Skip to content

Commit

Permalink
Merge branch 'tcsc/idc-ui-changes' of github.com:gravitational/telepo…
Browse files Browse the repository at this point in the history
…rt into tcsc/idc-ui-changes
  • Loading branch information
flyinghermit committed Dec 5, 2024
2 parents 09bfc8a + 50efca3 commit 38d0845
Show file tree
Hide file tree
Showing 580 changed files with 28,658 additions and 14,938 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/build-ci-service-images.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -38,13 +38,13 @@ jobs:

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

- name: Build etcd image
id: docker_build
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: ${{ github.workspace }}
file: .github/services/Dockerfile.etcd
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/build-usage-image.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
with:
registry-type: public
# Build and publish container image on ECR.
- uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
- uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: "examples/teleport-usage"
tags: public.ecr.aws/gravitational/teleport-usage:${{ steps.version.outputs.version }}
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/dependency-review.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,4 +25,5 @@ jobs:
pkg:cargo/asn1-rs,
pkg:cargo/asn1-rs-derive,
pkg:cargo/asn1-rs-impl,
pkg:cargo/der-parser
pkg:cargo/der-parser,
pkg:npm/prettier
2 changes: 1 addition & 1 deletion .github/workflows/lint.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -203,7 +203,7 @@ jobs:
- name: Print linter versions
run: |
echo "BUF_VERSION=$BUF_VERSION"
- uses: bufbuild/buf-setup-action@5d38b66514ec5b6b7b753e133245555ea664d0ac # v1.46.0
- uses: bufbuild/buf-setup-action@9672cee01808979ea1249f81d6d321217b9a10f6 # v1.47.2
with:
github_token: ${{ github.token }}
version: ${{ env.BUF_VERSION }}
Expand Down
39 changes: 29 additions & 10 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,24 @@
# Changelog

## 18.0.0 (xx/xx/xx)

### Breaking changes

#### TLS Cipher Suites

TLS cipher suites with known security issues can no longer be manually
configured in the Teleport YAML configuration file.
If you do not explicitly configure any of the listed TLS cipher suites, you are
not affected by this change.
Teleport 18 removes support for:
- `tls-rsa-with-aes-128-cbc-sha`
- `tls-rsa-with-aes-256-cbc-sha`
- `tls-rsa-with-aes-128-cbc-sha256`
- `tls-rsa-with-aes-128-gcm-sha256`
- `tls-rsa-with-aes-256-gcm-sha384`
- `tls-ecdhe-ecdsa-with-aes-128-cbc-sha256`
- `tls-ecdhe-rsa-with-aes-128-cbc-sha256`

## 16.0.0 (xx/xx/xx)

### Breaking changes
Expand Down Expand Up @@ -37,10 +56,10 @@ more details.

#### Default keyboard shortcuts in Teleport Connect have been changed

On Windows and Linux, some of the default shortcuts conflicted with the default bash or nano shortcuts
On Windows and Linux, some of the default shortcuts conflicted with the default bash or nano shortcuts
(e.g. Ctrl + E, Ctrl + K).
On those platforms, the default shortcuts have been changed to a combination of Ctrl + Shift + *.
We also updated the shortcut to open a new terminal on macOS to Control + Shift + \`.
We also updated the shortcut to open a new terminal on macOS to Control + Shift + \`.
See [configuration](docs/pages/connect-your-client/teleport-connect.mdx#configuration)
for the current list of shortcuts.

Expand Down Expand Up @@ -152,8 +171,8 @@ or use PAM.

#### Remove restricted sessions for SSH

The restricted session feature for SSH has been deprecated since Teleport 14 and
has been removed in Teleport 15. We recommend implementing network restrictions
The restricted session feature for SSH has been deprecated since Teleport 14 and
has been removed in Teleport 15. We recommend implementing network restrictions
outside of Teleport (iptables, security groups, etc).

#### Packages no longer published to legacy Debian and RPM repos
Expand Down Expand Up @@ -200,7 +219,7 @@ throughout the remainder of these releases' lifecycle.

##### Helm cluster chart FIPS mode changes

The teleport-cluster chart no longer uses versionOverride and extraArgs to set FIPS mode.
The teleport-cluster chart no longer uses versionOverride and extraArgs to set FIPS mode.

Instead, you should use the following values file configuration:
```
Expand Down Expand Up @@ -277,7 +296,7 @@ used with the legacy AMIs has been removed.
Due to the new separate operator deployment, the operator is deployed by a subchart.
This causes the following breaking changes:
- `installCRDs` has been replaced by `operator.installCRDs`
- `teleportVersionOverride` does not set the operator version anymore, you must
- `teleportVersionOverride` does not set the operator version anymore, you must
use `operator.teleportVersionOverride` to override the operator version.

Note: version overrides are dangerous and not recommended. Each chart version
Expand All @@ -290,7 +309,7 @@ The chart configures this for you since v12, unless you disabled `rbac` creation

##### Helm cluster chart FIPS mode changes

The teleport-cluster chart no longer uses versionOverride and extraArgs to set FIPS mode.
The teleport-cluster chart no longer uses versionOverride and extraArgs to set FIPS mode.

Instead, you should use the following values file configuration:

Expand Down Expand Up @@ -340,7 +359,7 @@ Teleport 14 brings the following new major features and improvements:
- Support for TLS routing in Terraform deployment examples
- Discord and ServiceNow hosted plugins
- Limited passwordless access for local Windows users in Teleport Community
Edition
Edition
- Machine ID: Kubernetes Secret destination

In addition, this release includes several changes that affect existing
Expand Down Expand Up @@ -413,7 +432,7 @@ audit logging support.

See documentation on how to configure it in the [Oracle guide](docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/oracle-self-hosted.mdx).

#### Limited passwordless access for local Windows users in Teleport Community Edition
#### Limited passwordless access for local Windows users in Teleport Community Edition

In Teleport 14, access to Windows desktops with local Windows users has been
extended to Community Edition. Teleport will permit users to register and
Expand Down Expand Up @@ -3291,7 +3310,7 @@ auth_service:
# EXPERIMENTAL *-sync modes: proxy and node send logs directly to S3 or other
# storage without storing the records on disk at all. This mode will kill a
# connection if network connectivity is lost.
# NOTE: These experimental modes require all Teleport Auth Service instances,
# NOTE: These experimental modes require all Teleport Auth Service instances,
# Proxy Service instances, and nodes to be running Teleport 4.4.
#
# "node-sync" : sessions recording will be streamed from node -> auth -> storage
Expand Down
55 changes: 39 additions & 16 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion api/accessrequest/access_request.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ func GetResourceDetails(ctx context.Context, clusterName string, lister client.L
// We're interested in hostname or friendly name details. These apply to
// nodes, app servers, and user groups.
switch resourceID.Kind {
case types.KindNode, types.KindApp, types.KindUserGroup:
case types.KindNode, types.KindApp, types.KindUserGroup, types.KindIdentityCenterAccount:
resourceIDs = append(resourceIDs, resourceID)
}
}
Expand Down
16 changes: 13 additions & 3 deletions api/client/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ import (
"github.com/gravitational/teleport/api/client/discoveryconfig"
"github.com/gravitational/teleport/api/client/dynamicwindows"
"github.com/gravitational/teleport/api/client/externalauditstorage"
gitserverclient "github.com/gravitational/teleport/api/client/gitserver"
kubewaitingcontainerclient "github.com/gravitational/teleport/api/client/kubewaitingcontainer"
"github.com/gravitational/teleport/api/client/okta"
"github.com/gravitational/teleport/api/client/proto"
Expand All @@ -77,7 +78,7 @@ import (
discoveryconfigv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/discoveryconfig/v1"
dynamicwindowsv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/dynamicwindows/v1"
externalauditstoragev1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/externalauditstorage/v1"
gitserverv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/gitserver/v1"
gitserverpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/gitserver/v1"
identitycenterv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/identitycenter/v1"
integrationpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1"
kubeproto "github.com/gravitational/teleport/api/gen/proto/go/teleport/kube/v1"
Expand Down Expand Up @@ -3807,6 +3808,8 @@ func (c *Client) ListResources(ctx context.Context, req proto.ListResourcesReque
resources[i] = respResource.GetAppServerOrSAMLIdPServiceProvider()
case types.KindSAMLIdPServiceProvider:
resources[i] = respResource.GetSAMLIdPServiceProvider()
case types.KindIdentityCenterAccount:
resources[i] = respResource.GetAppServer()
default:
return nil, trace.NotImplemented("resource type %s does not support pagination", req.ResourceType)
}
Expand Down Expand Up @@ -3896,6 +3899,8 @@ func convertEnrichedResource(resource *proto.PaginatedResource) (*types.Enriched
return &types.EnrichedResource{ResourceWithLabels: r, Logins: resource.Logins, RequiresRequest: resource.RequiresRequest}, nil
} else if r := resource.GetSAMLIdPServiceProvider(); r != nil {
return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
} else if r := resource.GetGitServer(); r != nil {
return &types.EnrichedResource{ResourceWithLabels: r, RequiresRequest: resource.RequiresRequest}, nil
} else {
return nil, trace.BadParameter("received unsupported resource %T", resource.Resource)
}
Expand Down Expand Up @@ -4876,8 +4881,8 @@ func (c *Client) UserTasksServiceClient() *usertaskapi.Client {
}

// GitServerClient returns a client for managing git servers
func (c *Client) GitServerClient() gitserverv1.GitServerServiceClient {
return gitserverv1.NewGitServerServiceClient(c.conn)
func (c *Client) GitServerClient() *gitserverclient.Client {
return gitserverclient.NewClient(gitserverpb.NewGitServerServiceClient(c.conn))
}

// GetCertAuthority retrieves a CA by type and domain.
Expand Down Expand Up @@ -5196,3 +5201,8 @@ func (c *Client) IdentityCenterClient() identitycenterv1.IdentityCenterServiceCl
func (c *Client) ProvisioningServiceClient() provisioningv1.ProvisioningServiceClient {
return provisioningv1.NewProvisioningServiceClient(c.conn)
}

// IntegrationsClient returns integrations client.
func (c *Client) IntegrationsClient() integrationpb.IntegrationServiceClient {
return c.integrationsClient()
}
2 changes: 2 additions & 0 deletions api/client/credentials_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -471,6 +471,7 @@ func TestDynamicIdentityFileCreds(t *testing.T) {
require.NoError(t, err)
wantTLSCert, err := tls.X509KeyPair(tlsCert, keyPEM)
require.NoError(t, err)
wantTLSCert.Leaf = nil
require.Equal(t, wantTLSCert, *gotTLSCert)

expiry, ok := cred.Expiry()
Expand Down Expand Up @@ -529,6 +530,7 @@ func TestDynamicIdentityFileCreds(t *testing.T) {
require.NoError(t, err)
wantTLSCert, err = tls.X509KeyPair(secondTLSCertPem, keyPEM)
require.NoError(t, err)
wantTLSCert.Leaf = nil
require.Equal(t, wantTLSCert, *gotTLSCert)

expiry, ok = cred.Expiry()
Expand Down
7 changes: 7 additions & 0 deletions api/client/events.go
Original file line number Diff line number Diff line change
Expand Up @@ -343,6 +343,10 @@ func EventToGRPC(in types.Event) (*proto.Event, error) {
out.Resource = &proto.Event_AccessListReview{
AccessListReview: accesslistv1conv.ToReviewProto(r),
}
case *types.PluginStaticCredentialsV1:
out.Resource = &proto.Event_PluginStaticCredentials{
PluginStaticCredentials: r,
}
default:
return nil, trace.BadParameter("resource type %T is not supported", in.Resource)
}
Expand Down Expand Up @@ -609,6 +613,9 @@ func EventFromGRPC(in *proto.Event) (*types.Event, error) {
} else if r := in.GetIdentityCenterAccountAssignment(); r != nil {
out.Resource = types.Resource153ToLegacy(r)
return &out, nil
} else if r := in.GetPluginStaticCredentials(); r != nil {
out.Resource = r
return &out, nil
} else {
return nil, trace.BadParameter("received unsupported resource %T", in.Resource)
}
Expand Down
Loading

0 comments on commit 38d0845

Please sign in to comment.