B/v14.3.34#1
Open
Bogyie wants to merge 1213 commits into
Open
Conversation
This PR introduces validation to AWS regions in Access Graph Matchers. It will prevent creating or updating discovery_configs with incorrect regions. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
…ravitational#45068) * fix some events not getting converted to AuditEvents correctly * test converting events --------- Co-authored-by: Andrew LeFevre <Andrew LeFevre>
…`auth.Services` (gravitational#45058) (gravitational#45190) * Simplify cache setup * Remove client methods from auth.Services * Update godoc comments * Move accesspoint creation back * Rename AccessCache -> Cache * Small naming tweaks/signature tweaks suggested by Alan * Add licensing header * Try making configuration of services explicit
* docs: include description in role reference * docs: update verbiage on example role description Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> --------- Co-authored-by: Steven Martin <stevenmartin@Stevens-MBP.fios-router.home> Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Update `e` ref for linux workflow release changes * Release 14.3.23
Co-authored-by: GitHub <noreply@github.com>
…ational#45314) introduced in https://github.com/gravitational/teleport/pull/18644/files but not docuemented
…4+incompatible (gravitational#45310) * Bump github.com/docker/docker from 26.1.1+incompatible to 26.1.4+incompatible (gravitational#44798) * Bump github.com/docker/docker Bumps [github.com/docker/docker](https://github.com/docker/docker) from 26.1.1+incompatible to 26.1.4+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v26.1.1...v26.1.4) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * go mod tidy integrations * Patch docker in examples/ --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tim Ross <tim.ross@goteleport.com> Co-authored-by: Alan Parra <alan.parra@goteleport.com> * Bump docker to v26.1.5 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tim Ross <tim.ross@goteleport.com> Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* docs: update backup and restore * docs: update language used for tctl get all
…ccess (gravitational#45351) * correcting role creation steps * Update docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> --------- Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Set all gogo -M options * Update generated protos
…l#45082) * Updating from master * Pinned version * Updating to only be silent if passed in
Co-authored-by: Steven Martin <stevenmartin@Stevens-MBP.fios-router.home>
…5426) * [v14] docs: expand internal/external trait reference Backport gravitational#39545 to branch/v14 * fix links
Closes gravitational#24803 Show how to include the entity descriptor URL for OneLogin when configuring the authentication connector. In `tctl sso configure`, the flag is the same if you are using a URL or a local file. The current guide includes a separate H3 for downloading the XML file. This change uses a single set of numbered steps to make the instructions easier to follow.
… (gravitational#45087) * Update install script references to use CDN (gravitational#44838) * Update link in main doc page * Add back blank line at the end of `docs/config.json` Co-authored-by: fheinecke <23390735+fheinecke@users.noreply.github.com> --------- Co-authored-by: fheinecke <23390735+fheinecke@users.noreply.github.com>
* docs: include k8s in session_tracker reference * docs: update session.participants verbiage * docs: update verbiage for session_tracker.participants --------- Co-authored-by: Steven Martin <stevenmartin@Stevens-MBP.fios-router.home>
* Fix the RDP licensing flow on v14 Licenses are stored in-memory, so if the agent restarts it will be forced to go through the "new license" flow for the first session. * Store RDP licenses in a LRU cache instead of a HashMap This ensures memory doesn't grow unbounded if we end up caching a large number of licenses.
Backport gravitational#37068 to branch/v14
* Release 14.3.33 * docs: Add "keepalive" to spelling list "keepalives" was already there, we just need the singular for a changelog entry.
Co-authored-by: GitHub <noreply@github.com>
* Add auto-enroll troubleshooting to docs (gravitational#47681) * Update version to v14.3.33
…s or password locks for managed teleport users (gravitational#48161)
…al#48083) * Add troubleshooting info to Usage and Billing page Turn the section on validating usage data into the intro paragraph for a troubleshooting section. We don't actually need to compare the usage reporting system to audit events, and removing the comparison makes this information concise enough for an introductory paragraph. Add H2s for issues we have identified with usage reporting and billing on self-hosted clusters. * Fix grammar in the Usage/Billing guide
The test relied on the fact that AppSessionRequests did not implement TrimToMaxSize. However, now that all events are forced to implemement TrimToMaxSize the test was always failing. To fix a wrapper around the event was added that overrides TrimToMaxSize that does no trimming.
* Increasing timeout for pam tests * Adding commentary
…l#48321) (gravitational#48386) * [kube] use local image for kubernetes integration tests This PR replaces the use of the `nginx:latest` Docker image in Kubernetes integration tests with a custom-built image based on `alpine:3.20.3`. This custom image includes a shell for `kubectl exec` integration tests and a compiled binary to act as an HTTP server. This change addresses recent issues where test workflows failed due to problems downloading the `nginx` image. * add information about the image * source files from alpine cdn * copy files from alpine * Update fixtures/alpine/README.md * Update fixtures/alpine/README.md * source files from alpine cdn (again) --------- Co-authored-by: Alan Parra <alan.parra@goteleport.com>
* Support double dash delimiter in tsh ssh This PR extends the tsh ssh command by adding support for the double dash (--) delimiter before remote commands (e.g. `tsh ssh -- echo test`), aligning its behavior with the standard ssh binary. This improves compatibility with tools that rely on the standard ssh binary behavior, such as sshuttle. Fixes gravitational#18453, gravitational#16589. Signed-off-by: Tim Ross <tim.ross@goteleport.com> * Support double dash delimiter in tsh ssh This PR extends the tsh ssh command by adding support for the double dash (--) delimiter before remote commands (e.g. `tsh ssh -- echo test`), aligning its behavior with the standard ssh binary. This improves compatibility with tools that rely on the standard ssh binary behavior, such as sshuttle. Fixes gravitational#18453, gravitational#16589. Signed-off-by: Tim Ross <tim.ross@goteleport.com> * fix: update tests --------- Signed-off-by: Tim Ross <tim.ross@goteleport.com> Co-authored-by: Samir Aguiar <sjorgedeaguiar@netskope.com>
Running markdown-lint in the Docusaurus site flags some issues that the gravitational/docs markdown-lint configuration doesn't catch. This change resolves these issues, fixing indentation and list item spacing.
* Simplify IsBoringCrypto * fix-license for new files
…48577) * helm: Add serviceAccountName to pre-deploy jobs Fixes gravitational#48477 * Create separate serviceAccount resources for running pre-deploy hooks * Clarification
…ravitational#48740) This PR addresses a bug in Kubernetes session recordings where both the root proxy and the leaf cluster's Kubernetes services were recording the same session, resulting in the session being available in both clusters. This behavior was inconsistent with other protocols, where recordings of leaf resources are only accessible in leaf clusters. To maintain consistency, this PR removes session recordings on the root clusters. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
…st-delete Jobs (gravitational#47748) * teleport-kube-agent: Propagate resources to post-install and post-delete Jobs (gravitational#47677) * Update snapshots * Update snapshots
gravitational#48981) Signed-off-by: Guntis Karulis <guntis.karulis@gmail.com> Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> Co-authored-by: Guntis Karulis <guntis.karulis@gmail.com>
) Backport gravitational#48723 to branch/v14 This is a partial backport since the signature algorithms reference page does not exist pre-17. The changes to the YubiHSM guide should be useful on any version.
…CD deployments to fail (gravitational#49071) * teleport-cluster: Use separate SA in hooks when possible * test that SAs are not created when hooks are disabled * fix chart typos
The test was only waiting for a subset of services to be ready, proceeding with the test, and then closing the process. This caused a few problems that contributed to the flakiness. First, not calling `process.Wait` resulted in some services still being active and writing to the data directory while the testing framework was cleaning up the temp directory. Second, adding the Wait alone, would cause deadlocks because the test did not wait for all services to be initialized and ready before shutting down. In addition to making both of th changes above, the test was also modified to reduce the number of services being launched to slightly speed up the test. Closes gravitational#46958.
…avitational#47954) * Cache PIV connections to share across the program execution (gravitational#47091) * Cache yubikey objects. * Cache PIV connections to share across the program execution. * Do not release the connection until `sign` returns * Do not ignore errors * Perform a "warm up" call to YubiKey * Fix tests * Use a specific interface to check if the key can be "warmed up" * Allow abandoning `signer.Sign` call when context is canceled * Make sure that the cached key is valid for the given private key policy The reason for adding this check was failing `invalid key policies` test. * Make `hardwareKeyWarmer` private * Force callers to release connection * Improve comments * Fix lint * Improve `connect` comment * Fix race condition * Simplify `release` logic * Trigger license/cla --------- Co-authored-by: joerger <bjoerger@goteleport.com> (cherry picked from commit bd6fdbf) * Sign a hashed message in hardware key warmup call (gravitational#48206) Otherwise, signing may fail with "input must be a hashed message" error. (cherry picked from commit 47494db) * Remove delayed closing of yubikey connection to prevent the connection from leaking after program execution. (gravitational#48414) (cherry picked from commit b7c0e79) --------- Co-authored-by: Brian Joerger <bjoerger@goteleport.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.