From 640fdba8f4437a766cc638192a09e38e2da19e0a Mon Sep 17 00:00:00 2001 From: stevenGravy Date: Wed, 11 Dec 2024 15:55:42 -0500 Subject: [PATCH] rfd updates --- rfd/0054-passwordless-macos.md | 2 +- ...chine-id-token-join-method-bot-instance.md | 4 ++-- rfd/0167-debug-service.md | 2 +- rfd/0173-terraform-machine-id.md | 2 +- rfd/0178-github-proxy.md | 24 +++++++++---------- rfd/0182-multi-port-tcp-app-access.md | 2 +- rfd/0184-agent-auto-updates.md | 2 +- 7 files changed, 19 insertions(+), 19 deletions(-) diff --git a/rfd/0054-passwordless-macos.md b/rfd/0054-passwordless-macos.md index 15bf07a106f3d..3fd3ab88fc66c 100644 --- a/rfd/0054-passwordless-macos.md +++ b/rfd/0054-passwordless-macos.md @@ -389,7 +389,7 @@ allowed by Apple). It is likely possible to make use of those APIs for Teleport Cloud, but we would need a solution for other installations regardless. A final consequence of the above is that Passkey support (aka iCloud-stored -credentials) for CLIs is out of the roadmap for the forseeable future (but +credentials) for CLIs is out of the roadmap for the foreseeable future (but Passkeys _can_ be used for Safari-based access). References: diff --git a/rfd/0162-machine-id-token-join-method-bot-instance.md b/rfd/0162-machine-id-token-join-method-bot-instance.md index eb8eef6ab8921..f1419641aae0e 100644 --- a/rfd/0162-machine-id-token-join-method-bot-instance.md +++ b/rfd/0162-machine-id-token-join-method-bot-instance.md @@ -22,7 +22,7 @@ Terminology: - Bot instance: A single instance of `tbot` running on a host. This RFD proposes improvements to the management of fleets of Machine ID Bots. -These improvements are mostly targetted at on-prem deployments, where the +These improvements are mostly targeted at on-prem deployments, where the delegated join methods are not available. The improvements will focus on three points: 
@@ -564,7 +564,7 @@ Existing analytics for join, renewal and certificate generation should be extended to include the BotInstance ID anonymized. This will allow them to be linked together. -### Migration/Compatability +### Migration/Compatibility The "create if not exists" behaviour of the BotInstance resource will mean that existing Bot instances will have a BotInstance resource created on their first diff --git a/rfd/0167-debug-service.md b/rfd/0167-debug-service.md index 21a3f463521eb..335997b331349 100644 --- a/rfd/0167-debug-service.md +++ b/rfd/0167-debug-service.md @@ -197,7 +197,7 @@ $ teleport debug profile heap,goroutine > profile.tar.gz ### Security Items listed on this section are have their impact limited due to the fact that -the service will not be exposed outsite the machine/container running the +the service will not be exposed outside the machine/container running the Teleport instance. #### CPU and Memory consumption during profiling diff --git a/rfd/0173-terraform-machine-id.md b/rfd/0173-terraform-machine-id.md index ba07277f64d98..8a7f7f6663cda 100644 --- a/rfd/0173-terraform-machine-id.md +++ b/rfd/0173-terraform-machine-id.md @@ -176,7 +176,7 @@ $ terraform apply ... Please check if you have the rights to create role, bot and token resources. You might need to re-log in for new rights to take effect. (tsh logout --proxy="mytenant.teleport.sh:443" --user="hugo.hervieux@goteleport.com") ``` -- run a one-shot tbot to retrieve certificates via the bot for the terraformn role +- run a one-shot tbot to retrieve certificates via the bot for the terraform role - set the environment variable `TF_TELEPORT_IDENTITY_FILE_BASE64` - echo a user-friendly message containing the bot name and the certificate validity diff --git a/rfd/0178-github-proxy.md b/rfd/0178-github-proxy.md index 779afb737cc09..26609234fff0c 100644 --- a/rfd/0178-github-proxy.md +++ b/rfd/0178-github-proxy.md 
@@ -20,14 +20,14 @@ for GitHub repositories. GitHub Enterprise provides a security feature to bring your own SSH certificate authorities (CA). Once a CA is added, your organization can sign short-lived client SSH certificates to access organization resources on GitHub. You can -also require your memebers to use these SSH certificates, which disables Git +also require your members to use these SSH certificates, which disables Git access using personal tokens. The concept of short-lived SSH certificates to access organization resources aligns well with Teleport, where a Teleport user begins their day with a 'tsh' session, accessing only what their roleset permits. Teleport can also easily provide the capability to issue of short-lived client SSH certificates for -GitHub organzations so Teleport customers do not need to implement a separate +GitHub organizations so Teleport customers do not need to implement a separate system for issuing these certificates. Teleport also offers other GitHub-related features, such as [GitHub IAM @@ -185,14 +185,14 @@ $ tsh git clone git@github.com:my-org/my-repo.git The first `git` command (including the `clone`) will open a browser window to trigger the GitHub OAuth flow for Teleport to grab Bob's GitHub ID and -username. Once Bob sees "Login Successful" from the brower and goes back to his +username. Once Bob sees "Login Successful" from the browser and goes back to his terminal. The repo is cloned by now, and Bob can `cd` into the directory and perform regular `git` commands naturally, without using `tsh`. Bob can also find the "authorized" GitHub username in `tsh status` or `tsh git ls`. -On the second day (as the `tsh` session expiress), when Bob tries to `git +On the second day (as the `tsh` session expires), when Bob tries to `git fetch` from the repo, the command prompts to login into Teleport. The command proceeds as usual once Teleport login is successful. 
@@ -264,7 +264,7 @@ Charlie is an auditor and is able to see the audit events from Web UI: #### Alice wants to understand the available break glass options Alice, a system administrator, manages the Teleport cluster by checking -Terrafrom scripts and values into various GitHub repos. CI/CD then picks the +Terraform scripts and values into various GitHub repos. CI/CD then picks the changes and apply to the Teleport cluster. A change to the Terraform script may break the Teleport cluster and the GitHub @@ -275,7 +275,7 @@ at the organization level and does not want to allow it for security purpose. Alice still has a few options to access the organization repos when the GitHub proxy is unavailable: -- Alice can still logs into GitHub through a browser and make chnages there if +- Alice can still logs into GitHub through a browser and make changes there if necessary. - Alice can manually sign an user certificate according to [GitHub spec](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities#issuing-certificates). @@ -471,7 +471,7 @@ matched against the hidden label from the `git_server` resources. #### SSH transport Existing [SSH -transprt](https://github.com/gravitational/teleport/blob/master/rfd/0100-proxy-ssh-grpc.md) +transport](https://github.com/gravitational/teleport/blob/master/rfd/0100-proxy-ssh-grpc.md) is used for proxying Git commands. No change is necessary on the client side or on the GRPC protocol to support @@ -509,7 +509,7 @@ message GenerateGitHubUserCertRequest { bytes public_key = 2; // UserID is the GitHub user ID. string user_id = 3; - // KeyId is the certficate ID, usually the Teleport username. + // KeyId is the certificate ID, usually the Teleport username. string key_id = 4; // Ttl is the duration the certificate will be valid for. google.protobuf.Duration ttl = 5; 
@@ -548,7 +548,7 @@ hint: use 'tsh git clone ' to clone a new repository To forward SSH traffic from `git` to Teleport, the Git repo will be configured with [`core.sshCommand`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresshCommand) -set to `tsh git ssh --githb-org `. The `core.sshCommand` makes `git` to +set to `tsh git ssh --github-org `. The `core.sshCommand` makes `git` to call this command instead of `ssh`. `tsh git ssh` is a hidden command that basically does `tsh ssh @@ -565,7 +565,7 @@ In addition, `tsh` provides two helper commands to automatically configures make a clone. Before cloning, the GitHub organization is parsed from the ``, and a GitHub proxy server with its logins is retrieved matching the GitHub organization. If more than one GitHub logins are available, users -can expliclitly specify one using `--username` when running `tsh git clone`. +can explicitly specify one using `--username` when running `tsh git clone`. `tsh git config` checks Teleport-related configurations in the current Git dir by running `git config --local --default "" --get core.sshCommand`. @@ -633,7 +633,7 @@ message GitCommandAction { There is no heartbeats for `git_server` with subkind `github` (yet). -Exising `SessionStartEvent` will be expanded to include git metadata with +Existing `SessionStartEvent` will be expanded to include git metadata with `session_type` of `git`: ```grpc // SessionStartGitMetadata contains additional information about git commands. @@ -752,7 +752,7 @@ integration on each Auth service and combines all the keys. Support for Git servers should be implemented similar to how SSH is supported today for Machine ID. -As mentinoned earlier, since services like GitHub actions are not affected by +As mentioned earlier, since services like GitHub actions are not affected by this feature (by not using Teleport), Machine ID supported can be added after the MVP. 
diff --git a/rfd/0182-multi-port-tcp-app-access.md b/rfd/0182-multi-port-tcp-app-access.md index d8810689dd4a2..c6742e480e259 100644 --- a/rfd/0182-multi-port-tcp-app-access.md +++ b/rfd/0182-multi-port-tcp-app-access.md @@ -186,7 +186,7 @@ ports. ##### Embedding the port within SNI or an ALPN protocol -The port number could be included within TLS config on the client side, either as a special sudomain +The port number could be included within TLS config on the client side, either as a special subdomain in the SNI, e.g. `app-teleport-proxy-target-port-1337.teleport.cluster.local`, or a new ALPN protocol, say `teleport-tcp@1337`. diff --git a/rfd/0184-agent-auto-updates.md b/rfd/0184-agent-auto-updates.md index a204b424bef70..80cd666bec451 100644 --- a/rfd/0184-agent-auto-updates.md +++ b/rfd/0184-agent-auto-updates.md @@ -1656,7 +1656,7 @@ $ ls -l /usr/local/bin/teleport $ ls -l /usr/local/bin/teleport-update /usr/local/teleport/clusterA/bin/teleport-update -> /var/lib/teleport/install/clusterA/versions/15.0.0/bin/teleport-update $ ls -l /usr/local/lib/systemd/system/teleport-clusterA.service -/usr/local/lib/systemd/system/teleport-clutserA.service -> /var/lib/teleport/install/clusterA/versions/15.0.0/etc/systemd/teleport.service +/usr/local/lib/systemd/system/teleport-clusterA.service -> /var/lib/teleport/install/clusterA/versions/15.0.0/etc/systemd/teleport.service ``` ##### update.yaml
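Review bot: In rfd/0167-debug-service.md (hunk @@ -197,7), the context line directly above the "outside" fix still reads "Items listed on this section are have their impact limited". Suggest "Items listed in this section have their impact limited due to the fact that". This sentence scopes the whole Security section to a service that is not exposed outside the machine/container, so it is worth getting right in the same pass.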
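Review bot: In rfd/0178-github-proxy.md (hunk @@ -20,14), the context line directly above the "organizations" fix still has "provide the capability to issue of short-lived client SSH certificates". Drop the stray "of" so it reads "provide the capability to issue short-lived client SSH certificates for GitHub organizations".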
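Review bot: In rfd/0178-github-proxy.md (hunk @@ -185,14), the line corrected for "browser" is still a sentence fragment: "Once Bob sees "Login Successful" from the browser and goes back to his terminal." Suggest joining it to the next sentence with a comma ("... goes back to his terminal, the repo is cloned by now ..."). In the same hunk, "prompts to login into Teleport" would read better as "prompts to log in to Teleport".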
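Review bot: In rfd/0178-github-proxy.md (hunk @@ -275,7), the added line fixes "chnages" but keeps "Alice can still logs into GitHub". Suggest "Alice can still log into GitHub through a browser and make changes there if necessary." The following bullet in the same hunk has "manually sign an user certificate", which should be "a user certificate". These are the break-glass instructions, so readers are likely to follow them literally.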
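Review bot: In rfd/0178-github-proxy.md (hunk @@ -565,7), the line above the "explicitly" fix still reads "If more than one GitHub logins are available". Suggest "If more than one GitHub login is available, users can explicitly specify one using `--username`".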
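Review bot: In rfd/0178-github-proxy.md (hunk @@ -633,7), the first context line "There is no heartbeats for `git_server` with subkind `github` (yet)." has a subject-verb mismatch that this patch leaves in place. Suggest "There are no heartbeats for ...".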
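Review bot: In rfd/0178-github-proxy.md (hunk @@ -752,7), the sentence touched by the "mentioned" fix still ends with "Machine ID supported can be added after the MVP". Suggest "Machine ID support can be added after the MVP". The same sentence writes the product name as "GitHub actions"; "GitHub Actions" would match the product's own capitalization.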
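Review bot: In rfd/0184-agent-auto-updates.md (hunk @@ -1656,7), the context lines show the command `ls -l /usr/local/bin/teleport-update` followed by output for a different path, `/usr/local/teleport/clusterA/bin/teleport-update -> ...`. `ls -l` prints the path it was given, so either the command or the output line is inconsistent, in the same way the "clutserA" service line was. Please confirm which link location the RFD intends and align the two, since this listing documents where the updater's symlinks live.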