls/access-request-plugins/ssh-approval-slack.mdx
+++ b/docs/pages/access-controls/access-request-plugins/ssh-approval-slack.mdx
@@ -339,7 +339,7 @@ Once Teleport is running, you've created the Slack app, and the plugin is
configured, you can now run the plugin and test the workflow.
-
+
Start the plugin:
```code
@@ -354,7 +354,7 @@ INFO Starting Teleport Access Slack Plugin 7.2.1: slack/app.go:80
INFO Plugin is ready slack/app.go:101
```
-
+
Install the plugin:
```code
diff --git a/docs/pages/access-controls/access-requests/role-requests.mdx b/docs/pages/access-controls/access-requests/role-requests.mdx
index bbb0311dadb5f..172e65c75ff61 100644
--- a/docs/pages/access-controls/access-requests/role-requests.mdx
+++ b/docs/pages/access-controls/access-requests/role-requests.mdx
@@ -10,7 +10,7 @@ via ChatOps or anywhere else via our flexible Authorization Workflow API.
## Prerequisites
-(!docs/pages/includes/edition-prereqs-tabs.mdx!)
+(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
(!docs/pages/includes/tctl.mdx!)
diff --git a/docs/pages/access-controls/compliance-frameworks/soc2.mdx b/docs/pages/access-controls/compliance-frameworks/soc2.mdx
index 9f9d116f5003d..76c15c1012511 100644
--- a/docs/pages/access-controls/compliance-frameworks/soc2.mdx
+++ b/docs/pages/access-controls/compliance-frameworks/soc2.mdx
@@ -7,13 +7,12 @@ h1: SOC 2 Compliance for SSH, Kubernetes, Databases, Desktops, and Web Apps
Teleport is designed to meet SOC 2 requirements for the purposes of accessing infrastructure, change management, and system operations. This document outlines a high
level overview of how Teleport can be used to help your company to become SOC 2 compliant.
-
+
- This guide requires Teleport Cloud or Teleport Enterprise.
+ SOC 2 compliance features are only available for Teleport Enterprise and
+ Teleport Enterprise Cloud.
-
+
## Achieving SOC 2 Compliance with Teleport
SOC 2 or Service Organization Controls were developed by the American Institute of CPAs (AICPA). They are based on five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.
diff --git a/docs/pages/access-controls/guides/dual-authz.mdx b/docs/pages/access-controls/guides/dual-authz.mdx
index 52d97461d5759..708972611ef13 100644
--- a/docs/pages/access-controls/guides/dual-authz.mdx
+++ b/docs/pages/access-controls/guides/dual-authz.mdx
@@ -10,20 +10,19 @@ Here are the most common scenarios:
- Improve the security of your system and prevent one successful phishing attack from compromising your system.
- Satisfy FedRAMP AC-3 Dual authorization control that requires approval of two authorized individuals.
-In this guide, we will set up Teleport's Just-in-Time Access Requests to require the approval
-of two team members for a privileged role `dbadmin`.
+In this guide, we will set up Teleport's Just-in-Time Access Requests to require
+the approval of two team members for a privileged role `dbadmin`.
-
+The steps below describe how to use Teleport with Mattermost. You can also
+[integrate with many other providers](../access-requests.mdx).
- This guide requires a commercial edition of Teleport. The open source
- edition of Teleport only supports [GitHub](../../access-controls/sso/github-sso.mdx) as
- an SSO provider.
+
-
+This guide requires a commercial edition of Teleport. The open source edition of
+Teleport only supports [GitHub](../../access-controls/sso/github-sso.mdx) as an
+SSO provider.
-
- The steps below describe how to use Teleport with Mattermost. You can also [integrate with many other providers](../access-requests.mdx).
-
+
## Prerequisites
@@ -212,7 +211,7 @@ Bob can also assume granted Access Request roles using Web UI:
{/* TODO: This H2 will show up in the table of contents when this section is invisible.
We need a way to hide invisible H2s from the TOC. */}
-
+
## Troubleshooting
diff --git a/docs/pages/access-controls/guides/hardware-key-support.mdx b/docs/pages/access-controls/guides/hardware-key-support.mdx
index 72b3b9ba74a16..bc7147d887cd3 100644
--- a/docs/pages/access-controls/guides/hardware-key-support.mdx
+++ b/docs/pages/access-controls/guides/hardware-key-support.mdx
@@ -54,7 +54,7 @@ Additionally, this feature can be configured to require touch for every Teleport
## Prerequisites
-(!docs/pages/includes/edition-prereqs-tabs.mdx!)
+(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
- A series 5+ YubiKey
diff --git a/docs/pages/access-controls/guides/moderated-sessions.mdx b/docs/pages/access-controls/guides/moderated-sessions.mdx
index 01931a24fec2b..fdfe507380152 100644
--- a/docs/pages/access-controls/guides/moderated-sessions.mdx
+++ b/docs/pages/access-controls/guides/moderated-sessions.mdx
@@ -15,11 +15,11 @@ the session, and terminate the session at will.
In addition, Teleport administrators can [define rules](#join_sessions) that allow users to join each other's
sessions from `tsh` and the Web UI.
-
+
- Moderated Sessions requires Teleport Enterprise or Teleport Cloud.
+ Moderated Sessions requires Teleport Enterprise or Teleport Enterprise Cloud.
-
+
### Use cases
diff --git a/docs/pages/access-controls/guides/webauthn.mdx b/docs/pages/access-controls/guides/webauthn.mdx
index 6b4c1fa0d112c..e5bcfa7f8de6f 100644
--- a/docs/pages/access-controls/guides/webauthn.mdx
+++ b/docs/pages/access-controls/guides/webauthn.mdx
@@ -29,7 +29,7 @@ WebAuthn is disabled by default. To enable WebAuthn support, update your
Teleport configuration as below:
-
+
Edit the `cluster_auth_preference` resource:
diff --git a/docs/pages/access-controls/sso.mdx b/docs/pages/access-controls/sso.mdx
index 7b1e8fd30de4c..5aa642f27fd6d 100644
--- a/docs/pages/access-controls/sso.mdx
+++ b/docs/pages/access-controls/sso.mdx
@@ -242,7 +242,7 @@ scope={["enterprise"]}>either modify your Auth Service configuration file
or create a `cluster_auth_preference` resource.
-
+
Update `/etc/teleport.yaml` in the `auth_service` section and restart the `teleport` daemon.
```yaml
auth_service:
@@ -253,7 +253,7 @@ or create a `cluster_auth_preference` resource.
(!docs/pages/includes/sso/idp-initiated.mdx!)
-
+
Create a file called `cap.yaml`:
```yaml
kind: cluster_auth_preference
diff --git a/docs/pages/access-controls/sso/google-workspace.mdx b/docs/pages/access-controls/sso/google-workspace.mdx
index 6eb98480b0824..b0727abfbb1b3 100644
--- a/docs/pages/access-controls/sso/google-workspace.mdx
+++ b/docs/pages/access-controls/sso/google-workspace.mdx
@@ -218,13 +218,13 @@ Configure [domain-wide
Create the following OIDC connector [resource spec](../../reference/resources.mdx) as `gworkspace-connector.yaml`. We will explain how to choose values for fields within the resource spec below.
-
+
```yaml
(!examples/resources/gworkspace-connector.yaml!)
```
-
+
```yaml
(!examples/resources/gworkspace-connector-inline.yaml!)
```
diff --git a/docs/pages/architecture/proxy-peering.mdx b/docs/pages/architecture/proxy-peering.mdx
index 974a7b2bbe4f5..25f307f6a314e 100644
--- a/docs/pages/architecture/proxy-peering.mdx
+++ b/docs/pages/architecture/proxy-peering.mdx
@@ -6,8 +6,6 @@ description: How Teleport implements more efficient networking with Proxy Peerin
Proxy Peering is available in Preview starting from Teleport `10.0`.
diff --git a/docs/pages/choose-an-edition/teleport-enterprise/gcp-kms.mdx b/docs/pages/choose-an-edition/teleport-enterprise/gcp-kms.mdx
index d0099c079bb9f..90fa5eb7e84c6 100644
--- a/docs/pages/choose-an-edition/teleport-enterprise/gcp-kms.mdx
+++ b/docs/pages/choose-an-edition/teleport-enterprise/gcp-kms.mdx
@@ -26,11 +26,7 @@ only ever exists in KMS when this feature is enabled.
Read on to [migrating an existing cluster](#migrating-an-existing-cluster) to
learn more.
-
-
-This guide is intended for self-hosted Teleport Enterprise users.
-
-
+(!docs/pages/includes/cloud/call-to-action.mdx!)
## Prerequisites
diff --git a/docs/pages/connect-your-client/gui-clients.mdx b/docs/pages/connect-your-client/gui-clients.mdx
index 0da99220be40d..a04a14143451b 100644
--- a/docs/pages/connect-your-client/gui-clients.mdx
+++ b/docs/pages/connect-your-client/gui-clients.mdx
@@ -43,10 +43,10 @@ Ensure that your environment includes the following:
```
-
+
-- A Teleport Cloud account. If you do not have one, visit the
+- A Teleport Team or Enterprise Cloud account. If you do not have one, visit the
[sign up page](https://goteleport.com/signup/) to begin your free trial.
- The `tsh` client tool version >= (=cloud.version=). To download these tools,
diff --git a/docs/pages/contributing/documentation/reference.mdx b/docs/pages/contributing/documentation/reference.mdx
index f0659ccc53819..43f8026d06f1b 100644
--- a/docs/pages/contributing/documentation/reference.mdx
+++ b/docs/pages/contributing/documentation/reference.mdx
@@ -573,7 +573,7 @@ Here is the result:
Enterprise.
-
+
Here are instructions for Teleport Cloud users.
diff --git a/docs/pages/database-access/faq.mdx b/docs/pages/database-access/faq.mdx
index 2a03b94a346eb..7f1fa64bec29f 100644
--- a/docs/pages/database-access/faq.mdx
+++ b/docs/pages/database-access/faq.mdx
@@ -52,10 +52,10 @@ This is useful when the Teleport Web UI is running behind an L7 load balancer
on a plain TCP load balancer (e.g. NLB in AWS).
-
+
-In Teleport Cloud, the Proxy Service uses the following ports for
-Database Service client traffic:
+In Teleport Team and Teleport Enterprise Cloud, the Proxy Service uses the
+following ports for Database Service client traffic:
|Configuration setting|Port|
|---|---|
diff --git a/docs/pages/database-access/guides/mongodb-atlas.mdx b/docs/pages/database-access/guides/mongodb-atlas.mdx
index c99be4e0c9c5f..aa98e01ad297e 100644
--- a/docs/pages/database-access/guides/mongodb-atlas.mdx
+++ b/docs/pages/database-access/guides/mongodb-atlas.mdx
@@ -248,7 +248,7 @@ $ tsh db ls
```
-
+
```code
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
diff --git a/docs/pages/database-access/guides/redis-aws.mdx b/docs/pages/database-access/guides/redis-aws.mdx
index 8ad2e6a23f734..12fc3b5518314 100644
--- a/docs/pages/database-access/guides/redis-aws.mdx
+++ b/docs/pages/database-access/guides/redis-aws.mdx
@@ -12,7 +12,7 @@ This guide will help you to:

-
+

diff --git a/docs/pages/database-access/guides/redis-cluster.mdx b/docs/pages/database-access/guides/redis-cluster.mdx
index 0f4ff89a1a247..bd0eea2e6b41c 100644
--- a/docs/pages/database-access/guides/redis-cluster.mdx
+++ b/docs/pages/database-access/guides/redis-cluster.mdx
@@ -24,7 +24,7 @@ This guide will help you to:

-
+

diff --git a/docs/pages/database-access/guides/redis.mdx b/docs/pages/database-access/guides/redis.mdx
index db174bd7b4a67..c4575e78c5305 100644
--- a/docs/pages/database-access/guides/redis.mdx
+++ b/docs/pages/database-access/guides/redis.mdx
@@ -24,7 +24,7 @@ This guide will help you to:

-
+

diff --git a/docs/pages/database-access/guides/snowflake.mdx b/docs/pages/database-access/guides/snowflake.mdx
index 05cc07a01ae32..3dd72c5359021 100644
--- a/docs/pages/database-access/guides/snowflake.mdx
+++ b/docs/pages/database-access/guides/snowflake.mdx
@@ -118,7 +118,7 @@ Log in to your Teleport cluster and see the available databases:
# example-snowflake Example Snowflake ❄ env=dev
```
-
+
```code
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
diff --git a/docs/pages/database-access/reference/configuration.mdx b/docs/pages/database-access/reference/configuration.mdx
index c600280998b50..739cd4b234032 100644
--- a/docs/pages/database-access/reference/configuration.mdx
+++ b/docs/pages/database-access/reference/configuration.mdx
@@ -54,12 +54,12 @@ proxy_service:
```
-
+
-Teleport Cloud automatically configures the Teleport Proxy Service with the
-following settings that are relevant to database access. This reference
-configuration uses `mytenant.teleport.sh` in place of your Teleport Cloud tenant
-address.
+Teleport Team and Teleport Enterprise Cloud automatically configure the Teleport
+Proxy Service with the following settings that are relevant to database access.
+This reference configuration uses `mytenant.teleport.sh` in place of your
+Teleport Team/Enterprise Cloud tenant address.
```yaml
proxy_service:
diff --git a/docs/pages/deploy-a-cluster/deployments/gcp.mdx b/docs/pages/deploy-a-cluster/deployments/gcp.mdx
index 8d16c1d9a09bf..0002ee689144d 100644
--- a/docs/pages/deploy-a-cluster/deployments/gcp.mdx
+++ b/docs/pages/deploy-a-cluster/deployments/gcp.mdx
@@ -3,16 +3,10 @@ title: Running Teleport on GCP
description: How to install and configure Teleport on GCP
---
-We've created this guide to give customers an overview of how to use Teleport on
-[Google Cloud](https://cloud.google.com/gcp/) (GCP). This guide provides a
-high-level introduction to setting up and running Teleport in production.
-
-
-
-This guide shows you how to deploy the Auth Service and Proxy Service, which
-Teleport Cloud manages for you.
-
-
+We've created this guide to give customers an overview of how to deploy a
+self-hosted Teleport cluster on [Google Cloud](https://cloud.google.com/gcp/)
+(GCP). This guide provides a high-level introduction to setting up and running
+Teleport in production.
We have split this guide into:
@@ -225,7 +219,7 @@ Follow install instructions from our [installation page](../../installation.mdx#
We recommend configuring Teleport as per the below steps:
-
+
**1. Configure Teleport Auth Server** using the below example `teleport.yaml`, and start it
using [systemd](../../management/admin/daemon.mdx). The DEB/RPM installations will
automatically include the `systemd` configuration.
diff --git a/docs/pages/deploy-a-cluster/deployments/ibm.mdx b/docs/pages/deploy-a-cluster/deployments/ibm.mdx
index 6f9e8e4665e8f..3c894a8b2b005 100644
--- a/docs/pages/deploy-a-cluster/deployments/ibm.mdx
+++ b/docs/pages/deploy-a-cluster/deployments/ibm.mdx
@@ -7,13 +7,6 @@ We've created this guide to give customers an overview of how to use Teleport on
[IBM Cloud](https://www.ibm.com/cloud). This guide provides a high-level
introduction to setting up and running Teleport in production.
-
-
-This guide shows you how to deploy the Auth Service and Proxy Service, which
-Teleport Cloud manages for you.
-
-
-
We have split this guide into:
- [Teleport on IBM FAQ](#teleport-on-ibm-cloud-faq)
diff --git a/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx b/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
index 30b83e8a13fb9..9d7af85cb0d92 100644
--- a/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
+++ b/docs/pages/deploy-a-cluster/helm-deployments/aws.mdx
@@ -6,11 +6,11 @@ description: Install and configure an HA Teleport cluster using an AWS EKS clust
In this guide, we'll go through how to set up a High Availability Teleport cluster with multiple replicas in Kubernetes
using Teleport Helm charts and AWS products (DynamoDB and S3).
-
+
(!docs/pages/kubernetes-access/helm/includes/teleport-cluster-cloud-warning.mdx!)
-
+
(!docs/pages/includes/cloud/call-to-action.mdx!)
@@ -347,7 +347,7 @@ $ kubectl -n teleport create secret generic license --from-file=license.pem
Next, configure the `teleport-cluster` Helm chart to use the `aws` mode. Create
a file called `aws-values.yaml` and write the values you've chosen above to it:
-
+
@@ -678,4 +678,3 @@ Teleport cluster.
See the [high availability section of our Helm chart reference](../../reference/helm-reference/teleport-cluster.mdx#highavailability) for more details on high availability.
Read the [`cert-manager` documentation](https://cert-manager.io/docs/).
-
diff --git a/docs/pages/deploy-a-cluster/helm-deployments/digitalocean.mdx b/docs/pages/deploy-a-cluster/helm-deployments/digitalocean.mdx
index 568b68f2daa33..a17cadb1f9f08 100644
--- a/docs/pages/deploy-a-cluster/helm-deployments/digitalocean.mdx
+++ b/docs/pages/deploy-a-cluster/helm-deployments/digitalocean.mdx
@@ -3,24 +3,8 @@ title: Get started with Teleport on DigitalOcean Kubernetes
description: How to get started with Teleport on DigitalOcean Kubernetes
---
-
-
-This guide shows you how to deploy the Teleport Auth Service and Proxy Service
-on a DigitalOcean Kubernetes cluster. These services are fully managed in
-Teleport Cloud.
-
-Instead, Teleport Cloud users should consult the following guide, which shows
-you how to connect a Teleport Kubernetes Service instance to an existing Teleport
-cluster:
-
-- [Connect a Kubernetes Cluster to
- Teleport](../../kubernetes-access/getting-started.mdx):
-
-
-
-
-This guide will show you how to get started with Teleport on DigitalOcean
-Kubernetes.
+This guide will show you how to get started with a self-hosted Teleport cluster
+on DigitalOcean Kubernetes.
(!docs/pages/includes/cloud/call-to-action.mdx!)
diff --git a/docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx b/docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx
index e50bd7ffb7a62..19422066a40dd 100644
--- a/docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx
+++ b/docs/pages/deploy-a-cluster/helm-deployments/gcp.mdx
@@ -6,12 +6,6 @@ description: Install and configure an HA Teleport cluster using a Google Cloud G
In this guide, we'll go through how to set up a High Availability Teleport cluster with multiple replicas in Kubernetes
using Teleport Helm charts and Google Cloud Platform products (Firestore and Google Cloud Storage).
-
-
-(!docs/pages/kubernetes-access/helm/includes/teleport-cluster-cloud-warning.mdx!)
-
-
-
(!docs/pages/includes/cloud/call-to-action.mdx!)
## Prerequisites
@@ -302,7 +296,7 @@ Next, configure the `teleport-cluster` Helm chart to use the `gcp` mode. Create
file called `gcp-values.yaml` file and write the values you've chosen above to
it:
-
+
```yaml
chartMode: gcp
diff --git a/docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx b/docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx
index 014fc47dba784..a76f01c8487ac 100644
--- a/docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx
+++ b/docs/pages/deploy-a-cluster/helm-deployments/kubernetes-cluster.mdx
@@ -3,20 +3,13 @@ title: Getting Started - Kubernetes with SSO
description: Getting started with Teleport. Let's deploy Teleport in a Kubernetes with SSO and Audit logs
---
-
-This guide shows you how to deploy the Teleport Auth Service and Proxy Service on a Kubernetes cluster. These services are fully managed in Teleport Cloud.
-
-Instead, Teleport Cloud users should consult the following guide, which shows you how to connect a Teleport Kubernetes Service instance to an existing Teleport cluster:
-
-
-
Teleport can provide secure, unified access to your Kubernetes clusters. This guide will show you how to:
-- Deploy Teleport Enterprise in a Kubernetes cluster.
+- Deploy a self-hosted Teleport Enterprise cluster in a Kubernetes cluster.
-
-- Deploy Teleport in a Kubernetes cluster.
+
+- Deploy a self-hosted Teleport cluster in a Kubernetes cluster.
- Set up Single Sign-On (SSO) for authentication to your Teleport cluster.
@@ -58,7 +51,7 @@ Let's start with a Teleport deployment using a persistent volume as a backend. M
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
-
+
```code
$ CLUSTER_NAME="tele.example.com"
$ EMAIL="mail@example.com"
@@ -107,7 +100,7 @@ Teleport's Helm chart uses an [external load balancer](https://kubernetes.io/doc
to create a public IP for Teleport.
-
+
```code
# Set kubectl context to the namespace to save some typing
$ kubectl config set-context --current --namespace=teleport-cluster
@@ -207,7 +200,7 @@ Let's install `tsh` and `tctl` on Linux.
For other install options, check out the [installation guide](../../installation.mdx)
-
+
```code
$ curl -L -O https://get.gravitational.com/teleport-v(=teleport.version=)-linux-amd64-bin.tar.gz
$ tar -xzf teleport-v(=teleport.version=)-linux-amd64-bin.tar.gz
@@ -256,7 +249,7 @@ $ KUBECONFIG=${HOME?}/teleport.yaml kubectl get -n teleport-cluster pods
In this step, we will set up the GitHub Single Sign-On connector for the OSS version of Teleport and Okta for the Enterprise version.
-
+
Save the file below as `github.yaml` and update the fields. You will need to set up the
[GitHub OAuth 2.0 Connector](https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/) app.
Any member with the team `admin` in the organization `octocats` will be able to assume a builtin role `access`.
@@ -310,7 +303,7 @@ In this step, we will set up the GitHub Single Sign-On connector for the OSS ver
To create a connector, we are going to run Teleport's admin tool `tctl` from the pod.
-
+
```code
$ kubectl config set-context --current --namespace=teleport-cluster
$ POD=$(kubectl get po -l app=teleport-cluster -o jsonpath='{.items[0].metadata.name}')
@@ -335,7 +328,7 @@ Try `tsh login` with a GitHub user. This example uses a custom `KUBECONFIG` to p
the default one in case there is a problem.
-
+
```code
$ KUBECONFIG=${HOME?}/teleport.yaml tsh login --proxy=tele.example.com --auth=github
```
diff --git a/docs/pages/deploy-a-cluster/helm-deployments/migration.mdx b/docs/pages/deploy-a-cluster/helm-deployments/migration.mdx
index b72220cbb287a..5274be04608c6 100644
--- a/docs/pages/deploy-a-cluster/helm-deployments/migration.mdx
+++ b/docs/pages/deploy-a-cluster/helm-deployments/migration.mdx
@@ -13,13 +13,13 @@ to use the newer `teleport-cluster` Helm chart instead.
consider [following a different guide](../helm-deployments.mdx) and storing your cluster's data in AWS DynamoDB or Google Cloud Firestore.
-
+
(!docs/pages/kubernetes-access/helm/includes/teleport-cluster-cloud-warning.mdx!)
You can also view this guide as a user of another Teleport edition:
-
+
## Prerequisites
diff --git a/docs/pages/desktop-access/manual-setup.mdx b/docs/pages/desktop-access/manual-setup.mdx
index f68bdc21e0361..e5540181a59df 100644
--- a/docs/pages/desktop-access/manual-setup.mdx
+++ b/docs/pages/desktop-access/manual-setup.mdx
@@ -523,10 +523,11 @@ ssh_service:
enabled: no
```
-
-For Teleport Cloud, Windows Desktop Service should establish a reverse tunnel to
-the hosted proxy. This requires setting `proxy_server` to your cloud tenant and
-providing a join token.
+
+
+For Teleport Team and Teleport Enterprise Cloud, the Windows Desktop Service
+should establish a reverse tunnel to the hosted Teleport Proxy Service. This
+requires setting `proxy_server` to your cloud tenant and providing a join token.
First, generate a join token with the following command:
diff --git a/docs/pages/includes/cloud/call-to-action.mdx b/docs/pages/includes/cloud/call-to-action.mdx
index 6ce7e6b538f18..4a038d7c09ccb 100644
--- a/docs/pages/includes/cloud/call-to-action.mdx
+++ b/docs/pages/includes/cloud/call-to-action.mdx
@@ -1,6 +1,5 @@
Teleport Cloud takes care of this setup for you so you can provide secure access
diff --git a/docs/pages/includes/database-access/db-configure-start.mdx b/docs/pages/includes/database-access/db-configure-start.mdx
index de490acba732a..4f026904a1c62 100644
--- a/docs/pages/includes/database-access/db-configure-start.mdx
+++ b/docs/pages/includes/database-access/db-configure-start.mdx
@@ -1,6 +1,4 @@
{{ dbName="test" }}
-
-
On the host where you will run the Teleport Database Service, start Teleport
with the appropriate configuration.
@@ -12,7 +10,8 @@ your terminal, and manually adjust `/etc/teleport.yaml`.
Generate a configuration file at `/etc/teleport.yaml` for the Database Service:
-
+
+
```code
$ teleport db configure create \
@@ -25,8 +24,8 @@ $ teleport db configure create \
--labels=env=dev
```
-
-
+
+
```code
$ teleport db configure create \
@@ -39,84 +38,7 @@ $ teleport db configure create \
--labels=env=dev
```
-
-
-Configure the Database Service to start automatically when the host boots up by
-creating a systemd service for it. The instructions depend on how you installed
-the Database Service.
-
-
-
-
-On the host where you will run {{ service }}, start Teleport:
-
-```code
-$ sudo systemctl enable teleport
-$ sudo systemctl start teleport
-```
-
-
-
-
-On the host where you will run {{ service }}, create a systemd service
-configuration for Teleport, enable the Teleport service, and start Teleport:
-
-```code
-$ sudo teleport install systemd -o /etc/systemd/system/teleport.service
-$ sudo systemctl enable teleport
-$ sudo systemctl start teleport
-```
-
-
-
-
-You can start the Teleport Database Service without configuration file using a
-CLI command:
-
-
-
-```code
-$ teleport db start \
- --token=/tmp/token \
- --auth-server=teleport.example.com:443 \
- --name={{ dbName }} \
- --protocol={{ dbProtocol }} \
- --uri={{ databaseAddress }} \
- --labels=env=dev
-```
-
-Note that the `--auth-server` flag must point to the Teleport cluster's Proxy
-Service endpoint because the Database Service always connects back to the
-cluster over a reverse tunnel.
-
-
-
-
-```code
-$ teleport db start \
- --token=/tmp/token \
- --auth-server=mytenant.teleport.sh:443 \
- --name={{ dbName }} \
- --protocol={{ dbProtocol }} \
- --uri={{ databaseAddress }} \
- --labels=env=dev
-```
-
-Note that the `--auth-server` flag must point to your Teleport Cloud tenant
-address.
-
-
-
-
-
-
-
-
-The `--auth-server` flag must point to the Teleport cluster's Proxy Service
-endpoint because the Database Service always connects back to the cluster over a
-reverse tunnel.
-
-
+(!docs/pages/includes/start-teleport.mdx service="the Teleport Database Service"!)
diff --git a/docs/pages/includes/database-access/db-helm-install.mdx b/docs/pages/includes/database-access/db-helm-install.mdx
index 101973bb0a461..4a838889b1614 100644
--- a/docs/pages/includes/database-access/db-helm-install.mdx
+++ b/docs/pages/includes/database-access/db-helm-install.mdx
@@ -1,5 +1,6 @@
{{ dbName="test" }}
-
+
+
Install the Teleport Kube Agent into your Kubernetes Cluster
with the Teleport Database Service configuration.
@@ -18,8 +19,8 @@ $ helm install teleport-kube-agent teleport/teleport-kube-agent \
--version (=teleport.version=)
```
-
-
+
+
Install the Teleport Kube Agent into your Kubernetes Cluster
with the Teleport Database Service configuration.
@@ -38,4 +39,5 @@ $ helm install teleport-kube-agent teleport/teleport-kube-agent \
--version (=cloud.version=)
```
-
+
+
diff --git a/docs/pages/includes/database-access/redis-connect.mdx b/docs/pages/includes/database-access/redis-connect.mdx
index b8808b3a7c728..e0533b764f236 100644
--- a/docs/pages/includes/database-access/redis-connect.mdx
+++ b/docs/pages/includes/database-access/redis-connect.mdx
@@ -10,7 +10,7 @@ Log into your Teleport cluster and see available databases:
# example-redis Example Redis env=dev
```
-
+
```code
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
diff --git a/docs/pages/includes/edition-prereqs-tabs.mdx b/docs/pages/includes/edition-prereqs-tabs.mdx
index 3bdd279dbe449..fe9d54219a2e8 100644
--- a/docs/pages/includes/edition-prereqs-tabs.mdx
+++ b/docs/pages/includes/edition-prereqs-tabs.mdx
@@ -1,5 +1,23 @@
-
+
+
+- A Teleport Team account. If you do not have one, visit the [signup
+ page](https://goteleport.com/signup/) to begin your free trial.
+
+- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=).
+
+ ```code
+ $ tctl version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+
+ $ tsh version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+ ```
+
+ See [Installation](../installation.mdx) for details.
+
+
+
- A running Teleport cluster. For details on how to set this up, see our
[Getting Started](../try-out-teleport/linux-server.mdx) guide.
@@ -18,7 +36,7 @@
+ scope={["enterprise"]} label="Teleport Enterprise">
- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise
[Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide.
@@ -36,7 +54,7 @@
+ label="Teleport Enterprise Cloud">
- A Teleport Cloud account. If you do not have one, visit the
[sign up page](https://goteleport.com/signup/) to begin your free trial.
diff --git a/docs/pages/includes/enterprise/oidcauthentication.mdx b/docs/pages/includes/enterprise/oidcauthentication.mdx
index ddfb8277de76a..ffe640a6c868c 100644
--- a/docs/pages/includes/enterprise/oidcauthentication.mdx
+++ b/docs/pages/includes/enterprise/oidcauthentication.mdx
@@ -1,7 +1,7 @@
Configure Teleport to use OIDC authentication as the default instead of the local
user database.
-
+
You can either edit your Teleport configuration file or create a dynamic
resource.
diff --git a/docs/pages/includes/enterprise/samlauthentication.mdx b/docs/pages/includes/enterprise/samlauthentication.mdx
index b9b8fbb8b247a..0cb1d0f3d4b2b 100644
--- a/docs/pages/includes/enterprise/samlauthentication.mdx
+++ b/docs/pages/includes/enterprise/samlauthentication.mdx
@@ -2,11 +2,6 @@
- Configure Teleport to use SAML authentication as the default instead of the local
user database.
-
- You can either edit the Teleport Auth Service configuration file or create a dynamic
- resource.
-
-
diff --git a/docs/pages/includes/install-linux.mdx b/docs/pages/includes/install-linux.mdx
index eca190a4f8bbe..db7154ac892b3 100644
--- a/docs/pages/includes/install-linux.mdx
+++ b/docs/pages/includes/install-linux.mdx
@@ -14,9 +14,26 @@ and select the URL for your package of choice.
Next, use the appropriate commands for your environment to install your package.
+
+
+ ```code
+ $ curl https://goteleport.com/static/install.sh | bash -s (=cloud.version=)
+ ```
+
+
+
+ Before installing a `teleport` binary with a version besides
+ v(=cloud.major_version=), read our compatibility rules to ensure that the
+ binary is compatible with Teleport Cloud.
+
+ (!docs/pages/includes/compatibility.mdx!)
+
+
+
+
-
+
Add the Teleport repository to your repository list:
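Review bot: The install command added in this hunk, `curl https://goteleport.com/static/install.sh | bash -s (=cloud.version=)`, pipes a remote script straight into a shell, so an HTTP error body or a truncated download is executed as it arrives and the reader never sees what ran. The tarball instructions later in the same file fetch a `.sha256` file, which leaves this one-liner as the only install path shown here with no verification step. I would split it into `$ curl -fsSLO https://goteleport.com/static/install.sh` followed by `$ bash install.sh (=cloud.version=)`, so a failed transfer stops before anything runs and the script can be read first. If a checksum or signature is published for `install.sh` (not visible in this diff), the docs should add a step to verify it between the two commands.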
@@ -40,7 +57,7 @@ Next, use the appropriate commands for your environment to install your package.
```
-
+
```code
# Source variables about OS version
@@ -73,7 +90,7 @@ Next, use the appropriate commands for your environment to install your package.
-
+
In the example commands below, update `$SYSTEM-ARCH` with the appropriate
value (`amd64`, `arm64`, or `arm`). All example commands using this variable
@@ -100,7 +117,7 @@ Next, use the appropriate commands for your environment to install your package.
will update after one is filled out.
-
+
After Downloading the `.deb` file for your system architecture, install it with
`dpkg`. The example below assumes the `root` user:
@@ -115,7 +132,7 @@ Next, use the appropriate commands for your environment to install your package.
```
-
+
After Downloading the `.rpm` file for your system architecture, install it with `rpm`:
@@ -125,7 +142,7 @@ Next, use the appropriate commands for your environment to install your package.
```
-
+
```code
$ curl https://get.gravitational.com/teleport-ent-v(=teleport.version=)-linux--bin.tar.gz.sha256
@@ -162,7 +179,7 @@ Next, use the appropriate commands for your environment to install your package.
will update after one is filled out.
-
+
After Downloading the `.deb` file for your system architecture, install it with
`dpkg`. The example below assumes the `root` user:
@@ -177,7 +194,7 @@ Next, use the appropriate commands for your environment to install your package.
```
-
+
After Downloading the `.rpm` file for your system architecture, install it with `rpm`:
@@ -187,7 +204,7 @@ Next, use the appropriate commands for your environment to install your package.
```
-
+
```code
$ curl https://get.gravitational.com/teleport-ent-v(=cloud.version=)-linux--bin.tar.gz.sha256
@@ -206,7 +223,7 @@ Next, use the appropriate commands for your environment to install your package.
Before installing a `teleport` binary with a version besides v(=cloud.major_version=),
read our compatibility rules to ensure that the binary is compatible with
- Teleport Cloud.
+ Teleport Enterprise Cloud.
(!docs/pages/includes/compatibility.mdx!)
diff --git a/docs/pages/includes/install-windows.mdx b/docs/pages/includes/install-windows.mdx
index 18300ab3bf170..9778e8e29d9de 100644
--- a/docs/pages/includes/install-windows.mdx
+++ b/docs/pages/includes/install-windows.mdx
@@ -30,3 +30,4 @@ To install `tsh` on Windows, run the following commands in PowerShell:
```
Make sure to move `tsh.exe` into your PATH.
+
diff --git a/docs/pages/includes/no-oss-prereqs-tabs.mdx b/docs/pages/includes/no-oss-prereqs-tabs.mdx
new file mode 100644
index 0000000000000..c42ce6b543e34
--- /dev/null
+++ b/docs/pages/includes/no-oss-prereqs-tabs.mdx
@@ -0,0 +1,56 @@
+
+
+
+- A Teleport Team account. If you do not have one, visit the [signup
+ page](https://goteleport.com/signup/) to begin your free trial.
+
+- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=).
+
+ ```code
+ $ tctl version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+
+ $ tsh version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+ ```
+
+ See [Installation](../installation.mdx) for details.
+
+
+
+
+- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise
+ [Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide.
+
+- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=teleport.version=),
+ which you can download by visiting your [Teleport account](https://teleport.sh).
+
+ ```code
+ $ tctl version
+ # Teleport Enterprise v(=teleport.version=) go(=teleport.golang=)
+
+ $ tsh version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+ ```
+
+
+
+
+- A Teleport Enterprise Cloud account. If you do not have one, visit the [signup
+ page](https://goteleport.com/signup/) to begin your free trial.
+
+- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=cloud.version=).
+ To download these tools, visit the [Downloads](../choose-an-edition/teleport-cloud/downloads.mdx) page.
+
+ ```code
+ $ tctl version
+ # Teleport Enterprise v(=cloud.version=) go(=teleport.golang=)
+
+ $ tsh version
+ # Teleport v(=cloud.version=) go(=teleport.golang=)
+ ```
+
+
+
diff --git a/docs/pages/includes/self-hosted-prereqs-tabs.mdx b/docs/pages/includes/self-hosted-prereqs-tabs.mdx
new file mode 100644
index 0000000000000..5c0fb1cd155c0
--- /dev/null
+++ b/docs/pages/includes/self-hosted-prereqs-tabs.mdx
@@ -0,0 +1,38 @@
+
+
+
+- A running Teleport cluster. For details on how to set this up, see our
+ [Getting Started](../index.mdx) guide.
+
+- The `tctl` admin tool and `tsh` client tool version >= (=teleport.version=).
+
+ ```code
+ $ tctl version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+
+ $ tsh version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+ ```
+
+ See [Installation](../installation.mdx) for details.
+
+
+
+
+- A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise
+ [Getting Started](../choose-an-edition/teleport-enterprise/introduction.mdx) guide.
+
+- The Enterprise `tctl` admin tool and `tsh` client tool version >= (=teleport.version=),
+ which you can download by visiting your [Teleport account](https://teleport.sh).
+
+ ```code
+ $ tctl version
+ # Teleport Enterprise v(=teleport.version=) go(=teleport.golang=)
+
+ $ tsh version
+ # Teleport v(=teleport.version=) go(=teleport.golang=)
+ ```
+
+
+
diff --git a/docs/pages/includes/sso/loginerrortroubleshooting.mdx b/docs/pages/includes/sso/loginerrortroubleshooting.mdx
index 6aa4aef8f656f..4fda228a6534c 100644
--- a/docs/pages/includes/sso/loginerrortroubleshooting.mdx
+++ b/docs/pages/includes/sso/loginerrortroubleshooting.mdx
@@ -1,9 +1,9 @@
Troubleshooting SSO configuration can be challenging. Usually a Teleport administrator
must be able to:
-
-- Ensure that HTTP/TLS certificates are configured properly for both Teleport
- proxy and the SSO provider.
+
+- Ensure that HTTP/TLS certificates are configured properly for both the Teleport
+ Proxy Service and the SSO provider.
- Be able to see what SAML/OIDC claims and values are getting exported and passed
by the SSO provider to Teleport.
diff --git a/docs/pages/includes/tctl.mdx b/docs/pages/includes/tctl.mdx
index 4b697ba811210..0de6d3dd8dba3 100644
--- a/docs/pages/includes/tctl.mdx
+++ b/docs/pages/includes/tctl.mdx
@@ -1,13 +1,11 @@
-
-
-To connect to Teleport, log in to your cluster using `tsh`, then use `tctl`
+Make sure you can connect to Teleport. Log in to your cluster using `tsh`, then use `tctl`
remotely:
+{/* Ignoring scope linting since we use this partial throughout the docs and
+cannot guarantee that it will line up with a page's configured scopes*/}
+{/*lint ignore scopes*/}
+
+
```code
$ tsh login --proxy=teleport.example.com --user=email@example.com
$ tctl status
@@ -20,16 +18,9 @@ You can run subsequent `tctl` commands in this guide on your local machine.
For full privileges, you can also run `tctl` commands on your Auth Service host.
-
-
-
-To connect to Teleport, log in to your cluster using `tsh`, then use `tctl`
-remotely:
+
+{/*lint ignore scopes*/}
+
```code
$ tsh login --proxy=myinstance.teleport.sh --user=email@example.com
@@ -41,4 +32,4 @@ $ tctl status
You must run subsequent `tctl` commands in this guide on your local machine.
-
+
diff --git a/docs/pages/installation.mdx b/docs/pages/installation.mdx
index 3276d28923050..28025fc9e405c 100644
--- a/docs/pages/installation.mdx
+++ b/docs/pages/installation.mdx
@@ -105,7 +105,7 @@ chart.
## macOS
-
+
diff --git a/docs/pages/kubernetes-access/getting-started.mdx b/docs/pages/kubernetes-access/getting-started.mdx
index b96f4566803b2..6a0f443f9a85a 100644
--- a/docs/pages/kubernetes-access/getting-started.mdx
+++ b/docs/pages/kubernetes-access/getting-started.mdx
@@ -76,7 +76,7 @@ or up to one major version back. You can set the version override with the overr
(!docs/pages/kubernetes-access/helm/includes/helm-repo-add.mdx!)
-
+
Switch `kubectl` to the Kubernetes cluster `cookie` and run the following
commands, assigning `PROXY_ADDR` to the address of your Auth Service or Proxy
diff --git a/docs/pages/kubernetes-access/guides/federation.mdx b/docs/pages/kubernetes-access/guides/federation.mdx
index 128b41b755610..341faa4830c42 100644
--- a/docs/pages/kubernetes-access/guides/federation.mdx
+++ b/docs/pages/kubernetes-access/guides/federation.mdx
@@ -42,7 +42,7 @@ $ tsh --proxy=main.example.com login east
```
-
+
When multiple Trusted Clusters are present behind the Teleport Proxy Service, the
`kubeconfig` generated by [tsh login](../../reference/cli.mdx#tsh-login) will contain the
@@ -52,7 +52,7 @@ login](../../reference/cli.mdx#tsh-login).
For example, consider the following setup:
- There are two Teleport/Kubernetes clusters, `east` and `west`. These are the names set in `cluster_name` setting in their configuration files.
-- The clusters `east` and `west` are Trusted Clusters for a Teleport Cloud tenant, `mytenant.teleport.sh`.
+- The clusters `east` and `west` are Trusted Clusters for a Teleport Team or Enterprise Cloud tenant, `mytenant.teleport.sh`.
- Users always authenticate against `mytenant.teleport.sh` but use their certificates to access
SSH nodes and the Kubernetes API in all three clusters.
diff --git a/docs/pages/management/admin/troubleshooting.mdx b/docs/pages/management/admin/troubleshooting.mdx
index fe7d58950b2c9..f0c533c84b403 100644
--- a/docs/pages/management/admin/troubleshooting.mdx
+++ b/docs/pages/management/admin/troubleshooting.mdx
@@ -150,11 +150,11 @@ Teleport v9.0.4 git: go1.18
### Pose your question
-
+
If you need help, please ask on our [community forum](https://github.com/gravitational/teleport/discussions). You can also open an [issue on GitHub](https://github.com/gravitational/teleport/issues) or create a ticket through your [Teleport account](https://teleport.sh).
-
+
If you need help, please ask on our [community forum](https://github.com/gravitational/teleport/discussions). You can also open an [issue on GitHub](https://github.com/gravitational/teleport/issues).
For more information about custom features, or to try our [Enterprise edition](../../choose-an-edition/teleport-enterprise/introduction.mdx) of Teleport, please reach out to us at [sales](https://goteleport.com/signup/enterprise/).
diff --git a/docs/pages/management/admin/trustedclusters.mdx b/docs/pages/management/admin/trustedclusters.mdx
index ced77da5ffa1b..dc4b9326df069 100644
--- a/docs/pages/management/admin/trustedclusters.mdx
+++ b/docs/pages/management/admin/trustedclusters.mdx
@@ -42,6 +42,26 @@ This guide will explain how to:
## Prerequisites
+
+
+- A Teleport Team account. If you do not have one, visit the [signup
+ page](https://goteleport.com/signup/) to begin your free trial.
+
+- A second Teleport cluster, which will act as the leaf cluster. For details on
+ how to set up this cluster, see our [Getting Started](../../index.mdx)
+ guide.
+
+ As an alternative, you can set up a second Teleport Team account.
+
+- (!docs/pages/includes/cloud/tctl-tsh-prerequisite.mdx!)
+
+- A Teleport Node that is joined to one of your clusters. We will refer to this
+ cluster as the **leaf cluster** throughout this guide.
+
+ See [Join Services to your Cluster](adding-nodes.mdx) for how to launch a
+ Teleport Node in your cluster.
+
+
- Two running Teleport clusters. For details on how to set up your clusters, see
@@ -75,7 +95,7 @@ This guide will explain how to:
+ label="Teleport Enterprise Cloud">
- A Teleport Cloud account. If you do not have one, visit the
[sign up page](https://goteleport.com/signup/) to begin your free trial.
@@ -963,7 +983,7 @@ should check to see the following:
cluster. Check the audit log messages on both clusters to get answers for the
questions above.
-
+
Troubleshooting "access denied" messages can be challenging. A Teleport administrator
should check to see the following:
@@ -977,6 +997,7 @@ should check to see the following:
## Further reading
+
- Read more about how Trusted Clusters fit into Teleport's overall architecture:
[Architecture Introduction](../../architecture/trustedclusters.mdx).
diff --git a/docs/pages/management/admin/uninstall-teleport.mdx b/docs/pages/management/admin/uninstall-teleport.mdx
index e85d225ca33a3..c7b978e273686 100644
--- a/docs/pages/management/admin/uninstall-teleport.mdx
+++ b/docs/pages/management/admin/uninstall-teleport.mdx
@@ -70,9 +70,9 @@ $ docker stop teleport
## Step 2/3. Remove Teleport binaries
-
+
-
+
Uninstall the Teleport binary using APT:
@@ -95,7 +95,7 @@ $ docker stop teleport
-
+
Uninstall the Teleport binary using YUM:
@@ -120,7 +120,7 @@ $ docker stop teleport
-
+
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@@ -137,7 +137,7 @@ $ docker stop teleport
```
-
+
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@@ -163,7 +163,7 @@ $ docker stop teleport
-
+
Remove the `tsh.exe` binary from the machine:
@@ -179,7 +179,7 @@ $ docker stop teleport
-
+
Uninstall the Teleport binary using APT:
@@ -207,7 +207,7 @@ $ docker stop teleport
-
+
Uninstall the Teleport binary using YUM:
@@ -238,7 +238,7 @@ $ docker stop teleport
-
+
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@@ -255,7 +255,7 @@ $ docker stop teleport
```
-
+
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@@ -281,7 +281,7 @@ $ docker stop teleport
-
+
Remove the `tsh.exe` binary from the machine:
@@ -294,10 +294,10 @@ $ docker stop teleport
-
+
-
+
Uninstall the Teleport binary using APT:
@@ -324,7 +324,7 @@ $ docker stop teleport
-
+
Uninstall the Teleport binary using YUM:
@@ -354,7 +354,7 @@ $ docker stop teleport
-
+
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@@ -371,7 +371,7 @@ $ docker stop teleport
```
-
+
These are the default paths to the Teleport binaries. If you have changed these from the defaults on your system, substitute those paths here.
@@ -397,7 +397,7 @@ $ docker stop teleport
-
+
Remove the `tsh.exe` binary from the machine:
diff --git a/docs/pages/management/admin/users.mdx b/docs/pages/management/admin/users.mdx
index 02aa02d889786..3ccb6aecaa65e 100644
--- a/docs/pages/management/admin/users.mdx
+++ b/docs/pages/management/admin/users.mdx
@@ -105,7 +105,7 @@ $ tctl users rm joe
## Next steps
-
+
In addition to users, you can use `tctl` to manage roles and other dynamic
resources. See our [Teleport Resources Reference](../../reference/resources.mdx).
@@ -118,7 +118,7 @@ For more information, see:
- [Single Sign-On](../../access-controls/sso.mdx)
-
+
In addition to users, you can use `tctl` to manage roles and other dynamic
resources. See our [Teleport Resources Reference](../../reference/resources.mdx).
diff --git a/docs/pages/management/export-audit-events/elastic-stack.mdx b/docs/pages/management/export-audit-events/elastic-stack.mdx
index eca687ffed34e..d5d2d8bea0a82 100644
--- a/docs/pages/management/export-audit-events/elastic-stack.mdx
+++ b/docs/pages/management/export-audit-events/elastic-stack.mdx
@@ -15,7 +15,7 @@ stores them in Elasticsearch for visualization and alerting in Kibana.
## Prerequisites
-(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
+(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- Logstash version 8.4.1 or above running on a Linux host. Logstash must be
listening on a TCP port that is open to traffic from
-
+
Run the `configure` command to generate a sample configuration. Replace
`mytenant.teleport.sh` with the DNS name of your Teleport Cloud tenant:
@@ -279,7 +279,7 @@ connection to the Auth Service. The plugin uses this reverse tunnel, along with
your TLS credentials, to connect to the Auth Service's gRPC endpoint.
-
+
```code
$ tctl auth sign --user=teleport-event-handler --out=identity
```
@@ -291,7 +291,7 @@ connection to the Auth Service. The plugin uses this reverse tunnel, along with
your TLS credentials, to connect to the Auth Service's gRPC endpoint.
-
+
If you are planning to use the Helm Chart, you'll need to generate the keys
with the `file` format, then create a secret in Kubernetes.
@@ -383,7 +383,7 @@ Earlier, we generated a file called `teleport-event-handler.toml` to configure
the Fluentd event handler. This file includes setting similar to the following:
-
+
```toml
storage = "./storage"
diff --git a/docs/pages/management/export-audit-events/splunk.mdx b/docs/pages/management/export-audit-events/splunk.mdx
index f4109299eae2a..799b2ee6f8257 100644
--- a/docs/pages/management/export-audit-events/splunk.mdx
+++ b/docs/pages/management/export-audit-events/splunk.mdx
@@ -16,7 +16,7 @@ visualization and alerting.
## Prerequisites
-(!docs/pages/includes/commercial-prereqs-tabs.mdx!)
+(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- Splunk Cloud Platform or Splunk Enterprise v9.0.1 or above.
diff --git a/docs/pages/management/guides/docker.mdx b/docs/pages/management/guides/docker.mdx
index 3b6b49714907f..4e8688a67e0db 100644
--- a/docs/pages/management/guides/docker.mdx
+++ b/docs/pages/management/guides/docker.mdx
@@ -18,7 +18,7 @@ Service) or explore the Auth and Proxy Services locally.
## Prerequisites
-
+
- Docker v(=docker.version=) or later.
@@ -52,7 +52,7 @@ $ docker version
## Step 1/4. Pick your image
-
+
(!docs/pages/includes/docker-images-oss.mdx!)
@@ -66,7 +66,7 @@ We provide pre-built `amd64`, `arm`, and `arm64` Docker images for every version
## Step 2/4. Start Teleport
-
+
Create Teleport configs and start the process with the following `docker run` commands:
diff --git a/docs/pages/management/guides/joining-nodes-aws-ec2.mdx b/docs/pages/management/guides/joining-nodes-aws-ec2.mdx
index 45d62d7706f57..2dbb7dba30ceb 100644
--- a/docs/pages/management/guides/joining-nodes-aws-ec2.mdx
+++ b/docs/pages/management/guides/joining-nodes-aws-ec2.mdx
@@ -7,13 +7,14 @@ This guide will explain how to use the **EC2 join method** to configure Teleport
Nodes and Proxy Service instances to join your Teleport cluster without sharing
any secrets when they are running in AWS.
-
+
-The EC2 join method is not available in Teleport Cloud. Teleport Cloud customers
-can use the [IAM join method](./joining-nodes-aws-iam.mdx) or
-[secret tokens](../admin/adding-nodes.mdx).
+The EC2 join method is not available in Teleport Team and Enterprise Cloud.
+Cloud-hosted Teleport customers can use the [IAM join
+method](./joining-nodes-aws-iam.mdx) or [secret
+tokens](../admin/adding-nodes.mdx).
-
+
The EC2 join method is available in self-hosted versions of Teleport 7.3+. It is
available to any Teleport Node or Proxy running on an EC2 instance. Only one
@@ -23,6 +24,14 @@ IAM credentials with `ec2:DescribeInstances` permissions are required on
your Teleport Auth Service. No IAM credentials are required on the Nodes or
Proxy Service instances.
+
+
+The EC2 join method is not available in Teleport Enterprise Cloud and Teleport
+Team. Teleport Enterprise Cloud and Team customers can use the [IAM join
+method](./joining-nodes-aws-iam.mdx) or [secret tokens](../admin/adding-nodes.mdx).
+
+
+
-
+
```code
$ tctl auth sign --user=terraform --out=terraform-identity
```
@@ -148,7 +148,7 @@ Paste the following into a file called `main.tf` to define an example user and
role using Terraform.
-
+
```
(!examples/resources/terraform/terraform-user-role-cloud.tf!)
```
@@ -165,7 +165,7 @@ role using Terraform.
Check the contents of the `teleport-terraform` folder:
-
+
```code
$ ls
diff --git a/docs/pages/management/operations/backup-restore.mdx b/docs/pages/management/operations/backup-restore.mdx
index 10b134a0ee7b1..c2d38e10b04b0 100644
--- a/docs/pages/management/operations/backup-restore.mdx
+++ b/docs/pages/management/operations/backup-restore.mdx
@@ -47,9 +47,10 @@ Teleport audit logs, logged events have a TTL of 1 year.
| Firestore | [Follow GCP's guidelines for automated backups](https://firebase.google.com/docs/database/backups) |
-
+
-Teleport Cloud manages all Auth Service and Proxy Service backups.
+Teleport Team and Teleport Enterprise Cloud manage all Auth Service and Proxy
+Service backups.
While Teleport Nodes are stateless, you should ensure that you can restore their
configuration files.
@@ -80,7 +81,7 @@ If you're running Teleport at scale, your teams need to have an automated way to
if a resource already exists, so this command can be run regularly.
-
+
- Store your dynamic resource configurations as discrete files in a git
repository.
@@ -224,9 +225,10 @@ also apply to a new cluster being bootstrapped from the state of an old cluster:
dynamically will need to be re-invited.
-
+
-In Teleport Cloud, backend data is managed for you automatically.
+In Teleport Team and Teleport Enterprise Cloud, backend data is managed for you
+automatically.
If you would like to migrate configuration resources to a self-hosted Teleport
cluster, follow our recommended backup practice of storing configuration
diff --git a/docs/pages/management/operations/scaling.mdx b/docs/pages/management/operations/scaling.mdx
index ca84dd3bfeec7..0d3ae0053aeee 100644
--- a/docs/pages/management/operations/scaling.mdx
+++ b/docs/pages/management/operations/scaling.mdx
@@ -4,14 +4,7 @@ description: How to configure Teleport for large-scale deployments
---
This section explains the recommended configuration settings for large-scale
-deployments of Teleport.
-
-
-
-For Teleport Cloud customers, the settings in this guide are configured
-automatically.
-
-
+self-hosted deployments of Teleport.
(!docs/pages/includes/cloud/call-to-action.mdx!)
diff --git a/docs/pages/management/operations/tls-routing.mdx b/docs/pages/management/operations/tls-routing.mdx
index 92552d74bd8b9..2f652373c677c 100644
--- a/docs/pages/management/operations/tls-routing.mdx
+++ b/docs/pages/management/operations/tls-routing.mdx
@@ -13,12 +13,13 @@ description: How to upgrade an existing Teleport cluster to single-port TLS rout
TLS routing is available starting from Teleport `8.0`.
-
+
-Teleport Cloud manages the Proxy Service's networking configuration for you.
+Teleport Enterprise Cloud and Teleport Team manage the Proxy Service's
+networking configuration for you.
To see which ports and networking settings the Proxy Service is configured to
-use in your Teleport Cloud tenant, run the following command, replacing
+use in your Teleport tenant, run the following command, replacing
`mytenant.teleport.sh` with your tenant address:
```code
diff --git a/docs/pages/management/operations/upgrading.mdx b/docs/pages/management/operations/upgrading.mdx
index 362bb7e7c99d5..e16a294756663 100644
--- a/docs/pages/management/operations/upgrading.mdx
+++ b/docs/pages/management/operations/upgrading.mdx
@@ -89,7 +89,7 @@ When upgrading multiple clusters:
2. Upgrade the Trusted Clusters.
-
+
The Teleport Auth Service and Proxy Service are upgraded automatically. When
upgrading resource services, you may upgrade in any sequence or at the same
diff --git a/docs/pages/management/security/reduce-blast-radius.mdx b/docs/pages/management/security/reduce-blast-radius.mdx
index 9ef1b896b3b83..5490ce0e1729c 100644
--- a/docs/pages/management/security/reduce-blast-radius.mdx
+++ b/docs/pages/management/security/reduce-blast-radius.mdx
@@ -22,7 +22,7 @@ Teleport lets you make it mandatory for a user to enroll an MFA device when they
To do so, make the following changes depending on your environment:
-
+
Ensure that the value of `auth_service.authentication.second_factor` is `otp`,
`webauthn`, or `on`:
@@ -34,7 +34,7 @@ auth_service:
```
-
+
Obtain your existing `cluster_auth_preference` resource:
@@ -100,7 +100,7 @@ auth_service:
require_session_mfa: yes
```
-
+
Create the following `cluster_auth_preference` dynamic resource:
```yaml
diff --git a/docs/pages/reference/audit.mdx b/docs/pages/reference/audit.mdx
index 0d90fbca0ea1b..342009f074de2 100644
--- a/docs/pages/reference/audit.mdx
+++ b/docs/pages/reference/audit.mdx
@@ -17,7 +17,7 @@ There are two components of the audit log:
but can be configured to be done by the proxy.
-
+
1. **Cluster Events:** Teleport logs events like successful user logins along
@@ -74,10 +74,10 @@ $ ls -l /var/lib/teleport/log/
```
-
+
-Teleport Cloud manages the storage of audit logs for you. You can access your
-audit logs via the Teleport Web UI by clicking:
+Teleport Team and Teleport Enterprise Cloud manage the storage of audit logs for
+you. You can access your audit logs via the Teleport Web UI by clicking:
**Activity** > **Audit Log**
@@ -183,9 +183,10 @@ $ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json
```
-
+
-Teleport Cloud automatically stores recorded sessions.
+Teleport Team and Teleport Enterprise Cloud automatically store recorded
+sessions.
You can replay recorded sessions using the [`tsh play`](./cli.mdx#tsh-play) command or the Web
UI.
diff --git a/docs/pages/reference/authentication.mdx b/docs/pages/reference/authentication.mdx
index f9509a92430a1..de7247114778b 100644
--- a/docs/pages/reference/authentication.mdx
+++ b/docs/pages/reference/authentication.mdx
@@ -80,12 +80,11 @@ Create the `cluster_auth_preference` resource via `tctl`:
$ tctl create -f cap.yaml
```
-
+
You can modify these settings using dynamic configuration resources.
-Log in to Teleport from your local machine so you can use the Enterprise
-edition of the `tctl` admin tool:
+Log in to Teleport from your local machine so you can use the `tctl` admin tool:
```code
$ tsh login --proxy=myinstance.teleport.sh
@@ -126,7 +125,28 @@ $ tctl create -f cap.yaml
## Authentication connectors
-
+
+
+### GitHub
+
+This connector implements GitHub's OAuth 2.0 authentication flow. Please refer to GitHub's documentation on [Creating an OAuth App](https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/)
+to learn how to create and register an OAuth app.
+
+Here is an example of this setting in a `cluster_auth_preference` resource:
+
+```yaml
+kind: cluster_auth_preference
+metadata:
+ name: cluster-auth-preference
+spec:
+ type: github
+version: v2
+```
+
+See [GitHub OAuth 2.0](../access-controls/sso/github-sso.mdx) for details on how to configure it.
+
+
+
### GitHub
diff --git a/docs/pages/reference/backends.mdx b/docs/pages/reference/backends.mdx
index 580f1b3eb5754..21f24ea6a9123 100644
--- a/docs/pages/reference/backends.mdx
+++ b/docs/pages/reference/backends.mdx
@@ -4,15 +4,11 @@ description: How to configure Teleport deployment for high-availability using st
---
A Teleport cluster stores different types of data in different locations. By
-default everything is stored in a local directory at the Auth server.
-Integration with other storage types is implemented based on the nature of the
-stored data (size, read/write ratio, mutability, etc.).
+default everything is stored in a local directory on the Auth Service host.
-
-
-Teleport Cloud manages Auth Service and Proxy Service data for you, so there is
-no need to configure a backend.
-
+For self-hosted Teleport deployments, you can configure Teleport to integrate
+with other storage types based on the nature of the stored data (size,
+read/write ratio, mutability, etc.).
| Data type | Description | Supported storage backends |
| - | - | - |
diff --git a/docs/pages/reference/cli.mdx b/docs/pages/reference/cli.mdx
index b6659453b769b..6555e1d2082cf 100644
--- a/docs/pages/reference/cli.mdx
+++ b/docs/pages/reference/cli.mdx
@@ -1273,7 +1273,7 @@ which could result in the error,
`ERROR: open /var/lib/teleport/host_uuid: permission denied`.
-
+
When running `tctl` commands, administrators must authenticate to a Teleport
cluster. This can be done in two ways:
@@ -2613,7 +2613,7 @@ Starts the Machine ID client `tbot`, fetching and writing certificates to disk a
#### Examples
-
+
```code
$ tbot start \
@@ -2626,7 +2626,7 @@ $ tbot start \
```
-
+
```code
$ tbot start \
diff --git a/docs/pages/reference/networking.mdx b/docs/pages/reference/networking.mdx
index 331ecef741dbb..acbe6dd6bbdb4 100644
--- a/docs/pages/reference/networking.mdx
+++ b/docs/pages/reference/networking.mdx
@@ -25,7 +25,7 @@ following use cases:
- You want Teleport to issue an SSH certificate for the service with additional
principals, e.g., host names.
-
+
All Teleport services (e.g., the Application Service and Database Service) have
an optional `public_addr` property that you can modify in each service's
@@ -158,7 +158,7 @@ In those cases, they can set up separate listeners in the config file.
| 3025 | All Teleport services | TLS port used by the Auth Service to serve its gRPC API to other Teleport services in a cluster.|
-
+
### Proxy Service ports
diff --git a/docs/pages/server-access/guides/bpf-session-recording.mdx b/docs/pages/server-access/guides/bpf-session-recording.mdx
index 53ed3b7c7fea6..cb627503899ca 100644
--- a/docs/pages/server-access/guides/bpf-session-recording.mdx
+++ b/docs/pages/server-access/guides/bpf-session-recording.mdx
@@ -241,7 +241,7 @@ To quickly check the status of the audit log, you can simply tail the logs with
`tail -f /var/lib/teleport/log/events.log`. The resulting capture from Teleport will
be a JSON log for each command and network request.
-
+
Enhanced session recording events will be shown in Teleport's audit log, which
you can inspect by visiting Teleport's Web UI.
diff --git a/docs/pages/server-access/guides/recording-proxy-mode.mdx b/docs/pages/server-access/guides/recording-proxy-mode.mdx
index 39d3abf7ced7f..05d085236a0a2 100644
--- a/docs/pages/server-access/guides/recording-proxy-mode.mdx
+++ b/docs/pages/server-access/guides/recording-proxy-mode.mdx
@@ -16,14 +16,14 @@ when gradually transitioning large server fleets to Teleport.
-
+
-Teleport Cloud only supports session recording at the Node level. If you are
-interested in setting up session recording, read our
+Teleport Enterprise Cloud and Teleport Team only support session recording at
+the Node level. If you are interested in setting up session recording, read our
[Server Access Getting Started Guide](../getting-started.mdx) so you can start
replacing your OpenSSH servers with Teleport Nodes.
-
+
We consider Recording Proxy Mode to be less secure than recording at the Node
level for two reasons: