[teleport-update] Move teleport binaries to new path {deb,rpm} #49110

Merged
vapopov merged 19 commits into master from
vapopov/build-teleport-update-for-dist-packages
Dec 16, 2024

@vapopov vapopov commented Nov 16, 2024

@vapopov vapopov added the no-changelog Indicates that a PR does not require a changelog entry label Nov 16, 2024

vapopov commented Nov 20, 2024

dev tag build: https://github.com/gravitational/teleport.e/actions/runs/11926871694
publish tag: https://github.com/gravitational/teleport.e/actions/runs/11935981875

publish might be failing by removal script since command not yet implemented, checking this one

@vapopov vapopov marked this pull request as ready for review November 20, 2024 15:02
@github-actions github-actions bot requested review from avatus and camscale November 20, 2024 15:03

vapopov commented Nov 20, 2024

Example of upgrade deb package from teleport_17.0.1_arm64.deb to current build

Install teleport_17.0.1_arm64.deb

root@92f7b4e17c5b:/go/teleport# dpkg -i teleport_17.0.1_arm64.deb
(Reading database ... 59626 files and directories currently installed.)
Preparing to unpack teleport_17.0.1_arm64.deb ...
Unpacking teleport (17.0.1) ...
Setting up teleport (17.0.1) ...

root@92f7b4e17c5b:/go/teleport# ls -la /usr/local/bin/
drwxr-xr-x 1 root root      4096 Nov 20 15:13 .
drwxr-xr-x 1 root root      4096 Nov 19 19:59 ..
-rwxr-xr-x 1 root root    395672 Nov 16 08:11 fdpass-teleport
-rwxr-xr-x 1 root root  84934916 Nov 16 08:11 tbot
-rwxr-xr-x 1 root root 104273432 Nov 16 08:11 tctl
-rwxr-xr-x 1 root root 341960152 Nov 16 08:11 teleport
-rwxr-xr-x 1 root root  51904664 Nov 19 19:22 teleport-update
-rwxr-xr-x 1 root root 118778368 Nov 16 08:11 tsh

Upgrade to teleport_18.0.0-dev.vapopov.10_arm64.deb

root@92f7b4e17c5b:/go/teleport# dpkg -i teleport_18.0.0-dev.vapopov.10_arm64.deb
(Reading database ... 59620 files and directories currently installed.)
Preparing to unpack teleport_18.0.0-dev.vapopov.10_arm64.deb ...
Unpacking teleport (18.0.0-dev.vapopov.10) over (17.0.1) ...
dpkg: warning: unable to delete old directory '/usr/local/bin': Directory not empty
Setting up teleport (18.0.0-dev.vapopov.10) ...
Teleport system symlinks creation...
2024-11-20T15:25:17Z INFO [UPDATER]   Successfully linked system package installation. agent/updater.go:652

root@92f7b4e17c5b:/go/teleport# ls -la /usr/local/bin/
drwxr-xr-x 1 root root 4096 Nov 20 15:25 .
drwxr-xr-x 1 root root 4096 Nov 20 15:25 ..
lrwxrwxrwx 1 root root   46 Nov 20 15:25 fdpass-teleport -> /usr/local/teleport-system/bin/fdpass-teleport
lrwxrwxrwx 1 root root   35 Nov 20 15:25 tbot -> /usr/local/teleport-system/bin/tbot
lrwxrwxrwx 1 root root   35 Nov 20 15:25 tctl -> /usr/local/teleport-system/bin/tctl
lrwxrwxrwx 1 root root   39 Nov 20 15:25 teleport -> /usr/local/teleport-system/bin/teleport
lrwxrwxrwx 1 root root   46 Nov 20 15:25 teleport-update -> /usr/local/teleport-system/bin/teleport-update
lrwxrwxrwx 1 root root   34 Nov 20 15:25 tsh -> /usr/local/teleport-system/bin/tsh

root@92f7b4e17c5b:/go/teleport# ls -la /lib/systemd/system/teleport.service
-rw-r--r-- 1 root root 435 Nov 20 15:25 /lib/systemd/system/teleport.service

root@92f7b4e17c5b:/go/teleport# tree /usr/local/teleport-system/
/usr/local/teleport-system/
|-- bin
|   |-- fdpass-teleport
|   |-- tbot
|   |-- tctl
|   |-- teleport
|   |-- teleport-update
|   `-- tsh
`-- lib
    `-- systemd
        `-- system
            `-- teleport.service

5 directories, 7 files

root@92f7b4e17c5b:/go/teleport# teleport-update version
Teleport v18.0.0-dev.vapopov.10 git:v18.0.0-dev.vapopov.10-0-gfdfa3ea go1.23.3

root@92f7b4e17c5b:/go/teleport# dpkg-deb -c teleport_18.0.0-dev.vapopov.10_arm64.deb
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./usr/
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./usr/local/
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./usr/local/teleport-system/
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./usr/local/teleport-system/bin/
-rwxr-xr-x 0/0          395672 2024-11-20 05:04 ./usr/local/teleport-system/bin/fdpass-teleport
-rwxr-xr-x 0/0        85000452 2024-11-20 05:04 ./usr/local/teleport-system/bin/tbot
-rwxr-xr-x 0/0       104340792 2024-11-20 05:04 ./usr/local/teleport-system/bin/tctl
-rwxr-xr-x 0/0       331480504 2024-11-20 05:04 ./usr/local/teleport-system/bin/teleport
-rwxr-xr-x 0/0        51904664 2024-11-20 05:04 ./usr/local/teleport-system/bin/teleport-update
-rwxr-xr-x 0/0       118779168 2024-11-20 05:04 ./usr/local/teleport-system/bin/tsh
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./usr/local/teleport-system/lib/
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./usr/local/teleport-system/lib/systemd/
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./usr/local/teleport-system/lib/systemd/system/
-rw-r--r-- 0/0             435 2024-11-20 05:04 ./usr/local/teleport-system/lib/systemd/system/teleport.service
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./usr/share/
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./usr/share/doc/
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./usr/share/doc/teleport/
-rw-r--r-- 0/0             142 2024-11-20 05:09 ./usr/share/doc/teleport/changelog.gz
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./var/
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./var/lib/
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./var/lib/teleport/
drwxr-xr-x 0/0               0 2024-11-20 05:09 ./var/lib/teleport/versions/

vapopov commented Nov 22, 2024

Latest tag build and publish:
https://github.com/gravitational/teleport.e/actions/runs/11979030454
https://github.com/gravitational/teleport.e/actions/runs/11980504594

I also added changes for the AMI build script, to move binaries according to the new path and for link-package command execution, since installation is done from the tar.gz package.

@fheinecke @hugoShaka could you please review

@hugoShaka hugoShaka left a comment

LGTM but I'd rather have someone familiar with our deb/rpm packages to review this as well.
I can stamp if @fheinecke or @camscale are comfortable with the changeset.


avatus commented Dec 9, 2024

> LGTM but I'd rather have someone familiar with our deb/rpm packages to review this as well.

+1

@camscale

The reason for changing /usr/local/teleport-system to /opt/teleport/system is not clear - it was done without explanation, but the referenced RFD still mentions /usr/local/teleport-system. I think I can guess, and even guess at why there is a system subdirectory in /opt/teleport, but I'd rather not guess and would prefer to read an explanation.

I do not see any testing that this will work for RPMs - the test runs shown are only the .deb packages.

Otherwise this all looks good to me.

sclevine commented Dec 12, 2024

Hey @camscale, this comment explains the selection of paths used by both teleport-update and the package:
#49364 (comment)

For the /usr/local/teleport-system to /opt/teleport/system change specifically:

While it's somewhat common for packages to create /usr/local/, such as /usr/local/ssl for some installations of OpenSSL, it is technically not FHS-compliant. FHS is clear that /usr/local should not have non-FHS defined subdirectories.

(It's also less common / compliant for OS packages to install into /usr/local.)

Let me know if you have questions / feedback. Definitely want to get this right 🙂

@camscale

@sclevine

> Let me know if you have questions / feedback

That all makes sense. I had assumed that /usr/local/teleport-system -> /opt/teleport/system was because it is not typical to create application directories in /usr/local (that is what /opt is for). I assumed the system subdir was to ensure it would not conflict with a local installation of teleport - e.g. if I build and install teleport myself, I would probably put it in /opt/teleport/bin. I got that one wrong :)

vapopov commented Dec 16, 2024

@camscale rpm installation example

[root@7af89957437b /]# rpm -i /dw/teleport-18.0.0-dev.vapopov.19-1.arm64.rpm
warning: /dw/teleport-18.0.0-dev.vapopov.19-1.arm64.rpm: Header V4 RSA/SHA512 Signature, key ID 2f67ad73: NOKEY
Teleport system symlinks creation...
2024-12-16T20:18:17Z INFO [UPDATER]   Validating binary name:fdpass-teleport agent/validate.go:68
2024-12-16T20:18:17Z INFO [UPDATER]   Binary does not support version command name:fdpass-teleport agent/validate.go:79
2024-12-16T20:18:17Z INFO [UPDATER]   Validating binary name:tbot agent/validate.go:68
2024-12-16T20:18:17Z INFO [UPDATER]   [stdout] Teleport v18.0.0-dev.vapopov.19 git:v18.0.0-dev.vapopov.19-0-g1122d7d go1.23.4 agent/logger.go:69
2024-12-16T20:18:17Z INFO [UPDATER]   Validating binary name:tctl agent/validate.go:68
2024-12-16T20:18:17Z INFO [UPDATER]   [stdout] Teleport v18.0.0-dev.vapopov.19 git:v18.0.0-dev.vapopov.19-0-g1122d7d go1.23.4 agent/logger.go:69
2024-12-16T20:18:17Z INFO [UPDATER]   Validating binary name:teleport agent/validate.go:68
2024-12-16T20:18:17Z INFO [UPDATER]   [stdout] Teleport v18.0.0-dev.vapopov.19 git:v18.0.0-dev.vapopov.19-0-g1122d7d go1.23.4 agent/logger.go:69
2024-12-16T20:18:17Z INFO [UPDATER]   Validating binary name:teleport-update agent/validate.go:68
2024-12-16T20:18:17Z INFO [UPDATER]   [stdout] Teleport v18.0.0-dev.vapopov.19 git:v18.0.0-dev.vapopov.19-0-g1122d7d go1.23.4 agent/logger.go:69
2024-12-16T20:18:17Z INFO [UPDATER]   Validating binary name:tsh agent/validate.go:68
2024-12-16T20:18:17Z INFO [UPDATER]   [stdout] Teleport v18.0.0-dev.vapopov.19 git:v18.0.0-dev.vapopov.19-0-g1122d7d go1.23.4 agent/logger.go:69
2024-12-16T20:18:17Z ERRO [UPDATER]   This system does not support systemd, which is required by the updater. agent/process.go:319
2024-12-16T20:18:17Z WARN [UPDATER]   Systemd is not installed. Skipping sync. agent/updater.go:797
2024-12-16T20:18:17Z INFO [UPDATER]   Successfully linked system package installation. agent/updater.go:801
[root@7af89957437b /]# ls -la /opt/teleport/system/bin/
total 683072
drwxr-xr-x 2 root root      4096 Dec 16 20:18 .
drwxr-xr-x 4 root root      4096 Dec 16 20:18 ..
-rwxr-xr-x 1 root root    395672 Dec 16 18:27 fdpass-teleport
-rwxr-xr-x 1 root root  85786884 Dec 16 18:27 tbot
-rwxr-xr-x 1 root root 106600280 Dec 16 18:27 tctl
-rwxr-xr-x 1 root root 334658992 Dec 16 18:27 teleport
-rwxr-xr-x 1 root root  52494488 Dec 16 18:27 teleport-update
-rwxr-xr-x 1 root root 119491680 Dec 16 18:27 tsh


[root@7af89957437b /]# ls -la /usr/local/bin/
total 12
drwxr-xr-x 1 root root 4096 Dec 16 20:18 .
drwxr-xr-x 1 root root 4096 Sep 15  2021 ..
lrwxrwxrwx 1 root root   40 Dec 16 20:18 fdpass-teleport -> /opt/teleport/system/bin/fdpass-teleport
lrwxrwxrwx 1 root root   29 Dec 16 20:18 tbot -> /opt/teleport/system/bin/tbot
lrwxrwxrwx 1 root root   29 Dec 16 20:18 tctl -> /opt/teleport/system/bin/tctl
lrwxrwxrwx 1 root root   33 Dec 16 20:18 teleport -> /opt/teleport/system/bin/teleport
lrwxrwxrwx 1 root root   40 Dec 16 20:18 teleport-update -> /opt/teleport/system/bin/teleport-update
lrwxrwxrwx 1 root root   28 Dec 16 20:18 tsh -> /opt/teleport/system/bin/tsh

[root@7af89957437b /]# rpm -ql /dw/teleport-18.0.0-dev.vapopov.19-1.arm64.rpm
warning: /dw/teleport-18.0.0-dev.vapopov.19-1.arm64.rpm: Header V4 RSA/SHA512 Signature, key ID 2f67ad73: NOKEY
/opt/teleport/system/bin/fdpass-teleport
/opt/teleport/system/bin/tbot
/opt/teleport/system/bin/tctl
/opt/teleport/system/bin/teleport
/opt/teleport/system/bin/teleport-update
/opt/teleport/system/bin/tsh
/opt/teleport/system/lib/systemd/system/teleport.service
/var/lib/teleport
/var/lib/teleport/versions
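
The layout shown in the install output above (links in /usr/local/bin pointing into /opt/teleport/system/bin) can be audited after an install or upgrade, for example to catch a link that was redirected or a binary left writable. This is an added example, not code from this PR or from teleport-update; the function names and the ROOT and OWNER arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the PR or teleport-update): audit the symlink layout
# shown in the install output. Function names and the ROOT/OWNER arguments are
# illustrative assumptions.

# Binary names and directories as listed in the package contents on this page.
TELEPORT_BINARIES="fdpass-teleport tbot tctl teleport teleport-update tsh"
SYSTEM_BIN="/opt/teleport/system/bin"
LINK_BIN="/usr/local/bin"

# True when the path is group- or world-writable.
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# True when the path is owned by the given user name or numeric uid.
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# Record one finding; "failures" is shared with audit_teleport_links.
fail() {
    echo "FAIL $*"
    failures=$((failures + 1))
}

# audit_teleport_links [ROOT] [OWNER]
#   ROOT  - prefix of a staged tree (unpacked package, mounted image); empty
#           for the live filesystem.
#   OWNER - expected owner of the installed binaries, default root.
# Prints one FAIL line per finding and returns non-zero if there is any.
audit_teleport_links() {
    root=${1:-}
    owner=${2:-root}
    failures=0

    # A writable directory lets another user swap a link or a binary.
    for dir in "$LINK_BIN" "$SYSTEM_BIN"; do
        if [ ! -d "$root$dir" ]; then
            fail "$dir: directory missing"
        elif is_loose "$root$dir"; then
            fail "$dir: group- or world-writable"
        fi
    done

    for name in $TELEPORT_BINARIES; do
        link="$root$LINK_BIN/$name"
        expected="$SYSTEM_BIN/$name"
        binary="$root$expected"

        # The link text is compared literally, so a staged tree with
        # absolute link targets can be checked without resolving them.
        if [ ! -L "$link" ]; then
            # A regular file here is the pre-move layout or a stray copy.
            fail "$LINK_BIN/$name: not a symlink"
        elif [ "$(readlink "$link")" != "$expected" ]; then
            fail "$LINK_BIN/$name: points to $(readlink "$link"), expected $expected"
        fi

        if [ -L "$binary" ] || [ ! -f "$binary" ] || [ ! -x "$binary" ]; then
            fail "$expected: not a regular executable file"
        elif ! owned_by "$binary" "$owner"; then
            fail "$expected: not owned by $owner"
        elif is_loose "$binary"; then
            fail "$expected: group- or world-writable"
        fi
    done

    [ "$failures" -eq 0 ]
}

# Usage: audit_teleport_links            (live system, root-owned binaries)
#        audit_teleport_links /mnt/image (staged tree)
```
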

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from fheinecke December 16, 2024 20:26
@vapopov vapopov added this pull request to the merge queue Dec 16, 2024
Merged via the queue into master with commit 278dfc8 Dec 16, 2024
@vapopov vapopov deleted the vapopov/build-teleport-update-for-dist-packages branch December 16, 2024 20:59
carloscastrojumo pushed a commit to carloscastrojumo/teleport that referenced this pull request Feb 19, 2025
…tational#49110)

* Move teleport binaries to new path

* Use link/unlink command to manage links
Move teleport.service to new path

* Move teleport binaries under standard path for distroless
Cleanup

* Fix wrong move path

* Create missing directory

* Rename link/unlink commands

* Exclude teleport-update from docker image
Systemd reload now managed by teleport-update
Make safe unlink not to block package removal

* Add teleport-update to AMI image build

* Fix RPM build, fpm automatically manage scripts

* Fix AMI build, add missing teleport.service

* Move binaries to /opt/teleport/system
vapopov added a commit that referenced this pull request Feb 20, 2025
hugoShaka pushed a commit that referenced this pull request Feb 26, 2025
github-merge-queue bot pushed a commit that referenced this pull request Feb 27, 2025
)

* [teleport-update] Add Makefile build target (#48531)

* Add build target for teleport-update

* Set CGO_ENABLED=0 for building teleport-update

* [teleport-update] Add teleport-update to build and archive (#48839)

* Add teleport-update to build and archive

* Add teleport-update to install scripts

* Add build flags without buildmode pie

* Add helper message for install.sh script

* Exclude teleport-update from darwin platform

* Add teleport-update to rpm and deb packages

* Remove teleport-update from deb, rpm packages
Add comment for the buildflags

* [teleport-update] Move teleport binaries to new path {deb,rpm} (#49110)

* Move teleport binaries to new path

* Use link/unlink command to manage links
Move teleport.service to new path

* Move teleport binaries under standard path for distroless
Cleanup

* Fix wrong move path

* Create missing directory

* Rename link/unlink commands

* Exclude teleport-update from docker image
Systemd reload now managed by teleport-update
Make safe unlink not to block package removal

* Add teleport-update to AMI image build

* Fix RPM build, fpm automatically manage scripts

* Fix AMI build, add missing teleport.service

* Move binaries to /opt/teleport/system

* Add check to installation script when we copy files from tarball (#50368)
hugoShaka pushed a commit that referenced this pull request Mar 17, 2025
hugoShaka pushed a commit that referenced this pull request Mar 20, 2025
github-merge-queue bot pushed a commit that referenced this pull request Mar 20, 2025
…kage (#53054)

* Add autoupdate agent protos (#47666)

* Add autoupdate agent protos

* fix tests

* Add create/update/delete RPCs + add missing event proto

* Update api/proto/teleport/autoupdate/v1/autoupdate.proto

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* address timr's feedback + fix tests

* buf lint

* buf lint pt.2

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* fix agent autoupdate protos (#47830)

* Add autoupdate agent type validations (#47831)

* Add autoupdate agent validations

* Add AutoUpdateAgentRollout constants

* Fix autoupdate API licenses

Teleport's `api/` and `integrations/` should be Apache-licensed.

Only the main teleport process should be licensed under AGPLv3.

* address feedback

* Add AutoUpdateAgentRollout service and cache (#47833)

* Fix defaults on incomplete AU config or version resources (#47872)

* Fix panic on incomplete AU config or version resources

* lint

* address tiago's feedback

* [v17] enforce conditional updates on AutoUpdate* + rename typos (#48390)

* enforce conditional updates on AutoUpdate* + rename typos

* fix tests

* [v17] implement autoupdate_agent_rollout reconciler (#48944)

* implement autoupdate_agent_rollout reconciler

* address edoardo's feedback

* address edoardo's feedback pt.2

* fixup! address edoardo's feedback

* lint

* [v17] RFD 184: automatic updates, server-side logic (#52275)

* Implement immediate schedule support for automatic updates (#47920)

* Implement immediate schedule support

* expose edition, fips, and ensure ping endpoint answers

* fix after rebase

* fix cache tests

* introduce webclient.ReusableClient (#49296)

* Move autoupdate code in proxy to make more sense (#49484)

* Move autoupdate code in proxy to make more sense

* lint + godoc

* Start `autoupdate_agent_rollout` controller in auth service (#49101)

* run autoupdate_agent_rollout controller

* Recover from panics inside the controller

* Address tim's feedback

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* kube-agent-updater: add RFD-184 trigger and version getter (#49297)

* add proxy version getter and maintenance trigger

* add failover trigger and versionGetter

* lint

* Apply suggestions from code review

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* address marco's feedback

* licensing

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Rename lib/kubernetestoken to lib/kube/token (#49554)

* Rename lib/kubernetestoken to lib/kube/token

* Lint

* Make the proxy read from autoupdate_agent_rollout (#49380)

* Add autoupdate_agenbt_rollout support

* fix ping proxy tests

* address creack's feedback

* Address sclevine's feedback

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* fix panic in tests

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* Fix flaky TestAutoUpdateAgentShouldUpdate (#49883)

* Fix flaky TestAutoUpdateAgentShouldUpdate

* Update lib/web/apiserver_ping_test.go

* Update lib/web/autoupdate_common_test.go

* autoupdate: reconcile rollout status and add strategy interface (#49735)

* autoupdate: reconcile rollout status and add strategy interface

* fix missing constants + add license

* lint

* fix proto field id

* Fix flaky TestAgentRolloutController (#49886)

* Fix flaky TestAgentRolloutController

* switch to real clock + increase Eventually timeout

* Make reconciliation period a parameter + add TELEPORT_UNSTABLE env var

* Update lib/service/service_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Remove env var

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Compute global rollout state (#49945)

* Compute global rollout state

* Simplify + missing wrong proto message description

* lint

* simplify

* for edoardo

* fix compute status test

* autoupdate: implement time-based strategy (#49736)

This commit implements the time-based rollout strategy described in
RFD 184. The autoupdate_agent_rollout controller will make the groups
active based on their start days, start hour, and maintenance duration.
Once the maintenance window is over, the group becomes DONE.
In the DONE state, new agents will install the target version but
existing agents will no longer be told to actively update.

* Use CMC as default config when set (#50039)

* autoupdate: Use CMC as default config when set

Part of: [RFD-184](#47126)

This commit implements backward compatibility when CMC is specified.
After this PR, if the user has no `autoupdate_config` resource but a
`cluster_maintenance_config` resource from RFD 109, we will use the CMC
to generate the config (update hour and update days) and craft the
`autoupdate_agent_rollout`.

* Update lib/autoupdate/rollout/client_test.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* address feedback

* lint

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Change autoupdate proto messages (#50234)

* Change autoupdate proto messages

This commit does 3 changes:
- reflect the maintenance duration on the rollout in a new spec field
- add a rollout start time field in its status
- change wait_days into wait_hours

* int64 -> in32 for consistency with other fields

* Add autoupdate_config and autoupdate_agent_rollout validation (#50181)

This commit removes the restrictions of the autoupdate_agent_rollout and autoupdate_config schedules but adds groups validation.

It also adds some optional server-side validation that should not be enforced at the resource level.

* autoupdate: implement halt-on-error strategy (#49737)

* autoupdate: implement halt-on-error strategy

* rewrite wait_days logic into wait_hours

* Apply suggestions from code review

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* add tctl create/get/edit support for autoupdate_agent_rollout (#50393)

* add tctl create/get/edit support for autoupdate_agent_rollout

* fix bad copy paste

* set rollout start date and don't start updating if rollout just changed (#50365)

This commit does two changes:
- the controller now sets the rollout start time when resetting the
  rollout
- the controller will not start a group if the rollout changed during
  the maintenance window (checks if the rollout start time is in the
  window)

* Reduce clock usage + add time and period override in rollout controller (#50634)

* Enable strategies in the autoupdate rollout controller (#50635)

* autoupdate rollout: honour the maintenance window duration (#50745)

* autoupdate rollout: honour the maintenance window duration

* Update lib/autoupdate/rollout/reconciler.go

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Address feedback

* Update lib/autoupdate/rollout/strategy.go

---------

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Add autoupdate controller metrics (#50807)

* Add autoupdate controller metrics

* Do not panic in case of error conflict

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible (#50464)

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible

* Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* log update group

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Add 'tctl autoupdate agents status' (#51079)

* Ensure proxy version getter adds the leading 'v' (#51687)

* Always create debug socket and expose health endpoints (#51616)

* Always create debug socket and expose health endpoints

* Consolidate the diagnostic multiplexers in a single function

* Fix tests

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix autoupdate rollout controller metrics (#51803)

* kube-agent-updater pre-release builds trust the staging repo + insecure validator private repo fix (#51815)

* Fix insecure resolver in private repos + trust pre-release builds

* fixup! Fix insecure resolver in private repos + trust pre-release builds

* Use new autoupdate APIs in discovery service (#51758)

* Remove name parameter from proxy version getter

* Use autoupdate_agent_rollout as a source of version in scripts and integrations

* Fix tests

* Handle gracefully absence of a proxy in kube discovery service

* Update lib/srv/discovery/kube_integration_watcher.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Address marco's feedback

* Address marco's feedback pt.2

* Gracefully handle if we can't get autoupdate version

* fixup! Update lib/srv/discovery/kube_integration_watcher.go

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Autoupdate changelog entry in v17.3

* Fix tests after rebase, pt.1

* Update front preset fixtures since the preset role changed

* Add install script using teleport-update and oneoff.sh (#52155)

* Refactor node-join script to take safer options and reuse install option logic (#52196)

* Add install script using teleport-update and oneoff.sh

* Refactor node-join script to take safer options and reuse install option logic

* GoDoc + make functions private

* Address edoardo's feedback

* Allow prerelease Teleport to install official artifacts (#52444)

* Accept to install CE when running an AGPL build for backward compat

* Bump e to fix build (oneoff args change)

* Make node install scripts install Teleport via teleport-update (#52226)

* Make the node install script use teleport-update

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix curl args + address bash exec comments

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Use install.sh in discovery's default installer (#52368)

* Use install.sh in discovery's default installer

* fixup! Use install.sh in discovery's default installer

* Address marco's feedback

* Update lib/auth/grpcserver.go

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Update lib/srv/server/installer/defaultinstallers.go

* apply edoard's feedback + write script to file

* Execute the downloaded shell script

* Add snapshot tests

* fixup! Add snapshot tests

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Fix error after rebase

* Fix test after rebase

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* [v17] Modulate install script when managed updates v2 are off (#52609)

* Modulate install script when managed updates v2 are off

* fixup! Modulate install script when managed updates v2 are off

* Address Stephen's feedback

* Set the autoupdate singleton names (#52751)

* Add autoupdate events to web UI (#52748) (#52838)

* Add autoupdate events to web UI

* lint

* Fix backport to include the label fix

* lint

* fix tests

* Add teleport-update binary scaffolding and disable command (#46418)

* Add main.go

* wip

* group flag

* wip

* wip

* mvp

* wip

* separate files

* cleanup

* jitter

* scaffold only

* remove teleport changes

* remove teleport changes - group

* test

* test lock

* remove edition

* feedback

* clarify default data dir

* cleanup

* move version to status

* consistent naming for update.yaml

* improve lock test

* explain lint

* use shared locking logic

* fix test

* Move disable logic to lib

* feedback

* switch to default transport

* [teleport-update] Add enable command (#47565)

* Add enable scaffold

* add installer

* refactor

* add enable tests

* clean up download logic

* Finish installer tests

* cleanup

* fix flags

* fix errors

* logging

* cleanup

* fix test

* Fix download size logic

* remove agent prefixes

* namespace package

* rename file

* feedback

* fips and ent support

* hide force version

* feedback

* feedback 2

* fix test

* move enterprise/fips to webapi

* Fix interface

* RFD 0184: Automatic Updates for Teleport Agents (#47126)

* Create 0169-auto-updates-linux-agents.md

* Fix github handle

* Fix Github handle

* Clarify jitter flag

* Remove time question

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* add editions

* Installers and docs

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Downgrades

* Feedback

* Update 0169-auto-updates-linux-agents.md

* Remove last working copy of teleport

* add step to ensure free disk space

* Typos

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* feedback

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* apt purge

* Only enable auto-upgrades if successful

* reentrant lock

* reset

* Update 0169-auto-updates-linux-agents.md

* add note on backups

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Clarify restore/rollback process and validations

* Added section on logging

* Add schedules

* immediate schedule + note on cycles and chains

* more details, more tctl commands

* Update 0169-auto-updates-linux-agents.md

* scalability

* df

* content-length

* cache init

* binary

* more rollout mechanism changes

* scalability

* more scalability

* use 100kib pages for plan

* Add RPCs, tweak API design

* clarify wording

* wording

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* linting

* Move all RPCs into autoupdate/v1

* Move groups to MVP

* note about checksum

* typos, consistency

* clarify binary is teleport-update, package is teleport-ent-updater

* switch from df to unix.Statfs

* security feedback + naming adjustments

* tweak rollout paging

* tweak rollout paging again

* feedback

* adjust update.yaml to match implementation feedback

* wip - new model

* canaries

* canary 2

* describe state, transitions, and proxy response

* rpcs

* finish rpcs

* minor tweaks

* Add user stories

* Put new requirements at the top + edit UX + add TODOs

* Edition work

* cleanup + swap phases 1 and 2

* Move protobuf

* Add installation scenarios

* cleanup + move backpressure formulas

* more cleanup

* rename to unused number

* fix title

* more cleanup

* correct inconsistencies

* fix more inconsistencies

* missing proxy flag

* typo

* Add CLI reference

* feedback

* alerts note

* typos

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* clarify canary logic

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Support for multiple installations / tarball

* Address reviewer's feedback

- Rephrase the UX section to not assume prior canary knowledge
- Explicit how the canaries are picked, the limitations, and potential
  improvements
- replace node with instance to avoid confusion between ssh nodes and
  generic teleport agent instances
- Explicit how the previous updater interacts with the new one
- More explicit names for command line args

* agent_plan -> agent_rollout + reuse autoupdate_config

* align tool version

* Move package system dir

* add time-based strategy

* rename previous-must-succeed -> halt-on-failure

---------

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com>

* [v17] RFD 184: Agent Automatic Updates, teleport-update (#52372)

* [teleport-update] Add linking into /usr/local (#47879)

* clean up download logic

* Finish installer tests

* fips and ent support

* feedback

* move enterprise/fips to webapi

* wip

* wip2

* add cleanup

* fix extract

* wip

* fix tests

* remove safety

* cleanup

* cleanup extract

* cleanup

* cleanup

* fix bugs

* cleanup

* [teleport-update] Use new webapi fields to find version (#47961)

* Adapt teleport-update to new webapi endpoints

* feedback

* [teleport-update] Add support for reloading the agent & reverting symlinks on failed reload (#47929)

* wip

* cleanup

* comments

* test wip

* test link revert

* tests

* cleanup

* cleanup more

* comments

* comments

* errors

* comments

* linting

* fix bugs

* fix typo

* cleanup

* cleanup

* fix revert

* lint

* feedback

* fix

* fix test

* clarify comment

* use afterfunc

* [teleport-update] Add update subcommand (#48244)

* Add update subcommand

* fix

* lint

* add command

* warn on known edition

* warn on unknown edition for update

* [teleport-update] Add link subcommand (#48712)

* wip

* refactor

* docs

* updater

* add link command

* test LinkPackage

* cleanup

* fix enterprise paths

* fix systemd linking

* typo

* comment

* comments

* typo

* feedback

* adjust systemd service locations

* cleanup tests, adjust service link path

* [teleport-update] PID-based failure detection and rollback (#49175)

* Extract from other PR

* comments

* string

* [teleport-update] Add systemd setup (#49174)

* service and timer

* comments

* feedback

* feedback

* [teleport-update] Add unlink-package command (#49250)

* unlink

* test

* lock type

* comments

* cleanup

* Update lib/autoupdate/agent/installer.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Add support for version pinning (#49307)

* pinning

* cleanup

* unskip

* cleanup

* unpin

* typo

* [teleport-update] status subcommand (#49308)

* status

* cleanup

* comments

* cleanup output by removing optional fields

* rebase fix

* [teleport-update] Uninstall subcommand (#49341)

* Uninstall

* tests

* comment

* Short-circuit link package on pinned

* log

* move error

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* fix

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Protect against disk space leaks (#49309)

* cleanup unused

* cleanup

* cleanup

* [teleport-update] Show warning instead of return error for link/unlink (#49334)

* Add warning instead of return error for link/unlink

* Add test for sync call with ErrNotSupported

* Change warning message

* [teleport-update] Isolated installation suffix (#49364)

* namespacing

* words

* cli

* fix

* err

* use structured logs consistently

* comments

* bugs

* test

* switch to new paths

* test

* adjust

* reserved

* cleanup

* cleanup

* docs

* fix uninstall

* test

* simplify init

* cleanup

* namespace -> install-suffix

* log

* [teleport-update] Fix usage of trace (#49388)

* fix trace

* rebase

* [teleport-update] Support for Enterprise/FIPS migration (#49451)

* store ent/fips data

cleanup

formatting

revert updater rename

cleanup

Update lib/autoupdate/agent/config.go

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

feedback

* feedback

* feedback

* lint

* [teleport-update] Display download progress and stats (#49805)

* download progress

* typo

* sub -> since

* time -> duration

* [teleport-update] update --now (#49807)

* update --now

* testdata

* [teleport-update] Adjust download progress log output (#49845)

* adjust logger

* fix

* fix

* Extended binary validations (#49748)

* [teleport-update] needrestart and systemd drop-in (#49806)

* wip

* Add more config

* nit

* feedback

* Fix duplicate teleport-update short command (#50304)

* [teleport-update] Version reporting and deprecated upgrader management (#50266)

* wip

* telemetry

* abs

* fix

* tests

* Disable deprecated timer

* keep schedule on non-suffixed

* Update maintenance.go

* Update lib/autoupdate/agent/setup.go

* update warnings

* feedback pt 1

* feedback pt 2

* headers

* [teleport-update] Remove warning when running Teleport on platforms without systemd (#51465)

* improve detection logic on non-systemd platforms

* adjust

* remove OS check

* [teleport-update] common MakeURL with ability to override BaseURL (#51383)

* Add templates for client tools auto-update download url

* Change to base url setting by env

MakeURL moved to common function to be general for both, agent and client tools

* Reuse MakeURL moved to common package

* Fix linter warning

* Add common env variable to override base url

* Remove template from interface

* Make template exported
Change a stale comment

* Remove unused code

* [teleport-update] Adjustments for SELinux (#51474)

* selinux fixes

* extra checks

* lint

* lint

* cleanup

* better cleanup

* fix rebase

* [teleport-update] Add --overwrite flag to replace tarball installations (#51579)

* add --overwrite flag

* extra warning

* [teleport-update] Only use CDN for community / enterprise editions (#51726)

* Only use CDN for community / enterprise

* wording

* [teleport-update] Warn instead of erroring when disabling the deprecated updater (#51759)

* Warn instead of erroring when disabling old updater

* Update lib/service/service.go

* Update lib/service/service.go

* [teleport-update] Adjust non-critical SELinux contexts (#51793)

* correct selinux contexts

* Update lib/autoupdate/agent/installer.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update lib/autoupdate/agent/installer.go

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* [teleport-update] Add proper healthcheck for agents (#51613)

* Add socket readiness monitor

* cleanup

* add 404 check

* check

* better cleanup

* fix bug

* typo

* fix 404

* improve logging

* cleanup

* disable socket redirect

* avoid race condition with socket removal

* verify PID

* cleanup

* Update lib/autoupdate/agent/process.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* feedback

* fix subtle race condition

* debugging

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [teleport-update] Allow teleport-update uninstall to succeed with non-packaged installs (#51576)

* Treat missing source bin dir same as missing binaries

* prevent linking package outside /usr/local/bin

* Apply suggestions from code review

* [teleport-update] use new updater to reload and verify Teleport (#51734)

* wip

* finish implementation

* fix tests

* test setup

* remove stale data

* bug

* spelling

* pass log format and debug through

* feedback

* [teleport-update] Read proxy from teleport.yaml to improve UX (#51633)

* derive proxy from config

* fix parsing

* cleanup

* require force for uninstall (#51973)

* [teleport-update] add insecure flag for testing (#52019)

* insecure flag

* fmt

* [teleport-update] skip updater setup when systemd is missing (#52022)

* skip updater installation when systemd is missing

* test

* wording

* [teleport-update] Ensure stable interface between versions of teleport-update (#52152)

* refactor data dir

* finish refactor

* fix path

* cleanup

* more tests

* lint

* prevent notice failure without systemd

* feedback

* url

* revert log level change (#52416)

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [v17] [teleport-update] Fix usage of default $PATH dir, overrides, and hanging (#52608)

* Fix usage of default path

* fix other overrides

* fix hang on start

* [v17] [teleport-update] Set umask 0022 for teleport-update to avoid errors on enable (#52755)

* Set umask 0022 for teleport-update

* init -> main

* refactor

* move const

* add flag

* missed not

* fix inequality

* remove flag

* dead code

* docs

* docs 2

* feedback

* [v17] [teleport-update] Support for CentOS 7 (#53017)

* support systemd down to 219

* comments

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Missed check on additional use of IsPresent

* adjustments from testing various versions of centos7

* Typo

* Use dedicated error for version incompat

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* [v17] [teleport-update] Improve clarity of error logs and address UX edge cases (#53048)

* Usability fixes

* cancel jitter

* root + fix logs

* check extra case

* cleanup

* extra warning

* tests

* feedback

* add newlines

* adjust message

* consistent error type

* update UI snapshots

* [v17] Backport packaging restructuring and teleport-update build (#52361)

* [teleport-update] Add Makefile build target (#48531)

* Add build target for teleport-update

* Set CGO_ENABLED=0 for building teleport-update

* [teleport-update] Add teleport-update to build and archive (#48839)

* Add teleport-update to build and archive

* Add teleport-update to install scripts

* Add build flags without buildmode pie

* Add helper message for install.sh script

* Exclude teleport-update from darwin platform

* Add teleport-update to rpm and deb packages

* Remove teleport-update from deb, rpm packages
Add comment for the buildflags

* [teleport-update] Move teleport binaries to new path {deb,rpm} (#49110)

* Move teleport binaries to new path

* Use link/unlink command to manage links
Move teleport.service to new path

* Move teleport binaries under standard path for distroless
Cleanup

* Fix wrong move path

* Create missing directory

* Rename link/unlink commands

* Exclude teleport-update from docker image
Systemd reload now managed by teleport-update
Make safe unlink not to block package removal

* Add teleport-update to AMI image build

* Fix RPM build, fpm automatically manage scripts

* Fix AMI build, add missing teleport.service

* Move binaries to /opt/teleport/system

* Add check to installation script when we copy files from tarball (#50368)

* bump e

* Fix RPM linking logic (#52704)

* Use quoting style supported by pre-2015 systemd (#53179) (#53196)

* [teleport-update] Additional log message and UX cleanup (#53180) (#53197)

* More teleport-update UX cleanup

* cleanup overwrite error

* cleanup

* more cleanup

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
hugoShaka added a commit that referenced this pull request Mar 21, 2025
…kage

* Add autoupdate agent protos (#47666)

* Add autoupdate agent protos

* fix tests

* Add create/update/delete RPCs + add missing event proto

* Update api/proto/teleport/autoupdate/v1/autoupdate.proto

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* address timr's feedback + fix tests

* buf lint

* buf lint pt.2

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* fix agent autoupdate protos (#47830)

* Add autoupdate agent type validations (#47831)

* Add autoupdate agent validations

* Add AutoUpdateAgentRollout constants

* Fix autoupdate API licenses

Teleport's `api/` and `integrations/` should be Apache-licensed.

Only the main teleport process should be licensed under AGPLv3.

* address feedback

* Add AutoUpdateAgentRollout service and cache (#47833)

* Fix defaults on incomplete AU config or version resources (#47872)

* Fix panic on incomplete AU config or version resources

* lint

* address tiago's feedback

* [v17] enforce conditional updates on AutoUpdate* + rename typos (#48390)

* enforce conditional updates on AutoUpdate* + rename typos

* fix tests

* [v17] implement autoupdate_agent_rollout reconciler (#48944)

* implement autoupdate_agent_rollout reconciler

* address edoardo's feedback

* address edoardo's feedback pt.2

* fixup! address edoardo's feedback

* lint

* [v17] RFD 184: automatic updates, server-side logic (#52275)

* Implement immediate schedule support for automatic updates (#47920)

* Implement immediate schedule support

* expose edition, fips, and ensure ping endpoint answers

* fix after rebase

* fix cache tests

* introduce webclient.ReusableClient (#49296)

* Move autoupdate code in proxy to make more sense (#49484)

* Move autoupdate code in proxy to make more sense

* lint + godoc

* Start `autoupdate_agent_rollout` controller in auth service (#49101)

* run autoupdate_agent_rollout controller

* Recover from panics inside the controller

* Address tim's feedback

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* kube-agent-updater: add RFD-184 trigger and version getter (#49297)

* add proxy version getter and maintenance trigger

* add failover trigger and versionGetter

* lint

* Apply suggestions from code review

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* address marco's feedback

* licensing

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Rename lib/kubernetestoken to lib/kube/token (#49554)

* Rename lib/kubernetestoken to lib/kube/token

* Lint

* Make the proxy read from autoupdate_agent_rollout (#49380)

* Add autoupdate_agent_rollout support

* fix ping proxy tests

* address creack's feedback

* Address sclevine's feedback

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* fix panic in tests

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* Fix flaky TestAutoUpdateAgentShouldUpdate (#49883)

* Fix flaky TestAutoUpdateAgentShouldUpdate

* Update lib/web/apiserver_ping_test.go

* Update lib/web/autoupdate_common_test.go

* autoupdate: reconcile rollout status and add strategy interface (#49735)

* autoupdate: reconcile rollout status and add strategy interface

* fix missing constants + add license

* lint

* fix proto field id

* Fix flaky TestAgentRolloutController (#49886)

* Fix flaky TestAgentRolloutController

* switch to real clock + increase Eventually timeout

* Make reconciliation period a parameter + add TELEPORT_UNSTABLE env var

* Update lib/service/service_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Remove env var

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Compute global rollout state (#49945)

* Compute global rollout state

* Simplify + missing wrong proto message description

* lint

* simplify

* for edoardo

* fix compute status test

* autoupdate: implement time-based strategy (#49736)

This commit implements the time-based rollout strategy described in
RFD 184. The autoupdate_agent_rollout controller will make the groups
active based on their start days, start hour, and maintenance duration.
Once the maintenance window is over, the group becomes DONE.
In the DONE state, new agents will install the target version but
existing agents will no longer be told to actively update.

* Use CMC as default config when set (#50039)

* autoupdate: Use CMC as default config when set

Part of: [RFD-184](#47126)

This commit implements backward compatibility when CMC is specified.
After this PR, if the user has no `autoupdate_config` resource but a
`cluster_maintenance_config` resource from RFD 109, we will use the CMC
to generate the config (update hour and update days) and craft the
`autoupdate_agent_rollout`.

* Update lib/autoupdate/rollout/client_test.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* address feedback

* lint

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Change autoupdate proto messages (#50234)

* Change autoupdate proto messages

This commit does 3 changes:
- reflect the maintenance duration on the rollout in a new spec field
- add a rollout start time field in its status
- change wait_days into wait_hours

* int64 -> int32 for consistency with other fields

* Add autoupdate_config and autoupdate_agent_rollout validation (#50181)

This commit removes the restrictions of the autoupdate_agent_rollout and autoupdate_config schedules but adds groups validation.

It also adds some optional server-side validation that should not be enforced at the resource level.

* autoupdate: implement halt-on-error strategy (#49737)

* autoupdate: implement halt-on-error strategy

* rewrite wait_days logic into wait_hours

* Apply suggestions from code review

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* add tctl create/get/edit support for autoupdate_agent_rollout (#50393)

* add tctl create/get/edit support for autoupdate_agent_rollout

* fix bad copy paste

* set rollout start date and don't start updating if rollout just changed (#50365)

This commit does two changes:
- the controller now sets the rollout start time when resetting the
  rollout
- the controller will not start a group if the rollout changed during
  the maintenance window (checks if the rollout start time is in the
  window)

* Reduce clock usage + add time and period override in rollout controller (#50634)

* Enable strategies in the autoupdate rollout controller (#50635)

* autoupdate rollout: honour the maintenance window duration (#50745)

* autoupdate rollout: honour the maintenance window duration

* Update lib/autoupdate/rollout/reconciler.go

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Address feedback

* Update lib/autoupdate/rollout/strategy.go

---------

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Add autoupdate controller metrics (#50807)

* Add autoupdate controller metrics

* Do not panic in case of error conflict

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible (#50464)

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible

* Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* log update group

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Add 'tctl autoupdate agents status' (#51079)

* Ensure proxy version getter adds the leading 'v' (#51687)

* Always create debug socket and expose health endpoints (#51616)

* Always create debug socket and expose health endpoints

* Consolidate the diagnostic multiplexers in a single function

* Fix tests

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix autoupdate rollout controller metrics (#51803)

* kube-agent-updater pre-release builds trust the staging repo + insecure validator private repo fix (#51815)

* Fix insecure resolver in private repos + trust pre-release builds

* fixup! Fix insecure resolver in private repos + trust pre-release builds

* Use new autoupdate APIs in discovery service (#51758)

* Remove name parameter from proxy version getter

* Use autoupdate_agent_rollout as a source of version in scripts and integrations

* Fix tests

* Handle gracefully absence of a proxy in kube discovery service

* Update lib/srv/discovery/kube_integration_watcher.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Address marco's feedback

* Address marco's feedback pt.2

* Gracefully handle if we can't get autoupdate version

* fixup! Update lib/srv/discovery/kube_integration_watcher.go

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Autoupdate changelog entry in v17.3

* Fix tests after rebase, pt.1

* Update front preset fixtures since the preset role changed

* Add install script using teleport-update and oneoff.sh (#52155)

* Refactor node-join script to take safer options and reuse install option logic (#52196)

* Add install script using teleport-update and oneoff.sh

* Refactor node-join script to take safer options and reuse install option logic

* GoDoc + make functions private

* Address edoardo's feedback

* Allow prerelease Teleport to install official artifacts (#52444)

* Accept to install CE when running an AGPL build for backward compat

* Bump e to fix build (oneoff args change)

* Make node install scripts install Teleport via teleport-update (#52226)

* Make the node install script use teleport-update

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix curl args + address bash exec comments

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Use install.sh in discovery's default installer (#52368)

* Use install.sh in discovery's default installer

* fixup! Use install.sh in discovery's default installer

* Address marco's feedback

* Update lib/auth/grpcserver.go

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Update lib/srv/server/installer/defaultinstallers.go

* apply edoardo's feedback + write script to file

* Execute the downloaded shell script

* Add snapshot tests

* fixup! Add snapshot tests

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Fix error after rebase

* Fix test after rebase

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* [v17] Modulate install script when managed updates v2 are off (#52609)

* Modulate install script when managed updates v2 are off

* fixup! Modulate install script when managed updates v2 are off

* Address Stephen's feedback

* Set the autoupdate singleton names (#52751)

* Add autoupdate events to web UI (#52748) (#52838)

* Add autoupdate events to web UI

* lint

* Fix backport to include the label fix

* lint

* fix tests

* Add teleport-update binary scaffolding and disable command (#46418)

* Add main.go

* wip

* group flag

* wip

* wip

* mvp

* wip

* separate files

* cleanup

* jitter

* scaffold only

* remove teleport changes

* remove teleport changes - group

* test

* test lock

* remove edition

* feedback

* clarify default data dir

* cleanup

* move version to status

* consistent naming for update.yaml

* improve lock test

* explain lint

* use shared locking logic

* fix test

* Move disable logic to lib

* feedback

* switch to default transport

* [teleport-update] Add enable command (#47565)

* Add enable scaffold

* add installer

* refactor

* add enable tests

* clean up download logic

* Finish installer tests

* cleanup

* fix flags

* fix errors

* logging

* cleanup

* fix test

* Fix download size logic

* remove agent prefixes

* namespace package

* rename file

* feedback

* fips and ent support

* hide force version

* feedback

* feedback 2

* fix test

* move enterprise/fips to webapi

* Fix interface

* RFD 0184: Automatic Updates for Teleport Agents (#47126)

* Create 0169-auto-updates-linux-agents.md

* Fix github handle

* Fix Github handle

* Clarify jitter flag

* Remove time question

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* add editions

* Installers and docs

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Downgrades

* Feedback

* Update 0169-auto-updates-linux-agents.md

* Remove last working copy of teleport

* add step to ensure free disk space

* Typos

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* feedback

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* apt purge

* Only enable auto-upgrades if successful

* reentrant lock

* reset

* Update 0169-auto-updates-linux-agents.md

* add note on backups

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Clarify restore/rollback process and validations

* Added section on logging

* Add schedules

* immediate schedule + note on cycles and chains

* more details, more tctl commands

* Update 0169-auto-updates-linux-agents.md

* scalability

* df

* content-length

* cache init

* binary

* more rollout mechanism changes

* scalability

* more scalability

* use 100kib pages for plan

* Add RPCs, tweak API design

* clarify wording

* wording

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* linting

* Move all RPCs into autoupdate/v1

* Move groups to MVP

* note about checksum

* typos, consistency

* clarify binary is teleport-update, package is teleport-ent-updater

* switch from df to unix.Statfs

* security feedback + naming adjustments

* tweak rollout paging

* tweak rollout paging again

* feedback

* adjust update.yaml to match implementation feedback

* wip - new model

* canaries

* canary 2

* describe state, transitions, and proxy response

* rpcs

* finish rpcs

* minor tweaks

* Add user stories

* Put new requirements at the top + edit UX + add TODOs

* Edition work

* cleanup + swap phases 1 and 2

* Move protobuf

* Add installation scenarios

* cleanup + move backpressure formulas

* more cleanup

* rename to unused number

* fix title

* more cleanup

* correct inconsistencies

* fix more inconsistencies

* missing proxy flag

* typo

* Add CLI reference

* feedback

* alerts note

* typos

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* clarify canary logic

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Support for multiple installations / tarball

* Address reviewer's feedback

- Rephrase the UX section to not assume prior canary knowledge
- Explicit how the canaries are picked, the limitations, and potential
  improvements
- replace node with instance to avoid confusion between ssh nodes and
  generic teleport agent instances
- Explicit how the previous updater interacts with the new one
- More explicit names for command line args

* agent_plan -> agent_rollout + reuse autoupdate_config

* align tool version

* Move package system dir

* add time-based strategy

* rename previous-must-succeed -> halt-on-failure

---------

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com>

* [v17] RFD 184: Agent Automatic Updates, teleport-update (#52372)

* [teleport-update] Add linking into /usr/local (#47879)

* clean up download logic

* Finish installer tests

* fips and ent support

* feedback

* move enterprise/fips to webapi

* wip

* wip2

* add cleanup

* fix extract

* wip

* fix tests

* remove safety

* cleanup

* cleanup extract

* cleanup

* cleanup

* fix bugs

* cleanup

* [teleport-update] Use new webapi fields to find version (#47961)

* Adapt teleport-update to new webapi endpoints

* feedback

* [teleport-update] Add support for reloading the agent & reverting symlinks on failed reload (#47929)

* wip

* cleanup

* comments

* test wip

* test link revert

* tests

* cleanup

* cleanup more

* comments

* comments

* errors

* comments

* linting

* fix bugs

* fix typo

* cleanup

* cleanup

* fix revert

* lint

* feedback

* fix

* fix test

* clarify comment

* use afterfunc

* [teleport-update] Add update subcommand (#48244)

* Add update subcommand

* fix

* lint

* add command

* warn on known edition

* warn on unknown edition for update

* [teleport-update] Add link subcommand (#48712)

* wip

* refactor

* docs

* updater

* add link command

* test LinkPackage

* cleanup

* fix enterprise paths

* fix systemd linking

* typo

* comment

* comments

* typo

* feedback

* adjust systemd service locations

* cleanup tests, adjust service link path

* [teleport-update] PID-based failure detection and rollback (#49175)

* Extract from other PR

* comments

* string

* [teleport-update] Add systemd setup (#49174)

* service and timer

* comments

* feedback

* feedback

* [teleport-update] Add unlink-package command (#49250)

* unlink

* test

* lock type

* comments

* cleanup

* Update lib/autoupdate/agent/installer.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Add support for version pinning (#49307)

* pinning

* cleanup

* unskip

* cleanup

* unpin

* typo

* [teleport-update] status subcommand (#49308)

* status

* cleanup

* comments

* cleanup output by removing optional fields

* rebase fix

* [teleport-update] Uninstall subcommand (#49341)

* Uninstall

* tests

* comment

* Short-circuit link package on pinned

* log

* move error

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* fix

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Protect against disk space leaks (#49309)

* cleanup unused

* cleanup

* cleanup

* [teleport-update] Show warning instead of return error for link/unlink (#49334)

* Add warning instead of return error for link/unlink

* Add test for sync call with ErrNotSupported

* Change warning message

* [teleport-update] Isolated installation suffix (#49364)

* namespacing

* words

* cli

* fix

* err

* use structured logs consistently

* comments

* bugs

* test

* switch to new paths

* test

* adjust

* reserved

* cleanup

* cleanup

* docs

* fix uninstall

* test

* simplify init

* cleanup

* namespace -> install-suffix

* log

* [teleport-update] Fix usage of trace (#49388)

* fix trace

* rebase

* [teleport-update] Support for Enterprise/FIPS migration (#49451)

* store ent/fips data

cleanup

formatting

revert updater rename

cleanup

Update lib/autoupdate/agent/config.go

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

feedback

* feedback

* feedback

* lint

* [teleport-update] Display download progress and stats (#49805)

* download progress

* typo

* sub -> since

* time -> duration

* [teleport-update] update --now (#49807)

* update --now

* testdata

* [teleport-update] Adjust download progress log output (#49845)

* adjust logger

* fix

* fix

* Extended binary validations (#49748)

* [teleport-update] needrestart and systemd drop-in (#49806)

* wip

* Add more config

* nit

* feedback

* Fix duplicate teleport-update short command (#50304)

* [teleport-update] Version reporting and deprecated upgrader management (#50266)

* wip

* telemetry

* abs

* fix

* tests

* Disable deprecated timer

* keep schedule on non-suffixed

* Update maintenance.go

* Update lib/autoupdate/agent/setup.go

* update warnings

* feedback pt 1

* feedback pt 2

* headers

* [teleport-update] Remove warning when running Teleport on platforms without systemd (#51465)

* improve detection logic on non-systemd platforms

* adjust

* remove OS check

* [teleport-update] common MakeURL with ability to override BaseURL (#51383)

* Add templates for client tools auto-update download url

* Change to base url setting by env

MakeURL moved to common function to be general for both, agent and client tools

* Reuse MakeURL moved to common package

* Fix linter warning

* Add common env variable to override base url

* Remove template from interface

* Make template exported
Change a stale comment

* Remove unused code

* [teleport-update] Adjustments for SELinux (#51474)

* selinux fixes

* extra checks

* lint

* lint

* cleanup

* better cleanup

* fix rebase

* [teleport-update] Add --overwrite flag to replace tarball installations (#51579)

* add --overwrite flag

* extra warning

* [teleport-update] Only use CDN for community / enterprise editions (#51726)

* Only use CDN for community / enterprise

* wording

* [teleport-update] Warn instead of erroring when disabling the deprecated updater (#51759)

* Warn instead of erroring when disabling old updater

* Update lib/service/service.go

* Update lib/service/service.go

* [teleport-update] Adjust non-critical SELinux contexts (#51793)

* correct selinux contexts

* Update lib/autoupdate/agent/installer.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update lib/autoupdate/agent/installer.go

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* [teleport-update] Add proper healthcheck for agents (#51613)

* Add socket readiness monitor

* cleanup

* add 404 check

* check

* better cleanup

* fix bug

* typo

* fix 404

* improve logging

* cleanup

* disable socket redirect

* avoid race condition with socket removal

* verify PID

* cleanup

* Update lib/autoupdate/agent/process.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* feedback

* fix subtle race condition

* debugging

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [teleport-update] Allow teleport-update uninstall to succeed with non-packaged installs (#51576)

* Treat missing source bin dir same as missing binaries

* prevent linking package outside /usr/local/bin

* Apply suggestions from code review

* [teleport-update] use new updater to reload and verify Teleport (#51734)

* wip

* finish implementation

* fix tests

* test setup

* remove stale data

* bug

* spelling

* pass log format and debug through

* feedback

* [teleport-update] Read proxy from teleport.yaml to improve UX (#51633)

* derive proxy from config

* fix parsing

* cleanup

* require force for uninstall (#51973)

* [teleport-update] add insecure flag for testing (#52019)

* insecure flag

* fmt

* [teleport-update] skip updater setup when systemd is missing (#52022)

* skip updater installation when systemd is missing

* test

* wording

* [teleport-update] Ensure stable interface between versions of teleport-update (#52152)

* refactor data dir

* finish refactor

* fix path

* cleanup

* more tests

* lint

* prevent notice failure without systemd

* feedback

* url

* revert log level change (#52416)

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [v17] [teleport-update] Fix usage of default $PATH dir, overrides, and hanging (#52608)

* Fix usage of default path

* fix other overrides

* fix hang on start

* [v17] [teleport-update] Set umask 0022 for teleport-update to avoid errors on enable (#52755)

* Set umask 0022 for teleport-update

* init -> main

* refactor

* move const

* add flag

* missed not

* fix inequality

* remove flag

* dead code

* docs

* docs 2

* feedback

* [v17] [teleport-update] Support for CentOS 7 (#53017)

* support systemd down to 219

* comments

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Missed check on additional use of IsPresent

* adjustments from testing various versions of centos7

* Typo

* Use dedicated error for version incompat

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* [v17] [teleport-update] Improve clarity of error logs and address UX edge cases (#53048)

* Usability fixes

* cancel jitter

* root + fix logs

* check extra case

* cleanup

* extra warning

* tests

* feedback

* add newlines

* adjust message

* consistent error type

* update UI snapshots

* [v17] Backport packaging restructuring and teleport-update build (#52361)

* [teleport-update] Add Makefile build target (#48531)

* Add build target for teleport-update

* Set CGO_ENABLED=0 for building teleport-update

* [teleport-update] Add teleport-update to build and archive (#48839)

* Add teleport-update to build and archive

* Add teleport-update to install scripts

* Add build flags without buildmode pie

* Add helper message for install.sh script

* Exclude teleport-update from darwin platform

* Add teleport-update to rpm and deb packages

* Remove teleport-update from deb, rpm packages
Add comment for the buildflags

* [teleport-update] Move teleport binaries to new path {deb,rpm} (#49110)

* Move teleport binaries to new path

* Use link/unlink command to manage links
Move teleport.service to new path

* Move teleport binaries under standard path for distroless
Cleanup

* Fix wrong move path

* Create missing directory

* Rename link/unlink commands

* Exclude teleport-update from docker image
Systemd reload now managed by teleport-update
Make safe unlink not to block package removal

* Add teleport-update to AMI image build

* Fix RPM build, fpm automatically manage scripts

* Fix AMI build, add missing teleport.service

* Move binaries to /opt/teleport/system

* Add check to installation script when we copy files from tarball (#50368)

* bump e

* Fix RPM linking logic (#52704)

* Use quoting style supported by pre-2015 systemd (#53179) (#53196)

* [teleport-update] Additional log message and UX cleanup (#53180) (#53197)

* More teleport-update UX cleanup

* cleanup overwrite error

* cleanup

* more cleanup

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
hugoShaka added a commit that referenced this pull request Mar 24, 2025
…kage

* Add autoupdate agent protos (#47666)

* Add autoupdate agent protos

* fix tests

* Add create/update/delete RPCs + add missing event proto

* Update api/proto/teleport/autoupdate/v1/autoupdate.proto

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* address timr's feedback + fix tests

* buf lint

* buf lint pt.2

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* fix agent autoupdate protos (#47830)

* Add autoupdate agent type validations (#47831)

* Add autoupdate agent validations

* Add AutoUpdateAgentRollout constants

* Fix autoupdate API licenses

Teleport's `api/` and `integrations/` should be Apache-licensed.

Only the main teleport process should be licensed under AGPLv3.

* address feedback

* Add AutoUpdateAgentRollout service and cache (#47833)

* Fix defaults on incomplete AU config or version resources (#47872)

* Fix panic on incomplete AU config or version resources

* lint

* address tiago's feedback

* [v17] enforce conditional updates on AutoUpdate* + rename typos (#48390)

* enforce conditional updates on AutoUpdate* + rename typos

* fix tests

* [v17] implement autoupdate_agent_rollout reconciler (#48944)

* implement autoupdate_agent_rollout reconciler

* address edoardo's feedback

* address edoardo's feedback pt.2

* fixup! address edoardo's feedback

* lint

* [v17] RFD 184: automatic updates, server-side logic (#52275)

* Implement immediate schedule support for automatic updates (#47920)

* Implement immediate schedule support

* expose edition, fips, and ensure ping endpoint answers

* fix after rebase

* fix cache tests

* introduce webclient.ReusableClient (#49296)

* Move autoupdate code in proxy to make more sense (#49484)

* Move autoupdate code in proxy to make more sense

* lint + godoc

* Start `autoupdate_agent_rollout` controller in auth service (#49101)

* run autoupdate_agent_rollout controller

* Recover from panics inside the controller

* Address tim's feedback

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* kube-agent-updater: add RFD-184 trigger and version getter (#49297)

* add proxy version getter and maintenance trigger

* add failover trigger and versionGetter

* lint

* Apply suggestions from code review

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* address marco's feedback

* licensing

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Rename lib/kubernetestoken to lib/kube/token (#49554)

* Rename lib/kubernetestoken to lib/kube/token

* Lint

* Make the proxy read from autoupdate_agent_rollout (#49380)

* Add autoupdate_agent_rollout support

* fix ping proxy tests

* address creack's feedback

* Address sclevine's feedback

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* fix panic in tests

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* Fix flaky TestAutoUpdateAgentShouldUpdate (#49883)

* Fix flaky TestAutoUpdateAgentShouldUpdate

* Update lib/web/apiserver_ping_test.go

* Update lib/web/autoupdate_common_test.go

* autoupdate: reconcile rollout status and add strategy interface (#49735)

* autoupdate: reconcile rollout status and add strategy interface

* fix missing constants + add license

* lint

* fix proto field id

* Fix flaky TestAgentRolloutController (#49886)

* Fix flaky TestAgentRolloutController

* switch to real clock + increase Eventually timeout

* Make reconciliation period a parameter + add TELEPORT_UNSTABLE env var

* Update lib/service/service_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Remove env var

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Compute global rollout state (#49945)

* Compute global rollout state

* Simplify + missing wrong proto message description

* lint

* simplify

* for edoardo

* fix compute status test

* autoupdate: implement time-based strategy (#49736)

This commit implements the time-based rollout strategy described in
RFD 184. The autoupdate_agent_rollout controller will make the groups
active based on their start days, start hour, and maintenance duration.
Once the maintenance window is over, the group becomes DONE.
In the DONE state, new agents will install the target version but
existing agents will no longer be told to actively update.

* Use CMC as default config when set (#50039)

* autoupdate: Use CMC as default config when set

Part of: [RFD-184](#47126)

This commit implements backward compatibility when CMC is specified.
After this PR, if the user has no `autoupdate_config` resource but a
`cluster_maintenance_config` resource from RFD 109, we will use the CMC
to generate the config (update hour and update days) and craft the
`autoupdate_agent_rollout`.

* Update lib/autoupdate/rollout/client_test.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* address feedback

* lint

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Change autoupdate proto messages (#50234)

* Change autoupdate proto messages

This commit does 3 changes:
- reflect the maintenance duration on the rollout in a new spec field
- add a rollout start time field in its status
- change wait_days into wait_hours

* int64 -> int32 for consistency with other fields

* Add autoupdate_config and autoupdate_agent_rollout validation (#50181)

This commit removes the restrictions of the autoupdate_agent_rollout and autoupdate_config schedules but adds groups validation.

It also adds some optional server-side validation that should not be enforced at the resource level.

* autoupdate: implement halt-on-error strategy (#49737)

* autoupdate: implement halt-on-error strategy

* rewrite wait_days logic into wait_hours

* Apply suggestions from code review

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* add tctl create/get/edit support for autoupdate_agent_rollout (#50393)

* add tctl create/get/edit support for autoupdate_agent_rollout

* fix bad copy paste

* set rollout start date and don't start updating if rollout just changed (#50365)

This commit does two changes:
- the controller now sets the rollout start time when resetting the
  rollout
- the controller will not start a group if the rollout changed during
  the maintenance window (checks if the rollout start time is in the
  window)

* Reduce clock usage + add time and period override in rollout controller (#50634)

* Enable strategies in the autoupdate rollout controller (#50635)

* autoupdate rollout: honour the maintenance window duration (#50745)

* autoupdate rollout: honour the maintenance window duration

* Update lib/autoupdate/rollout/reconciler.go

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Address feedback

* Update lib/autoupdate/rollout/strategy.go

---------

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Add autoupdate controller metrics (#50807)

* Add autoupdate controller metrics

* Do not panic in case of error conflict

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible (#50464)

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible

* Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* log update group

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Add 'tctl autoupdate agents status' (#51079)

* Ensure proxy version getter adds the leading 'v' (#51687)

* Always create debug socket and expose health endpoints (#51616)

* Always create debug socket and expose health endpoints

* Consolidate the diagnostic multiplexers in a single function

* Fix tests

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix autoupdate rollout controller metrics (#51803)

* kube-agent-updater pre-release builds trust the staging repo + insecure validator private repo fix (#51815)

* Fix insecure resolver in private repos + trust pre-release builds

* fixup! Fix insecure resolver in private repos + trust pre-release builds

* Use new autoupdate APIs in discovery service (#51758)

* Remove name parameter from proxy version getter

* Use autoupdate_agent_rollout as a source of version in scripts and integrations

* Fix tests

* Handle gracefully absence of a proxy in kube discovery service

* Update lib/srv/discovery/kube_integration_watcher.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Address marco's feedback

* Address marco's feedback pt.2

* Gracefully handle if we can't get autoupdate version

* fixup! Update lib/srv/discovery/kube_integration_watcher.go

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Autoupdate changelog entry in v17.3

* Fix tests after rebase, pt.1

* Update front preset fixtures since the preset role changed

* Add install script using teleport-update and oneoff.sh (#52155)

* Refactor node-join script to take safer options and reuse install option logic (#52196)

* Add install script using teleport-update and oneoff.sh

* Refactor node-join script to take safer options and reuse install option logic

* GoDoc + make functions private

* Address edoardo's feedback

* Allow prerelease Teleport to install official artifacts (#52444)

* Accept to install CE when running an AGPL build for backward compat

* Bump e to fix build (oneoff args change)

* Make node install scripts install Teleport via teleport-update (#52226)

* Make the node install script use teleport-update

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix curl args + address bash exec comments

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Use install.sh in discovery's default installer (#52368)

* Use install.sh in discovery's default installer

* fixup! Use install.sh in discovery's default installer

* Address marco's feedback

* Update lib/auth/grpcserver.go

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Update lib/srv/server/installer/defaultinstallers.go

* apply edoardo's feedback + write script to file

* Execute the downloaded shell script

* Add snapshot tests

* fixup! Add snapshot tests

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Fix error after rebase

* Fix test after rebase

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* [v17] Modulate install script when managed updates v2 are off (#52609)

* Modulate install script when managed updates v2 are off

* fixup! Modulate install script when managed updates v2 are off

* Address Stephen's feedback

* Set the autoupdate singleton names (#52751)

* Add autoupdate events to web UI (#52748) (#52838)

* Add autoupdate events to web UI

* lint

* Fix backport to include the label fix

* lint

* fix tests

* Add teleport-update binary scaffolding and disable command (#46418)

* Add main.go

* wip

* group flag

* wip

* wip

* mvp

* wip

* separate files

* cleanup

* jitter

* scaffold only

* remove teleport changes

* remove teleport changes - group

* test

* test lock

* remove edition

* feedback

* clarify default data dir

* cleanup

* move version to status

* consistent naming for update.yaml

* improve lock test

* explain lint

* use shared locking logic

* fix test

* Move disable logic to lib

* feedback

* switch to default transport

* [teleport-update] Add enable command (#47565)

* Add enable scaffold

* add installer

* refactor

* add enable tests

* clean up download logic

* Finish installer tests

* cleanup

* fix flags

* fix errors

* logging

* cleanup

* fix test

* Fix download size logic

* remove agent prefixes

* namespace package

* rename file

* feedback

* fips and ent support

* hide force version

* feedback

* feedback 2

* fix test

* move enterprise/fips to webapi

* Fix interface

* RFD 0184: Automatic Updates for Teleport Agents (#47126)

* Create 0169-auto-updates-linux-agents.md

* Fix github handle

* Fix Github handle

* Clarify jitter flag

* Remove time question

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* add editions

* Installers and docs

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Downgrades

* Feedback

* Update 0169-auto-updates-linux-agents.md

* Remove last working copy of teleport

* add step to ensure free disk space

* Typos

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* feedback

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* apt purge

* Only enable auto-upgrades if successful

* reentrant lock

* reset

* Update 0169-auto-updates-linux-agents.md

* add note on backups

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Clarify restore/rollback process and validations

* Added section on logging

* Add schedules

* immediate schedule + note on cycles and chains

* more details, more tctl commands

* Update 0169-auto-updates-linux-agents.md

* scalability

* df

* content-length

* cache init

* binary

* more rollout mechanism changes

* scalability

* more scalability

* use 100kib pages for plan

* Add RPCs, tweak API design

* clarify wording

* wording

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* linting

* Move all RPCs into autoupdate/v1

* Move groups to MVP

* note about checksum

* typos, consistency

* clarify binary is teleport-update, package is teleport-ent-updater

* switch from df to unix.Statfs

* security feedback + naming adjustments

* tweak rollout paging

* tweak rollout paging again

* feedback

* adjust update.yaml to match implementation feedback

* wip - new model

* canaries

* canary 2

* describe state, transitions, and proxy response

* rpcs

* finish rpcs

* minor tweaks

* Add user stories

* Put new requirements at the top + edit UX + add TODOs

* Edition work

* cleanup + swap phases 1 and 2

* Move protobuf

* Add installation scenarios

* cleanup + move backpressure formulas

* more cleanup

* rename to unused number

* fix title

* more cleanup

* correct inconsistencies

* fix more inconsistencies

* missing proxy flag

* typo

* Add CLI reference

* feedback

* alerts note

* typos

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* clarify canary logic

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Support for multiple installations / tarball

* Address reviewer's feedback

- Rephrase the UX section to not assume prior canary knowledge
- Explicit how the canaries are picked, the limitations, and potential
  improvements
- replace node with instance to avoid confusion between ssh nodes and
  generic teleport agent instances
- Explicit how the previous updater interacts with the new one
- More explicit names for command line args

* agent_plan -> agent_rollout + reuse autoupdate_config

* align tool version

* Move package system dir

* add time-based strategy

* rename previous-must-succeed -> halt-on-failure

---------

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com>

* [v17] RFD 184: Agent Automatic Updates, teleport-update (#52372)

* [teleport-update] Add linking into /usr/local (#47879)

* clean up download logic

* Finish installer tests

* fips and ent support

* feedback

* move enterprise/fips to webapi

* wip

* wip2

* add cleanup

* fix extract

* wip

* fix tests

* remove safety

* cleanup

* cleanup extract

* cleanup

* cleanup

* fix bugs

* cleanup

* [teleport-update] Use new webapi fields to find version (#47961)

* Adapt teleport-update to new webapi endpoints

* feedback

* [teleport-update] Add support for reloading the agent & reverting symlinks on failed reload (#47929)

* wip

* cleanup

* comments

* test wip

* test link revert

* tests

* cleanup

* cleanup more

* comments

* comments

* errors

* comments

* linting

* fix bugs

* fix typo

* cleanup

* cleanup

* fix revert

* lint

* feedback

* fix

* fix test

* clarify comment

* use afterfunc

* [teleport-update] Add update subcommand (#48244)

* Add update subcommand

* fix

* lint

* add command

* warn on known edition

* warn on unknown edition for update

* [teleport-update] Add link subcommand (#48712)

* wip

* refactor

* docs

* updater

* add link command

* test LinkPackage

* cleanup

* fix enterprise paths

* fix systemd linking

* typo

* comment

* comments

* typo

* feedback

* adjust systemd service locations

* cleanup tests, adjust service link path

* [teleport-update] PID-based failure detection and rollback (#49175)

* Extract from other PR

* comments

* string

* [teleport-update] Add systemd setup (#49174)

* service and timer

* comments

* feedback

* feedback

* [teleport-update] Add unlink-package command (#49250)

* unlink

* test

* lock type

* comments

* cleanup

* Update lib/autoupdate/agent/installer.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Add support for version pinning (#49307)

* pinning

* cleanup

* unskip

* cleanup

* unpin

* typo

* [teleport-update] status subcommand (#49308)

* status

* cleanup

* comments

* cleanup output by removing optional fields

* rebase fix

* [teleport-update] Uninstall subcommand (#49341)

* Uninstall

* tests

* comment

* Short-circuit link package on pinned

* log

* move error

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* fix

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Protect against disk space leaks (#49309)

* cleanup unused

* cleanup

* cleanup

* [teleport-update] Show warning instead of return error for link/unlink (#49334)

* Add warning instead of return error for link/unlink

* Add test for sync call with ErrNotSupported

* Change warning message

* [teleport-update] Isolated installation suffix (#49364)

* namespacing

* words

* cli

* fix

* err

* use structured logs consistently

* comments

* bugs

* test

* switch to new paths

* test

* adjust

* reserved

* cleanup

* cleanup

* docs

* fix uninstall

* test

* simplify init

* cleanup

* namespace -> install-suffix

* log

* [teleport-update] Fix usage of trace (#49388)

* fix trace

* rebase

* [teleport-update] Support for Enterprise/FIPS migration (#49451)

* store ent/fips data

cleanup

formatting

revert updater rename

cleanup

Update lib/autoupdate/agent/config.go

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

feedback

* feedback

* feedback

* lint

* [teleport-update] Display download progress and stats (#49805)

* download progress

* typo

* sub -> since

* time -> duration

* [teleport-update] update --now (#49807)

* update --now

* testdata

* [teleport-update] Adjust download progress log output (#49845)

* adjust logger

* fix

* fix

* Extended binary validations (#49748)

* [teleport-update] needrestart and systemd drop-in (#49806)

* wip

* Add more config

* nit

* feedback

* Fix duplicate teleport-update short command (#50304)

* [teleport-update] Version reporting and deprecated upgrader management (#50266)

* wip

* telemetry

* abs

* fix

* tests

* Disable deprecated timer

* keep schedule on non-suffixed

* Update maintenance.go

* Update lib/autoupdate/agent/setup.go

* update warnings

* feedback pt 1

* feedback pt 2

* headers

* [teleport-update] Remove warning when running Teleport on platforms without systemd (#51465)

* improve detection logic on non-systemd platforms

* adjust

* remove OS check

* [teleport-update] common MakeURL with ability to override BaseURL (#51383)

* Add templates for client tools auto-update download url

* Change to base url setting by env

MakeURL moved to common function to be general for both, agent and client tools

* Reuse MakeURL moved to common package

* Fix linter warning

* Add common env variable to override base url

* Remove template from interface

* Make template exported
Change a stale comment

* Remove unused code

* [teleport-update] Adjustments for SELinux (#51474)

* selinux fixes

* extra checks

* lint

* lint

* cleanup

* better cleanup

* fix rebase

* [teleport-update] Add --overwrite flag to replace tarball installations (#51579)

* add --overwrite flag

* extra warning

* [teleport-update] Only use CDN for community / enterprise editions (#51726)

* Only use CDN for community / enterprise

* wording

* [teleport-update] Warn instead of erroring when disabling the deprecated updater (#51759)

* Warn instead of erroring when disabling old updater

* Update lib/service/service.go

* Update lib/service/service.go

* [teleport-update] Adjust non-critical SELinux contexts (#51793)

* correct selinux contexts

* Update lib/autoupdate/agent/installer.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update lib/autoupdate/agent/installer.go

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* [teleport-update] Add proper healthcheck for agents (#51613)

* Add socket readiness monitor

* cleanup

* add 404 check

* check

* better cleanup

* fix bug

* typo

* fix 404

* improve logging

* cleanup

* disable socket redirect

* avoid race condition with socket removal

* verify PID

* cleanup

* Update lib/autoupdate/agent/process.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* feedback

* fix subtle race condition

* debugging

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [teleport-update] Allow teleport-update uninstall to succeed with non-packaged installs (#51576)

* Treat missing source bin dir same as missing binaries

* prevent linking package outside /usr/local/bin

* Apply suggestions from code review

* [teleport-update] use new updater to reload and verify Teleport (#51734)

* wip

* finish implementation

* fix tests

* test setup

* remove stale data

* bug

* spelling

* pass log format and debug through

* feedback

* [teleport-update] Read proxy from teleport.yaml to improve UX (#51633)

* derive proxy from config

* fix parsing

* cleanup

* require force for uninstall (#51973)

* [teleport-update] add insecure flag for testing (#52019)

* insecure flag

* fmt

* [teleport-update] skip updater setup when systemd is missing (#52022)

* skip updater installation when systemd is missing

* test

* wording

* [teleport-update] Ensure stable interface between versions of teleport-update (#52152)

* refactor data dir

* finish refactor

* fix path

* cleanup

* more tests

* lint

* prevent notice failure without systemd

* feedback

* url

* revert log level change (#52416)

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [v17] [teleport-update] Fix usage of default $PATH dir, overrides, and hanging (#52608)

* Fix usage of default path

* fix other overrides

* fix hang on start

* [v17] [teleport-update] Set umask 0022 for teleport-update to avoid errors on enable (#52755)

* Set umask 0022 for teleport-update

* init -> main

* refactor

* move const

* add flag

* missed not

* fix inequality

* remove flag

* dead code

* docs

* docs 2

* feedback

* [v17] [teleport-update] Support for CentOS 7 (#53017)

* support systemd down to 219

* comments

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Missed check on additional use of IsPresent

* adjustments from testing various versions of centos7

* Typo

* Use dedicated error for version incompat

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* [v17] [teleport-update] Improve clarity of error logs and address UX edge cases (#53048)

* Usability fixes

* cancel jitter

* root + fix logs

* check extra case

* cleanup

* extra warning

* tests

* feedback

* add newlines

* adjust message

* consistent error type

* update UI snapshots

* [v17] Backport packaging restructuring and teleport-update build (#52361)

* [teleport-update] Add Makefile build target (#48531)

* Add build target for teleport-update

* Set CGO_ENABLED=0 for building teleport-update

* [teleport-update] Add teleport-update to build and archive (#48839)

* Add teleport-update to build and archive

* Add teleport-update to install scripts

* Add build flags without buildmode pie

* Add helper message for install.sh script

* Exclude teleport-update from darwin platform

* Add teleport-update to rpm and deb packages

* Remove teleport-update from deb, rpm packages
Add comment for the buildflags

* [teleport-update] Move teleport binaries to new path {deb,rpm} (#49110)

* Move teleport binaries to new path

* Use link/unlink command to manage links
Move teleport.service to new path

* Move teleport binaries under standard path for distroless
Cleanup

* Fix wrong move path

* Create missing directory

* Rename link/unlink commands

* Exclude teleport-update from docker image
Systemd reload now managed by teleport-update
Make safe unlink not to block package removal

* Add teleport-update to AMI image build

* Fix RPM build, fpm automatically manage scripts

* Fix AMI build, add missing teleport.service

* Move binaries to /opt/teleport/system

* Add check to installation script when we copy files from tarball (#50368)

* bump e

* Fix RPM linking logic (#52704)

* Use quoting style supported by pre-2015 systemd (#53179) (#53196)

* [teleport-update] Additional log message and UX cleanup (#53180) (#53197)

* More teleport-update UX cleanup

* cleanup overwrite error

* cleanup

* more cleanup

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
hugoShaka added a commit that referenced this pull request Apr 11, 2025
…kage

* Add autoupdate agent protos (#47666)

* Add autoupdate agent protos

* fix tests

* Add create/update/delete RPCs + add missing event proto

* Update api/proto/teleport/autoupdate/v1/autoupdate.proto

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* address timr's feedback + fix tests

* buf lint

* buf lint pt.2

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* fix agent autoupdate protos (#47830)

* Add autoupdate agent type validations (#47831)

* Add autoupdate agent validations

* Add AutoUpdateAgentRollout constants

* Fix autoupdate API licenses

Teleport's `api/` and `integrations/` should be Apache-licensed.

Only the main teleport process should be licensed under AGPLv3.

* address feedback

* Add AutoUpdateAgentRollout service and cache (#47833)

* Fix defaults on incomplete AU config or version resources (#47872)

* Fix panic on incomplete AU config or version resources

* lint

* address tiago's feedback

* [v17] enforce conditional updates on AutoUpdate* + rename typos (#48390)

* enforce conditional updates on AutoUpdate* + rename typos

* fix tests

* [v17] implement autoupdate_agent_rollout reconciler (#48944)

* implement autoupdate_agent_rollout reconciler

* address edoardo's feedback

* address edoardo's feedback pt.2

* fixup! address edoardo's feedback

* lint

* [v17] RFD 184: automatic updates, server-side logic (#52275)

* Implement immediate schedule support for automatic updates (#47920)

* Implement immediate schedule support

* expose edition, fips, and ensure ping endpoint answers

* fix after rebase

* fix cache tests

* introduce webclient.ReusableClient (#49296)

* Move autoupdate code in proxy to make more sense (#49484)

* Move autoupdate code in proxy to make more sense

* lint + godoc

* Start `autoupdate_agent_rollout` controller in auth service (#49101)

* run autoupdate_agent_rollout controller

* Recover from panics inside the controller

* Address tim's feedback

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* kube-agent-updater: add RFD-184 trigger and version getter (#49297)

* add proxy version getter and maintenance trigger

* add failover trigger and versionGetter

* lint

* Apply suggestions from code review

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* address marco's feedback

* licensing

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Rename lib/kubernetestoken to lib/kube/token (#49554)

* Rename lib/kubernetestoken to lib/kube/token

* Lint

* Make the proxy read from autoupdate_agent_rollout (#49380)

* Add autoupdate_agent_rollout support

* fix ping proxy tests

* address creack's feedback

* Address sclevine's feedback

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* fix panic in tests

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* Fix flaky TestAutoUpdateAgentShouldUpdate (#49883)

* Fix flaky TestAutoUpdateAgentShouldUpdate

* Update lib/web/apiserver_ping_test.go

* Update lib/web/autoupdate_common_test.go

* autoupdate: reconcile rollout status and add strategy interface (#49735)

* autoupdate: reconcile rollout status and add strategy interface

* fix missing constants + add license

* lint

* fix proto field id

* Fix flaky TestAgentRolloutController (#49886)

* Fix flaky TestAgentRolloutController

* switch to real clock + increase Eventually timeout

* Make reconciliation period a parameter + add TELEPORT_UNSTABLE env var

* Update lib/service/service_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Remove env var

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Compute global rollout state (#49945)

* Compute global rollout state

* Simplify + missing wrong proto message description

* lint

* simplify

* for edoardo

* fix compute status test

* autoupdate: implement time-based strategy (#49736)

This commit implements the time-based rollout strategy described in
RFD 184. The autoupdate_agent_rollout controller will make the groups
active based on their start days, start hour, and maintenance duration.
Once the maintenance window is over, the group becomes DONE.
In the DONE state, new agents will install the target version but
existing agents will no longer be told to actively update.

* Use CMC as default config when set (#50039)

* autoupdate: Use CMC as default config when set

Part of: [RFD-184](#47126)

This commit implements backward compatibility when CMC is specified.
After this PR, if the user has no `autoupdate_config` resource but a
`cluster_maintenance_config` resource from RFD 109, we will use the CMC
to generate the config (update hour and update days) and craft the
`autoupdate_agent_rollout`.

* Update lib/autoupdate/rollout/client_test.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* address feedback

* lint

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Change autoupdate proto messages (#50234)

* Change autoupdate proto messages

This commit does 3 changes:
- reflect the maintenance duration on the rollout in a new spec field
- add a rollout start time field in its status
- change wait_days into wait_hours

* int64 -> int32 for consistency with other fields

* Add autoupdate_config and autoupdate_agent_rollout validation (#50181)

This commit removes the restrictions of the autoupdate_agent_rollout and autoupdate_config schedules but adds groups validation.

It also adds some optional server-side validation that should not be enforced at the resource level.

* autoupdate: implement halt-on-error strategy (#49737)

* autoupdate: implement halt-on-error strategy

* rewrite wait_days logic into wait_hours

* Apply suggestions from code review

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* add tctl create/get/edit support for autoupdate_agent_rollout (#50393)

* add tctl create/get/edit support for autoupdate_agent_rollout

* fix bad copy paste

* set rollout start date and don't start updating if rollout just changed (#50365)

This commit does two changes:
- the controller now sets the rollout start time when resetting the
  rollout
- the controller will not start a group if the rollout changed during
  the maintenance window (checks if the rollout start time is in the
  window)

* Reduce clock usage + add time and period override in rollout controller (#50634)

* Enable strategies in the autoupdate rollout controller (#50635)

* autoupdate rollout: honour the maintenance window duration (#50745)

* autoupdate rollout: honour the maintenance window duration

* Update lib/autoupdate/rollout/reconciler.go

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Address feedback

* Update lib/autoupdate/rollout/strategy.go

---------

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Add autoupdate controller metrics (#50807)

* Add autoupdate controller metrics

* Do not panic in case of error conflict

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible (#50464)

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible

* Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* log update group

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Add 'tctl autoupdate agents status' (#51079)

* Ensure proxy version getter adds the leading 'v' (#51687)

* Always create debug socket and expose health endpoints (#51616)

* Always create debug socket and expose health endpoints

* Consolidate the diagnostic multiplexers in a single function

* Fix tests

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix autoupdate rollout controller metrics (#51803)

* kube-agent-updater pre-release builds trust the staging repo + insecure validator private repo fix (#51815)

* Fix insecure resolver in private repos + trust pre-release builds

* fixup! Fix insecure resolver in private repos + trust pre-release builds

* Use new autoupdate APIs in discovery service (#51758)

* Remove name parameter from proxy version getter

* Use autoupdate_agent_rollout as a source of version in scripts and integrations

* Fix tests

* Handle gracefully absence of a proxy in kube discovery service

* Update lib/srv/discovery/kube_integration_watcher.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Address marco's feedback

* Address marco's feedback pt.2

* Gracefully handle if we can't get autoupdate version

* fixup! Update lib/srv/discovery/kube_integration_watcher.go

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Autoupdate changelog entry in v17.3

* Fix tests after rebase, pt.1

* Update front preset fixtures since the preset role changed

* Add install script using teleport-update and oneoff.sh (#52155)

* Refactor node-join script to take safer options and reuse install option logic (#52196)

* Add install script using teleport-update and oneoff.sh

* Refactor node-join script to take safer options and reuse install option logic

* GoDoc + make functions private

* Address edoardo's feedback

* Allow prerelease Teleport to install official artifacts (#52444)

* Accept to install CE when running an AGPL build for backward compat

* Bump e to fix build (oneoff args change)

* Make node install scripts install Teleport via teleport-update (#52226)

* Make the node install script use teleport-update

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix curl args + address bash exec comments

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Use install.sh in discovery's default installer (#52368)

* Use install.sh in discovery's default installer

* fixup! Use install.sh in discovery's default installer

* Address marco's feedback

* Update lib/auth/grpcserver.go

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Update lib/srv/server/installer/defaultinstallers.go

* apply edoardo's feedback + write script to file

* Execute the downloaded shell script

* Add snapshot tests

* fixup! Add snapshot tests

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Fix error after rebase

* Fix test after rebase

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* [v17] Modulate install script when managed updates v2 are off (#52609)

* Modulate install script when managed updates v2 are off

* fixup! Modulate install script when managed updates v2 are off

* Address Stephen's feedback

* Set the autoupdate singleton names (#52751)

* Add autoupdate events to web UI (#52748) (#52838)

* Add autoupdate events to web UI

* lint

* Fix backport to include the label fix

* lint

* fix tests

* Add teleport-update binary scaffolding and disable command (#46418)

* Add main.go

* wip

* group flag

* wip

* wip

* mvp

* wip

* separate files

* cleanup

* jitter

* scaffold only

* remove teleport changes

* remove teleport changes - group

* test

* test lock

* remove edition

* feedback

* clarify default data dir

* cleanup

* move version to status

* consistent naming for update.yaml

* improve lock test

* explain lint

* use shared locking logic

* fix test

* Move disable logic to lib

* feedback

* switch to default transport

* [teleport-update] Add enable command (#47565)

* Add enable scaffold

* add installer

* refactor

* add enable tests

* clean up download logic

* Finish installer tests

* cleanup

* fix flags

* fix errors

* logging

* cleanup

* fix test

* Fix download size logic

* remove agent prefixes

* namespace package

* rename file

* feedback

* fips and ent support

* hide force version

* feedback

* feedback 2

* fix test

* move enterprise/fips to webapi

* Fix interface

* RFD 0184: Automatic Updates for Teleport Agents (#47126)

* Create 0169-auto-updates-linux-agents.md

* Fix github handle

* Fix Github handle

* Clarify jitter flag

* Remove time question

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* add editions

* Installers and docs

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Downgrades

* Feedback

* Update 0169-auto-updates-linux-agents.md

* Remove last working copy of teleport

* add step to ensure free disk space

* Typos

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* feedback

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* apt purge

* Only enable auto-upgrades if successful

* reentrant lock

* reset

* Update 0169-auto-updates-linux-agents.md

* add note on backups

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Clarify restore/rollback process and validations

* Added section on logging

* Add schedules

* immediate schedule + note on cycles and chains

* more details, more tctl commands

* Update 0169-auto-updates-linux-agents.md

* scalability

* df

* content-length

* cache init

* binary

* more rollout mechanism changes

* scalability

* more scalability

* use 100kib pages for plan

* Add RPCs, tweak API design

* clarify wording

* wording

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* linting

* Move all RPCs into autoupdate/v1

* Move groups to MVP

* note about checksum

* typos, consistency

* clarify binary is teleport-update, package is teleport-ent-updater

* switch from df to unix.Statfs

* security feedback + naming adjustments

* tweak rollout paging

* tweak rollout paging again

* feedback

* adjust update.yaml to match implementation feedback

* wip - new model

* canaries

* canary 2

* describe state, transitions, and proxy response

* rpcs

* finish rpcs

* minor tweaks

* Add user stories

* Put new requirements at the top + edit UX + add TODOs

* Edition work

* cleanup + swap phases 1 and 2

* Move protobuf

* Add installation scenarios

* cleanup + move backpressure formulas

* more cleanup

* rename to unused number

* fix title

* more cleanup

* correct inconsistencies

* fix more inconsistencies

* missing proxy flag

* typo

* Add CLI reference

* feedback

* alerts note

* typos

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* clarify canary logic

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Support for multiple installations / tarball

* Address reviewer's feedback

- Rephrase the UX section to not assume prior canary knowledge
- Explicit how the canaries are picked, the limitations, and potential
  improvements
- replace node with instance to avoid confusion between ssh nodes and
  generic teleport agent instances
- Explicit how the previous updater interacts with the new one
- More explicit names for command line args

* agent_plan -> agent_rollout + reuse autoupdate_config

* align tool version

* Move package system dir

* add time-based strategy

* rename previous-must-succeed -> halt-on-failure

---------

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com>

* [v17] RFD 184: Agent Automatic Updates, teleport-update (#52372)

* [teleport-update] Add linking into /usr/local (#47879)

* clean up download logic

* Finish installer tests

* fips and ent support

* feedback

* move enterprise/fips to webapi

* wip

* wip2

* add cleanup

* fix extract

* wip

* fix tests

* remove safety

* cleanup

* cleanup extract

* cleanup

* cleanup

* fix bugs

* cleanup

* [teleport-update] Use new webapi fields to find version (#47961)

* Adapt teleport-update to new webapi endpoints

* feedback

* [teleport-update] Add support for reloading the agent & reverting symlinks on failed reload (#47929)

* wip

* cleanup

* comments

* test wip

* test link revert

* tests

* cleanup

* cleanup more

* comments

* comments

* errors

* comments

* linting

* fix bugs

* fix typo

* cleanup

* cleanup

* fix revert

* lint

* feedback

* fix

* fix test

* clarify comment

* use afterfunc

* [teleport-update] Add update subcommand (#48244)

* Add update subcommand

* fix

* lint

* add command

* warn on known edition

* warn on unknown edition for update

* [teleport-update] Add link subcommand (#48712)

* wip

* refactor

* docs

* updater

* add link command

* test LinkPackage

* cleanup

* fix enterprise paths

* fix systemd linking

* typo

* comment

* comments

* typo

* feedback

* adjust systemd service locations

* cleanup tests, adjust service link path

* [teleport-update] PID-based failure detection and rollback (#49175)

* Extract from other PR

* comments

* string

* [teleport-update] Add systemd setup (#49174)

* service and timer

* comments

* feedback

* feedback

* [teleport-update] Add unlink-package command (#49250)

* unlink

* test

* lock type

* comments

* cleanup

* Update lib/autoupdate/agent/installer.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Add support for version pinning (#49307)

* pinning

* cleanup

* unskip

* cleanup

* unpin

* typo

* [teleport-update] status subcommand (#49308)

* status

* cleanup

* comments

* cleanup output by removing optional fields

* rebase fix

* [teleport-update] Uninstall subcommand (#49341)

* Uninstall

* tests

* comment

* Short-circuit link package on pinned

* log

* move error

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* fix

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Protect against disk space leaks (#49309)

* cleanup unused

* cleanup

* cleanup

* [teleport-update] Show warning instead of return error for link/unlink (#49334)

* Add warning instead of return error for link/unlink

* Add test for sync call with ErrNotSupported

* Change warning message

* [teleport-update] Isolated installation suffix (#49364)

* namespacing

* words

* cli

* fix

* err

* use structured logs consistently

* comments

* bugs

* test

* switch to new paths

* test

* adjust

* reserved

* cleanup

* cleanup

* docs

* fix uninstall

* test

* simplify init

* cleanup

* namespace -> install-suffix

* log

* [teleport-update] Fix usage of trace (#49388)

* fix trace

* rebase

* [teleport-update] Support for Enterprise/FIPS migration (#49451)

* store ent/fips data

cleanup

formatting

revert updater rename

cleanup

Update lib/autoupdate/agent/config.go

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

feedback

* feedback

* feedback

* lint

* [teleport-update] Display download progress and stats (#49805)

* download progress

* typo

* sub -> since

* time -> duration

* [teleport-update] update --now (#49807)

* update --now

* testdata

* [teleport-update] Adjust download progress log output (#49845)

* adjust logger

* fix

* fix

* Extended binary validations (#49748)

* [teleport-update] needrestart and systemd drop-in (#49806)

* wip

* Add more config

* nit

* feedback

* Fix duplicate teleport-update short command (#50304)

* [teleport-update] Version reporting and deprecated upgrader management (#50266)

* wip

* telemetry

* abs

* fix

* tests

* Disable deprecated timer

* keep schedule on non-suffixed

* Update maintenance.go

* Update lib/autoupdate/agent/setup.go

* update warnings

* feedback pt 1

* feedback pt 2

* headers

* [teleport-update] Remove warning when running Teleport on platforms without systemd (#51465)

* improve detection logic on non-systemd platforms

* adjust

* remove OS check

* [teleport-update] common MakeURL with ability to override BaseURL (#51383)

* Add templates for client tools auto-update download url

* Change to base url setting by env

MakeURL moved to common function to be general for both, agent and client tools

* Reuse MakeURL moved to common package

* Fix linter warning

* Add common env variable to override base url

* Remove template from interface

* Make template exported
Change a stale comment

* Remove unused code

* [teleport-update] Adjustments for SELinux (#51474)

* selinux fixes

* extra checks

* lint

* lint

* cleanup

* better cleanup

* fix rebase

* [teleport-update] Add --overwrite flag to replace tarball installations (#51579)

* add --overwrite flag

* extra warning

* [teleport-update] Only use CDN for community / enterprise editions (#51726)

* Only use CDN for community / enterprise

* wording

* [teleport-update] Warn instead of erroring when disabling the deprecated updater (#51759)

* Warn instead of erroring when disabling old updater

* Update lib/service/service.go

* Update lib/service/service.go

* [teleport-update] Adjust non-critical SELinux contexts (#51793)

* correct selinux contexts

* Update lib/autoupdate/agent/installer.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update lib/autoupdate/agent/installer.go

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* [teleport-update] Add proper healthcheck for agents (#51613)

* Add socket readiness monitor

* cleanup

* add 404 check

* check

* better cleanup

* fix bug

* typo

* fix 404

* improve logging

* cleanup

* disable socket redirect

* avoid race condition with socket removal

* verify PID

* cleanup

* Update lib/autoupdate/agent/process.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* feedback

* fix subtle race condition

* debugging

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [teleport-update] Allow teleport-update uninstall to succeed with non-packaged installs (#51576)

* Treat missing source bin dir same as missing binaries

* prevent linking package outside /usr/local/bin

* Apply suggestions from code review

* [teleport-update] use new updater to reload and verify Teleport (#51734)

* wip

* finish implementation

* fix tests

* test setup

* remove stale data

* bug

* spelling

* pass log format and debug through

* feedback

* [teleport-update] Read proxy from teleport.yaml to improve UX (#51633)

* derive proxy from config

* fix parsing

* cleanup

* require force for uninstall (#51973)

* [teleport-update] add insecure flag for testing (#52019)

* insecure flag

* fmt

* [teleport-update] skip updater setup when systemd is missing (#52022)

* skip updater installation when systemd is missing

* test

* wording

* [teleport-update] Ensure stable interface between versions of teleport-update (#52152)

* refactor data dir

* finish refactor

* fix path

* cleanup

* more tests

* lint

* prevent notice failure without systemd

* feedback

* url

* revert log level change (#52416)

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [v17] [teleport-update] Fix usage of default $PATH dir, overrides, and hanging (#52608)

* Fix usage of default path

* fix other overrides

* fix hang on start

* [v17] [teleport-update] Set umask 0022 for teleport-update to avoid errors on enable (#52755)

* Set umask 0022 for teleport-update

* init -> main

* refactor

* move const

* add flag

* missed not

* fix inequality

* remove flag

* dead code

* docs

* docs 2

* feedback

* [v17] [teleport-update] Support for CentOS 7 (#53017)

* support systemd down to 219

* comments

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Missed check on additional use of IsPresent

* adjustments from testing various versions of centos7

* Typo

* Use dedicated error for version incompat

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* [v17] [teleport-update] Improve clarity of error logs and address UX edge cases (#53048)

* Usability fixes

* cancel jitter

* root + fix logs

* check extra case

* cleanup

* extra warning

* tests

* feedback

* add newlines

* adjust message

* consistent error type

* update UI snapshots

* [v17] Backport packaging restructuring and teleport-update build (#52361)

* [teleport-update] Add Makefile build target (#48531)

* Add build target for teleport-update

* Set CGO_ENABLED=0 for building teleport-update

* [teleport-update] Add teleport-update to build and archive (#48839)

* Add teleport-update to build and archive

* Add teleport-update to install scripts

* Add build flags without buildmode pie

* Add helper message for install.sh script

* Exclude teleport-update from darwin platform

* Add teleport-update to rpm and deb packages

* Remove teleport-update from deb, rpm packages
Add comment for the buildflags

* [teleport-update] Move teleport binaries to new path {deb,rpm} (#49110)

* Move teleport binaries to new path

* Use link/unlink command to manage links
Move teleport.service to new path

* Move teleport binaries under standard path for distroless
Cleanup

* Fix wrong move path

* Create missing directory

* Rename link/unlink commands

* Exclude teleport-update from docker image
Systemd reload now managed by teleport-update
Make safe unlink not to block package removal

* Add teleport-update to AMI image build

* Fix RPM build, fpm automatically manage scripts

* Fix AMI build, add missing teleport.service

* Move binaries to /opt/teleport/system

* Add check to installation script when we copy files from tarball (#50368)

* bump e

* Fix RPM linking logic (#52704)

* Use quoting style supported by pre-2015 systemd (#53179) (#53196)

* [teleport-update] Additional log message and UX cleanup (#53180) (#53197)

* More teleport-update UX cleanup

* cleanup overwrite error

* cleanup

* more cleanup

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
hugoShaka added a commit that referenced this pull request Apr 18, 2025
…kage

* Add autoupdate agent protos (#47666)

* Add autoupdate agent protos

* fix tests

* Add create/update/delete RPCs + add missing event proto

* Update api/proto/teleport/autoupdate/v1/autoupdate.proto

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* address timr's feedback + fix tests

* buf lint

* buf lint pt.2

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* fix agent autoupdate protos (#47830)

* Add autoupdate agent type validations (#47831)

* Add autoupdate agent validations

* Add AutoUpdateAgentRollout constants

* Fix autoupdate API licenses

Teleport's `api/` and `integrations/` should be Apache-licensed.

Only the main teleport process should be licensed under AGPLv3.

* address feedback

* Add AutoUpdateAgentRollout service and cache (#47833)

* Fix defaults on incomplete AU config or version resources (#47872)

* Fix panic on incomplete AU config or version resources

* lint

* address tiago's feedback

* [v17] enforce conditional updates on AutoUpdate* + rename typos (#48390)

* enforce conditional updates on AutoUpdate* + rename typos

* fix tests

* [v17] implement autoupdate_agent_rollout reconciler (#48944)

* implement autoupdate_agent_rollout reconciler

* address edoardo's feedback

* address edoardo's feedback pt.2

* fixup! address edoardo's feedback

* lint

* [v17] RFD 184: automatic updates, server-side logic (#52275)

* Implement immediate schedule support for automatic updates (#47920)

* Implement immediate schedule support

* expose edition, fips, and ensure ping endpoint answers

* fix after rebase

* fix cache tests

* introduce webclient.ReusableClient (#49296)

* Move autoupdate code in proxy to make more sense (#49484)

* Move autoupdate code in proxy to make more sense

* lint + godoc

* Start `autoupdate_agent_rollout` controller in auth service (#49101)

* run autoupdate_agent_rollout controller

* Recover from panics inside the controller

* Address tim's feedback

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* kube-agent-updater: add RFD-184 trigger and version getter (#49297)

* add proxy version getter and maintenance trigger

* add failover trigger and versionGetter

* lint

* Apply suggestions from code review

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* address marco's feedback

* licensing

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Rename lib/kubernetestoken to lib/kube/token (#49554)

* Rename lib/kubernetestoken to lib/kube/token

* Lint

* Make the proxy read from autoupdate_agent_rollout (#49380)

* Add autoupdate_agent_rollout support

* fix ping proxy tests

* address creack's feedback

* Address sclevine's feedback

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* fix panic in tests

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* Fix flaky TestAutoUpdateAgentShouldUpdate (#49883)

* Fix flaky TestAutoUpdateAgentShouldUpdate

* Update lib/web/apiserver_ping_test.go

* Update lib/web/autoupdate_common_test.go

* autoupdate: reconcile rollout status and add strategy interface (#49735)

* autoupdate: reconcile rollout status and add strategy interface

* fix missing constants + add license

* lint

* fix proto field id

* Fix flaky TestAgentRolloutController (#49886)

* Fix flaky TestAgentRolloutController

* switch to real clock + increase Eventually timeout

* Make reconciliation period a parameter + add TELEPORT_UNSTABLE env var

* Update lib/service/service_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Remove env var

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Compute global rollout state (#49945)

* Compute global rollout state

* Simplify + missing wrong proto message description

* lint

* simplify

* for edoardo

* fix compute status test

* autoupdate: implement time-based strategy (#49736)

This commit implements the time-based rollout strategy described in
RFD 184. The autoupdate_agent_rollout controller will make the groups
active based on their start days, start hour, and maintenance duration.
Once the maintenance window is over, the group becomes DONE.
In the DONE state, new agents will install the target version but
existing agents will no longer be told to actively update.

* Use CMC as default config when set (#50039)

* autoupdate: Use CMC as default config when set

Part of: [RFD-184](#47126)

This commit implements backward compatibility when CMC is specified.
After this PR, if the user has no `autoupdate_config` resource but a
`cluster_maintenance_config` resource from RFD 109, we will use the CMC
to generate the config (update hour and update days) and craft the
`autoupdate_agent_rollout`.

* Update lib/autoupdate/rollout/client_test.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* address feedback

* lint

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Change autoupdate proto messages (#50234)

* Change autoupdate proto messages

This commit does 3 changes:
- reflect the maintenance duration on the rollout in a new spec field
- add a rollout start time field in its status
- change wait_days into wait_hours

* int64 -> int32 for consistency with other fields

* Add autoupdate_config and autoupdate_agent_rollout validation (#50181)

This commit removes the restrictions of the autoupdate_agent_rollout and autoupdate_config schedules but adds groups validation.

It also adds some optional server-side validation that should not be enforced at the resource level.

* autoupdate: implement halt-on-error strategy (#49737)

* autoupdate: implement halt-on-error strategy

* rewrite wait_days logic into wait_hours

* Apply suggestions from code review

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* add tctl create/get/edit support for autoupdate_agent_rollout (#50393)

* add tctl create/get/edit support for autoupdate_agent_rollout

* fix bad copy paste

* set rollout start date and don't start updating if rollout just changed (#50365)

This commit does two changes:
- the controller now sets the rollout start time when resetting the
  rollout
- the controller will not start a group if the rollout changed during
  the maintenance window (checks if the rollout start time is in the
  window)

* Reduce clock usage + add time and period override in rollout controller (#50634)

* Enable strategies in the autoupdate rollout controller (#50635)

* autoupdate rollout: honour the maintenance window duration (#50745)

* autoupdate rollout: honour the maintenance window duration

* Update lib/autoupdate/rollout/reconciler.go

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Address feedback

* Update lib/autoupdate/rollout/strategy.go

---------

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Add autoupdate controller metrics (#50807)

* Add autoupdate controller metrics

* Do not panic in case of error conflict

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible (#50464)

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible

* Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* log update group

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Add 'tctl autoupdate agents status' (#51079)

* Ensure proxy version getter adds the leading 'v' (#51687)

* Always create debug socket and expose health endpoints (#51616)

* Always create debug socket and expose health endpoints

* Consolidate the diagnostic multiplexers in a single function

* Fix tests

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix autoupdate rollout controller metrics (#51803)

* kube-agent-updater pre-release builds trust the staging repo + insecure validator private repo fix (#51815)

* Fix insecure resolver in private repos + trust pre-release builds

* fixup! Fix insecure resolver in private repos + trust pre-release builds

* Use new autoupdate APIs in discovery service (#51758)

* Remove name parameter from proxy version getter

* Use autoupdate_agent_rollout as a source of version in scripts and integrations

* Fix tests

* Handle gracefully absence of a proxy in kube discovery service

* Update lib/srv/discovery/kube_integration_watcher.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Address marco's feedback

* Address marco's feedback pt.2

* Gracefully handle if we can't get autoupdate version

* fixup! Update lib/srv/discovery/kube_integration_watcher.go

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Autoupdate changelog entry in v17.3

* Fix tests after rebase, pt.1

* Update front preset fixtures since the preset role changed

* Add install script using teleport-update and oneoff.sh (#52155)

* Refactor node-join script to take safer options and reuse install option logic (#52196)

* Add install script using teleport-update and oneoff.sh

* Refactor node-join script to take safer options and reuse install option logic

* GoDoc + make functions private

* Address edoardo's feedback

* Allow prerelease Teleport to install official artifacts (#52444)

* Accept to install CE when running an AGPL build for backward compat

* Bump e to fix build (oneoff args change)

* Make node install scripts install Teleport via teleport-update (#52226)

* Make the node install script use teleport-update

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix curl args + address bash exec comments

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Use install.sh in discovery's default installer (#52368)

* Use install.sh in discovery's default installer

* fixup! Use install.sh in discovery's default installer

* Address marco's feedback

* Update lib/auth/grpcserver.go

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Update lib/srv/server/installer/defaultinstallers.go

* apply edoardo's feedback + write script to file

* Execute the downloaded shell script

* Add snapshot tests

* fixup! Add snapshot tests

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Fix error after rebase

* Fix test after rebase

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* [v17] Modulate install script when managed updates v2 are off (#52609)

* Modulate install script when managed updates v2 are off

* fixup! Modulate install script when managed updates v2 are off

* Address Stephen's feedback

* Set the autoupdate singleton names (#52751)

* Add autoupdate events to web UI (#52748) (#52838)

* Add autoupdate events to web UI

* lint

* Fix backport to include the label fix

* lint

* fix tests

* Add teleport-update binary scaffolding and disable command (#46418)

* Add main.go

* wip

* group flag

* wip

* wip

* mvp

* wip

* separate files

* cleanup

* jitter

* scaffold only

* remove teleport changes

* remove teleport changes - group

* test

* test lock

* remove edition

* feedback

* clarify default data dir

* cleanup

* move version to status

* consistent naming for update.yaml

* improve lock test

* explain lint

* use shared locking logic

* fix test

* Move disable logic to lib

* feedback

* switch to default transport

* [teleport-update] Add enable command (#47565)

* Add enable scaffold

* add installer

* refactor

* add enable tests

* clean up download logic

* Finish installer tests

* cleanup

* fix flags

* fix errors

* logging

* cleanup

* fix test

* Fix download size logic

* remove agent prefixes

* namespace package

* rename file

* feedback

* fips and ent support

* hide force version

* feedback

* feedback 2

* fix test

* move enterprise/fips to webapi

* Fix interface

* RFD 0184: Automatic Updates for Teleport Agents (#47126)

* Create 0169-auto-updates-linux-agents.md

* Fix github handle

* Fix Github handle

* Clarify jitter flag

* Remove time question

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* add editions

* Installers and docs

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Downgrades

* Feedback

* Update 0169-auto-updates-linux-agents.md

* Remove last working copy of teleport

* add step to ensure free disk space

* Typos

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* feedback

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* apt purge

* Only enable auto-upgrades if successful

* reentrant lock

* reset

* Update 0169-auto-updates-linux-agents.md

* add note on backups

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Clarify restore/rollback process and validations

* Added section on logging

* Add schedules

* immediate schedule + note on cycles and chains

* more details, more tctl commands

* Update 0169-auto-updates-linux-agents.md

* scalability

* df

* content-length

* cache init

* binary

* more rollout mechanism changes

* scalability

* more scalability

* use 100kib pages for plan

* Add RPCs, tweak API design

* clarify wording

* wording

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* linting

* Move all RPCs into autoupdate/v1

* Move groups to MVP

* note about checksum

* typos, consistency

* clarify binary is teleport-update, package is teleport-ent-updater

* switch from df to unix.Statfs

* security feedback + naming adjustments

* tweak rollout paging

* tweak rollout paging again

* feedback

* adjust update.yaml to match implementation feedback

* wip - new model

* canaries

* canary 2

* describe state, transitions, and proxy response

* rpcs

* finish rpcs

* minor tweaks

* Add user stories

* Put new requirements at the top + edit UX + add TODOs

* Edition work

* cleanup + swap phases 1 and 2

* Move protobuf

* Add installation scenarios

* cleanup + move backpressure formulas

* more cleanup

* rename to unused number

* fix title

* more cleanup

* correct inconsistencies

* fix more inconsistencies

* missing proxy flag

* typo

* Add CLI reference

* feedback

* alerts note

* typos

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* clarify canary logic

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Support for multiple installations / tarball

* Address reviewer's feedback

- Rephrase the UX section to not assume prior canary knowledge
- Explicit how the canaries are picked, the limitations, and potential
  improvements
- replace node with instance to avoid confusion between ssh nodes and
  generic teleport agent instances
- Explicit how the previous updater interacts with the new one
- More explicit names for command line args

* agent_plan -> agent_rollout + reuse autoupdate_config

* align tool version

* Move package system dir

* add time-based strategy

* rename previous-must-succeed -> halt-on-failure

---------

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com>

* [v17] RFD 184: Agent Automatic Updates, teleport-update (#52372)

* [teleport-update] Add linking into /usr/local (#47879)

* clean up download logic

* Finish installer tests

* fips and ent support

* feedback

* move enterprise/fips to webapi

* wip

* wip2

* add cleanup

* fix extract

* wip

* fix tests

* remove safety

* cleanup

* cleanup extract

* cleanup

* cleanup

* fix bugs

* cleanup

* [teleport-update] Use new webapi fields to find version (#47961)

* Adapt teleport-update to new webapi endpoints

* feedback

* [teleport-update] Add support for reloading the agent & reverting symlinks on failed reload (#47929)

* wip

* cleanup

* comments

* test wip

* test link revert

* tests

* cleanup

* cleanup more

* comments

* comments

* errors

* comments

* linting

* fix bugs

* fix typo

* cleanup

* cleanup

* fix revert

* lint

* feedback

* fix

* fix test

* clarify comment

* use afterfunc

* [teleport-update] Add update subcommand (#48244)

* Add update subcommand

* fix

* lint

* add command

* warn on known edition

* warn on unknown edition for update

* [teleport-update] Add link subcommand (#48712)

* wip

* refactor

* docs

* updater

* add link command

* test LinkPackage

* cleanup

* fix enterprise paths

* fix systemd linking

* typo

* comment

* comments

* typo

* feedback

* adjust systemd service locations

* cleanup tests, adjust service link path

* [teleport-update] PID-based failure detection and rollback (#49175)

* Extract from other PR

* comments

* string

* [teleport-update] Add systemd setup (#49174)

* service and timer

* comments

* feedback

* feedback

* [teleport-update] Add unlink-package command (#49250)

* unlink

* test

* lock type

* comments

* cleanup

* Update lib/autoupdate/agent/installer.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Add support for version pinning (#49307)

* pinning

* cleanup

* unskip

* cleanup

* unpin

* typo

* [teleport-update] status subcommand (#49308)

* status

* cleanup

* comments

* cleanup output by removing optional fields

* rebase fix

* [teleport-update] Uninstall subcommand (#49341)

* Uninstall

* tests

* comment

* Short-circuit link package on pinned

* log

* move error

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* fix

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Protect against disk space leaks (#49309)

* cleanup unused

* cleanup

* cleanup

* [teleport-update] Show warning instead of return error for link/unlink (#49334)

* Add warning instead of return error for link/unlink

* Add test for sync call with ErrNotSupported

* Change warning message

* [teleport-update] Isolated installation suffix (#49364)

* namespacing

* words

* cli

* fix

* err

* use structured logs consistently

* comments

* bugs

* test

* switch to new paths

* test

* adjust

* reserved

* cleanup

* cleanup

* docs

* fix uninstall

* test

* simplify init

* cleanup

* namespace -> install-suffix

* log

* [teleport-update] Fix usage of trace (#49388)

* fix trace

* rebase

* [teleport-update] Support for Enterprise/FIPS migration (#49451)

* store ent/fips data

cleanup

formatting

revert updater rename

cleanup

Update lib/autoupdate/agent/config.go

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

feedback

* feedback

* feedback

* lint

* [teleport-update] Display download progress and stats (#49805)

* download progress

* typo

* sub -> since

* time -> duration

* [teleport-update] update --now (#49807)

* update --now

* testdata

* [teleport-update] Adjust download progress log output (#49845)

* adjust logger

* fix

* fix

* Extended binary validations (#49748)

* [teleport-update] needrestart and systemd drop-in (#49806)

* wip

* Add more config

* nit

* feedback

* Fix duplicate teleport-update short command (#50304)

* [teleport-update] Version reporting and deprecated upgrader management (#50266)

* wip

* telemetry

* abs

* fix

* tests

* Disable deprecated timer

* keep schedule on non-suffixed

* Update maintenance.go

* Update lib/autoupdate/agent/setup.go

* update warnings

* feedback pt 1

* feedback pt 2

* headers

* [teleport-update] Remove warning when running Teleport on platforms without systemd (#51465)

* improve detection logic on non-systemd platforms

* adjust

* remove OS check

* [teleport-update] common MakeURL with ability to override BaseURL (#51383)

* Add templates for client tools auto-update download url

* Change to base url setting by env

MakeURL moved to common function to be general for both, agent and client tools

* Reuse MakeURL moved to common package

* Fix linter warning

* Add common env variable to override base url

* Remove template from interface

* Make template exported
Change a stale comment

* Remove unused code

* [teleport-update] Adjustments for SELinux (#51474)

* selinux fixes

* extra checks

* lint

* lint

* cleanup

* better cleanup

* fix rebase

* [teleport-update] Add --overwrite flag to replace tarball installations (#51579)

* add --overwrite flag

* extra warning

* [teleport-update] Only use CDN for community / enterprise editions (#51726)

* Only use CDN for community / enterprise

* wording

* [teleport-update] Warn instead of erroring when disabling the deprecated updater (#51759)

* Warn instead of erroring when disabling old updater

* Update lib/service/service.go

* Update lib/service/service.go

* [teleport-update] Adjust non-critical SELinux contexts (#51793)

* correct selinux contexts

* Update lib/autoupdate/agent/installer.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update lib/autoupdate/agent/installer.go

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* [teleport-update] Add proper healthcheck for agents (#51613)

* Add socket readiness monitor

* cleanup

* add 404 check

* check

* better cleanup

* fix bug

* typo

* fix 404

* improve logging

* cleanup

* disable socket redirect

* avoid race condition with socket removal

* verify PID

* cleanup

* Update lib/autoupdate/agent/process.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* feedback

* fix subtle race condition

* debugging

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [teleport-update] Allow teleport-update uninstall to succeed with non-packaged installs (#51576)

* Treat missing source bin dir same as missing binaries

* prevent linking package outside /usr/local/bin

* Apply suggestions from code review

* [teleport-update] use new updater to reload and verify Teleport (#51734)

* wip

* finish implementation

* fix tests

* test setup

* remove stale data

* bug

* spelling

* pass log format and debug through

* feedback

* [teleport-update] Read proxy from teleport.yaml to improve UX (#51633)

* derive proxy from config

* fix parsing

* cleanup

* require force for uninstall (#51973)

* [teleport-update] add insecure flag for testing (#52019)

* insecure flag

* fmt

* [teleport-update] skip updater setup when systemd is missing (#52022)

* skip updater installation when systemd is missing

* test

* wording

* [teleport-update] Ensure stable interface between versions of teleport-update (#52152)

* refactor data dir

* finish refactor

* fix path

* cleanup

* more tests

* lint

* prevent notice failure without systemd

* feedback

* url

* revert log level change (#52416)

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [v17] [teleport-update] Fix usage of default $PATH dir, overrides, and hanging (#52608)

* Fix usage of default path

* fix other overrides

* fix hang on start

* [v17] [teleport-update] Set umask 0022 for teleport-update to avoid errors on enable (#52755)

* Set umask 0022 for teleport-update

* init -> main

* refactor

* move const

* add flag

* missed not

* fix inequality

* remove flag

* dead code

* docs

* docs 2

* feedback

* [v17] [teleport-update] Support for CentOS 7 (#53017)

* support systemd down to 219

* comments

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Missed check on additional use of IsPresent

* adjustments from testing various versions of centos7

* Typo

* Use dedicated error for version incompat

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* [v17] [teleport-update] Improve clarity of error logs and address UX edge cases (#53048)

* Usability fixes

* cancel jitter

* root + fix logs

* check extra case

* cleanup

* extra warning

* tests

* feedback

* add newlines

* adjust message

* consistent error type

* update UI snapshots

* [v17] Backport packaging restructuring and teleport-update build (#52361)

* [teleport-update] Add Makefile build target (#48531)

* Add build target for teleport-update

* Set CGO_ENABLED=0 for building teleport-update

* [teleport-update] Add teleport-update to build and archive (#48839)

* Add teleport-update to build and archive

* Add teleport-update to install scripts

* Add build flags without buildmode pie

* Add helper message for install.sh script

* Exclude teleport-update from darwin platform

* Add teleport-update to rpm and deb packages

* Remove teleport-update from deb, rpm packages
Add comment for the buildflags

* [teleport-update] Move teleport binaries to new path {deb,rpm} (#49110)

* Move teleport binaries to new path

* Use link/unlink command to manage links
Move teleport.service to new path

* Move teleport binaries under standard path for distroless
Cleanup

* Fix wrong move path

* Create missing directory

* Rename link/unlink commands

* Exclude teleport-update from docker image
Systemd reload now managed by teleport-update
Make safe unlink not to block package removal

* Add teleport-update to AMI image build

* Fix RPM build, fpm automatically manage scripts

* Fix AMI build, add missing teleport.service

* Move binaries to /opt/teleport/system

* Add check to installation script when we copy files from tarball (#50368)

* bump e

* Fix RPM linking logic (#52704)

* Use quoting style supported by pre-2015 systemd (#53179) (#53196)

* [teleport-update] Additional log message and UX cleanup (#53180) (#53197)

* More teleport-update UX cleanup

* cleanup overwrite error

* cleanup

* more cleanup

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
github-merge-queue bot pushed a commit that referenced this pull request Apr 22, 2025
* [v15] RFD 184: managed updates v2, server-side logic, client, and package

* Add autoupdate agent protos (#47666)

* Add autoupdate agent protos

* fix tests

* Add create/update/delete RPCs + add missing event proto

* Update api/proto/teleport/autoupdate/v1/autoupdate.proto

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* address timr's feedback + fix tests

* buf lint

* buf lint pt.2

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* fix agent autoupdate protos (#47830)

* Add autoupdate agent type validations (#47831)

* Add autoupdate agent validations

* Add AutoUpdateAgentRollout constants

* Fix autoupdate API licenses

Teleport's `api/` and `integrations/` should be Apache-licensed.

Only the main teleport process should be licensed under AGPLv3.

* address feedback

* Add AutoUpdateAgentRollout service and cache (#47833)

* Fix defaults on incomplete AU config or version resources (#47872)

* Fix panic on incomplete AU config or version resources

* lint

* address tiago's feedback

* [v17] enforce conditional updates on AutoUpdate* + rename typos (#48390)

* enforce conditional updates on AutoUpdate* + rename typos

* fix tests

* [v17] implement autoupdate_agent_rollout reconciler (#48944)

* implement autoupdate_agent_rollout reconciler

* address edoardo's feedback

* address edoardo's feedback pt.2

* fixup! address edoardo's feedback

* lint

* [v17] RFD 184: automatic updates, server-side logic (#52275)

* Implement immediate schedule support for automatic updates (#47920)

* Implement immediate schedule support

* expose edition, fips, and ensure ping endpoint answers

* fix after rebase

* fix cache tests

* introduce webclient.ReusableClient (#49296)

* Move autoupdate code in proxy to make more sense (#49484)

* Move autoupdate code in proxy to make more sense

* lint + godoc

* Start `autoupdate_agent_rollout` controller in auth service (#49101)

* run autoupdate_agent_rollout controller

* Recover from panics inside the controller

* Address tim's feedback

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* kube-agent-updater: add RFD-184 trigger and version getter (#49297)

* add proxy version getter and maintenance trigger

* add failover trigger and versionGetter

* lint

* Apply suggestions from code review

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* address marco's feedback

* licensing

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Rename lib/kubernetestoken to lib/kube/token (#49554)

* Rename lib/kubernetestoken to lib/kube/token

* Lint

* Make the proxy read from autoupdate_agent_rollout (#49380)

* Add autoupdate_agent_rollout support

* fix ping proxy tests

* address creack's feedback

* Address sclevine's feedback

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* fix panic in tests

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* Fix flaky TestAutoUpdateAgentShouldUpdate (#49883)

* Fix flaky TestAutoUpdateAgentShouldUpdate

* Update lib/web/apiserver_ping_test.go

* Update lib/web/autoupdate_common_test.go

* autoupdate: reconcile rollout status and add strategy interface (#49735)

* autoupdate: reconcile rollout status and add strategy interface

* fix missing constants + add license

* lint

* fix proto field id

* Fix flaky TestAgentRolloutController (#49886)

* Fix flaky TestAgentRolloutController

* switch to real clock + increase Eventually timeout

* Make reconciliation period a parameter + add TELEPORT_UNSTABLE env var

* Update lib/service/service_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Remove env var

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Compute global rollout state (#49945)

* Compute global rollout state

* Simplify + missing wrong proto message description

* lint

* simplify

* for edoardo

* fix compute status test

* autoupdate: implement time-based strategy (#49736)

This commit implements the time-based rollout strategy described in
RFD 184. The autoupdate_agent_rollout controller will make the groups
active based on their start days, start hour, and maintenance duration.
Once the maintenance window is over, the group becomes DONE.
In the DONE state, new agents will install the target version but
existing agents will no longer be told to actively update.

* Use CMC as default config when set (#50039)

* autoupdate: Use CMC as default config when set

Part of: [RFD-184](#47126)

This commit implements backward compatibility when CMC is specified.
After this PR, if the user has no `autoupdate_config` resource but a
`cluster_maintenance_config` resource from RFD 109, we will use the CMC
to generate the config (update hour and update days) and craft the
`autoupdate_agent_rollout`.

* Update lib/autoupdate/rollout/client_test.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* address feedback

* lint

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Change autoupdate proto messages (#50234)

* Change autoupdate proto messages

This commit does 3 changes:
- reflect the maintenance duration on the rollout in a new spec field
- add a rollout start time field in its status
- change wait_days into wait_hours

* int64 -> int32 for consistency with other fields

* Add autoupdate_config and autoupdate_agent_rollout validation (#50181)

This commit removes the restrictions of the autoupdate_agent_rollout and autoupdate_config schedules but adds groups validation.

It also adds some optional server-side validation that should not be enforced at the resource level.

* autoupdate: implement halt-on-error strategy (#49737)

* autoupdate: implement halt-on-error strategy

* rewrite wait_days logic into wait_hours

* Apply suggestions from code review

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* add tctl create/get/edit support for autoupdate_agent_rollout (#50393)

* add tctl create/get/edit support for autoupdate_agent_rollout

* fix bad copy paste

* set rollout start date and don't start updating if rollout just changed (#50365)

This commit does two changes:
- the controller now sets the rollout start time when resetting the
  rollout
- the controller will not start a group if the rollout changed during
  the maintenance window (checks if the rollout start time is in the
  window)

* Reduce clock usage + add time and period override in rollout controller (#50634)

* Enable strategies in the autoupdate rollout controller (#50635)

* autoupdate rollout: honour the maintenance window duration (#50745)

* autoupdate rollout: honour the maintenance window duration

* Update lib/autoupdate/rollout/reconciler.go

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Address feedback

* Update lib/autoupdate/rollout/strategy.go

---------

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Add autoupdate controller metrics (#50807)

* Add autoupdate controller metrics

* Do not panic in case of error conflict

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible (#50464)

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible

* Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* log update group

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Add 'tctl autoupdate agents status' (#51079)

* Ensure proxy version getter adds the leading 'v' (#51687)

* Always create debug socket and expose health endpoints (#51616)

* Always create debug socket and expose health endpoints

* Consolidate the diagnostic multiplexers in a single function

* Fix tests

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix autoupdate rollout controller metrics (#51803)

* kube-agent-updater pre-release builds trust the staging repo + insecure validator private repo fix (#51815)

* Fix insecure resolver in private repos + trust pre-release builds

* fixup! Fix insecure resolver in private repos + trust pre-release builds

* Use new autoupdate APIs in discovery service (#51758)

* Remove name parameter from proxy version getter

* Use autoupdate_agent_rollout as a source of version in scripts and integrations

* Fix tests

* Handle gracefully absence of a proxy in kube discovery service

* Update lib/srv/discovery/kube_integration_watcher.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Address marco's feedback

* Address marco's feedback pt.2

* Gracefully handle if we can't get autoupdate version

* fixup! Update lib/srv/discovery/kube_integration_watcher.go

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Autoupdate changelog entry in v17.3

* Fix tests after rebase, pt.1

* Update front preset fixtures since the preset role changed

* Add install script using teleport-update and oneoff.sh (#52155)

* Refactor node-join script to take safer options and reuse install option logic (#52196)

* Add install script using teleport-update and oneoff.sh

* Refactor node-join script to take safer options and reuse install option logic

* GoDoc + make functions private

* Address edoardo's feedback

* Allow prerelease Teleport to install official artifacts (#52444)

* Accept to install CE when running an AGPL build for backward compat

* Bump e to fix build (oneoff args change)

* Make node install scripts install Teleport via teleport-update (#52226)

* Make the node install script use teleport-update

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix curl args + address bash exec comments

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Use install.sh in discovery's default installer (#52368)

* Use install.sh in discovery's default installer

* fixup! Use install.sh in discovery's default installer

* Address marco's feedback

* Update lib/auth/grpcserver.go

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Update lib/srv/server/installer/defaultinstallers.go

* apply edoardo's feedback + write script to file

* Execute the downloaded shell script

* Add snapshot tests

* fixup! Add snapshot tests

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Fix error after rebase

* Fix test after rebase

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* [v17] Modulate install script when managed updates v2 are off (#52609)

* Modulate install script when managed updates v2 are off

* fixup! Modulate install script when managed updates v2 are off

* Address Stephen's feedback

* Set the autoupdate singleton names (#52751)

* Add autoupdate events to web UI (#52748) (#52838)

* Add autoupdate events to web UI

* lint

* Fix backport to include the label fix

* lint

* fix tests

* Add teleport-update binary scaffolding and disable command (#46418)

* Add main.go

* wip

* group flag

* wip

* wip

* mvp

* wip

* separate files

* cleanup

* jitter

* scaffold only

* remove teleport changes

* remove teleport changes - group

* test

* test lock

* remove edition

* feedback

* clarify default data dir

* cleanup

* move version to status

* consistent naming for update.yaml

* improve lock test

* explain lint

* use shared locking logic

* fix test

* Move disable logic to lib

* feedback

* switch to default transport

* [teleport-update] Add enable command (#47565)

* Add enable scaffold

* add installer

* refactor

* add enable tests

* clean up download logic

* Finish installer tests

* cleanup

* fix flags

* fix errors

* logging

* cleanup

* fix test

* Fix download size logic

* remove agent prefixes

* namespace package

* rename file

* feedback

* fips and ent support

* hide force version

* feedback

* feedback 2

* fix test

* move enterprise/fips to webapi

* Fix interface

* RFD 0184: Automatic Updates for Teleport Agents (#47126)

* Create 0169-auto-updates-linux-agents.md

* Fix github handle

* Fix Github handle

* Clarify jitter flag

* Remove time question

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* add editions

* Installers and docs

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Downgrades

* Feedback

* Update 0169-auto-updates-linux-agents.md

* Remove last working copy of teleport

* add step to ensure free disk space

* Typos

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* feedback

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* apt purge

* Only enable auto-upgrades if successful

* reentrant lock

* reset

* Update 0169-auto-updates-linux-agents.md

* add note on backups

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Clarify restore/rollback process and validations

* Added section on logging

* Add schedules

* immediate schedule + note on cycles and chains

* more details, more tctl commands

* Update 0169-auto-updates-linux-agents.md

* scalability

* df

* content-length

* cache init

* binary

* more rollout mechanism changes

* scalability

* more scalability

* use 100kib pages for plan

* Add RPCs, tweak API design

* clarify wording

* wording

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* linting

* Move all RPCs into autoupdate/v1

* Move groups to MVP

* note about checksum

* typos, consistency

* clarify binary is teleport-update, package is teleport-ent-updater

* switch from df to unix.Statfs

* security feedback + naming adjustments

* tweak rollout paging

* tweak rollout paging again

* feedback

* adjust update.yaml to match implementation feedback

* wip - new model

* canaries

* canary 2

* describe state, transitions, and proxy response

* rpcs

* finish rpcs

* minor tweaks

* Add user stories

* Put new requirements at the top + edit UX + add TODOs

* Edition work

* cleanup + swap phases 1 and 2

* Move protobuf

* Add installation scenarios

* cleanup + move backpressure formulas

* more cleanup

* rename to unused number

* fix title

* more cleanup

* correct inconsistencies

* fix more inconsistencies

* missing proxy flag

* typo

* Add CLI reference

* feedback

* alerts note

* typos

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* clarify canary logic

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Support for multiple installations / tarball

* Address reviewer's feedback

- Rephrase the UX section to not assume prior canary knowledge
- Explicit how the canaries are picked, the limitations, and potential
  improvements
- replace node with instance to avoid confusion between ssh nodes and
  generic teleport agent instances
- Explicit how the previous updater interacts with the new one
- More explicit names for command line args

* agent_plan -> agent_rollout + reuse autoupdate_config

* align tool version

* Move package system dir

* add time-based strategy

* rename previous-must-succeed -> halt-on-failure

---------

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com>

* [v17] RFD 184: Agent Automatic Updates, teleport-update (#52372)

* [teleport-update] Add linking into /usr/local (#47879)

* clean up download logic

* Finish installer tests

* fips and ent support

* feedback

* move enterprise/fips to webapi

* wip

* wip2

* add cleanup

* fix extract

* wip

* fix tests

* remove safety

* cleanup

* cleanup extract

* cleanup

* cleanup

* fix bugs

* cleanup

* [teleport-update] Use new webapi fields to find version (#47961)

* Adapt teleport-update to new webapi endpoints

* feedback

* [teleport-update] Add support for reloading the agent & reverting symlinks on failed reload (#47929)

* wip

* cleanup

* comments

* test wip

* test link revert

* tests

* cleanup

* cleanup more

* comments

* comments

* errors

* comments

* linting

* fix bugs

* fix typo

* cleanup

* cleanup

* fix revert

* lint

* feedback

* fix

* fix test

* clarify comment

* use afterfunc

* [teleport-update] Add update subcommand (#48244)

* Add update subcommand

* fix

* lint

* add command

* warn on known edition

* warn on unknown edition for update

* [teleport-update] Add link subcommand (#48712)

* wip

* refactor

* docs

* updater

* add link command

* test LinkPackage

* cleanup

* fix enterprise paths

* fix systemd linking

* typo

* comment

* comments

* typo

* feedback

* adjust systemd service locations

* cleanup tests, adjust service link path

* [teleport-update] PID-based failure detection and rollback (#49175)

* Extract from other PR

* comments

* string

* [teleport-update] Add systemd setup (#49174)

* service and timer

* comments

* feedback

* feedback

* [teleport-update] Add unlink-package command (#49250)

* unlink

* test

* lock type

* comments

* cleanup

* Update lib/autoupdate/agent/installer.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Add support for version pinning (#49307)

* pinning

* cleanup

* unskip

* cleanup

* unpin

* typo

* [teleport-update] status subcommand (#49308)

* status

* cleanup

* comments

* cleanup output by removing optional fields

* rebase fix

* [teleport-update] Uninstall subcommand (#49341)

* Uninstall

* tests

* comment

* Short-circuit link package on pinned

* log

* move error

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* fix

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Protect against disk space leaks (#49309)

* cleanup unused

* cleanup

* cleanup

* [teleport-update] Show warning instead of return error for link/unlink (#49334)

* Add warning instead of return error for link/unlink

* Add test for sync call with ErrNotSupported

* Change warning message

* [teleport-update] Isolated installation suffix (#49364)

* namespacing

* words

* cli

* fix

* err

* use structured logs consistently

* comments

* bugs

* test

* switch to new paths

* test

* adjust

* reserved

* cleanup

* cleanup

* docs

* fix uninstall

* test

* simplify init

* cleanup

* namespace -> install-suffix

* log

* [teleport-update] Fix usage of trace (#49388)

* fix trace

* rebase

* [teleport-update] Support for Enterprise/FIPS migration (#49451)

* store ent/fips data

cleanup

formatting

revert updater rename

cleanup

Update lib/autoupdate/agent/config.go

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

feedback

* feedback

* feedback

* lint

* [teleport-update] Display download progress and stats (#49805)

* download progress

* typo

* sub -> since

* time -> duration

* [teleport-update] update --now (#49807)

* update --now

* testdata

* [teleport-update] Adjust download progress log output (#49845)

* adjust logger

* fix

* fix

* Extended binary validations (#49748)

* [teleport-update] needrestart and systemd drop-in (#49806)

* wip

* Add more config

* nit

* feedback

* Fix duplicate teleport-update short command (#50304)

* [teleport-update] Version reporting and deprecated upgrader management (#50266)

* wip

* telemetry

* abs

* fix

* tests

* Disable deprecated timer

* keep schedule on non-suffixed

* Update maintenance.go

* Update lib/autoupdate/agent/setup.go

* update warnings

* feedback pt 1

* feedback pt 2

* headers

* [teleport-update] Remove warning when running Teleport on platforms without systemd (#51465)

* improve detection logic on non-systemd platforms

* adjust

* remove OS check

* [teleport-update] common MakeURL with ability to override BaseURL (#51383)

* Add templates for client tools auto-update download url

* Change to base url setting by env

MakeURL moved to common function to be general for both, agent and client tools

* Reuse MakeURL moved to common package

* Fix linter warning

* Add common env variable to override base url

* Remove template from interface

* Make template exported
Change a stale comment

* Remove unused code

* [teleport-update] Adjustments for SELinux (#51474)

* selinux fixes

* extra checks

* lint

* lint

* cleanup

* better cleanup

* fix rebase

* [teleport-update] Add --overwrite flag to replace tarball installations (#51579)

* add --overwrite flag

* extra warning

* [teleport-update] Only use CDN for community / enterprise editions (#51726)

* Only use CDN for community / enterprise

* wording

* [teleport-update] Warn instead of erroring when disabling the deprecated updater (#51759)

* Warn instead of erroring when disabling old updater

* Update lib/service/service.go

* Update lib/service/service.go

* [teleport-update] Adjust non-critical SELinux contexts (#51793)

* correct selinux contexts

* Update lib/autoupdate/agent/installer.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update lib/autoupdate/agent/installer.go

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* [teleport-update] Add proper healthcheck for agents (#51613)

* Add socket readiness monitor

* cleanup

* add 404 check

* check

* better cleanup

* fix bug

* typo

* fix 404

* improve logging

* cleanup

* disable socket redirect

* avoid race condition with socket removal

* verify PID

* cleanup

* Update lib/autoupdate/agent/process.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* feedback

* fix subtle race condition

* debugging

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [teleport-update] Allow teleport-update uninstall to succeed with non-packaged installs (#51576)

* Treat missing source bin dir same as missing binaries

* prevent linking package outside /usr/local/bin

* Apply suggestions from code review

* [teleport-update] use new updater to reload and verify Teleport (#51734)

* wip

* finish implementation

* fix tests

* test setup

* remove stale data

* bug

* spelling

* pass log format and debug through

* feedback

* [teleport-update] Read proxy from teleport.yaml to improve UX (#51633)

* derive proxy from config

* fix parsing

* cleanup

* require force for uninstall (#51973)

* [teleport-update] add insecure flag for testing (#52019)

* insecure flag

* fmt

* [teleport-update] skip updater setup when systemd is missing (#52022)

* skip updater installation when systemd is missing

* test

* wording

* [teleport-update] Ensure stable interface between versions of teleport-update (#52152)

* refactor data dir

* finish refactor

* fix path

* cleanup

* more tests

* lint

* prevent notice failure without systemd

* feedback

* url

* revert log level change (#52416)

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [v17] [teleport-update] Fix usage of default $PATH dir, overrides, and hanging (#52608)

* Fix usage of default path

* fix other overrides

* fix hang on start

* [v17] [teleport-update] Set umask 0022 for teleport-update to avoid errors on enable (#52755)

* Set umask 0022 for teleport-update

* init -> main

* refactor

* move const

* add flag

* missed not

* fix inequality

* remove flag

* dead code

* docs

* docs 2

* feedback

* [v17] [teleport-update] Support for CentOS 7 (#53017)

* support systemd down to 219

* comments

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Missed check on additional use of IsPresent

* adjustments from testing various versions of centos7

* Typo

* Use dedicated error for version incompat

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* [v17] [teleport-update] Improve clarity of error logs and address UX edge cases (#53048)

* Usability fixes

* cancel jitter

* root + fix logs

* check extra case

* cleanup

* extra warning

* tests

* feedback

* add newlines

* adjust message

* consistent error type

* update UI snapshots

* [v17] Backport packaging restructuring and teleport-update build (#52361)

* [teleport-update] Add Makefile build target (#48531)

* Add build target for teleport-update

* Set CGO_ENABLED=0 for building teleport-update

* [teleport-update] Add teleport-update to build and archive (#48839)

* Add teleport-update to build and archive

* Add teleport-update to install scripts

* Add build flags without buildmode pie

* Add helper message for install.sh script

* Exclude teleport-update from darwin platform

* Add teleport-update to rpm and deb packages

* Remove teleport-update from deb, rpm packages
Add comment for the buildflags

* [teleport-update] Move teleport binaries to new path {deb,rpm} (#49110)

* Move teleport binaries to new path

* Use link/unlink command to manage links
Move teleport.service to new path

* Move teleport binaries under standard path for distroless
Cleanup

* Fix wrong move path

* Create missing directory

* Rename link/unlink commands

* Exclude teleport-update from docker image
Systemd reload now managed by teleport-update
Make safe unlink not to block package removal

* Add teleport-update to AMI image build

* Fix RPM build, fpm automatically manage scripts

* Fix AMI build, add missing teleport.service

* Move binaries to /opt/teleport/system

* Add check to installation script when we copy files from tarball (#50368)

* bump e

* Fix RPM linking logic (#52704)

* Use quoting style supported by pre-2015 systemd (#53179) (#53196)

* [teleport-update] Additional log message and UX cleanup (#53180) (#53197)

* More teleport-update UX cleanup

* cleanup overwrite error

* cleanup

* more cleanup

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Craft a teleport-update based installer compatible with v15 code

* fix frontend lint issue (not introduced by us?)

* remove AGPL tests in updater as v15 oss is not AGPL

* [teleport-update] Add local updater metadata (#53602) (#53829)

* add metadata

* newline

* cleanup status error

* refactor status error

* fix print

* order

* fix test on linux

* Truncate time to ms

* add host param to request

* jitter locally

* rename host to id

* rename func var

* [v16] [teleport-update] Stop writing updater ID from teleport-update (#54012)

* new strategy: use deterministic boot-persistent id

* add error

* check id length

* unexport machine id

* Set group to 'default' if unset + avoid setting default group in config (#54049)

* [v16] [teleport-update] Change strategy for disabling teleport-upgrade timer (#54086)

* Change strategy for disabling old upgrader

* logging

* remove file

* remove const

* cleanup

* comment about namespaced installs

* re-remove AGPL-related tests as there's no AGPL Teleport v15

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
hugoShaka added a commit that referenced this pull request May 1, 2025
* [v15] RFD 184: managed updates v2, server-side logic, client, and package

* Add autoupdate agent protos (#47666)

* Add autoupdate agent protos

* fix tests

* Add create/update/delete RPCs + add missing event proto

* Update api/proto/teleport/autoupdate/v1/autoupdate.proto

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* address timr's feedback + fix tests

* buf lint

* buf lint pt.2

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* fix agent autoupdate protos (#47830)

* Add autoupdate agent type validations (#47831)

* Add autoupdate agent validations

* Add AutoUpdateAgentRollout constants

* Fix autoupdate API licenses

Teleport's `api/` and `integrations/` should be Apache-licensed.

Only the main teleport process should be licensed under AGPLv3.

* address feedback

* Add AutoUpdateAgentRollout service and cache (#47833)

* Fix defaults on incomplete AU config or version resources (#47872)

* Fix panic on incomplete AU config or version resources

* lint

* address tiago's feedback

* [v17] enforce conditional updates on AutoUpdate* + rename typos (#48390)

* enforce conditional updates on AutoUpdate* + rename typos

* fix tests

* [v17] implement autoupdate_agent_rollout reconciler (#48944)

* implement autoupdate_agent_rollout reconciler

* address edoardo's feedback

* address edoardo's feedback pt.2

* fixup! address edoardo's feedback

* lint

* [v17] RFD 184: automatic updates, server-side logic (#52275)

* Implement immediate schedule support for automatic updates (#47920)

* Implement immediate schedule support

* expose edition, fips, and ensure ping endpoint answers

* fix after rebase

* fix cache tests

* introduce webclient.ReusableClient (#49296)

* Move autoupdate code in proxy to make more sense (#49484)

* Move autoupdate code in proxy to make more sense

* lint + godoc

* Start `autoupdate_agent_rollout` controller in auth service (#49101)

* run autoupdate_agent_rollout controller

* Recover from panics inside the controller

* Address tim's feedback

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* kube-agent-updater: add RFD-184 trigger and version getter (#49297)

* add proxy version getter and maintenance trigger

* add failover trigger and versionGetter

* lint

* Apply suggestions from code review

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* address marco's feedback

* licensing

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Rename lib/kubernetestoken to lib/kube/token (#49554)

* Rename lib/kubernetestoken to lib/kube/token

* Lint

* Make the proxy read from autoupdate_agent_rollout (#49380)

* Add autoupdate_agent_rollout support

* fix ping proxy tests

* address creack's feedback

* Address sclevine's feedback

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* fix panic in tests

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* Fix flaky TestAutoUpdateAgentShouldUpdate (#49883)

* Fix flaky TestAutoUpdateAgentShouldUpdate

* Update lib/web/apiserver_ping_test.go

* Update lib/web/autoupdate_common_test.go

* autoupdate: reconcile rollout status and add strategy interface (#49735)

* autoupdate: reconcile rollout status and add strategy interface

* fix missing constants + add license

* lint

* fix proto field id

* Fix flaky TestAgentRolloutController (#49886)

* Fix flaky TestAgentRolloutController

* switch to real clock + increase Eventually timeout

* Make reconciliation period a parameter + add TELEPORT_UNSTABLE env var

* Update lib/service/service_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Remove env var

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Compute global rollout state (#49945)

* Compute global rollout state

* Simplify + missing wrong proto message description

* lint

* simplify

* for edoardo

* fix compute status test

* autoupdate: implement time-based strategy (#49736)

This commit implements the time-based rollout strategy described in
RFD 184. The autoupdate_agent_rollout controller will make the groups
active based on their start days, start hour, and maintenance duration.
Once the maintenance window is over, the group becomes DONE.
In the DONE state, new agents will install the target version but
existing agents will no longer be told to actively update.

* Use CMC as default config when set (#50039)

* autoupdate: Use CMC as default config when set

Part of: [RFD-184](#47126)

This commit implements backward compatibility when CMC is specified.
After this PR, if the user has no `autoupdate_config` resource but a
`cluster_maintenance_config` resource from RFD 109, we will use the CMC
to generate the config (update hour and update days) and craft the
`autoupdate_agent_rollout`.

* Update lib/autoupdate/rollout/client_test.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* address feedback

* lint

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Change autoupdate proto messages (#50234)

* Change autoupdate proto messages

This commit does 3 changes:
- reflect the maintenance duration on the rollout in a new spec field
- add a rollout start time field in its status
- change wait_days into wait_hours

* int64 -> int32 for consistency with other fields

* Add autoupdate_config and autoupdate_agent_rollout validation (#50181)

This commit removes the restrictions of the autoupdate_agent_rollout and autoupdate_config schedules but adds groups validation.

It also adds some optional server-side validation that should not be enforced at the resource level.

* autoupdate: implement halt-on-error strategy (#49737)

* autoupdate: implement halt-on-error strategy

* rewrite wait_days logic into wait_hours

* Apply suggestions from code review

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* add tctl create/get/edit support for autoupdate_agent_rollout (#50393)

* add tctl create/get/edit support for autoupdate_agent_rollout

* fix bad copy paste

* set rollout start date and don't start updating if rollout just changed (#50365)

This commit does two changes:
- the controller now sets the rollout start time when resetting the
  rollout
- the controller will not start a group if the rollout changed during
  the maintenance window (checks if the rollout start time is in the
  window)

* Reduce clock usage + add time and period override in rollout controller (#50634)

* Enable strategies in the autoupdate rollout controller (#50635)

* autoupdate rollout: honour the maintenance window duration (#50745)

* autoupdate rollout: honour the maintenance window duration

* Update lib/autoupdate/rollout/reconciler.go

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Address feedback

* Update lib/autoupdate/rollout/strategy.go

---------

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Add autoupdate controller metrics (#50807)

* Add autoupdate controller metrics

* Do not panic in case of error conflict

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible (#50464)

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible

* Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* log update group

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Add 'tctl autoupdate agents status' (#51079)

* Ensure proxy version getter adds the leading 'v' (#51687)

* Always create debug socket and expose health endpoints (#51616)

* Always create debug socket and expose health endpoints

* Consolidate the diagnostic multiplexers in a single function

* Fix tests

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix autoupdate rollout controller metrics (#51803)

* kube-agent-updater pre-release builds trust the staging repo + insecure validator private repo fix (#51815)

* Fix insecure resolver in private repos + trust pre-release builds

* fixup! Fix insecure resolver in private repos + trust pre-release builds

* Use new autoupdate APIs in discovery service (#51758)

* Remove name parameter from proxy version getter

* Use autoupdate_agent_rollout as a source of version in scripts and integrations

* Fix tests

* Handle gracefully absence of a proxy in kube discovery service

* Update lib/srv/discovery/kube_integration_watcher.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Address marco's feedback

* Address marco's feedback pt.2

* Gracefully handle if we can't get autoupdate version

* fixup! Update lib/srv/discovery/kube_integration_watcher.go

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Autoupdate changelog entry in v17.3

* Fix tests after rebase, pt.1

* Update front preset fixtures since the preset role changed

* Add install script using teleport-update and oneoff.sh (#52155)

* Refactor node-join script to take safer options and reuse install option logic (#52196)

* Add install script using teleport-update and oneoff.sh

* Refactor node-join script to take safer options and reuse install option logic

* GoDoc + make functions private

* Address edoardo's feedback

* Allow prerelease Teleport to install official artifacts (#52444)

* Accept to install CE when running an AGPL build for backward compat

* Bump e to fix build (oneoff args change)

* Make node install scripts install Teleport via teleport-update (#52226)

* Make the node install script use teleport-update

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix curl args + address bash exec comments

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Use install.sh in discovery's default installer (#52368)

* Use install.sh in discovery's default installer

* fixup! Use install.sh in discovery's default installer

* Address marco's feedback

* Update lib/auth/grpcserver.go

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Update lib/srv/server/installer/defaultinstallers.go

* apply edoardo's feedback + write script to file

* Execute the downloaded shell script

* Add snapshot tests

* fixup! Add snapshot tests

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Fix error after rebase

* Fix test after rebase

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* [v17] Modulate install script when managed updates v2 are off (#52609)

* Modulate install script when managed updates v2 are off

* fixup! Modulate install script when managed updates v2 are off

* Address Stephen's feedback

* Set the autoupdate singleton names (#52751)

* Add autoupdate events to web UI (#52748) (#52838)

* Add autoupdate events to web UI

* lint

* Fix backport to include the label fix

* lint

* fix tests

* Add teleport-update binary scaffolding and disable command (#46418)

* Add main.go

* wip

* group flag

* wip

* wip

* mvp

* wip

* separate files

* cleanup

* jitter

* scaffold only

* remove teleport changes

* remove teleport changes - group

* test

* test lock

* remove edition

* feedback

* clarify default data dir

* cleanup

* move version to status

* consistent naming for update.yaml

* improve lock test

* explain lint

* use shared locking logic

* fix test

* Move disable logic to lib

* feedback

* switch to default transport

* [teleport-update] Add enable command (#47565)

* Add enable scaffold

* add installer

* refactor

* add enable tests

* clean up download logic

* Finish installer tests

* cleanup

* fix flags

* fix errors

* logging

* cleanup

* fix test

* Fix download size logic

* remove agent prefixes

* namespace package

* rename file

* feedback

* fips and ent support

* hide force version

* feedback

* feedback 2

* fix test

* move enterprise/fips to webapi

* Fix interface

* RFD 0184: Automatic Updates for Teleport Agents (#47126)

* Create 0169-auto-updates-linux-agents.md

* Fix github handle

* Fix Github handle

* Clarify jitter flag

* Remove time question

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* add editions

* Installers and docs

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Downgrades

* Feedback

* Update 0169-auto-updates-linux-agents.md

* Remove last working copy of teleport

* add step to ensure free disk space

* Typos

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* feedback

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* apt purge

* Only enable auto-upgrades if successful

* reentrant lock

* reset

* Update 0169-auto-updates-linux-agents.md

* add note on backups

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Clarify restore/rollback process and validations

* Added section on logging

* Add schedules

* immediate schedule + note on cycles and chains

* more details, more tctl commands

* Update 0169-auto-updates-linux-agents.md

* scalability

* df

* content-length

* cache init

* binary

* more rollout mechanism changes

* scalability

* more scalability

* use 100kib pages for plan

* Add RPCs, tweak API design

* clarify wording

* wording

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* linting

* Move all RPCs into autoupdate/v1

* Move groups to MVP

* note about checksum

* typos, consistency

* clarify binary is teleport-update, package is teleport-ent-updater

* switch from df to unix.Statfs

* security feedback + naming adjustments

* tweak rollout paging

* tweak rollout paging again

* feedback

* adjust update.yaml to match implementation feedback

* wip - new model

* canaries

* canary 2

* describe state, transitions, and proxy response

* rpcs

* finish rpcs

* minor tweaks

* Add user stories

* Put new requirements at the top + edit UX + add TODOs

* Edition work

* cleanup + swap phases 1 and 2

* Move protobuf

* Add installation scenarios

* cleanup + move backpressure formulas

* more cleanup

* rename to unused number

* fix title

* more cleanup

* correct inconsistencies

* fix more inconsistencies

* missing proxy flag

* typo

* Add CLI reference

* feedback

* alerts note

* typos

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* clarify canary logic

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Support for multiple installations / tarball

* Address reviewer's feedback

- Rephrase the UX section to not assume prior canary knowledge
- Explicit how the canaries are picked, the limitations, and potential
  improvements
- replace node with instance to avoid confusion between ssh nodes and
  generic teleport agent instances
- Explicit how the previous updater interacts with the new one
- More explicit names for command line args

* agent_plan -> agent_rollout + reuse autoupdate_config

* align tool version

* Move package system dir

* add time-based strategy

* rename previous-must-succeed -> halt-on-failure

---------

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com>

* [v17] RFD 184: Agent Automatic Updates, teleport-update (#52372)

* [teleport-update] Add linking into /usr/local (#47879)

* clean up download logic

* Finish installer tests

* fips and ent support

* feedback

* move enterprise/fips to webapi

* wip

* wip2

* add cleanup

* fix extract

* wip

* fix tests

* remove safety

* cleanup

* cleanup extract

* cleanup

* cleanup

* fix bugs

* cleanup

* [teleport-update] Use new webapi fields to find version (#47961)

* Adapt teleport-update to new webapi endpoints

* feedback

* [teleport-update] Add support for reloading the agent & reverting symlinks on failed reload (#47929)

* wip

* cleanup

* comments

* test wip

* test link revert

* tests

* cleanup

* cleanup more

* comments

* comments

* errors

* comments

* linting

* fix bugs

* fix typo

* cleanup

* cleanup

* fix revert

* lint

* feedback

* fix

* fix test

* clarify comment

* use afterfunc

* [teleport-update] Add update subcommand (#48244)

* Add update subcommand

* fix

* lint

* add command

* warn on known edition

* warn on unknown edition for update

* [teleport-update] Add link subcommand (#48712)

* wip

* refactor

* docs

* updater

* add link command

* test LinkPackage

* cleanup

* fix enterprise paths

* fix systemd linking

* typo

* comment

* comments

* typo

* feedback

* adjust systemd service locations

* cleanup tests, adjust service link path

* [teleport-update] PID-based failure detection and rollback (#49175)

* Extract from other PR

* comments

* string

* [teleport-update] Add systemd setup (#49174)

* service and timer

* comments

* feedback

* feedback

* [teleport-update] Add unlink-package command (#49250)

* unlink

* test

* lock type

* comments

* cleanup

* Update lib/autoupdate/agent/installer.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Add support for version pinning (#49307)

* pinning

* cleanup

* unskip

* cleanup

* unpin

* typo

* [teleport-update] status subcommand (#49308)

* status

* cleanup

* comments

* cleanup output by removing optional fields

* rebase fix

* [teleport-update] Uninstall subcommand (#49341)

* Uninstall

* tests

* comment

* Short-circuit link package on pinned

* log

* move error

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* fix

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Protect against disk space leaks (#49309)

* cleanup unused

* cleanup

* cleanup

* [teleport-update] Show warning instead of return error for link/unlink (#49334)

* Add warning instead of return error for link/unlink

* Add test for sync call with ErrNotSupported

* Change warning message

* [teleport-update] Isolated installation suffix (#49364)

* namespacing

* words

* cli

* fix

* err

* use structured logs consistently

* comments

* bugs

* test

* switch to new paths

* test

* adjust

* reserved

* cleanup

* cleanup

* docs

* fix uninstall

* test

* simplify init

* cleanup

* namespace -> install-suffix

* log

* [teleport-update] Fix usage of trace (#49388)

* fix trace

* rebase

* [teleport-update] Support for Enterprise/FIPS migration (#49451)

* store ent/fips data

cleanup

formatting

revert updater rename

cleanup

Update lib/autoupdate/agent/config.go

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

feedback

* feedback

* feedback

* lint

* [teleport-update] Display download progress and stats (#49805)

* download progress

* typo

* sub -> since

* time -> duration

* [teleport-update] update --now (#49807)

* update --now

* testdata

* [teleport-update] Adjust download progress log output (#49845)

* adjust logger

* fix

* fix

* Extended binary validations (#49748)

* [teleport-update] needrestart and systemd drop-in (#49806)

* wip

* Add more config

* nit

* feedback

* Fix duplicate teleport-update short command (#50304)

* [teleport-update] Version reporting and deprecated upgrader management (#50266)

* wip

* telemetry

* abs

* fix

* tests

* Disable deprecated timer

* keep schedule on non-suffixed

* Update maintenance.go

* Update lib/autoupdate/agent/setup.go

* update warnings

* feedback pt 1

* feedback pt 2

* headers

* [teleport-update] Remove warning when running Teleport on platforms without systemd (#51465)

* improve detection logic on non-systemd platforms

* adjust

* remove OS check

* [teleport-update] common MakeURL with ability to override BaseURL (#51383)

* Add templates for client tools auto-update download url

* Change to base url setting by env

MakeURL moved to common function to be general for both, agent and client tools

* Reuse MakeURL moved to common package

* Fix linter warning

* Add common env variable to override base url

* Remove template from interface

* Make template exported
Change a stale comment

* Remove unused code

* [teleport-update] Adjustments for SELinux (#51474)

* selinux fixes

* extra checks

* lint

* lint

* cleanup

* better cleanup

* fix rebase

* [teleport-update] Add --overwrite flag to replace tarball installations (#51579)

* add --overwrite flag

* extra warning

* [teleport-update] Only use CDN for community / enterprise editions (#51726)

* Only use CDN for community / enterprise

* wording

* [teleport-update] Warn instead of erroring when disabling the deprecated updater (#51759)

* Warn instead of erroring when disabling old updater

* Update lib/service/service.go

* Update lib/service/service.go

* [teleport-update] Adjust non-critical SELinux contexts (#51793)

* correct selinux contexts

* Update lib/autoupdate/agent/installer.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update lib/autoupdate/agent/installer.go

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* [teleport-update] Add proper healthcheck for agents (#51613)

* Add socket readiness monitor

* cleanup

* add 404 check

* check

* better cleanup

* fix bug

* typo

* fix 404

* improve logging

* cleanup

* disable socket redirect

* avoid race condition with socket removal

* verify PID

* cleanup

* Update lib/autoupdate/agent/process.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* feedback

* fix subtle race condition

* debugging

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [teleport-update] Allow teleport-update uninstall to succeed with non-packaged installs (#51576)

* Treat missing source bin dir same as missing binaries

* prevent linking package outside /usr/local/bin

* Apply suggestions from code review

* [teleport-update] use new updater to reload and verify Teleport (#51734)

* wip

* finish implementation

* fix tests

* test setup

* remove stale data

* bug

* spelling

* pass log format and debug through

* feedback

* [teleport-update] Read proxy from teleport.yaml to improve UX (#51633)

* derive proxy from config

* fix parsing

* cleanup

* require force for uninstall (#51973)

* [teleport-update] add insecure flag for testing (#52019)

* insecure flag

* fmt

* [teleport-update] skip updater setup when systemd is missing (#52022)

* skip updater installation when systemd is missing

* test

* wording

* [teleport-update] Ensure stable interface between versions of teleport-update (#52152)

* refactor data dir

* finish refactor

* fix path

* cleanup

* more tests

* lint

* prevent notice failure without systemd

* feedback

* url

* revert log level change (#52416)

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [v17] [teleport-update] Fix usage of default $PATH dir, overrides, and hanging (#52608)

* Fix usage of default path

* fix other overrides

* fix hang on start

* [v17] [teleport-update] Set umask 0022 for teleport-update to avoid errors on enable (#52755)

* Set umask 0022 for teleport-update

* init -> main

* refactor

* move const

* add flag

* missed not

* fix inequality

* remove flag

* dead code

* docs

* docs 2

* feedback

* [v17] [teleport-update] Support for CentOS 7 (#53017)

* support systemd down to 219

* comments

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Missed check on additional use of IsPresent

* adjustments from testing various versions of centos7

* Typo

* Use dedicated error for version incompat

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* [v17] [teleport-update] Improve clarity of error logs and address UX edge cases (#53048)

* Usability fixes

* cancel jitter

* root + fix logs

* check extra case

* cleanup

* extra warning

* tests

* feedback

* add newlines

* adjust message

* consistent error type

* update UI snapshots

* [v17] Backport packaging restructuring and teleport-update build (#52361)

* [teleport-update] Add Makefile build target (#48531)

* Add build target for teleport-update

* Set CGO_ENABLED=0 for building teleport-update

* [teleport-update] Add teleport-update to build and archive (#48839)

* Add teleport-update to build and archive

* Add teleport-update to install scripts

* Add build flags without buildmode pie

* Add helper message for install.sh script

* Exclude teleport-update from darwin platform

* Add teleport-update to rpm and deb packages

* Remove teleport-update from deb, rpm packages
Add comment for the buildflags

* [teleport-update] Move teleport binaries to new path {deb,rpm} (#49110)

* Move teleport binaries to new path

* Use link/unlink command to manage links
Move teleport.service to new path

* Move teleport binaries under standard path for distroless
Cleanup

* Fix wrong move path

* Create missing directory

* Rename link/unlink commands

* Exclude teleport-update from docker image
Systemd reload now managed by teleport-update
Make safe unlink not to block package removal

* Add teleport-update to AMI image build

* Fix RPM build, fpm automatically manage scripts

* Fix AMI build, add missing teleport.service

* Move binaries to /opt/teleport/system

* Add check to installation script when we copy files from tarball (#50368)

* bump e

* Fix RPM linking logic (#52704)

* Use quoting style supported by pre-2015 systemd (#53179) (#53196)

* [teleport-update] Additional log message and UX cleanup (#53180) (#53197)

* More teleport-update UX cleanup

* cleanup overwrite error

* cleanup

* more cleanup

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Craft a teleport-update based installer compatible with v15 code

* fix frontend lint issue (not introduced by us?)

* remove AGPL tests in updater as v15 oss is not AGPL

* [teleport-update] Add local updater metadata (#53602) (#53829)

* add metadata

* newline

* cleanup status error

* refactor status error

* fix print

* order

* fix test on linux

* Truncate time to ms

* add host param to request

* jitter locally

* rename host to id

* rename func var

* [v16] [teleport-update] Stop writing updater ID from teleport-update (#54012)

* new strategy: use deterministic boot-persistent id

* add error

* check id length

* unexport machine id

* Set group to 'default' if unset + avoid setting default group in config (#54049)

* [v16] [teleport-update] Change strategy for disabling teleport-upgrade timer (#54086)

* Change strategy for disabling old upgrader

* logging

* remove file

* remove const

* cleanup

* comment about namespaced installs

* re-remove AGPL-related tests as there's no AGPL Teleport v15

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

github-merge-queue bot pushed a commit that referenced this pull request May 12, 2025
* bump e

* Make UnknownResource proto-friendly (#54047)

* [v15] In-process metrics registry (#51204)

* Use a non-global metrics registry in Teleport (#50913)

* Support a non-global registry in Teleport

* lint

* Update lib/service/service.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Serve metrics from the local registry in the diagnostic service (#51031)

* Use local metrics registry in the diagnostic service

* Test metrics are served by the diag service

* Init local registry at runtime instead of config (#51074)

* lint

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Fix metrics registry after rebase

* set cmc to mon-thu (#53767)

* Fix CMC weekdays bug (#54076) (#54116)

* [v15] Backport manage updates v2 (#53286)

* [v15] RFD 184: managed updates v2, server-side logic, client, and package

* Add autoupdate agent protos (#47666)

* Add autoupdate agent protos

* fix tests

* Add create/update/delete RPCs + add missing event proto

* Update api/proto/teleport/autoupdate/v1/autoupdate.proto

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* address timr's feedback + fix tests

* buf lint

* buf lint pt.2

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* fix agent autoupdate protos (#47830)

* Add autoupdate agent type validations (#47831)

* Add autoupdate agent validations

* Add AutoUpdateAgentRollout constants

* Fix autoupdate API licenses

Teleport's `api/` and `integrations/` should be Apache-licensed.

Only the main teleport process should be licensed under AGPLv3.

* address feedback

* Add AutoUpdateAgentRollout service and cache (#47833)

* Fix defaults on incomplete AU config or version resources (#47872)

* Fix panic on incomplete AU config or version resources

* lint

* address tiago's feedback

* [v17] enforce conditional updates on AutoUpdate* + rename typos (#48390)

* enforce conditional updates on AutoUpdate* + rename typos

* fix tests

* [v17] implement autoupdate_agent_rollout reconciler (#48944)

* implement autoupdate_agent_rollout reconciler

* address edoardo's feedback

* address edoardo's feedback pt.2

* fixup! address edoardo's feedback

* lint

* [v17] RFD 184: automatic updates, server-side logic (#52275)

* Implement immediate schedule support for automatic updates (#47920)

* Implement immediate schedule support

* expose edition, fips, and ensure ping endpoint answers

* fix after rebase

* fix cache tests

* introduce webclient.ReusableClient (#49296)

* Move autoupdate code in proxy to make more sense (#49484)

* Move autoupdate code in proxy to make more sense

* lint + godoc

* Start `autoupdate_agent_rollout` controller in auth service (#49101)

* run autoupdate_agent_rollout controller

* Recover from panics inside the controller

* Address tim's feedback

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* kube-agent-updater: add RFD-184 trigger and version getter (#49297)

* add proxy version getter and maintenance trigger

* add failover trigger and versionGetter

* lint

* Apply suggestions from code review

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* address marco's feedback

* licensing

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Rename lib/kubernetestoken to lib/kube/token (#49554)

* Rename lib/kubernetestoken to lib/kube/token

* Lint

* Make the proxy read from autoupdate_agent_rollout (#49380)

* Add autoupdate_agent_rollout support

* fix ping proxy tests

* address creack's feedback

* Address sclevine's feedback

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* fix panic in tests

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* Fix flaky TestAutoUpdateAgentShouldUpdate (#49883)

* Fix flaky TestAutoUpdateAgentShouldUpdate

* Update lib/web/apiserver_ping_test.go

* Update lib/web/autoupdate_common_test.go

* autoupdate: reconcile rollout status and add strategy interface (#49735)

* autoupdate: reconcile rollout status and add strategy interface

* fix missing constants + add license

* lint

* fix proto field id

* Fix flaky TestAgentRolloutController (#49886)

* Fix flaky TestAgentRolloutController

* switch to real clock + increase Eventually timeout

* Make reconciliation period a parameter + add TELEPORT_UNSTABLE env var

* Update lib/service/service_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Remove env var

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Compute global rollout state (#49945)

* Compute global rollout state

* Simplify + missing wrong proto message description

* lint

* simplify

* for edoardo

* fix compute status test

* autoupdate: implement time-based strategy (#49736)

This commit implements the time-based rollout strategy described in
RFD 184. The autoupdate_agent_rollout controller will make the groups
active based on their start days, start hour, and maintenance duration.
Once the maintenance window is over, the group becomes DONE.
In the DONE state, new agents will install the target version but
existing agents will no longer be told to actively update.

* Use CMC as default config when set (#50039)

* autoupdate: Use CMC as default config when set

Part of: [RFD-184](#47126)

This commit implements backward compatibility when CMC is specified.
After this PR, if the user has no `autoupdate_config` resource but a
`cluster_maintenance_config` resource from RFD 109, we will use the CMC
to generate the config (update hour and update days) and craft the
`autoupdate_agent_rollout`.

* Update lib/autoupdate/rollout/client_test.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* address feedback

* lint

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Change autoupdate proto messages (#50234)

* Change autoupdate proto messages

This commit does 3 changes:
- reflect the maintenance duration on the rollout in a new spec field
- add a rollout start time field in its status
- change wait_days into wait_hours

* int64 -> int32 for consistency with other fields

* Add autoupdate_config and autoupdate_agent_rollout validation (#50181)

This commit removes the restrictions of the autoupdate_agent_rollout and autoupdate_config schedules but adds groups validation.

It also adds some optional server-side validation that should not be enforced at the resource level.

* autoupdate: implement halt-on-error strategy (#49737)

* autoupdate: implement halt-on-error strategy

* rewrite wait_days logic into wait_hours

* Apply suggestions from code review

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

---------

Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>

* add tctl create/get/edit support for autoupdate_agent_rollout (#50393)

* add tctl create/get/edit support for autoupdate_agent_rollout

* fix bad copy paste

* set rollout start date and don't start updating if rollout just changed (#50365)

This commit does two changes:
- the controller now sets the rollout start time when resetting the
  rollout
- the controller will not start a group if the rollout changed during
  the maintenance window (checks if the rollout start time is in the
  window)

* Reduce clock usage + add time and period override in rollout controller (#50634)

* Enable strategies in the autoupdate rollout controller (#50635)

* autoupdate rollout: honour the maintenance window duration (#50745)

* autoupdate rollout: honour the maintenance window duration

* Update lib/autoupdate/rollout/reconciler.go

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Address feedback

* Update lib/autoupdate/rollout/strategy.go

---------

Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Add autoupdate controller metrics (#50807)

* Add autoupdate controller metrics

* Do not panic in case of error conflict

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible (#50464)

* kube-agent-update: Use the RFD-184 webapi proxy update protocol by default when possible

* Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* log update group

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Add 'tctl autoupdate agents status' (#51079)

* Ensure proxy version getter adds the leading 'v' (#51687)

* Always create debug socket and expose health endpoints (#51616)

* Always create debug socket and expose health endpoints

* Consolidate the diagnostic multiplexers in a single function

* Fix tests

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix autoupdate rollout controller metrics (#51803)

* kube-agent-updater pre-release builds trust the staging repo + insecure validator private repo fix (#51815)

* Fix insecure resolver in private repos + trust pre-release builds

* fixup! Fix insecure resolver in private repos + trust pre-release builds

* Use new autoupdate APIs in discovery service (#51758)

* Remove name parameter from proxy version getter

* Use autoupdate_agent_rollout as a source of version in scripts and integrations

* Fix tests

* Handle gracefully absence of a proxy in kube discovery service

* Update lib/srv/discovery/kube_integration_watcher.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Address marco's feedback

* Address marco's feedback pt.2

* Gracefully handle if we can't get autoupdate version

* fixup! Update lib/srv/discovery/kube_integration_watcher.go

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Autoupdate changelog entry in v17.3

* Fix tests after rebase, pt.1

* Update front preset fixtures since the preset role changed

* Add install script using teleport-update and oneoff.sh (#52155)

* Refactor node-join script to take safer options and reuse install option logic (#52196)

* Add install script using teleport-update and oneoff.sh

* Refactor node-join script to take safer options and reuse install option logic

* GoDoc + make functions private

* Address edoardo's feedback

* Allow prerelease Teleport to install official artifacts (#52444)

* Accept to install CE when running an AGPL build for backward compat

* Bump e to fix build (oneoff args change)

* Make node install scripts install Teleport via teleport-update (#52226)

* Make the node install script use teleport-update

* Apply suggestions from code review

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Fix curl args + address bash exec comments

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* Use install.sh in discovery's default installer (#52368)

* Use install.sh in discovery's default installer

* fixup! Use install.sh in discovery's default installer

* Address marco's feedback

* Update lib/auth/grpcserver.go

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Update lib/srv/server/installer/defaultinstallers.go

* apply edoard's feedback + write script to file

* Execute the downloaded shell script

* Add snapshot tests

* fixup! Add snapshot tests

---------

Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>

* Fix error after rebase

* Fix test after rebase

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* [v17] Modulate install script when managed updates v2 are off (#52609)

* Modulate install script when managed updates v2 are off

* fixup! Modulate install script when managed updates v2 are off

* Address Stephen's feedback

* Set the autoupdate singleton names (#52751)

* Add autoupdate events to web UI (#52748) (#52838)

* Add autoupdate events to web UI

* lint

* Fix backport to include the label fix

* lint

* fix tests

* Add teleport-update binary scaffolding and disable command (#46418)

* Add main.go

* wip

* group flag

* wip

* wip

* mvp

* wip

* separate files

* cleanup

* jitter

* scaffold only

* remove teleport changes

* remove teleport changes - group

* test

* test lock

* remove edition

* feedback

* clarify default data dir

* cleanup

* move version to status

* consistent naming for update.yaml

* improve lock test

* explain lint

* use shared locking logic

* fix test

* Move disable logic to lib

* feedback

* switch to default transport

* [teleport-update] Add enable command (#47565)

* Add enable scaffold

* add installer

* refactor

* add enable tests

* clean up download logic

* Finish installer tests

* cleanup

* fix flags

* fix errors

* logging

* cleanup

* fix test

* Fix download size logic

* remove agent prefixes

* namespace package

* rename file

* feedback

* fips and ent support

* hide force version

* feedback

* feedback 2

* fix test

* move enterprise/fips to webapi

* Fix interface

* RFD 0184: Automatic Updates for Teleport Agents (#47126)

* Create 0169-auto-updates-linux-agents.md

* Fix github handle

* Fix Github handle

* Clarify jitter flag

* Remove time question

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* add editions

* Installers and docs

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Downgrades

* Feedback

* Update 0169-auto-updates-linux-agents.md

* Remove last working copy of teleport

* add step to ensure free disk space

* Typos

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* feedback

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* apt purge

* Only enable auto-upgrades if successful

* reentrant lock

* reset

* Update 0169-auto-updates-linux-agents.md

* add note on backups

* Update 0169-auto-updates-linux-agents.md

* Update 0169-auto-updates-linux-agents.md

* Clarify restore/rollback process and validations

* Added section on logging

* Add schedules

* immediate schedule + note on cycles and chains

* more details, more tctl commands

* Update 0169-auto-updates-linux-agents.md

* scalability

* df

* content-length

* cache init

* binary

* more rollout mechanism changes

* scalability

* more scalability

* use 100kib pages for plan

* Add RPCs, tweak API design

* clarify wording

* wording

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update rfd/0169-auto-updates-linux-agents.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* linting

* Move all RPCs into autoupdate/v1

* Move groups to MVP

* note about checksum

* typos, consistency

* clarify binary is teleport-update, package is teleport-ent-updater

* switch from df to unix.Statfs

* security feedback + naming adjustments

* tweak rollout paging

* tweak rollout paging again

* feedback

* adjust update.yaml to match implementation feedback

* wip - new model

* canaries

* canary 2

* describe state, transitions, and proxy response

* rpcs

* finish rpcs

* minor tweaks

* Add user stories

* Put new requirements at the top + edit UX + add TODOs

* Edition work

* cleanup + swap phases 1 and 2

* Move protobuf

* Add installation scenarios

* cleanup + move backpressure formulas

* more cleanup

* rename to unused number

* fix title

* more cleanup

* correct inconsistencies

* fix more inconsistencies

* missing proxy flag

* typo

* Add CLI reference

* feedback

* alerts note

* typos

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* clarify canary logic

* Update rfd/0184-agent-auto-updates.md

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Support for multiple installations / tarball

* Address reviewer's feedback

- Rephrase the UX section to not assume prior canary knowledge
- Explicit how the canaries are picked, the limitations, and potential
  improvements
- replace node with instance to avoid confusion between ssh nodes and
  generic teleport agent instances
- Explicit how the previous updater interacts with the new one
- More explicit names for command line args

* agent_plan -> agent_rollout + reuse autoupdate_config

* align tool version

* Move package system dir

* add time-based strategy

* rename previous-must-succeed -> halt-on-failure

---------

Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com>

* [v17] RFD 184: Agent Automatic Updates, teleport-update (#52372)

* [teleport-update] Add linking into /usr/local (#47879)

* clean up download logic

* Finish installer tests

* fips and ent support

* feedback

* move enterprise/fips to webapi

* wip

* wip2

* add cleanup

* fix extract

* wip

* fix tests

* remove safety

* cleanup

* cleanup extract

* cleanup

* cleanup

* fix bugs

* cleanup

* [teleport-update] Use new webapi fields to find version (#47961)

* Adapt teleport-update to new webapi endpoints

* feedback

* [teleport-update] Add support for reloading the agent & reverting symlinks on failed reload (#47929)

* wip

* cleanup

* comments

* test wip

* test link revert

* tests

* cleanup

* cleanup more

* comments

* comments

* errors

* comments

* linting

* fix bugs

* fix typo

* cleanup

* cleanup

* fix revert

* lint

* feedback

* fix

* fix test

* clarify comment

* use afterfunc

* [teleport-update] Add update subcommand (#48244)

* Add update subcommand

* fix

* lint

* add command

* warn on known edition

* warn on unknown edition for update

* [teleport-update] Add link subcommand (#48712)

* wip

* refactor

* docs

* updater

* add link command

* test LinkPackage

* cleanup

* fix enterprise paths

* fix systemd linking

* typo

* comment

* comments

* typo

* feedback

* adjust systemd service locations

* cleanup tests, adjust service link path

* [teleport-update] PID-based failure detection and rollback (#49175)

* Extract from other PR

* comments

* string

* [teleport-update] Add systemd setup (#49174)

* service and timer

* comments

* feedback

* feedback

* [teleport-update] Add unlink-package command (#49250)

* unlink

* test

* lock type

* comments

* cleanup

* Update lib/autoupdate/agent/installer.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Add support for version pinning (#49307)

* pinning

* cleanup

* unskip

* cleanup

* unpin

* typo

* [teleport-update] status subcommand (#49308)

* status

* cleanup

* comments

* cleanup output by removing optional fields

* rebase fix

* [teleport-update] Uninstall subcommand (#49341)

* Uninstall

* tests

* comment

* Short-circuit link package on pinned

* log

* move error

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Update lib/autoupdate/agent/process.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* fix

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* [teleport-update] Protect against disk space leaks (#49309)

* cleanup unused

* cleanup

* cleanup

* [teleport-update] Show warning instead of return error for link/unlink (#49334)

* Add warning instead of return error for link/unlink

* Add test for sync call with ErrNotSupported

* Change warning message

* [teleport-update] Isolated installation suffix (#49364)

* namespacing

* words

* cli

* fix

* err

* use structured logs consistently

* comments

* bugs

* test

* switch to new paths

* test

* adjust

* reserved

* cleanup

* cleanup

* docs

* fix uninstall

* test

* simplify init

* cleanup

* namespace -> install-suffix

* log

* [teleport-update] Fix usage of trace (#49388)

* fix trace

* rebase

* [teleport-update] Support for Enterprise/FIPS migration (#49451)

* store ent/fips data

cleanup

formatting

revert updater rename

cleanup

Update lib/autoupdate/agent/config.go

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

feedback

* feedback

* feedback

* lint

* [teleport-update] Display download progress and stats (#49805)

* download progress

* typo

* sub -> since

* time -> duration

* [teleport-update] update --now (#49807)

* update --now

* testdata

* [teleport-update] Adjust download progress log output (#49845)

* adjust logger

* fix

* fix

* Extended binary validations (#49748)

* [teleport-update] needrestart and systemd drop-in (#49806)

* wip

* Add more config

* nit

* feedback

* Fix duplicate teleport-update short command (#50304)

* [teleport-update] Version reporting and deprecated upgrader management (#50266)

* wip

* telemetry

* abs

* fix

* tests

* Disable deprecated timer

* keep schedule on non-suffixed

* Update maintenance.go

* Update lib/autoupdate/agent/setup.go

* update warnings

* feedback pt 1

* feedback pt 2

* headers

* [teleport-update] Remove warning when running Teleport on platforms without systemd (#51465)

* improve detection logic on non-systemd platforms

* adjust

* remove OS check

* [teleport-update] common MakeURL with ability to override BaseURL (#51383)

* Add templates for client tools auto-update download url

* Change to base url setting by env

MakeURL moved to common function to be general for both, agent and client tools

* Reuse MakeURL moved to common package

* Fix linter warning

* Add common env variable to override base url

* Remove template from interface

* Make template exported
Change a stale comment

* Remove unused code

* [teleport-update] Adjustments for SELinux (#51474)

* selinux fixes

* extra checks

* lint

* lint

* cleanup

* better cleanup

* fix rebase

* [teleport-update] Add --overwrite flag to replace tarball installations (#51579)

* add --overwrite flag

* extra warning

* [teleport-update] Only use CDN for community / enterprise editions (#51726)

* Only use CDN for community / enterprise

* wording

* [teleport-update] Warn instead of erroring when disabling the deprecated updater (#51759)

* Warn instead of erroring when disabling old updater

* Update lib/service/service.go

* Update lib/service/service.go

* [teleport-update] Adjust non-critical SELinux contexts (#51793)

* correct selinux contexts

* Update lib/autoupdate/agent/installer.go

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* Update lib/autoupdate/agent/installer.go

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* [teleport-update] Add proper healthcheck for agents (#51613)

* Add socket readiness monitor

* cleanup

* add 404 check

* check

* better cleanup

* fix bug

* typo

* fix 404

* improve logging

* cleanup

* disable socket redirect

* avoid race condition with socket removal

* verify PID

* cleanup

* Update lib/autoupdate/agent/process.go

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* feedback

* fix subtle race condition

* debugging

---------

Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [teleport-update] Allow teleport-update uninstall to succeed with non-packaged installs (#51576)

* Treat missing source bin dir same as missing binaries

* prevent linking package outside /usr/local/bin

* Apply suggestions from code review

* [teleport-update] use new updater to reload and verify Teleport (#51734)

* wip

* finish implementation

* fix tests

* test setup

* remove stale data

* bug

* spelling

* pass log format and debug through

* feedback

* [teleport-update] Read proxy from teleport.yaml to improve UX (#51633)

* derive proxy from config

* fix parsing

* cleanup

* require force for uninstall (#51973)

* [teleport-update] add insecure flag for testing (#52019)

* insecure flag

* fmt

* [teleport-update] skip updater setup when systemd is missing (#52022)

* skip updater installation when systemd is missing

* test

* wording

* [teleport-update] Ensure stable interface between versions of teleport-update (#52152)

* refactor data dir

* finish refactor

* fix path

* cleanup

* more tests

* lint

* prevent notice failure without systemd

* feedback

* url

* revert log level change (#52416)

---------

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>

* [v17] [teleport-update] Fix usage of default $PATH dir, overrides, and hanging (#52608)

* Fix usage of default path

* fix other overrides

* fix hang on start

* [v17] [teleport-update] Set umask 0022 for teleport-update to avoid errors on enable (#52755)

* Set umask 0022 for teleport-update

* init -> main

* refactor

* move const

* add flag

* missed not

* fix inequality

* remove flag

* dead code

* docs

* docs 2

* feedback

* [v17] [teleport-update] Support for CentOS 7 (#53017)

* support systemd down to 219

* comments

* Apply suggestions from code review

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Missed check on additional use of IsPresent

* adjustments from testing various versions of centos7

* Typo

* Use dedicated error for version incompat

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* [v17] [teleport-update] Improve clarity of error logs and address UX edge cases (#53048)

* Usability fixes

* cancel jitter

* root + fix logs

* check extra case

* cleanup

* extra warning

* tests

* feedback

* add newlines

* adjust message

* consistent error type

* update UI snapshots

* [v17] Backport packaging restructuring and teleport-update build (#52361)

* [teleport-update] Add Makefile build target (#48531)

* Add build target for teleport-update

* Set CGO_ENABLED=0 for building teleport-update

* [teleport-update] Add teleport-update to build and archive (#48839)

* Add teleport-update to build and archive

* Add teleport-update to install scripts

* Add build flags without buildmode pie

* Add helper message for install.sh script

* Exclude teleport-update from darwin platform

* Add teleport-update to rpm and deb packages

* Remove teleport-update from deb, rpm packages
Add comment for the buildflags

* [teleport-update] Move teleport binaries to new path {deb,rpm} (#49110)

* Move teleport binaries to new path

* Use link/unlink command to manage links
Move teleport.service to new path

* Move teleport binaries under standard path for distroless
Cleanup

* Fix wrong move path

* Create missing directory

* Rename link/unlink commands

* Exclude teleport-update from docker image
Systemd reload now managed by teleport-update
Make safe unlink not to block package removal

* Add teleport-update to AMI image build

* Fix RPM build, fpm automatically manage scripts

* Fix AMI build, add missing teleport.service

* Move binaries to /opt/teleport/system

* Add check to installation script when we copy files from tarball (#50368)

* bump e

* Fix RPM linking logic (#52704)

* Use quoting style supported by pre-2015 systemd (#53179) (#53196)

* [teleport-update] Additional log message and UX cleanup (#53180) (#53197)

* More teleport-update UX cleanup

* cleanup overwrite error

* cleanup

* more cleanup

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Fix proto resource 153 marshalling for autoupdate_* resources (#50688)

* Fix proto resource 153 marshalling

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Update tool/tctl/common/collection_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Address feedback

- Change from Resource153AdapterV2 to ProtoResource153Adapter
- fix test failures and unmarshal proto resources properly
- add a failing round-trip proto 153 test case
- bonus: fix the table test resource create that did not support
  running a single row

* Apply suggestions from code review

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* lint

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Craft a teleport-update based installer compatible with v15 code

* fix frontend lint issue (not introduced by us?)

* remove AGPL tests in updater as v15 oss is not AGPL

* [teleport-update] Add local updater metadata (#53602) (#53829)

* add metadata

* newline

* cleanup status error

* refactor status error

* fix print

* order

* fix test on linux

* Truncate time to ms

* add host param to request

* jitter locally

* rename host to id

* rename func var

* [v16] [teleport-update] Stop writing updater ID from teleport-update (#54012)

* new strategy: use deterministic boot-persistent id

* add error

* check id length

* unexport machine id

* Set group to 'default' if unset + avoid setting default group in config (#54049)

* [v16] [teleport-update] Change strategy for disabling teleport-upgrade timer (#54086)

* Change strategy for disabling old upgrader

* logging

* remove file

* remove const

* cleanup

* comment about namespaced installs

* re-remove AGPL-related tests as there's no AGPL Teleport v15

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* backport testutils

* Use vanilla slog logger in teleport update

* go mod tidy

* remove usage of new go features

* run yarn prettier

* fix autoupdate agent rollout tests pt.1

* add 'autoupdate' to cspell

* add good ol' tt := tt in parallel test loop

* remove missing debug service in test

* gci + remove dead code

* fix bad conflict resolution in script

* make oneoff sh-compliant again

* fix oneoff tests

* tt := tt

* lint

* [teleport-update] Run FIPS teleport with --fips flag (#54529)

* fix fips bug with systemd service

* fix bugs, add testing flags

* fix tests

---------

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Stephen Levine <stephen.levine@goteleport.com>
Co-authored-by: Marco Dinis <marco.dinis@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Bartosz Leper <bartosz.leper@goteleport.com>
Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
Co-authored-by: Vadym Popov <vadym.popov@goteleport.com>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

Labels

no-changelog Indicates that a PR does not require a changelog entry size/sm


5 participants