
Opened in error #14382

Closed
wants to merge 156 commits into from

Conversation

webvictim
Contributor

strideynet and others added 30 commits June 15, 2022 15:25
…w/ no cfg (#13515)

* fix CA rotation watcher not starting when database svc enabled w/ no cfg

* move shouldInitDatabase test to db_test.go and t.Parallel()
926cf19e setup project to run prettier (gravitational/webapps#886) gravitational/webapps@926cf19e

[source: -w teleport-v10] [target: -t branch/v10]
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
#13532) (#13540)

Switch from `make release-amd64` to make release-windows in Drone builds, making
release builds similar to "regular" builds (that already use
`make release-windows-unsigned`).

Fixes current woes caused by FIDO2=yes in Windows release builds. (Note that
ARCH is implied by the build.)

* Use `make release-windows` on Drone, make it similar to `make release`
* Update .drone.yaml
#13573)

* Support configuration `teleport.join_params.join_method` "token"

* support loading token name from file

* update tests

* update documentation for AuthToken to hint towards deprecation
Adds a `trace.Tracer` to the `cache.Cache` so
that all operations can be traced. Also, updates
the `utils.FnCache` to link the `context.Context`
passed to the loadFn to any current spans. This
will allow any fetches made by the `FnCache` to
be associated with the call that led to loading.

Note: There are a few methods in the `auth.Cache`
interface which do not take a `context.Context`.
For the time being all spans for these calls use
a `context.TODO` and will be updated in the future,
where the changes can be made on a per method basis.
Newer versions of Rust increase our minimum GLIBC requirement,
which is not acceptable at this time.
Recent Rust dependency upgrades include a newer version of prost.
This new version no longer ships embedded protoc binaries, and
instead tries to build protoc from source. This would require us
to install cmake on our buildboxes. We want to avoid this and
instead leverage the version of protoc already installed.

This change was made to the standard buildbox, but the CentOS 7
buildbox was missed.

Additionally, I noticed that Rust was installed in
Dockerfile-centos7-fips, but not in Dockerfile-fips, which means
the FIPS binaries have different functionality depending on which
version you use. To correct this, I removed Rust from the CentOS 7
FIPS builds (since the Rust features are not FIPS compliant anyway).

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
a1bfa577 Update e-ref: fix for search based request list total count bug (gravitational/webapps#896) gravitational/webapps@a1bfa577

[source: -w teleport-v10] [target: -t branch/v10]
This passes along the connected proxy ids for kube access, fixing
connecting to a kube agent through a peer proxy.
Prevent the filesessions uploader from writing to disk by using
a sync recording mode with a discard emitter.

Fixes #13565
…rning to debug (#13649)

* Dont log `teleport-service` group not found

* Use debug instead of warn for user creation at config time
* TDP Shared Directory Announce and Acknowledge (#12405)

* RDP <--> TDP Translation Architecture (#12615)
This change adds a more useful error message for EC2 labels when tags aren't available in EC2 instance metadata. It also adds a cleaner fallback for when individual tag values can't be fetched.
Fix Teleport welcome screen image

The Linux Server getting started guide shows the wrong screenshot
when referring to the Teleport welcome screen. This change uses
a screenshot of the view an unauthenticated user would see when
first visiting the Web UI.
…lan (#13743)

Return an already exists error if the user was found but service group was not
ptgott and others added 10 commits July 11, 2022 15:41
Move Helm deployment guides

Backports #13105

See #12654

The Kubernetes Access section includes guides for using the Kubernetes
Service as well as guides for running the Auth and Proxy Service on
Kubernetes. This is misleading, since (a) you can run the Auth/Proxy
on Kubernetes without using Kubernetes Access and (b) you can use
Kubernetes Access without running the Auth/Proxy on Kubernetes.

This change focuses on our Helm deployment guides. These guides
are not related to the Kubernetes Service, but rather to deploying
the Auth Service and Proxy Service on Kubernetes. I've suggested
moving these guides to a /setup/helm-deployments section for visibility.
* Fix http proxy basic auth (#13140)

* Fix http proxy basic auth

* Update docs about HTTP CONNECT env var formats

* Fix build errors
#14342)

* Prevent forwarding traces to servers which don't support tracing

Tracing clients can detect if a server doesn't support tracing by
checking for a trace.NotImplemented error in response to an
UploadTraces request. Since the grpc.Conn used by the client is
likely to be bound to that server for the duration of its life,
it doesn't make sense to keep trying to forward traces. Instead
the client now remembers that a server doesn't support tracing
and will drop any spans.

Part of #12241
…4183)

* Make it possible to test gateway opening/closing in Connect

Open() and Close() used to not return any error and Open() used to start
the gateway in a goroutine, making it rather hard to write tests for it.

This commit makes it so that Open() and Close() return errors and Open()
blocks.

Adjustments have been made to other places in lib/teleterm to account
for that missing goroutine and returned errors.

* Close httptest server in alpnproxy/local_proxy_test.go

While writing tests for the gateways, I was relying heavily on tests for
the local proxy. I noticed that it starts the server but doesn't close it
so I added an appropriate call to the cleanup function.
Address the following FIDO2 issues:

1. Retry assertions without UV if UV=true if the PIN is set
2. Correctly handle single account responses from authenticators

1 happens in the wild and the fix is confirmed. The fix is based on the fact
that the authenticator will set the UV bit in the resulting assertion when the
PIN is present, regardless of us asking for it. We do need the UV bit to clear
server-side validation; that hasn't changed.

2 was a misunderstanding on my part; the spec doesn't require authenticators to
return user names for single account responses, which they effectively don't. In
practical terms we are unable to guarantee the `--user` flag for single account
scenarios, but not failing seems better than failing. See the
[authenticatorGetAssertion response][1], user member.

[1]: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorgetassertion-response-structure

Backport #14198 to branch/v10

* Add tests for UV failure and single account
* Correctly handle single account responses
* Retry without UV if a PIN is set
Correct network_restrictions resource version in docs
Remove refetching from resourceWatcher

The resourceWatcher is meant to be a long lived way for a component
to receive events about a particular resource from an upstream cache.
However, there was a refetching mechanism that would cause a healthy
and subscribed watcher to be closed, the resourceWatcher to fetch all
the resource types it is watching from the upstream cache and to create a
new watcher **every 10 minutes**. This causes unneeded load on
the upstream cache and also eats up network bandwidth.

This removes the refetching behavior entirely to ensure watchers
aren't unnecessarily closed. The change should be transparent to
users of the resourceWatcher, but should noticeably reduce both
the number of init events being emitted throughout a cluster
and the number of cache reads.

Fixes #14234
PuTTY uses its own keypair format which has the extension .ppk on Windows, hence PPK.
The specification for the file format is here: https://the.earth.li/~sgtatham/putty/0.76/htmldoc/AppendixC.html#ppk
@webvictim webvictim changed the title gus/v10/backport tsh putty Opened in error Jul 12, 2022
@github-actions github-actions bot added audit-log Issues related to Teleports Audit Log database-access Database access related issues and PRs desktop-access documentation helm labels Jul 12, 2022
@webvictim webvictim closed this Jul 12, 2022
@github-actions github-actions bot added kubernetes machine-id rdp rfd Request for Discussion tctl tctl - Teleport admin tool tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Jul 12, 2022
@github-actions

@webvictim - this PR is large and will require admin approval to merge. Consider breaking it up into a series of smaller changes.

