Remove TXT record validation of custom DNS zones in VNet #46709
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ravicious
commented
Sep 18, 2024
Comment on lines
-224
to
-242
| if !isSubdomain(fqdn, zone) { | ||
| // The queried app fqdn is not a subdomain of this zone, skip it. | ||
| continue | ||
| } | ||
|
|
||
| // Found a matching cluster. | ||
|
|
||
| if zone == clusterConfig.ProxyPublicAddr { | ||
| // We don't need to validate a custom DNS zone if this is the proxy public address, this is a | ||
| // normal app public_addr. | ||
| if isDescendantSubdomain(fqdn, zone) { | ||
| return clusterClient, nil | ||
| } | ||
| // The queried app fqdn is a subdomain of this custom zone. Check if the zone is valid. | ||
| if err := r.customDNSZoneChecker.validate(ctx, clusterConfig.ClusterName, zone); err != nil { | ||
| // Return an error here since the FQDN does match this custom zone, but the zone failed to | ||
| // validate. | ||
| return nil, trace.Wrap(err, "validating custom DNS zone %q matching queried FQDN %q", zone, fqdn) | ||
| } | ||
| return clusterClient, nil |
There was a problem hiding this comment.
This used to be basically "Given the FQDN of an app, if you find a matching custom DNS zone configured in the cluster, validate its TXT records and return the cluster client, unless it's a zone of the proxy service, then just skip the validation and return the client".
Now we do not care about the TXT records, so we just return the client if the FQDN on the app matches a zone for this cluster.
| // isDescendantSubdomain checks if appFQDN belongs in the hierarchy of zone. For example, both | ||
| // foo.bar.baz.example.com and bar.baz.example.com belong in the hierarchy of baz.example.com, but | ||
| // quux.example.com does not. | ||
| func isDescendantSubdomain(appFQDN, zone string) bool { |
There was a problem hiding this comment.
Renaming this as I was already confused by this in the past. For me "subdomain" means like a direct descendant, e.g. foo.example.com is a subdomain of example.com.
| }, | ||
| customDNSZones: []string{ | ||
| "myzone.example.com", | ||
| // This zone will not have a valid TXT record because it is not included in the | ||
| // customDNSZones passed to newTestPack. | ||
| "an.invalid.zone", |
There was a problem hiding this comment.
After removing the TXT record requirement, this custom domain becomes yet another custom DNS zone in use. It's not that much different in behavior to myzone.example.com above, so I just removed it.
github-actions
bot
requested review from
EdwardDowling,
mmcallister,
ptgott,
r0mant,
rosstimothy and
xinding33
|
🤖 Vercel preview here: https://docs-durw6959w-goteleport.vercel.app/docs/ver/preview |
ravicious
removed request for
r0mant,
mmcallister,
EdwardDowling,
xinding33,
ptgott and
rosstimothy
Co-authored-by: Nic Klaassen <nic@goteleport.com>
|
🤖 Vercel preview here: https://docs-98b0rr408-goteleport.vercel.app/docs/ver/preview |
rosstimothy
approved these changes
Sep 18, 2024
public-teleport-github-review-bot
bot
removed the request for review
from zmb3
zmb3
approved these changes
Sep 18, 2024
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
|
@ravicious See the table below for backport results.
|
mvbrock
pushed a commit
that referenced
this pull request
Sep 19, 2024
* Remove TXT record validation from custom DNS zones * Remove mentions of TXT records from docs * Outline in the RFD why domain verification was dropped * Update rfd/0163-vnet.md Co-authored-by: Nic Klaassen <nic@goteleport.com> --------- Co-authored-by: Nic Klaassen <nic@goteleport.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Sep 20, 2024
* Displaying mode and controls to additional participants * Moving SessionControlsInfoBroadcast over to kube/proxy * Transitioning to consistent proxy-emitted mode+controls * Moving message broadcast so new participant wont see it * Possible unit test fix (cant seem to test locally) * Fixed unit test * Adding a line break before messaging the participant * Linter errors * Emitting audit event and controls message for additional parties, i.e. not the session initiator * Revert "Emitting audit event and controls message for additional parties, i.e. not the session initiator" This reverts commit b66ad27. * Add User Tasks resource - protos (#46059) * Add User Integration Tasks resource - protos * add account id * move state to task instead of instance * rename from user integration task to user task * add instance id * Add notice to web UI that users arent equal to MAU (#46686) This adds a dismissible notice to the Users page for usage based billing users that notifies them that the user count here isn't an accurate reflection of MAU * Clarify TLS requirements in the Jira guide (#46484) Closes #45654 - Indicate that certificates for the Jira web server cannot be self signed. - Remove references to Caddy and a `Certificate` resource, which were left over from an attempted change to this guide that was not fully completed. * Remove TXT record validation of custom DNS zones in VNet (#46709) * Remove TXT record validation from custom DNS zones * Remove mentions of TXT records from docs * Outline in the RFD why domain verification was dropped * Update rfd/0163-vnet.md Co-authored-by: Nic Klaassen <nic@goteleport.com> --------- Co-authored-by: Nic Klaassen <nic@goteleport.com> * docs: mention the --days flag when executing an audit log query (#45764) * Update access-monitoring.mdx Include the default date range in the CLI example. This range is otherwise unclear and is hidden in the tctl audit help menu. * Update access-monitoring.mdx * Update docs/pages/admin-guides/access-controls/access-monitoring.mdx Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Remove access-graph path resolution, proxy `/enterprise` requests (#46541) * Remove `access-graph` path from tsconfig * Proxy /enterprise requested in dev * update e ref (#46726) * fix: tolerate mismatched key PEM headers (#46725) * fix: tolerate mismatched key PEM headers Issue #43381 introduced a regression where we now fail to parse PKCS8 encoded RSA private keys within an "RSA PRIVATE KEY" PEM block in some cases. This format is somewhat non-standard, usually PKCS8 data should be in a "PRIVATE KEY" PEM block. However, certain versions of OpenSSL and possibly even Teleport in specific cases have generated private keys in this format. This commit updates ParsePrivateKey and ParsePublicKey to be more tolerant of PKCS8, PKCS1, or PKIX key data no matter which PEM header is used. Fixes #46710 changelog: fixed regression in private key parser to handle mismatched PEM headers * fix typo in comment Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> --------- Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> * Use dynamic base path for favicon images (#46719) * Add Datadog Incident Management plugin support (#46271) * Implement datadog plugin * Add unit tests * Add fallback recipient config * Rename to Datadog Incident Management * Update tests * Datadog Incident Management * Update tctl resource plugin command * Typos * Lint * Exclude api changes for now * Set channel size * Address feedback - Add PluginShutdownTimeout const - Support api endpoint configuration - Add additional godocs/comments * Comment about datadog client package * Document Datadog API types * Only post resolution message when the AR is resolved * Fix lint * Unused function --------- Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com> * Add AutoUpdate Client/Cache implementation (#46661) * Add AutoUpdate Client/Cache implementation * CR changes * Add permission for proxy to access resources * Rename all occurrences auto update to camelcase * Remove auto update client wrapper * Drop AutoUpdateServiceClient helper Rename comments for consistency * User Tasks: services and clients implementation (#46131) This PR adds the implementation for the User Tasks: - services (backend+cache) - clients (API + tctl) - light validation to set up the path for later PRs * expanding testplan for host user creation (#46729) * Fix operator docs reference generator bug (#46732) In the reference page for one Kubernetes operator resource, some Markdown links are malformed. The issue is that some fields of custom resource definitions used by the operator consist of arrays of anonymous objects with fields that are also objects. When creating docs based on these fields, the operator resource docs generator creates a malformed link reference. This change modifies the generator to replace any spaces with hyphens before outputting link references, causing the resulting internal links to work correctly. This change also does some light refactoring to remove an unnecessary `switch` statement. * [auto] Update AMI IDs for 16.4.0 (#46746) Co-authored-by: GitHub <noreply@github.com> * Remove deprecated HTTP RemoteCluster endpoints (#46756) * Remove deprecated HTTP RemoteCluster endpoints * Remove redundant test * Add `tbot` helm chart to `version.mk` (#46763) * Remove LockConfiguration.LockName (#46772) Cleans up the deprecated config option now that gravitational/teleport.e#5034 has been merged. * adding a reference to to the host user guide (#46765) * Replace more Logrus usage with Slog (#46757) * Remove logrus from lib/auth/machineid * Switch authclient.Config.Log and TunnelAuthDialerConfig.Log to Slog * Add *slog.Logger to auth.Server * Remove logrus usage in `lib/auth/access.go` * Replace logrus with slog in lib/auth/accountrecovery.go * Replace logrus with slog in `lib/auth/apiserver.go` * Add missing logger to auth.Server * Fix test * Update AWS roles ARNs displayed on `tsh app login` for AWS console apps (#44983) * feat(tsh): list aws console logins from server * chore(services): remove unified resources change This is being covered on another PR. * test(tsh): solve TestAzure flakiness by waiting using app servers are ready * fix(tsh): apps with logins were fallingback into using aws arns * refactor(client): use GetEnrichedResources * chore(client): rename function * refactor(tsh): directly resource lisiting for apps and reuse cluster client * chore(client): reset client changes * refactor(tsh): reuse cluster client for fetching allowed logins * chore(tsh): remove unused function param * refactor(tsh): update getApp retry with login * refactor(tsh): use a single function to grab profile and cluste client * refactor(tsh): perform retry with login at caller site * fix(tsh): close auth client * test(tsh): fix test failing due to login misconfiguration * test(tsh): fix lint errors * test(tsh): remove unused imports * bulk audit event export api (#46399) * Reverting back to using the emitSessionJoin boolean * Nits and removing a debug log --------- Co-authored-by: Marco Dinis <marco.dinis@goteleport.com> Co-authored-by: Michael <michael.myers@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: Nic Klaassen <nic@goteleport.com> Co-authored-by: Dan Johns <117299936+djohns7@users.noreply.github.com> Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Ryan Clark <ryan.clark@goteleport.com> Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> Co-authored-by: Bernard Kim <bernard@goteleport.com> Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com> Co-authored-by: Vadym Popov <vadym.popov@goteleport.com> Co-authored-by: Erik Tate <erik.tate@goteleport.com> Co-authored-by: teleport-post-release-automation[bot] <128860004+teleport-post-release-automation[bot]@users.noreply.github.com> Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Noah Stride <noah.stride@goteleport.com> Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> Co-authored-by: Gabriel Corado <gabriel.oliveira@goteleport.com> Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
mvbrock
added a commit
that referenced
this pull request
Sep 24, 2024
* Displaying mode and controls to additional participants * Moving SessionControlsInfoBroadcast over to kube/proxy * Transitioning to consistent proxy-emitted mode+controls * Moving message broadcast so new participant wont see it * Possible unit test fix (cant seem to test locally) * Fixed unit test * Adding a line break before messaging the participant * Linter errors * Emitting audit event and controls message for additional parties, i.e. not the session initiator * Revert "Emitting audit event and controls message for additional parties, i.e. not the session initiator" This reverts commit b66ad27. * Add User Tasks resource - protos (#46059) * Add User Integration Tasks resource - protos * add account id * move state to task instead of instance * rename from user integration task to user task * add instance id * Add notice to web UI that users arent equal to MAU (#46686) This adds a dismissible notice to the Users page for usage based billing users that notifies them that the user count here isn't an accurate reflection of MAU * Clarify TLS requirements in the Jira guide (#46484) Closes #45654 - Indicate that certificates for the Jira web server cannot be self signed. - Remove references to Caddy and a `Certificate` resource, which were left over from an attempted change to this guide that was not fully completed. * Remove TXT record validation of custom DNS zones in VNet (#46709) * Remove TXT record validation from custom DNS zones * Remove mentions of TXT records from docs * Outline in the RFD why domain verification was dropped * Update rfd/0163-vnet.md Co-authored-by: Nic Klaassen <nic@goteleport.com> --------- Co-authored-by: Nic Klaassen <nic@goteleport.com> * docs: mention the --days flag when executing an audit log query (#45764) * Update access-monitoring.mdx Include the default date range in the CLI example. This range is otherwise unclear and is hidden in the tctl audit help menu. * Update access-monitoring.mdx * Update docs/pages/admin-guides/access-controls/access-monitoring.mdx Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Remove access-graph path resolution, proxy `/enterprise` requests (#46541) * Remove `access-graph` path from tsconfig * Proxy /enterprise requested in dev * update e ref (#46726) * fix: tolerate mismatched key PEM headers (#46725) * fix: tolerate mismatched key PEM headers Issue #43381 introduced a regression where we now fail to parse PKCS8 encoded RSA private keys within an "RSA PRIVATE KEY" PEM block in some cases. This format is somewhat non-standard, usually PKCS8 data should be in a "PRIVATE KEY" PEM block. However, certain versions of OpenSSL and possibly even Teleport in specific cases have generated private keys in this format. This commit updates ParsePrivateKey and ParsePublicKey to be more tolerant of PKCS8, PKCS1, or PKIX key data no matter which PEM header is used. Fixes #46710 changelog: fixed regression in private key parser to handle mismatched PEM headers * fix typo in comment Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> --------- Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> * Use dynamic base path for favicon images (#46719) * Add Datadog Incident Management plugin support (#46271) * Implement datadog plugin * Add unit tests * Add fallback recipient config * Rename to Datadog Incident Management * Update tests * Datadog Incident Management * Update tctl resource plugin command * Typos * Lint * Exclude api changes for now * Set channel size * Address feedback - Add PluginShutdownTimeout const - Support api endpoint configuration - Add additional godocs/comments * Comment about datadog client package * Document Datadog API types * Only post resolution message when the AR is resolved * Fix lint * Unused function --------- Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com> * Add AutoUpdate Client/Cache implementation (#46661) * Add AutoUpdate Client/Cache implementation * CR changes * Add permission for proxy to access resources * Rename all occurrences auto update to camelcase * Remove auto update client wrapper * Drop AutoUpdateServiceClient helper Rename comments for consistency * User Tasks: services and clients implementation (#46131) This PR adds the implementation for the User Tasks: - services (backend+cache) - clients (API + tctl) - light validation to set up the path for later PRs * expanding testplan for host user creation (#46729) * Fix operator docs reference generator bug (#46732) In the reference page for one Kubernetes operator resource, some Markdown links are malformed. The issue is that some fields of custom resource definitions used by the operator consist of arrays of anonymous objects with fields that are also objects. When creating docs based on these fields, the operator resource docs generator creates a malformed link reference. This change modifies the generator to replace any spaces with hyphens before outputting link references, causing the resulting internal links to work correctly. This change also does some light refactoring to remove an unnecessary `switch` statement. * [auto] Update AMI IDs for 16.4.0 (#46746) Co-authored-by: GitHub <noreply@github.com> * Remove deprecated HTTP RemoteCluster endpoints (#46756) * Remove deprecated HTTP RemoteCluster endpoints * Remove redundant test * Add `tbot` helm chart to `version.mk` (#46763) * Remove LockConfiguration.LockName (#46772) Cleans up the deprecated config option now that gravitational/teleport.e#5034 has been merged. * adding a reference to to the host user guide (#46765) * Replace more Logrus usage with Slog (#46757) * Remove logrus from lib/auth/machineid * Switch authclient.Config.Log and TunnelAuthDialerConfig.Log to Slog * Add *slog.Logger to auth.Server * Remove logrus usage in `lib/auth/access.go` * Replace logrus with slog in lib/auth/accountrecovery.go * Replace logrus with slog in `lib/auth/apiserver.go` * Add missing logger to auth.Server * Fix test * Update AWS roles ARNs displayed on `tsh app login` for AWS console apps (#44983) * feat(tsh): list aws console logins from server * chore(services): remove unified resources change This is being covered on another PR. * test(tsh): solve TestAzure flakiness by waiting using app servers are ready * fix(tsh): apps with logins were fallingback into using aws arns * refactor(client): use GetEnrichedResources * chore(client): rename function * refactor(tsh): directly resource lisiting for apps and reuse cluster client * chore(client): reset client changes * refactor(tsh): reuse cluster client for fetching allowed logins * chore(tsh): remove unused function param * refactor(tsh): update getApp retry with login * refactor(tsh): use a single function to grab profile and cluste client * refactor(tsh): perform retry with login at caller site * fix(tsh): close auth client * test(tsh): fix test failing due to login misconfiguration * test(tsh): fix lint errors * test(tsh): remove unused imports * bulk audit event export api (#46399) * Reverting back to using the emitSessionJoin boolean * Nits and removing a debug log --------- Co-authored-by: Marco Dinis <marco.dinis@goteleport.com> Co-authored-by: Michael <michael.myers@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: Nic Klaassen <nic@goteleport.com> Co-authored-by: Dan Johns <117299936+djohns7@users.noreply.github.com> Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Ryan Clark <ryan.clark@goteleport.com> Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> Co-authored-by: Bernard Kim <bernard@goteleport.com> Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com> Co-authored-by: Vadym Popov <vadym.popov@goteleport.com> Co-authored-by: Erik Tate <erik.tate@goteleport.com> Co-authored-by: teleport-post-release-automation[bot] <128860004+teleport-post-release-automation[bot]@users.noreply.github.com> Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Noah Stride <noah.stride@goteleport.com> Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> Co-authored-by: Gabriel Corado <gabriel.oliveira@goteleport.com> Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
mvbrock
added a commit
that referenced
this pull request
Sep 25, 2024
* Displaying mode and controls to additional participants * Moving SessionControlsInfoBroadcast over to kube/proxy * Transitioning to consistent proxy-emitted mode+controls * Moving message broadcast so new participant wont see it * Possible unit test fix (cant seem to test locally) * Fixed unit test * Adding a line break before messaging the participant * Linter errors * Emitting audit event and controls message for additional parties, i.e. not the session initiator * Revert "Emitting audit event and controls message for additional parties, i.e. not the session initiator" This reverts commit b66ad27. * Add User Tasks resource - protos (#46059) * Add User Integration Tasks resource - protos * add account id * move state to task instead of instance * rename from user integration task to user task * add instance id * Add notice to web UI that users arent equal to MAU (#46686) This adds a dismissible notice to the Users page for usage based billing users that notifies them that the user count here isn't an accurate reflection of MAU * Clarify TLS requirements in the Jira guide (#46484) Closes #45654 - Indicate that certificates for the Jira web server cannot be self signed. - Remove references to Caddy and a `Certificate` resource, which were left over from an attempted change to this guide that was not fully completed. * Remove TXT record validation of custom DNS zones in VNet (#46709) * Remove TXT record validation from custom DNS zones * Remove mentions of TXT records from docs * Outline in the RFD why domain verification was dropped * Update rfd/0163-vnet.md Co-authored-by: Nic Klaassen <nic@goteleport.com> --------- Co-authored-by: Nic Klaassen <nic@goteleport.com> * docs: mention the --days flag when executing an audit log query (#45764) * Update access-monitoring.mdx Include the default date range in the CLI example. This range is otherwise unclear and is hidden in the tctl audit help menu. * Update access-monitoring.mdx * Update docs/pages/admin-guides/access-controls/access-monitoring.mdx Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Remove access-graph path resolution, proxy `/enterprise` requests (#46541) * Remove `access-graph` path from tsconfig * Proxy /enterprise requested in dev * update e ref (#46726) * fix: tolerate mismatched key PEM headers (#46725) * fix: tolerate mismatched key PEM headers Issue #43381 introduced a regression where we now fail to parse PKCS8 encoded RSA private keys within an "RSA PRIVATE KEY" PEM block in some cases. This format is somewhat non-standard, usually PKCS8 data should be in a "PRIVATE KEY" PEM block. However, certain versions of OpenSSL and possibly even Teleport in specific cases have generated private keys in this format. This commit updates ParsePrivateKey and ParsePublicKey to be more tolerant of PKCS8, PKCS1, or PKIX key data no matter which PEM header is used. Fixes #46710 changelog: fixed regression in private key parser to handle mismatched PEM headers * fix typo in comment Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> --------- Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> * Use dynamic base path for favicon images (#46719) * Add Datadog Incident Management plugin support (#46271) * Implement datadog plugin * Add unit tests * Add fallback recipient config * Rename to Datadog Incident Management * Update tests * Datadog Incident Management * Update tctl resource plugin command * Typos * Lint * Exclude api changes for now * Set channel size * Address feedback - Add PluginShutdownTimeout const - Support api endpoint configuration - Add additional godocs/comments * Comment about datadog client package * Document Datadog API types * Only post resolution message when the AR is resolved * Fix lint * Unused function --------- Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com> * Add AutoUpdate Client/Cache implementation (#46661) * Add AutoUpdate Client/Cache implementation * CR changes * Add permission for proxy to access resources * Rename all occurrences auto update to camelcase * Remove auto update client wrapper * Drop AutoUpdateServiceClient helper Rename comments for consistency * User Tasks: services and clients implementation (#46131) This PR adds the implementation for the User Tasks: - services (backend+cache) - clients (API + tctl) - light validation to set up the path for later PRs * expanding testplan for host user creation (#46729) * Fix operator docs reference generator bug (#46732) In the reference page for one Kubernetes operator resource, some Markdown links are malformed. The issue is that some fields of custom resource definitions used by the operator consist of arrays of anonymous objects with fields that are also objects. When creating docs based on these fields, the operator resource docs generator creates a malformed link reference. This change modifies the generator to replace any spaces with hyphens before outputting link references, causing the resulting internal links to work correctly. This change also does some light refactoring to remove an unnecessary `switch` statement. * [auto] Update AMI IDs for 16.4.0 (#46746) Co-authored-by: GitHub <noreply@github.com> * Remove deprecated HTTP RemoteCluster endpoints (#46756) * Remove deprecated HTTP RemoteCluster endpoints * Remove redundant test * Add `tbot` helm chart to `version.mk` (#46763) * Remove LockConfiguration.LockName (#46772) Cleans up the deprecated config option now that gravitational/teleport.e#5034 has been merged. * adding a reference to to the host user guide (#46765) * Replace more Logrus usage with Slog (#46757) * Remove logrus from lib/auth/machineid * Switch authclient.Config.Log and TunnelAuthDialerConfig.Log to Slog * Add *slog.Logger to auth.Server * Remove logrus usage in `lib/auth/access.go` * Replace logrus with slog in lib/auth/accountrecovery.go * Replace logrus with slog in `lib/auth/apiserver.go` * Add missing logger to auth.Server * Fix test * Update AWS roles ARNs displayed on `tsh app login` for AWS console apps (#44983) * feat(tsh): list aws console logins from server * chore(services): remove unified resources change This is being covered on another PR. * test(tsh): solve TestAzure flakiness by waiting using app servers are ready * fix(tsh): apps with logins were fallingback into using aws arns * refactor(client): use GetEnrichedResources * chore(client): rename function * refactor(tsh): directly resource lisiting for apps and reuse cluster client * chore(client): reset client changes * refactor(tsh): reuse cluster client for fetching allowed logins * chore(tsh): remove unused function param * refactor(tsh): update getApp retry with login * refactor(tsh): use a single function to grab profile and cluste client * refactor(tsh): perform retry with login at caller site * fix(tsh): close auth client * test(tsh): fix test failing due to login misconfiguration * test(tsh): fix lint errors * test(tsh): remove unused imports * bulk audit event export api (#46399) * Reverting back to using the emitSessionJoin boolean * Nits and removing a debug log --------- Co-authored-by: Marco Dinis <marco.dinis@goteleport.com> Co-authored-by: Michael <michael.myers@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: Nic Klaassen <nic@goteleport.com> Co-authored-by: Dan Johns <117299936+djohns7@users.noreply.github.com> Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Ryan Clark <ryan.clark@goteleport.com> Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> Co-authored-by: Bernard Kim <bernard@goteleport.com> Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com> Co-authored-by: Vadym Popov <vadym.popov@goteleport.com> Co-authored-by: Erik Tate <erik.tate@goteleport.com> Co-authored-by: teleport-post-release-automation[bot] <128860004+teleport-post-release-automation[bot]@users.noreply.github.com> Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Noah Stride <noah.stride@goteleport.com> Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> Co-authored-by: Gabriel Corado <gabriel.oliveira@goteleport.com> Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Sep 25, 2024
) * Displaying mode and controls to additional participants * Moving SessionControlsInfoBroadcast over to kube/proxy * Transitioning to consistent proxy-emitted mode+controls * Moving message broadcast so new participant wont see it * Possible unit test fix (cant seem to test locally) * Fixed unit test * Adding a line break before messaging the participant * Linter errors * Emitting audit event and controls message for additional parties, i.e. not the session initiator * Revert "Emitting audit event and controls message for additional parties, i.e. not the session initiator" This reverts commit b66ad27. * Add User Tasks resource - protos (#46059) * Add User Integration Tasks resource - protos * add account id * move state to task instead of instance * rename from user integration task to user task * add instance id * Add notice to web UI that users arent equal to MAU (#46686) This adds a dismissible notice to the Users page for usage based billing users that notifies them that the user count here isn't an accurate reflection of MAU * Clarify TLS requirements in the Jira guide (#46484) Closes #45654 - Indicate that certificates for the Jira web server cannot be self signed. - Remove references to Caddy and a `Certificate` resource, which were left over from an attempted change to this guide that was not fully completed. * Remove TXT record validation of custom DNS zones in VNet (#46709) * Remove TXT record validation from custom DNS zones * Remove mentions of TXT records from docs * Outline in the RFD why domain verification was dropped * Update rfd/0163-vnet.md --------- * docs: mention the --days flag when executing an audit log query (#45764) * Update access-monitoring.mdx Include the default date range in the CLI example. This range is otherwise unclear and is hidden in the tctl audit help menu. * Update access-monitoring.mdx * Update docs/pages/admin-guides/access-controls/access-monitoring.mdx --------- * Remove access-graph path resolution, proxy `/enterprise` requests (#46541) * Remove `access-graph` path from tsconfig * Proxy /enterprise requested in dev * update e ref (#46726) * fix: tolerate mismatched key PEM headers (#46725) * fix: tolerate mismatched key PEM headers Issue #43381 introduced a regression where we now fail to parse PKCS8 encoded RSA private keys within an "RSA PRIVATE KEY" PEM block in some cases. This format is somewhat non-standard, usually PKCS8 data should be in a "PRIVATE KEY" PEM block. However, certain versions of OpenSSL and possibly even Teleport in specific cases have generated private keys in this format. This commit updates ParsePrivateKey and ParsePublicKey to be more tolerant of PKCS8, PKCS1, or PKIX key data no matter which PEM header is used. Fixes #46710 changelog: fixed regression in private key parser to handle mismatched PEM headers * fix typo in comment --------- * Use dynamic base path for favicon images (#46719) * Add Datadog Incident Management plugin support (#46271) * Implement datadog plugin * Add unit tests * Add fallback recipient config * Rename to Datadog Incident Management * Update tests * Datadog Incident Management * Update tctl resource plugin command * Typos * Lint * Exclude api changes for now * Set channel size * Address feedback - Add PluginShutdownTimeout const - Support api endpoint configuration - Add additional godocs/comments * Comment about datadog client package * Document Datadog API types * Only post resolution message when the AR is resolved * Fix lint * Unused function --------- * Add AutoUpdate Client/Cache implementation (#46661) * Add AutoUpdate Client/Cache implementation * CR changes * Add permission for proxy to access resources * Rename all occurrences auto update to camelcase * Remove auto update client wrapper * Drop AutoUpdateServiceClient helper Rename comments for consistency * User Tasks: services and clients implementation (#46131) This PR adds the implementation for the User Tasks: - services (backend+cache) - clients (API + tctl) - light validation to set up the path for later PRs * expanding testplan for host user creation (#46729) * Fix operator docs reference generator bug (#46732) In the reference page for one Kubernetes operator resource, some Markdown links are malformed. The issue is that some fields of custom resource definitions used by the operator consist of arrays of anonymous objects with fields that are also objects. When creating docs based on these fields, the operator resource docs generator creates a malformed link reference. This change modifies the generator to replace any spaces with hyphens before outputting link references, causing the resulting internal links to work correctly. This change also does some light refactoring to remove an unnecessary `switch` statement. * [auto] Update AMI IDs for 16.4.0 (#46746) * Remove deprecated HTTP RemoteCluster endpoints (#46756) * Remove deprecated HTTP RemoteCluster endpoints * Remove redundant test * Add `tbot` helm chart to `version.mk` (#46763) * Remove LockConfiguration.LockName (#46772) Cleans up the deprecated config option now that gravitational/teleport.e#5034 has been merged. * adding a reference to to the host user guide (#46765) * Replace more Logrus usage with Slog (#46757) * Remove logrus from lib/auth/machineid * Switch authclient.Config.Log and TunnelAuthDialerConfig.Log to Slog * Add *slog.Logger to auth.Server * Remove logrus usage in `lib/auth/access.go` * Replace logrus with slog in lib/auth/accountrecovery.go * Replace logrus with slog in `lib/auth/apiserver.go` * Add missing logger to auth.Server * Fix test * Update AWS roles ARNs displayed on `tsh app login` for AWS console apps (#44983) * feat(tsh): list aws console logins from server * chore(services): remove unified resources change This is being covered on another PR. * test(tsh): solve TestAzure flakiness by waiting using app servers are ready * fix(tsh): apps with logins were fallingback into using aws arns * refactor(client): use GetEnrichedResources * chore(client): rename function * refactor(tsh): directly resource lisiting for apps and reuse cluster client * chore(client): reset client changes * refactor(tsh): reuse cluster client for fetching allowed logins * chore(tsh): remove unused function param * refactor(tsh): update getApp retry with login * refactor(tsh): use a single function to grab profile and cluste client * refactor(tsh): perform retry with login at caller site * fix(tsh): close auth client * test(tsh): fix test failing due to login misconfiguration * test(tsh): fix lint errors * test(tsh): remove unused imports * bulk audit event export api (#46399) * Reverting back to using the emitSessionJoin boolean * Nits and removing a debug log --------- Co-authored-by: Marco Dinis <marco.dinis@goteleport.com> Co-authored-by: Michael <michael.myers@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: Nic Klaassen <nic@goteleport.com> Co-authored-by: Dan Johns <117299936+djohns7@users.noreply.github.com> Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Ryan Clark <ryan.clark@goteleport.com> Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> Co-authored-by: Bernard Kim <bernard@goteleport.com> Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com> Co-authored-by: Vadym Popov <vadym.popov@goteleport.com> Co-authored-by: Erik Tate <erik.tate@goteleport.com> Co-authored-by: teleport-post-release-automation[bot] <128860004+teleport-post-release-automation[bot]@users.noreply.github.com> Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Noah Stride <noah.stride@goteleport.com> Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> Co-authored-by: Gabriel Corado <gabriel.oliveira@goteleport.com> Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Sep 25, 2024
) * Displaying mode and controls to additional participants * Moving SessionControlsInfoBroadcast over to kube/proxy * Transitioning to consistent proxy-emitted mode+controls * Moving message broadcast so new participant wont see it * Possible unit test fix (cant seem to test locally) * Fixed unit test * Adding a line break before messaging the participant * Linter errors * Emitting audit event and controls message for additional parties, i.e. not the session initiator * Revert "Emitting audit event and controls message for additional parties, i.e. not the session initiator" This reverts commit b66ad27. * Add User Tasks resource - protos (#46059) * Add User Integration Tasks resource - protos * add account id * move state to task instead of instance * rename from user integration task to user task * add instance id * Add notice to web UI that users arent equal to MAU (#46686) This adds a dismissible notice to the Users page for usage based billing users that notifies them that the user count here isn't an accurate reflection of MAU * Clarify TLS requirements in the Jira guide (#46484) Closes #45654 - Indicate that certificates for the Jira web server cannot be self signed. - Remove references to Caddy and a `Certificate` resource, which were left over from an attempted change to this guide that was not fully completed. * Remove TXT record validation of custom DNS zones in VNet (#46709) * Remove TXT record validation from custom DNS zones * Remove mentions of TXT records from docs * Outline in the RFD why domain verification was dropped * Update rfd/0163-vnet.md --------- * docs: mention the --days flag when executing an audit log query (#45764) * Update access-monitoring.mdx Include the default date range in the CLI example. This range is otherwise unclear and is hidden in the tctl audit help menu. * Update access-monitoring.mdx * Update docs/pages/admin-guides/access-controls/access-monitoring.mdx --------- * Remove access-graph path resolution, proxy `/enterprise` requests (#46541) * Remove `access-graph` path from tsconfig * Proxy /enterprise requested in dev * update e ref (#46726) * fix: tolerate mismatched key PEM headers (#46725) * fix: tolerate mismatched key PEM headers Issue #43381 introduced a regression where we now fail to parse PKCS8 encoded RSA private keys within an "RSA PRIVATE KEY" PEM block in some cases. This format is somewhat non-standard, usually PKCS8 data should be in a "PRIVATE KEY" PEM block. However, certain versions of OpenSSL and possibly even Teleport in specific cases have generated private keys in this format. This commit updates ParsePrivateKey and ParsePublicKey to be more tolerant of PKCS8, PKCS1, or PKIX key data no matter which PEM header is used. Fixes #46710 changelog: fixed regression in private key parser to handle mismatched PEM headers * fix typo in comment --------- * Use dynamic base path for favicon images (#46719) * Add Datadog Incident Management plugin support (#46271) * Implement datadog plugin * Add unit tests * Add fallback recipient config * Rename to Datadog Incident Management * Update tests * Datadog Incident Management * Update tctl resource plugin command * Typos * Lint * Exclude api changes for now * Set channel size * Address feedback - Add PluginShutdownTimeout const - Support api endpoint configuration - Add additional godocs/comments * Comment about datadog client package * Document Datadog API types * Only post resolution message when the AR is resolved * Fix lint * Unused function --------- * Add AutoUpdate Client/Cache implementation (#46661) * Add AutoUpdate Client/Cache implementation * CR changes * Add permission for proxy to access resources * Rename all occurrences auto update to camelcase * Remove auto update client wrapper * Drop AutoUpdateServiceClient helper Rename comments for consistency * User Tasks: services and clients implementation (#46131) This PR adds the implementation for the User Tasks: - services (backend+cache) - clients (API + tctl) - light validation to set up the path for later PRs * expanding testplan for host user creation (#46729) * Fix operator docs reference generator bug (#46732) In the reference page for one Kubernetes operator resource, some Markdown links are malformed. The issue is that some fields of custom resource definitions used by the operator consist of arrays of anonymous objects with fields that are also objects. When creating docs based on these fields, the operator resource docs generator creates a malformed link reference. This change modifies the generator to replace any spaces with hyphens before outputting link references, causing the resulting internal links to work correctly. This change also does some light refactoring to remove an unnecessary `switch` statement. * [auto] Update AMI IDs for 16.4.0 (#46746) * Remove deprecated HTTP RemoteCluster endpoints (#46756) * Remove deprecated HTTP RemoteCluster endpoints * Remove redundant test * Add `tbot` helm chart to `version.mk` (#46763) * Remove LockConfiguration.LockName (#46772) Cleans up the deprecated config option now that gravitational/teleport.e#5034 has been merged. * adding a reference to to the host user guide (#46765) * Replace more Logrus usage with Slog (#46757) * Remove logrus from lib/auth/machineid * Switch authclient.Config.Log and TunnelAuthDialerConfig.Log to Slog * Add *slog.Logger to auth.Server * Remove logrus usage in `lib/auth/access.go` * Replace logrus with slog in lib/auth/accountrecovery.go * Replace logrus with slog in `lib/auth/apiserver.go` * Add missing logger to auth.Server * Fix test * Update AWS roles ARNs displayed on `tsh app login` for AWS console apps (#44983) * feat(tsh): list aws console logins from server * chore(services): remove unified resources change This is being covered on another PR. * test(tsh): solve TestAzure flakiness by waiting using app servers are ready * fix(tsh): apps with logins were fallingback into using aws arns * refactor(client): use GetEnrichedResources * chore(client): rename function * refactor(tsh): directly resource lisiting for apps and reuse cluster client * chore(client): reset client changes * refactor(tsh): reuse cluster client for fetching allowed logins * chore(tsh): remove unused function param * refactor(tsh): update getApp retry with login * refactor(tsh): use a single function to grab profile and cluste client * refactor(tsh): perform retry with login at caller site * fix(tsh): close auth client * test(tsh): fix test failing due to login misconfiguration * test(tsh): fix lint errors * test(tsh): remove unused imports * bulk audit event export api (#46399) * Reverting back to using the emitSessionJoin boolean * Nits and removing a debug log --------- Co-authored-by: Marco Dinis <marco.dinis@goteleport.com> Co-authored-by: Michael <michael.myers@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> Co-authored-by: Rafał Cieślak <rafal.cieslak@goteleport.com> Co-authored-by: Nic Klaassen <nic@goteleport.com> Co-authored-by: Dan Johns <117299936+djohns7@users.noreply.github.com> Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Ryan Clark <ryan.clark@goteleport.com> Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> Co-authored-by: Bernard Kim <bernard@goteleport.com> Co-authored-by: hugoShaka <hugo.hervieux@goteleport.com> Co-authored-by: Vadym Popov <vadym.popov@goteleport.com> Co-authored-by: Erik Tate <erik.tate@goteleport.com> Co-authored-by: teleport-post-release-automation[bot] <128860004+teleport-post-release-automation[bot]@users.noreply.github.com> Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Noah Stride <noah.stride@goteleport.com> Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> Co-authored-by: Gabriel Corado <gabriel.oliveira@goteleport.com> Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As discussed on Slack, we've decided to drop domain verification for custom DNS zones in VNet. The reasons are outlined in the changes in the RFD in this PR.
changelog: Removed TXT record validation from custom DNS zones in VNet; VNet now supports any custom DNS zone, as long as it's included in
vnet_config