[v10] Check manifest before attempting to push docker images #15094
Closed
Drop the `v` from the tsh installer version number, which was inadvertently changed by #12751. Makes the installer reappear as a download option in Houston. Note that the final .app name still has the `v`. I.e.:
* tsh-10.0.0-dev.pkg (installer) tsh-10.0.0-dev.pkg.sha256 (installer hash)
* tsh-v10.0.0-dev.app (Application package)
Backport #13896 to branch/v10
#13903) updates rdp-rs ref to new HEAD where scroll wheel delta is fixed
* Add Machine ID enterprise license enforcement This adds two checks to Machine ID for license enforcement: one on initial bot create, and another on join.
* Use modules.SetTestModules(); fix failing test
* Update Video URL
* extra labs and video update
Use high-cpu pools for CI tasks
Apply traits to Windows Desktop labels It was noticed that this functionality has been missing. Updates #5973
…f requiring a trait be templated. (#14038) Prefix sudoers lines with user being logged in as
Document new pin_source_ip role option (#13495)
Backport #14033 to branch/v10 Add a credential picker to the tsh FIDO2/WebAuthn backend. The PR pulls a recent patch in our go-libfido2 fork that makes it correctly return multiple assertions from the authenticator. This allows us to implement the credential picker for FIDO2, simplify our implementation and provide the exact same UX that browsers use (always 1-touch for bio, touch->PIN->touch otherwise). I've dropped concepts like "optimistic assertions" and "eager PIN prompts" in favor of a simple, uniform implementation. Issue #13901.
* Prompt for credentials in LoginPrompt
* Update go-libfido2
* Implement FIDO2 credential picker
* Drop optimistic assertions, only set user if explicit
* Add license to fido2_prompt_test.go
Update CAs on connection in remoteSite
#14048)
* pass and preserve a path parameter during the app access authentication process
* added missing semicolons
* more javascript formatting
* removed incorrect path redirect. replace URL with URL.Path
* added a test for HasName
* added another test for default path
* ensure path param is valid path
* build url without string concat
Add documentation for automatic host user creation
* Fix drone pipeline
* Update drone signature
helm: Deploy CRDs when the operator is enabled
…15033) This is a twofold change with the aim of reducing possible pains with the tsh installer.
- Dropping the version number from "tsh.app" makes it more alike other apps (including Connect)
- Making the installer non-relocatable makes it easy to reason about (and ensures our postinstall script is correct!)
A relocatable installer will look for the app in places other than the specified install path, according to the bundle ID. This means that if the user moves or renames the app, the installer will overwrite it no matter where it is. It also means our path assumptions can be wrong. Note that the installer itself is still numbered, so it won't break Houston or change the downloads page. Backport #15018 to branch/v10
Download mTLS files from Web (#14526)
In the context of Teleport Discover we are trying to ease the usage of Teleport for the user's first interaction. When adding a new database resource the user must, among other things, generate the mTLS files
Examples:
https://goteleport.com/docs/database-access/guides/postgres-self-hosted/#step-25-create-a-certificatekey-pair
https://goteleport.com/docs/database-access/guides/mysql-self-hosted/#step-24-create-a-certificatekey-pair
This PR aims to reduce this friction: the user should be able to setup the resource without prior setup of local tools (`tsh login`) We're doing this by providing an endpoint that will return those exact files
Demo
```shell
marco@lenix ~/p/downloadmtls> curl --silent --insecure 'https://127.0.0.1.nip.io:3080/v1/webapi/sites/lenix/sign' --data '{"hostname":"discover.example.com", "ttl":"9999h", "format": "db"}' --header 'Authorization: Bearer 308bf3dd3019ddc42cff44a48e028480' --header 'Content-Type: application/json' -OJ
marco@lenix ~/p/downloadmtls> tar -xvf teleport_mTLS_discover.example.com.tar.gz
server.key
server.crt
server.cas
marco@lenix ~/p/downloadmtls> head -1 server.*
==> server.cas <==
-----BEGIN CERTIFICATE-----
==> server.crt <==
-----BEGIN CERTIFICATE-----
==> server.key <==
-----BEGIN RSA PRIVATE KEY-----
```
Fixes #14049
SSH request tracing (#14124)
Add tracing support for ssh global requests and channels. Wrappers for `ssh.Client`, `ssh.Channel`, and `ssh.NewChannel` provide a mechanism for tracing context to be propagated via a `context.Context`. In order to maintain backwards compatibility the ssh.Client wrapper tries to open a TracingChannel when constructed. Any servers that don't support tracing will reject the unknown channel. The client will only provide tracing context to servers which do NOT reject the TracingChannel request. In order to pass tracing context along, all ssh payloads are wrapped in an Envelope that includes the original payload AND any tracing context. Servers now try to unmarshal all payloads into said Envelope when processing messages. If there is an Envelope provided, a new span will be created and the original payload will be passed along to handlers. Part of #12241
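The envelope scheme that the SSH request tracing commit message describes, sketched as an added example that is not Teleport's code: the type, field and function names and the JSON encoding are assumptions made for illustration. It shows the client wrapping only when the server accepted the tracing channel, and the server falling back to the bare payload when the bytes are not an envelope.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Envelope is a hypothetical wire wrapper (field names are assumptions):
// the original SSH payload plus the tracing context that rides with it.
type Envelope struct {
	TraceContext map[string]string `json:"trace_context,omitempty"`
	Payload      []byte            `json:"payload"`
}

// Wrap is the client side. It only wraps when the server accepted the
// tracing channel, so legacy servers keep receiving the bare payload.
func Wrap(serverAcceptedTracing bool, traceCtx map[string]string, payload []byte) ([]byte, error) {
	if !serverAcceptedTracing || len(traceCtx) == 0 {
		return payload, nil
	}
	return json.Marshal(Envelope{TraceContext: traceCtx, Payload: payload})
}

// Unwrap is the server side. It tries to decode an Envelope and falls back
// to treating the bytes as the original payload when decoding fails or no
// tracing context is present (a legacy client, or JSON that is not an envelope).
func Unwrap(data []byte) (traceCtx map[string]string, payload []byte) {
	var e Envelope
	if err := json.Unmarshal(data, &e); err != nil || len(e.TraceContext) == 0 {
		return nil, data
	}
	return e.TraceContext, e.Payload
}

func main() {
	// Constructed sample values, not captured traffic.
	raw := []byte{0, 0, 0, 4, 'x', 't', 'e', 'r'}
	tc := map[string]string{"traceparent": "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01"}

	wire, _ := Wrap(true, tc, raw)
	gotCtx, gotPayload := Unwrap(wire)
	fmt.Println(gotCtx["traceparent"] != "", string(gotPayload) == string(raw))

	legacyCtx, legacyPayload := Unwrap(raw) // bare payload from a legacy client
	fmt.Println(legacyCtx == nil, string(legacyPayload) == string(raw))
}
```

The tracing context arrives from the peer, so a handler should treat it as untrusted input and use it only to parent a span, never for an authorization decision.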
github-actions bot requested review from avatus, ptgott, r0mant, sagesyr, smallinsky, xinding33 and zmb3 August 1, 2022 19:09
@logand22 - this PR is large and will require admin approval to merge. Consider breaking it up into a series of smaller changes.
github-actions bot added labels application-access, audit-log (Issues related to Teleports Audit Log), bpf (Used to bugs with bpf and enhanced session recording.), database-access (Database access related issues and PRs), desktop-access, documentation, helm, kubernetes, machine-id, rdp, rfd (Request for Discussion), tctl (tctl - Teleport admin tool), tsh (tsh - Teleport's command line tool for logging into nodes running Teleport.) Aug 1, 2022
Backport of #15093
Testing