chore: Bump gcloud modules

docs/pages/reference/operator-resources/resources.teleport.dev_oidcconnectors.mdx

@@ -38,6 +38,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |google_service_account_uri|string|GoogleServiceAccountURI is a path to a google service account uri.|
 |issuer_url|string|IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.|
 |max_age|string|MaxAge is the amount of time that user logins are valid for. If a user logs in, but then does not login again within this time period, they will be forced to re-authenticate.|
+|mfa|[object](#specmfa)|MFASettings contains settings to enable SSO MFA checks through this auth connector.|
 |prompt|string|Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.|
 |provider|string|Provider is the external identity provider.|
 |redirect_url|[]string|RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.|
@@ -59,3 +60,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |allowed_https_hostnames|[]string|a list of hostnames allowed for https client redirect URLs|
 |insecure_allowed_cidr_ranges|[]string|a list of CIDRs allowed for HTTP or HTTPS client redirect URLs|
 
+### spec.mfa
+
+|Field|Type|Description|
+|---|---|---|
+|acr_values|string|AcrValues are Authentication Context Class Reference values. The meaning of the ACR value is context-specific and varies for identity providers. Some identity providers support MFA specific contexts, such Okta with its "phr" (phishing-resistant) ACR.|
+|client_id|string|ClientID is the OIDC OAuth app client ID.|
+|client_secret|string|ClientSecret is the OIDC OAuth app client secret.|
+|enabled|boolean|Enabled specified whether this OIDC connector supports MFA checks. Defaults to false.|
+|prompt|string|Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.|
+

docs/pages/reference/operator-resources/resources.teleport.dev_samlconnectors.mdx

@@ -37,6 +37,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |entity_descriptor|string|EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.|
 |entity_descriptor_url|string|EntityDescriptorURL is a URL that supplies a configuration XML.|
 |issuer|string|Issuer is the identity provider issuer.|
+|mfa|[object](#specmfa)|MFASettings contains settings to enable SSO MFA checks through this auth connector.|
 |provider|string|Provider is the external identity provider.|
 |service_provider_issuer|string|ServiceProviderIssuer is the issuer of the service provider (Teleport).|
 |signing_key_pair|[object](#specsigning_key_pair)|SigningKeyPair is an x509 key pair used to sign AuthnRequest.|
@@ -65,6 +66,14 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |allowed_https_hostnames|[]string|a list of hostnames allowed for https client redirect URLs|
 |insecure_allowed_cidr_ranges|[]string|a list of CIDRs allowed for HTTP or HTTPS client redirect URLs|
 
+### spec.mfa
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean|Enabled specified whether this SAML connector supports MFA checks. Defaults to false.|
+|entity_descriptor|string|EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.|
+|entity_descriptor_url|string|EntityDescriptorUrl is a URL that supplies a configuration XML.|
+
 ### spec.signing_key_pair
 
 |Field|Type|Description|

docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx

@@ -39,6 +39,7 @@ Optional:
 - `google_service_account_uri` (String) GoogleServiceAccountURI is a path to a google service account uri.
 - `issuer_url` (String) IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
 - `max_age` (String)
+- `mfa` (Attributes) MFASettings contains settings to enable SSO MFA checks through this auth connector. (see [below for nested schema](#nested-schema-for-specmfa))
 - `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
 - `provider` (String) Provider is the external identity provider.
 - `redirect_url` (List of String)
@@ -62,6 +63,17 @@ Optional:
 - `insecure_allowed_cidr_ranges` (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
 
 
+### Nested Schema for `spec.mfa`
+
+Optional:
+
+- `acr_values` (String) AcrValues are Authentication Context Class Reference values. The meaning of the ACR value is context-specific and varies for identity providers. Some identity providers support MFA specific contexts, such Okta with its "phr" (phishing-resistant) ACR.
+- `client_id` (String) ClientID is the OIDC OAuth app client ID.
+- `client_secret` (String) ClientSecret is the OIDC OAuth app client secret.
+- `enabled` (Boolean) Enabled specified whether this OIDC connector supports MFA checks. Defaults to false.
+- `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
+
+
 
 ### Nested Schema for `metadata`
 

docs/pages/reference/terraform-provider/data-sources/saml_connector.mdx

@@ -41,6 +41,7 @@ Optional:
 - `entity_descriptor` (String, Sensitive) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
 - `entity_descriptor_url` (String) EntityDescriptorURL is a URL that supplies a configuration XML.
 - `issuer` (String) Issuer is the identity provider issuer.
+- `mfa` (Attributes) MFASettings contains settings to enable SSO MFA checks through this auth connector. (see [below for nested schema](#nested-schema-for-specmfa))
 - `provider` (String) Provider is the external identity provider.
 - `service_provider_issuer` (String) ServiceProviderIssuer is the issuer of the service provider (Teleport).
 - `signing_key_pair` (Attributes) SigningKeyPair is an x509 key pair used to sign AuthnRequest. (see [below for nested schema](#nested-schema-for-specsigning_key_pair))
@@ -72,6 +73,15 @@ Optional:
 - `insecure_allowed_cidr_ranges` (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
 
 
+### Nested Schema for `spec.mfa`
+
+Optional:
+
+- `enabled` (Boolean) Enabled specified whether this SAML connector supports MFA checks. Defaults to false.
+- `entity_descriptor` (String) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
+- `entity_descriptor_url` (String) EntityDescriptorUrl is a URL that supplies a configuration XML.
+
+
 ### Nested Schema for `spec.signing_key_pair`
 
 Optional:

docs/pages/reference/terraform-provider/resources/oidc_connector.mdx

@@ -68,6 +68,7 @@ Optional:
 - `google_service_account_uri` (String) GoogleServiceAccountURI is a path to a google service account uri.
 - `issuer_url` (String) IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
 - `max_age` (String)
+- `mfa` (Attributes) MFASettings contains settings to enable SSO MFA checks through this auth connector. (see [below for nested schema](#nested-schema-for-specmfa))
 - `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
 - `provider` (String) Provider is the external identity provider.
 - `redirect_url` (List of String)
@@ -91,6 +92,17 @@ Optional:
 - `insecure_allowed_cidr_ranges` (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
 
 
+### Nested Schema for `spec.mfa`
+
+Optional:
+
+- `acr_values` (String) AcrValues are Authentication Context Class Reference values. The meaning of the ACR value is context-specific and varies for identity providers. Some identity providers support MFA specific contexts, such Okta with its "phr" (phishing-resistant) ACR.
+- `client_id` (String) ClientID is the OIDC OAuth app client ID.
+- `client_secret` (String) ClientSecret is the OIDC OAuth app client secret.
+- `enabled` (Boolean) Enabled specified whether this OIDC connector supports MFA checks. Defaults to false.
+- `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
+
+
 
 ### Nested Schema for `metadata`
 

docs/pages/reference/terraform-provider/resources/saml_connector.mdx

@@ -86,6 +86,7 @@ Optional:
 - `entity_descriptor` (String, Sensitive) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
 - `entity_descriptor_url` (String) EntityDescriptorURL is a URL that supplies a configuration XML.
 - `issuer` (String) Issuer is the identity provider issuer.
+- `mfa` (Attributes) MFASettings contains settings to enable SSO MFA checks through this auth connector. (see [below for nested schema](#nested-schema-for-specmfa))
 - `provider` (String) Provider is the external identity provider.
 - `service_provider_issuer` (String) ServiceProviderIssuer is the issuer of the service provider (Teleport).
 - `signing_key_pair` (Attributes) SigningKeyPair is an x509 key pair used to sign AuthnRequest. (see [below for nested schema](#nested-schema-for-specsigning_key_pair))
@@ -117,6 +118,15 @@ Optional:
 - `insecure_allowed_cidr_ranges` (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
 
 
+### Nested Schema for `spec.mfa`
+
+Optional:
+
+- `enabled` (Boolean) Enabled specified whether this SAML connector supports MFA checks. Defaults to false.
+- `entity_descriptor` (String) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
+- `entity_descriptor_url` (String) EntityDescriptorUrl is a URL that supplies a configuration XML.
+
+
 ### Nested Schema for `spec.signing_key_pair`
 
 Optional:

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml

@@ -116,6 +116,34 @@ spec:
                   time period, they will be forced to re-authenticate.
                 format: duration
                 type: string
+              mfa:
+                description: MFASettings contains settings to enable SSO MFA checks
+                  through this auth connector.
+                nullable: true
+                properties:
+                  acr_values:
+                    description: AcrValues are Authentication Context Class Reference
+                      values. The meaning of the ACR value is context-specific and
+                      varies for identity providers. Some identity providers support
+                      MFA specific contexts, such Okta with its "phr" (phishing-resistant)
+                      ACR.
+                    type: string
+                  client_id:
+                    description: ClientID is the OIDC OAuth app client ID.
+                    type: string
+                  client_secret:
+                    description: ClientSecret is the OIDC OAuth app client secret.
+                    type: string
+                  enabled:
+                    description: Enabled specified whether this OIDC connector supports
+                      MFA checks. Defaults to false.
+                    type: boolean
+                  prompt:
+                    description: Prompt is an optional OIDC prompt. An empty string
+                      omits prompt. If not specified, it defaults to select_account
+                      for backwards compatibility.
+                    type: string
+                type: object
               prompt:
                 description: Prompt is an optional OIDC prompt. An empty string omits
                   prompt. If not specified, it defaults to select_account for backwards

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml

@@ -118,6 +118,25 @@ spec:
               issuer:
                 description: Issuer is the identity provider issuer.
                 type: string
+              mfa:
+                description: MFASettings contains settings to enable SSO MFA checks
+                  through this auth connector.
+                nullable: true
+                properties:
+                  enabled:
+                    description: Enabled specified whether this SAML connector supports
+                      MFA checks. Defaults to false.
+                    type: boolean
+                  entity_descriptor:
+                    description: EntityDescriptor is XML with descriptor. It can be
+                      used to supply configuration parameters in one XML file rather
+                      than supplying them in the individual elements.
+                    type: string
+                  entity_descriptor_url:
+                    description: EntityDescriptorUrl is a URL that supplies a configuration
+                      XML.
+                    type: string
+                type: object
               provider:
                 description: Provider is the external identity provider.
                 type: string

go.mod

@@ -3,15 +3,15 @@ module github.com/gravitational/teleport
 go 1.23.1
 
 require (
-	cloud.google.com/go/cloudsqlconn v1.12.0
-	cloud.google.com/go/compute v1.28.0
-	cloud.google.com/go/compute/metadata v0.5.0
-	cloud.google.com/go/container v1.39.0
-	cloud.google.com/go/firestore v1.16.0
-	cloud.google.com/go/iam v1.2.0
-	cloud.google.com/go/kms v1.19.0
-	cloud.google.com/go/resourcemanager v1.10.0
-	cloud.google.com/go/spanner v1.67.0
+	cloud.google.com/go/cloudsqlconn v1.12.1
+	cloud.google.com/go/compute v1.28.1
+	cloud.google.com/go/compute/metadata v0.5.2
+	cloud.google.com/go/container v1.40.0
+	cloud.google.com/go/firestore v1.17.0
+	cloud.google.com/go/iam v1.2.1
+	cloud.google.com/go/kms v1.20.0
+	cloud.google.com/go/resourcemanager v1.10.1
+	cloud.google.com/go/spanner v1.68.0
 	cloud.google.com/go/storage v1.43.0
 	connectrpc.com/connect v1.16.2
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
@@ -134,7 +134,7 @@ require (
 	github.com/jackc/pgproto3/v2 v2.3.3
 	github.com/jackc/pgtype v1.14.3
 	github.com/jackc/pgx/v4 v4.18.3
-	github.com/jackc/pgx/v5 v5.6.0
+	github.com/jackc/pgx/v5 v5.7.1
 	github.com/jcmturner/gokrb5/v8 v8.4.4
 	github.com/johannesboyne/gofakes3 v0.0.0-20240217095638-c55a48f17be6
 	github.com/jonboulle/clockwork v0.4.0
@@ -199,16 +199,16 @@ require (
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 	golang.org/x/mod v0.20.0
 	golang.org/x/net v0.29.0
-	golang.org/x/oauth2 v0.22.0
+	golang.org/x/oauth2 v0.23.0
 	golang.org/x/sync v0.8.0
 	golang.org/x/sys v0.25.0
 	golang.org/x/term v0.24.0
 	golang.org/x/text v0.18.0
 	golang.org/x/time v0.6.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
-	google.golang.org/api v0.195.0
+	google.golang.org/api v0.197.0
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1
-	google.golang.org/grpc v1.66.1
+	google.golang.org/grpc v1.66.2
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1
 	google.golang.org/protobuf v1.34.2
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
@@ -240,11 +240,12 @@ require (
 require github.com/mailgun/minheap v0.0.0-20170619185613-3dbe6c6bf55f // indirect
 
 require (
-	cel.dev/expr v0.15.0 // indirect
+	cel.dev/expr v0.16.0 // indirect
 	cloud.google.com/go v0.115.1 // indirect
-	cloud.google.com/go/auth v0.9.1 // indirect
+	cloud.google.com/go/auth v0.9.3 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
-	cloud.google.com/go/longrunning v0.5.12 // indirect
+	cloud.google.com/go/longrunning v0.6.1 // indirect
+	cloud.google.com/go/monitoring v1.21.0 // indirect
 	cloud.google.com/go/pubsub v1.42.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
@@ -255,6 +256,7 @@ require (
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 // indirect
 	github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
@@ -293,7 +295,7 @@ require (
 	github.com/charmbracelet/x/term v0.1.1 // indirect
 	github.com/charmbracelet/x/windows v0.1.0 // indirect
 	github.com/cloudflare/cfssl v1.6.4 // indirect
-	github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect
+	github.com/cncf/xds/go v0.0.0-20240822171458-6449f94b4d59 // indirect
 	github.com/containerd/containerd v1.7.18 // indirect
 	github.com/containerd/errdefs v0.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
@@ -320,7 +322,7 @@ require (
 	github.com/dvsekhvalnov/jose2go v1.6.0 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.6.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.3 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
@@ -369,7 +371,7 @@ require (
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/gorilla/handlers v1.5.2 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
@@ -391,8 +393,8 @@ require (
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 // indirect
-	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
 	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
 	github.com/jcmturner/gofork v1.7.6 // indirect
@@ -520,15 +522,17 @@ require (
 	github.com/zmap/zlint/v3 v3.6.0 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.15 // indirect
 	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.29.0 // indirect
 	go.opentelemetry.io/otel/metric v1.30.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.29.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto v0.0.0-20240823204242-4ba0660f739c // indirect
+	google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect