From 44470c0e21c0b076436255fdc983cb9c014a7beb Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Mon, 14 Oct 2024 07:48:28 -0400 Subject: [PATCH 1/4] docs: simplify machine-id getting started --- .../machine-id/getting-started.mdx | 40 +------------------ 1 file changed, 1 insertion(+), 39 deletions(-) diff --git a/docs/pages/enroll-resources/machine-id/getting-started.mdx b/docs/pages/enroll-resources/machine-id/getting-started.mdx index dfdaf84dc424..c6cf0168e429 100644 --- a/docs/pages/enroll-resources/machine-id/getting-started.mdx +++ b/docs/pages/enroll-resources/machine-id/getting-started.mdx @@ -49,17 +49,8 @@ Before you create a bot user, you need to determine which role(s) you want to assign to it. You can use the `tctl` command below to examine what roles exist on your system. - - On your client machine, log in to Teleport using `tsh`, then use `tctl` to examine what roles exist on your system. - - -Connect to the Teleport Auth Server and use `tctl` to examine what roles exist on -your system. - - - ```code $ tctl get roles --format=text 
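Review bot: the new single sentence drops the Cloud-tab prerequisite that the reader first log in with `tsh` on the client machine, so a reader who has not authenticated will have `tctl get roles` fail without the page having told them why; suggest keeping it, e.g. "On your client machine, log in to Teleport using `tsh`, then use the `tctl` command below to examine what roles exist on your system." Several of the removed lines render as empty here, presumably the tab markup; confirm the matching closing tags were removed with them and that no orphan remains further down the file outside this hunk.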
@@ -179,29 +170,10 @@ this by omitting this. Replace the following fields with values from your own cluster. - - - -- `token` is the token output by the `tctl bots add` command or the name of your IAM method token. -- `destination-dir` is where Machine ID writes user certificates that can be used by applications and tools. -- `data-dir` is where Machine ID writes its private data, including its own short-lived renewable certificates. These should not be used by applications and tools. -- `auth-server` is the address of your Teleport Cloud Proxy Server, for example `example.teleport.sh:443`. - - - - - `token` is the token output by the `tctl bots add` command or the name of your IAM method token. -- `ca-pin` is the CA Pin for your Teleport cluster, and is output by the `tctl bots add` command. - `destination-dir` is where Machine ID writes user certificates that can be used by applications and tools. - `data-dir` is where Machine ID writes its private data, including its own short-lived renewable certificates. These should not be used by applications and tools. -- `auth-server` is typically the address of your Teleport Proxy Server - (`teleport.example.com:443`), but can also be the address of the - Auth Server is direct connectivity is available. - `teleport.example.com:443`. - - - - +- `proxy-server` is the address of your Teleport Proxy service, for example `example.teleport.sh:443`. Now that Machine ID has successfully started, let's investigate the `/opt/machine-id` directory to see what was written to disk. 
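Review bot: the `ca-pin` bullet disappears with the self-hosted tab, but nothing in this hunk shows whether the `tctl bots add` command and the configuration example it explains were changed in the same PR; if they still produce or reference a CA pin, a self-hosted reader is left with a value the page no longer explains, so either keep the bullet or confirm the example above the list was switched to the `proxy-server` form. The new `proxy-server` bullet also uses `example.teleport.sh:443`, a Cloud-style hostname, while the removed self-hosted text used `teleport.example.com:443`; since this list now serves both editions, pick one placeholder and use it consistently.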
@@ -257,19 +229,9 @@ $ ssh -F /opt/machine-id/ssh_config root@node-name.example.com In addition to the `ssh` client you can use `tsh`. Replace the `--proxy` parameter with your proxy address. - - -```code -$ tsh ssh --proxy=teleport.example.com -i /opt/machine-id/identity root@node-name -``` - - ```code $ tsh ssh --proxy=mytenant.teleport.sh -i /opt/machine-id/identity root@node-name ``` - - - The below error can occur when the bot does not have permission to log in to From d0201f409ba8e005611217d8440a5210d018357e Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Mon, 14 Oct 2024 09:02:55 -0400 Subject: [PATCH 2/4] docs: update token joining desc for machine-id getting started --- docs/pages/enroll-resources/machine-id/getting-started.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/pages/enroll-resources/machine-id/getting-started.mdx b/docs/pages/enroll-resources/machine-id/getting-started.mdx index c6cf0168e429..98d5112046bb 100644 --- a/docs/pages/enroll-resources/machine-id/getting-started.mdx +++ b/docs/pages/enroll-resources/machine-id/getting-started.mdx @@ -74,7 +74,9 @@ database. For full details on how traits work in Teleport roles, see the [Teleport Access Controls Reference](../../reference/access-controls/roles.mdx). -Machine ID can join with a token or the [IAM Method](../agents/join-services-to-your-cluster/aws-iam.mdx) on AWS. +Machine ID can join with a token and multiple other join methods including the [IAM Method](../agents/join-services-to-your-cluster/aws-iam.mdx) on AWS. +Using the IAM Method and other non-token join methods allows for re-joining if Machine-ID certificates expire. Certificates expire by default +after an hour so a non-token method could be a better choice for machines that are shut down for long periods. Assuming that you are using the default `access` role, ensure that you use the `--logins` flag when adding your bot to specify the SSH logins that you wish to 
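Review bot: for the `@@ -257,19 +229,9 @@` hunk, deleting the self-hosted variant leaves `mytenant.teleport.sh` as the only `tsh ssh` example, a Cloud tenant name, while the `ssh -F` command in the context line above targets `root@node-name.example.com` and the kept command targets `root@node-name`; the two commands no longer read as the same session. Suggest a neutral placeholder (`--proxy=teleport.example.com`) and the same `node-name.example.com` host in both, since the sentence before them already tells the reader to substitute their own proxy address.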
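Review bot: in the PATCH 2 hunk the added text writes `Machine-ID` with a hyphen while the rest of the page, including the context line just above, uses `Machine ID`; fix the spelling. The paragraph also states a one-hour expiry as a bare default without naming the setting that controls it or linking the tbot configuration reference, and it implies but never says why token joining is the weaker choice: state explicitly what happens to a token-joined bot whose certificates have expired, since that is the reason for the recommendation. Wrap the new lines to the 80-column width of the surrounding prose as well.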
From e75602ab4e098463b79c80bc68914e82404278d8 Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Mon, 14 Oct 2024 09:29:33 -0400 Subject: [PATCH 3/4] Revert "docs: update token joining desc for machine-id getting started" This reverts commit 1731a26ae7b37ad6b9b2c27c8905df4c85d2d8af. this is being done in a separate pr on joining methods --- docs/pages/enroll-resources/machine-id/getting-started.mdx | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/pages/enroll-resources/machine-id/getting-started.mdx b/docs/pages/enroll-resources/machine-id/getting-started.mdx index 98d5112046bb..c6cf0168e429 100644 --- a/docs/pages/enroll-resources/machine-id/getting-started.mdx +++ b/docs/pages/enroll-resources/machine-id/getting-started.mdx @@ -74,9 +74,7 @@ database. For full details on how traits work in Teleport roles, see the [Teleport Access Controls Reference](../../reference/access-controls/roles.mdx). -Machine ID can join with a token and multiple other join methods including the [IAM Method](../agents/join-services-to-your-cluster/aws-iam.mdx) on AWS. -Using the IAM Method and other non-token join methods allows for re-joining if Machine-ID certificates expire. Certificates expire by default -after an hour so a non-token method could be a better choice for machines that are shut down for long periods. +Machine ID can join with a token or the [IAM Method](../agents/join-services-to-your-cluster/aws-iam.mdx) on AWS. Assuming that you are using the default `access` role, ensure that you use the `--logins` flag when adding your bot to specify the SSH logins that you wish to From b1dda8a77bc5041f52a2be72dd4d45069b2ffc41 Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Tue, 15 Oct 2024 09:48:38 -0400 Subject: [PATCH 4/4] docs: include note on k8s verbs in github actions for machine-id --- .../machine-id/deployment/github-actions.mdx | 7 +++++++ 1 file changed, 7 insertions(+) 
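Review bot: the revert hunk restores the earlier wording exactly, but the commit message cites `1731a26ae7b37ad6b9b2c27c8905df4c85d2d8af` while the commit it undoes appears in this series as `d0201f409ba8e005611217d8440a5210d018357e`, so the reference will not resolve once merged. Since PATCH 2 and PATCH 3 cancel each other out, dropping both from the series before merge leaves a cleaner history than carrying an add-then-revert pair.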
diff --git a/docs/pages/enroll-resources/machine-id/deployment/github-actions.mdx b/docs/pages/enroll-resources/machine-id/deployment/github-actions.mdx index ac013be01469..23d64e94cf83 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/github-actions.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment/github-actions.mdx @@ -277,6 +277,13 @@ spec: - editor ``` + +This example assumes the role is version `v6`. If you are using a `v7`+ role +you will need to include `verbs: ["get", "list"]` for the `kind: pod` section +in `kubernetes_resources`. Otherwise the example `kubectl get pods -A` execution +will be denied. + + With that privileges granted, you can now create the GitHub Actions workflow. Create `.github/workflows/example.yaml`:
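Review bot: the added note makes the reader infer the role version from prose; put an explicit `version:` line in the YAML example (the context shows only the tail of `spec:`), or show the `v7` form with `verbs: ["get", "list"]` on the `kind: pod` entry directly, since readers paste the example verbatim and the note itself says `kubectl get pods -A` is denied without those verbs. The new text is wrapped in two blank `+` lines on each side, which reads like a stripped admonition wrapper; confirm the intended markup survived. Drive-by in the trailing context line: "With that privileges granted" should read "With those privileges granted".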