Merge branch 'branch/v14' into bot/backport-46212-branch/v14

gravitational · Sep 4, 2024 · 7b37645 · 7b37645
2 parents 5e1244f + 42ce406
commit 7b37645
Show file tree

Hide file tree

Showing 21 changed files with 2,967 additions and 921 deletions.
diff --git a/.github/workflows/unit-tests-integrations.yaml b/.github/workflows/unit-tests-integrations.yaml
@@ -11,6 +11,8 @@ on:
       - '/go.mod'
       - '/go.sum'
       - 'integrations/**'
+      - 'api/proto/**'
+      - 'proto/**'
       - 'api/types/**'
       - 'gen/**'
       - 'lib/tbot/**'

diff --git a/buf-connect-go.gen.yaml b/buf-connect-go.gen.yaml
@@ -1,22 +1,28 @@
-version: v1
+version: v2
+
+inputs:
+  - directory: .
+    paths:
+      - proto/prehog/
+
 managed:
   enabled: true
-  go_package_prefix:
-    default: github.com/gravitational/teleport/gen/proto/go
+  override:
+    - file_option: go_package_prefix
+      value: github.com/gravitational/teleport/gen/proto/go
+
 plugins:
-  - name: go
-    strategy: all
-    path:
+  - local:
       - go
       - run
       - google.golang.org/protobuf/cmd/protoc-gen-go
     out: .
     opt: module=github.com/gravitational/teleport
-  - name: connect-go
     strategy: all
-    path:
+  - local:
       - go
       - run
       - connectrpc.com/connect/cmd/protoc-gen-connect-go
     out: .
     opt: module=github.com/gravitational/teleport
+    strategy: all
diff --git a/buf-go.gen.yaml b/buf-go.gen.yaml
@@ -1,24 +1,40 @@
-version: v1
+version: v2
+
+inputs:
+  - directory: .
+    exclude_paths:
+      # generated by buf-gogo.gen.yaml
+      - api/proto/teleport/attestation/
+      - api/proto/teleport/legacy/
+      - api/proto/teleport/usageevents/
+      - proto/teleport/lib/web/terminal/envelope.proto
+      # generated by buf-connect-go.gen.yaml
+      - proto/prehog/
+  - directory: .
+    paths:
+      # excluded by buf-gogo.gen.yaml
+      - api/proto/teleport/legacy/client/proto/event.proto
+
 plugins:
-  - name: go
-    strategy: all
-    path:
+  - local:
       - go
       - run
       - google.golang.org/protobuf/cmd/protoc-gen-go
     out: .
     opt:
       - module=github.com/gravitational/teleport
-      # needed by teleport/lib/teleterm/v1/usage_events.proto
+      # needed by teleport/lib/teleterm/v1/usage_events.proto because we use
+      # managed mode for the go package name there
       - Mprehog/v1alpha/connect.proto=github.com/gravitational/teleport/gen/proto/go/prehog/v1alpha;prehogv1alpha
-  - name: go-grpc
     strategy: all
-    path:
+  - local:
       - go
       - run
       - google.golang.org/grpc/cmd/protoc-gen-go-grpc
     out: .
     opt:
       - module=github.com/gravitational/teleport
-      # needed by teleport/lib/teleterm/v1/usage_events.proto
+      # needed by teleport/lib/teleterm/v1/usage_events.proto because we use
+      # managed mode for the go package name there
       - Mprehog/v1alpha/connect.proto=github.com/gravitational/teleport/gen/proto/go/prehog/v1alpha;prehogv1alpha
+    strategy: all
diff --git a/buf-gogo.gen.yaml b/buf-gogo.gen.yaml
@@ -1,6 +1,18 @@
-version: v1
+version: v2
+
+inputs:
+  - directory: .
+    paths:
+      - api/proto/teleport/attestation/
+      - api/proto/teleport/legacy/
+      - api/proto/teleport/usageevents/
+      - proto/teleport/lib/web/terminal/envelope.proto
+    exclude_paths:
+      # generated by buf-go.gen.yaml
+      - api/proto/teleport/legacy/client/proto/event.proto
+
 plugins:
-  - name: gogofast
+  - local: protoc-gen-gogofast
     out: ./gogogen
     opt:
       - Mgoogle/protobuf/any.proto=github.com/gogo/protobuf/types

diff --git a/buf-js.gen.yaml b/buf-js.gen.yaml
@@ -1,21 +1,30 @@
-version: v1
+version: v2
+
+inputs:
+  - directory: .
+    paths:
+      - api/proto/teleport/accesslist/
+      - api/proto/teleport/header/
+      - api/proto/teleport/trait/
+      - proto/prehog/
+      - proto/teleport/lib/teleterm/
+
 plugins:
   # https://github.com/protocolbuffers/protobuf/tree/v3.20.1/js
-  - name: js
-    strategy: all
+  - protoc_builtin: js
     out: gen/proto/js
     opt:
       - import_style=commonjs,binary
+    strategy: all
 
   # https://github.com/grpc/grpc-node/tree/grpc-tools%401.12.4/packages/grpc-tools/
-  - name: grpc
-    strategy: all
+  - local: grpc_tools_node_protoc_plugin
     out: gen/proto/js
     opt: grpc_js
-    path: grpc_tools_node_protoc_plugin
+    strategy: all
 
   # https://github.com/agreatfool/grpc_tools_node_protoc_ts/tree/v5.3.2
-  - name: ts
-    strategy: all
+  - local: protoc-gen-ts
     out: gen/proto/js
     opt: "service=grpc-node"
+    strategy: all
diff --git a/build.assets/genproto.sh b/build.assets/genproto.sh
@@ -42,41 +42,18 @@ main() {
   # this for us (and which is what we use for the non-gogo protogen).
   rm -fr gogogen
   trap 'rm -fr gogogen' EXIT # don't leave files behind
-  echoed buf generate --template=buf-gogo.gen.yaml \
-    --path=api/proto/teleport/legacy/ \
-    --path=api/proto/teleport/attestation/ \
-    --path=api/proto/teleport/usageevents/ \
-    --path=proto/teleport/lib/web/terminal/envelope.proto \
-    --exclude-path=api/proto/teleport/legacy/client/proto/event.proto
+  echoed buf generate --template=buf-gogo.gen.yaml
   cp -r gogogen/github.com/gravitational/teleport/. .
   # error out if there's anything outside of github.com/gravitational/teleport
   rm -fr gogogen/github.com/gravitational/teleport
   rmdir gogogen/github.com/gravitational gogogen/github.com gogogen
 
-  # Generate protoc-gen-go protos (preferred).
-  echoed buf generate --template=buf-go.gen.yaml \
-    --exclude-path=api/proto/teleport/legacy/ \
-    --exclude-path=api/proto/teleport/attestation/ \
-    --exclude-path=api/proto/teleport/usageevents/ \
-    --exclude-path=proto/teleport/lib/web/terminal/envelope.proto \
-    --exclude-path=proto/prehog/
-
-  # Generate event.proto separately because we only want to run it on this
-  # one particular file in legacy.
-  echoed buf generate --template=buf-go.gen.yaml \
-    --path=api/proto/teleport/legacy/client/proto/event.proto
-
-  # Generate connect-go protos.
-  echoed buf generate --template=buf-connect-go.gen.yaml \
-    --path=proto/prehog/
+  # Generate go, go-grpc and connect-go protos (preferred).
+  echoed buf generate --template=buf-go.gen.yaml
+  echoed buf generate --template=buf-connect-go.gen.yaml
 
   # Generate JS protos.
-  [[ $skip_js -eq 0 ]] && echoed buf generate --template=buf-js.gen.yaml \
-    --path=proto/prehog/ \
-    --path=proto/teleport/lib/teleterm/ \
-    --path=api/proto/teleport/accesslist/ \
-    --path=api/proto/teleport/trait/ \
-    --path=api/proto/teleport/header/
+  [[ $skip_js -eq 0 ]] && echoed buf generate --template=buf-js.gen.yaml
 }
 
 main "$@"
diff --git a/docs/pages/admin-guides/management/admin/trustedclusters.mdx b/docs/pages/admin-guides/management/admin/trustedclusters.mdx
@@ -3,6 +3,10 @@ title: Configure Trusted Clusters
 description: Explains how you can configure a trust relationship and manage access between two Teleport clusters.
 ---
 
+<Admonition type="note">
+Trusted clusters are only available for self-hosted Teleport clusters.
+</Admonition>
+
 As you learned in [Core Concepts](../../../core-concepts.mdx), a Teleport cluster
 consists of the Teleport Auth Service, the Teleport Proxy Service, and the 
 Teleport services that manage access to resources in your infrastructure.

diff --git a/docs/pages/admin-guides/management/guides/ssh-key-extensions.mdx b/docs/pages/admin-guides/management/guides/ssh-key-extensions.mdx
@@ -17,7 +17,7 @@ Teleport supports exporting user SSH certificates with configurable key extensio
 In order to export the Teleport CA, execute the following command, assigning <Var name="proxy" /> to the address of your Teleport Proxy Service:
 
 ```code
-$ curl 'https://<Var name="proxy"/>/webapi/auth/export?type=user' | sed 's/^cert-authority //g'
+$ curl 'https://<Var name="proxy" />/webapi/auth/export?type=user' | sed 's/^cert-authority //g'
 ```
 
 Next, follow the instructions in the guide below to import your Teleport CA into GitHub:
@@ -48,14 +48,23 @@ spec:
 
 ## Step 3/3. Issue a user certificate
 
-A user certificate may be issued with the following command, where `<USERNAME>` is the Teleport user to generate the SSH certificate for:
+When you authenticated to Teleport to assume the `developer` role we defined
+earlier, Teleport added the certificate extensions you configured to your user
+certificate. You can then refer to this path in your local SSH configuration.
+
+For convenience, open a terminal and assign an environment variable to the
+location of your user certificate. Replace <Var name="example.teleport.sh" /> with
+the domain name of your Teleport cluster and <Var name="myuser" /> with the name
+of your Teleport user:
+
 ```code
-$ tctl auth sign --out out.cer --user=<USERNAME>
+$ export TELEPORT_CERT=~/.tsh/keys/<Var name="example.teleport.sh" />/<Var name="myuser" />-ssh/<Var name="example.teleport.sh" />-cert.pub
 ```
 
 To test that authentication with this signed certificate is working correctly, SSH into `github.com` with your organization's user:
+
 ```code
-$ ssh -i out.cer org-<ID>@github.com
+$ ssh -i $TELEPORT_CERT org-<ID>@github.com
 ```
 If authentication is successful,  a "You've successfully authenticated" message should be displayed in the terminal.
 
@@ -64,7 +73,7 @@ This newly generated certificate may then be used when interacting with GitHub o
 ```code
 Host github.com
  HostName github.com
- IdentityFile path/to/out.cer
+ IdentityFile path/to/cert.pub
 ```
 
 When using SSH Certificate Authorities, you should retrieve your GitHub repository's SSH URL from the GitHub UI so the correct SSH user is used for authentication. For more information, see [About SSH URLs with SSH certificates](https://docs.github.com/en/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities#about-ssh-urls-with-ssh-certificates).
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_githubconnectors.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_githubconnectors.yaml
@@ -42,6 +42,20 @@ spec:
               client_id:
                 description: ClientID is the Github OAuth app client ID.
                 type: string
+              client_redirect_settings:
+                description: ClientRedirectSettings defines which client redirect
+                  URLs are allowed for non-browser SSO logins other than the standard
+                  localhost ones.
+                nullable: true
+                properties:
+                  allowed_https_hostnames:
+                    description: a list of hostnames allowed for https client redirect
+                      URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                type: object
               client_secret:
                 description: ClientSecret is the Github OAuth app client secret.
                 type: string

diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oidcconnectors.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oidcconnectors.yaml
@@ -67,6 +67,20 @@ spec:
                 description: ClientID is the id of the authentication client (Teleport
                   Auth server).
                 type: string
+              client_redirect_settings:
+                description: ClientRedirectSettings defines which client redirect
+                  URLs are allowed for non-browser SSO logins other than the standard
+                  localhost ones.
+                nullable: true
+                properties:
+                  allowed_https_hostnames:
+                    description: a list of hostnames allowed for https client redirect
+                      URLs
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                type: object
               client_secret:
                 description: ClientSecret is used to authenticate the client.
                 type: string