Skip to content

B/v14.3.34#1

Open
Bogyie wants to merge 1213 commits into
b/v14.3.3from
b/v14.3.34
Open

B/v14.3.34#1
Bogyie wants to merge 1213 commits into
b/v14.3.3from
b/v14.3.34

Conversation

@Bogyie

@Bogyie Bogyie commented Dec 31, 2024

Copy link
Copy Markdown
Owner

No description provided.

strideynet and others added 30 commits August 7, 2024 07:54
This PR introduces validation to AWS regions in Access Graph Matchers.
It will prevent creating or updating discovery_configs with incorrect regions.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
…ravitational#45068)

* fix some events not getting converted to AuditEvents correctly

* test converting events

---------

Co-authored-by: Andrew LeFevre <Andrew LeFevre>
…`auth.Services` (gravitational#45058) (gravitational#45190)

* Simplify cache setup

* Remove client methods from auth.Services

* Update godoc comments

* Move accesspoint creation back

* Rename AccessCache -> Cache

* Small naming tweaks/signature tweaks suggested by Alan

* Add licensing header

* Try making configuration of services explicit
* docs: include description in role reference

* docs: update verbiage on example role description

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

---------

Co-authored-by: Steven Martin <stevenmartin@Stevens-MBP.fios-router.home>
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Update `e` ref for linux workflow release changes

* Release 14.3.23
Co-authored-by: GitHub <noreply@github.com>
…4+incompatible (gravitational#45310)

* Bump github.com/docker/docker from 26.1.1+incompatible to 26.1.4+incompatible (gravitational#44798)

* Bump github.com/docker/docker

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 26.1.1+incompatible to 26.1.4+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v26.1.1...v26.1.4)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* go mod tidy integrations

* Patch docker in examples/

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tim Ross <tim.ross@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Bump docker to v26.1.5

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tim Ross <tim.ross@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* docs: update backup and restore

* docs: update language used for tctl get all
…ccess (gravitational#45351)

* correcting role creation steps

* Update docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Set all gogo -M options

* Update generated protos
…l#45082)

* Updating from master

* Pinned version

* Updating to only be silent if passed in
Co-authored-by: Steven Martin <stevenmartin@Stevens-MBP.fios-router.home>
…5426)

* [v14] docs: expand internal/external trait reference

Backport gravitational#39545 to branch/v14

* fix links
Closes gravitational#24803

Show how to include the entity descriptor URL for OneLogin when
configuring the authentication connector. In `tctl sso configure`, the
flag is the same if you are using a URL or a local file.

The current guide includes a separate H3 for downloading the XML file.
This change uses a single set of numbered steps to make the instructions
easier to follow.
… (gravitational#45087)

* Update install script references to use CDN (gravitational#44838)

* Update link in main doc page

* Add back blank line at the end of `docs/config.json`

Co-authored-by: fheinecke <23390735+fheinecke@users.noreply.github.com>

---------

Co-authored-by: fheinecke <23390735+fheinecke@users.noreply.github.com>
* docs: include k8s in session_tracker reference

* docs: update session.participants verbiage

* docs: update verbiage for session_tracker.participants

---------

Co-authored-by: Steven Martin <stevenmartin@Stevens-MBP.fios-router.home>
mjsmithnh and others added 30 commits October 30, 2024 20:12
* Fix the RDP licensing flow on v14

Licenses are stored in-memory, so if the agent restarts it will be
forced to go through the "new license" flow for the first session.

* Store RDP licenses in a LRU cache instead of a HashMap

This ensures memory doesn't grow unbounded if we end up caching
a large number of licenses.
* Release 14.3.33

* docs: Add "keepalive" to spelling list

"keepalives" was already there, we just need the singular for a
changelog entry.
Co-authored-by: GitHub <noreply@github.com>
* Add auto-enroll troubleshooting to docs (gravitational#47681)

* Update version to v14.3.33
…al#48083)

* Add troubleshooting info to Usage and Billing page

Turn the section on validating usage data into the intro paragraph for a
troubleshooting section. We don't actually need to compare the usage
reporting system to audit events, and removing the comparison makes this
information concise enough for an introductory paragraph.

Add H2s for issues we have identified with usage reporting and billing
on self-hosted clusters.

* Fix grammar in the Usage/Billing guide
The test relied on the fact that AppSessionRequests did not
implement TrimToMaxSize. However, now that all events are forced
to implemement TrimToMaxSize the test was always failing. To fix
a wrapper around the event was added that overrides TrimToMaxSize
that does no trimming.
* Increasing timeout for pam tests

* Adding commentary
…l#48321) (gravitational#48386)

* [kube] use local image for kubernetes integration tests

This PR replaces the use of the `nginx:latest` Docker image in Kubernetes integration tests with a custom-built image based on `alpine:3.20.3`. This custom image includes a shell for `kubectl exec` integration tests and a compiled binary to act as an HTTP server.

This change addresses recent issues where test workflows failed due to problems downloading the `nginx` image.

* add information about the image

* source files from alpine cdn

* copy files from alpine

* Update fixtures/alpine/README.md



* Update fixtures/alpine/README.md



* source files from alpine cdn (again)

---------

Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Support double dash delimiter in tsh ssh

This PR extends the tsh ssh command by adding support for the
double dash (--) delimiter before remote commands (e.g.
`tsh ssh -- echo test`), aligning its behavior with the standard
ssh binary. This improves compatibility with tools that rely on the
standard ssh binary behavior, such as sshuttle.

Fixes gravitational#18453, gravitational#16589.

Signed-off-by: Tim Ross <tim.ross@goteleport.com>

* Support double dash delimiter in tsh ssh

This PR extends the tsh ssh command by adding support for the
double dash (--) delimiter before remote commands (e.g.
`tsh ssh -- echo test`), aligning its behavior with the standard
ssh binary. This improves compatibility with tools that rely on the
standard ssh binary behavior, such as sshuttle.

Fixes gravitational#18453, gravitational#16589.

Signed-off-by: Tim Ross <tim.ross@goteleport.com>

* fix: update tests

---------

Signed-off-by: Tim Ross <tim.ross@goteleport.com>
Co-authored-by: Samir Aguiar <sjorgedeaguiar@netskope.com>
Running markdown-lint in the Docusaurus site flags some issues that the
gravitational/docs markdown-lint configuration doesn't catch. This
change resolves these issues, fixing indentation and list item spacing.
* Simplify IsBoringCrypto

* fix-license for new files
…48577)

* helm: Add serviceAccountName to pre-deploy jobs

Fixes gravitational#48477

* Create separate serviceAccount resources for running pre-deploy hooks

* Clarification
…ravitational#48740)

This PR addresses a bug in Kubernetes session recordings where both the root proxy and the leaf cluster's Kubernetes services were recording the same session, resulting in the session being available in both clusters.

This behavior was inconsistent with other protocols, where recordings of leaf resources are only accessible in leaf clusters. To maintain consistency, this PR removes session recordings on the root clusters.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
…st-delete Jobs (gravitational#47748)

* teleport-kube-agent: Propagate resources to post-install and post-delete Jobs (gravitational#47677)

* Update snapshots

* Update snapshots
gravitational#48981)

Signed-off-by: Guntis Karulis <guntis.karulis@gmail.com>
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Guntis Karulis <guntis.karulis@gmail.com>
)

Backport gravitational#48723 to branch/v14

This is a partial backport since the signature algorithms reference page
does not exist pre-17.
The changes to the YubiHSM guide should be useful on any version.
…CD deployments to fail (gravitational#49071)

* teleport-cluster: Use separate SA in hooks when possible

* test that SAs are not created when hooks are disabled

* fix chart typos
The test was only waiting for a subset of services to be ready,
proceeding with the test, and then closing the process. This caused
a few problems that contributed to the flakiness. First, not calling
`process.Wait` resulted in some services still being active and
writing to the data directory while the testing framework was cleaning
up the temp directory. Second, adding the Wait alone, would cause
deadlocks because the test did not wait for all services to be
initialized and ready before shutting down.

In addition to making both of th changes above, the test was also
modified to reduce the number of services being launched to slightly
speed up the test.

Closes gravitational#46958.
…avitational#47954)

* Cache PIV connections to share across the program execution (gravitational#47091)

* Cache yubikey objects.

* Cache PIV connections to share across the program execution.

* Do not release the connection until `sign` returns

* Do not ignore errors

* Perform a "warm up" call to YubiKey

* Fix tests

* Use a specific interface to check if the key can be "warmed up"

* Allow abandoning `signer.Sign` call when context is canceled

* Make sure that the cached key is valid for the given private key policy

The reason for adding this check was failing `invalid key policies` test.

* Make `hardwareKeyWarmer` private

* Force callers to release connection

* Improve comments

* Fix lint

* Improve `connect` comment

* Fix race condition

* Simplify `release` logic

* Trigger license/cla

---------

Co-authored-by: joerger <bjoerger@goteleport.com>

(cherry picked from commit bd6fdbf)

* Sign a hashed message in hardware key warmup call (gravitational#48206)

Otherwise, signing may fail with "input must be a hashed message" error.

(cherry picked from commit 47494db)

* Remove delayed closing of yubikey connection to prevent the connection from leaking after program execution. (gravitational#48414)

(cherry picked from commit b7c0e79)

---------

Co-authored-by: Brian Joerger <bjoerger@goteleport.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.