Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v16] Remove v13 mentions in the docs #50893

Merged
merged 2 commits into from
Jan 9, 2025
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,6 @@ token, and removing a trusted device.

(!docs/pages/includes/device-trust/prereqs.mdx!)

- For clusters created after v13.3.6, Teleport supports the preset `device-admin`
role to manage devices.

## Register a trusted device

The `tctl` tool is used to manage the device inventory. A device admin is
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,11 +35,10 @@ by the `device_trust_mode` authentication setting:

(!docs/pages/includes/device-trust/prereqs.mdx!)

- We expect your Teleport cluster to be on version 13.3.6 and above, which has
the preset `require-trusted-device` role. The preset `require-trusted-device`
role does not enforce the use of a trusted device for
[Apps](#app-access-support) or [Desktops](#desktop-access-support). Refer to
their corresponding sections for instructions.
This guide makes use of the preset `require-trusted-device` role, which does not
enforce the use of a trusted device for [Apps](#app-access-support) or
[Desktops](#desktop-access-support). Refer to their corresponding sections for
instructions.

## Role-based trusted device enforcement

Expand Down
48 changes: 4 additions & 44 deletions docs/pages/admin-guides/access-controls/device-trust/guide.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -45,46 +45,6 @@ protected with Teleport.
root@(=clusterDefaults.nodeIP=):~#
```

<Details type="warning" title="Teleport v13.3.5 and Below">
The preset `require-trusted-device` role, as referenced in this guide, is only available
from Teleport version 13.3.6 and above. For older Teleport cluster, you will need to update
a role with `device_trust_mode: required`.

For simplicity, the example below updates the preset `access` role but you can update
any existing access granting role which the user is assigned with to enforce Device Trust.

First, fetch a role so you can update it locally:
```code
$ tctl edit role/access
```

Edit the role with Device Trust mode:
```diff
kind: role
metadata:
labels:
teleport.internal/resource-type: preset
name: access
spec:
allow:
logins:
- '{{internal.logins}}'
...
options:
# require authenticated device check for this role
+ device_trust_mode: "required" # add this line
...
deny:
...

```

Save your edits.

Now that the `access` role is configured with device mode "required", users with
this role will be enforced with Device Trust.
</Details>

Once the above prerequisites are met, begin with the following step.

## Step 1/2. Update user profile to enforce Device Trust
Expand Down Expand Up @@ -145,12 +105,12 @@ $ tsh device enroll --current-device
Device "(=devicetrust.asset_tag=)"/macOS registered and enrolled
```

<Admonition type="tip" title="self enrollment: v13.3.5+">
The `--current-device` flag tells `tsh` to enroll current device. User must have the preset `editor`
<Admonition type="tip" title="self enrollment">
The `--current-device` flag tells `tsh` to enroll the current device. The user must have the preset `editor`
or `device-admin` role to be able to self-enroll their device. For users without the `editor` or
`device-admin` roles, an enrollment token must be generated by a device admin, which can then be
`device-admin` roles, a device admin must generate the an enrollment token, which can then be
used to enroll the device. Learn more about manual device enrollment in the
[device management guide](./device-management.mdx#register-a-trusted-device)
[device management guide](./device-management.mdx#register-a-trusted-device).
</Admonition>

Relogin to fetch updated certificate with device extension:
Expand Down
12 changes: 4 additions & 8 deletions docs/pages/admin-guides/access-controls/guides/headless.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
- Machines for Headless WebAuthn activities have [Linux](../../../installation.mdx), [macOS](../../../installation.mdx) or [Windows](../../../installation.mdx) `tsh` binary installed.
- Machines used to approve Headless WebAuthn requests have a Web browser with [WebAuthn support](
https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/) or `tsh` binary installed.
- Optional: Teleport Connect v13.3.1+ for [seamless Headless WebAuthn approval](#optional-teleport-connect).
- Optional: Teleport Connect for [seamless Headless WebAuthn approval](#optional-teleport-connect).

Check failure on line 34 in docs/pages/admin-guides/access-controls/guides/headless.mdx

View workflow job for this annotation

GitHub Actions / Lint docs prose style

[vale] reported by reviewdog 🐶 [messaging.subjective-terms] Avoid using 'seamless' as a qualifier, since it is subject to interpretation. Use more technically precise terms instead. Raw Output: {"message": "[messaging.subjective-terms] Avoid using 'seamless' as a qualifier, since it is subject to interpretation. Use more technically precise terms instead.", "location": {"path": "docs/pages/admin-guides/access-controls/guides/headless.mdx", "range": {"start": {"line": 34, "column": 35}}}, "severity": "ERROR"}

## Step 1/3. Configuration

Expand Down Expand Up @@ -169,9 +169,9 @@

## Optional: Teleport Connect

Teleport Connect v13.3.1+ can also be used to approve Headless WebAuthn logins.
Teleport Connect will automatically detect the Headless WebAuthn login attempt
and allow you to approve or cancel the request.
Teleport Connect can also be used to approve Headless WebAuthn logins. Teleport
Connect will automatically detect the Headless WebAuthn login attempt and allow
you to approve or cancel the request.

<Figure width="700">
![Headless Confirmation](../../../../img/headless/confirmation.png)
Expand All @@ -183,10 +183,6 @@
![Headless WebAuthn Approval](../../../../img/headless/approval.png)
</Figure>

<Notice type="note">
This also requires a v13.3.1+ Teleport Auth Service.
</Notice>

## Troubleshooting

### "WARN: Failed to lock system memory for headless login: ..."
Expand Down
4 changes: 2 additions & 2 deletions docs/pages/admin-guides/access-controls/guides/webauthn.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -246,8 +246,8 @@ The `tctl` tool is used to manage the device inventory. A device admin is
responsible for managing devices, adding new devices to the inventory and
removing devices that are no longer in use.

<Admonition type="tip" title="Self enrollment: v13.3.5+">
Users with the preset `editor` or `device-admin` role (since v13.3.6)
<Admonition type="tip" title="Self enrollment">
Users with the preset `editor` or `device-admin` role
can register and enroll their device in a single step with the following command:
```code
$ tsh device enroll --current-device
Expand Down
16 changes: 7 additions & 9 deletions docs/pages/admin-guides/access-controls/sso/oidc.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,6 @@ policies like:
(!docs/pages/includes/commercial-prereqs-tabs.mdx!)

- (!docs/pages/includes/tctl.mdx!)
- To control the maximum age of users' sessions before they will be forced to
reauthenticate, your Teleport cluster must be on version 13.3.7 or above.

## Identity Providers

Expand Down Expand Up @@ -197,13 +195,13 @@ spec:

### Optional: Max age

Teleport has supported setting the `max_age` field since version 13.3.7 to control the
maximum age of users' sessions before they will be forced to reauthenticate. By
default `max_age` is unset, meaning once a user authenticates using OIDC they will
not have to reauthenticate unless the configured OIDC provider forces them to. This
can be set to a duration of time to force users to reauthenticate more often. If
`max_age` is set to zero seconds, users will be forced to reauthenticate with their
OIDC provider every time they authenticate with Teleport.
The `max_age` field controls the maximum age of users' sessions before they will
be forced to reauthenticate. By default `max_age` is unset, meaning once a user
authenticates using OIDC they will not have to reauthenticate unless the
configured OIDC provider forces them to. This can be set to a duration of time
to force users to reauthenticate more often. If `max_age` is set to zero
seconds, users will be forced to reauthenticate with their OIDC provider every
time they authenticate with Teleport.

Note that the specified duration must be in whole seconds. `24h` works because that's
the same as `1440s`, but `60s500ms` would not be allowed as that is 60.5 seconds.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,6 @@ You should be aware of these potential limitations and differences when using La
that it terminate all inbound TLS traffic itself on the Teleport proxy. This is not directly possible when using
a Layer 7 load balancer, so the `tsh` client implements this flow itself
[using ALPN connection upgrades](../../../reference/architecture/tls-routing.mdx).
- The use of Teleport and `tsh` v13 or higher is required.

<Admonition type="warning">
Using ACM with an ALB also requires that your cluster has a fully functional installation of the AWS Load Balancer
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,8 @@ the Teleport cluster.

Teleport (= db_client_ca.released_version.v15 =) introduced the `db_client` CA
to split the responsibilities of the Teleport `db` CA, which was acting as both
host and client CA for Teleport self-hosted database access.
The `db_client` CA was also added as a patch in Teleport
(= db_client_ca.released_version.v13 =) and
(= db_client_ca.released_version.v14 =).
host and client CA for Teleport self-hosted database access. The `db_client` CA
was also added as a patch in Teleport (= db_client_ca.released_version.v14 =).

The `db` and `db_client` CAs were both introduced as an automatic migration
that occurs after upgrading Teleport.
Expand Down Expand Up @@ -113,8 +111,7 @@ However, for defense in depth, these databases should only mTLS handshake with
a client that presents a `db_client` CA-issued certificate.

If your Teleport cluster was upgraded to Teleport
\>=(= db_client_ca.released_version.v13 =),
\>=(= db_client_ca.released_version.v14 =), or
\>=(= db_client_ca.released_version.v14 =) or
\>=(= db_client_ca.released_version.v15 =),
then you should ensure that you have completed the `db_client` migration.
To complete the `db_client` CA migration:
Expand Down Expand Up @@ -144,8 +141,7 @@ and you have not rotated *both* your `host` and `db` CAs at least once since
upgrading, then you should complete the `db` CA migration.

If you upgraded an existing cluster to Teleport
\>=(= db_client_ca.released_version.v13 =),
\>=(= db_client_ca.released_version.v14 =), or
\>=(= db_client_ca.released_version.v14 =) or
\>=(= db_client_ca.released_version.v15 =)
and you have not rotated *both* your
`db` and `db_client` CAs at least once since upgrading, then you should complete
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ description: Configure automatic user provisioning for PostgreSQL.

## Prerequisites

- Teleport cluster v13.1 or above with a configured [self-hosted
- Teleport cluster with a configured [self-hosted
PostgreSQL](../enroll-self-hosted-databases/postgres-self-hosted.mdx) or [RDS
PostgreSQL](../enroll-aws-databases/rds.mdx) database. To configure
permissions for database objects like tables, your cluster must be on version
Expand Down
5 changes: 2 additions & 3 deletions docs/pages/includes/database-access/split-db-ca-details.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,8 @@ needs to have a long-lived certificate issued by another CA that its peer node
trusts.

The split `db` and `db_client` CA architecture was introduced as a security fix
in Teleport versions:
(= db_client_ca.released_version.v13 =),
(= db_client_ca.released_version.v14 =), and
in Teleport versions
(= db_client_ca.released_version.v14 =) and
(= db_client_ca.released_version.v15 =).

See
Expand Down
2 changes: 1 addition & 1 deletion docs/pages/includes/device-trust/prereqs.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
- To enroll a Windows device, you need:
- A device with TPM 2.0.
- A user with administrator privileges. This is only required during enrollment.
- `tsh` v13.1.2 or newer. [Download the Windows tsh installer](../../installation.mdx#windows-tsh-and-tctl-clients-only).
- The `tsh` client. [Download the Windows tsh installer](../../installation.mdx#windows-tsh-and-tctl-clients-only).
- To enroll a Linux device, you need:
- A device with TPM 2.0.
- A user with permissions to use the /dev/tpmrm0 device (typically done by
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1112,11 +1112,8 @@ For this reason, it is strongly discouraged to set a custom image when using
automatic updates. Teleport Cloud uses automatic updates by default.
</Admonition>

Since version 13, hardened distroless images are used by default. You can use
the deprecated debian-based images by setting the value to
`public.ecr.aws/gravitational/teleport`. Those images will be removed with
teleport 15.

By default, the image contains only the Teleport application and its runtime
dependencies, and does not contain a shell.
This setting only takes effect when [`enterprise`](#enterprise) is `false`.
When running an enterprise version, you must use
[`enterpriseImage`](#enterpriseImage) instead.
Expand All @@ -1142,11 +1139,8 @@ Teleport-published image.
using automatic updates. Teleport Cloud uses automatic updates by default.
</Admonition>

Since version 13, hardened distroless images are used by default.
You can use the deprecated debian-based images by setting the value to
`public.ecr.aws/gravitational/teleport-ent`. Those images will be
removed with teleport 15.

By default, the image contains only the Teleport application and its runtime
dependencies, and does not contain a shell.
This setting only takes effect when [`enterprise`](#enterprise) is `true`.
When running an enterprise version, you must use [`image`](#image) instead.

Expand Down
15 changes: 0 additions & 15 deletions docs/pages/reference/access-controls/login-rules.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -584,11 +584,6 @@ Expression | Result

### `strings.split`

<Admonition type="note">
The `strings.split` helper was introduced in Teleport v13.3.0. All Auth Service
instances must be running this version or greater before it can be used.
</Admonition>

#### Signature

```go
Expand Down Expand Up @@ -625,11 +620,6 @@ Expression | Result

### `email.local`

<Admonition type="note">
The `email.local` helper was introduced in Teleport v13.3.0. All Auth Service instances
must be running this version or greater before it can be used.
</Admonition>

#### Signature

```go
Expand Down Expand Up @@ -661,11 +651,6 @@ Expression | Result

### `regexp.replace`

<Admonition type="note">
The `regexp.replace` helper was introduced in Teleport v13.3.0. All Auth Service instances
must be running this version or greater before it can be used.
</Admonition>

#### Signature

```go
Expand Down
7 changes: 0 additions & 7 deletions docs/pages/reference/access-controls/roles.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -188,13 +188,6 @@ spec:

### Label expressions

<Admonition type="warning">
Label expressions are available starting in Teleport version `13.1.1`.
All components of your Teleport cluster must be upgraded to version `13.1.1`
or newer before you will be able to use label expressions.
This includes the Auth Service and **all** Teleport agents.
</Admonition>

Teleport roles also support matching resource labels with predicate expressions
when you need to:

Expand Down
7 changes: 0 additions & 7 deletions docs/pages/reference/predicate-language.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -76,13 +76,6 @@ See some [examples](cli/cli.mdx) of the different ways you can filter resources.

## Label expressions

<Admonition type="warning">
Label expressions are available starting in Teleport version `13.1.1`.
All components of your Teleport cluster must be upgraded to version `13.1.1`
or newer before you will be able to use label expressions.
This includes the Auth Service and **all** Teleport agents.
</Admonition>

Label expressions can be used in Teleport roles to define access to resources
with custom logic.
Check out the Access Controls
Expand Down
16 changes: 6 additions & 10 deletions examples/chart/teleport-cluster/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -568,17 +568,13 @@ tls:
# Values that you shouldn't need to change.
##################################################

# Container image for the cluster.
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport`. Those images will be
# removed with teleport 14.
# Container image for the cluster. By default, the image contains only the
# Teleport application and its runtime dependencies, and does not contain a
# shell.
image: public.ecr.aws/gravitational/teleport-distroless
# Enterprise version of the image
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
# removed with teleport 14.
# Enterprise version of the image. By default, the image contains only the
# Teleport application and its runtime dependencies, and does not contain a
# shell.
enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
# Optional array of imagePullSecrets, to use when pulling from a private registry
imagePullSecrets: []
Expand Down
14 changes: 4 additions & 10 deletions examples/chart/teleport-kube-agent/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -881,11 +881,8 @@ adminClusterRoleBinding:
# automatic updates. Teleport Cloud uses automatic updates by default.
# </Admonition>
#
# Since version 13, hardened distroless images are used by default. You can use
# the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport`. Those images will be removed with
# teleport 15.
#
# By default, the image contains only the Teleport application and its runtime
# dependencies, and does not contain a shell.
# This setting only takes effect when [`enterprise`](#enterprise) is `false`.
# When running an enterprise version, you must use
# [`enterpriseImage`](#enterpriseImage) instead.
Expand All @@ -906,11 +903,8 @@ image: public.ecr.aws/gravitational/teleport-distroless
# using automatic updates. Teleport Cloud uses automatic updates by default.
# </Admonition>
#
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
# removed with teleport 15.
#
# By default, the image contains only the Teleport application and its runtime
# dependencies, and does not contain a shell.
# This setting only takes effect when [`enterprise`](#enterprise) is `true`.
# When running an enterprise version, you must use [`image`](#image) instead.
enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
Expand Down
Loading