Security fixes 03/23 #23864 (Merged)
Conversation
A user.Lookup was added to srv.RunForward to prevent dialing and forwarding any data if the os login is not found. The check alone only terminates the direct-tcpip ssh channel and not the underlying ssh connection. In order for the parent process to determine if the ssh connection should be terminated it needs to know why the child exited. That was not possible by looking at the exit code, and any data written to standard error of the child process was forwarded to standard error on the parent, which was used to simply log the error and move on.

To pass more detailed errors to the parent, the child process spawned by srv.RunForward now json marshals the trace.Error to standard error, which is then decoded by the parent process. If the parent detects the error was due to a missing user it terminates the ssh connection.

tsh ssh -N was also modified to terminate if the command context of tsh OR the ssh connection to the node is closed. Prior, it only terminated if the user cancelled the process by blocking on ctx.Done(). While this was necessary to end the session if the os login does not exist, it also forces tsh to exit if the node goes offline.

Note: This does not include any propagation of error messages to the user, so there won't be any indication from tsh about why the connection was closed. The session also will not be terminated until the first attempt to forward data and NOT when the session is created, due to the way -N is implemented.

Fixes #217

This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to.

This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels, since the kubernetes_service would not have the updated labels in memory and would deny access.

Fixes #469
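The child-to-parent error channel described in the first fix, as an added example that is not Teleport's code: the child classifies the lookup failure, writes it to its stderr as one JSON object, and the parent decodes it and decides whether the whole SSH connection (not just the direct-tcpip channel) must go. The `ChildError` shape, the `kind` values and the helper names are assumptions for this example; Teleport marshals its own `trace.Error`. The plain-text fallback in `decodeChildError` is the compatibility caveat a practitioner would want when parent and child may run different versions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"os/user"
	"strings"
)

// ChildError is the structured record the forwarding child writes to its
// stderr so the parent can tell why it exited. Field names are assumptions
// for this example; Teleport marshals its own trace.Error.
type ChildError struct {
	Kind    string `json:"kind"`
	Message string `json:"message"`
}

const (
	KindUserNotFound = "user-not-found"
	KindOther        = "other"
)

// lookupOSLogin mirrors the added user.Lookup gate: refuse to dial or
// forward anything unless the requested OS login exists on this host.
func lookupOSLogin(login string) error {
	_, err := user.Lookup(login)
	return err
}

// unknownUserError builds the error user.Lookup returns for a missing login,
// so the classification path can be exercised without touching /etc/passwd.
func unknownUserError(login string) error {
	return user.UnknownUserError(login)
}

// classify maps a Go error to the structured form. Only the "unknown user"
// case gets a dedicated kind; everything else is passed through as KindOther.
func classify(err error) ChildError {
	var unknown user.UnknownUserError
	if errors.As(err, &unknown) {
		return ChildError{Kind: KindUserNotFound, Message: err.Error()}
	}
	return ChildError{Kind: KindOther, Message: err.Error()}
}

// encodeChildError is the child side: one JSON object followed by a newline.
func encodeChildError(err error) ([]byte, error) {
	b, merr := json.Marshal(classify(err))
	if merr != nil {
		return nil, merr
	}
	return append(b, '\n'), nil
}

// writeChildError writes the encoded error to the child's stderr.
func writeChildError(stderr io.Writer, err error) error {
	b, encErr := encodeChildError(err)
	if encErr != nil {
		return encErr
	}
	_, werr := stderr.Write(b)
	return werr
}

// decodeChildError is the parent side. It accepts the JSON form and falls
// back to treating legacy plain-text stderr as an opaque KindOther message.
func decodeChildError(stderr []byte) ChildError {
	var ce ChildError
	if err := json.Unmarshal(bytes.TrimSpace(stderr), &ce); err == nil && ce.Kind != "" {
		return ce
	}
	return ChildError{Kind: KindOther, Message: strings.TrimSpace(string(stderr))}
}

// shouldCloseConnection decides whether the parent tears down the whole SSH
// connection rather than only the failed direct-tcpip channel.
func shouldCloseConnection(ce ChildError) bool {
	return ce.Kind == KindUserNotFound
}

func main() {
	login := "no-such-login-for-this-example" // constructed default; pass a real login as argv[1]
	if len(os.Args) > 1 {
		login = os.Args[1]
	}
	var stderr bytes.Buffer // stands in for the pipe from the child process
	if err := lookupOSLogin(login); err != nil {
		if werr := writeChildError(&stderr, err); werr != nil {
			fmt.Fprintln(os.Stderr, "encode failed:", werr)
			os.Exit(1)
		}
	}
	ce := decodeChildError(stderr.Bytes())
	fmt.Printf("child reported %+v; close ssh connection: %v\n", ce, shouldCloseConnection(ce))
}
```

Run it as `go run . nobody` against an existing login and again with a bogus one: only the unknown-user case flips `shouldCloseConnection` to true, while a generic dial failure keeps the old behaviour of logging and moving on.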
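The second fix, as an added example that is not Teleport's code: it contrasts a name-keyed lookup over backend records (first match wins, so a colliding `kube_server` record controls which labels get checked) with a lookup over the set of clusters this service instance actually proxies and heartbeats. The `KubeCluster`, `Role` and label-matching helpers are assumptions for this example, as is the constructed scenario of a spoofed "prod" record with `env=dev` labels sorting ahead of the real one.

```go
package main

import (
	"errors"
	"fmt"
)

// KubeCluster is a minimal stand-in for a registered Kubernetes cluster:
// the name a user asks for plus the labels RBAC is evaluated against.
type KubeCluster struct {
	Name   string
	Labels map[string]string
}

// Role carries only the part of a role that matters here: the label
// selectors a user must match to reach a cluster. "*" matches any value.
type Role struct {
	KubeLabels map[string]string
}

var ErrAccessDenied = errors.New("access to kube cluster denied")

// matchLabels reports whether every selector in want is satisfied by have.
func matchLabels(want, have map[string]string) bool {
	for k, v := range want {
		got, ok := have[k]
		if !ok {
			return false
		}
		if v != "*" && v != got {
			return false
		}
	}
	return true
}

// firstByNameFromBackend models the pre-fix lookup: walk the records the
// auth backend returned and take the first one whose name matches, whatever
// its labels are. Any principal allowed to upsert a kube_server with a
// colliding name can therefore choose the labels that get checked.
func firstByNameFromBackend(backend []KubeCluster, name string) (KubeCluster, bool) {
	for _, c := range backend {
		if c.Name == name {
			return c, true
		}
	}
	return KubeCluster{}, false
}

// servedCluster models the fixed lookup: consult the in-memory set of
// clusters this kubernetes_service instance actually proxies (the same set
// it heartbeats), so foreign records in the backend never influence the check.
func servedCluster(served map[string]KubeCluster, name string) (KubeCluster, bool) {
	c, ok := served[name]
	return c, ok
}

// authorize evaluates the role against the cluster the lookup selected.
func authorize(role Role, c KubeCluster, ok bool) error {
	if !ok || !matchLabels(role.KubeLabels, c.Labels) {
		return ErrAccessDenied
	}
	return nil
}

// Constructed scenario: the service proxies "prod" with env=prod; the user's
// role only allows env=dev; a second record named "prod" with env=dev has
// been upserted into the backend ahead of the real one.
var (
	served  = map[string]KubeCluster{"prod": {Name: "prod", Labels: map[string]string{"env": "prod"}}}
	backend = []KubeCluster{
		{Name: "prod", Labels: map[string]string{"env": "dev"}}, // spoofed record, sorts first
		served["prod"],
	}
	devOnly = Role{KubeLabels: map[string]string{"env": "dev"}}
)

// AccessBeforeFix returns the pre-fix decision for the scenario above.
func AccessBeforeFix() error {
	c, ok := firstByNameFromBackend(backend, "prod")
	return authorize(devOnly, c, ok)
}

// AccessAfterFix returns the post-fix decision for the scenario above.
func AccessAfterFix() error {
	c, ok := servedCluster(served, "prod")
	return authorize(devOnly, c, ok)
}

func main() {
	fmt.Println("before fix:", AccessBeforeFix()) // <nil>: the spoofed labels matched
	fmt.Println("after fix: ", AccessAfterFix())  // access to kube cluster denied
}
```

The general point is the one the fix relies on: authorize against the authoritative local representation of the resource you are about to proxy, not against whichever record shares its name in shared state that other principals can write to.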
tigrato approved these changes, Mar 30, 2023
rosstimothy approved these changes, Mar 30, 2023
public-teleport-github-review-bot (bot) removed the review request for hatched and fspmarshall, March 30, 2023 19:57
github-merge-queue (bot) removed this pull request from the merge queue due to failed status checks, Mar 30, 2023
github-merge-queue (bot) removed this pull request from the merge queue due to no response for status checks, Mar 30, 2023
github-merge-queue (bot) removed this pull request from the merge queue due to no response for status checks, Mar 31, 2023
github-merge-queue (bot) removed this pull request from the merge queue due to no response for status checks, Mar 31, 2023
github-merge-queue (bot) removed this pull request from the merge queue due to failed status checks, Mar 31, 2023
jakule added a commit that referenced this pull request, Apr 10, 2023:
* Metrics: add IsSSO to Discover Events (#23791)
  * Metrics: add IsSSO to Discover Events
  * review pt1
  * use services.UserGetter interface
  * godocs, renamings
  * add isSSO to user identity
  * remove ctx from convert
  * add godocs to usermetadata fields
  * add UserType enum
* Integration resource: add types and grpc methods (#23553)
  * Integration resource: add types and grpc methods
    This commit adds the new types for the Integration resource. It also adds the gRPC methods that will be used later on for:
    - Integrations CRUD management
    - Integrations resource caching
  * decouple integration service from auth
  * return resource on CRU operations
  * Add OneOf prop to distinguish Integrations subkind
  * Version subkind spec
  * godocs
* Set CRL LDAP path based on certificate authority type (#23814)
  * refactor(windows): use CA type to define CRL path
  * chore(windows): update updateCRL comment
  * chore(windows): fix imports
* split and notate new vs existing mysql user (#18010)
* Fix Flaky Tests Detector bypass on merge queue (#23896)
  * Fix Flaky Tests Detector bypass on merge queue
  * Do not run fld in the mq
  Co-authored-by: Roman Tkachenko <[email protected]>
* Implement `tctl create -f` for devices (#23801)
  * Implement `tctl create -f` for devices
  * Update e/ reference
* Prevent unknown ssh requests from terminating sessions (#23874)
  Instead of returning and aborting a session if an unknown request is received, servers now log the warning and continue on.
* Update SFTP library (#23711)
  Update SFTP fork to include gravitational/sftp@dfe4e0d
  Fixes #22263
* Migrate to OpenSSL 3.0 (#23810)
  * Use OpenSSL 3.0.x (buildbox)
  * Use OpenSSL 3.0.x (buildbox-centos7)
  * Use OpenSSL 3.0.x (macOS)
* Hosted plugins onboarding prerequisites (#23234)
  * Respect route exactness in TopNav
  * Allow submitting CSRF token via form
  * Skip "safe" methods in CSRF checks
  * Export getXCSRFToken
  * Add WithAuth2
  * Passthrough "name" of FieldInput
    Allows it to be used in an actual form
  * icomoon: add hashtag icon
  * Add GetAvailablePluginTypes to PluginService proto
  * Expose ProxyPublicAddr
    For use in Enterprise web Plugin
  * Run prettier
  * Factor out app.MetaRedirect
  * Rename: WithAuth2 -> WithAuthCookieAndCSRF
  * Run GCI
  * Regenerate protos
* Use RUNNER_TEMP for teleport bins in plugin tests (#23773)
  When gravitational/teleport-plugins imports this test suite in CI, the repo root gravitational/teleport/... is not writable. This uses GitHub's `RUNNER_TEMP` instead, if it is set.
* Add Support for Oracle protocol (#23227)
* kube-updater: Wire up main executable (#23565)
  * kube-updater: write main function, fix scheme, reduce grace period
  * fixup! kube-updater: write main function, fix scheme, reduce grace period
  * Address feedback
  * Update integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go
    Co-authored-by: Roman Tkachenko <[email protected]>
  Co-authored-by: Roman Tkachenko <[email protected]>
* Add Flaky detector Bypass before merging (#23923)
  * Add Flaky Bypass before merging
  * edit to descriptions
* Add advisory and troubleshooting on non-tls mode for machineid kube (#23575)
  * Add advisory and troubleshooting on non-tls mode for machineid kube
  * Apply suggestions from code review
    Co-authored-by: Alex Fornuto <[email protected]>
  Co-authored-by: Alex Fornuto <[email protected]>
* Show the server name (instead of UUID) in errors (#23724)
  When the web UI was updated to dial by UUID instead of hostname, access denied errors started to surface a UUID that is not visible in the UI. Where possible, pass through the node name so that we can raise a better error.
* chore: Bump libfido2 from 1.12.0 to 1.13.0 (#23926)
  * chore: Bump libfido2 from 1.12.0 to 1.13.0
  * Bump OpenSSL on Dockerfile-multiarch
* docs: add description of config versions (#23624)
  This was originally added as part of #15761, but removed during the review cycle.
  Closes #20016
* Recommend Proxy Service in event-handler guides (#23879)
  See #21305
  In order to standardize the docs around connecting Teleport services to the Proxy Service, rather than the Auth Service, change Event Handler guides to remove instructions for connecting to the Auth Service. This includes modifying partials used by the Access Request plugin guides so they work for the Event Handler guides as well.
* Security fixes 03/23 (#23864)
  * Prevent tunneling if the os login doesn't exist
    A user.Lookup was added to srv.RunForward to prevent dialing and forwarding any data if the os login is not found. The check alone only terminates the direct-tcpip ssh channel and not the underlying ssh connection. In order for the parent process to determine if the ssh connection should be terminated it needs to know why the child exited. That was not possible by looking at the exit code, and any data written to standard error of the child process was forwarded to standard error on the parent, which was used to simply log the error and move on. To pass more detailed errors to the parent, the child process spawned by srv.RunForward now json marshals the trace.Error to standard error, which is then decoded by the parent process. If the parent detects the error was due to a missing user it terminates the ssh connection.
    tsh ssh -N was also modified to terminate if the command context of tsh OR the ssh connection to the node is closed. Prior, it only terminated if the user cancelled the process by blocking on ctx.Done(). While this was necessary to end the session if the os login does not exist, it also forces tsh to exit if the node goes offline.
    Note: This does not include any propagation of error messages to the user, so there won't be any indication from tsh about why the connection was closed. The session also will not be terminated until the first attempt to forward data and NOT when the session is created, due to the way -N is implemented.
    Fixes #217
  * Prevent unauthorized access to kube clusters by upserting kube_servers
    This PR changes the behavior of the kubernetes_service when validating access to kubernetes clusters. Previously, the kubernetes_service would use the first kubernetes cluster it found in the Auth server backend to validate access. This was problematic because if the first kubernetes cluster was upserted with the same name as a kubernetes cluster the user was trying to access but with different labels, the user would be able to access the cluster even though they shouldn't be able to.
    This PR changes the behavior of the kubernetes_service to use the in memory kubernetes cluster representation used for heartbeats instead of relying on the information received from the auth server. This would block the user from accessing the cluster if the cluster was upserted with a different set of labels, since the kubernetes_service would not have the updated labels in memory and would deny access.
    Fixes #469
  Co-authored-by: Tim Ross <[email protected]>
  Co-authored-by: Tiago Silva <[email protected]>
* Update e ref. (#23938)
  Update the e ref to make sure that e CI will run properly with the recent OSS Okta changes.
* Add a guide to creating Teleport roles via the API (#23204)
  * Add a guide to creating Teleport roles via the API
    See #19716
    This guide uses a small demo application to show how to create Teleport roles based on an external RBAC system. The demo revolves around a local `minikube` cluster. I chose this approach because Teleport works well with Kubernetes RBAC, and Kubernetes RBAC resources are pretty straightforward to set up locally.
  * Based the guide on a program in the examples dir
  * Respond to zmb3 PR feedback
  * Run make fix-license
  * Respond to PR feedback
  * Respond to alexfornuto feedback
* Add Azure auto-join docs (#22752)
  This change adds documentation for Azure VM auto-joining.
* Reduce DefaultIdleTimeout to 30s (#23943)
  An idle timeout of 6m keeps web api connections open too long on Proxies that have any agents which do not have the changes from #22832. Because the http.Server.IdleTimeout is set on all release versions now, even when built with go.19, we experience this issue because we no longer exercise the bug that was fixed in go1.20.
* Allow make update-tag to push to teleport-private (#23957)
  This is useful for making private test builds.
* Add Docker Hub login to Drone's Kubernetes pipelines (#23956)
  * Add Docker Hub login to kubernetes pipelines
    After moving Drone to AWS, we're seeing image pulls get rate limited because they're all coming from the same IP (an AWS NAT gateway). To avoid this, we refactor pipelines to cache/reuse images where possible, as well as add authentication to dockerhub pulls.
  * Drop dockerVolumes and dockerVolumeRefs
    We don't actually consistently want these in all places. E.g. parallel pipelines cannot share a volumeRefDockerConfig, as they'll stomp on each other's login information.
  * Remove shared docker config from parallel pipelines
    A shared volume results in the different steps racing against each other.
  * Remove docker config from relcli steps
    We don't actually pull from dockerhub in these steps.
  * Fix typos
    Co-authored-by: Reed Loden <[email protected]>
    Co-authored-by: Walt <[email protected]>
  Co-authored-by: Trent Clarke <[email protected]>
  Co-authored-by: Reed Loden <[email protected]>
* release: Update build for product signing (#23820)
  Update the build scripts to properly set up the key for signing packages using `productsign`, and parameterise the bundle ID for packages in the packaging scripts.
* RFD Spell fixes (#23954)
* Kube forward identity RFD (#22533)
  RFD for the new credentials forwarding mechanism for Kubernetes access. This RFD pretends to drop the requirement of keeping the cert-key pair in cache for each user that accesses the cluster.
  Part of #21609
* athena audit logs - config (#23703)
  * athena audit logs - config
  * use sqs timeout as duration
  * compile regexp once
  * Rename to QueueURL
  * add aws docs and comments
  * update log description
  * add license
  * rename getQueryResultsInterval
  * use aws sdk v2
* Fixes unused flags from `tsh kube exec` command (#23836)
  * Fixes unused flags from `tsh kube exec` command
    Since its introduction, `tsh kube exec` didn't have any use for the `--reason` and `--invite` flags and completely ignored what users did with them. This PR transports those flags as query parameters to Teleport Kubernetes Service, which includes them when creating the session resource in Teleport.
  * add tests
  * fix flaky test
* GitLab Delegated Joining docs (#23047)
  * Skeleton out docs for GitLab joining
  * Adjust description of guide
  * Add more GitLab docs
  * Explain the possible constraints
  * Add final example of GitLab CI
  * Correct token name
  * Further clarify a few parts of the documentation
  * Correct example of project_path constraint
  * Add more specific link to GitLab docs
  * Update docs/pages/machine-id/guides/gitlab.mdx
    Co-authored-by: Zac Bergquist <[email protected]>
  * Update docs/pages/machine-id/guides/github-actions.mdx
    Co-authored-by: Zac Bergquist <[email protected]>
  * Update docs/pages/machine-id/guides/gitlab.mdx
    Co-authored-by: Alex Fornuto <[email protected]>
  * add new guide to navbar
  * Update docs/pages/machine-id/guides/gitlab.mdx
    Co-authored-by: Alex Fornuto <[email protected]>
  * Update docs/pages/machine-id/guides/github-actions.mdx
    Co-authored-by: Alex Fornuto <[email protected]>
  * Update docs/pages/machine-id/guides/gitlab.mdx
    Co-authored-by: Alex Fornuto <[email protected]>
  * Update docs/pages/machine-id/guides/gitlab.mdx
    Co-authored-by: Alex Fornuto <[email protected]>
  * Update docs/pages/machine-id/guides/gitlab.mdx
    Co-authored-by: Alex Fornuto <[email protected]>
  * More concise/precise language in bot creation
  * Add further explanation of fields
  * Update docs/pages/machine-id/guides/gitlab.mdx
    Co-authored-by: Alex Fornuto <[email protected]>
  * Add reference page for gitlab joining
  * Fix link
  * line break adjustments
  * note bot role is built in
  * Minor spag correction
  Co-authored-by: Zac Bergquist <[email protected]>
  Co-authored-by: Alex Fornuto <[email protected]>
* Enforce Kubernetes license when creating Kube resources (#23755)
  This PR prevents the registration of Kubernetes clusters in Teleport Auth server when the auth isn't licensed for Kubernetes access. This is required because with the new credentials forwarding mechanism, services won't call the Auth server `ProcessKubeCSR` endpoint and thus we cannot enforce the license. This change prevents any agent from registering its `KubeServers` in Auth server if the server isn't properly licensed for Kube. It only affects enterprise users because the open source version of Auth is licensed for Kubernetes access.
  Part of #22533
* Docs: prefer `curl .../auth/export` instead of `tctl auth export` (#23560)
  * Docs: prefer `curl .../auth/export` instead of `tctl auth export`
  * consistent usage of curl command
  * Update docs/pages/desktop-access/active-directory-manual.mdx
    Co-authored-by: Paul Gottschling <[email protected]>
  * Update docs/pages/server-access/guides/openssh.mdx
    Co-authored-by: Paul Gottschling <[email protected]>
  * add proxy Var instead of using ScopedBlock
  * Update docs/pages/desktop-access/active-directory-manual.mdx
    Co-authored-by: Paul Gottschling <[email protected]>
  * Update docs/pages/management/guides/ssh-key-extensions.mdx
    Co-authored-by: Paul Gottschling <[email protected]>
  * Update docs/pages/desktop-access/troubleshooting.mdx
    Co-authored-by: Paul Gottschling <[email protected]>
  * Update docs/pages/server-access/guides/openssh.mdx
    Co-authored-by: Paul Gottschling <[email protected]>
  * Update docs/pages/server-access/guides/recording-proxy-mode.mdx
    Co-authored-by: Paul Gottschling <[email protected]>
  Co-authored-by: Paul Gottschling <[email protected]>
* Make `proxy.Client` infer the cluster name from Proxy (#23644)
  Instead of relying on users to provide the cluster name, the client now determines the cluster name by inspecting the certificate presented by the Proxy during the TLS or SSH handshake. This is required when connecting to a Proxy via a jump host since the name of the cluster may not match the currently logged in cluster. This is achieved by leveraging a custom `credentials.TransportCredentials` when connecting via gRPC and a custom `ssh.HostKeyCallback` when connecting via SSH.
* tsh: Fix redundant error in PPK generation on relogin (#23899)
  * tsh: Fix redundant error in PPK generation on relogin
    The logic for when we outputted an error was not very sound. Reworked it.
    Fixes #23778
  * Switch to error at debug level rather than stack trace
    Co-authored-by: Zac Bergquist <[email protected]>
  Co-authored-by: Zac Bergquist <[email protected]>
* docs: include enable teleport service in systemctl start (#23971)
  * docs: include enable teleport service.
  * Mention to enable
* ClusterItem: Remove usage of colors.secondary.lighter (#23979)
* Integration status: proto (#23912)
  * Integration status: proto
  * Caps IntegrationStatus values
* Update e reference (#23983)
* Fix relaxed moderator joining for Kube Access (#23674)
  This PR fixes the relaxed mode for moderator joining moderated sessions. Previously, when the moderator didn't have access to the Kubernetes cluster where the session he tried to join was active, Teleport would panic because the user didn't have at least one `kubernetes_user` or `kubernetes_group`. This PR moves the check of kubernetes principals into the authorization step instead of the authentication step in order to prevent the failure of authentication followed by a panic.
* Move ALPN dialer, ALPN conn upgrade, Ping conn to api (#23860)
* Bump github.com/crewjam/saml in /examples/api-sync-roles (#23942)
  Bumps [github.com/crewjam/saml](https://github.com/crewjam/saml) from 0.4.12 to 0.4.13.
  - [Release notes](https://github.com/crewjam/saml/releases)
  - [Commits](crewjam/saml@v0.4.12...v0.4.13)
  updated-dependencies:
  - dependency-name: github.com/crewjam/saml
    dependency-type: indirect
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Batched Dependabot updates (#23975)
  * Bump github.com/crewjam/saml in /examples/api-sync-roles
    Bumps [github.com/crewjam/saml](https://github.com/crewjam/saml) from 0.4.12 to 0.4.13.
    - [Release notes](https://github.com/crewjam/saml/releases)
    - [Commits](crewjam/saml@v0.4.12...v0.4.13)
    updated-dependencies:
    - dependency-name: github.com/crewjam/saml
      dependency-type: indirect
    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription
    Bumps [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription](https://github.com/Azure/azure-sdk-for-go) from 1.0.0 to 1.1.0.
    - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
    - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
    - [Commits](Azure/azure-sdk-for-go@v1.0...v1.1)
    updated-dependencies:
    - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription
      dependency-type: direct:production
      update-type: version-update:semver-minor
    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysql
    Bumps [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysql](https://github.com/Azure/azure-sdk-for-go) from 1.0.0 to 1.1.0.
    - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
    - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
    - [Commits](Azure/azure-sdk-for-go@v1.0...v1.1)
    updated-dependencies:
    - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysql
      dependency-type: direct:production
      update-type: version-update:semver-minor
    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump github.com/elastic/go-elasticsearch/v8 from 8.6.0 to 8.7.0
    Bumps [github.com/elastic/go-elasticsearch/v8](https://github.com/elastic/go-elasticsearch) from 8.6.0 to 8.7.0.
    - [Release notes](https://github.com/elastic/go-elasticsearch/releases)
    - [Changelog](https://github.com/elastic/go-elasticsearch/blob/main/CHANGELOG.md)
    - [Commits](elastic/go-elasticsearch@v8.6.0...v8.7.0)
    updated-dependencies:
    - dependency-name: github.com/elastic/go-elasticsearch/v8
      dependency-type: direct:production
      update-type: version-update:semver-minor
    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump github.com/go-logr/logr from 1.2.3 to 1.2.4
    Bumps [github.com/go-logr/logr](https://github.com/go-logr/logr) from 1.2.3 to 1.2.4.
    - [Release notes](https://github.com/go-logr/logr/releases)
    - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md)
    - [Commits](go-logr/logr@v1.2.3...v1.2.4)
    updated-dependencies:
    - dependency-name: github.com/go-logr/logr
      dependency-type: direct:production
      update-type: version-update:semver-patch
    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis/v2
    Bumps [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis/v2](https://github.com/Azure/azure-sdk-for-go) from 2.1.0 to 2.2.0.
    - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
    - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
    - [Commits](Azure/azure-sdk-for-go@sdk/resourcemanager/nginx/armnginx/v2.1.0...sdk/resourcemanager/redis/armredis/v2.2.0)
    updated-dependencies:
    - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/redis/armredis/v2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.91.0 to 1.92.1
    Bumps [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) from 1.91.0 to 1.92.1.
    - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
    - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
    - [Commits](aws/aws-sdk-go-v2@service/ec2/v1.91.0...service/ec2/v1.92.1)
    updated-dependencies:
    - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0
    Bumps [github.com/jonboulle/clockwork](https://github.com/jonboulle/clockwork) from 0.3.0 to 0.4.0.
    - [Release notes](https://github.com/jonboulle/clockwork/releases)
    - [Commits](jonboulle/clockwork@v0.3.0...v0.4.0)
    updated-dependencies:
    - dependency-name: github.com/jonboulle/clockwork
      dependency-type: direct:production
      update-type: version-update:semver-minor
    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0 in /api
    Bumps [github.com/jonboulle/clockwork](https://github.com/jonboulle/clockwork) from 0.3.0 to 0.4.0.
    - [Release notes](https://github.com/jonboulle/clockwork/releases)
    - [Commits](jonboulle/clockwork@v0.3.0...v0.4.0)
    updated-dependencies:
    - dependency-name: github.com/jonboulle/clockwork
      dependency-type: direct:production
      update-type: version-update:semver-minor
    Signed-off-by: dependabot[bot] <[email protected]>
  * Bump github.com/aws/aws-sdk-go from 1.44.231 to 1.44.234
    Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.231 to 1.44.234.
    - [Release notes](https://github.com/aws/aws-sdk-go/releases)
    - [Commits](aws/aws-sdk-go@v1.44.231...v1.44.234)
    updated-dependencies:
    - dependency-name: github.com/aws/aws-sdk-go
      dependency-type: direct:production
      update-type: version-update:semver-patch
    Signed-off-by: dependabot[bot] <[email protected]>
  * Revert "Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0 in /api"
    This reverts commit 9ac0990.
  * Revert "Bump github.com/jonboulle/clockwork from 0.3.0 to 0.4.0"
    This reverts commit aa32f5d.
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: dependabot-batcher[bot] <122306277+dependabot-batcher[bot]@users.noreply.github.com>
  Co-authored-by: Nic Klaassen <[email protected]>
* Headless Authn: documentation (#23272)
  * Add docs.
  * Update docs/pages/access-controls/guides/headless-login.mdx
    Co-authored-by: Zac Bergquist <[email protected]>
  * Fix lint error.
  * Elaborate on how headless login differs from standard login.
  * Resolve comments; Fix capitalization.
  * Resolves comments.
  * Add cli reference docs.
  * Restructure guide; Remove scoped blocks; Update descriptions; resolve other comments.
  * Make configuration options/alternatives collapsible; Fix typos.
  * Fix file names, titles, and make new config details begin as closed.
  * Fix hidden merge conflict.
  * Add line breaks.
  * Fix dead link.
  Co-authored-by: Zac Bergquist <[email protected]>
* Bump github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysqlflexibleservers (#23962)
  Bumps [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysqlflexibleservers](https://github.com/Azure/azure-sdk-for-go) from 1.0.0 to 1.1.0.
  - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
  - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
  - [Commits](Azure/azure-sdk-for-go@v1.0...v1.1)
  updated-dependencies:
  - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/mysql/armmysqlflexibleservers
    dependency-type: direct:production
    update-type: version-update:semver-minor
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* helm: Add support for imagePullSecrets to teleport-cluster chart (#23927)
  * helm: Add support for imagePullSecrets to teleport-cluster chart
    This was added to the teleport-kube-agent chart in #6941 but for some reason we never added it to teleport-cluster. This PR rectifies that.
  * Add imagePullSecrets to teleport-cluster chart reference
* Close auth clients in tctl tests (#24011)
  Goroutine dumps from failed tests show a large number of goroutines blocked in GRPC client code. Our tctl tests create auth clients but only expose them via auth.ClientI, which doesn't have a close method.
  Updates #19372 and #24005
* fix joining moderated sessions in ui (#23807)
* Define an explicit device resource as DeviceV1 (#23901)
  * Define the DeviceV1 resource proto
  * Update generated protos
  * Move device conversions to API
  * Test device conversions
  * Handle nil gracefully
  * Add license to new files
* Add agentless items to test plan (#23918)
  * add agentless items to test plan
  * add link to agentless docs
* operator: revert to old dockerfile and oci image build process (#24022)
* Declare device resource CRUD methods (#23913)
* docs: device trust edits (#23639)
  * docs: make device trust cluster auth config cloud scoped
  * docs: include required version for device trust
  * Simplify cap example
* Fix listing of participant modes in UI (#23858)
* change default session join mode to observer and add message (#23886)
* Update default session join mode in docs (#23934)
* GHA: Update path filters to include workflow files and Makefile (#23940)
* Add missing `join_method` in azure joining docs (#24013)
* add `set -eu` to discovery installer (#23761)
* Connect: Collect protocol origin (#23898)
  * Add `origin` field to protocol event
  * Capture protocol event origin
  * Use positional arguments
  * Missing rename
* Connect: Add SearchBar (#23980)
  This commit adds an MVP of the search bar to Connect. Currently it's behind a feature flag (`feature.searchBar`) but we'll enable it by default before the release. The plan was to merge the code ASAP, potentially even straight to v12 when we have the chance, which didn't exactly pan out but there's no harm to having this feature flag for now.
  On top of that, this commit adds a new shortcut to open the search bar (this replaces the current shortcut to open the command bar) and a shortcut to open a new terminal tab.
  The search works by essentially making a `ListResources` request for each supported resource type to every cluster the user is logged in to. We repurposed the old command palette UI for that but rewrote it to use React context and hooks rather than a class and a store. This allowed us to be a little bit more flexible as the old approach required every picker to conform to the same interface, both in terms of UI and code.
  This implementation has two main pickers so far:
  * `ActionPicker` which is the main one. It searches for resources but at the moment it also supports applying filters. In the future, we plan to add more actions to it such as "Open a new tab" or "Install tsh".
  * `ParameterPicker` is activated when you pick an action from the `ActionPicker` that requires an additional parameter. Think choosing an SSH server or a db – you need to provide an SSH login or a db user for those items. In those situations, `ActionPicker` will switch to `ParameterPicker` and let you pick a relevant item from the list.
  Everything is contained within `web/packages/teleterm/src/ui/Search`. Arguably, `useSearch` could be refactored a little bit to maybe make its structure a little more clear as it handles both the resource search and the filter search. However, at the moment we're not totally sure how the search bar will evolve, so we want to leave any bigger refactors for later.
  We added a couple of basic tests for regressions that happened so far. We also have stories for the items from the action picker. Error handling will be added in an upcoming PR. Docs updates will be done in a separate PR as well.
  Co-authored-by: Rafał Cieślak <[email protected]>
* docs: correct mongodb atlas example config (#24041)
* Support SQL Server through RDS Proxy (#23600)
  * feat(db): add support for sqlserver rds proxy
  * chore(gomod): go mod tidy
  * chore(gomod): go mod tidy
  * chore(sqlserver): move params keys to constants
* Update RFD Template for security reviewers to include @jentfoo (#24010)
  * Update RFD Template for security @
    Add myself to the list of security reviewers.
  * Update rfd/0000-rfds.md
    Co-authored-by: Reed Loden <[email protected]>
  Co-authored-by: Reed Loden <[email protected]>
* Introduce `tsh bench kube` tool (#23781)
  This PR introduces a Kubernetes benchmark tool that allows us to test the Kubernetes access flow using a similar approach used for ssh. This PR renames the default SSH benchmark to `tsh bench ssh` while Kube benchmarks are available using `tsh bench kube`.
  Closes #23763
* helm: delete hook-related resource on re-apply (#24054)
  In case of a previously failed deployment this will allow users to attempt directly another chart release without having to delete the jobs. This behaviour is less awkward but might hide previous failures. We can legitimately expect users to monitor their own failures though.
* Docs: Remove Details block from tctl partial. (#24000)
  * remove details blocks in tctl partial
  * add bullet point when calling tctl partial
  * docs linter fixes
* Add MDM-related protobuf definitions (#23880)
  * Add device_data to CreateDeviceEnrollTokenRequest
  * Add definitions for the SyncInventory RPC
  * Add source to Device
  * Add profile to Device
  * Add profile information to DeviceCollectedData
  * Update generated protos
* update Makefile to use cargo sparse protocol in all cargo commands (#23856)
  * update Makefile to use cargo sparse protocol in all cargo commands
  * Adds a cargo version print to build-macos for debugging
  * uses the same setup steps for the rust and go toolchains as are being used in the similar enterprise workflow
  * Uses the prepare-toolchain-mac composite action in the build-macos.yaml workflow.
  * checkout e so that the prepare-toolchain-mac composite action is available
  * Fetch the correct e ref for the composite action
  * Attempts to checkout with submodules
  * fetch-depth: 0
  * seems that I can't get to teleport.e from the oss actions
  * updates bypass
  * testing ci
  * testing ci
  * testing for ci
  * fixing indentation
  * trying to get CI to actually run
  * fixing indentation
  * fixing lib/srv/desktop/rdp/rdpclient/client.go
* Bump Cloud SLA to 99.9% (#24076)
* Remove the Access Controls FAQ (#23997)
  Fixes #11829
  Teleport's Access Controls section is pretty sprawling, with 8 top-level subsections and 46 pages. The Access Controls FAQ, meanwhile, is unusually short, with only three questions. This can become misleading, since there's a good chance that any information someone is looking for in the FAQ will not exist there.
  This change removes the Access Controls FAQ. If an answer found in the FAQ does not exist explicitly elsewhere in the docs, I have added it.
* Discover: Add more database type event names (#23742)
  * Add unguided database event names
  * Add database doc event names
* Clarify how to decide undocumented style questions (#23999)
  Fixes #10716
  There are too many style rules for us to have a style guide entry for everything. We could use a professional style guide, e.g., the AP manual, but these usually require subscriptions, which isn't great for an open source documentation site. Instead, we can side with consistency within a single page.
* chore: Bump Go to 1.20.3 (#24060)
  * chore: Bump Go to 1.20.3
  * Run `make dronegen`
  * Update e/ reference
* Convert `tsh ssh` to use the proxy transport service instead of ssh (#23228)
  * Convert tsh ssh to use the proxy transport service instead of ssh
    In an effort to reduce latency establishing sessions `tsh ssh` is migrating away from connecting to the Proxy via SSH in favor of using gRPC.
The SSH handshakes with the Proxy increase latency in situations where the distance between geolocations of the client and Proxy are large. TLS handshakes used by the gRPC service have proven to reduce latency by ~20% in the same scenario. A new `lib/client.ClusterClient` has been introduced that should be used instead of `lib/client.ProxyClient` to connect to a Teleport cluster. Most of the functionality within the `ClusterClient` was a direct copy from the `ProxyClient`. The `lib/client.TeleportClient` now has a `ConnectToCluster` method which will connect to both the Proxy and Auth service via the `api/client.ProxyClient` which first attempts to use gRPC and reverts back to SSH to preserve backwards compatability. The `ClusterClient` should be passed around and reused instead of following the established pattern of `tc.ConnectToProxy` followed by a `proxy.ConnectToCluster` to get an `auth.ClientI`. Additionally some of the `agentless` package was refactored to reduce dependencies and allow it to work with connections to the Proxy that originated via gRPC instead of SSH. Changes to the integration tests are mostly to accomodate IP Pinning and ensure that it works for both connections established via SSH and gPRC. This is the final PR needed to complete #19812. 
* fix typos and unify span attributes * pass node name to ConnectToNode * simplify jump host resetting * DiscoverWeb: Emit events when clicking on unguided resources (#23746) * Rename following naming convention * Rename and add more db protocols * Define new events and add event names to resource spec * Emit events for unguided resources Also clear the loc state if the search bar was cleared to fix a weird quirk where when user goes back to the select resources screen, the preserved loc state applied filter again * Update tests * Add database doc event types * Remove deprecated web api routes (#24050) * Fix compilation errors after branch update --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Marco André Dinis <[email protected]> Co-authored-by: Gabriel Corado <[email protected]> Co-authored-by: Alex Fornuto <[email protected]> Co-authored-by: Tiago Silva <[email protected]> Co-authored-by: Roman Tkachenko <[email protected]> Co-authored-by: Alan Parra <[email protected]> Co-authored-by: rosstimothy <[email protected]> Co-authored-by: Justinas Stankevičius <[email protected]> Co-authored-by: Marek Smoliński <[email protected]> Co-authored-by: Hugo Shaka <[email protected]> Co-authored-by: Steven Martin <[email protected]> Co-authored-by: Zac Bergquist <[email protected]> Co-authored-by: Paul Gottschling <[email protected]> Co-authored-by: Tim Ross <[email protected]> Co-authored-by: Michael Wilson <[email protected]> Co-authored-by: Andrew Burke <[email protected]> Co-authored-by: Walt <[email protected]> Co-authored-by: Trent Clarke <[email protected]> Co-authored-by: Reed Loden <[email protected]> Co-authored-by: Cam Hutchison <[email protected]> Co-authored-by: Tobiasz Heller <[email protected]> Co-authored-by: Noah Stride <[email protected]> Co-authored-by: Gus Luxton <[email protected]> Co-authored-by: Rafał Cieślak <[email protected]> Co-authored-by: STeve (Xin) Huang <[email protected]> Co-authored-by: dependabot[bot] 
<49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-batcher[bot] <122306277+dependabot-batcher[bot]@users.noreply.github.com> Co-authored-by: Nic Klaassen <[email protected]> Co-authored-by: Brian Joerger <[email protected]> Co-authored-by: Yassine Bounekhla <[email protected]> Co-authored-by: Andrew LeFevre <[email protected]> Co-authored-by: Alex McGrath <[email protected]> Co-authored-by: Grzegorz Zdunek <[email protected]> Co-authored-by: Mike Jensen <[email protected]> Co-authored-by: Isaiah Becker-Mayer <[email protected]> Co-authored-by: Jim Bishopp <[email protected]> Co-authored-by: Lisa Kim <[email protected]> Co-authored-by: Michael <[email protected]>
Port last week's private security fixes to master from:
https://github.com/gravitational/teleport-private/pull/478
https://github.com/gravitational/teleport-private/pull/345
PRs for release branches were already submitted:
#23847
#23848
#23849