Opened in error

.cloudbuild/ci/doc-tests.yaml

@@ -1,5 +1,5 @@
 steps:
-  - name: quay.io/gravitational/next:main
+  - name: quay.io/gravitational/docs:latest
     id: docs-test
     entrypoint: /bin/bash
     dir: /src

.cloudbuild/ci/integration-tests.yaml

@@ -1,7 +1,8 @@
 timeout: 25m
 
 options:
-  machineType: E2_HIGHCPU_32
+  pool:
+    name: projects/ci-account/locations/us-west1/workerPools/high-cpu-pool
 
   # This build needs to run in environments where the _GITHUB_DEPLOY_KEY_SRC
   # substitution is defined, but also environments where it isn't. The

.cloudbuild/ci/lint.yaml

@@ -3,4 +3,6 @@ steps:
     id: lint
     args: ['make', 'lint']
 options:
-  machineType: 'E2_HIGHCPU_32'
+  pool:
+    name: projects/ci-account/locations/us-west1/workerPools/high-cpu-pool
+

.cloudbuild/ci/unit-tests.yaml

@@ -1,7 +1,8 @@
 timeout: 25m
 
 options:
-  machineType: E2_HIGHCPU_32
+  pool:
+    name: projects/ci-account/locations/us-west1/workerPools/high-cpu-pool
 
   # This build needs to run in environments where the _GITHUB_DEPLOY_KEY_SRC
   # substitution is defined, but also environments where it isn't. The

.drone.yml

@@ -90,7 +90,7 @@ steps:
   - apk add --no-cache make
   - chown -R $UID:$GID /go
   - cd /go/src/github.com/gravitational/teleport
-  - make -C build.assets release-amd64
+  - make -C build.assets release-amd64-centos7
   environment:
     ARCH: amd64
     GID: "1000"
@@ -299,7 +299,7 @@ steps:
   - chown -R $UID:$GID /go
   - cd /go/src/github.com/gravitational/teleport
   - export VERSION=$(cat /go/.version.txt)
-  - make -C build.assets release-amd64-fips
+  - make -C build.assets release-amd64-centos7-fips
   environment:
     ARCH: amd64
     FIPS: "yes"
@@ -1464,7 +1464,7 @@ steps:
   - apk add --no-cache make
   - chown -R $UID:$GID /go
   - cd /go/src/github.com/gravitational/teleport
-  - make -C build.assets release-amd64
+  - make -C build.assets release-amd64-centos7
   environment:
     ARCH: amd64
     GID: "1000"
@@ -1619,7 +1619,7 @@ steps:
   - chown -R $UID:$GID /go
   - cd /go/src/github.com/gravitational/teleport
   - export VERSION=$(cat /go/.version.txt)
-  - make -C build.assets release-amd64-fips
+  - make -C build.assets release-amd64-centos7-fips
   environment:
     ARCH: amd64
     FIPS: "yes"
@@ -4585,7 +4585,7 @@ steps:
   - chown -R $UID:$GID /go
   - cd /go/src/github.com/gravitational/teleport
   - echo -n "$WINDOWS_SIGNING_CERT" | base64 -d > windows-signing-cert.pfx
-  - make -C build.assets release-amd64
+  - make -C build.assets release-windows
   - rm -f windows-signing-cert.pfx
   environment:
     ARCH: amd64
@@ -5614,6 +5614,6 @@ volumes:
       name: drone-s3-debrepo-pvc
 ---
 kind: signature
-hmac: 5acd82e991fc974378ec84b0265df412875f0c349000a6c92720b39287639ac8
+hmac: 34263b8b17bde404ec85a7f09a6edd6679664c70a6ce53c66e6e3104a94212f4
 
 ...

CHANGELOG.md

@@ -2,13 +2,213 @@
 
 ## 10.0.0
 
-Teleport 10.0 is a major release of Teleport that contains new features, improvements, and bug fixes.
+Teleport 10 is a major release that brings the following new features.
 
-### Breaking Changes
+Platform:
+
+* Passwordless (Preview)
+* Resource Access Requests (Preview)
+* Proxy Peering (Preview)
+
+Server Access:
+
+* IP-Based Restrictions (Preview)
+* Automatic User Provisioning (Preview)
+
+Database Access:
+
+* Audit Logging for Microsoft SQL Server Database Access
+* Snowflake Database Access (Preview)
+* ElastiCache/MemoryDB Database Access (Preview)
+
+Teleport Connect:
+
+* Teleport Connect for Server and Database Access (Preview)
+
+Machine ID:
+
+* Machine ID Database Access Support (Preview)
+
+### Passwordless (Preview)
+
+Teleport 10 introduces passwordless support to your clusters. To use passwordless
+users may register a security key with resident credentials or use a built-in
+authenticator, like Touch ID.
+
+See https://goteleport.com/docs/access-controls/guides/passwordless/.
+
+### Resource Access Requests (Preview)
+
+Teleport 10 expands just-in-time access requests to allow for requesting access
+to specific resources. This lets you grant users the least privileged access
+needed for their workflows.
+
+Just-in-time access requests are only available in Teleport Enterprise Edition.
+
+### Proxy Peering (Preview)
+
+Proxy peering enables Teleport deployments to scale without an increase in load
+from the number of agent connections. This is accomplished by allowing Proxy
+Services to tunnel client connections to the desired agent through a neighboring
+proxy and decoupling the number of agent connections from the number of Proxies.
+
+Proxy peering can be enabled with the following configurations:
+
+```yaml
+auth_service:
+  tunnel_strategy:
+    type: proxy_peering
+    agent_connection_count: 1
+```
+
+```yaml
+proxy_service:
+  peer_listen_addr: 0.0.0.0:3021
+```
+
+Network connectivity between proxy servers to the `peer_listen_addr` is required
+for this feature to work.
+
+Proxy peering is only available in Teleport Enterprise Edition.
+
+### IP-Based Restrictions (Preview)
+
+Teleport 10 introduces a new role option to pin the source IP in SSH
+certificates. When enabled, the source IP that was used to request certificates
+is embedded in the certificate, and SSH servers will reject connection attempts
+from other IPs. This protects against attacks where valid credentials are
+exfiltrated from disk and copied out into other environments.
+
+IP-based restrictions are only available in Teleport Enterprise Edition.
+
+### Automatic User Provisioning (Preview)
+
+Teleport 10 can be configured to automatically create Linux host users upon
+login without having to use Teleport's PAM integration. Users can be added to specific
+Linux groups and assigned appropriate “sudoer” privileges.
+
+To learn more about configuring automatic user provisioning read the guide:
+https://goteleport.com/docs/server-access/guides/host-user-creation/.
+
+### Audit Logging for Microsoft SQL Server Database Access
+
+Teleport 9 introduced a preview of Database Access support for Microsoft SQL
+Server which didn’t include audit logging of user queries. Teleport 10 captures
+users' queries and prepared statements and sends them to the audit log, similarly
+to other supported database protocols.
+
+Teleport Database Access for SQL Server remains in Preview mode with more UX
+improvements coming in future releases.
+
+Refer to the guide to set up access to a SQL Server with Active Directory
+authentication: https://goteleport.com/docs/database-access/guides/sql-server-ad/.
+
+### Snowflake Database Access (Preview)
+
+Teleport 10 brings support for Snowflake to Database Access. Administrators can
+set up access to Snowflake databases through Teleport for their users with
+standard Database Access features like role-based access control and audit
+logging, including query activity.
+
+Connect your Snowflake database to Teleport following this guide:
+https://goteleport.com/docs/database-access/guides/snowflake/.
+
+### Elasticache/MemoryDB Database Access (Preview)
+
+Teleport 9 added Redis protocol support to Database Access. Teleport 10 improves
+this integration by adding native support for AWS-hosted Elasticache and
+MemoryDB, including auto-discovery and automatic credential management in some
+deployment configurations.
+
+Learn more about it in this guide:
+https://goteleport.com/docs/database-access/guides/redis-aws/.
+
+### Teleport Connect for Server and Database Access (Preview)
+
+Teleport Connect is a graphical macOS application that simplifies access to your
+Teleport resources. Teleport Connect 10 supports Server Access and Database Access.
+Other protocols and Windows support are coming in a future release.
+
+Get Teleport Connect installer from the macOS tab on the downloads page:
+https://goteleport.com/download/.
+
+### Machine ID Database Access Support (Preview)
+
+In Teleport 10 we’ve added Database Access support to Machine ID. Applications
+can use Machine ID to access databases protected by Teleport.
+
+You can find Machine ID guide for database access in the documentation:
+https://goteleport.com/docs/machine-id/guides/databases/.
+
+### Breaking changes
+
+Please familiarize yourself with the following potentially disruptive changes in
+Teleport 10 before upgrading.
+
+#### Auth Service version check
+
+Teleport 10 agents will now refuse to start if they detect that the Auth Service
+is more than one major version behind them. You can use the `--skip-version-check` flag to
+bypass the version check.
+
+Take a look at component compatibility guarantees in the documentation:
+https://goteleport.com/docs/setup/operations/upgrading/#component-compatibility.
+
+#### HTTP_PROXY for reverse tunnels
+
+Reverse tunnel connections will now respect `HTTP_PROXY` environment variables.
+This may result in reverse tunnel agents not being able to re-establish
+connections if the HTTP proxy is set in their environment and does not allow
+connections to the Teleport Proxy Service.
+
+Refer to the following documentation section for more details:
+https://goteleport.com/docs/setup/reference/networking/#http-connect-proxies.
+
+#### New APT repos
+
+With Teleport 10 we’ve migrated to new APT repositories that now support
+multiple release channels, Teleport versions and OS distributions. The new
+repositories have been backfilled with Teleport versions starting from 6.2.31
+and we recommend upgrading to them. The old repositories will be maintained for
+the foreseeable future.
+
+See updated installation instructions:
+https://goteleport.com/docs/server-access/getting-started/#step-14-install-teleport-on-your-linux-host.
+
+#### Removed “tctl access ls”
+
+The `tctl access ls` command that returned information about user server access
+within the cluster was removed. Please use a previous `tctl` version if you’d like
+to keep using it.
 
 #### Relaxed session join permissions
 
-In previous versions of Teleport users need full access to the node/Kubernetes pod in order to join a session. With Teleport 10.0 we have relaxed this requirement. Joining sessions remains deny-by-default as of Teleport 9.0 but now only `join_policy` statements as described in the [Moderated Sessions Guide](https://goteleport.com/docs/access-controls/guides/moderated-sessions/) are checked for session join RBAC.
+In previous versions of Teleport users needed full access to a Node/Kubernetes
+pod in order to join a session. Teleport 10 relaxes this requirement. Joining
+sessions remains deny-by-default but now only `join_policy` statements are
+checked for session join RBAC.
+
+See the Moderated Sessions guide for more details:
+https://goteleport.com/docs/access-controls/guides/moderated-sessions/.
+
+#### GitHub connectors
+
+The GitHub authentication connector’s `teams_to_logins` field is deprecated in favor of the new
+`teams_to_roles` field. The old field will be removed in a future release.
+
+#### Teleport FIPS AWS endpoints
+
+Teleport 10 will now automatically use FIPS endpoints for AWS S3 and DynamoDB
+when started with the `--fips` flag. You can use the `use_fips_endpoint=false`
+connection endpoint option to use regular endpoints for Teleport in FIPS mode,
+for example:
+
+```
+s3://bucket/path?region=us-east-1&use_fips_endpoint=false
+```
+
+See the S3/DynamoDB backends documentation for more information:
+https://goteleport.com/docs/setup/reference/backends/#s3.
 
 ## 8.0.0
 
@@ -242,11 +442,11 @@ Kubernetes Access will no longer automatically register a cluster named after th
 
 Teleport 6.2 contains new features, improvements, and bug fixes.
 
-**Note:** the DynamoDB migration described [below](#dynamodb-indexing-change)
-may cause rate-limiting errors from AWS APIs and is slow on large deployments
-(1000+ existing audit events). The next patch release, v6.2.1, will improve the
-migration performance. If you run a large DynamoDB-based cluster, we advise you
-to wait for v6.2.1 before upgrading.
+**Note:** the DynamoDB indexing change described below may cause rate-limiting
+errors from AWS APIs and is slow on large deployments (1000+ existing audit
+events). The next patch release, v6.2.1, will improve the migration performance.
+If you run a large DynamoDB-based cluster, we advise you to wait for v6.2.1
+before upgrading.
 
 ### New Features
 
@@ -417,7 +617,7 @@ To learn more about configuring role-based access control for Database Access, c
 
 See [Reference](https://goteleport.com/teleport/docs/database-access/reference/) for an overview of Database Access related configuration and CLI commands.
 
-Finally, check out [Frequently Asked Questions](./database-access/faq.mdx).
+Finally, check out [Frequently Asked Questions](docs/pages/database-access/faq.mdx).
 
 #### OSS RBAC
 
@@ -1192,18 +1392,18 @@ This is a minor Teleport release with a focus on new features and bug fixes.
 ### Improvements
 
 * Alpha: Enhanced Session Recording lets you know what's really happening during a Teleport Session. [#2948](https://github.com/gravitational/teleport/issues/2948)
-* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](./enterprise/workflow). [#3006](https://github.com/gravitational/teleport/issues/3006)
-* Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. [Read the docs](./setup/deployments/gcp.mdx). [#2821](https://github.com/gravitational/teleport/pull/2821)
-* Remote tctl execution is now possible. [Read the docs](./setup/reference/cli.mdx#tctl). [#1525](https://github.com/gravitational/teleport/issues/1525) [#2991](https://github.com/gravitational/teleport/issues/2991)
+* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](./docs/pages/enterprise/workflow). [#3006](https://github.com/gravitational/teleport/issues/3006)
+* Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. [Read the docs](./docs/pages/setup/deployments/gcp.mdx). [#2821](https://github.com/gravitational/teleport/pull/2821)
+* Remote tctl execution is now possible. [Read the docs](./docs/pages/setup/reference/cli.mdx#tctl). [#1525](https://github.com/gravitational/teleport/issues/1525) [#2991](https://github.com/gravitational/teleport/issues/2991)
 
 ### Fixes
 
 * Fixed issue in socks4 when rendering remote address [#3110](https://github.com/gravitational/teleport/issues/3110)
 
 ### Documentation
 
-* Adopting root/leaf terminology for trusted clusters. [Trusted cluster documentation](./setup/admin/trustedclusters.mdx).
-* Documented Teleport FedRAMP & FIPS Support. [FedRAMP & FIPS documentation](./enterprise/fedramp.mdx).
+* Adopting root/leaf terminology for trusted clusters. [Trusted cluster documentation](./docs/pages/setup/admin/trustedclusters.mdx).
+* Documented Teleport FedRAMP & FIPS Support. [FedRAMP & FIPS documentation](./docs/pages/enterprise/fedramp.mdx).
 
 ## 4.1.11
 
@@ -1434,7 +1634,7 @@ With this release of Teleport, we have built out the foundation to help Teleport
 
 ### Improvements
 
-* Teleport now support 10,000 remote connections to a single Teleport cluster. [Using our recommend hardware setup.](./setup/operations/scaling.mdx#hardware-recommendations)
+* Teleport now support 10,000 remote connections to a single Teleport cluster. [Using our recommend hardware setup.](./docs/pages/setup/operations/scaling.mdx#hardware-recommendations)
 * Added ability to delete node using `tctl rm`. [#2685](https://github.com/gravitational/teleport/pull/2685)
 * Output of `tsh ls` is now sorted by node name. [#2534](https://github.com/gravitational/teleport/pull/2534)
 
@@ -1918,7 +2118,7 @@ available Teleport clusters with ease.
 #### Configuration Changes
 
 * Role templates (depreciated in Teleport 2.3) were fully removed. We recommend
-  migrating to role variables which are documented [here](./access-controls/guides/role-templates.mdx)
+  migrating to role variables which are documented [here](./docs/pages/access-controls/guides/role-templates.mdx)
 
 * Resource names (like roles, connectors, trusted clusters) can no longer
   contain unicode or other special characters. Update the names of all user