Merge branch 'branch/v14' into bot/backport-47478-branch/v14
espadolini authored Nov 5, 2024
2 parents 10ca317 + b8b7bab commit a604bc9
Showing 330 changed files with 5,505 additions and 1,877 deletions.
33 changes: 33 additions & 0 deletions .github/workflows/kube-integration-tests-non-root.yaml
Expand Up @@ -28,6 +28,7 @@ on:
env:
TEST_KUBE: true
KUBECONFIG: /home/.kube/config
ALPINE_VERSION: 3.20.3

jobs:
test:
Expand Down Expand Up @@ -81,6 +82,38 @@ jobs:
cp -r $HOME/.kube /home/
chown -R ci:ci /home/.kube
- name: Build Alpine image with webserver
run: |
export SHORT_VERSION=${ALPINE_VERSION%.*}
# download the alpine image
# store the files in the fixtures/alpine directory
# to avoid passing all the repository files to the docker build context.
cd ./fixtures/alpine
# download alpine minirootfs and signature
curl -fSsLO https://dl-cdn.alpinelinux.org/alpine/v$SHORT_VERSION/releases/x86_64/alpine-minirootfs-$ALPINE_VERSION-x86_64.tar.gz
curl -fSsLO https://dl-cdn.alpinelinux.org/alpine/v$SHORT_VERSION/releases/x86_64/alpine-minirootfs-$ALPINE_VERSION-x86_64.tar.gz.asc
curl -fSsLO https://dl-cdn.alpinelinux.org/alpine/v$SHORT_VERSION/releases/x86_64/alpine-minirootfs-$ALPINE_VERSION-x86_64.tar.gz.sha256
# verify the checksum
sha256sum -c alpine-minirootfs-$ALPINE_VERSION-x86_64.tar.gz.sha256
# verify the signature
gpg --import ./alpine-ncopa.at.alpinelinux.org.asc
gpg --verify ./alpine-minirootfs-$ALPINE_VERSION-x86_64.tar.gz.asc ./alpine-minirootfs-$ALPINE_VERSION-x86_64.tar.gz
# build the webserver
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o ./webserver ./webserver.go
docker build -t alpine-webserver:v1 --build-arg=ALPINE_VERSION=$ALPINE_VERSION -f ./Dockerfile .
# load the image into the kind cluster
kind load docker-image alpine-webserver:v1
cd -
- name: Run tests
timeout-minutes: 40
run: |
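Review bot: the signature step `gpg --verify ./alpine-minirootfs-$ALPINE_VERSION-x86_64.tar.gz.asc ./alpine-minirootfs-$ALPINE_VERSION-x86_64.tar.gz` passes as long as the signing key is any key present in the runner's default keyring, not specifically the Alpine release key; suggest importing `./alpine-ncopa.at.alpinelinux.org.asc` into a dedicated keyring (`--no-default-keyring --keyring <file>`) and comparing the signing fingerprint reported on `--status-fd` against the expected value, and adding a comment in the step saying whose key that file is and where it was obtained, since it is now a trust anchor checked into the repository. The `sha256sum -c` line is a useful integrity check, but the `.sha256` file comes from the same CDN path as the tarball, so it adds no authenticity on its own; the GPG verification is the check that must not be weakened.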
14 changes: 12 additions & 2 deletions .github/workflows/update-docs-webhook.yaml
@@ -1,6 +1,8 @@
name: Update docs webhook
on:
push:
paths:
- 'docs/**'
branches:
- master
- branch/v*
Expand All @@ -11,11 +13,19 @@ jobs:
name: Update docs webhook
runs-on: ubuntu-latest
environment: update-docs
strategy:
fail-fast: false
matrix:
webhooks:
- url_secret_name: DOCS_DEPLOY_HOOK
http_method: GET
- url_secret_name: AMPLIFY_DOCS_DEPLOY_HOOK
http_method: POST
steps:
- name: Call deployment webhook
env:
WEBHOOK_URL: ${{ secrets.DOCS_DEPLOY_HOOK }}
WEBHOOK_URL: ${{ secrets[matrix.webhooks.url_secret_name] }}
run: |
if curl --silent --fail --show-error "$WEBHOOK_URL" > /dev/null; then
if curl -X ${{ matrix.webhooks.http_method }} --silent --fail --show-error "$WEBHOOK_URL" > /dev/null; then
echo "Triggered successfully"
fi
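Review bot: `fail-fast: false` signals that both webhooks should be attempted independently, but a failing `curl -X ${{ matrix.webhooks.http_method }} --silent --fail --show-error "$WEBHOOK_URL"` never fails the job: a non-zero status in an `if` condition is not fatal under `set -e`, so a broken hook only means `Triggered successfully` is not printed while the matrix job still goes green. Suggest an `else` branch along the lines of `echo "webhook call failed" >&2; exit 1`. Separately, `${{ matrix.webhooks.http_method }}` is expanded directly into the shell script; the values are hardcoded in the matrix so this is not injectable as written, but passing the method through `env:` the way `WEBHOOK_URL` already is keeps template expansion out of the script body.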
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -10,6 +10,8 @@ default.etcd

# usually release tarballs get in the way
*.gz
# ignore all tarballs except the alpine one
!fixtures/alpine/alpine-minirootfs-*.tar.gz
*.zip

# editors
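Review bot: the negation `!fixtures/alpine/alpine-minirootfs-*.tar.gz` makes a downloaded binary root filesystem tarball eligible for `git add`, and the comment `ignore all tarballs except the alpine one` does not say why that is wanted. If the intent is for the Docker build context to see the file, `.gitignore` has no bearing on that (`.dockerignore` does). Either extend the comment with the actual reason or drop the exception so the tarball cannot be committed by accident.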
62 changes: 45 additions & 17 deletions CHANGELOG.md
@@ -1,5 +1,32 @@
# Changelog

## 14.3.33 (10/30/24)

* Fixed a bug in the External Audit Storage bootstrap script that broke S3 bucket creation. [#48179](https://github.com/gravitational/teleport/pull/48179)
* During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role instead of entering the principals and getting an error afterwards. [#47959](https://github.com/gravitational/teleport/pull/47959)
* Fixed `teleport_connected_resource` metric overshooting after keepalive errors. [#47951](https://github.com/gravitational/teleport/pull/47951)
* Fixed an issue preventing connections with users whose configured home directories were inaccessible. [#47918](https://github.com/gravitational/teleport/pull/47918)
* Auto-enroll may be locally disabled using the `TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1` environment variable. [#47718](https://github.com/gravitational/teleport/pull/47718)
* Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. [#47701](https://github.com/gravitational/teleport/pull/47701)
* Avoid tsh auto-enroll escalation in machines without a TPM. [#47697](https://github.com/gravitational/teleport/pull/47697)
* Postgres database session start events now include the Postgres backend PID for the session. [#47645](https://github.com/gravitational/teleport/pull/47645)
* Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. [#47623](https://github.com/gravitational/teleport/pull/47623)
* Adds support for custom SQS consumer lock name and disabling a consumer. [#47612](https://github.com/gravitational/teleport/pull/47612)
* Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. [#47603](https://github.com/gravitational/teleport/pull/47603)
* Allow using a custom database for Firestore backends. [#47585](https://github.com/gravitational/teleport/pull/47585)
* Extended Teleport Discovery Service to support resource discovery across all projects accessible by the service account. [#47566](https://github.com/gravitational/teleport/pull/47566)
* Fixed a bug that could allow users to list active sessions even when prohibited by RBAC. [#47562](https://github.com/gravitational/teleport/pull/47562)
* The `tctl tokens ls` command redacts secret join tokens by default. To include the token values, provide the new `--with-secrets` flag. [#47547](https://github.com/gravitational/teleport/pull/47547)
* Fixed an issue with the Microsoft license negotiation for RDP sessions. [#47544](https://github.com/gravitational/teleport/pull/47544)
* Fixed a bug where tsh logout failed to parse flags passed with spaces. [#47461](https://github.com/gravitational/teleport/pull/47461)
* Added kubeconfig context name to the output table of `tsh proxy kube` command for enhanced clarity. [#47381](https://github.com/gravitational/teleport/pull/47381)
* Improve error messaging when connections to offline agents are attempted. [#47363](https://github.com/gravitational/teleport/pull/47363)
* Teleport Connect for Linux now requires glibc 2.31 or later. [#47264](https://github.com/gravitational/teleport/pull/47264)
* Updates self-hosted db discover flow to generate 2190h TTL certs, not 12h. [#47128](https://github.com/gravitational/teleport/pull/47128)

Enterprise:
* Device auto-enroll failures are now recorded in the audit log.

## 14.3.32 (10/03/24)

* Fixes an issue preventing access requests from displaying user friendly resource names. [#47110](https://github.com/gravitational/teleport/pull/47110)
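Review bot: the new 14.3.33 entries mix tenses within one list (`Fixed a bug ...`, `Fixes a bug where Let's Encrypt ...`, `Adds support for custom SQS ...`, `Updates self-hosted db discover flow ...`); consider normalizing to `Fixed`, `Added`, `Updated`. The entry `During the Set Up Access of the Enroll New Resource flows, Okta users will be asked to change the role ...` reads awkwardly; something like `During the Set Up Access step of the Enroll New Resource flow, ...` is clearer. Minor: `Enterprise:` is followed directly by its bullet with no blank line, unlike the list above it.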
Expand Down Expand Up @@ -859,7 +886,8 @@ applications in Kubernetes clusters. When connected to a Kubernetes cluster (or
deployed as a Helm chart), the Teleport Discovery Service will automatically find
and enroll web applications with your Teleport cluster.

See documentation [here](docs/pages/enroll-resources/application-access/enroll-kubernetes-applications.mdx).
See documentation
[here](docs/pages/enroll-resources/application-access/enroll-kubernetes-applications/kubernetes-applications.mdx).

#### Extended Kubernetes per-resource RBAC

Expand Down Expand Up @@ -1761,7 +1789,7 @@ This will allow users to view the OpenSSH nodes in Web UI and using `tsh ls`
and use RBAC to control access to them.

See the updated [OpenSSH integration
guide](docs/pages/enroll-resources/server-access/guides/openssh.mdx).
guide](docs/pages/enroll-resources/server-access/guides/openssh/openssh.mdx).

### Cross-cluster search for Teleport Connect

Expand Down Expand Up @@ -2962,7 +2990,7 @@ is more than one major version behind them. You can use the `--skip-version-chec
bypass the version check.

Take a look at component compatibility guarantees in the
[documentation](docs/pages/upgrading.mdx).
[documentation](docs/pages/upgrading/upgrading.mdx).

#### HTTP_PROXY for reverse tunnels

Expand Down Expand Up @@ -3951,7 +3979,7 @@ if err = clt.CreateAccessRequest(ctx, accessRequest); err != nil {

### Upgrade Notes

Please follow our [standard upgrade procedure](docs/pages/admin-guides/management/admin.mdx) to upgrade your cluster.
Please follow our [standard upgrade procedure](docs/pages/admin-guides/management/admin/admin.mdx) to upgrade your cluster.

Note, for clusters using GitHub SSO and Trusted Clusters, when upgrading SSO users will lose connectivity to leaf clusters. Local users will not be affected.

Expand Down Expand Up @@ -4201,8 +4229,8 @@ Teleport 5.0 also iterates on the UI Refresh from 4.3. We've moved the cluster l
Other updates:

* We now provide local user management via `https://[cluster-url]/web/users`, providing the ability to edit, reset and delete local users.
* Teleport Node & App Install scripts. This is currently an Enterprise-only feature that provides customers with an installer script. Enterprise customers can enable this feature by modifying the 'token' resource. See note above.
* We've added a Waiting Room for customers using Access Workflows. [Docs](docs/pages/admin-guides/access-controls/access-request-plugins.mdx)
* Teleport Node & App Install scripts. This is currently an Enterprise-only feature that provides customers with an 'auto-magic' installer script. Enterprise customers can enable this feature by modifying the 'token' resource. See note above.
* We've added a Waiting Room for customers using Access Workflows. [Docs](docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx)

##### Signed RPM and Releases
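Review bot: besides the link path update to `access-request-plugins/access-request-plugins.mdx`, this hunk changes the Install scripts bullet to read `provides customers with an 'auto-magic' installer script`, a wording change unrelated to the docs path fixes the rest of the CHANGELOG hunks make; if the merge is meant to touch only links, keep the left-hand wording.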

Expand Down Expand Up @@ -4236,7 +4264,7 @@ We've added an [API Guide](docs/pages/admin-guides/api/api.mdx) to simply develo

#### Upgrade Notes

Please follow our [standard upgrade procedure](./docs/pages/upgrading.mdx).
Please follow our [standard upgrade procedure](docs/pages/upgrading/upgrading.mdx).

* Optional: Consider updating `https_key_file` & `https_cert_file` to our new `https_keypairs:` format.
* Optional: Consider migrating Kubernetes access from `proxy_service` to `kubernetes_service` after the upgrade.
Expand Down Expand Up @@ -4380,7 +4408,7 @@ auth_service:
#### Upgrade Notes

Please follow our [standard upgrade
procedure](docs/pages/upgrading.mdx).
procedure](docs/pages/upgrading/upgrading.mdx).

## 4.3.9

Expand Down Expand Up @@ -4465,7 +4493,7 @@ Teleport's Web UI now exposes Teleport’s Audit log, letting auditors and admin

##### Teleport Plugins

Teleport 4.3 introduces four new plugins that work out of the box with [Approval Workflow](docs/pages/admin-guides/access-controls/access-request-plugins.mdx). These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below.
Teleport 4.3 introduces four new plugins that work out of the box with [Approval Workflow](docs/pages/admin-guides/access-controls/access-request-plugins/access-request-plugins.mdx). These plugins allow you to automatically support role escalation with commonly used third party services. The built-in plugins are listed below.

* [PagerDuty](docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-pagerduty.mdx)
* [Jira](docs/pages/admin-guides/access-controls/access-request-plugins/ssh-approval-jira.mdx)
Expand Down Expand Up @@ -4501,7 +4529,7 @@ Teleport 4.3 introduces four new plugins that work out of the box with [Approval
#### Upgrade Notes

Always follow the [recommended upgrade
procedure](./docs/pages/upgrading.mdx) to upgrade to this version.
procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this version.

##### New Signing Algorithm

Expand Down Expand Up @@ -4542,7 +4570,7 @@ permissions](./docs/pages/enroll-resources/kubernetes-access/controls.mdx).
The [etcd backend](docs/pages/reference/backends.mdx#etcd) now correctly uses
the “prefix” config value when storing data. Upgrading from 4.2 to 4.3 will
migrate the data as needed at startup. Make sure you follow our Teleport
[upgrade guidance](docs/pages/upgrading.mdx).
[upgrade guidance](docs/pages/upgrading/upgrading.mdx).

**Note: If you use an etcd backend with a non-default prefix and need to downgrade from 4.3 to 4.2, you should [backup Teleport data and restore it](docs/pages/admin-guides/management/operations/backup-restore.mdx) into the downgraded cluster.**
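Review bot: only `docs/pages/upgrading.mdx` is rewritten here, while the neighbouring links `./docs/pages/enroll-resources/kubernetes-access/controls.mdx`, `docs/pages/reference/backends.mdx#etcd` and `docs/pages/admin-guides/management/operations/backup-restore.mdx` are left untouched; since this merge moves pages into `<name>/<name>.mdx` directories, please confirm those remaining paths still resolve (running the docs link checker on the branch would settle it).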

Expand Down Expand Up @@ -4665,7 +4693,7 @@ This is a minor Teleport release with a focus on new features and bug fixes.
### Improvements

* Alpha: Enhanced Session Recording lets you know what's really happening during a Teleport Session. [#2948](https://github.com/gravitational/teleport/issues/2948)
* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](docs/pages/admin-guides/access-controls/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006)
* Alpha: Workflows API lets admins escalate RBAC roles in response to user requests. [Read the docs](docs/pages/admin-guides/access-controls/access-requests/access-requests.mdx). [#3006](https://github.com/gravitational/teleport/issues/3006)
* Beta: Teleport provides HA Support using Firestore and Google Cloud Storage using Google Cloud Platform. [Read the docs](docs/pages/admin-guides/deploy-a-cluster/deployments/gcp.mdx). [#2821](https://github.com/gravitational/teleport/pull/2821)
* Remote tctl execution is now possible. [Read the docs](./docs/pages/reference/cli/tctl.mdx). [#1525](https://github.com/gravitational/teleport/issues/1525) [#2991](https://github.com/gravitational/teleport/issues/2991)

Expand Down Expand Up @@ -4921,7 +4949,7 @@ The lists of improvements and bug fixes above mention only the significant chang

### Upgrading

Teleport 4.0 is backwards compatible with Teleport 3.2 and later. [Follow the recommended upgrade procedure to upgrade to this version.](docs/pages/upgrading.mdx)
Teleport 4.0 is backwards compatible with Teleport 3.2 and later. [Follow the recommended upgrade procedure to upgrade to this version.](docs/pages/upgrading/upgrading.mdx)

Note that due to substantial changes between Teleport 3.2 and 4.0, we recommend creating a backup of the backend datastore (DynamoDB, etcd, or dir) before upgrading a cluster to Teleport 4.0 to allow downgrades.

Expand Down Expand Up @@ -5189,7 +5217,7 @@ on Github for more.
#### Upgrading to 3.0

Follow the [recommended upgrade
procedure](docs/pages/upgrading.mdx) to upgrade to this
procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this
version.

**WARNING:** if you are using Teleport with the etcd back-end, make sure your
Expand Down Expand Up @@ -5295,7 +5323,7 @@ As always, this release contains several bug fixes. The full list can be seen [h
#### Upgrading

Follow the [recommended upgrade
procedure](docs/pages/upgrading.mdx) to upgrade to this
procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this
version.

## 2.6.9
Expand Down Expand Up @@ -5425,7 +5453,7 @@ You can see the full list of 2.6.0 changes [here](https://github.com/gravitation
#### Upgrading

Follow the [recommended upgrade
procedure](docs/pages/upgrading.mdx) to upgrade to this
procedure](docs/pages/upgrading/upgrading.mdx) to upgrade to this
version.

## 2.5.7
Expand Down Expand Up @@ -5512,7 +5540,7 @@ release, which includes:

* The Teleport daemon now implements built-in connection draining which allows
zero-downtime upgrades. [See
documentation](docs/pages/upgrading.mdx).
documentation](docs/pages/upgrading/upgrading.mdx).

* Dynamic join tokens for new nodes can now be explicitly set via `tctl node add --token`.
This allows Teleport admins to use an external mechanism for generating